ACS 5.x using of per-user Shell Command Authorisation with NDGs

We have an implementation of ACS 4.x which allows customers access to their own devices (defined in distinct NDGs). The NDGs are referenced in the "Shell Command Authorization Set" component of "TACACS+ Settings" under "Assign a Shell Command Authorization Set on a per Network Device Group Basis". How would this map onto ACS 5.x rule-based functionality; would an authorization rule be required for each user?
Thanks,
Matt

Hi Matt
In ACS 5 you would create an authorization rule for each user or identity group. You could then add conditions to each policy to allow them access to specific devices. You would then add an authorization rule to each policy with your specific shell commands added to it.
If your authorization policies are a mixture of internal users and AD users then you would need to use an identity store sequence for each policy, rather than specifically choosing internal user or AD user. This is something I found out recently.
So the process would be:
create an access service for TACACS+
then create a service selection policy to match the TACACS+ protocol and maybe a specific device type such as Cisco router
then configure your identity within the access service
then configure your authorization policies within the access service
I'm no expert on the new ACS and I'm not 100% sure I'm doing it the correct way, but I have done lots of testing and things are working as I want them to. I can allocate admin and/or read-only access to users based on their AD group.
You need to set up your NDG in a way you can be as granular as possible within your policies.
Cheers
Jay
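To illustrate the mapping Jay describes, here is an added Python model (example code, not ACS or Cisco code) of an ACS 5.x-style authorization rule table: rules are conditioned on identity group and NDG node rather than on individual users, the first matching rule wins, and the selected command set decides each TACACS+ command authorization request. The identity groups, NDG nodes and command sets are constructed sample values.

```python
import re
from dataclasses import dataclass


def in_ndg(device_ndg, condition_ndg):
    """True if the device's NDG node equals the condition node or sits below it.

    An NDG condition matches a node and all of its children, so a rule on
    "All Locations:CustomerA" covers "All Locations:CustomerA:Site1" but must
    not cover the unrelated sibling node "All Locations:CustomerAB".
    """
    return device_ndg == condition_ndg or device_ndg.startswith(condition_ndg + ":")


@dataclass
class CommandSet:
    # rows of (grant, command, argument regex), checked in order; first hit wins
    rows: list
    permit_unmatched: bool = False  # "permit any command that is not in the table"

    def allows(self, command, args=""):
        for grant, cmd, arg_re in self.rows:
            if cmd == command and re.fullmatch(arg_re, args):
                return grant == "permit"
        return self.permit_unmatched


@dataclass
class Rule:
    name: str
    identity_groups: frozenset  # condition: the user's identity group
    ndg: str                    # condition: the device's NDG node
    command_set: CommandSet     # result: the command set that applies


@dataclass
class AuthorizationPolicy:
    rules: list

    def select(self, identity_group, device_ndg):
        # first matching rule wins, as in a rule table; no match means deny
        for rule in self.rules:
            if identity_group in rule.identity_groups and in_ndg(device_ndg, rule.ndg):
                return rule
        return None

    def authorize(self, identity_group, device_ndg, command, args=""):
        rule = self.select(identity_group, device_ndg)
        return rule is not None and rule.command_set.allows(command, args)


# Constructed sample policy: one rule per identity group and customer NDG,
# not one rule per user. Operators get a closed list; admins get everything
# except "reload".
READ_ONLY = CommandSet([("permit", "show", ".*"), ("permit", "exit", ".*")])
ADMIN_NO_RELOAD = CommandSet([("deny", "reload", ".*")], permit_unmatched=True)

POLICY = AuthorizationPolicy([
    Rule("CustomerA admins", frozenset({"CustomerA-Admins"}), "All Locations:CustomerA", ADMIN_NO_RELOAD),
    Rule("CustomerA operators", frozenset({"CustomerA-Ops"}), "All Locations:CustomerA", READ_ONLY),
    Rule("CustomerB admins", frozenset({"CustomerB-Admins"}), "All Locations:CustomerB", ADMIN_NO_RELOAD),
])


def authorize(identity_group, device_ndg, command, args=""):
    """Decide one TACACS+ command authorization request against POLICY."""
    return POLICY.authorize(identity_group, device_ndg, command, args)


if __name__ == "__main__":
    print(authorize("CustomerA-Ops", "All Locations:CustomerA:Site1", "show", "ip route"))     # True
    print(authorize("CustomerA-Admins", "All Locations:CustomerB:Site1", "show", "version"))  # False
```

The last case is the one the NDG condition is for: a CustomerA admin presenting a command from a CustomerB device matches no rule and is denied without any per-user rule.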

Similar Messages

  • Oracle9iR2/Solaris8 --  DRG-11207: user filter command exited with status 137

    The ctx_ddl.sync_index() procedure hangs when I use it to synchronize the index. It is obvious that the INSO filter is not responding. The LD_LIBRARY_PATH and PATH variables are correctly pointing to $ORACLE_HOME/ctx/lib, $ORACLE_HOME/lib and $ORACLE_HOME/bin, $ORACLE_HOME/ctx/bin respectively. The error in CTX_USER_INDEX_ERRORS is the all too famous: 'DRG-11207: user filter command exited with status 137'. The platform is 9iR2/Solaris 8.
    Any ideas as to how to get INSO to start working with the various documents on Solaris 8?
    Thanks

  • Logging to a systemd per-user journal from shell

    Does anybody know how I can log a message to a per-user journal without using a per-user systemd service (~/.config/systemd/user/something.service)?
    As root, I can run:
    echo This is a test. | systemd-cat -t test
    or:
    echo This is a test. | logger -t test
    and see the logged message with:
    journalctl --since='-300' -e
    or:
    journalctl --since='-300' -et test
    As a non-root user, I can see the logs of per-user systemd services, among other things, with:
    journalctl --user --since=today
    I'm unable, however, to find a way to see the output of using systemd-cat or logger as a user, and when I use those commands, the timestamp of the user journal file in /var/log/journal doesn't change, so I don't think the journal is actually being written.
    Any ideas?

    Apparently I can do so as some users but not others.
    For example:
    echo This is a test. | sudo -u http systemd-cat -t test
    allows me to see the entry in the journal, but:
    echo This is a test. | sudo -u somenewuser systemd-cat -t test
    doesn't.

  • RDS (2012 R2, Per User) client issues after moving from TS Licensing (Win 2K3, Per Device)

    I run a XenApp environment (mixed Presentation Server 4.5, XA6.5, XA7.6... I know).
    I've somewhat recently moved our RDS/TS licensing from an old 2K3 TS licensing vm that needed to go to a 2012 R2 RDS licensing vm.
    The 2K3 vm ran with a Per Device mode, and the 2012 R2 vm is using a Per User model.
    RDS is working fine as far as I can tell - handing out licenses to their RD Session Hosts, in the proper security group which has the ability to Read/Write the MSLicensing user attributes (Terminal Server License Servers). By GPO, I am telling (and they are applying) my XenApp servers to use their new RDS Licensing server and with a Per User model. The issue I am seeing is this:
    On a given XenApp server, the eventID 1011 - TerminalServicesRemoteConnectionManager
    The remote session could not be established from remote desktop client computername because its temporary license has expired.
    When I hit the Details tab,
    Windows Server 2003 - Terminal Server Per Device CAL Token.
    Which then results in having to remove the MSLicensing registry key. Which is annoying. Anyone else run into this after moving licensing servers and/or models? Feedback would be awesome, danke!

    Hi,
    According to your description, it sounds like a known issue. The workaround is to delete the MSLicensing key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing. (Note: please create a backup of the MSLicensing registry key and its subkeys on the client before you remove the original key and subkeys.)
    For more detailed information, you can refer to the similar thread below:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/9eb42798-e75e-4693-9a5d-9e96895e16c8/remote-desktop-license-server-problem?forum=winserverTS
    Best regards,
    Ssie

  • [Solved] stumpwm: how to get rid of newline using run-shell-command

    Hi all,
    in order to set up my mode-line for stumpwm, I've been using the command run-shell-command such as in:
    (setf *screen-mode-line-format*
          (list
           '(:eval (run-shell-command "date" t))
           '(:eval (run-shell-command "date" t))))
    However, each instance of run-shell-command creates an unnecessary
    newline (so that my mode line contains two lines without necessity).
    Do you know how I can get rid of this newline?
    Thanks!
    Last edited by falsum (2011-05-23 07:12:27)

    jiyuu wrote:
    I didn't test it but the function you want is 'string-trim' or 'string-right-trim'.
    You use it like this:
    (string-trim '(#\Newline) my-string)
    So in your case:
    (setf *screen-mode-line-format*
          (list
           '(:eval (string-trim '(#\Newline)
                                (run-shell-command "date" t)))
           '(:eval (run-shell-command "date" t))))
    That works perfectly well. Thanks a lot jiyuu!!

  • List all app-v applications in use on the users PC

    Hi All ,
    In need of a solution to list all the App-V application names that are currently "In Use" on the user's PC.
    Tried with SFTTRAY.exe /EXIT - this command provides only the number of App-V applications in use but not the application name.
    Also tried with the MS tool listAppVirt.exe from this link http://www.microsoft.com/en-us/download/details.aspx?id=8901. We could only list the running process & PID for the application, but could not find the application name.
    Please let me know if any one have idea on this.
    Thanks In Advance.
    Anand.

    Hello,
    See this script;
    http://www.verboon.info/2013/12/powershell-retrieve-app-v-4-6-package-information/
    Nicke Källén | The Knack| Twitter:
    @Znackattack

  • Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)

    So I am trying to get TACACS+ auth to work for my ACE.
    The command string that I have on the ACE is as follows:
    tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
    aaa group server tacacs+ tacacs+
      server 172.16.101.4
    aaa authentication login default group tacacs+ local
    aaa authentication login console local
    aaa accounting default group tacacs+ local
    But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.
    I do not know how to do this on the ACS 5.1.0.44.
    Anyone know?
    TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.
    Thanks for your reply. About this question:
    shell:<Context>*<Role> <Domain>
    What I meant is that you need to check the following couple of things on your ACS server in order to have AAA TACACS+ users log in to the ACE over the context with superuser rights.
    Group setup -> users -> TACACS+ Settings -> enable Shell(exec) -> enable Custom attributes -> right below this part you need to use the following syntax to link the ACE context that this user has access to.
    For example:
    shell:<Context>*<Role> <Domain>
    shell:Admin*Admin default-domain
    Where this user will have access to the Admin context with the role admin using the 'default-domain'

    Wilfred,
    What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices or you can create another shell profile under Policy Elements -> Device Administration ->
    Once you get into this shell profile, select the Custom Attributes tab and fill in the following fields close to the bottom of the screen. From the example you provided, type shell:Admin for the attribute field and then default-domain for the value field, and make sure you select this requirement as optional. If you select mandatory and other IOS devices use this same shell profile, you will force this AV pair onto those devices as well, which will impact the privilege levels that they need for authentication.
    After you add this attribute, save your changes and then test. Also make sure that your Access Policy is calling this shell profile under the authorization profile for default device admin.
    Thanks,
    Tarik Admani

  • Using Windows Server 2012 per-User RDS CAL on Server 2008 R2 Session Host

    I have a Remote Desktop Licensing Server set up on my domain controller running Windows Server 2012 R2. I have installed a 'Windows Server 2012 Remote Desktop Services per-User CAL' there and activated the licensing server already.
    Currently I use ONLY Windows Server 2008 R2 machines as RDS Session Hosts (in the future I plan to transition them to 2012 R2, hence the CAL I bought is already in the newest version).
    I have already configured my WS 2008 RDS Session Hosts: set Per-User licensing mode and specified the license server address. The connectivity between my Session Host(s) and my License Server seems to be ok, as the Remote Desktop Session Host Configuration window on the Session Host correctly lists the 2012 per-user license (CAL installed on server) from the license server.
    On the License Server I can also see event log entries (in Microsoft-Windows-TerminalServices-Licensing/Admin) indicating that the user has been issued a license.
    The issue I am having is that the license being issued is a 2008 Per User CAL license (Build-in OverUsed - temporary) and not the 2012 Per User CAL license, which is the only license installed on the server. According to the RDS CAL interoperability matrix at social.technet.microsoft.com/wiki/contents/articles/14988.rds-and-ts-cal-interoperability-matrix.aspx, I was expecting the 2012 license to be backward-compatible with 2008 clients (and that in the absence of legacy licenses, the (only) 2012 license would be used for all clients connecting to the licensing server).
    Before I bought my license, I found this document: download.microsoft.com/download/3/D/4/3D42BDC2-6725-4B29-B75A-A5B04179958B/WindowsServerRDS_VLBrief.pdf which says that "newer version RDS CALs can be used with an older version of the server software" (in section FAQ, Q4), which means to me that the 2012 license would work as-is for the 2008 Server and gives me flexibility when upgrading to the new server version.
    How can I make this CAL work in my environment?
    Note:
    I have already explicitly disabled the Prevent license upgrade Group Policy setting, which I assumed would fix the issue, but nothing has changed.
    Then I enabled the License server security group Group Policy setting and added computers from my domain to the RDS Endpoint Servers AD group. I have also created a new AD group called Terminal Server Computers and added the computer accounts there, but it changes nothing. Reference - technet.microsoft.com/en-us/library/ee791761.aspx , technet.microsoft.com/en-us/library/cc725704.aspx and blogs.msdn.com/b/rds/archive/2009/09/17/control-the-issuance-of-rds-cals.aspx.
    I found one potential 'workaround' which involved manually downgrading my CAL license by calling Microsoft Clearinghouse. I am very reluctant to do so because, as I upgrade parts of my infrastructure to Server 2012, I'd need to then ask Microsoft to manually upgrade a part of my license back as well.
    Am I missing something? What should I do to get my 2012 CAL issued to the 2008 R2 server?

    Hi, I have tried several other possibilities.
    I changed the expiry date of my temporarily assigned license (2008 CAL overused). It can be done by changing the Active Directory user property msTSExpireDate. When I restarted my Session Host server and logged in again, my license was renewed for the next 60 days (event ID 4145).
    I also deleted the license information for this user (cleared msTSExpireDate and msTSLicenseVersion), and the license was successfully removed from License Manager. After another SH restart it got the same 2008 overused license (event ID 4143 - license server has successfully issued …).
    I know that changing info in AD attributes is a little trick, and this is not a real value - only a reference, but it was useful to delete or change the expiration date of the license. But it didn't change the type of license as I expected.
    Reference -
    http://discussions.citrix.com/topic/243320-windows-2008-licensing-questions/
    To TP:
    I have found your post with information:
    If you have a Server 2012 RD Licensing server you may install your 2012 RDS CALs on it (no downgrade necessary) and then set your Server 2008 R2 RDSH to use the 2012 RDL server. The 2012 RD Licensing server will automatically issue the CALs as 2008. -
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/6046ded1-96bf-4d79-89ce-38aac2a6694e/can-we-use-windows-server-2012-rds-cal-license-in-rds-2008-r2-server?forum=winserverTS
    And it shows my situation in brief. I also found similar problems, but the solutions don't meet my expectations.
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/dcfb1966-89a8-4b5d-bf5a-ff03ac0b7a66/rds-cal-licenses-not-recognized?forum=winserverTS
    - "sudden all of the CALS were available"
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/f1228599-8452-4a3e-a263-061de14bfcfe/server-2012-rds-builtin-overused-cals-issue?forum=winserverTS
    - "this should go away after a while"
    Is there a way to determine this time you mentioned before? Or should I just wait patiently…

  • How to use the *new* "per-user remote control"?

    Per the ARD description page at: http://itunes.apple.com/us/app/apple-remote-desktop/id409907375?mt=12
    It says under "Whats New in 3.5.1":
    "Per-user remote control
    You can remotely log in to a Mac with any user account on that computer and control it, without interrupting someone else who might be using the computer under a different login."
    How can I do this? I can't seem to find the ability. If I use ARD in its "normal" mode, I am on the user's console at the same time they are. I want to be "underneath" the console without affecting them.

    That capability is only available if your client systems are running Mac OS X 10.7 Lion. See:
    http://support.apple.com/kb/HT4715
    Regards.

  • Limit bandwidth per user/computer using Catalyst 3560 switch

    Hi -
    Can someone help me get started (if at all possible...) with enabling control of used bandwidth at a "per-user" level.
    I wonder if it is possible to do this dynamically with respect to the overall demand from other users.
    I've been searching a lot, but I'm missing the terminology :)
    Sincerely
    Nicholas

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    To my knowledge, what you want to accomplish isn't possible on a 3560.
    You can police at ingress, and if you use a policy map, you can police different "known" IPs.
    What you could do is police user ports at ingress at some nominal bandwidth and, if exceeded, mark the packets. Then on egress, you could direct those packets to a different egress queue with a lower bandwidth guarantee than the normal queue.

  • Restriction SSID Per User with ACS 5.x version

    Hi
    I would like to ask some questions on WLAN technology, where I am using WiSM version 2. I have a requirement that users must be restricted by SSID, so I found that it can be done on ACS version 4.x via NAR for the SSID-based authentication feature. Then, is it possible to do this restriction on ACS version 5.x?
    Please give me the idea or help
    Thanks

    There is a guide how to achieve this with ACS4.2:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
    (you probably know that one)
    This is also working with ACS5.x, maybe this can help you:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/pol_elem.html#wp1074194
    Be careful when configuring a DNIS in ACS5, maybe you are hitting CSCtk16271 (but there is an easy workaround, so this will definitely work!)
    Regards
    Stefan

  • Additional runtime license fees per user in order to use the Java connector

    Hi All,
    I have one question.
    Do we need to pay additional runtime license fees per user in order to use the Java Connector (JCo) supplied by SAP?
    We're currently not using the JCo but are looking into the possibility of using it.
    Thanks in advance.

    Hi All,
    Please answer my question
    We need to use Jco to connect to our 4.6C SAP production system. We do not have Portal or any other components. It's just a plain 4.6C system, service pack level is 23.
    We are currently paying license fees for using the system on a per user basis.
    Thank You.

  • Wayland backend per user for Gnome Shell?

    Hello, I've been trying to set the environment variables for the Wayland backend for Gnome Shell on Wayland, but per user this just doesn't work.
    I tried to put:
    export GDK_BACKEND=wayland
    export CLUTTER_BACKEND=wayland
    into files like .profile and .bashrc, but Gnome Shell doesn't tolerate these two. Without the Wayland backend everything just runs in XWayland "mode".
    Weston tolerates these backends but it is highly "underfeatured" and sometimes it just crashes (some breakpoint trap).
    Any response appreciated.

    I have had a brief look and I think there may be a way to add/change things via .desktop files. It looks like whenever gnome loads a .desktop type file it should look in $XDG_CONFIG_HOME (which, by default, would be $HOME/.config) first before loading it from one of the standard system directories. The standard session definitions are desktop files (though with a .session extension), so putting a copy in $HOME/.config should enable user-specific reconfiguration.

  • Mix to use Per user & Per device CALs ??

    Hi,
    I have built 2 RDS servers and formed an NLB cluster.
    Is it possible to mix Per User and Per Device CALs under this environment? How do I set it up?
    Thanks

    Hi,
    Please see this similar thread which covers how to set it up and how to do tracking of licenses
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/2ce9f814-822c-436b-bd12-80e1ec74c27b/combine-both-per-device-and-per-user-rds-cals-on-the-same-remote-desktop-session-host?forum=winserverTS
    Kind regards,
    Freek Berson

  • Setting up ACS 3.3 on a member server / use external windows user db

    Hi,
    I've a question referring to setting up an ACS (Version 3.3(1) Build 17) on a member server to use a Windows external user DB.
    In step 2 of the installation guide you have to create a computer account named CISCO.
    Is it possible to use another name instead? If yes, how can I manage this?
    Does ACS support a more detailed logfile than the "Failed Attempts" report?
    Any replies appreciated.
    Thanks in advance.
    Regards.

    Dr. Livingstone wrote:
    For Address, I enter 192.168.1.102/ipp/2 and I get 'invalid or incomplete address' for any text entered after 102.
    Like I said, it's been a while...but have you tried 192.168.1.102/ipp/port2 (not just /2) ?
