Authentication with nfs
Hello
I run Oracle 9i and Oracle 9iFS on the same server.
The Oracle 9iFS NFS server works fine.
The mount operation is only executable by root.
And so when I mount the <ifsserver>:home directory,
I can only see the home/guest directory.
I have created a scott user and edited the UidToName file,
adding the line: scott:x:100:
where 100 is the uid of scott's Unix user.
How can I authenticate as scott with NFS to see the Oracle iFS scott home directory?
Thanks for help
Patrice
Based on what you said, you have a Unix user with uid 100 and an iFS user scott in iFS.
As you said, you need to add the entry to the UidToName file ... and restart your NFS server.
To mount from the Unix client as scott (uid 100), just log in as root and do an NFS mount to the iFS server.
If you now log in as scott, you should see the home folder of scott along with guest on your locally mounted drive.
Note that you would have to restart your server after you make the entry in the UidToName file.
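An added check, not from the thread: the iFS NFS server identifies the caller by the Unix uid carried in the request and maps it through UidToName, so a wrong uid in that file hands one Unix user another iFS user's home. The code below parses the `name:x:uid:` form quoted above against a constructed /etc/passwd excerpt and reports uids that point at a differently named Unix account, at no account, or at two iFS users; both samples are constructed, and it assumes each iFS user is meant to be the Unix account of the same name.

```python
from typing import Dict, List

# Constructed sample of an iFS UidToName file in the name:x:uid: form quoted above
# (not copied from a real server). carol deliberately reuses scott's uid.
UIDTONAME_SAMPLE = """\
scott:x:100:
alice:x:101:
dave:x:103:
carol:x:100:
"""

# Constructed /etc/passwd excerpt for the Unix host that mounts the export.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
scott:x:100:100:Scott:/home/scott:/bin/sh
bob:x:101:101:Bob:/home/bob:/bin/sh
alice:x:102:102:Alice:/home/alice:/bin/sh
"""


def parse_uidtoname(text: str) -> Dict[str, int]:
    """Map iFS user name -> Unix uid from name:x:uid: lines; blank lines are skipped."""
    mapping: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            raise ValueError(f"malformed UidToName line: {raw!r}")
        mapping[fields[0]] = int(fields[2])
    return mapping


def parse_passwd(text: str) -> Dict[int, str]:
    """Map Unix uid -> account name from passwd(5) lines (first entry for a uid wins)."""
    accounts: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            raise ValueError(f"malformed passwd line: {raw!r}")
        accounts.setdefault(int(fields[2]), fields[0])
    return accounts


def check_mapping(mapping: Dict[str, int], accounts: Dict[int, str]) -> List[str]:
    """Report mappings that would let the wrong Unix identity reach an iFS home.

    Assumption (not stated in the thread): each iFS user is meant to be the Unix
    account of the same name, so a uid owned by another account is a finding.
    """
    findings: List[str] = []
    claimed: Dict[int, str] = {}  # uid -> first iFS user mapped to it
    for ifs_user, uid in mapping.items():
        if uid in claimed:
            findings.append(f"{ifs_user}: uid {uid} is already mapped to iFS user {claimed[uid]}")
        claimed.setdefault(uid, ifs_user)
        unix_user = accounts.get(uid)
        if unix_user is None:
            findings.append(f"{ifs_user}: uid {uid} has no Unix account on the client")
        elif unix_user != ifs_user:
            findings.append(f"{ifs_user}: uid {uid} belongs to Unix user {unix_user}")
    return findings


if __name__ == "__main__":
    for finding in check_mapping(parse_uidtoname(UIDTONAME_SAMPLE), parse_passwd(PASSWD_SAMPLE)):
        print(finding)
```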
Similar Messages
-
I get error message: "An error occurred with the publication of album...Authentication with server failed. Please check your login and password information" whenever I open a facebook file in my iPhoto. In each file, most of my photos have disappeared. I am hoping I can retrieve these "lost" files. What do I need to do?
Message was edited by: leroydouglas
better yet, try this solution:
https://discussions.apple.com/message/12351186#12351186 -
Error in authentication with ldap server with certificate
Hi,
I have a problem in authentication with an LDAP server with a certificate.
Here I am using the Java API to authenticate.
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
I issued the new certificate, which has a validity of up to 5 years.
Will Java authenticate up to one year only?
Can anybody help on this issue...
Regards
Ranga
Sorry, I am getting the same error
javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
Here, when I am using the old certificate and changing the system date, I can get the authentication.
Can you tell where we can concentrate and solve the issue..
Where is the issue?
1. need to check with the LDAP server only
2. problem in Java code only.
thanks in advance -
I got an issue with the OS of Windows 7.
Unable to scan documents to the user's PC. I am getting the error message "Authentication with the destination has failed. Check settings. To check the current status, press [Scanned Files Status
Other Windows XP PCs can do this.
How can I fix this problem?
Printer Model: C2051 / mp2001sp
Hi,
I searched for the error and it is mentioned in Ricoh's website:
Messages Displayed on the Control Panel When Using the Scanner Function
http://support.ricoh.com/bb_v1oi/pub_e/oi_view/0001045/0001045718/view/trouble/int/0036.htm
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Message: “Authentication with the destination has failed. Check settings. To check the current status, press [Comm. Status/Print].”
Cause: The entered login user name or login password is not correct.
Solution: Check that the user name and password are correct. Check that the ID and password for the destination folder are correct. A password of 128 or more characters may not be recognized.
From the solution, it mentioned that the issue could relate to user account or its password.
Please let me know if it is in domain environment. If so, please test to log the same user account currently on Windows 7 to Windows XP and see if issue persists.
Also please test to directly access the scanning folder on printer server to see if there is any issue in accessing the destination folder. -
Help needed with using network disk with iMovie with NFS or AFP
Hi,
I have iMac with iMovie08 that talks to a remote disk hosted under Linux over a gigabit network using SMB (Samba). It all works ok and I have done a few movies.
Now, I have done some tests with NFS and AFP (AppleTalk) and it seems that these are much faster than SMB.
I then stopped the Samba server and proceeded to setup NFS and also AFP
First NFS,
So I then exported my directory using NFS and I can see everything from my Mac (correct permissions too since I made both user and group IDs the same...). The problem is that when I launch iMovie it shows me the Volume for my external networked disk but it shows it with a little triangle with yellow exclamation and it does not show any of the events (>500GB of events).
If I stop NFS and then switch to AFP I get the same behavior. That is, everything from the Mac works on the AFS mounted disk (copying files back and forth, etc....) but I can't see the contents of the disk from within iMovie
I changed permissions so that anybody can read/write/execute (although there are files that have an '@' sign at the end when I do ls -l on them and I can't remember what that means....)
If I stop NFS and then go back to SMB (Samba) then I am back to a working configuration.
Can I use NFS or AFP with iMovie? What exactly does the yellow triangle mean?
Thanks
Dazed and confused at 3:30am EST...
More timings on SMB vs NFS. Note that the big difference is when sending single large files. The dd cmd was used to simulate 1 hour of DV video, which is about 12GB
1.27GB dvd project (twice each, note the variability... I guess because the project has multiple files?):
MEiMac:Movies me$ time cp -r LS2000Berlin.dvdproj /Volumes/bigsmb/
real 0m37.114s
user 0m0.008s
sys 0m4.164s
MEiMac:Movies me$ time cp -r LS2000Berlin.dvdproj /Volumes/bignfs/
real 0m59.351s
user 0m0.009s
sys 0m8.336s
MEiMac:Movies me$ time cp -r LS2000Berlin.dvdproj /Volumes/bignfs/
real 0m40.671s
user 0m0.009s
sys 0m8.205s
MEiMac:Movies me$ time cp -r LS2000Berlin.dvdproj /Volumes/bigsmb/
real 0m41.680s
user 0m0.008s
sys 0m4.094s
Simulated 1 hour video single file:
MEiMac:Movies me$ time dd if=/dev/zero of=/Volumes/bigsmb/1hour bs=16k count=786432
786432+0 records in
786432+0 records out
12884901888 bytes transferred in 443.960166 secs (29022653 bytes/sec)
real 7m23.994s
user 0m3.434s
sys 1m18.900s
MEiMac:Movies me$ time dd if=/dev/zero of=/Volumes/bignfs/1hournfs bs=16k count=786432
786432+0 records in
786432+0 records out
12884901888 bytes transferred in 235.887283 secs (54623131 bytes/sec)
real 3m56.271s
user 0m1.666s
sys 1m56.995s -
Problem with NFS file adapter using a network share as source of files
Hello,
I have set up a sender cc with NFS format file adapter, with at the source directory a network share (server\sharename). The share is on another system and not mapped to a local drive name, but it is open for everybody.
The problem is, the adapter seems to not pick up the files in the directory, so there must be something I'm overlooking.
- Both servers run on Windows
- Share is available normally and open for everybody for all actions (including the SAPServiceSID user)
- Files themselves are okay. If I put a file on a local drive and make the source directory the local drive instead of the network path, the file gets processed correctly
- Because of the need for a file completion check, FTP is not an option
Does anybody know what is going wrong, or what I could check for trace / logging info on the possible cause of the problem?
Hi,
While using NFS mode you are supposed to put the file on the XI server directory, NOT on a common share directory of any other machine. And this is the reason your adapter is not picking up the file.
You can upload the file to the XI server directory by using the tcode "SXDA_TOOLS"; moreover, you can check the file in the same directory with tcode "AL11". It is the other way around: you can first select or choose the dir by AL11 and then put the file in the same dir by tcode SXDA_TOOLS.
If you need more info about SXDA_TOOLS, let me know.
Regards,
Sarvesh -
Not Working-central web-authentication with a switch and Identity Service Engine
Following up on the document "Configuration example: central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis: since the redirection on the switch is not working, I'm asking for your help...
I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
The interface configuration looks like this:
interface FastEthernet0/24
switchport access vlan 6
switchport mode access
switchport voice vlan 20
ip access-group webauth in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
spanning-tree portfast
end
The ACL's
Extended IP access list webauth
10 permit ip any any
Extended IP access list redirect
10 deny ip any host 172.22.2.38
20 permit tcp any any eq www
30 permit tcp any any eq 443
The ISE side configuration I follow it step by step...
When I connect the XP client, I see the following authentication session...
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.184
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000490AC1A9E2
Acct Session ID: 0x00000077
Handle: 0xB7000049
Runnable methods list:
Method State
mab Authc Success
But there is no redirection, and I get the following message on the switch console:
756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
I have to mention I'm using an http proxy on port 8080...
Any Ideas on what is going wrong?
Regards
Nuno
OK, so I upgraded the IOS to version
SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
I tweaked the ACLs to the following:
Extended IP access list redirect
10 permit ip any any (13 matches)
and created a DACL that is downloaded along with the authentication
Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
10 permit ip any any
I can see the epm session
swlx0x0x#show epm session ip 172.22.3.74
Admission feature: DOT1X
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
And authentication
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.74
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000160042BD98
Acct Session ID: 0x0000001B
Handle: 0x90000016
Runnable methods list:
Method State
mab Authc Success
on the logging, I get the following messages...
017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
What am I missing? -
I have recently upgraded a clients servers to Windows Server 2012 & since doing so have lost the ability to scan to folder.
Both servers are domain controllers and previously on a 2008 domain controller I would have had to make the following change to allow scan to folder:
Administrative Tools
Server Manager
Features
Group Policy Manager
Forest: ...
Default Domain Policy
Computer configuration
Policies
Windows Settings
Security Settings
Local Policies
Security Options
Microsoft Network Server: Digitally Sign Communications (Always)
- Define This Policy
- Disabled
However I have applied this to the Windows 2012 server but am still unable to scan, possibly due to added layers of security in server 2012. The error on the scanner is Authentication with the destination has failed check settings.
I have also tried the following at the server:
Policies -> Security Policies
Change Network Security: LAN Manager authentication level to: Send LM & NTLM - Use NTLMv2 session security if negotiated.
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients and uncheck the require 128 bit.
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers and uncheck the require 128 bit
I have created a user account on the server for the Ricoh and set this in the settings of the Ricoh and verified everything is correct.
Are there any other things I have missed?
I can email anybody the firmware module if interested and how to...
Tell me your model and email
If your offer still stands we have an Aficio MP C3300
Firmware version
Module name Version Part number
System/Copy 1.13 D0255562H
Network Support 8.16.1 D0255563D
Font EXP 1.03 D0255588
OptionPCLFont 1.02 D0255589
animation 1.3.1 D0255568A
Fax 01.10.00 D0255569B
RemoteFax 01.10.00 D0255564B
Printer 1.11 D0255572A
RPCS 3.7.5.4.1 D0255574A
Option PCL 1.00 D0255580A
Scanner 01.17 D0255570C
Network DocBox 1.00 D0255567B
Web Support 1.06 D0255565B
Web Uapl 1.07 D0255566C
libcvm(v4) 4.13 D4135765B
GWFCU3-13(WW) 03.00.00 D3935570C
PowerSaving Sys 1.10 D0255560C
Engine 1.51:09 D0255117E
OpePanel 1.03 D0251492A
LANG0 1.03 D0251496
LANG1 1.03 D0251496
ADF 03.420:02 D3665604
Finisher 01.090:03 D3725112
Best Regards/
Henrik Plougstad
henrik(a)pieroth.dk -
Policy agent 2.2 amfilter local authentication with session binding failed
Hi All,
I have policy agent 2.2 for weblogic 8.1 sp4 installed on redhat linux. All are working fine in my development box. But I was running all the process under user root, so today I decided to change it to a regular user, joe. I changed all the files' owner for weblogic server and policy agent from root to joe, and restart server as user Joe. After the change, I can not access the application on Weblogic server. I changed file ownership back to root and restart weblogic server as root, still same error.
Here is the error I got:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
Here is the error I found from agent log file, amFilter:
AmFilter: now processing: SSO Task Handler
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
SSOTaskHandler: caching SSO Token for user uid=amAdmin,ou=People,dc=etouch,dc=net
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmBaseSSOCache: cached the sso token for user principal : uid=amadmin,ou=people,dc=etouch,dc=net sso token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#, cache size = 1
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
SSOTaskHandler: SSO Validation successful for uid=amAdmin,ou=People,dc=etouch,dc=net
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: now processing: J2EE Local Logout Task Handler
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: local logout skipped SSO User => amAdmin, principal =>null
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: now processing: J2EE Local Auth Task Handler
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: No principal found. Initiating local authentication for amAdmin
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: doing local authentication with session binding
05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: Local authentication failed, invalidating session.05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
WARNING: LocalAuthTaskHandler: Local authentication failed for : /portal/index.jsp, SSO Token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#
05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: result =>
FilterResult:
Status : FORBIDDEN
RedirectURL : null
RequestHelper:
null
Data:
null
-----------------------------------------------------------
Hi,
I'm having the exact same problem in the Prod environment, but on a Sun App Server. In development all is fine, in prod we now have:
ERROR: AmFilter: Error while delegating to inbound handler: J2EE Local Auth Task Handler, access will be denied
java.lang.IllegalStateException: invalidate: Session already invalidated
at org.apache.catalina.session.StandardSession.invalidate(StandardSession.java:1258)
at org.apache.catalina.session.StandardSessionFacade.invalidate(StandardSessionFacade.java:164)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.doLocalAuthWithSessionBinding(LocalAuthTaskHandler.java:289)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.authenticate(LocalAuthTaskHandler.java:159)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.process(LocalAuthTaskHandler.java:106)
at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:185)
at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:152)
at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:38)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
FilterResult:
Status : FORBIDDEN
RedirectURL : null
RequestHelper:
null
Data:
null
Also, when I debug I see:
LocalAuthTaskHandler: No principal found. Initiating local authentication for ...
Did you receive any solution for this?
Many, many thanks,
Philip -
Certificate based authentication with sender SOAP adapter. Please help!
Hi Experts,
I have a scenario where first a .Net application makes a webservice call to XI via SOAP Adapter. Then the input from the .Net application is sent to the R/3 system via RFC adapter.
.Net ---> SOAP ---> XI ---> RFC ---> R/3 System
Now as per client requirement I have to implement certificate based authentication in the sender side for the webservice call. In this case the .Net application is the "client" and XI is the "server". In other words the client has to be authenticated by XI server. In order to accomplish this I have setup the security level in the SOAP sender channel as "HTTPS with client authentication". Additionally I have assigned a .Net userid in the sender agreement under "Assigned users" tab.
I have also installed the SSL certificate in the client side. Then generated the public key and loaded it into the XI server's keystore.
When I test the webservice via SOAPUI tool I am always getting the "401 Unauthorized" error. However if I give the userid/password for XI login in the properties option in the SOAPUI tool then it works fine. But my understanding is that in certificate based authentication, the authentication should happen based on the certificate and hence there is no need for the user to enter userid/password. Is my understanding correct? How to exactly test certificate based authentication?
Am I missing any steps for certificate based authentication?
Please help
Thanks
Gopal
Edited by: gopalkrishna baliga on Feb 5, 2008 10:51 AM
Hi!
Although soapUI is a very good SOAP testing tool, you can't test certificate based authentication with it. There is no way (as far as I know) to import a certificate into soapUI.
So, try to find another tool which can use certificates, or try it directly with the sender system.
Peter -
LDAP authentication with MD5 passwords
Hi,
in one of our Linux servers we have MD5 passwords stored in /etc/shadow. We want to implement pam_ldap on that machine, and move passwords to an LDAP database.
I know it is to be done with {crypt} storage scheme.
This works with DS 5.2 running on a Linux box, but under Solaris 8 I couldn't get it working. I know that Solaris 8 doesn't support MD5 passwords in its crypt(3) function, and I suppose Directory Server uses that. Somewhere I read that, however crypt() in Solaris 9 does support MD5.
Can you confirm that after upgrading to Solaris 9, authentication with MD5-hashed passwords will be possible? Has anyone tried it?
Thanks in advance,
Kristof
Thank you for your reply.
Our openldap version is openldap-2.3.39
And all passwords are encrypted with: Base64-encoded MD5
Below is a sample password:
{md5}2FeO34RYzgb7xbt2pYxcpA==
Thanks again for any help.. -
RSA authentication with LDAP group mapping
Greetings,
I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
The problem I'm having is that my users are in multiple OU's on our AD tree. When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error. If I add an OU in front of it, then it will work fine.
As far as I know, you can only use one LDAP configuration with RSA.
Any thoughts on this?
@Tarik
I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen. I have resorted to creating a Radius profile on the RSA appliance for each access group I need. Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
Thankfully, I have a small group of users that I am attempting to map. I will only map those who need elevated privileges to narrow down how many profiles I will have to manually create. Likewise, our Account Admin will have to determine who gets assigned a particular access group.
I would still prefer to do this dynamically.
Scott -
Solaris 10 openldap authentication with md5 passwords
Hello to everyone,
We are trying to enable ldap authentication with pam_ldap and md5 passwords on a Solaris 10 system to an openldap server. If passwords are stored using crypt, everything works correctly. But if the password in openldap is in md5, then authentication fails.
We have installed openldap client along with pam_ldap and nss_ldap from padl (http://www.padl.com/pam_ldap.html)
The error messages when trying to 'su -' to the ldap user are:
Jun 1 18:35:23 servername su: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:35:23 servername su: [ID 810491 auth.crit] 'su ldapuser' failed for mike on /dev/pts/4
and for ssh:
Jun 1 18:35:54 servername sshd[14197]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:35:54 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun 1 18:36:00 servername sshd[14224]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:00 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun 1 18:36:02 servername sshd[14278]: [ID 800047 auth.info] Accepted publickey for scponly from 10.24.4.52 port 35390 ssh2
Jun 1 18:36:04 servername sshd[14270]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:04 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun 1 18:36:04 servername sshd[14191]: [ID 800047 auth.info] Failed keyboard-interactive/pam for ldapuser from 192.168.1.25 port 41075 ssh2
Jun 1 18:36:08 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:08 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Jun 1 18:36:12 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:12 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Jun 1 18:36:17 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:17 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Below are the configuration files (pam.conf, nsswitch.conf, ldap.conf) and anything else that I imagine could help (comments of the files have been removed).
Please feel free to ask for any other configuration file:
*/etc/pam.conf*
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth sufficient pam_unix_auth.so.1 server_policy debug
login auth required /usr/lib/security/pam_ldap.so.1 debug
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1 use_first_pass
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth required pam_unix_auth.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth sufficient pam_unix_auth.so.1 server_policy
other auth sufficient /usr/lib/security/pam_ldap.so.1 debug
other auth required pam_unix_auth.so.1 use_first_pass debug
passwd auth sufficient pam_passwd_auth.so.1 server_policy
passwd auth required /usr/lib/security/pam_ldap.so.1 debug
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account sufficient pam_unix_account.so.1 server_policy
other account required /usr/lib/security/pam_ldap.so.1 debug
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
*/etc/ldap.conf*
base ou=users,ou=Example,dc=staff,dc=example
ldap_version 3
scope sub
pam_groupdn [email protected],ou=groups,ou=Example,dc=staff,dc=example
pam_member_attribute memberUid
nss_map_attribute uid displayName
nss_map_attribute cn sn
pam_password_prohibit_message Please visit https://changepass.exapmle.int/ to change your password.
uri ldap://ldapserver01/
ssl no
bind_timelimit 1
bind_policy soft
timelimit 10
nss_reconnect_tries 3
host klnsds01
nss_base_group ou=system_groups,ou=Example,dc=staff,dc=example?sub
pam_password md5
*/etc/nsswitch.conf*
passwd: files ldap
group: files ldap
hosts: files dns
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
*/etc/security/policy.conf*
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
CRYPT_ALGORITHMS_DEPRECATE=__unix__
LOCK_AFTER_RETRIES=YES
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_DEFAULT=1
Thanks in advance for any response...!!
Thank you for your reply.
Our openldap version is openldap-2.3.39
And all passwords are encrypted with: Base64-encoded MD5
Below is a sample password:
{md5}2FeO34RYzgb7xbt2pYxcpA==
Thanks again for any help.. -
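An added example, not from either of the two MD5 threads above (the "LDAP authentication with MD5 passwords" one and this Solaris 10 one), showing what the quoted `{md5}` userPassword value is: base64 of a raw, unsalted MD5 digest, which is a different scheme from `{crypt}` with an md5crypt `$1$` string. It verifies a candidate the way a directory server does on simple bind, builds the salted `{SMD5}` form beside it, and flags unsalted values; PAGE_SAMPLE is the value quoted in the thread, every other input is constructed.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Tuple

# userPassword value quoted in the thread above: "{scheme}" prefix plus base64 payload.
PAGE_SAMPLE = "{md5}2FeO34RYzgb7xbt2pYxcpA=="

MD5_LEN = 16  # bytes in an MD5 digest


def split_scheme(stored: str) -> Tuple[str, str]:
    """Split an RFC 2307-style '{scheme}payload' value; the scheme name is case-insensitive."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "", stored  # no prefix: directory servers treat this as clear text


def parse_md5_value(stored: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt): {MD5} is md5(pw) with an empty salt, {SMD5} is md5(pw||salt)||salt."""
    scheme, payload = split_scheme(stored)
    if scheme not in ("MD5", "SMD5"):
        raise ValueError(f"not an MD5-family value: {scheme!r}")
    raw = base64.b64decode(payload, validate=True)
    if len(raw) < MD5_LEN or (scheme == "MD5" and len(raw) != MD5_LEN):
        raise ValueError("payload does not start with a 16-byte MD5 digest")
    return raw[:MD5_LEN], raw[MD5_LEN:]


def verify_ldap_password(stored: str, candidate: str) -> bool:
    """Check a candidate against a {MD5}/{SMD5} value the way the server does on simple bind."""
    try:
        digest, salt = parse_md5_value(stored)
    except ValueError:
        return False  # other schemes ({CRYPT}, {SSHA}, ...) are out of scope here
    computed = hashlib.md5(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, computed)  # constant-time comparison


def make_md5_value(password: str) -> str:
    """Unsalted {MD5}: base64(md5(password)). Equal passwords give equal values."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def make_smd5_value(password: str, salt: bytes = b"") -> str:
    """Salted {SMD5}: base64(md5(password || salt) || salt); a random 8-byte salt by default."""
    salt = salt or secrets.token_bytes(8)
    digest = hashlib.md5(password.encode("utf-8") + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode("ascii")


def is_salted(stored: str) -> bool:
    """True when the stored value carries a per-entry salt ({SMD5}, {SSHA}, {CRYPT})."""
    scheme, _ = split_scheme(stored)
    return scheme in ("SMD5", "SSHA", "CRYPT")


if __name__ == "__main__":
    digest, salt = parse_md5_value(PAGE_SAMPLE)
    print(f"page sample: {len(digest)}-byte digest, salt={salt!r}, salted={is_salted(PAGE_SAMPLE)}")
    v = make_md5_value("secret")  # constructed password, not from the thread
    print(v, verify_ldap_password(v, "secret"), verify_ldap_password(v, "Secret"))
```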
Machine authentication with Windows 7
Version: ISE 1.2p12
Hello,
I'm doing user and machine authentication with ISE.
I use a first authorization rule to authenticate the machine against the AD. If it's part computers of the domain.
Then I use an authorization rule to check if the user's group in AD with the credential he used to open the session + "Network Access:WasMachineAuthenticated = True"
Things seems to be working and I see my switch port is "Authz Success" but shortly after the Windows 7 machine is behaving like 802.1X authentication fails. The little computer on the bottom right has a cross on it.
If I disable and enable again the network card of that windows machine it works.
Does any one of you have an idea about this problem ? something to tweak on Windows 7 like timers...
Thank you
Hi Mika. My comments below:
a) You told me that MAR ("Network Access:WasMachineAuthenticated = True") has some drawbacks. When hibernation is used it can cause problems, since the MAC address could have been removed from the cache when the user un-hibernates the computer. Then why not increase the MAR cache to a value of 7 days? Regarding the roaming between wired and wireless, it's a problem indeed.
NS: I don't believe that the MAR cache would be affected by a machine hibernating or going to sleep. There are some dot1x related bug fixes that Massimo outlined in his first post that you should look into. But yes, you can increase the MAR timer to a value that fits your environment
b) You suggest using one authorization rule for the device, which should be part of the AD, and one authorization rule for the user with the extra result "IdentityAccessRestricted = False". By the way, are we really talking about authorization rules here? I will try this but it's difficult for me to imagine how it would really work.
NS: Perhaps there is some confusion here but let me try to explain this again. The "IdentityAccessRestricted" is a check that can be done against a machine or a user account in AD. It is an optional attribute and you don't have to have it. I use it so I can prevent terminated users from gaining access to the network by simply disabling their AD account. Again, that account can be either for a "user" or for a "machine"
z) One question I was asking myself for a long time. All of us want to do machine+user authentication but Windows write Machine OR User Authentication. This "OR" is very confusing.
NS: At the moment, the only way you can accomplish a true machine+user authentication is to use the Cisco AnyConnect supplicant. The process is also known as "EAP-Chaining" and/or "EAP-TEAP." In fact there is an official RFC (RFC 7170 - See link below). Now the question is when and if Microsoft, Apple, Linux, etc will start supporting it:
https://tools.ietf.org/html/rfc7170
Thank you for rating helpful posts! -
ISE Web Authentication with Profile
Hi,
I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
The Cisco ISE doesn't find the endpoint in my internal endpoint store and continues with Web Authentication.
But when I enable the PSN with the Profiler service, the Cisco ISE populates the internal endpoint store dynamically and I cannot use the Web Authentication because the endpoint is already in the internal endpoint store.
What's the better way to solve this problem?
Thanks in advance
Andre Gustavo Lomonaco
Hi Neno, let me clarify my question
I'm already using my internal endpoints to permit authentication via MAB for my IP Phones, Access Points and Printers. I'm using Profiling to be able to populate this ISE internal database.
Now imagine that I want to use Web Authentication to permit authentication of guest workstations without 802.1x. If the profiler puts the guest workstation MAC in the endpoints database, those workstations will always be authenticated using MAC authentication and not Web Authentication. Remember that for Web Authentication to work we need to configure the "continue" option if the MAC is not found in the endpoints database. But when the profiler is on, the new (guest workstation) MACs are inserted in the endpoints database before I have a chance to use Web Authentication.