Snoop in zones
Hi
I tried to run snoop in a zone and got the message "No Interfaces found" or "not a dlpi interface". How can I snoop a particular port in the zone, since I cannot get the snoop information for a particular port from the global zone?
Thanks/Regards
Sadiq
Hi
After googling, I found that it is also possible in a shared-network zone if we add some directives to the zone's configuration.
Ever been frustrated by the inability to snoop network traffic from within your Solaris Zones? Good news: Solaris 10 11/06 adds "configurable privileges" - the ability to modify the security boundary around one or more zones. How can this help you?
First some background: part of the implementation of a zone's security boundary is the lack of certain Solaris Privileges(5) - privileges that, in the wrong hands, could be used to affect other zones or even the entire system. One simple example is the SYS_TIME privilege, which allows the user to change the system clock that is used by all zones.
In the first release of Solaris 10 (in March, 2005) those privileges were not allowed in a zone. Even the root user of a non-global zone could not gain those privileges. This was a Good Thing, as you would not want one zone to change the system clock, for example.
However, since the debut of Solaris 10, we have investigated the implications of adding those 'prohibited' privileges into specific zones. Solaris 10 11/06 allows many of those privileges to be added to the default set of privileges that are permitted in a zone. Adding privileges must be performed by the global zone administrator by using zonecfg(1M). While adding this functionality, we also added the ability to remove privileges from a zone's limit set.
Of course, adding functionality may also add security risks, and this is true for "configurable privileges." Adding a privilege to a zone's limit set may have unintended consequences. It is crucial to understand the implications of adding a privilege to a zone before actually doing so.
A comprehensive analysis of new possibilities would be a significant undertaking, but in this blog entry and a few others, I hope to provide some guidance on this topic. I'll start with the new ability to snoop network traffic from within a zone. Keep in mind that this includes all traffic on the network interface(s), including traffic for other zones, including the global zone. Adding net_rawaccess also allows the zone to do other nefarious things. Use this privilege, and others, with caution.
To allow a zone to snoop network traffic, you must add two directives to the zone's configuration, and then [re]boot the zone:
global# zonecfg -z twilight
<zonecfg:twilight> set limitpriv="default,net_rawaccess"
<zonecfg:twilight> add device
<zonecfg:twilight> set match=/dev/e1000g0
<zonecfg:twilight> end
<zonecfg:twilight> exit
global#
After booting the zone, the root user can snoop that network interface, and see all traffic on that NIC.
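The recipe above has two halves, net_rawaccess in limitpriv and a raw NIC device delegated into the zone, and the blog text stresses that a zone with both can observe every other zone's traffic. The following is an added example (not from the forum post or the quoted blog) of how a global-zone administrator can audit `zonecfg -z <zone> info` output for exactly that combination. The layout of the sample `info` captures, the list of NIC driver names and the watch-list of sensitive privileges are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Privileges outside a zone's default limit set that let it observe or affect
# state beyond its own boundary (assumed watch-list; net_rawaccess is the one
# the post above discusses).
SENSITIVE_PRIVS = {"net_rawaccess", "sys_time", "sys_net_config", "sys_ip_config"}

# Assumed Solaris NIC driver names; /dev/<driver><instance> delegated to a zone
# gives it the raw DLPI device that snoop needs.
NIC_DEVICE_RE = re.compile(r"^/dev/(e1000g|bge|nxge|ce|hme|qfe|ixgbe|igb|nge|rge|eri)\d+$")


@dataclass
class ZoneInfo:
    zonename: str = ""
    limitpriv: list = field(default_factory=list)   # raw entries, e.g. ["default", "net_rawaccess"]
    devices: list = field(default_factory=list)     # device match patterns
    interfaces: list = field(default_factory=list)  # net/physical entries


def parse_zonecfg_info(text):
    """Parse the 'key: value' / indented-resource layout of `zonecfg -z <zone> info`."""
    info = ZoneInfo()
    section = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if raw[0] not in " \t":                 # top-level property or resource header
            section = key if key in ("net", "device") else None
            if key == "zonename":
                info.zonename = value
            elif key == "limitpriv":
                info.limitpriv = [p.strip() for p in value.split(",") if p.strip()]
        elif section == "device" and key == "match":
            info.devices.append(value)
        elif section == "net" and key == "physical":
            info.interfaces.append(value)
    return info


def added_privs(limitpriv):
    """Privileges explicitly added beyond 'default'; '!priv' entries are removals, not additions."""
    return {p for p in limitpriv if p != "default" and not p.startswith("!")}


def audit_zone(info):
    """Return human-readable findings for one zone; an empty list means nothing to flag."""
    findings = []
    added = added_privs(info.limitpriv)
    for priv in sorted(added & SENSITIVE_PRIVS):
        findings.append(f"{info.zonename}: limitpriv adds {priv}")
    nic_devices = [d for d in info.devices if NIC_DEVICE_RE.match(d)]
    for dev in nic_devices:
        findings.append(f"{info.zonename}: raw NIC device {dev} delegated into the zone")
    if "net_rawaccess" in added and nic_devices:
        # Both halves of the recipe in the post are present: this zone can snoop
        # every packet on the shared NIC, including other zones' traffic.
        findings.append(f"{info.zonename}: can snoop all traffic on {', '.join(nic_devices)}")
    return findings


# Constructed sample output, modelled on the twilight zone configured in the post.
TWILIGHT_INFO = """\
zonename: twilight
zonepath: /zones/twilight
brand: native
autoboot: true
limitpriv: default,net_rawaccess,!sys_time
ip-type: shared
net:
\taddress: 192.168.1.10
\tphysical: e1000g0
\tdefrouter not specified
device:
\tmatch: /dev/e1000g0
"""

# Constructed sample of a zone left at the defaults.
QUIET_INFO = """\
zonename: quiet
zonepath: /zones/quiet
brand: native
autoboot: true
limitpriv:
ip-type: shared
net:
\taddress: 192.168.1.11
\tphysical: e1000g0
\tdefrouter not specified
"""


def audit_all(info_texts):
    """Audit several `zonecfg info` captures; returns {zonename: [findings]} for flagged zones only."""
    report = {}
    for text in info_texts:
        info = parse_zonecfg_info(text)
        findings = audit_zone(info)
        if findings:
            report[info.zonename] = findings
    return report


if __name__ == "__main__":
    for zone, findings in audit_all([TWILIGHT_INFO, QUIET_INFO]).items():
        print(zone)
        for f in findings:
            print("  ", f)
```

Running this over the real captures (for example `for z in $(zoneadm list -c); do zonecfg -z $z info; done`) gives a quick inventory of which zones have been handed a sniffing capability, which is the kind of check worth repeating after any zonecfg change.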
Similar Messages
-
Snooping traffic between zones?
Hi fellow admins,
is there any supported method to snoop network traffic that's going on between two zones on the same machine?
I've tried the usual way with filtering for the IPs of both zones, but I see nothing.
My assumption goes that this comes from both zones running on two virtual instances of the same physical network interface,
and thus the traffic is handled internally, while snoop only sees traffic that actually goes out on the wires.
Any way to resolve this without splitting the zones over two servers?
I think that you would have to snoop the loopback interface in order to do this; unfortunately snooping of a loopback interface has so far only been implemented in Solaris Express..
.7/M. -
Jumpstart installation from Solaris 10 zone
Hi,
I am using a Sol 10 zone as a jumpstart server, and have encountered a problem.
Due to not being able to use the out-of-the-box nfs server, as it does not run in a local zone on Sol 10, I have looked at using a user-space nfs server, unfsd.
unfsd runs fine, and can be used by a client to nfs-mount a directory, but when it comes to using the client's flash archive to build the client, I get this error below in my snoop output:
10:54:46.04754 js-client -> js-server MOUNT3 C Mount /flash_archives/TEST/js-client.flar
10:54:46.04779 js-server -> js-client MOUNT3 R Mount Not a directory
Which implies to me that the jumpstart client is trying to nfs-mount a file, and unfsd does not allow this.
Any advice/suggestions on how to resolve this would be appreciated.
Richard.
Edited by: Richard on Jun 22, 2012 8:51 AM
Just to provide an update.
I switched to using ftp to get the flar file from the jumpstart server, which works fine.
I do believe that the issue with NFS is because the Solaris in-built NFS will allow a file to be NFS-mounted, but the user-space NFS daemon I used ( unfsd ) does not allow this, although I've not done sufficient snooping to prove this.
Richard. -
W2003 DNS cache snooping vulnerability for PCI-DSS compliance.
Hi everyone.
How can I solve this security vulnerability reported by Nessus(security software) with W2003's DNS ?
DNS Server Cache Snooping Remote Information Disclosure
Synopsis:
The remote DNS server is vulnerable to cache snooping attacks.
Description:
The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently
visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution.
Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more. Note: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include
employees, consultants and potentially users on a guest network or WiFi connection if supported.
Risk factor:
Medium
CVSS Base Score:5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
See also:
http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf
Solution:
Contact the vendor of the DNS software for a fix.
Plugin output:
Nessus sent a non-recursive query for example.com and received 1 answer : 192.0.43.10
I have been searching for a solution on the web, but I was unable to find one that would let me use "recursion" at our DNS server.
We have an internal DNS server for Active Directory, with forwarding to resolve external internet domains, as is required by our application. But now the only way to fix this is to disable "recursion", and we are working with external IP addresses instead
of internet DNS names, which is not a good solution for us.
I found something about splitting DNS functions, but my point is that we have all the servers, internal and DMZ, inside the same AD domain, so we need to use the same AD-integrated DNS server, notwithstanding that we must resolve external DNS records for our application. How
can I do this without getting the same vulnerability again? I don't know how to do it by disabling "recursion"; if I disable recursion I will be unable to resolve external DNS names.
Any suggestion will be really appreciated!!
thx!!
That's basically for your internet-facing DNS. I wouldn't worry about it too much for internal DNS, since that's only hosting your internal AD zone.
Other than setting the "Secure cache against pollution" setting, you can also opt to disable caching of all records so each and every query is a fresh query. This actually fixes CNAME vs A record TTL mismatch issues, too, not that you're probably seeing them
or not, but I just wanted to add that:
Description of DNS registry entries in Windows 2000 Server, part 2 of 3 (applies to 2003, 2008 & 2008 R2)
http://support.microsoft.com/kb/813964
Cannot resolve names in certain top level domains like .co.uk.
http://blogs.technet.com/b/sbs/archive/2009/01/29/cannot-resolve-names-in-certain-top-level-domains-like-co-uk.aspx
============
To turn off or disable local cache: (Windows 2000 notes, but they apply to all current OS's)
Set the MaxCacheTtl to 0 in the registry or use Dnscmd
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
Value: MaxCacheTtl
Type: DWORD
Default: NoKey (Cache for up to one day)
Function: Set maximum caching TTL.
MaxCacheTtl
Type: DWORD
Default value: 0x15180 (86,400 seconds = 1 day)
Function: Determines how long the DNS server can save a record of a
recursive name query.
You can use the MaxCacheTtl registry entry to specify how long the DNS
server can save a record of a recursive name query.
If the value of the MaxCacheTtl entry is 0x0, the DNS server does not save
any records.
The DNS server saves the records of recursive name queries in a memory cache
so that it can respond quickly to new queries for the same name. Records are
deleted from the cache periodically to keep the cache content current. The
interval when the records remain in the cache typically is determined by the
value of the Time to Live (TTL) field in the record. The MaxCacheTtl entry
establishes the maximum time that records can remain in the cache. The DNS
server deletes records from the cache when the value of this entry expires,
even if the value of the TTL field in the record is greater.
Change method
To change the value of the MaxCacheTtl entry, use Dnscmd.exe, a tool that is
included with the Windows 2000 Support Tools. The change is effective
immediately so that you do not have to restart the DNS server.
Start method
DNS reads its registry entries only when it starts. If you change the value
of the MaxCacheTtl entry by editing the registry, the changes are not
effective until you restart the DNS server.
Note the following items: . Windows 2000 does not add the MaxCacheTtl entry
to the registry. You can add it by editing the registry or by using a
program that edits the registry.
The MaxCacheTtl entry does not affect Windows Internet Name Service
(WINS) data that is saved in the DNS memory cache. WINS data is saved until
the Cache Timeout Value on the WINS record expires. To view or change the
Cache Timeout Value on the WINS record, use the DNS snap-in. Right-click a
zone name, click Properties, click the WINS tab, and then click Advanced.
===============================
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
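The Nessus finding in the question above boils down to one observation: a query with the recursion-desired bit clear was answered, so the name must already have been in the server's cache. After applying a change such as MaxCacheTtl=0 or disabling recursion, an administrator will want to confirm the behaviour against their own server rather than wait for the next scan. The following is an added example (not from the thread or from Nessus) that builds the non-recursive probe packet by hand, interprets the reply the way the plugin does, and includes a small constructed-response helper so the logic can be exercised offline. The `probe()` function and its command-line usage are assumptions; only point it at a resolver you operate.

```python
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def build_query(name, qid=0x1234, recursion_desired=False):
    """Build a DNS A query; with recursion_desired=False the RD bit is clear, so an
    answer can only come from the server's cache or its own authoritative data."""
    flags = 0x0100 if recursion_desired else 0x0000          # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)  # QDCOUNT=1, no other sections
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(pkt):
    """Decode the 12-byte DNS header into the fields the check needs."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # response bit
        "rd": bool(flags & 0x0100),   # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(query, response):
    """Interpret a reply to a non-recursive probe the way the Nessus plugin does."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        return "invalid"
    if q["rd"]:
        return "not-a-probe"         # a recursive query proves nothing about the cache
    if r["ancount"] > 0:
        return "cached"              # answered without recursing: the finding Nessus reports
    return "not-cached"


def build_response(query, answer_ip=None):
    """Constructed reply for offline tests: echoes the question and, if answer_ip is
    given, adds one A record (compression pointer 0xC00C -> the question name)."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8080                                            # QR=1, RA=1, RD=0
    if answer_ip is None:
        return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + question
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 3600, 4) + socket.inet_aton(answer_ip)
    return struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0) + question + rr


def probe(server, name, timeout=2.0):
    """Live check against a resolver you operate: send the non-recursive query and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        response, _ = s.recvfrom(512)
    return classify(query, response)


if __name__ == "__main__":
    import sys
    # usage: python dns_cache_check.py <your-dns-server-ip> [name]
    print(probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "example.com"))
```

A result of "not-cached" for a name that was resolved through the server a moment earlier shows that the remediation took effect; "cached" reproduces the plugin output quoted in the question ("received 1 answer : 192.0.43.10").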
Intermittent Routing between Shared IP Zones
I've setup a single machine with zones for apache and mail services which use the global zone's external data link. I've setup the zones as shared-ip zones:
zonename: apache
net:
address: 192.168.0.1/24
physical: bge1
defrouter not specified
zonename: mail
net:
address: 192.168.0.2/24
physical: bge1
defrouter not specified
The zones have their routing setup in the global zone as such:
route add public apache -interface
route add public mail -interface
And the global ifconfig is as such:
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
zone mail
inet 127.0.0.1 netmask ff000000
lo0:2: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
zone apache
inet 127.0.0.1 netmask ff000000
bge1: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
inet XXX.XXX.XXX.XXX netmask fffffff8 broadcast XXX.XXX.XXX.XXX
ether 0:23:8b:aa:15:6b
bge1:1: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
zone mail
inet 192.168.0.2 netmask ffffff00 broadcast 192.168.0.255
bge1:2: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
zone apache
inet 192.168.0.1 netmask ffffff00 broadcast 192.168.0.255
The global zone is configured with NAT to map and rdr between the global ip address and the zone's local ip address.
The configuration works and runs ok, but I keep getting connection timeouts about 50% of the time.
I've snooped the tcp connections from the global zone but they are going unanswered even though the zones are running and responding correctly. The ipmon log shows the same behaviour with in requests but no mapped out responses during the connection timeouts.
I think this might be a problem with routing between zones with shared-ip, but I'm not sure what I can do to fix the problem?
I'm running Solaris 10 10/09.
Thanks,
Cam
sowmini wrote:
The zones have their routing setup in the global zone as such:
route add public apache -interface
route add public mail -interface
it's not clear what "apache" and "mail" are, in your example above: are these the IP addresses assigned to
each of the non-global zones? (I'm assuming "public" is a subnet that you want the NGZ's to reach?)
yes, apache and mail are the local hostname of the 2 zones which are running those services which is specified in /etc/hosts
apache is 192.168.0.1/24
mail is 192.168.0.2/24
public is the subnet of the global zone's only ip address and external network
> The global zone is configured with NAT to map and rdr between the global ip address and the zone's local ip address.
> The configuration works and runs ok, but I keep getting connection timeouts about 50% of the time.
What does "netstat -s -P ip" show? That may tell you where the packets are sporadically getting dropped.
Here's the output of running the command:
bash-3.00# netstat -s -P ip
IPv4 ipForwarding = 1 ipDefaultTTL = 255
ipInReceives =8454948 ipInHdrErrors = 0
ipInAddrErrors = 0 ipInCksumErrs = 0
ipForwDatagrams = 152 ipForwProhibits = 0
ipInUnknownProtos = 114 ipInDiscards = 3
ipInDelivers =64396846 ipOutRequests =6476680
ipOutDiscards = 0 ipOutNoRoutes = 238
ipReasmTimeout = 60 ipReasmReqds = 0
ipReasmOKs = 0 ipReasmFails = 0
ipReasmDuplicates = 0 ipReasmPartDups = 0
ipFragOKs = 0 ipFragFails = 0
ipFragCreates = 0 ipRoutingDiscards = 0
tcpInErrs = 3 udpNoPorts = 2435
udpInCksumErrs = 0 udpInOverflows = 0
rawipInOverflows = 0 ipsecInSucceeded = 0
ipsecInFailed = 0 ipInIPv6 = 0
ipOutIPv6 = 0 ipOutSwitchIPv6 = 0
I found this discussion on the networking forum which sounds very similar to what I'm seeing, but I've tried to set a static arp for the public router and it doesn't seem to have made much difference:
Solaris Server timeouts
when all is working the media table looks like this:
bash-3.00# netstat -pn
Net to Media Table: IPv4
Device IP Address Mask Flags Phys Addr
bge1 XXX.XXX.XXX.137 255.255.255.255 o 00:0c:31:ec:1b:01
bge1 192.168.0.1 255.255.255.255 SPLA 00:23:8b:aa:15:6b
bge1 192.168.0.2 255.255.255.255 SPLA 00:23:8b:aa:15:6b
bge1 XXX.XXX.XXX.138 255.255.255.255 SPLA 00:23:8b:aa:15:6b
bge1 224.0.0.0 240.0.0.0 SM 01:00:5e:00:00:00
and then every half hour to an hour, the router gets dropped and the table is flushed out before getting re-created:
Net to Media Table: IPv4
Device IP Address Mask Flags Phys Addr
bge1 192.168.0.1 255.255.255.255 SPLA 00:23:8b:aa:15:6b
bge1 192.168.0.2 255.255.255.255 SPLA 00:23:8b:aa:15:6b
bge1 XXX.XXX.XXX.138 255.255.255.255 SPLA 00:23:8b:aa:15:6b
bge1 224.0.0.0 240.0.0.0 SM 01:00:5e:00:00:00 -
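The thread above suggests two signals for this kind of intermittent failure: growth in the drop-related counters of `netstat -s -P ip` between two snapshots, and the router's entry disappearing from the `netstat -pn` media table. The following is an added example (not from the thread) that parses both outputs and combines them into one verdict. The snapshots are constructed: the first mirrors the counters posted above, the second has ipOutNoRoutes advanced, and 203.0.113.137 stands in for the masked router address.

```python
import re

COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9]*)\s*=\s*(\d+)")

# Counters whose growth between two snapshots points at where packets die
# (names as printed by `netstat -s -P ip` in the post).
DROP_COUNTERS = ("ipInDiscards", "ipOutDiscards", "ipOutNoRoutes", "ipRoutingDiscards",
                 "ipInAddrErrors", "ipInHdrErrors", "ipForwProhibits", "tcpInErrs")


def parse_ip_stats(text):
    """Turn the two-columns-per-line counter dump into {counter: value}."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def drop_deltas(before, after):
    """Drop-related counters that increased between snapshots, with the increase."""
    deltas = {}
    for name in DROP_COUNTERS:
        change = after.get(name, 0) - before.get(name, 0)
        if change > 0:
            deltas[name] = change
    return deltas


ARP_ROW_RE = re.compile(
    r"^(?P<device>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\S+)\s+(?P<flags>\S+)\s+(?P<mac>[0-9a-fA-F:]+)\s*$",
    re.MULTILINE)


def parse_media_table(text):
    """Parse `netstat -pn` (Net to Media Table) rows into {ip: (device, flags, mac)}."""
    return {m["ip"]: (m["device"], m["flags"], m["mac"]) for m in ARP_ROW_RE.finditer(text)}


def router_missing(media_table_text, router_ip):
    """True when the default router has no ARP entry, the state that coincides with the timeouts."""
    return router_ip not in parse_media_table(media_table_text)


# Constructed snapshots. The first mirrors the counters in the post; in the second
# ipOutNoRoutes has grown, the signature of a router whose ARP entry has been lost.
STATS_BEFORE = """\
IPv4 ipForwarding = 1 ipDefaultTTL = 255
ipInReceives =8454948 ipInHdrErrors = 0
ipForwDatagrams = 152 ipForwProhibits = 0
ipInDiscards = 3 ipInDelivers =64396846
ipOutRequests =6476680 ipOutDiscards = 0
ipOutNoRoutes = 238 ipRoutingDiscards = 0
tcpInErrs = 3 udpNoPorts = 2435
"""
STATS_AFTER = STATS_BEFORE.replace("ipOutNoRoutes = 238", "ipOutNoRoutes = 251")

# Constructed media tables; 203.0.113.137 stands in for the masked router address.
ROUTER_IP = "203.0.113.137"
MEDIA_OK = """\
Net to Media Table: IPv4
Device IP Address Mask Flags Phys Addr
bge1 203.0.113.137 255.255.255.255 o 00:0c:31:ec:1b:01
bge1 192.168.0.1 255.255.255.255 SPLA 00:23:8b:aa:15:6b
bge1 192.168.0.2 255.255.255.255 SPLA 00:23:8b:aa:15:6b
bge1 224.0.0.0 240.0.0.0 SM 01:00:5e:00:00:00
"""
MEDIA_FLUSHED = "\n".join(l for l in MEDIA_OK.splitlines() if ROUTER_IP not in l) + "\n"


def triage(stats_before, stats_after, media_table, router_ip=ROUTER_IP):
    """One-shot verdict combining both signals."""
    return {
        "counter_growth": drop_deltas(parse_ip_stats(stats_before), parse_ip_stats(stats_after)),
        "router_arp_missing": router_missing(media_table, router_ip),
    }


if __name__ == "__main__":
    print(triage(STATS_BEFORE, STATS_AFTER, MEDIA_FLUSHED))
```

Run from cron every minute with real `netstat` output saved to files, the two functions give a timeline of when the router entry vanishes and which counter grows at that moment, which is far easier to correlate with the ipmon log than eyeballing the tables by hand.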
Ipv6 address setup in local zone
I'm having problems with a local zone that needs a defined IPv6 address. I've had a number of issues -- now i'm down to routing.
I've set up a manual address on a physical interface, and assigned it to a zone by setting it from the global zone:
ifconfig bge3 inet6 addif 2001:6b0:8:1::54/64 zone g.ns.se up
The zone "gets" the interface but there are no default routes visible in the local zone. I can ping the interface from the local LAN connected to bge3, but not beyond. snoop in the global zone sees the packets.
The global zone can configure ipv6 by RA and gets its routing information all right.
Manually adding a default route from the global zone does not help.
Clues?
My experience with default route ipv6 visibility within a local zone is the same.
One way to get ipv6 default route info into the local zone is to let the global zone in.ndpd daemon do the ipv6 autoconfig including default route discovery (the ipv6 RA you've mentioned) and manually configure/add a new unique link-local FE80::/10 address within the local zone (besides the global ipv6 address you've already set up). At that point the default route makes it into the local zone table and ipv6 connectivity happens. Both ipv6 interfaces - the global zone one with ndpd and also the local zone one - have to stay within the same LAN.
I see this as a temporary workaround as this way lacks autoconfig ability (remember ipv6 ?) and currently offers less compared to ipv4 setup options. -
Synchronous inetd coredumping over multiple zones
We're experiencing rather strange behaviour on several of our zoned systems (some M5k's, 5220's, T2000's),
in that some Solaris daemons (mostly the inetd) are repeatedly coredumping, in all zones at the same time.
Aug 2 13:29:01 so02 genunix: [ID 603404 kern.notice] NOTICE: core_log: inetd[18080] core dumped: /var/core/core_zone1_inetd_0_0_1217676540_18080
Aug 2 13:29:02 so02 genunix: [ID 603404 kern.notice] NOTICE: core_log: inetd[18094] core dumped: /var/core/core_zone2_inetd_0_0_1217676541_18094
Aug 2 13:29:02 so02 genunix: [ID 603404 kern.notice] NOTICE: core_log: inetd[18247] core dumped: /var/core/core_zone1_inetd_0_0_1217676542_18247
Aug 2 13:29:03 so02 genunix: [ID 603404 kern.notice] NOTICE: core_log: inetd[18261] core dumped: /var/core/core_zone2_inetd_0_0_1217676543_18261
Aug 2 13:29:04 so02 genunix: [ID 603404 kern.notice] NOTICE: core_log: inetd[18275] core dumped: /var/core/core_zone2_inetd_0_0_1217676543_18275
Aug 2 13:29:05 so02 genunix: [ID 603404 kern.notice] NOTICE: core_log: inetd[18285] core dumped: /var/core/core_zone1_inetd_0_0_1217676544_18285
These always seem to come in bursts of three crash rounds, then it's running fine for a few days, and suddenly another burst of coredumps - on average twice a week.
The machines are not visible to the internet, and as it also happens on weekends, I think I can rule out a malicious user trying to exploit some flaw in inetd causing it to crash.
Anyone got a hint what might cause this, or how to trace the issue back?
Smells like a bug in inetd that is being tickled by a port scan. If someone in your organization is doing scanning, it could hit all your zone IPs within a short period of time.
If you can't find who's responsible via other methods (asking around), I'd set up a zone that isn't doing anything (so it has almost no network traffic). Then I'd run snoop to watch traffic for that hostname just before you might expect it again. Then go back and correlate the traffic after you find inetd down again. By having the zone otherwise idle, the snoop traffic should be light enough that you can run it for hours with little impact.
Darren -
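Darren's advice is to correlate the core_log timestamps with a snoop capture from an otherwise idle zone. The first step of that is turning the syslog lines into precise time windows, and the core file names already carry epoch seconds. The following is an added example (not from the thread) that parses the quoted core_log lines, groups them into bursts and reports which zones each burst touched; a burst that hits several zones within a few seconds is the pattern that points at one external trigger. It assumes the coreadm global pattern core_%z_%f_%u_%g_%t_%p, which is what the posted paths look like, and adds two constructed lines three days later so there is more than one burst to separate.

```python
import re
from collections import defaultdict

CORE_LOG_RE = re.compile(
    r"core_log: (?P<proc>\w+)\[(?P<pid>\d+)\] core dumped: (?P<path>\S+)")
# coreadm global pattern assumed to be core_%z_%f_%u_%g_%t_%p, which is what the
# paths in the post look like: zone, exec name, uid, gid, epoch seconds, pid.
CORE_PATH_RE = re.compile(
    r"core_(?P<zone>[^_]+)_(?P<exe>[^_]+)_(?P<uid>\d+)_(?P<gid>\d+)_(?P<epoch>\d+)_(?P<pid>\d+)$")


def parse_core_events(lines):
    """Return sorted (epoch, zone, exe, pid) tuples for every core_log line; other lines are ignored."""
    events = []
    for line in lines:
        m = CORE_LOG_RE.search(line)
        if not m:
            continue
        p = CORE_PATH_RE.search(m["path"])
        if not p:
            continue
        events.append((int(p["epoch"]), p["zone"], p["exe"], int(p["pid"])))
    return sorted(events)


def group_bursts(events, max_gap=10):
    """Cluster events whose spacing is at most max_gap seconds into bursts."""
    bursts = []
    for ev in events:
        if bursts and ev[0] - bursts[-1][-1][0] <= max_gap:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return bursts


def summarize(bursts):
    """Per burst: time window, zones hit and crashes per zone. Cross-zone bursts are
    the pattern that points at a single external trigger rather than a per-zone fault."""
    out = []
    for b in bursts:
        per_zone = defaultdict(int)
        for _, zone, _, _ in b:
            per_zone[zone] += 1
        out.append({
            "start": b[0][0],
            "end": b[-1][0],
            "zones": sorted(per_zone),
            "crashes": dict(per_zone),
            "cross_zone": len(per_zone) > 1,
        })
    return out


# The six lines from the post plus two constructed ones three days later, so that
# the grouping has more than one burst to separate.
SAMPLE_LOG = """\
Aug 2 13:29:01 so02 genunix: [ID 603404 kern.notice] NOTICE: core_log: inetd[18080] core dumped: /var/core/core_zone1_inetd_0_0_1217676540_18080
Aug 2 13:29:02 so02 genunix: [ID 603404 kern.notice] NOTICE: core_log: inetd[18094] core dumped: /var/core/core_zone2_inetd_0_0_1217676541_18094
Aug 2 13:29:02 so02 genunix: [ID 603404 kern.notice] NOTICE: core_log: inetd[18247] core dumped: /var/core/core_zone1_inetd_0_0_1217676542_18247
Aug 2 13:29:03 so02 genunix: [ID 603404 kern.notice] NOTICE: core_log: inetd[18261] core dumped: /var/core/core_zone2_inetd_0_0_1217676543_18261
Aug 2 13:29:04 so02 genunix: [ID 603404 kern.notice] NOTICE: core_log: inetd[18275] core dumped: /var/core/core_zone2_inetd_0_0_1217676543_18275
Aug 2 13:29:05 so02 genunix: [ID 603404 kern.notice] NOTICE: core_log: inetd[18285] core dumped: /var/core/core_zone1_inetd_0_0_1217676544_18285
Aug 5 09:10:00 so02 sshd[1234]: [ID 800047 auth.info] Accepted publickey for admin
Aug 5 09:12:00 so02 genunix: [ID 603404 kern.notice] NOTICE: core_log: inetd[20001] core dumped: /var/core/core_zone1_inetd_0_0_1217920320_20001
Aug 5 09:12:01 so02 genunix: [ID 603404 kern.notice] NOTICE: core_log: inetd[20002] core dumped: /var/core/core_zone2_inetd_0_0_1217920321_20002
"""


def report(log_text, max_gap=10):
    """Convenience wrapper: raw syslog text in, list of burst summaries out."""
    return summarize(group_bursts(parse_core_events(log_text.splitlines()), max_gap))


if __name__ == "__main__":
    for b in report(SAMPLE_LOG):
        print(b)
```

The start/end epochs of each burst are exactly the window to cut out of the snoop capture from the idle zone; anything that reached every zone's address inside those few seconds is the candidate trigger.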
Hello,
Using a vulnerability tool, I have discovered I need to remedy DNS Snooping potential.
http://support.microsoft.com/kb/2678371
I understand that one fix is to disable recursion. I also understand that, if I disable recursion, I will need to setup forwarders in order for anyone in my LAN to reach the outside world. At least, that's the idea.
Here's where I get confused, though. I have a domain that is operating within a subnet of a larger network. I have no control over this network, and just barely have indirect control over how things are set up inside.
A DHCP server, which I do not control, issues IP addresses, DNS addresses, etc, based on the MAC address.
If I query what DNS server I'm using, I get two responses - neither of which are the DNS server that I actually operate as part of my Domain - which is hosted on my domain controller.
So my real question is: If my workstations report DNS entries for DNS servers that aren't my own, will I still break things if I disable recursion on the local DNS server?
Also, does this imply that when I resolve a local host name (say COMPUTER1.MYDOMAIN.BIGGERDOMAIN.COM), it goes to one of these "foreign" DNS servers first, which then directs the request back to my local DNS server? Still just a student here.
Thanks!
M.
So my real question is: If my workstations report DNS entries for DNS servers that aren't
my own, will I still break things if I disable recursion on the local DNS server?
No, as long as forwarders are properly set. Mainly configure your ISP DNS servers as forwarders. If you manage multiple domains internally then you can set up a conditional forwarder.
Also, does this imply that when I resolve a local host name (say COMPUTER1.MYDOMAIN.BIGGERDOMAIN.COM),
it goes to one of these "foreign" DNS servers first, which then directs the request back to my local DNS server? Still just a student here.
Assuming that your workstations use your internal DNS server for resolution then:
The internal DNS server will respond directly if it is authoritative on the DNS zone (Means that the zone is hosted on it)
The internal DNS server will forward the request to the DNS server of the specific domain if a conditional forwarder is set. Once it receives an answer then it will cache it and respond to the client
The internal DNS server will forward the request to your ISP DNS servers for domains on which it is not authoritative or have conditional forwarders set. Once it receives an answer then it will cache it and respond to the client
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
DNS: reverse zone comes back after remove and some follow up issues
hello community,
after installation of OSL i had setup dns with a primary zone.
the automatically created reverse zone for my internal network is fine.
whenever i enter a new system the default for the ip address is 10.0.0.1 and the reverse zone is automatically setup for this ip address.
whenever i remove this reverse zone it come back automatically after saving the dns configuration.
with this come some follow up error.
server admin claim that there is no name server configured for this reverse zone.
when i configure it the configured name server entry vanished after clicking the save button.
when i try to configure settings i can not. i get the error message that the configuration can not be saved cause of the missing name server for the reverse zone i am not using ....
in the log file i can see that the file for reverse zone can not be found.
when i check the dns configuration in the shell i can see that the reverse zone file is not there.
someone has an idea
- whats the best way to fix this?
- why is the gui still showing the reverse zone i am not using?
- is the dns configuration also in the ldap db with wrong entries?
regards
christian
Clean out your zone definitions, and start over. Server Admin is unfortunately seemingly fussy around the authoritative server stuff and the order stuff gets entered, and it seems you can get into a sequence where it doesn't have what it needs. I had encountered a couple of cases when I was in a similar state as you're in now, and I ended up clearing and deleting the primary zone and re-adding the zone and the hosts, being careful to add the authoritative server as the first step of adding a zone.
-
Solaris 8 Container in Solaris 10 Zone
Hi All,
one of our customers wants to run Solaris 8 with Oracle 8.1.7 in a BrandZ Zone. Does anybody have an idea about how stable Solaris 8 is in a Zone environment? Are there any known issues with Solaris 8 running in a Zone?
Since Solaris 8 is EndOfShipment, are there chances to get up-to-date Sun Hardware bundled with Solaris 8 apart from using Solaris 10 Zones?
Thanks in Advance,
Dog
I didn't; however, I wasn't hammering it. If the load was expected to be high I would have done the I/O layout differently (try and follow some of Oracle's ideas: SAME for one, if possible).
Some of it depends on the load and the load from the other zones. You can allocate resource limits to give more priority to more important zones, or make sure you have enough resources to start with. What type of load are you expecting? -
Hi Community!!
I have an ISE 1.2 pair, v9 patch installed and synchronized. Recently our time zone changed to summer time, which is one hour later. In the CLI I can see that the reference is sent by NTP and the clock has changed, but in monitoring I can still see that there is an hour difference from real time.
I read in Cisco official documentation that time cannot be changed on ISE or else it will become unusable, but the logs are not being timestamped correctly and also the time the RADIUS requests are made by the NAD vs the time they are received by ISE has a one hour difference.
Is there a way to solve this? It seems to be prone to any kind of unexpected behaviour when we are least expecting it.
Thank you!!
Hmm, this is very strange and it almost seems like a bug with ISE. I would recommend that you contact TAC and have them check this out.
The reason I think that it is a bug (related to the timezone) is the fact that the base OS (Cent/ADE OS) appears to be running fine and keeping track of DST (Daylight Saving Time) but the actual application (ISE) installed on Cent is not.
I am far from an NTP or Linux expert but I don't believe that NTP pushes/honors timezones. I think NTP just synchronizes the clock while timezones/DST are controlled locally.
If the issue is not a bug, it is perhaps due to selecting the incorrect timezone. I have never done a deployment outside of the US and the UK so I am not familiar with timezones in Chile. However, if we take Eastern Time Zone for example, I had to make sure that I select "EST5EDT" in ISE and not just EST. If I simply selected EST then DST was not observed and made things ugly :) The same applied for Pacific timezone where I had to make sure that I select "PST8PDT". With all of that being said, I checked the CLI in ISE and I don't see any Chile related timezones that would indicate DST observations. You can check for those yourself by using the following command: "show timezones"
I was able to find these but perhaps there are more and a specific one to CST/CLST. I tried searching for those but could not find anything:
NS-ISE-01/admin# show timezones | i Santiago
America/Santiago
NS-ISE-01/admin# show timezones | i Chile
Chile/EasterIsland
Chile/Continental
NS-ISE-01/admin# show timezones | i CLT
NS-ISE-01/admin# show timezones | i CLST
Let me know what you find. I would like to know the cause/resolution
Thank you for rating helpful posts! -
Zona Franca ICMS+IPI: BXZF not discounting - Sales Order
Good afternoon;
I am trying to set up a Zona Franca (free trade zone) scenario for imported products that will be subject to ICMS+IPI tax.
The scenario is configured as follows:
1) Normal Zona Franca sales scenario for domestic products. No tax incidence.
- Tax code I1.
- IVA SZ triggers the BXZF discount line, which gives the ZF discount - OK
2) Imported items scenario - materials with origin "1", "2" or "8" - ICMS+IPI incidence.
- Tax code - I3 - ICMS+IPI
- Must bring the IVA code "SD", triggering the ICMS calculation.
- BXZF is a RefConType of IBRX.
- Must not trigger the BXZF line.
- BXZF - brings IVA SZ.
Configured scenario:
- Created a new table 972 - Country, Customer Class, Material Class, Material Origin.
- Access sequence IZOF - to table 972
- Condition DIZF - access sequence - IZOF.
- When I create the sales order the system handles it this way:
1) It checks the material origin and finds "1"
2) Determines IVA "SD" in condition DIZF
3) BXZF is a RefConType of IBRX
4) Therefore BXZF - determines "SD"
However, the BXZF discount line is bringing the ZF discount, which, when I have IVA SD, should not bring the line.
Does anyone have any idea how to do the configuration?
NOTE: ZZOF is the same access sequence - IZOF.
Many thanks
Rodrigo Vieira
Hello André;
So, as I understand it, for materials with origin 1, 2 and 8 (imported) for which I do not want the discount line applied: today I have a condition table 972 - Country, Customer Class, Material Class, Material Origin - associated with the access sequence and condition DIZF as below; it will find SD, but will still apply the discount.
Condition record maintained.
BR 2 1 1 Foreign - imported directly 100,000 % 01.04.2014 31.12.9999 SD
BR 2 1 2 Foreign - acquired nationally 100,000 % 01.04.2014 31.12.9999 SD
BR 2 1 8 National - with import content over 70% 100,000 % 01.04.2014 31.12.9999 SD
I have a scenario where the same pricing would have domestic products of origin "5" and imported ones of origin 1, 2 and 8.
For the first, the discount line needs to be triggered because of the exemption..
So SZ in condition DIZF will be triggered and the discount in BXZF will be applied.
However, how can I make it not apply the discount..
The only possibility was to create an access sequence forcing SD, but since condition DIZF is determined because it finds the origin, it forces the discount in BXZF
Any suggestion or idea on how I can configure this?
Regards
Rodrigo Vieira -
ICMS discount for the Zona Franca de Manaus - Incoming Register (Registro de Entrada)
Good morning, dear colleagues!
I have a scenario regarding ICMS for the Zona Franca de Manaus; as we know, this tax is given as a discount on the invoice total. The scenario the user is now requesting is the following.
Accounting value -> 65.892,29
ICMS base -> 74.877,60
ICMS rate -> 12%
ICMS amount -> 8.985,31
The version I am using is 6.0
Do you know whether there is any standard configuration for this scenario? I know note 8622370 exists with the discount in MIRO, but the posting in the Incoming Register is not correct.
Regards
Nobre
Hello Nobre,
I could not find the note you mentioned.
However, here are two very important notes with Zona Franca configurations:
790429 - Transfer to Tax free zone (Zona Franca) ICMS not discounted
622370 - MIRO: ICMS-Discount by buying in Tax Free Zones(Zona Franca)
The notes explain the configuration of the special conditions for Zona Franca, which are ICZF and ICZG.
Best regards,
Carla Kunz Bussolo -
Receipt of a transfer in the Zona Franca - Error M7050 Balance not zero. Transaction MB0A
Folks,
Good evening,
I have a problem and need your help.
ERROR M7050 - Balance not zero: 28,04 - Debit: 28,08 Credit: 0,04
When I post the receipt of the transfer through transaction MB0A, it raises this error. I want to believe that SAP is not considering the ICMS reduction amount that the Zona Franca has, since it is exactly the reduction amount on the goods issue.
Notes 622370 and 790429 are applied in the system, and the condition for the ZF presumed ICMS credit is marked as D - Transfer tax in the posting chain.
Do you know what is happening?
Thank you.
Hi Renan & Hernandes
What do you have in tables J_1BCONDMAPV and J_1BTXCOND regarding note 790429?
Which ERP version are you on?
I imagine you have already looked at the note.. 1826651 - STO: ICMS wrongly calculated for Full/Partial return from ZF
Regards
Eduardo Chagas -
Can you program a Slave's Node ID or Zone ID using the USB-8476 as the LIN Master?
I am planning on using the USB-8476 LIN interface as the LIN bus Master in an application. The application would require the USB-8476 (Master) to program a Node ID and Zone ID into a slave device that is on the LIN bus. The slave device is a PIC12F1822 mcu + MCP2021 LIN transceiver. After reading through the User/Software Manual for the USB-8476, it does NOT seem possible to assign an ID to a slave device. It seems like you can only communicate with slaves that already have an ID programmed into their memory. The Node/Zone ID terminology is used by our customer and may not conform exactly to the IDs associated with LIN. I am new to the LIN world, so please let me know if you need more information about what I'm trying to accomplish. Can you program a Slave's Node ID or Zone ID using the USB-8476 as the LIN Master?
No need to respond to this topic. The company that builds the slave device has a communications specification that was recently provided to me. I should be able to use the NI USB-8476 and a call to the ncWrite function (NI-CAN Frame API function) to accomplish my goals.