Baanboard.com

#1 - bbomgardner - 19th January 2009, 14:01
Baan: Baan IV B40c.93 - DB: Oracle - OS: HP-UX

BaanLogin works for local user, not for LDAP user
Baan: Baan IVc4
DB: Oracle 10.2.0.x
OS: HP-UX 11.31
C/S: None/Unknown

Hi folks,

I'm a sysadmin who is pretty new to Baan and I'm trying to troubleshoot why BaanLogin will not allow LDAP users to connect. Local users connect just fine. LDAP users can authenticate to the OS without issue (and rexec works just fine).

I'm nearly positive this has something to do with PAM. I was hoping someone else had come across a similar problem in their environment and could offer some suggestions.

From the debug output it appears as if BaanLogin is detecting that my system is in trusted mode (incorrectly) which is causing the problem. Does anyone know how/why this detection of trusted mode occurs?

Local User (non trusted system)


Code:
Daemon: Incoming connection, spawn child.
2009-01-15[15:22:00]:  Child: handle BaanLogin request.
2009-01-15[15:22:00]: Daemon: revert to listen-mode.
2009-01-15[15:22:00]:  Child: received:  user bsp, action 1
2009-01-15[15:22:00]:                   IBCmd /u02007/ap-baancap1/bse/bin/ipc_boot, bseVersion 6.1
2009-01-15[15:22:00]: Try authentication via PAM
2009-01-15[15:22:00]: PAM available for this platform
2009-01-15[15:22:00]: Authenticating user 'bsp'.
2009-01-15[15:22:00]:  message 1: 'Password: '
2009-01-15[15:22:00]: Setting password for user bsp in PAM callback
2009-01-15[15:22:00]: Authentication via PAM succeeded
2009-01-15[15:22:00]:  Child: logon for bsp OK.
2009-01-15[15:22:00]: non-trusted system on HP_check_password().
2009-01-15[15:22:00]:  Child: pwd status = -5, message = -1005: The aging for name is turned off.
2009-01-15[15:22:00]:  Child: starting /u02007/ap-baancap1/bse/bin/ipc_boot6.1.
2009-01-15[15:22:45]:

LDAP User (non trusted system)

Code:
2009-01-15[15:23:37]: Daemon: revert to listen-mode.
2009-01-15[15:23:37]:  Child: handle BaanLogin request.
2009-01-15[15:23:37]:  Child: received:  user lmbasset, action 1
2009-01-15[15:23:37]:                   IBCmd /u02007/ap-baancap1/bse/bin/ipc_boot, bseVersion 6.1
2009-01-15[15:23:37]: Try authentication via PAM
2009-01-15[15:23:37]: PAM available for this platform
2009-01-15[15:23:37]: Authenticating user 'lmbasset'.
2009-01-15[15:23:37]:  message 1: 'Password: '
2009-01-15[15:23:37]: Setting password for user lmbasset in PAM callback
2009-01-15[15:23:37]: Authentication via PAM succeeded
2009-01-15[15:23:37]:  Child: logon for lmbasset OK.
2009-01-15[15:23:37]: trusted system on HP_check_password().
2009-01-15[15:23:37]:  Child: pwd status = -7, message = -1007: Something is wrong with system functions.


Thanks again for any suggestions!

Ben

#2 - dave_23 - 19th January 2009, 18:23
Last I checked, blogind was not linked to PAM. This was scheduled for a future release.

So if you're on the latest porting set, then it still hasn't happened =( but if not, then there is a chance. Look through the PS release notes to see if you can find it.

Dave

#3 - bbomgardner - 19th January 2009, 18:55
Thanks Dave for your comment. I'll see if the release notes have anything to say.

On second thought though, I don't think this error has to do with PAM directly - the passoff to PAM appears to work just fine for both users. This explains why both have no problems logging in to the OS and using the rexec connection method.

Does anyone know what Blogin is doing in these last two lines when the HP_check_password() function seems to be called?

Is there documentation on Blogin anywhere that may describe this?


Thanks

#4 - dave_23 - 20th January 2009, 00:32
It's checking password expiration, I believe.

Again, it's been a while, but I think it calls badmin6.1 for that; badmin6.1 may need to be setuid root to make that work.

Dave

#5 - bbomgardner - 20th January 2009, 13:22
Ah OK. Thanks for the lead! I'll check into badmin6.1 and let you know what I can find out...

#6 - NPRao - 20th January 2009, 19:57
Dave is right, check the following binaries, which need to have the 'root' settings:
Quote:
-rwsr-xr-x 1 root bsp 438272 Oct 25 10:48 badmin6.2
-rwsr-xr-x 1 root bsp 4544936 Oct 25 10:48 blogind6.2
-rwxr-xr-x 1 root bsp 24476 Oct 25 10:48 lp6.2
-rwsr-xr-x 1 root bsp 5050368 Oct 25 10:48 pdaemon6.2
__________________
The art of perfection does not lie in doing extraordinary things but, doing ordinary things extraordinarily well. [-N. Prashanth Rao]
How To Ask Questions The Smart Way,BaaNBoard,NPRao

#7 - bbomgardner - 21st January 2009, 03:06
Hey NPRao,

Many thanks for the suggestion. Unfortunately, I'm still getting the same error when attempting to use BaanLogin. The client error mentions a failure of ipc_boot (?).

Code:
-rwsr-xr-x   1 root       bsp         446464 Nov  3 10:52 badmin6.1
-rwsr-xr-x   1 root       bsp         458752 Jan 20 20:52 blogind6.1
-rwxr-xr-x   1 root       bsp          23836 Nov  3 10:52 lp6.1
-rwsr-xr-x   1 root       bsp        1007616 Nov  3 10:52 pdaemon6.1

blogind6.1 -d

Code:
2009-01-20[20:55:41]:
Daemon: Incoming connection, spawn child.
2009-01-20[20:55:41]: Daemon: revert to listen-mode.
2009-01-20[20:55:41]:  Child: handle BaanLogin request.
2009-01-20[20:55:41]:  Child: received:  user lmbasset, action 1
2009-01-20[20:55:41]:                   IBCmd /u02001/ap-baanusp1/bse/bin/ipc_boot, bseVersion 6.1
2009-01-20[20:55:41]: Try authentication via PAM
2009-01-20[20:55:41]: PAM available for this platform
2009-01-20[20:55:41]: Authenticating user 'lmbasset'.
2009-01-20[20:55:41]:  message 1: 'Password: '
2009-01-20[20:55:41]: Setting password for user lmbasset in PAM callback
2009-01-20[20:55:41]: Authentication via PAM succeeded
2009-01-20[20:55:41]:  Child: logon for lmbasset OK.
2009-01-20[20:55:41]: trusted system on HP_check_password().
2009-01-20[20:55:41]:  Child: pwd status = -7, message = -1007: Something is wrong with system functions.

Client error:

Code:
1 : Error 4 (reset unsuccessful logins failed) : baanlogin failed host 'sg-ap-baanusp1 username 'lmbasset'. Failure executing ipc_boot binary in '/u02001/ap-baanusp1/bse'.
2 : Error : bw failed to connect to sg-ap-baanusp1!bshell
Reply With Quote
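
The debug output quoted in posts #1 and #7 can be summarised per login attempt to make the pattern easier to spot across many sessions. This is an added example, not part of the thread or of Baan's own tooling; it matches only the message wording visible in the logs above, and the user names in the sample are constructed.

```sh
# Added example: summarise `blogind6.1 -d` output per login attempt.
# Message patterns come from the logs quoted in this thread; other porting
# sets may word them differently (assumption).
blogind_triage() {
    awk '
    /Child: received:/ {                 # start of a new login attempt
        user = $0; sub(/.*user /, "", user); sub(/,.*/, "", user)
        pam = "unknown"; mode = "unknown"
    }
    /Authentication via PAM succeeded/ { pam = "ok" }
    # "non-trusted" contains "trusted", so test it first and stop.
    /non-trusted system on HP_check_password/ { mode = "non-trusted"; next }
    /trusted system on HP_check_password/     { mode = "trusted" }
    /pwd status = / {
        st = $0; sub(/.*pwd status = /, "", st); sub(/,.*/, "", st)
        # Pattern seen in the thread: PAM accepts the user, then the
        # password-status check returns -7 on a host detected as trusted.
        flag = (pam == "ok" && mode == "trusted" && st == "-7") ? "MISMATCH" : "-"
        printf "%s pam=%s mode=%s pwd_status=%s %s\n", user, pam, mode, st, flag
    }' "$@"
}

# Constructed sample, modelled on the lines quoted in the thread.
sample_log() {
    cat <<'EOF'
2009-01-15[15:22:00]:  Child: received:  user localuser, action 1
2009-01-15[15:22:00]: Authentication via PAM succeeded
2009-01-15[15:22:00]: non-trusted system on HP_check_password().
2009-01-15[15:22:00]:  Child: pwd status = -5, message = -1005: The aging for name is turned off.
2009-01-15[15:23:37]:  Child: received:  user ldapuser, action 1
2009-01-15[15:23:37]: Authentication via PAM succeeded
2009-01-15[15:23:37]: trusted system on HP_check_password().
2009-01-15[15:23:37]:  Child: pwd status = -7, message = -1007: Something is wrong with system functions.
EOF
}

# Reads stdin when no file argument is given.
sample_log | blogind_triage
```

Pass a saved debug log as an argument (`blogind_triage /path/to/saved.log`, path hypothetical) to run it on real output.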

#8 - dave_23 - 21st January 2009, 16:27
Have you tried just resetting the guy's password at the OS level?


Dave

#9 - bbomgardner - 21st January 2009, 18:25
Unfortunately changing the password didn't fix anything.

This is what I think is happening:

Blogin is first authenticating the user (via PAM), and then checking /etc/passwd or /etc/shadow to look for other password attributes. Because it doesn't find my ldap user in either spot, it is assuming that I am on a trusted system and tries to look in the /tcb/files/auth tree (or somewhere else) but of course, it isn't there.

I don't necessarily want to go adding ldap users to /etc/passwd, but I may try it once to see what happens. I also don't want to convert to a trusted system...

If I'm right about this, I don't think there is much else I can do to get this to work.

What do you think?

#10 - dave_23 - 21st January 2009, 19:16
Possibly, it would probably be a bug in blogind at this point.

blogind has a higher level of logging you can set. I think you start it like

blogind6.X -D -D -D


(that'd be 3 levels of debugging.. unless that's changed recently..)

blogind6.2 -U[or -u] will give usage.

Dave

#11 - bbomgardner - 22nd January 2009, 00:05
No kidding! That's exactly what I need. I'll check it out now...

#12 - bbomgardner - 22nd January 2009, 00:08
Ak! I'm running 6.1....

blogind6.1: Unknown argument: -D
Usage: blogind6.1 [-vV] [-d] [-p Portnumber] [-kK]

Can I upgrade Blogin without disturbing anything else? Probably not, I'm assuming.

#13 - NPRao - 22nd January 2009, 00:23
Try the lower-case option:
Quote:
$ blogind6.2 -
blogind6.2: Unknown argument: -
Usage: blogind6.2 [-vV] [-d] [-di] [-p Portnumber] [-kK] [-info]
-k : kill running blogind6.2 (if running as background process)
-p : override default TCP/IP listening port
-d : debug info for daemon 'blogind6.2'
-di : set -d option on ipc_boot program
-info : tells which protocols are available for daemon 'blogind6.2'
-v : displays version information

Also, you can figure out more using utilities like truss or strace.

I found a similar thread on the forum: blogin and PAM

#14 - bbomgardner - 8th March 2009, 19:52
Alright,

I am very grateful for all of the help everyone here has given me on this problem. Thank you!

It turns out this entire issue was caused by the default setting to return '*' as the hidden password in the configuration for the ldapux client on HP-UX. Nothing mysterious at all.

For those who are interested, getting this to work involved changing password_as in /etc/opt/ldapux/ldapux_client.conf:

Code:
# You can set the user password to be returned as any string (consisting
# of characters from the encrypted password and the "*" character) instead
# of "*" when the password is hidden.  By returning something other than "*"
# for the hidden password, along with a specific pam_ldap configuration,
# r-commands such as rlogin will work with ldap users on the equivalent
# remote host.  Since the password field of each /etc/passwd entry
# contains an "x" when supporting shadow password, the example provided
# below sets the return password to "x".
#
# The default setting is to return "*" for hidden password.
#
# Warning:
#    Setting the user password to be returned as any string for the hidden
#    password could allow users with active accounts on a remote host to
#    rlogin to the local host on to a disabled account.
#
password_as="x"
Reply With Quote
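
An added example (not part of the original post or of HP's LDAP-UX tooling) that reports the effective password_as value on a host, so the setting from post #14 can be reviewed alongside the rlogin warning in the file's own comments. The parsing rules (last uncommented assignment wins, optional double quotes) are assumptions.

```sh
# Added example: report the effective password_as value in an
# ldapux_client.conf-style file. The key name, the path and the "*"
# default come from the thread; the parsing rules are assumptions.
ldapux_password_as() {
    conf=${1:-/etc/opt/ldapux/ldapux_client.conf}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Ignore commented lines; last assignment wins; strip optional quotes.
    val=$(sed -n 's/^[[:space:]]*password_as[[:space:]]*=[[:space:]]*//p' "$conf" |
          tail -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/')
    # Unset or empty falls back to the default of "*" stated in the file.
    printf '%s\n' "${val:-*}"
}

password_as_report() {
    val=$(ldapux_password_as "$1") || return 2
    case $val in
        '*') echo "password_as=* (default): the setting this thread traced the BaanLogin failure to" ;;
        *)   echo "password_as=$val: check rlogin access to disabled accounts, per the warning in the file" ;;
    esac
}

# Constructed sample file so the block runs stand-alone.
demo_conf=$(mktemp)
printf '%s\n' '# The default setting is to return "*" for hidden password.' \
              '# password_as="*"' \
              'password_as="x"' > "$demo_conf"
password_as_report "$demo_conf"
rm -f "$demo_conf"
```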
All times are GMT +2.