9fans - fans of the OS Plan 9 from Bell Labs
* Re: [9fans] File Server Authentication Woes
@ 2002-05-07  1:03 Russ Cox
  2002-05-07 15:10 ` Eric Van Hensbergen
  0 siblings, 1 reply; 9+ messages in thread
From: Russ Cox @ 2002-05-07  1:03 UTC (permalink / raw)
  To: 9fans

> I'm having a bit of trouble getting my newly installed file server to
> work with my Auth server.  I've installed everything from scratch and
> have a stand-alone auth server, a stand-alone terminal, and a file
> server.  Everything seems to be happy-happy except when I go to mount
> the file server from the auth-server I get an authentication error.

try

	echo -n debug > /mnt/factotum/ctl

on the client and repeat the mount.
you'll get a trace of the factotum activity,
which may contain more useful error messages.




* Re: [9fans] File Server Authentication Woes
  2002-05-07 15:10 ` Eric Van Hensbergen
@ 2002-05-07  9:30   ` plan9
  0 siblings, 0 replies; 9+ messages in thread
From: plan9 @ 2002-05-07  9:30 UTC (permalink / raw)
  To: 9fans

Did you check all that?

File Server config
     ipauth    my.auth.server.ip
     end
     passwd
        id : bootes
        pass: donotusethisone
        authdom: mynet.com

/lib/ndb/local
     ipnet=myprivatenet ...
          authdom=mynet.com
          auth=my.auth.server.ip
          ...

    ip=my.fs.ip.addr  ether=000476dc2a00  sys=myfs
         ipnet=myprivatenet
         dom=myfs.mynet.com
         proto=il

On the CPU/AUTH console
    auth/wrkey
        id:            bootes
        domain:    mynet.com
        passwd:    donotusethisone

On the CPU again
        auth/changeuser -np bootes
        ...
        pass : donotusethisone

In /lib/ndb/auth
        uncomment the two lines as described


----- Original Message -----
From: "Eric Van Hensbergen" <airwick@mail.csh.rit.edu>
To: <9fans@cse.psu.edu>
Sent: Tuesday, May 07, 2002 5:10 PM
Subject: Re: [9fans] File Server Authentication Woes


> On Mon, 2002-05-06 at 20:03, Russ Cox wrote:
> > > I'm having a bit of trouble getting my newly installed file server to
> > > work with my Auth server.  I've installed everything from scratch and
> > > have a stand-alone auth server, a stand-alone terminal, and a file
> > > server.  Everything seems to be happy-happy except when I go to mount
> > > the file server from the auth-server I get an authentication error.
> >
> > try
> >
> > echo -n debug > /mnt/factotum/ctl
> >
> > on the client and repeat the mount.
> > you'll get a trace of the factotum activity,
> > which may contain more useful error messages.
>
> vampira# echo -n debug > /mnt/factotum/ctl
> vampira# mount -c /srv/il!9.3.61.42 /n/tor
> 9: start proto=p9any role=client yields phase CNeedProtos: ok
> 9: read 4093 in phase CNeedProtos yields phase CNeedProtos: phase: protocol phase error: read in state CNeedProtos
> 9: write 0 in phase CNeedProtos yields phase CNeedProtos: toosmall 2048
> 9: start proto=p9sk1 role=client dom=austin.ibm.com yields phase CHaveChal: ok
> 9: write 25 in phase CNeedProtos yields phase CHaveProto: ok
> 9: read 21 in phase CHaveProto yields phase CNeedOK: ok
> 9: read 4093 in phase CNeedOK yields phase CNeedOK: phase: protocol phase error: read in state CNeedOK
> 9: write 0 in phase CNeedOK yields phase CNeedOK: toosmall 3
> 9: write 3 in phase CNeedOK yields phase CRelay: ok
> 9: read 8 in phase CHaveChal yields phase CNeedTreq: ok
> 9: read 8 in phase CRelay yields phase CRelay: ok
> 9: read 4093 in phase CNeedTreq yields phase CNeedTreq: phase: protocol phase error: read in state CNeedTreq
> 9: read 4093 in phase CRelay yields phase CRelay: phase: protocol phase error: read in state CNeedTreq
> 9: write 0 in phase CNeedTreq yields phase CNeedTreq: toosmall 141
> 9: write 0 in phase CRelay yields phase CRelay: toosmall 141
> 9: failure bad key
> 9: write 141 in phase CNeedTreq yields phase CNeedTreq: failure bad key
> 9: write 141 in phase CRelay yields phase CRelay: failure bad key
> mount: mount /n/tor: attach -- unknown user or failed authentication
>
>
> Oh..and to answer Presto's suggestion:
>
>
> vampira# ndb/csquery
> > net!$auth!ticket
> /net/il/clone 9.3.61.105!566!fasttimeout
> /net/tcp/clone 9.3.61.105!567
> /net/il/clone 9.3.61.105!566
> (105 is the auth server)
>
> -eric
>
>
>




* Re: [9fans] File Server Authentication Woes
  2002-05-07  1:03 [9fans] File Server Authentication Woes Russ Cox
@ 2002-05-07 15:10 ` Eric Van Hensbergen
  2002-05-07  9:30   ` plan9
  0 siblings, 1 reply; 9+ messages in thread
From: Eric Van Hensbergen @ 2002-05-07 15:10 UTC (permalink / raw)
  To: 9fans

On Mon, 2002-05-06 at 20:03, Russ Cox wrote:
> > I'm having a bit of trouble getting my newly installed file server to
> > work with my Auth server.  I've installed everything from scratch and
> > have a stand-alone auth server, a stand-alone terminal, and a file
> > server.  Everything seems to be happy-happy except when I go to mount
> > the file server from the auth-server I get an authentication error.
>
> try
>
> 	echo -n debug > /mnt/factotum/ctl
>
> on the client and repeat the mount.
> you'll get a trace of the factotum activity,
> which may contain more useful error messages.

vampira# echo -n debug > /mnt/factotum/ctl
vampira# mount -c /srv/il!9.3.61.42 /n/tor
9: start proto=p9any role=client yields phase CNeedProtos: ok
9: read 4093 in phase CNeedProtos yields phase CNeedProtos: phase: protocol phase error: read in state CNeedProtos
9: write 0 in phase CNeedProtos yields phase CNeedProtos: toosmall 2048
9: start proto=p9sk1 role=client dom=austin.ibm.com yields phase CHaveChal: ok
9: write 25 in phase CNeedProtos yields phase CHaveProto: ok
9: read 21 in phase CHaveProto yields phase CNeedOK: ok
9: read 4093 in phase CNeedOK yields phase CNeedOK: phase: protocol phase error: read in state CNeedOK
9: write 0 in phase CNeedOK yields phase CNeedOK: toosmall 3
9: write 3 in phase CNeedOK yields phase CRelay: ok
9: read 8 in phase CHaveChal yields phase CNeedTreq: ok
9: read 8 in phase CRelay yields phase CRelay: ok
9: read 4093 in phase CNeedTreq yields phase CNeedTreq: phase: protocol phase error: read in state CNeedTreq
9: read 4093 in phase CRelay yields phase CRelay: phase: protocol phase error: read in state CNeedTreq
9: write 0 in phase CNeedTreq yields phase CNeedTreq: toosmall 141
9: write 0 in phase CRelay yields phase CRelay: toosmall 141
9: failure bad key
9: write 141 in phase CNeedTreq yields phase CNeedTreq: failure bad key
9: write 141 in phase CRelay yields phase CRelay: failure bad key
mount: mount /n/tor: attach -- unknown user or failed authentication


Oh..and to answer Presto's suggestion:


vampira# ndb/csquery
> net!$auth!ticket
/net/il/clone 9.3.61.105!566!fasttimeout
/net/tcp/clone 9.3.61.105!567
/net/il/clone 9.3.61.105!566
(105 is the auth server)

	-eric





* Re: [9fans] File Server Authentication Woes
  2002-05-07 16:20 rsc
@ 2002-05-07 17:26 ` Eric Van Hensbergen
  0 siblings, 0 replies; 9+ messages in thread
From: Eric Van Hensbergen @ 2002-05-07 17:26 UTC (permalink / raw)
  To: 9fans

On Tue, 2002-05-07 at 11:20, rsc@plan9.bell-labs.com wrote:
> > When I do this, I don't get a key prompt again, but the error messages
> > change (due to the fact that there is no key matches apparently).
>
> You're on a cpu server, so factotum won't prompt.
> Instead tell it manually:
>
> 	echo 'key proto=p9sk1 dom=your.auth.domain user=you !password=secret' >/mnt/factotum/ctl
>
> If that works, try running auth/wrkey to rewrite your
> nvram and then reboot.
>
> Russ

That did the trick.  So I guess the passwords were screwed up in my auth
server's nvram.  Thanks for your help everyone.

	-eric





* Re: [9fans] File Server Authentication Woes
@ 2002-05-07 16:20 rsc
  2002-05-07 17:26 ` Eric Van Hensbergen
  0 siblings, 1 reply; 9+ messages in thread
From: rsc @ 2002-05-07 16:20 UTC (permalink / raw)
  To: 9fans

> When I do this, I don't get a key prompt again, but the error messages
> change (due to the fact that there is no key matches apparently).

You're on a cpu server, so factotum won't prompt.
Instead tell it manually:

	echo 'key proto=p9sk1 dom=your.auth.domain user=you !password=secret' >/mnt/factotum/ctl

If that works, try running auth/wrkey to rewrite your
nvram and then reboot.

Russ




* Re: [9fans] File Server Authentication Woes
  2002-05-07 15:18 Russ Cox
@ 2002-05-07 15:49 ` Eric Van Hensbergen
  0 siblings, 0 replies; 9+ messages in thread
From: Eric Van Hensbergen @ 2002-05-07 15:49 UTC (permalink / raw)
  To: 9fans

On Tue, 2002-05-07 at 10:18, Russ Cox wrote:
> Somewhere along the line your servers don't agree about a key.
> It sounds like the factotum on your auth server doesn't have
> the right key.  Try drawing a new window on the auth server
> and running
>
> 	echo -n delkey >/mnt/factotum/ctl	# clears all keys
> 	mount -c /srv/il!9.3.61.42 /n/tor
>
> It will prompt for the key again and maybe this time
> will work better.
>
> Russ

When I do this, I don't get a key prompt again, but the error messages
change (due to the fact that there is no key matches apparently).

vampira# mount -c /srv/il!9.3.61.42 /n/tor
11: start proto=p9any role=client yields phase CNeedProtos: ok
11: read 4093 in phase CNeedProtos yields phase CNeedProtos: phase: protocol phase error: read in state CNeedProtos
11: write 0 in phase CNeedProtos yields phase CNeedProtos: toosmall 2048
11: no key matches  proto=p9sk1 dom=austin.ibm.com role=speakfor user? !password?
11: failure no key matches  proto=p9sk1 dom=austin.ibm.com role=speakfor user? !password?
11: no key matches  proto=p9sk1 dom=austin.ibm.com role=client user? !password?
11: failure no key matches  proto=p9sk1 dom=austin.ibm.com role=client user? !password?
11: no key matches  proto=p9sk1 dom=austin.ibm.com role=client user? !password?
11: failure no key matches  proto=p9sk1 dom=austin.ibm.com role=client user? !password?
11: failure no key matches  proto=p9sk1 dom=austin.ibm.com role=client user? !password?
11: write 25 in phase CNeedProtos yields phase CNeedProtos: failure no key matches  proto=p9sk1 dom=austin.ibm.com role=client user? !password?
mount: mount /n/tor: attach -- unknown user or failed authentication
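
[Added example, not part of any message in this thread and not Plan 9 code: a Python sketch that rejoins a factotum debug trace hard-wrapped at 80 columns and tells apart the two failures seen in this thread, `failure bad key` and `no key matches`. The sample traces are constructed from entries posted here; the function names and the reading of trailing `?` fields as attributes factotum still wants are assumptions.]

```python
import re

WIDTH = 80                      # assumed terminal width of the pasted traces
ENTRY = re.compile(r"\d+: ")    # each factotum debug entry starts "<n>: "

# Constructed sample input: entries taken from the two traces in this thread,
# hard-wrapped at column 80 the way a terminal paste would be.
BAD_KEY = """\
9: start proto=p9sk1 role=client dom=austin.ibm.com yields phase CHaveChal: ok
9: read 4093 in phase CNeedTreq yields phase CNeedTreq: phase: protocol phase er
ror: read in state CNeedTreq
9: failure bad key
mount: mount /n/tor: attach -- unknown user or failed authentication
"""
NO_KEY = """\
11: no key matches  proto=p9sk1 dom=austin.ibm.com role=speakfor user? !password
?
mount: mount /n/tor: attach -- unknown user or failed authentication
"""

def unwrap(text):
    """Rejoin entries that were split at the right margin (heuristic)."""
    out, prev_full = [], False
    for line in text.splitlines():
        if prev_full and not ENTRY.match(line):
            out[-1] += line             # continuation of a full-width line
        else:
            out.append(line)
        prev_full = len(line) >= WIDTH
    return out

def diagnose(text):
    """Classify a trace: 'bad key', 'no key matches' or 'no failure seen'."""
    attrs = {}
    for entry in unwrap(text):
        head = ENTRY.match(entry)
        body = entry[head.end():] if head else ""
        if body.startswith("start "):   # remember proto/role/dom in use
            attrs = dict(re.findall(r"(\w+)=(\S+)", body))
        m = re.match(r"(?:failure )?no key matches\s+(.*)", body)
        if m:                           # factotum holds no usable key
            return {"verdict": "no key matches",
                    "attrs": dict(re.findall(r"(\w+)=(\S+)", m.group(1))),
                    "missing": re.findall(r"(!?\w+)\?", m.group(1))}
        if body.endswith("failure bad key"):   # a key exists but is rejected
            return {"verdict": "bad key", "attrs": attrs, "missing": []}
    return {"verdict": "no failure seen", "attrs": attrs, "missing": []}
```

Without the unwrap step the `?` that follows `!password` sits on its own line, and the password would not be reported among the missing attributes.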




* Re: [9fans] File Server Authentication Woes
@ 2002-05-07 15:18 Russ Cox
  2002-05-07 15:49 ` Eric Van Hensbergen
  0 siblings, 1 reply; 9+ messages in thread
From: Russ Cox @ 2002-05-07 15:18 UTC (permalink / raw)
  To: 9fans

Somewhere along the line your servers don't agree about a key.
It sounds like the factotum on your auth server doesn't have
the right key.  Try drawing a new window on the auth server
and running

	echo -n delkey >/mnt/factotum/ctl	# clears all keys
	mount -c /srv/il!9.3.61.42 /n/tor

It will prompt for the key again and maybe this time
will work better.

Russ



* Re: [9fans] File Server Authentication Woes
@ 2002-05-07  1:17 presotto
  0 siblings, 0 replies; 9+ messages in thread
From: presotto @ 2002-05-07  1:17 UTC (permalink / raw)
  To: 9fans

[-- Attachment #1: Type: text/plain, Size: 460 bytes --]

The client calls the auth server.  If there isn't anything in
/sys/log/auth then the client isn't even trying the auth server.
It seems like the auth server doesn't know where the auth server
is, so to speak.

On the auth server, do

% ndb/csquery
> net!$auth!ticket

If there isn't a translation, that's the problem.  There are two
places you can specify the auth server, /net/ndb (plan 9 DHCP supplies
it) or in /lib/ndb/local.  Look for 'auth='.

[-- Attachment #2: Type: message/rfc822, Size: 2055 bytes --]

From: Eric Van Hensbergen <evanhensbergen@austin.rr.com>
To: 9fans@cse.psu.edu
Subject: [9fans] File Server Authentication Woes
Date: 06 May 2002 19:57:43 -0500
Message-ID: <1020733065.1790.2.camel@airwick>


I'm having a bit of trouble getting my newly installed file server to
work with my Auth server.  I've installed everything from scratch and
have a stand-alone auth server, a stand-alone terminal, and a file
server.  Everything seems to be happy-happy except when I go to mount
the file server from the auth-server I get an authentication error.
There doesn't seem to be anything useful in /sys/log/auth about it (or
in any of the other logs).  Is there any way I sanity check the auth
server configuration on the file server or get more verbose debugging
about where things are breaking down?

	-eric




* [9fans] File Server Authentication Woes
@ 2002-05-07  0:57 Eric Van Hensbergen
  0 siblings, 0 replies; 9+ messages in thread
From: Eric Van Hensbergen @ 2002-05-07  0:57 UTC (permalink / raw)
  To: 9fans


I'm having a bit of trouble getting my newly installed file server to
work with my Auth server.  I've installed everything from scratch and
have a stand-alone auth server, a stand-alone terminal, and a file
server.  Everything seems to be happy-happy except when I go to mount
the file server from the auth-server I get an authentication error.
There doesn't seem to be anything useful in /sys/log/auth about it (or
in any of the other logs).  Is there any way I sanity check the auth
server configuration on the file server or get more verbose debugging
about where things are breaking down?

	-eric




