* Yeeha! =) (was Re: [9fans] Argh -- auth checklist?)
@ 1999-02-26 17:41 Dorman, Eric
From: Dorman, Eric @ 1999-02-26 17:41 UTC (permalink / raw)
> -----Original Message-----
> From: James A. Robinson [mailto:Jim.Robinson@stanford.edu]
> Sent: Thursday, February 25, 1999 7:16 PM
[xx]
> #
> # CPU/Auth servers
> #
> sys=ruler
>     dom=ruler.stanford.edu ip=36.48.0.135 ether=0060977e685a
>     bootf=/386/9pccpudisk
>     proto=il
>     proto=tcp
>     proto=udp
>     ipnet=highwire-net
>     fs=bela
hmm
>     auth=ruler
Heh; Authserver needs to be told it's an authserver?
I'll have to look and see if that's how mine is set up.
eld
* Yeeha! =) (was Re: [9fans] Argh -- auth checklist?)
@ 1999-02-27 1:33 James
From: James @ 1999-02-27 1:33 UTC (permalink / raw)
> the applications that authenticate dial the authenticator. auth= says
> where to find it. it's possible to put the auth= entry in /lib/ndb/local
> only at net or subnet level, but that didn't work when Jim tried it
> (probably because the net/subnet entries aren't quite right, but i'll
> look at them closely later).
And Russ and Forsyth win the prize! I won't claim to understand it all,
but fixing the highwire-net entry does the trick as well. I am sort of
confused by it all. Yes, Stanford Libraries uses the 36.0.0.0 domain, one
of the few (two?) class A addresses still in use, but... We have always
been told that our network is 36.48.0.0, with the netmask 255.255.0.0.
Following Russ's e-mail to me, I switched out the highwire-net
entry. Following Forsyth's comments, I cleaned up the rest of
/lib/ndb/local as well. =) The following works for me -- I can get
authentication.

#
# systems on the local network
#

#
# Domain Name Service
#
dom=
    ns=cilantro.stanford.edu
    ns=cassandra.stanford.edu
    ns=caribou.stanford.edu
dom=cilantro.stanford.edu ip=171.64.7.99
dom=cassandra.stanford.edu ip=171.64.7.77
dom=caribou.stanford.edu ip=171.64.7.55

#
# Networks
#
ipnet=highwire-net
    ip=36.0.0.0
    ipmask=255.255.255.0
    ipgw=36.48.0.1
    fs=bela
    auth=ruler

#
# CPU/Auth servers
#
sys=ruler
    dom=ruler.stanford.edu ip=36.48.0.135 ether=0060977e685a
    bootf=/386/9pccpudisk
    proto=il

#
# File servers
#
sys=bela
    dom=bela.stanford.edu ip=36.48.0.137 ether=00a02425fb61
    proto=il

... terminals list ...
... services list ...
il=ticket port=566
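
The lookup behaviour this thread converges on, as an added example (not code from any poster and not Plan 9's ndb/cs source): a small Python model which assumes that an attribute such as auth= is taken from the system's own entry first and is otherwise inherited from ipnet entries found by starting at the classful network of the host's address. Under that assumption it reproduces the three outcomes reported in the thread; the helper names and the trimmed configuration are constructed for illustration.

```python
import ipaddress

def parse_ndb(text):
    """Split ndb text into entries; an indented line continues the entry above."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0]
        if not body.strip():
            continue
        pairs = [tuple(t.split("=", 1)) for t in body.split() if "=" in t]
        if body[0] in " \t" and entries:
            entries[-1].extend(pairs)
        else:
            entries.append(pairs)
    return entries

def get(entry, attr):
    return next((v for a, v in entry or [] if a == attr), None)

def ipnet_at(entries, addr):
    return next((e for e in entries if get(e, "ipnet") and ("ip", addr) in e), None)

def network(ip, mask):
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False).network_address)

def resolve(entries, sysname, attr):
    """Host entry first, then subnet, then class network (assumed lookup order)."""
    host = next((e for e in entries if ("sys", sysname) in e), None)
    if host is None or get(host, attr):
        return get(host, attr)
    ip = get(host, "ip")
    first = int(ip.split(".")[0])  # classful prefix: A=/8, B=/16, C=/24
    net = ipnet_at(entries, network(ip, 8 if first < 128 else 16 if first < 192 else 24))
    mask = get(net, "ipmask")      # no class-network entry means nothing to inherit
    sub = ipnet_at(entries, network(ip, mask)) if mask else None
    return get(sub, attr) or get(net, attr)

# Constructed sample: a trimmed version of the ndb/local entries quoted in the thread.
TEMPLATE = """\
ipnet=highwire-net ip={net} ipmask=255.255.255.0
    fs=bela
    auth=ruler
sys=ruler
    dom=ruler.stanford.edu ip=36.48.0.135 ether=0060977e685a
    proto=il{extra}
"""
BROKEN = parse_ndb(TEMPLATE.format(net="36.48.0.0", extra=""))
FIXED = parse_ndb(TEMPLATE.format(net="36.0.0.0", extra=""))
WORKAROUND = parse_ndb(TEMPLATE.format(net="36.48.0.0", extra="\n    auth=ruler"))
```

`resolve(BROKEN, "ruler", "auth")` finds nothing, while both the corrected ipnet entry and the per-system auth= line yield `ruler`.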
* Yeeha! =) (was Re: [9fans] Argh -- auth checklist?)
@ 1999-02-26 18:21 James
From: James @ 1999-02-26 18:21 UTC (permalink / raw)
> proto=il
> and
> proto=fil
> are the only effective ones. they tell ndb/cs to allow the use of
That's what I thought from reading posts here (I've got as much of the
mail archive as I could find in my +9fans box). I only had proto=il in
there before, and someone suggested adding the others. I figured it doesn't
hurt. =) What I need to do is write up a real doc on how the ndb/* files
get parsed, so it isn't so hard to figure stuff out. The official docs are
geared toward people who are somewhat familiar with the system already. =)
Jim
* Yeeha! =) (was Re: [9fans] Argh -- auth checklist?)
@ 1999-02-26 18:13 forsyth
From: forsyth @ 1999-02-26 18:13 UTC (permalink / raw)
>>Heh; Authserver needs to be told it's an authserver?
the applications that authenticate dial the authenticator.
auth= says where to find it. it's possible to put the auth=
entry in /lib/ndb/local only at net or subnet level, but
that didn't work when Jim tried it (probably because the
net/subnet entries aren't quite right, but i'll look at them closely later).
proto=il
and
proto=fil
are the only effective ones. they tell ndb/cs to allow the use of
the il (fil) protocol (and associated services) when net! is used to dial a
host that declares them. otherwise it limits the choice to standard ip protocols.
i'd be impressed if you could make use of proto=fil,
so proto=il is the only one you need. in effect, it marks machines
that can use the plan9-specific protocols.
* Yeeha! =) (was Re: [9fans] Argh -- auth checklist?)
@ 1999-02-26 4:21 okamoto
From: okamoto @ 1999-02-26 4:21 UTC (permalink / raw)
The only one essential(?) difference between yours and mine
is that I have no line of
cpu=ruler.
> #
> # Networks
> #
> ipnet=highwire-net ip=36.48.0.0 ipmask=255.255.255.0
>     fs=bela.stanford.edu
>     ipgw=36.48.0.1
>     mailgw=highwire
>     cpu=ruler
>     auth=ruler
Kenji
* Yeeha! =) (was Re: [9fans] Argh -- auth checklist?)
@ 1999-02-26 3:15 James
From: James @ 1999-02-26 3:15 UTC (permalink / raw)
> I'm no authority on this matter, however, the underlines
> could be enough for netkey working correctly. It works
> fine at least in my environment.
Well the below is what I had at first, and it did NOT work:

#
# systems on the local network
#

#
# Domain Name Service
#
dom=
    ns=cilantro.stanford.edu
    ns=cassandra.stanford.edu
    ns=caribou.stanford.edu
dom=cilantro.stanford.edu ip=171.64.7.99
dom=cassandra.stanford.edu ip=171.64.7.77
dom=caribou.stanford.edu ip=171.64.7.55

#
# Networks
#
ipnet=highwire-net ip=36.48.0.0 ipmask=255.255.255.0
    fs=bela.stanford.edu
    ipgw=36.48.0.1
    mailgw=highwire
    cpu=ruler
    auth=ruler

#
# CPU/Auth servers
#
ip=36.48.0.135 ether=0060977e685a sys=ruler
    dom=ruler.stanford.edu
    bootf=/386/9pccpudisk
    proto=il

#
# File servers
#
ip=36.48.0.137 ether=00a02425fb61 sys=bela
    dom=bela.stanford.edu
    proto=il

... terminal entries and stuff ...

#
# il services
#
il=ticket port=566

The following is what I have now, and it will work as long as the
sys=ruler entry has the auth=ruler line. Various additional lines
are copied from the other ndb/local stuff people told me they had
in their systems (and if it doesn't hurt... =)

#
# systems on the local network
#

#
# Domain Name Service
#
dom=
    ns=cilantro.stanford.edu
    ns=cassandra.stanford.edu
    ns=caribou.stanford.edu
dom=cilantro.stanford.edu ip=171.64.7.99
dom=cassandra.stanford.edu ip=171.64.7.77
dom=caribou.stanford.edu ip=171.64.7.55

#
# Networks
#
ipnet=highwire-net
    ip=36.48.0.0
    ipmask=255.255.255.0
    ipgw=36.48.0.1
    fs=bela
    auth=ruler

#
# CPU/Auth servers
#
sys=ruler
    dom=ruler.stanford.edu ip=36.48.0.135 ether=0060977e685a
    bootf=/386/9pccpudisk
    proto=il
    proto=tcp
    proto=udp
    ipnet=highwire-net
    fs=bela
    auth=ruler

#
# File servers
#
sys=bela
    dom=bela.stanford.edu ip=36.48.0.137 ether=00a02425fb61
    proto=il
    ipnet=highwire-net

... terminal entries and stuff ...

#
# il services
#
il=ticket port=566
* Yeeha! =) (was Re: [9fans] Argh -- auth checklist?)
@ 1999-02-26 3:10 okamoto
From: okamoto @ 1999-02-26 3:10 UTC (permalink / raw)
I'm no authority on this matter, however, the underlines
could be enough for netkey working correctly. It works
fine at least in my environment.
>I originally had a setup like:
>
> ipnet=foo
>     ip=<net>
>     ipmask=<mask>
>     ipgw=<gw>
>     auth=<authserver>
>
> sys=<authserver>
>     ip=<ip>
>     dom=<authserver.stanford.edu>
>     proto=il
Kenji
--not an expert, but just one of users of Plan 9 :-)
* Yeeha! =) (was Re: [9fans] Argh -- auth checklist?)
@ 1999-02-26 2:29 James
From: James @ 1999-02-26 2:29 UTC (permalink / raw)
Thanks to everyone who responded: Forsyth, Russ, Steve, and David.
What was wrong was that I needed to add to my sys= entry for the auth
server, the line 'auth=<authserver>' so that my auth server would know
that it, itself, was the auth server to check.
Russ pointed out that I should be able to have csquery resolve lines
like net!$auth!ticket and tcp!$auth!telnet. I wasn't, so that pointed
out the problem as being in my ndb/local file.
I originally had a setup like:

ipnet=foo
    ip=<net>
    ipmask=<mask>
    ipgw=<gw>
    auth=<authserver>

sys=<authserver>
    ip=<ip>
    dom=<authserver.stanford.edu>
    proto=il

I had assumed that, since authserver was in subnet foo, it would understand
that it should use <authserver> (itself) as authentication server. Instead,
I had to have:

sys=<authserver>
    ip=<ip>
    dom=<authserver.stanford.edu>
    proto=il
    proto=tcp (not sure about this, but someone suggested it)
    auth=<authserver>

If I remove the auth=<authserver>, I get the error. If I put it back
in, I get the challenge/response and can login to the system. Wheee!
Thanks guys!
Jim