9fans - fans of the OS Plan 9 from Bell Labs
* Yeeha! =) (was Re: [9fans] Argh -- auth checklist?)
From: James @ 1999-02-27  1:33 UTC


> the applications that authenticate dial the authenticator.  auth= says
> where to find it.  it's possible to put the auth= entry in /lib/ndb/local
> only at net or subnet level, but that didn't work when Jim tried it
> (probably because the net/subnet entries aren't quite right, but i'll
> look at them closely later).

And Russ and Forsyth win the prize!  I won't claim to understand it all,
but fixing the highwire-net entry does the trick as well. I am sort of
confused by it all. Yes, Stanford Libraries uses the 36.0.0.0 domain, one
of the few (two?) class A addresses still in use, but... We have always
been told that our network is 36.48.0.0, with the netmask 255.255.0.0.

Following Russ's e-mail to me, I switched out the highwire-net
entry. Following Forsyth's comments, I cleaned up the rest of
/lib/ndb/local as well. =) The following works for me -- I can get
authentication.

    #
    # systems on the local network
    #
    
    #
    # Domain Name Service
    #
    dom=
        ns=cilantro.stanford.edu
        ns=cassandra.stanford.edu
        ns=caribou.stanford.edu
    dom=cilantro.stanford.edu ip=171.64.7.99
    dom=cassandra.stanford.edu ip=171.64.7.77
    dom=caribou.stanford.edu ip=171.64.7.55
     
    #
    # Networks
    #
    ipnet=highwire-net
        ip=36.0.0.0
        ipmask=255.255.255.0
        ipgw=36.48.0.1
        fs=bela
        auth=ruler
    
    #
    # CPU/Auth servers
    #
    sys=ruler
        dom=ruler.stanford.edu ip=36.48.0.135 ether=0060977e685a 
        bootf=/386/9pccpudisk
        proto=il
    
    #
    # File servers
    #
    sys=bela
        dom=bela.stanford.edu ip=36.48.0.137 ether=00a02425fb61
        proto=il
    
    ... terminals list ...

    ... services list ...
    il=ticket       port=566
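
Added example, not part of the original post or of Plan 9's own code: a simplified Python model of an ndb attribute lookup, showing why auth= on the ipnet entry resolved for sys=ruler only once that entry carried ip=36.0.0.0. It assumes the lookup checks the host entry first and then walks ipnet entries starting from the address's classful network, which is consistent with the behaviour reported in this thread. The names parse_ndb, classful_net, lookup and auth_for are hypothetical, and the sample database is constructed from the entries quoted above.

```python
import ipaddress
# Constructed sample modelled on the thread: auth= only on the ipnet entry.
TEMPLATE = """\
ipnet=highwire-net ip={net}
    ipmask=255.255.255.0
    auth=ruler
sys=ruler
    dom=ruler.stanford.edu ip=36.48.0.135
"""

def parse_ndb(text):
    """An unindented line starts an entry; indented lines continue it."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0]          # '#' starts a comment
        if not body.strip():
            continue
        if not body[0].isspace() or not entries:
            entries.append({})
        for pair in body.split():
            attr, _, val = pair.partition("=")
            entries[-1].setdefault(attr, val)  # model keeps the first value
    return entries

def classful_net(ip):  # default class A/B/C network containing ip
    first = int(ip.split(".")[0])
    bits = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)

def lookup(db, sysname, attr):
    """Host entry, then the classful ipnet entry, then subnets by ipmask."""
    host = next((e for e in db if e.get("sys") == sysname), None)
    if host is None or attr in host or "ip" not in host:
        return (host or {}).get(attr)
    val, net, seen = None, classful_net(host["ip"]), set()
    while net not in seen:
        seen.add(net)
        addr = str(net.network_address)
        entry = next((e for e in db if "ipnet" in e and e.get("ip") == addr), None)
        if entry is None:
            break  # no entry for this network: the walk stops here
        val = entry.get(attr, val)  # a more specific entry overrides
        mask = entry.get("ipmask", net.netmask)
        net = ipaddress.ip_network(f"{host['ip']}/{mask}", strict=False)
    return val

def auth_for(net_ip, host_auth=False):  # auth= that sys=ruler resolves to
    text = TEMPLATE.format(net=net_ip) + ("    auth=ruler\n" if host_auth else "")
    return lookup(parse_ndb(text), "ruler", "auth")
```

In this model auth_for("36.48.0.0") returns None, while auth_for("36.0.0.0") and auth_for("36.48.0.0", host_auth=True) both return "ruler", matching the three configurations James describes.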




From: James @ 1999-02-26 18:21 UTC


> 	proto=il
> and
> 	proto=fil
> are the only effective ones.  they tell ndb/cs to allow the use of

That's what I thought from reading posts here (I've got as much of the
mail archive as I could find in my +9fans box). I only had proto=il in
there before, and someone suggested adding the others. I figured it doesn't
hurt. =)  What I need to do is write up a real doc on how the ndb/* files
get parsed, so it isn't so hard to figure stuff out. The official docs are
geared toward people who are somewhat familiar with the system already. =)



Jim




From: forsyth @ 1999-02-26 18:13 UTC


>>Heh; Authserver needs to be told it's an authserver?

the applications that authenticate dial the authenticator.
auth= says where to find it.  it's possible to put the auth=
entry in /lib/ndb/local only at net or subnet level, but
that didn't work when Jim tried it (probably because the
net/subnet entries aren't quite right, but i'll look at them closely later).

	proto=il
and
	proto=fil
are the only effective ones.  they tell ndb/cs to allow the use of
the il (fil) protocol (and associated services) when net! is used to dial a
host that declares them.  otherwise it limits the choice to standard ip protocols.
i'd be impressed if you could make use of proto=fil,
so proto=il is the only one you need.  in effect, it marks machines
that can use the plan9-specific protocols.





From: Dorman, Eric @ 1999-02-26 17:41 UTC




> -----Original Message-----
> From: James A. Robinson [mailto:Jim.Robinson@stanford.edu]
> Sent: Thursday, February 25, 1999 7:16 PM
[xx]
>     #
>     # CPU/Auth servers
>     #
>     sys=ruler
>         dom=ruler.stanford.edu ip=36.48.0.135 ether=0060977e685a 
>         bootf=/386/9pccpudisk
>         proto=il
>         proto=tcp
>         proto=udp
>         ipnet=highwire-net
>         fs=bela

hmm

>         auth=ruler

Heh; Authserver needs to be told it's an authserver?
I'll have to look and see if that's how mine is set up.

eld




From: okamoto @ 1999-02-26  4:21 UTC


The only one essential(?) difference between yours and mine
is that I have no line of

	cpu=ruler.

>    #
>    # Networks
>    #
>    ipnet=highwire-net ip=36.48.0.0 ipmask=255.255.255.0
>        fs=bela.stanford.edu
>        ipgw=36.48.0.1
>        mailgw=highwire
>        cpu=ruler
>        auth=ruler

Kenji




From: James @ 1999-02-26  3:15 UTC


> I'm no authority on this matter, however, the underlines
> could be enough for netkey working correctly.  It works
> fine at least in my environment.

Well the below is what I had at first, and it did NOT work:

    #
    # systems on the local network
    #
    
    #
    # Domain Name Service
    #
    dom=
        ns=cilantro.stanford.edu
        ns=cassandra.stanford.edu
        ns=caribou.stanford.edu
    dom=cilantro.stanford.edu ip=171.64.7.99
    dom=cassandra.stanford.edu ip=171.64.7.77
    dom=caribou.stanford.edu ip=171.64.7.55
     
    #
    # Networks
    #
    ipnet=highwire-net ip=36.48.0.0 ipmask=255.255.255.0
        fs=bela.stanford.edu
        ipgw=36.48.0.1
        mailgw=highwire
        cpu=ruler
        auth=ruler
    
    #
    # CPU/Auth servers
    #
    ip=36.48.0.135 ether=0060977e685a sys=ruler
        dom=ruler.stanford.edu
        bootf=/386/9pccpudisk
        proto=il
    
    #
    # File servers
    #
    ip=36.48.0.137 ether=00a02425fb61 sys=bela
        dom=bela.stanford.edu
        proto=il
    
    ... terminal entries and stuff ...

    #
    #  il services
    #
    il=ticket       port=566


The following is what I have now, and it will work as long as the
sys=ruler entry has the auth=ruler line. Various additional lines
are copied from the other ndb/local stuff people told me they had
in their systems (and if it doesn't hurt... =)

    #
    # systems on the local network
    #
    
    #
    # Domain Name Service
    #
    dom=
        ns=cilantro.stanford.edu
        ns=cassandra.stanford.edu
        ns=caribou.stanford.edu
    dom=cilantro.stanford.edu ip=171.64.7.99
    dom=cassandra.stanford.edu ip=171.64.7.77
    dom=caribou.stanford.edu ip=171.64.7.55
     
    #
    # Networks
    #
    ipnet=highwire-net
        ip=36.48.0.0
        ipmask=255.255.255.0
        ipgw=36.48.0.1
        fs=bela
        auth=ruler
    
    #
    # CPU/Auth servers
    #
    sys=ruler
        dom=ruler.stanford.edu ip=36.48.0.135 ether=0060977e685a 
        bootf=/386/9pccpudisk
        proto=il
        proto=tcp
        proto=udp
        ipnet=highwire-net
        fs=bela
        auth=ruler
    
    #
    # File servers
    #
    sys=bela
        dom=bela.stanford.edu ip=36.48.0.137 ether=00a02425fb61
        proto=il
        ipnet=highwire-net
      
    ... terminal entries and stuff ...

    #
    #  il services
    #
    il=ticket       port=566




From: okamoto @ 1999-02-26  3:10 UTC


I'm no authority on this matter, however, the underlines
could be enough for netkey working correctly.  It works
fine at least in my environment.

>I originally had a setup like:
>
>	ipnet=foo
>		ip=<net>
>		ipmask=<mask>
>		ipgw=<gw>
>		auth=<authserver>
>
>	sys=<authserver>
>		ip=<ip>
>		dom=<authserver.stanford.edu>
>		proto=il

Kenji 
--not an expert, but just one of users of Plan 9 :-)





From: James @ 1999-02-26  2:29 UTC


Thanks to everyone who responded: Forsyth, Russ, Steve, and David.

What was wrong was that I needed to add to my sys= entry for the auth
server, the line 'auth=<authserver>' so that my auth server would know
that it, itself, was the auth server to check.

Russ pointed out that I should be able to have csquery resolve lines
like net!$auth!ticket and tcp!$auth!telnet. I wasn't, so that pointed
out the problem as being in my ndb/local file. 

I originally had a setup like:

	ipnet=foo
		ip=<net>
		ipmask=<mask>
		ipgw=<gw>
		auth=<authserver>

	sys=<authserver>
		ip=<ip>
		dom=<authserver.stanford.edu>
		proto=il
		
I had assumed that, since authserver was in subnet foo, it would understand
that it should use <authserver> (itself) as authentication server.  Instead,
I had to have:

	sys=<authserver>
		ip=<ip>
		dom=<authserver.stanford.edu>
		proto=il
		proto=tcp (not sure about this, but someone suggested it)
		auth=<authserver>

If I remove the auth=<authserver>, I get the error. If I put it back
in, I get the challenge/response and can login to the system. Wheee!


Thanks guys!


Jim



