9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] drawterm authentication failure
@ 2007-10-22 21:26 Martin Neubauer
  2007-10-22 21:33 ` andrey mirtchovski
  2007-10-23  9:28 ` sqweek
  0 siblings, 2 replies; 17+ messages in thread
From: Martin Neubauer @ 2007-10-22 21:26 UTC (permalink / raw)
  To: 9fans

I've set up a new auth/cpu/fossil server via maht's make_cpuauth warlock.
Things went smoothly for the most part, but if I try to connect to it
drawterm does nothing for quite some time and finally prints:

cpu: can't authenticate: plan9host: auth_proxy rpc: p9any client get tickets: p9sk1: gettickets: Operation timed out

I don't quite have a clue what's going on (or, rather, not going on), but as
I can boot terminals off the system and cpu in from other plan 9 hosts it
seems that drawterm expects some network service cpu doesn't. Also, I don't
think my drawterm is broken. I can connect to mordor just fine, for example.

Baffled,
	Martin



* Re: [9fans] drawterm authentication failure
  2007-10-22 21:26 [9fans] drawterm authentication failure Martin Neubauer
@ 2007-10-22 21:33 ` andrey mirtchovski
  2007-10-22 22:12   ` Martin Neubauer
  2007-10-23  9:28 ` sqweek
  1 sibling, 1 reply; 17+ messages in thread
From: andrey mirtchovski @ 2007-10-22 21:33 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

looks like your drawterm can't connect to the authentication server's
port. are you specifying '-a' on the command line? do you have
anything filtering port 567? are you behind a nat and have to forward
it?

On 10/22/07, Martin Neubauer <m.ne@gmx.net> wrote:
> I've set up a new auth/cpu/fossil server via maht's make_cpuauth warlock.
> Things went smoothly for the most part, but if I try to connect to it
> drawterm does nothing for quite some time and finally prints:
>
> cpu: can't authenticate: plan9host: auth_proxy rpc: p9any client get tickets: p9sk1: gettickets: Operation timed out
>
> I don't quite have a clue what's going on (or, rather, not going on), but as
> I can boot terminals off the system and cpu in from other plan 9 hosts it
> seems that drawterm expects some network service cpu doesn't. Also, I don't
> think my drawterm is broken. I can connect to mordor just fine, for example.
>
> Baffled,
>         Martin
>
>



* Re: [9fans] drawterm authentication failure
  2007-10-22 21:33 ` andrey mirtchovski
@ 2007-10-22 22:12   ` Martin Neubauer
  2007-10-22 22:22     ` erik quanstrom
  0 siblings, 1 reply; 17+ messages in thread
From: Martin Neubauer @ 2007-10-22 22:12 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

* andrey mirtchovski (mirtchovski@gmail.com) wrote:
> looks like your drawterm can't connect to the authentication server's
> port. are you specifying '-a' on the command line? do you have
> anything filtering port 567? are you behind a nat and have to forward
> it?

I did specify the authserver (it's the same machine). Nat shouldn't be a
problem, because all machines in question are connected through a single
hub. It's just that cpu works, drawterm from the system next to it doesn't.
Conversely, drawterm to mordor, which lies behind a NAT'ing router, gives no
trouble.



* Re: [9fans] drawterm authentication failure
  2007-10-22 22:12   ` Martin Neubauer
@ 2007-10-22 22:22     ` erik quanstrom
  2007-10-23  8:35       ` Martin Neubauer
  0 siblings, 1 reply; 17+ messages in thread
From: erik quanstrom @ 2007-10-22 22:22 UTC (permalink / raw)
  To: 9fans

> I did specify the authserver (it's the same machine). Nat shouldn't be a
> problem, because all machines in question are connected through a single
> hub. It's just that cpu works, drawterm from the system next to it doesn't.
> Conversely, drawterm to mordor, which lies behind a NAT'ing router, gives no
> trouble.
> 

sounds like a name resolution problem.

- erik



* Re: [9fans] drawterm authentication failure
  2007-10-22 22:22     ` erik quanstrom
@ 2007-10-23  8:35       ` Martin Neubauer
  2007-10-23 11:16         ` erik quanstrom
  2007-10-23 19:34         ` Lyndon Nerenberg
  0 siblings, 2 replies; 17+ messages in thread
From: Martin Neubauer @ 2007-10-23  8:35 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

* erik quanstrom (quanstro@coraid.com) wrote:
> > I did specify the authserver (it's the same machine). Nat shouldn't be a
> > problem, because all machines in question are connected through a single
> > hub. It's just that cpu works, drawterm from the system next to it doesn't.
> > Conversely, drawterm to mordor, which lies behind a NAT'ing router, gives no
> > trouble.
> > 
> 
> sounds like a name resolution problem.
> 
> - erik

I'm not sure that's the issue. The host names are mutually known (as of last
night, admittedly) and cpu with mutually unknown host names succeeds.

I might be missing something obvious, though.

	Martin



* Re: [9fans] drawterm authentication failure
  2007-10-22 21:26 [9fans] drawterm authentication failure Martin Neubauer
  2007-10-22 21:33 ` andrey mirtchovski
@ 2007-10-23  9:28 ` sqweek
  2007-10-23 13:20   ` Martin Neubauer
  1 sibling, 1 reply; 17+ messages in thread
From: sqweek @ 2007-10-23  9:28 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

On 10/23/07, Martin Neubauer <m.ne@gmx.net> wrote:
> I've set up a new auth/cpu/fossil server via maht's make_cpuauth warlock.
> Things went smoothly for the most part, but if I try to connect to it
> drawterm does nothing for quite some time and finally prints:
>
> cpu: can't authenticate: plan9host: auth_proxy rpc: p9any client get tickets: p9sk1: gettickets: Operation timed out

 I only ever muddled about with auth when I was getting my plan9 box
up so I may be misremembering, but isn't gettickets related to
factotum?
 Is there a factotum running on the host you're drawterming from or
are you just relying on what drawterm provides in that respect? Might
be worth a try.
-sqweek



* Re: [9fans] drawterm authentication failure
  2007-10-23  8:35       ` Martin Neubauer
@ 2007-10-23 11:16         ` erik quanstrom
  2007-10-23 19:34         ` Lyndon Nerenberg
  1 sibling, 0 replies; 17+ messages in thread
From: erik quanstrom @ 2007-10-23 11:16 UTC (permalink / raw)
  To: 9fans

> I'm not sure that's the issue. The host names are mutually known (as of last
> night, admittedly) and cpu with mutually unknown host names succeeds.
> 
> I might be missing something obvious, though.
> 
> 	Martin

snoopy is your friend!  

- erik



* Re: [9fans] drawterm authentication failure
  2007-10-23  9:28 ` sqweek
@ 2007-10-23 13:20   ` Martin Neubauer
  2007-10-23 13:40     ` erik quanstrom
  2007-10-24  9:55     ` johnny
  0 siblings, 2 replies; 17+ messages in thread
From: Martin Neubauer @ 2007-10-23 13:20 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

* sqweek (sqweek@gmail.com) wrote:
>  I only ever muddled about with auth when I was getting my plan9 box
> up so I may be misremembering, but isn't gettickets related to
> factotum?
>  Is there a factotum running on the host you're drawterming from or
> are you just relying on what drawterm provides in that respect? Might
> be worth a try.
> -sqweek

I had indeed factotum running. After killing the process I could connect to
the plan 9 server. Looks like I've implemented some authentication self hate
on my network.

Some further digging and a peek at the archives showed that upon connecting
the following lines get appended to /mnt/factotum/log:

287: no key matches proto=9psk1 role=server dom?
287: failure no key matches proto=9psk1 role=server dom?

Also, whenever I use drawterm without factotum (which succeeds) I get
prompted for the secstore key twice. That seems a little odd to me.

	Martin




* Re: [9fans] drawterm authentication failure
  2007-10-23 13:20   ` Martin Neubauer
@ 2007-10-23 13:40     ` erik quanstrom
  2007-10-23 15:16       ` Martin Neubauer
  2007-10-24  9:55     ` johnny
  1 sibling, 1 reply; 17+ messages in thread
From: erik quanstrom @ 2007-10-23 13:40 UTC (permalink / raw)
  To: 9fans

> I had indeed factotum running. After killing the process I could connect to
> the plan 9 server. Looks like I've implemented some authentication self hate
> on my network.
> 
> Some further digging and a peek at the archives showed that upon connecting
> the following lines get appended to /mnt/factotum/log:
> 
> 287: no key matches proto=9psk1 role=server dom?
> 287: failure no key matches proto=9psk1 role=server dom?
> 
> Also, whenever I use drawterm without factotum (which succeeds) I get
> prompted for the secstore key twice. That seems a little odd to me.

i think there's something else going on.  on the home machine i run p9p on,
i do run factotum with drawterm.

	; ps auxwww|grep factotum
	quanstro  4972  0.0  0.1  43648   360 ?        Sl   Sep13   0:00 factotum
	quanstro  4975  0.0  0.0  67880   204 ?        Sl   Sep13   0:03 9pserve -u unix!/tmp/ns.quanstro.:0/factotum
	quanstro  2202  0.0  0.2   1676   536 pts/9    S+   09:26   0:00 grep factotum

check your profile for a path that has two calls to auth/factotum.

- erik



* Re: [9fans] drawterm authentication failure
  2007-10-23 13:40     ` erik quanstrom
@ 2007-10-23 15:16       ` Martin Neubauer
  2007-10-23 15:23         ` erik quanstrom
  2007-10-23 20:06         ` Tim Wiess
  0 siblings, 2 replies; 17+ messages in thread
From: Martin Neubauer @ 2007-10-23 15:16 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

* erik quanstrom (quanstro@quanstro.net) wrote:
> i think there's something else going on.  on the home machine i run p9p on,
> i do run factotum with drawterm.
> 
> 	; ps auxwww|grep factotum
> 	quanstro  4972  0.0  0.1  43648   360 ?        Sl   Sep13   0:00 factotum
> 	quanstro  4975  0.0  0.0  67880   204 ?        Sl   Sep13   0:03 9pserve -u unix!/tmp/ns.quanstro.:0/factotum
> 	quanstro  2202  0.0  0.2   1676   536 pts/9    S+   09:26   0:00 grep factotum
> 
> check your profile for a path that has two calls to auth/factotum.
> 
> - erik

I'm fairly certain that factotum is only started once. As I wrote before,
connecting to mordor works, so it seems I'm experiencing some peculiarity of
my plan 9 server that apparently exhibits some subtle difference between
cpu and drawterm. Perhaps I should just step back a little. Not running
factotum is a workaround, but I have the feeling that ignoring the issue
will come around some day and bite me.

Thanks anyway,
	Martin




* Re: [9fans] drawterm authentication failure
  2007-10-23 15:16       ` Martin Neubauer
@ 2007-10-23 15:23         ` erik quanstrom
  2007-10-23 20:06         ` Tim Wiess
  1 sibling, 0 replies; 17+ messages in thread
From: erik quanstrom @ 2007-10-23 15:23 UTC (permalink / raw)
  To: 9fans

> > check your profile for a path that has two calls to auth/factotum.
> > 
> > - erik
> 
> I'm fairly certain that factotum is only started once. As I wrote before,

by profile, i mean lib/profile on your plan 9 box.  sorry for being unclear.
generally, there is a different path through lib/profile for drawterm calls.

this is part of my lib/profile from home

case cpu
	if (test -e /mnt/term/mnt/wsys) {
		# rio already running
		wsys = /mnt/term^`{cat /mnt/term/env/wsys}
		bind -a /mnt/term/mnt/wsys /dev
		if(test -f /mnt/term/dev/label)
			echo -n $sysname > /mnt/term/dev/label
	}
	bind /mnt/term/dev/cons /dev/cons
	bind /mnt/term/dev/consctl /dev/consctl
	bind -a /mnt/term/dev /dev
	prompt=('; ' '	')
	fn cpu%{ $* }
	news
	if (! test -e /mnt/term/mnt/wsys) {
		# cpu call from drawterm
		plumber
		auth/factotum
		upas/fs -lb >$home/log/upasfs.log>[2=1]
		exec rio
	}

- erik



* Re: [9fans] drawterm authentication failure
  2007-10-23  8:35       ` Martin Neubauer
  2007-10-23 11:16         ` erik quanstrom
@ 2007-10-23 19:34         ` Lyndon Nerenberg
  2007-10-23 19:38           ` andrey mirtchovski
  1 sibling, 1 reply; 17+ messages in thread
From: Lyndon Nerenberg @ 2007-10-23 19:34 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs


On 2007-Oct-23, at 01:35 , Martin Neubauer wrote:

> I might be missing something obvious, though.

At this point you're best off putting a packet sniffer on the wire  
and taking a look to see what is really happening (or not happening).



* Re: [9fans] drawterm authentication failure
  2007-10-23 19:34         ` Lyndon Nerenberg
@ 2007-10-23 19:38           ` andrey mirtchovski
  0 siblings, 0 replies; 17+ messages in thread
From: andrey mirtchovski @ 2007-10-23 19:38 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

> At this point you're best off putting a packet sniffer on the wire
> and taking a look to see what is really happening (or not happening).

...then let us know what happened so we can finally have an answer
when google asks to "please describe a situation in which you used
tcpdump to diagnose and solve a network problem" ;)



* Re: [9fans] drawterm authentication failure
  2007-10-23 15:16       ` Martin Neubauer
  2007-10-23 15:23         ` erik quanstrom
@ 2007-10-23 20:06         ` Tim Wiess
  2007-10-23 20:24           ` Martin Neubauer
  1 sibling, 1 reply; 17+ messages in thread
From: Tim Wiess @ 2007-10-23 20:06 UTC (permalink / raw)
  To: 9fans

> I'm fairly certain that factotum is only started once. As I wrote before,
> connecting to mordor works, so it seems I'm experiencing some peculiarity of
> my plan 9 server that apparently exhibits some subtle difference between
> cpu and drawterm. Perhaps I should just step back a little. Not running
> factotum is a workaround, but I have the feeling that ignoring the issue
> will come around some day and bite me.

    for P9P factotum make sure you have the relevant entries
    in $PLAN9/ndb/local.



* Re: [9fans] drawterm authentication failure
  2007-10-23 20:06         ` Tim Wiess
@ 2007-10-23 20:24           ` Martin Neubauer
  2007-10-23 20:33             ` Tim Wiess
  0 siblings, 1 reply; 17+ messages in thread
From: Martin Neubauer @ 2007-10-23 20:24 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

* Tim Wiess (tim@nop.cx) wrote:
>     for P9P factotum make sure you have the relevant entries
>     in $PLAN9/ndb/local.

That did it. Mordor worked, obviously, because the entry is already there by
default. Embarrassing, isn't it?

Thank you all,
	Martin



* Re: [9fans] drawterm authentication failure
  2007-10-23 20:24           ` Martin Neubauer
@ 2007-10-23 20:33             ` Tim Wiess
  0 siblings, 0 replies; 17+ messages in thread
From: Tim Wiess @ 2007-10-23 20:33 UTC (permalink / raw)
  To: 9fans

> * Tim Wiess (tim@nop.cx) wrote:
>>     for P9P factotum make sure you have the relevant entries
>>     in $PLAN9/ndb/local.
> 
> That did it. Mordor worked, obviously, because the entry is already there by
> default. Embarrassing, isn't it?

    great.
    some of the references in the man page need to be updated to
    reflect the P9P environment vs straight Plan 9, but the text for
    -a pretty much explains it.



* Re: [9fans] drawterm authentication failure
  2007-10-23 13:20   ` Martin Neubauer
  2007-10-23 13:40     ` erik quanstrom
@ 2007-10-24  9:55     ` johnny
  1 sibling, 0 replies; 17+ messages in thread
From: johnny @ 2007-10-24  9:55 UTC (permalink / raw)
  To: 9fans

yes, it seems factotum (p9p, i haven't had the chance of having two plan9 machines, which is really sad in itself) needs the authdom domain name to be resolvable, I had this problem until I started using the plan9 box as my local dns server (which, by the way is really really awesomely easy). an edit in /etc/hosts on linux is kind of a hack...doesn't scale, but it helps too.
Cheers
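
Added example, not part of any message in this thread: the fix reported above was an entry in $PLAN9/ndb/local, and the sketch below parses ndb-style text and reports whether an authentication domain has an auth server listed. The auth=/authdom= attribute names follow ndb(6); the host and domain names and the functions parse_ndb, auth_server_for and check are constructed for illustration, and the parser handles only unquoted values.

```python
# Constructed sample in ndb(6) syntax; all host and domain names are placeholders.
SAMPLE_NDB = """\
# local additions
auth=auth.example.net authdom=example.net
sys=fileserver
\tip=192.0.2.10 dom=fs.example.net
"""


def parse_ndb(text):
    """Return a list of entries, each a list of (attr, value) tuples.

    Simplified reading of ndb(6): a line starting in column one begins an
    entry, a line starting with white space continues the previous entry,
    and '#' starts a comment. Quoted values are not handled.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if not line.strip():
            continue  # blank line or comment only
        pairs = []
        for tok in line.split():
            attr, _, val = tok.partition("=")
            pairs.append((attr, val))
        if raw[0] in " \t" and entries:
            entries[-1].extend(pairs)  # continuation of the current entry
        else:
            entries.append(pairs)
    return entries


def auth_server_for(entries, authdom):
    """Return the auth= value of the entry carrying authdom=<authdom>, or None."""
    for entry in entries:
        if ("authdom", authdom) in entry:
            for attr, val in entry:
                if attr == "auth":
                    return val
    return None


def check(text, authdom):
    """Describe whether the ndb text names an auth server for authdom."""
    server = auth_server_for(parse_ndb(text), authdom)
    if server is None:
        return f"no auth= entry for authdom={authdom}; add one to $PLAN9/ndb/local"
    # Port 567 is the authentication server port mentioned earlier in the thread.
    return f"authdom={authdom} -> {server} (port 567)"


if __name__ == "__main__":
    print(check(SAMPLE_NDB, "example.net"))
    print(check(SAMPLE_NDB, "other.example"))
```
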

