9fans - fans of the OS Plan 9 from Bell Labs
 help / color / mirror / Atom feed
* RE: [9fans] Auth problems (again?)
@ 2002-09-20 16:22 Russ Cox
  2002-09-20 16:44 ` [9fans] How Apache & Plan 9 will defeat Microsoft's Passport Arnaud SAHUGUET
  2002-09-20 17:09 ` [9fans] Auth problems (again?) gabidiaz
  0 siblings, 2 replies; 8+ messages in thread
From: Russ Cox @ 2002-09-20 16:22 UTC (permalink / raw)
  To: 9fans

It sounds like you're now having the same problems
Axel had a few weeks ago.  Can you make sure you
are running the latest kernel?  That is, do:

	9fat:
	cp /386/9pcdisk /n/9fat/9pcdisk

then halt and reboot.
I'm assuming you're booting from sdC0!9fat!9pcdisk;
that's how the install program sets things up.

Russ



^ permalink raw reply	[flat|nested] 8+ messages in thread

* [9fans] How Apache & Plan 9 will defeat Microsoft's Passport
  2002-09-20 16:22 [9fans] Auth problems (again?) Russ Cox
@ 2002-09-20 16:44 ` Arnaud SAHUGUET
  2002-09-20 17:09 ` [9fans] Auth problems (again?) gabidiaz
  1 sibling, 0 replies; 8+ messages in thread
From: Arnaud SAHUGUET @ 2002-09-20 16:44 UTC (permalink / raw)
  To: 9fans

http://www.linuxworld.com/site-stories/2002/0918.plan9.html



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [9fans] Auth problems (again?)
  2002-09-20 16:22 [9fans] Auth problems (again?) Russ Cox
  2002-09-20 16:44 ` [9fans] How Apache & Plan 9 will defeat Microsoft's Passport Arnaud SAHUGUET
@ 2002-09-20 17:09 ` gabidiaz
  1 sibling, 0 replies; 8+ messages in thread
From: gabidiaz @ 2002-09-20 17:09 UTC (permalink / raw)
  To: 9fans

On Fri, Sep 20, 2002 at 12:22:36PM -0400, Russ Cox wrote:
> It sounds like you're now having the same problems
> Axel had a few weeks ago.  Can you make sure you
> are running the latest kernel?  That is, do:
>
> 	9fat:
> 	cp /386/9pcdisk /n/9fat/9pcdisk
>
> then halt and reboot.
> I'm assuming you're booting from sdC0!9fat!9pcdisk;
> that's how the install program sets things up.
>
> Russ
>

That's is!! Thank you Russ. i forgot to copy from /sys/src/9/pc


Un saludo


^ permalink raw reply	[flat|nested] 8+ messages in thread

* RE: [9fans] Auth problems (again?)
  2002-09-20  5:03 Russ Cox
@ 2002-09-20 10:16 ` Gabriel Diaz Lopez de la Llave
  0 siblings, 0 replies; 8+ messages in thread
From: Gabriel Diaz Lopez de la Llave @ 2002-09-20 10:16 UTC (permalink / raw)
  To: 9fans

hello,

I updated again and run auth/debug tests.
The first time auth/debug says to me that password for bootes was bad,
but I changed it with auth/changeuser -p and echo asds > /dev/sdC0/nvram
to re-enter nvram stuff.

then i run auth/debug again with good results (i think)
---------------------
cpu# auth/debug
p9sk1 key: dom=ipsoluciones.com proto=p9sk1 user=bootes
	successfully dialed auth server
	password for bootes@ipsoluciones.com [hit enter to skip test]: 
	ticket request using bootes@ipsoluciones.com key succeeded
	cpu server owner for domain ipsoluciones.com [bootes]: 
	password for bootes@ipsoluciones.com [hit enter to skip test]: 
	ticket request using bootes@ipsoluciones.com key succeeded
cpu# auth/debug
p9sk1 key: dom=ipsoluciones.com proto=p9sk1 user=bootes
	successfully dialed auth server
	password for bootes@ipsoluciones.com [hit enter to skip test]: 
	ticket request using bootes@ipsoluciones.com key succeeded
	cpu server owner for domain ipsoluciones.com [bootes]: gabidiaz
	password for gabidiaz@ipsoluciones.com [hit enter to skip test]:

	ticket request using gabidiaz@ipsoluciones.com key succeeded
cpu#
--------------------


SSH connections fails with the message:


-------------------------
cpu Sep 20 11:45:21 [114] connect from 192.168.1.45!3242
cpu Sep 20 11:45:26 [114] auth_chuid to gabidiaz: writing  to
#¤/capuse: i/o count too small
/bin/aux/sshserve: auth_chuid: writing  to #¤/capuse: i/o count too
small
-------------------------

what is #¤/capuse? how can i see all bindings?

/sys/log/auth
-------------------
cpu Sep 20 12:03:53 secureidcheck: nil radius secret:
'/lib/ndb/common.radius' does not exist
cpu Sep 20 12:03:53 cr-fail authentication failed gabidiaz 213.0.106.123
cpu Sep 20 12:03:53 cr-fail gabidiaz@bootes(213.0.106.123): bad resp
---------------------

(i changed the password for that user with something silly and ease to
type but all the attempts fails)

Thank for the help!


-----Mensaje original-----
De: 9fans-admin@cse.psu.edu [mailto:9fans-admin@cse.psu.edu] En nombre
de Russ Cox
Enviado el: viernes, 20 de septiembre de 2002 7:03
Para: 9fans@cse.psu.edu
Asunto: RE: [9fans] Auth problems (again?)

Try updating from sources again.  It will pick
up a new program called auth/debug.

Run auth/debug.  It asks for your local user
password as well as the cpu hostowner name and
password.  It uses these to check that your
auth server is dialable and that it's giving out
correct tickets (which means it agrees with you
about those passwords).

The idea is that auth/debug will accumulate more
such sanity checks as time goes on.

For example, in my fairly complicated setup (three
p9sk1 domains), running auth/debug yields:

g% grep p9sk1 /mnt/factotum/ctl
key dom=cs.bell-labs.com proto=p9sk1 user=rsc !password?
key dom=outside.plan9.bell-labs.com proto=p9sk1 user=bozo !password?
key dom=insideout.plan9.bell-labs.com proto=p9sk1 role=speakfor
user=glenda !password?
g% auth/debug
p9sk1 key: dom=cs.bell-labs.com proto=p9sk1 user=rsc !password?
	successfully dialed auth server
	password for rsc@cs.bell-labs.com [hit enter to skip test]: 
	ticket request using rsc@cs.bell-labs.com key succeeded
	cpu server owner for domain cs.bell-labs.com [bootes]: 
	password for bootes@cs.bell-labs.com [hit enter to skip test]: 
	ticket request using bootes@cs.bell-labs.com key succeeded
p9sk1 key: dom=outside.plan9.bell-labs.com proto=p9sk1 user=bozo
!password?
	successfully dialed auth server
	password for bozo@outside.plan9.bell-labs.com [hit enter to skip
test]: 
	ticket request using bozo@outside.plan9.bell-labs.com key
succeeded
	cpu server owner for domain outside.plan9.bell-labs.com
[bootes]: glenda
	password for glenda@outside.plan9.bell-labs.com [hit enter to
skip test]: 
	ticket request using glenda@outside.plan9.bell-labs.com key
succeeded
p9sk1 key: dom=insideout.plan9.bell-labs.com proto=p9sk1 role=speakfor
user=glenda !password?
	cannot dial auth server: no auth server found for
insideout.plan9.bell-labs.com
	csquery authdom=insideout.plan9.bell-labs.com auth=* failed
	csquery dom=insideout.plan9.bell-labs.com auth=''
	dial net!!ticket failed: cs: can't translate address
g% 

The first two sections are examples of domains
that worked: I have cs.bell-labs.com (used by plan9.bell-labs.com)
and outside.plan9.bell-labs.com (used by sources)
set up correctly.

In the third, auth/debug flags the fact that it can't
figure out the auth server for the domain and thus can't
dial it.  (That's okay because there is no auth server,
but this is a degenerate case.)

Let me know what you get when you run auth/debug and we'll
go from there.

Russ



^ permalink raw reply	[flat|nested] 8+ messages in thread

* RE: [9fans] Auth problems (again?)
@ 2002-09-20  5:03 Russ Cox
  2002-09-20 10:16 ` Gabriel Diaz Lopez de la Llave
  0 siblings, 1 reply; 8+ messages in thread
From: Russ Cox @ 2002-09-20  5:03 UTC (permalink / raw)
  To: 9fans

Try updating from sources again.  It will pick
up a new program called auth/debug.

Run auth/debug.  It asks for your local user
password as well as the cpu hostowner name and
password.  It uses these to check that your
auth server is dialable and that it's giving out
correct tickets (which means it agrees with you
about those passwords).

The idea is that auth/debug will accumulate more
such sanity checks as time goes on.

For example, in my fairly complicated setup (three
p9sk1 domains), running auth/debug yields:

g% grep p9sk1 /mnt/factotum/ctl
key dom=cs.bell-labs.com proto=p9sk1 user=rsc !password?
key dom=outside.plan9.bell-labs.com proto=p9sk1 user=bozo !password?
key dom=insideout.plan9.bell-labs.com proto=p9sk1 role=speakfor user=glenda !password?
g% auth/debug
p9sk1 key: dom=cs.bell-labs.com proto=p9sk1 user=rsc !password?
	successfully dialed auth server
	password for rsc@cs.bell-labs.com [hit enter to skip test]:
	ticket request using rsc@cs.bell-labs.com key succeeded
	cpu server owner for domain cs.bell-labs.com [bootes]:
	password for bootes@cs.bell-labs.com [hit enter to skip test]:
	ticket request using bootes@cs.bell-labs.com key succeeded
p9sk1 key: dom=outside.plan9.bell-labs.com proto=p9sk1 user=bozo !password?
	successfully dialed auth server
	password for bozo@outside.plan9.bell-labs.com [hit enter to skip test]:
	ticket request using bozo@outside.plan9.bell-labs.com key succeeded
	cpu server owner for domain outside.plan9.bell-labs.com [bootes]: glenda
	password for glenda@outside.plan9.bell-labs.com [hit enter to skip test]:
	ticket request using glenda@outside.plan9.bell-labs.com key succeeded
p9sk1 key: dom=insideout.plan9.bell-labs.com proto=p9sk1 role=speakfor user=glenda !password?
	cannot dial auth server: no auth server found for insideout.plan9.bell-labs.com
	csquery authdom=insideout.plan9.bell-labs.com auth=* failed
	csquery dom=insideout.plan9.bell-labs.com auth=''
	dial net!!ticket failed: cs: can't translate address
g%

The first two sections are examples of domains
that worked: I have cs.bell-labs.com (used by plan9.bell-labs.com)
and outside.plan9.bell-labs.com (used by sources)
set up correctly.

In the third, auth/debug flags the fact that it can't
figure out the auth server for the domain and thus can't
dial it.  (That's okay because there is no auth server,
but this is a degenerate case.)

Let me know what you get when you run auth/debug and we'll
go from there.

Russ


^ permalink raw reply	[flat|nested] 8+ messages in thread

* RE: [9fans] Auth problems (again?)
  2002-09-18 20:19 Russ Cox
@ 2002-09-19 17:07 ` Gabriel Diaz Lopez de la Llave
  0 siblings, 0 replies; 8+ messages in thread
From: Gabriel Diaz Lopez de la Llave @ 2002-09-19 17:07 UTC (permalink / raw)
  To: 9fans

ok, ipsubmask was removed from my ndb file.

# cat /mnt/factotum/ctl
key dom=ipsoluciones.com proto=p9sk1 user=bootes
#

I must start a factotum instance from cpurc for bootes user?

thank you.

-----Mensaje original-----
De: 9fans-admin@cse.psu.edu [mailto:9fans-admin@cse.psu.edu] En nombre
de Russ Cox
Enviado el: miércoles, 18 de septiembre de 2002 22:20
Para: 9fans@cse.psu.edu
Asunto: Re: [9fans] Auth problems (again?)

ipsubmask= is now ignored.
the code searches all possible submasks
when walking the database.

on your cpu server, if you run

	cat /mnt/factotum/ctl

what do you see?




^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [9fans] Auth problems (again?)
@ 2002-09-18 20:19 Russ Cox
  2002-09-19 17:07 ` Gabriel Diaz Lopez de la Llave
  0 siblings, 1 reply; 8+ messages in thread
From: Russ Cox @ 2002-09-18 20:19 UTC (permalink / raw)
  To: 9fans

ipsubmask= is now ignored.
the code searches all possible submasks
when walking the database.

on your cpu server, if you run

	cat /mnt/factotum/ctl

what do you see?



^ permalink raw reply	[flat|nested] 8+ messages in thread

* [9fans] Auth problems (again?)
  2002-09-18 16:46 [9fans] /sys/src/^(9 boot)^/pc/memory.c Charles Forsyth
@ 2002-09-18 20:15 ` Gabriel Diaz Lopez de la Llave
  0 siblings, 0 replies; 8+ messages in thread
From: Gabriel Diaz Lopez de la Llave @ 2002-09-18 20:15 UTC (permalink / raw)
  To: 9fans

Hello there,

I updated my 4ed. Plan9 Standalone cpu server a week ago (replica/pull
-v /dist/replica/network like usual) and it stopped to authenticate the
users. (The upgrade is these that include the new gs stuff)

Using the telnet client you can see the message:

"auth server protocol botch"

I read a post from Russ Cox about that and checked my ndb file.
All looks fine (before upgrade all works :?)

--- /lib/ndb/local ----
#
database=
	file=/lib/ndb/local
	file=/lib/ndb/common

ipnet=ipsoluciones.com
	ip=213.0.106.64
	ipmask=255.255.255.192
	auth=213.0.106.123
	authdom=ipsoluciones.com
	dnsdomain=ipsoluciones.com
	dns=213.0.106.67
	dns=213.0.106.68

ip=213.0.106.123 sys=cpu ether=00047574b319 dom=cpu.ipsoluciones.com
ipgw=213.0.106.65


----------

(I try the ipsubmask syntax like:
	ipnet=ipsoluciones.com
	ip=213.0.106.0
	ipmask=255.255.255.0
	ipsubmask=255.255.255.192
width the same results
what's the better/correct choice?)


In ssh logs file I can read logs like:

"/bin/aux/sshserve: got unexpected <early oef: short net read: needkey
dom? proto=9psk1 user?> message"

" cpu Sep 18 21:52:28 cr-fail gabidiaz@bootes(IP)"

I re-enter all auth passwords (even nvram pass for bootes, and authdom
stuff).

Someone can tell me where I must look?

Thank You!




^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2002-09-20 17:09 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2002-09-20 16:22 [9fans] Auth problems (again?) Russ Cox
2002-09-20 16:44 ` [9fans] How Apache & Plan 9 will defeat Microsoft's Passport Arnaud SAHUGUET
2002-09-20 17:09 ` [9fans] Auth problems (again?) gabidiaz
  -- strict thread matches above, loose matches on Subject: below --
2002-09-20  5:03 Russ Cox
2002-09-20 10:16 ` Gabriel Diaz Lopez de la Llave
2002-09-18 20:19 Russ Cox
2002-09-19 17:07 ` Gabriel Diaz Lopez de la Llave
2002-09-18 16:46 [9fans] /sys/src/^(9 boot)^/pc/memory.c Charles Forsyth
2002-09-18 20:15 ` [9fans] Auth problems (again?) Gabriel Diaz Lopez de la Llave

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).