9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] Real basics: authentication
@ 2003-01-09 12:22 Lucio De Re
  2003-01-09 14:41 ` Russ Cox
  0 siblings, 1 reply; 6+ messages in thread
From: Lucio De Re @ 2003-01-09 12:22 UTC (permalink / raw)
  To: 9fans mailing list

3ed environment, looks like I still don't understand authentication
properly (8 years down the line, ouch!).

File server has /lib/ndb/auth with

hostid=proxima
	uid=!sys uid=!adm uid=*

hostid=inferno
	uid=!sys uid=!adm uid=*

which in my understanding means (I hope) that a CPU (or is that an auth
server?) owned by "inferno" (or "proxima") can "speak for" "lucio".

I have a 3ed CPU server owned by inferno and I use "drawterm" to
connect to it (no 3ed workstations handy).  But I don't seem to have
lucio's permissions in that environment.

I'm sure it's something totally stupid on my part, but what is it?

The AUTH server uses the 4ed portion of the network, but drawterm
seems happy with its behaviour.  The 3ed file server, however, may not
be properly matched to it.  The AUTH server is "owned" by "proxima" (I
hope).

++L
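
The speaks-for reading described in the message above, as an added example that is not part of the original post and is not Plan 9's own code: it parses the two /lib/ndb/auth entries quoted there and evaluates them. The function names, the constructed host name `nohost`, and the evaluation rules stated in the docstring are assumptions of this example.

```python
# Added example: evaluate /lib/ndb/auth speaks-for entries.
# The two entries quoted in the message above (continuation lines are tab-indented).
NDB_AUTH = (
    "hostid=proxima\n\tuid=!sys uid=!adm uid=*\n\n"
    "hostid=inferno\n\tuid=!sys uid=!adm uid=*\n"
)


def parse_ndb(text):
    """Split ndb text into entries, each a list of (attr, value) pairs.

    An entry starts on an unindented line; indented lines continue it.
    '#' starts a comment. Tokens without '=' are ignored here.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if not line.strip():
            continue
        pairs = [tuple(tok.split("=", 1)) for tok in line.split() if "=" in tok]
        if line[0] in " \t" and entries:
            entries[-1].extend(pairs)      # continuation of the current entry
        else:
            entries.append(pairs)          # new entry
    return entries


def speaks_for(entries, hostid, user):
    """Return True if the owner `hostid` may speak for `user`.

    Assumed rules: a host owner always speaks for itself; uid=!name denies
    that user even when uid=* is present; uid=* or uid=name allows; a hostid
    with no entry speaks for nobody else. Only the first matching entry counts.
    """
    if hostid == user:
        return True
    for entry in entries:
        if ("hostid", hostid) not in entry:
            continue
        uids = [val for attr, val in entry if attr == "uid"]
        if "!" + user in uids:
            return False
        return "*" in uids or user in uids
    return False


if __name__ == "__main__":
    db = parse_ndb(NDB_AUTH)
    for host, user in [("inferno", "lucio"), ("inferno", "adm"),
                       ("proxima", "sys"), ("nohost", "lucio")]:  # nohost: constructed
        print(f"{host} speaks for {user}: {speaks_for(db, host, user)}")
```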



* Re: [9fans] Real basics: authentication
  2003-01-09 12:22 [9fans] Real basics: authentication Lucio De Re
@ 2003-01-09 14:41 ` Russ Cox
  2003-01-10  5:15   ` Lucio De Re
  2003-01-10  5:58   ` Lucio De Re
  0 siblings, 2 replies; 6+ messages in thread
From: Russ Cox @ 2003-01-09 14:41 UTC (permalink / raw)
  To: 9fans

Is there anything interesting in /sys/log/auth?




* Re: [9fans] Real basics: authentication
  2003-01-09 14:41 ` Russ Cox
@ 2003-01-10  5:15   ` Lucio De Re
  2003-01-10  5:58   ` Lucio De Re
  1 sibling, 0 replies; 6+ messages in thread
From: Lucio De Re @ 2003-01-10  5:15 UTC (permalink / raw)
  To: 9fans

On Thu, Jan 09, 2003 at 09:41:57AM -0500, Russ Cox wrote:
> 
> Is there anything interesting in /sys/log/auth?

It's empty :-(

I suppose _that_ could be called interesting.

++L



* Re: [9fans] Real basics: authentication
  2003-01-09 14:41 ` Russ Cox
  2003-01-10  5:15   ` Lucio De Re
@ 2003-01-10  5:58   ` Lucio De Re
  2003-01-10  7:39     ` Lucio De Re
  1 sibling, 1 reply; 6+ messages in thread
From: Lucio De Re @ 2003-01-10  5:58 UTC (permalink / raw)
  To: 9fans

On Thu, Jan 09, 2003 at 09:41:57AM -0500, Russ Cox wrote:
> 
> Is there anything interesting in /sys/log/auth?

I note that user inferno exists on the 3ed box but is a "group" with a
totally different id on the 4ed file server that the auth server uses.

I'll bring these two into line and see if it makes a difference.

++L



* Re: [9fans] Real basics: authentication
  2003-01-10  5:58   ` Lucio De Re
@ 2003-01-10  7:39     ` Lucio De Re
  2003-01-10 17:43       ` Russ Cox
  0 siblings, 1 reply; 6+ messages in thread
From: Lucio De Re @ 2003-01-10  7:39 UTC (permalink / raw)
  To: 9fans

On Fri, Jan 10, 2003 at 07:58:36AM +0200, Lucio De Re wrote:
> 
> On Thu, Jan 09, 2003 at 09:41:57AM -0500, Russ Cox wrote:
> > 
> > Is there anything interesting in /sys/log/auth?
> 
Maybe the following will help?

1. tickle Jan 10 07:14:54 tr-ok lucio@lucio(192.96.32.71) -> lucio@lucio
2. tickle Jan 10 07:14:56 tr-ok lucio@lucio(192.96.32.71) -> lucio@inferno
3. tickle Jan 10 07:15:09 tr-ok proxima@proxima(192.96.32.73) -> proxima@proxima
4. tickle Jan 10 07:24:44 tr-ok lucio@lucio(192.96.32.71) -> lucio@lucio
5. tickle Jan 10 07:24:45 tr-ok lucio@lucio(192.96.32.71) -> lucio@inferno
6. tickle Jan 10 07:47:54 tr-ok inferno@inferno(192.96.32.75) -> inferno@proxima
7. tickle Jan 10 07:56:47 tr-ok lucio@lucio(192.96.32.71) -> lucio@lucio
8. tickle Jan 10 07:56:48 tr-ok lucio@lucio(192.96.32.71) -> lucio@inferno
9. tickle Jan 10 07:56:51 tr-ok lucio@inferno(192.96.32.75) -> lucio@proxima
10. tickle Jan 10 08:32:20 tr-ok proxima@proxima(192.96.32.73) -> proxima@proxima

These are from the auth server, the first bunch (1-5) is subsequent
to a file server reboot (to put it into "allow" mode) and the second
(6-10) is subsequent to the next reboot where the file server was
restored to normal operation.  The proxima@proxima (ip 192.96.32.73)
is the 2ed CPU server and can safely be ignored.

192.96.32.71 is the drawterm workstation, 192.96.32.75 is the CPU
server.  I logged into it - but I'd have expected inferno@inferno,
perhaps my NVRAM is set up badly?  Or is it that lucio@inferno ought
to be lucio@proxima?  How is that determined?

> I note that user inferno exists on the 3ed box but is a "group" with a
> totally different id on the 4ed file server that the auth server uses.
> 
> I'll bring these two into line and see if it makes a difference.
> 
It didn't, but perhaps the solution is in the above, invisible to
me.

++L



* Re: [9fans] Real basics: authentication
  2003-01-10  7:39     ` Lucio De Re
@ 2003-01-10 17:43       ` Russ Cox
  0 siblings, 0 replies; 6+ messages in thread
From: Russ Cox @ 2003-01-10 17:43 UTC (permalink / raw)
  To: 9fans

Once you connect to the cpu server, cat /dev/user.
If it says lucio, then you're lucio.  It sounds to me
like the cpu server can't find the auth server.
The cpu server and file server can still chat because
they have the same uid and thus don't need an auth
server.  But when you try to authenticate to the file
server no auth server is found so it connects as none.

On the cpu server, if you run

	g% ndb/csquery
	> tcp!$auth!telnet

does it give you a response?



