Proxy accounts

Everything about buying, using, and managing OpenVMS systems not covered by other sections.

Topic author
praetor
Contributor
Posts: 12
Joined: Fri Jul 07, 2023 4:14 pm
Reputation: 0
Status: Offline

Proxy accounts

Post by praetor » Mon Jul 31, 2023 12:24 pm

Howdy!

So I'm LOVING OpenVMS. It's taken its spot in my top 3 favorite OSes. I have MQTT running on an OpenVMS server for my telco project and it's been dead reliable.

But I'm really new and trying to figure out some things.

The first is how proxy accounts work.

So I have DECNet-Plus working, and I can do 'DIR SVR1"wfisher PaSsWoRd"::DISK$USER[wfisher]', and it shows the directory. I went into UAF and set up a proxy account with "ADD/PROXY DIOCLE::* */DEFAULT", but when I just try and do a 'DIR SVR1::DISK$USER[WFISHER]' it complains it can't login. Do I have to enable something? I did a "CREATE/PROXY" to create the database.


sms
Master
Posts: 349
Joined: Fri Aug 21, 2020 5:18 pm
Reputation: 0
Status: Offline

Re: Proxy accounts

Post by sms » Mon Jul 31, 2023 1:04 pm

> The first is how proxy accounts work.

   Just a proxy, not an account.  An account is an account.  A proxy is
a proxy.

> [...] I can do 'DIR SVR1"wfisher PaSsWoRd"::DISK$USER[wfisher]", and
> it shows the directory. [...]

   You did this where?  Same system?  Different system?  Which accounts
exist where?  Who's doing what?

   A recent proxy problem discussion with some diagnostic suggestions:

      https://forum.vmssoftware.com/viewtopic.php?f=9&t=8773

   To enable an operator console to see OPCOM messages:

      HELP REPLY /ENABLE

   When you see the failure details, you might get a clue as to what
that proxy should look like.

volkerhalle
Master
Posts: 198
Joined: Fri Aug 14, 2020 11:31 am
Reputation: 0
Status: Offline

Re: Proxy accounts

Post by volkerhalle » Mon Jul 31, 2023 2:01 pm

praetor wrote:
Mon Jul 31, 2023 12:24 pm
So I have DECNet-Plus working, and I can do 'DIR SVR1"wfisher PaSsWoRd"::DISK$USER[wfisher]', and it shows the directory. I went into UAF and set up a proxy account with "ADD/PROXY DIOCLE::* */DEFAULT", but when I just try and do a 'DIR SVR1::DISK$USER[WFISHER]' it complains it can't login. Do I have to enable something? I did a "CREATE/PROXY" to create the database.
If you look at the default directory for user wfisher on node SVR1, type the file NET$SERVER.LOG. That will tell you with which remote node specification your DIR command has arrived from the 'other' node.

Alternatively, you could log in from the 'other' node to SVR1 interactively with SET HOST SVR1 and look at the Remote Port Info: Host: ... string with $ SHOW TERMINAL

Then use that node name string to create the PROXY, e.g.

UAF> ADD/PROX LOCAL:.node::* */DEFAULT

For security reasons, it may be advisable to not use wildcard proxies, but just proxies for the individual user names of those users who need proxy access to the other node.

Volker.


Topic author
praetor
Contributor
Posts: 12
Joined: Fri Jul 07, 2023 4:14 pm
Reputation: 0
Status: Offline

Re: Proxy accounts

Post by praetor » Mon Jul 31, 2023 6:05 pm

Interesting. I did what you said, and it says

Code:

Remote Port Info: IP$192.168.01.40::WFISHER
Shouldn't that be a hostname? I'm using DOMAIN as my DECnet naming service.

I did a 'add/prox ip$192.168.01.40::wfisher wfisher/default' and tried it again and it still doesn't work.

volkerhalle
Master
Posts: 198
Joined: Fri Aug 14, 2020 11:31 am
Reputation: 0
Status: Offline

Re: Proxy accounts

Post by volkerhalle » Tue Aug 01, 2023 4:43 am

Did you check the NET$SERVER.LOG file contents on node SVR1?
Does TCPIP SHOW HOST/ADDR=192.168.01.40 on SVR1 correctly resolve the host name of the other node?

Volker.

imiller
Master
Posts: 147
Joined: Fri Jun 28, 2019 8:45 am
Reputation: 0
Location: South Tyneside, UK
Status: Offline

Re: Proxy accounts

Post by imiller » Tue Aug 01, 2023 10:06 am

On the receiving end of the connection, start tracing of name lookups by DECnet:
$ MCR CDI$TRACE
Then try the connection and see what it is making of the incoming connection.
Ian Miller
[ personal opinion only. usual disclaimers apply. Do not taunt happy fun ball ].


Topic author
praetor
Contributor
Posts: 12
Joined: Fri Jul 07, 2023 4:14 pm
Reputation: 0
Status: Offline

Re: Proxy accounts

Post by praetor » Tue Aug 01, 2023 10:05 pm

So this is what the OPCOM messages show when I try and do:

DIR SVR1::DISK$USER:[WFISHER] from my workstation DIOCLE:

Code:

UAF-I-NOMODS, no modifications made to system authorization file
%UAF-I-NAFDONEMSG, network proxy database modified
%UAF-I-RDBNOMODS, no modifications made to rights database
$ 
%%%%%%%%%%%  OPCOM   1-AUG-2023 21:02:50.12  %%%%%%%%%%%
Message from user AUDIT$SERVER on SVR1
Security alarm (SECURITY) and security audit (SECURITY) on SVR1, system id: 1037
Auditable event:          Network login failure
Event time:                1-AUG-2023 21:02:50.11
PID:                      00000416        
Process name:             NET$ACP         
Username:                 DNA$SessCtrl    
Remote node id:           0 (0.0)
Remote node fullname:     DIOCLE
Remote username:          WFISHER
Status:                   %LOGIN-F-NOTVALID, user authorization failure

$ 
%%%%%%%%%%%  OPCOM   1-AUG-2023 21:02:50.18  %%%%%%%%%%%
Message from user SYSTEM on SVR1
Event: Access Control Violation from: Node SVR1.LAB.PRAETOR.TEL Session Control,
        at: 2023-08-01-21:02:50.182-05:00Iinf
        NSAP Address=/C0A80128, 
        Source=UIC = [0,0]WFISHER, 
        Destination=number = 17, 
        Destination User="", 
        Destination Account="", 
        Node Name=DIOCLE
        eventUid   C62502D7-30AE-11EE-96D8-5254009837F2
        entityUid  058D83E8-30AD-11EE-849A-AA0004000D04
        streamUid  0DEBD3EC-30AD-11EE-8731-AA0004000D04

There was some DNS screwiness. I set up reverse lookups, which seems to make OpenVMS happier. If I do a 'SET HOST SVR1', it shows the correct host:

Code:

$ show term
Terminal: _RTA1:      Device_Type: Unknown       Owner: _RTA1:
                                              Username: WFISHER
Remote Port Info: DIOCLE::WFISHER
But still no love on passwordless entry :(
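The alarms quoted above already name the two things a proxy record on SVR1 has to match: the node-name string the server saw and the remote username. As an added example (not from this thread, and not an OpenVMS tool), here is a small parser that pulls those pairs out of OPCOM "Network login failure" broadcasts so they can be compared against UAF> SHOW/PROXY output; the sample text is constructed from praetor's alarm plus one made-up record carrying the IP$ node name from his SHOW TERMINAL output, and the field names are taken from that output.

```python
import re

# Constructed sample: the alarm quoted in the thread (trimmed), plus a second
# record made up here that carries the IP$-style node name seen in SHOW TERMINAL.
SAMPLE_OPCOM = """\
%%%%%%%%%%%  OPCOM   1-AUG-2023 21:02:50.12  %%%%%%%%%%%
Message from user AUDIT$SERVER on SVR1
Security alarm (SECURITY) and security audit (SECURITY) on SVR1, system id: 1037
Auditable event:          Network login failure
Event time:                1-AUG-2023 21:02:50.11
Process name:             NET$ACP
Username:                 DNA$SessCtrl
Remote node fullname:     DIOCLE
Remote username:          WFISHER
Status:                   %LOGIN-F-NOTVALID, user authorization failure

%%%%%%%%%%%  OPCOM   1-AUG-2023 21:05:10.00  %%%%%%%%%%%
Message from user AUDIT$SERVER on SVR1
Auditable event:          Network login failure
Event time:                1-AUG-2023 21:05:09.98
Remote node fullname:     IP$192.168.01.40
Remote username:          WFISHER
Status:                   %LOGIN-F-NOTVALID, user authorization failure
"""

# Rows inside an alarm look like 'Key:   value'; the value may itself contain
# colons (timestamps), so the key is everything up to the first colon.
FIELD_RE = re.compile(r"^([^:]+):\s+(.*)$")

def parse_login_failures(text):
    """One dict per 'Network login failure' alarm, keyed by lower-cased field name."""
    failures = []
    # Every OPCOM broadcast opens with a row of % signs followed by OPCOM.
    for block in re.split(r"^%{5,}\s+OPCOM", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip().lower()] = m.group(2).strip()
        if fields.get("auditable event") == "Network login failure":
            failures.append(fields)  # other alarm kinds are ignored here
    return failures

def proxy_candidates(text):
    """Distinct (node, user) pairs the server rejected, sorted for comparison with SHOW/PROXY."""
    return sorted({(f.get("remote node fullname", ""), f.get("remote username", ""))
                   for f in parse_login_failures(text)})

if __name__ == "__main__":
    for node, user in proxy_candidates(SAMPLE_OPCOM):
        print(f"{node}::{user}  <- rejected; no proxy record matched this pair")
```

Feed it the text of an operator log (or the OPCOM output captured with REPLY/ENABLE) and each printed node::user pair is a string to look for, spelled exactly that way, in the proxy database.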


babydr
Valued Contributor
Posts: 52
Joined: Thu Dec 23, 2021 8:02 pm
Reputation: 0
Location: Fairbanks , AK.
Status: Offline

Re: Proxy accounts

Post by babydr » Tue Aug 01, 2023 10:15 pm

Hello praetor, I noticed the "192.168.01.40" in everyone's conversations. Is this a hostname or an IP?

Reason I ask is that most IP implementations would actually convert the "01" in the above to an Octal or maybe Hex number, while this entry should still result in a '1'.

I would highly suggest not using preceding 0 (zero)'s in any IP address to avoid the possibility of being interpreted as an Octal number.

Hth , JimL


Topic author
praetor
Contributor
Posts: 12
Joined: Fri Jul 07, 2023 4:14 pm
Reputation: 0
Status: Offline

Re: Proxy accounts

Post by praetor » Tue Aug 01, 2023 10:18 pm

Right. Nobody is really using that. That's just what VMS says.

I fixed that issue. I needed reverse lookups in DNS.

volkerhalle
Master
Posts: 198
Joined: Fri Aug 14, 2020 11:31 am
Reputation: 0
Status: Offline

Re: Proxy accounts

Post by volkerhalle » Wed Aug 02, 2023 4:18 am

Please consider reading this old post in comp.os.vms

https://groups.google.com/g/comp.os.vms/c/89uvC7Kk2pg


and (on SVR1) try:

UAF> ADD/PROXY DIOCLE.LAB.PRAETOR.TEL::WFISHER WFISHER/DEFAULT

Volker.