Proxy accounts
Topic author - Contributor
Howdy!
So I'm LOVING OpenVMS. It's taken its spot in my top 3 favorite OSes. I have MQTT running on an OpenVMS server for my telco project and it's been dead reliable.
But I'm really new and trying to figure out some things.
The first is how proxy accounts work.
So I have DECNet-Plus working, and I can do 'DIR SVR1"wfisher PaSsWoRd"::DISK$USER[wfisher]', and it shows the directory. I went into UAF and set up a proxy account with "ADD/PROXY DIOCLE::* */DEFAULT", but when I just try and do a 'DIR SVR1::DISK$USER[WFISHER]' it complains it can't login. Do I have to enable something? I did a "CREATE/PROXY" to create the database.
Last edited by praetor on Mon Jul 31, 2023 12:25 pm, edited 2 times in total.
Re: Proxy accounts
> The first is how proxy accounts work.
Just a proxy, not an account. An account is an account. A proxy is
a proxy.
> [...] I can do 'DIR SVR1"wfisher PaSsWoRd"::DISK$USER[wfisher]", and
> it shows the directory. [...]
You did this where? Same system? Different system? Which accounts
exist where? Who's doing what?
A recent proxy problem discussion with some diagnostic suggestions:
https://forum.vmssoftware.com/viewtopic.php?f=9&t=8773
To enable an operator console to see OPCOM messages:
HELP REPLY /ENABLE
When you see the failure details, you might get a clue as to what
that proxy should look like.
- Master
Re: Proxy accounts
praetor wrote: ↑Mon Jul 31, 2023 12:24 pm
> So I have DECNet-Plus working, and I can do 'DIR SVR1"wfisher PaSsWoRd"::DISK$USER[wfisher]', and it shows the directory. I went into UAF and set up a proxy account with "ADD/PROXY DIOCLE::* */DEFAULT", but when I just try and do a 'DIR SVR1::DISK$USER[WFISHER]' it complains it can't login. Do I have to enable something? I did a "CREATE/PROXY" to create the database.
If you look at the default directory for user wfisher on node SVR1, type the file NET$SERVER.LOG. That will tell you with which remote node specification your DIR command has arrived from the 'other' node.
Alternatively, you could log in from the 'other' node to SVR1 interactively with SET HOST SVR1 and look at the Remote Port Info: Host: ... string with $ SHOW TERMINAL
Then use that node name string to create the PROXY, e.g.
UAF> ADD/PROX LOCAL:.node::* */DEFAULT
For security reasons, it may be advisable to not use wildcard proxies, but just proxies for the individual user names of those users who need proxy access to the other node.
Volker.
Last edited by volkerhalle on Mon Jul 31, 2023 2:09 pm, edited 1 time in total.
Topic author - Contributor
Re: Proxy accounts
volkerhalle wrote: ↑Mon Jul 31, 2023 2:01 pm
> If you look at the default directory for user wfisher on node SVR1, type the file NET$SERVER.LOG. That will tell you with which remote node specification your DIR command has arrived from the 'other' node.
> Alternatively, you could log in from the 'other' node to SVR1 interactively with SET HOST SVR1 and look at the Remote Port Info: Host: ... string with $ SHOW TERMINAL
> Then use that node name string to create the PROXY, e.g.
> UAF> ADD/PROX LOCAL:.node::* */DEFAULT
> For security reasons, it may be advisable to not use wildcard proxies, but just proxies for the individual user names of those users who need proxy access to the other node.
> Volker.
Interesting. I did what you said, and it says
Remote Port Info: IP$192.168.01.40::WFISHER
Shouldn't that be a hostname? I'm using DOMAIN as my DECnet naming service.
I did a 'add/prox ip$192.168.01.40::wfisher wfisher/default' and tried it again and it still doesn't work.
- Master
Re: Proxy accounts
Did you check the NET$SERVER.LOG file contents on node SVR1?
Does TCPIP SHOW HOST/ADDR=192.168.01.40 on SVR1 correctly resolve the host name of the other node?
Volker.
Last edited by volkerhalle on Tue Aug 01, 2023 4:43 am, edited 1 time in total.
- Master
Re: Proxy accounts
on the receiving end of the connection start tracing of name lookups by DECnet
$ MCR CDI$TRACE
then try the connection and see what it is making of the incoming connection
Ian Miller
[ personal opinion only. usual disclaimers apply. Do not taunt happy fun ball ].
Topic author - Contributor
Re: Proxy accounts
So this is what the OPCOM messages show when I try and do:
DIR SVR1::DISK$USER:[WFISHER] from my workstation DIOCLE:
UAF-I-NOMODS, no modifications made to system authorization file
%UAF-I-NAFDONEMSG, network proxy database modified
%UAF-I-RDBNOMODS, no modifications made to rights database
$
%%%%%%%%%%% OPCOM 1-AUG-2023 21:02:50.12 %%%%%%%%%%%
Message from user AUDIT$SERVER on SVR1
Security alarm (SECURITY) and security audit (SECURITY) on SVR1, system id: 1037
Auditable event: Network login failure
Event time: 1-AUG-2023 21:02:50.11
PID: 00000416
Process name: NET$ACP
Username: DNA$SessCtrl
Remote node id: 0 (0.0)
Remote node fullname: DIOCLE
Remote username: WFISHER
Status: %LOGIN-F-NOTVALID, user authorization failure
$
%%%%%%%%%%% OPCOM 1-AUG-2023 21:02:50.18 %%%%%%%%%%%
Message from user SYSTEM on SVR1
Event: Access Control Violation from: Node SVR1.LAB.PRAETOR.TEL Session Control,
at: 2023-08-01-21:02:50.182-05:00Iinf
NSAP Address=/C0A80128,
Source=UIC = [0,0]WFISHER,
Destination=number = 17,
Destination User="",
Destination Account="",
Node Name=DIOCLE
eventUid C62502D7-30AE-11EE-96D8-5254009837F2
entityUid 058D83E8-30AD-11EE-849A-AA0004000D04
streamUid 0DEBD3EC-30AD-11EE-8731-AA0004000D04
There was some DNS screwiness. I set up reverse lookups, which seems to make OpenVMS happier. If I do a 'SET HOST SVR1', it shows the correct host:
$ show term
Terminal: _RTA1: Device_Type: Unknown Owner: _RTA1:
Username: WFISHER
Remote Port Info: DIOCLE::WFISHER
But still no love on passwordless entry.
- Valued Contributor
Re: Proxy accounts
Hello praetor, I noticed the "192.168.01.40" in everyone's conversations. Is this a hostname or an IP?
Reason I ask is that most IP implementations would actually convert the "01" in the above to an octal or maybe hex number, while this entry should still result in a '1'.
I would highly suggest not using preceding 0 (zero)'s in any IP address to avoid the possibility of being interpreted as an octal number.
Hth, JimL
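JimL's leading-zero point, demonstrated with the two IPv4 string parsers a C program on a Unix-style host can reach for. This is an added example, not code from the thread or from OpenVMS: inet_addr() follows the classic BSD rule that an octet starting with 0 is octal, so "01" is still 1 (as JimL says) but "010" silently becomes 8, while inet_pton() refuses leading zeros outright; the sample strings are constructed around the thread's 192.168.1.40 and the example goes one step past the thread by showing the case where the two readings actually diverge.

```c
/* Added example (not from the thread): how two common C parsers treat
 * leading zeros in a dotted-quad IPv4 string. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/* Legacy parser: inet_addr() accepts octal (leading 0) and hex (0x) octets.
 * Returns the address in host byte order, or 0 if the string is rejected. */
uint32_t legacy_parse(const char *s)
{
    in_addr_t r = inet_addr(s);
    if (r == INADDR_NONE)
        return 0;
    return ntohl(r);
}

/* Strict parser: inet_pton(AF_INET) takes exactly four decimal octets and
 * refuses a leading zero. Same return convention as legacy_parse(). */
uint32_t strict_parse(const char *s)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    return ntohl(a.s_addr);
}

/* An address string is ambiguous when the two parsers disagree, i.e. when a
 * lenient consumer would quietly talk to a different host than a strict one. */
int is_ambiguous(const char *s)
{
    return legacy_parse(s) != strict_parse(s);
}

int main(void)
{
    /* Constructed samples around the thread's 192.168.1.40 (NSAP /C0A80128). */
    const char *samples[] = { "192.168.1.40", "192.168.01.40", "192.168.010.40" };
    for (int i = 0; i < 3; i++) {
        unsigned l = legacy_parse(samples[i]), st = strict_parse(samples[i]);
        printf("%-16s legacy=%08x strict=%08x %s\n", samples[i], l, st,
               is_ambiguous(samples[i]) ? "AMBIGUOUS" : "ok");
    }
    return 0;
}
```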
Topic author - Contributor
Re: Proxy accounts
babydr wrote: ↑Tue Aug 01, 2023 10:15 pm
> Hello praetor, I noticed the "192.168.01.40" in everyone's conversations. Is this a hostname or an IP?
> Reason I ask is that most IP implementations would actually convert the "01" in the above to an octal or maybe hex number, while this entry should still result in a '1'.
> I would highly suggest not using preceding 0 (zero)'s in any IP address to avoid the possibility of being interpreted as an octal number.
> Hth, JimL
Right. Nobody is really using that. That's just what VMS says.
I fixed that issue. I needed reverse lookups in DNS.
- Master
Re: Proxy accounts
Please consider reading this old post in comp.os.vms
https://groups.google.com/g/comp.os.vms/c/89uvC7Kk2pg
and (on SVR1) try:
UAF> ADD/PROXY DIOCLE.LAB.PRAETOR.TEL::WFISHER WFISHER/DEFAULT
Volker.
Last edited by volkerhalle on Wed Aug 02, 2023 4:19 am, edited 1 time in total.