bbomgardner
19th January 2009, 15:01
Hi folks,

I'm a sysadmin who is pretty new to Baan and I'm trying to troubleshoot why BaanLogin will not allow LDAP users to connect. Local users connect just fine. LDAP users can authenticate to the OS without issue (and rexec works just fine).

I'm nearly positive this has something to do with PAM. I was hoping someone else had come across a similar problem in their environment and could offer some suggestions.

From the debug output it appears as if BaanLogin is detecting that my system is in trusted mode (incorrectly) which is causing the problem. Does anyone know how/why this detection of trusted mode occurs?

Local User (non trusted system)

Daemon: Incoming connection, spawn child.
2009-01-15[15:22:00]: Child: handle BaanLogin request.
2009-01-15[15:22:00]: Daemon: revert to listen-mode.
2009-01-15[15:22:00]: Child: received: user bsp, action 1
2009-01-15[15:22:00]: IBCmd /u02007/ap-baancap1/bse/bin/ipc_boot, bseVersion 6.1
2009-01-15[15:22:00]: Try authentication via PAM
2009-01-15[15:22:00]: PAM available for this platform
2009-01-15[15:22:00]: Authenticating user 'bsp'.
2009-01-15[15:22:00]: message 1: 'Password: '
2009-01-15[15:22:00]: Setting password for user bsp in PAM callback
2009-01-15[15:22:00]: Authentication via PAM succeeded
2009-01-15[15:22:00]: Child: logon for bsp OK.
2009-01-15[15:22:00]: non-trusted system on HP_check_password().
2009-01-15[15:22:00]: Child: pwd status = -5, message = -1005: The aging for name is turned off.
2009-01-15[15:22:00]: Child: starting /u02007/ap-baancap1/bse/bin/ipc_boot6.1.
2009-01-15[15:22:45]:

LDAP User (non trusted system)

2009-01-15[15:23:37]: Daemon: revert to listen-mode.
2009-01-15[15:23:37]: Child: handle BaanLogin request.
2009-01-15[15:23:37]: Child: received: user lmbasset, action 1
2009-01-15[15:23:37]: IBCmd /u02007/ap-baancap1/bse/bin/ipc_boot, bseVersion 6.1
2009-01-15[15:23:37]: Try authentication via PAM
2009-01-15[15:23:37]: PAM available for this platform
2009-01-15[15:23:37]: Authenticating user 'lmbasset'.
2009-01-15[15:23:37]: message 1: 'Password: '
2009-01-15[15:23:37]: Setting password for user lmbasset in PAM callback
2009-01-15[15:23:37]: Authentication via PAM succeeded
2009-01-15[15:23:37]: Child: logon for lmbasset OK.
2009-01-15[15:23:37]: trusted system on HP_check_password().
2009-01-15[15:23:37]: Child: pwd status = -7, message = -1007: Something is wrong with system functions.

Thanks again for any suggestions!

Ben

dave_23
19th January 2009, 19:23
Last I checked, blogind was not linked to PAM. This was scheduled for a future release.

So if you're on the latest porting set, then it still hasn't happened =( but if not, then there is a chance. Look through the PS release notes to see if you can find it.

Dave

bbomgardner
19th January 2009, 19:55
Thanks Dave for your comment. I'll see if the release notes have anything to say.

On second thought though, I don't think this error has to do with PAM directly: the pass-off to PAM appears to work just fine for both users. This explains why both have no problems logging in to the OS and using the rexec connection method.

Does anyone know what Blogin is doing in these last two lines when the HP_check_password() function seems to be called?

Is there documentation on Blogin anywhere that may describe this?
Thanks

dave_23
20th January 2009, 01:32
It's checking password expiration, I believe.

Again, it's been a while, but I think it calls badmin6.1 for that; badmin6.1 may need to be setuid root to make that work.

Dave

bbomgardner
20th January 2009, 14:22
Ah OK. Thanks for the lead! I'll check into badmin6.1 and let you know what I can find out...

NPRao
20th January 2009, 20:57
Dave is right; check whether the following binaries have the 'root' settings:
-rwsr-xr-x 1 root bsp 438272 Oct 25 10:48 badmin6.2
-rwsr-xr-x 1 root bsp 4544936 Oct 25 10:48 blogind6.2
-rwxr-xr-x 1 root bsp 24476 Oct 25 10:48 lp6.2
-rwsr-xr-x 1 root bsp 5050368 Oct 25 10:48 pdaemon6.2

bbomgardner
21st January 2009, 04:06
Hey NPRao,

Many thanks for the suggestion. Unfortunately, I'm still getting the same error when attempting to use BaanLogin. The client error mentions a failure of ipc_boot (?).
-rwsr-xr-x 1 root bsp 446464 Nov 3 10:52 badmin6.1
-rwsr-xr-x 1 root bsp 458752 Jan 20 20:52 blogind6.1
-rwxr-xr-x 1 root bsp 23836 Nov 3 10:52 lp6.1
-rwsr-xr-x 1 root bsp 1007616 Nov 3 10:52 pdaemon6.1
blogind6.1 -d
2009-01-20[20:55:41]:
Daemon: Incoming connection, spawn child.
2009-01-20[20:55:41]: Daemon: revert to listen-mode.
2009-01-20[20:55:41]: Child: handle BaanLogin request.
2009-01-20[20:55:41]: Child: received: user lmbasset, action 1
2009-01-20[20:55:41]: IBCmd /u02001/ap-baanusp1/bse/bin/ipc_boot, bseVersion 6.1
2009-01-20[20:55:41]: Try authentication via PAM
2009-01-20[20:55:41]: PAM available for this platform
2009-01-20[20:55:41]: Authenticating user 'lmbasset'.
2009-01-20[20:55:41]: message 1: 'Password: '
2009-01-20[20:55:41]: Setting password for user lmbasset in PAM callback
2009-01-20[20:55:41]: Authentication via PAM succeeded
2009-01-20[20:55:41]: Child: logon for lmbasset OK.
2009-01-20[20:55:41]: trusted system on HP_check_password().
2009-01-20[20:55:41]: Child: pwd status = -7, message = -1007: Something is wrong with system functions.
Client error:

1 : Error 4 (reset unsuccessful logins failed) : baanlogin failed host 'sg-ap-baanusp1 username 'lmbasset'. Failure executing ipc_boot binary in '/u02001/ap-baanusp1/bse'.
2 : Error : bw failed to connect to sg-ap-baanusp1!bshell

dave_23
21st January 2009, 17:27
Have you tried just resetting the guy's password at the OS level?
Dave

bbomgardner
21st January 2009, 19:25
Unfortunately changing the password didn't fix anything.

This is what I think is happening:

Blogin is first authenticating the user (via PAM), and then checking /etc/passwd or /etc/shadow to look for other password attributes. Because it doesn't find my LDAP user in either spot, it is assuming that I am on a trusted system and tries to look in the /tcb/files/auth tree (or somewhere else), but of course it isn't there.

I don't necessarily want to go adding LDAP users to /etc/passwd, but I may try it once to see what happens. I also don't want to convert to a trusted system...

If I'm right about this, I don't think there is much else I can do to get this to work.

What do you think?

dave_23
21st January 2009, 20:16
Possibly, it would probably be a bug in blogind at this point.

blogind has a higher level of logging you can set... I think you start it like

blogind6.X -D -D -D

(that'd be 3 levels of debugging... unless that's changed recently.)

blogind6.2 -U[or -u] will give usage.

Dave

bbomgardner
22nd January 2009, 01:05
No kidding! That's exactly what I need. I'll check it out now...

bbomgardner
22nd January 2009, 01:08
Ak! I'm running 6.1....

blogind6.1: Unknown argument: -D
Usage: blogind6.1 [-vV] [-d] [-p Portnumber] [-kK]

Can I upgrade Blogin without disturbing anything else? Probably not, I'm assuming.

NPRao
22nd January 2009, 01:23
Try the lower-case option:
$ blogind6.2 -
blogind6.2: Unknown argument: -
Usage: blogind6.2 [-vV] [-d] [-di] [-p Portnumber] [-kK] [-info]
-k : kill running blogind6.2 (if running as background process)
-p : override default TCP/IP listening port
-d : debug info for daemon 'blogind6.2'
-di : set -d option on ipc_boot program
-info : tells which protocols are available for daemon 'blogind6.2'
-v : displays version information
Also, you can figure out more using utilities like truss or strace.

I found a similar thread on the forum: blogin and PAM (http://www.baanboard.com/baanboard/showthread.php?t=43938)

bbomgardner
8th March 2009, 20:52
Alright,

I am very grateful for all of the help everyone here has given me on this problem. Thank you!

It turns out this entire issue was caused by the default setting to return '*' as the hidden password in the configuration for the ldapux client on HP-UX. Nothing mysterious at all.

For those who are interested, getting this to work involved changing password_as in /etc/opt/ldapux/ldapux_client.conf:
# You can set the user password to be returned as any string (consisting
# of characters from the encrypted password and the "*" character) instead
# of "*" when the password is hidden. By returning something other than "*"
# for the hidden password, along with a specific pam_ldap configuration,
# r-commands such as rlogin will work with ldap users on the equivalent
# remote host. Since the password field of each /etc/passwd entry
# contains an "x" when supporting shadow password, the example provided
# below sets the return password to "x".
#
# The default setting is to return "*" for hidden password.
#
# Warning:
# Setting the user password to be returned as any string for the hidden
# password could allow users with active accounts on a remote host to
# rlogin to the local host on to a disabled account.
#
password_as="x"
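The thread's resolution boils down to three checks a sysadmin can script before touching anything: what password field the name service actually hands back for the LDAP user ("*" is what ldapux returns by default and what blogind mistook for a trusted-mode system, "x" is what a shadowed /etc/passwd entry shows), what password_as is set to in ldapux_client.conf, and whether the Baan binaries NPRao listed are setuid root. The script below is an added example written for this thread, not Baan or HP code; it assumes a getent(1)-style lookup (on HP-UX, substitute pwget -n) and the config path and binary directory quoted in the posts.

```shell
#!/bin/sh
# Diagnostic for the "trusted system on HP_check_password()" symptom from the thread.
# Added example; not part of the original posts or of the Baan/ldapux software.

# Classify the password field of one passwd(4)-format line.
# Prints: hidden-star | shadow-x | hash | empty | malformed
classify_passwd_line() {
    line=$1
    case $line in
        *:*:*:*:*:*:*) ;;              # seven fields (six colons) expected
        *) echo malformed; return 0 ;;
    esac
    pw=$(printf '%s\n' "$line" | cut -d: -f2)
    case $pw in
        '*') echo hidden-star ;;       # ldapux default; what blogind tripped over
        x)   echo shadow-x ;;          # normal shadowed entry; the thread's fix
        '')  echo empty ;;
        *)   echo hash ;;
    esac
}

# Read password_as="..." from the ldapux client config; prints the value or "unset".
ldapux_password_as() {
    conf=${1:-/etc/opt/ldapux/ldapux_client.conf}   # path from the thread
    val=$(sed -n 's/^[[:space:]]*password_as="\([^"]*\)".*/\1/p' "$conf" 2>/dev/null | tail -n 1)
    if [ -n "$val" ]; then echo "$val"; else echo unset; fi
}

# Report setuid-root status of the Baan binaries named in the thread.
# Prints one line per binary: <name> setuid-root | not-setuid | missing
check_setuid() {
    bindir=$1; ver=$2
    for b in badmin blogind pdaemon; do
        f="$bindir/$b$ver"
        if [ ! -e "$f" ]; then echo "$b$ver missing"
        elif [ -n "$(find "$f" -user root -perm -4000 2>/dev/null)" ]; then echo "$b$ver setuid-root"
        else echo "$b$ver not-setuid"
        fi
    done
}

# Usage: diagnose <user> [bse bin dir] [bse version]; directory/version defaults are from the thread.
diagnose() {
    user=$1; bindir=${2:-/u02007/ap-baancap1/bse/bin}; ver=${3:-6.1}
    entry=$(getent passwd "$user" 2>/dev/null)      # on HP-UX: pwget -n "$user"
    [ -n "$entry" ] || { echo "no passwd entry for $user via the name service"; return 1; }
    echo "password field class: $(classify_passwd_line "$entry")"
    echo "ldapux password_as:   $(ldapux_password_as)"
    check_setuid "$bindir" "$ver"
}

# Constructed sample entry (not from the thread) showing the default ldapux behaviour:
classify_passwd_line 'lmbasset:*:1001:20:LDAP user:/home/lmbasset:/bin/sh'   # hidden-star
```

Run `diagnose lmbasset` on the Baan host; a "hidden-star" field together with "password_as: unset" reproduces the thread's situation, and the -1007 error pointing at badmin/blogind is ruled out or in by the setuid lines.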