We have a script that deploys code to our database as part of our application deployments. Currently, if a view or package errors, it ignores that error and moves on. We want it to fail at that point and exit sqlplus. I found the WHENEVER SQLERROR statement, but found that it treats warnings as errors. We need it to continue on a warning but fail on an error. Is this possible?
Dessa Simpson's questions
We're about to move to using Active Directory to authenticate our users to Jira and Confluence. Currently, Confluence uses the Jira user directory. There's only one problem I can see. One user has a mismatched username - on Jira, they're firstname.l, where l is last initial. On AD, they're just firstname. What's the easiest way to change their username to (or move all their stuff to a new user called) firstname?
I have an NFS mount where the server is on the same subnet as the client.
When I time touch testempty from the client, I get:
touch testempty 0.00s user 0.00s system 0% cpu 1.325 total
The time follows a bizarre pattern: most of the time it's just over one second, but approximately once per minute it spikes to around 1.3. See this graph, compiled from the time it takes to touch a nonexistent file, once every ten seconds:
When I rm testempty and then time touch testempty from the server, I get:
touch testempty 0.00s user 0.00s system 29% cpu 0.005 total
So disk isn't the problem. Ping shows sub-200us latency, so network isn't the problem either. I've found that this still happens when the server mounts its own share.
Here is my /etc/exports:
/data 192.168.0.0/16(rw,no_subtree_check,async,no_root_squash,insecure,sec=sys,fsid=0)
/data/dba_work 192.168.0.0/16(rw,no_subtree_check,async,no_root_squash,insecure,sec=sys,fsid=1)
Any idea what's causing this?
Server is running CentOS 7. Have tried multiple different Linux clients, including the server itself.
I'm trying to get kerberized NFSv4 running on our network. Server is CentOS 7. I'm able to mount the share on my Arch Linux workstation, but not our Oracle Linux 7 database servers.
I'm trying to mount from testdb with the command:
mount -v -t nfs4 -o rw,proto=tcp,vers=4.1,port=2049,sec=krb5 gs-storage.ad.goldblattsystems.com:/dba_work /dba_work
Which returns (stdout and /var/log/messages):
mount.nfs4: timeout set for Mon Sep 17 12:11:40 2018
mount.nfs4: trying text-based options 'proto=tcp,vers=4.1,port=2049,sec=krb5,addr=192.168.5.30,clientaddr=192.168.5.32'
Sep 17 12:09:40 testdb kernel: NFS: nfs mount opts='proto=tcp,vers=4.1,port=2049,sec=krb5,addr=192.168.5.30,clientaddr=192.168.5.32'
Sep 17 12:09:40 testdb kernel: NFS: parsing nfs mount option 'proto=tcp'
Sep 17 12:09:40 testdb kernel: NFS: parsing nfs mount option 'vers=4.1'
Sep 17 12:09:40 testdb kernel: NFS: parsing nfs mount option 'port=2049'
Sep 17 12:09:40 testdb kernel: NFS: parsing nfs mount option 'sec=krb5'
Sep 17 12:09:40 testdb kernel: NFS: parsing sec=krb5 option
Sep 17 12:09:40 testdb kernel: NFS: parsing nfs mount option 'addr=192.168.5.30'
Sep 17 12:09:40 testdb kernel: NFS: parsing nfs mount option 'clientaddr=192.168.5.32'
Sep 17 12:09:40 testdb kernel: NFS: MNTPATH: '/dba_work'
Sep 17 12:09:40 testdb kernel: --> nfs4_try_mount()
Sep 17 12:09:40 testdb kernel: --> nfs4_create_server()
Sep 17 12:09:40 testdb kernel: --> nfs4_init_server()
Sep 17 12:09:40 testdb kernel: --> nfs_get_client(gs-storage.ad.goldblattsystems.com,v4)
Sep 17 12:09:40 testdb kernel: NFS: get client cookie (0xffff88061f3c3800/0xffff8801166af528)
Sep 17 12:09:40 testdb kernel: nfs_callback_create_svc: service created
Sep 17 12:09:40 testdb kernel: NFS: create per-net callback data; net=ffffffff81c60000
Sep 17 12:09:40 testdb kernel: NFS: svc_create_xprt(tcp-bc) returned 0
Sep 17 12:09:40 testdb kernel: --> nfs41_callback_up return 0
Sep 17 12:09:40 testdb kernel: nfs_callback_up: service started
Sep 17 12:09:40 testdb kernel: NFS: nfs4_discover_server_trunking: testing 'gs-storage.ad.goldblattsystems.com'
Sep 17 12:09:40 testdb kernel: NFS call exchange_id auth=RPCSEC_GSS, 'Linux NFSv4.1 testdb'
Sep 17 12:09:40 testdb kernel: NFS reply exchange_id: -13
Sep 17 12:09:40 testdb kernel: NFS call exchange_id auth=RPCSEC_GSS, 'Linux NFSv4.1 testdb'
Sep 17 12:09:40 testdb kernel: NFS reply exchange_id: -13
Sep 17 12:09:40 testdb kernel: NFS call exchange_id auth=RPCSEC_GSS, 'Linux NFSv4.1 testdb'
Sep 17 12:09:41 testdb kernel: NFS reply exchange_id: -13
Sep 17 12:09:41 testdb kernel: NFS call exchange_id auth=RPCSEC_GSS, 'Linux NFSv4.1 testdb'
Sep 17 12:09:41 testdb kernel: NFS reply exchange_id: -13
Sep 17 12:09:41 testdb kernel: NFS call exchange_id auth=UNIX, 'Linux NFSv4.1 testdb'
Sep 17 12:09:41 testdb kernel: NFS reply exchange_id: Server Implementation ID: domain: , name: , date: 0,0
Sep 17 12:09:41 testdb kernel: NFS reply exchange_id: 0
Sep 17 12:09:41 testdb kernel: NFS: <-- nfs41_walk_client_list using nfs_client = ffff88061f3c3800 ({2})
Sep 17 12:09:41 testdb kernel: NFS: <-- nfs41_walk_client_list status = 0
Sep 17 12:09:41 testdb kernel: NFS call exchange_id auth=UNIX, 'Linux NFSv4.1 testdb'
Sep 17 12:09:41 testdb kernel: NFS reply exchange_id: Server Implementation ID: domain: , name: , date: 0,0
Sep 17 12:09:41 testdb kernel: NFS reply exchange_id: 0
Sep 17 12:09:41 testdb kernel: --> nfs4_proc_create_session clp=ffff88061f3c3800 session=ffff880622919400
Sep 17 12:09:41 testdb kernel: nfs4_init_channel_attrs: Fore Channel : max_rqst_sz=1049620 max_resp_sz=1049480 max_ops=8 max_reqs=64
Sep 17 12:09:41 testdb kernel: nfs4_init_channel_attrs: Back Channel : max_rqst_sz=4096 max_resp_sz=4096 max_resp_sz_cached=0 max_ops=2 max_reqs=1
Sep 17 12:09:41 testdb kernel: --> nfs4_setup_session_slot_tables
Sep 17 12:09:41 testdb kernel: --> nfs4_realloc_slot_table: max_reqs=10, tbl->max_slots 0
Sep 17 12:09:41 testdb kernel: nfs4_realloc_slot_table: tbl=ffff880622919440 slots=ffff88013a4a5380 max_slots=10
Sep 17 12:09:41 testdb kernel: <-- nfs4_realloc_slot_table: return 0
Sep 17 12:09:41 testdb kernel: --> nfs4_realloc_slot_table: max_reqs=1, tbl->max_slots 0
Sep 17 12:09:41 testdb kernel: nfs4_realloc_slot_table: tbl=ffff880622919608 slots=ffff88013a4a5040 max_slots=1
Sep 17 12:09:41 testdb kernel: <-- nfs4_realloc_slot_table: return 0
Sep 17 12:09:41 testdb kernel: slot table setup returned 0
Sep 17 12:09:41 testdb kernel: nfs4_proc_create_session client>seqid 2 sessionid 1534807995:93024321:52:0
Sep 17 12:09:41 testdb kernel: <-- nfs4_proc_create_session
Sep 17 12:09:41 testdb kernel: nfs4_schedule_state_renewal: requeueing work. Lease period = 5
Sep 17 12:09:41 testdb kernel: --> nfs41_proc_reclaim_complete
Sep 17 12:09:41 testdb kernel: --> nfs41_setup_sequence
Sep 17 12:09:41 testdb kernel: --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=10
Sep 17 12:09:41 testdb kernel: <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0
Sep 17 12:09:41 testdb kernel: <-- nfs41_setup_sequence slotid=0 seqid=1
Sep 17 12:09:41 testdb kernel: NFS: nfs4_discover_server_trunking: status = 0
Sep 17 12:09:41 testdb kernel: encode_sequence: sessionid=1534807995:93024321:52:0 seqid=1 slotid=0 max_slotid=0 cache_this=0
Sep 17 12:09:41 testdb kernel: --> nfs_put_client({3})
Sep 17 12:09:41 testdb kernel: <-- nfs4_init_server() = 0
Sep 17 12:09:41 testdb kernel: --> nfs4_get_rootfh()
Sep 17 12:09:41 testdb kernel: --> nfs41_call_sync_prepare data->seq_server ffff88061eabf000
Sep 17 12:09:41 testdb kernel: --> nfs41_setup_sequence
Sep 17 12:09:41 testdb kernel: nfs41_setup_sequence session is draining
Sep 17 12:09:41 testdb kernel: --> nfs4_reclaim_complete_done
Sep 17 12:09:41 testdb kernel: --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=10
Sep 17 12:09:41 testdb kernel: <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1
Sep 17 12:09:41 testdb kernel: nfs4_free_slot: slotid 1 highest_used_slotid 0
Sep 17 12:09:41 testdb kernel: nfs41_sequence_done: Error 0 free the slot
Sep 17 12:09:41 testdb kernel: nfs4_free_slot: slotid 0 highest_used_slotid 4294967295
Sep 17 12:09:41 testdb kernel: <-- nfs4_reclaim_complete_done
Sep 17 12:09:41 testdb kernel: --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=1
Sep 17 12:09:41 testdb kernel: <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0
Sep 17 12:09:41 testdb kernel: nfs4_free_slot: slotid 0 highest_used_slotid 4294967295
Sep 17 12:09:41 testdb kernel: --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=10
Sep 17 12:09:41 testdb kernel: <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0
Sep 17 12:09:41 testdb kernel: --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=10
Sep 17 12:09:41 testdb kernel: <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1
Sep 17 12:09:41 testdb kernel: nfs4_free_slot: slotid 1 highest_used_slotid 0
Sep 17 12:09:41 testdb kernel: --> nfs_put_client({2})
Sep 17 12:09:41 testdb kernel: --> nfs41_call_sync_prepare data->seq_server ffff88061eabf000
Sep 17 12:09:41 testdb kernel: --> nfs41_setup_sequence
Sep 17 12:09:41 testdb kernel: nfs41_sequence_done: Error 1 free the slot
Sep 17 12:09:41 testdb kernel: nfs4_free_slot: slotid 0 highest_used_slotid 4294967295
Sep 17 12:09:41 testdb kernel: nfs4_get_rootfh: getroot error = 13
Sep 17 12:09:41 testdb kernel: <-- nfs4_get_rootfh() = -13
Sep 17 12:09:41 testdb kernel: --> nfs_free_server()
Sep 17 12:09:41 testdb kernel: --> nfs_put_client({1})
Sep 17 12:09:41 testdb kernel: --> nfs4_proc_destroy_session
Sep 17 12:09:41 testdb kernel: <-- nfs4_proc_destroy_session
Sep 17 12:09:41 testdb kernel: nfs4_destroy_session Destroy backchannel for xprt ffff88061eabb000
Sep 17 12:09:41 testdb kernel: NFS: destroy per-net callback data; net=ffffffff81c60000
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting gs-storage.ad.goldblattsystems.com:/dba_work
Sep 17 12:09:41 testdb kernel: nfs_callback_down: service stopped
Sep 17 12:09:41 testdb kernel: nfs_callback_down: service destroyed
Sep 17 12:09:41 testdb kernel: --> nfs_free_client(4)
Sep 17 12:09:41 testdb kernel: NFS: releasing client cookie (0xffff88061f3c3800/0xffff8801166af528)
Sep 17 12:09:41 testdb kernel: <-- nfs_free_client()
Sep 17 12:09:41 testdb kernel: <-- nfs_free_server()
Sep 17 12:09:41 testdb kernel: <-- nfs4_create_server() = error -13
Sep 17 12:09:41 testdb kernel: <-- nfs4_try_mount() = -13 [error]
I've used net ads keytab add nfs to create the necessary keytab on both sides. What am I doing wrong? More debugging info follows:
/data 192.168.0.0/16(rw,no_subtree_check,sync,no_root_squash,insecure,sec=krb5:krb5i:krb5p,fsid=0)
/data/dba_work 192.168.0.0/16(rw,no_subtree_check,sync,no_root_squash,insecure,sec=krb5:krb5i:krb5p,fsid=1)
Environment overview:
          Server         Client
          ============================
Name:     gs-storage     testdb
IP:       192.168.5.30   192.168.5.32
OS:       CentOS 7       Oracle Linux 7
Here is the /var/log/messages output from the server when mounting, activated using rpcdebug -m nfsd all:
Sep 17 12:08:32 gs-storage kernel: nfsd_dispatch: vers 4 proc 0
Sep 17 12:08:32 gs-storage kernel: nfsd_dispatch: vers 4 proc 1
Sep 17 12:08:32 gs-storage kernel: nfsv4 compound op #1/1: 42 (OP_EXCHANGE_ID)
Sep 17 12:08:32 gs-storage kernel: nfsd4_exchange_id rqstp=ffff9484f90ec000 exid=ffff94886989e0a0 clname.len=20 clname.data=ffff94886636c060 ip_addr=192.168.5.32 flags 103, spa_how 0
Sep 17 12:08:32 gs-storage kernel: renewing client (clientid 5b7b4fbb/058b7040)
Sep 17 12:08:32 gs-storage kernel: nfsd4_exchange_id seqid 0 flags 20001
Sep 17 12:08:32 gs-storage kernel: nfsv4 compound op ffff94886989e080 opcnt 1 #1: 42: status 0
Sep 17 12:08:32 gs-storage kernel: nfsv4 compound returned 0
Sep 17 12:08:32 gs-storage kernel: nfsd_dispatch: vers 4 proc 1
Sep 17 12:08:32 gs-storage kernel: nfsv4 compound op #1/1: 42 (OP_EXCHANGE_ID)
Sep 17 12:08:32 gs-storage kernel: nfsd4_exchange_id rqstp=ffff9484f90ec000 exid=ffff94886989e0a0 clname.len=20 clname.data=ffff94886636c060 ip_addr=192.168.5.32 flags 103, spa_how 0
Sep 17 12:08:32 gs-storage kernel: renewing client (clientid 5b7b4fbb/058b7041)
Sep 17 12:08:32 gs-storage kernel: nfsd4_exchange_id seqid 0 flags 20001
Sep 17 12:08:32 gs-storage kernel: nfsv4 compound op ffff94886989e080 opcnt 1 #1: 42: status 0
Sep 17 12:08:32 gs-storage kernel: nfsv4 compound returned 0
Sep 17 12:08:32 gs-storage kernel: nfsd_dispatch: vers 4 proc 1
Sep 17 12:08:32 gs-storage kernel: nfsv4 compound op #1/1: 43 (OP_CREATE_SESSION)
Sep 17 12:08:32 gs-storage kernel: renewing client (clientid 5b7b4fbb/058b7041)
Sep 17 12:08:32 gs-storage kernel: check_slot_seqid enter. seqid 1 slot_seqid 0
Sep 17 12:08:32 gs-storage kernel: NFSD: move_to_confirm nfs4_client ffff948844b8f800
Sep 17 12:08:32 gs-storage kernel: renewing client (clientid 5b7b4fbb/058b7041)
Sep 17 12:08:32 gs-storage kernel: renewing client (clientid 5b7b4fbb/058b7041)
Sep 17 12:08:32 gs-storage kernel: nfsv4 compound op ffff94886989e080 opcnt 1 #1: 43: status 0
Sep 17 12:08:32 gs-storage kernel: nfsv4 compound returned 0
Sep 17 12:08:32 gs-storage kernel: nfsd_dispatch: vers 4 proc 1
Sep 17 12:08:32 gs-storage kernel: nfsv4 compound op #1/2: 53 (OP_SEQUENCE)
Sep 17 12:08:32 gs-storage kernel: __find_in_sessionid_hashtbl: 1534807995:93024321:52:0
Sep 17 12:08:32 gs-storage kernel: nfsd4_sequence: slotid 0
Sep 17 12:08:32 gs-storage kernel: check_slot_seqid enter. seqid 1 slot_seqid 0
Sep 17 12:08:32 gs-storage kernel: nfsv4 compound op ffff94886989e080 opcnt 2 #1: 53: status 0
Sep 17 12:08:32 gs-storage kernel: nfsv4 compound op #2/2: 58 (OP_RECLAIM_COMPLETE)
Sep 17 12:08:32 gs-storage kernel: nfsd4_umh_cltrack_upcall: cmd: create
Sep 17 12:08:32 gs-storage kernel: nfsd4_umh_cltrack_upcall: arg: 4c696e7578204e465376342e3120746573746462
Sep 17 12:08:32 gs-storage kernel: nfsd4_umh_cltrack_upcall: env0: NFSDCLTRACK_CLIENT_HAS_SESSION=Y
Sep 17 12:08:32 gs-storage kernel: nfsd4_umh_cltrack_upcall: env1: NFSDCLTRACK_GRACE_START=1534807995
Sep 17 12:08:32 gs-storage kernel: nfsd4_umh_cltrack_upcall: /sbin/nfsdcltrack return value: 0
Sep 17 12:08:32 gs-storage kernel: nfsv4 compound op ffff94886989e080 opcnt 2 #2: 58: status 0
Sep 17 12:08:32 gs-storage kernel: nfsv4 compound returned 0
Sep 17 12:08:32 gs-storage kernel: --> nfsd4_store_cache_entry slot ffff9488443ca000
Sep 17 12:08:32 gs-storage kernel: renewing client (clientid 5b7b4fbb/058b7041)
Sep 17 12:08:32 gs-storage kernel: nfsd_dispatch: vers 4 proc 1
Sep 17 12:08:32 gs-storage kernel: nfsv4 compound op #1/1: 44 (OP_DESTROY_SESSION)
Sep 17 12:08:32 gs-storage kernel: nfsd4_destroy_session: 1534807995:93024321:52:0
Sep 17 12:08:32 gs-storage kernel: __find_in_sessionid_hashtbl: 1534807995:93024321:52:0
Sep 17 12:08:32 gs-storage kernel: NFSD: warning: no callback path to client Linux NFSv4.1 testdb: error -22
Sep 17 12:08:32 gs-storage kernel: renewing client (clientid 5b7b4fbb/058b7041)
Sep 17 12:08:32 gs-storage kernel: nfsv4 compound op ffff94886989e080 opcnt 1 #1: 44: status 0
Sep 17 12:08:32 gs-storage kernel: nfsv4 compound returned 0
Sep 17 12:08:33 gs-storage kernel: nfsd_dispatch: vers 4 proc 1
Sep 17 12:08:33 gs-storage kernel: nfsv4 compound op #1/1: 57 (OP_DESTROY_CLIENTID)
Sep 17 12:08:33 gs-storage kernel: renewing client (clientid 5b7b4fbb/058b7041)
Sep 17 12:08:33 gs-storage kernel: nfsd4_umh_cltrack_upcall: cmd: remove
Sep 17 12:08:33 gs-storage kernel: nfsd4_umh_cltrack_upcall: arg: 4c696e7578204e465376342e3120746573746462
Sep 17 12:08:33 gs-storage kernel: nfsd4_umh_cltrack_upcall: env0: (null)
Sep 17 12:08:33 gs-storage kernel: nfsd4_umh_cltrack_upcall: env1: (null)
Sep 17 12:08:33 gs-storage kernel: nfsd4_umh_cltrack_upcall: /sbin/nfsdcltrack return value: 0
Sep 17 12:08:33 gs-storage kernel: nfsv4 compound op ffff94886989e080 opcnt 1 #1: 57: status 0
Sep 17 12:08:33 gs-storage kernel: nfsv4 compound returned 0
Edit: The question marked as a duplicate of this does not fit this circumstance. krb5 is an enabled auth/transport mechanism. In addition, the error in the other question is completely different from the one in this question.
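As an added diagnostic example (not from the question and not part of nfs-utils), the following Python script reads the client-side rpcdebug lines and the export entry posted above and reports the sequence the log shows: the RPCSEC_GSS exchange_id attempts fail, the client falls back to AUTH_UNIX, and the root filehandle lookup is then refused. The sample log is a subset of the lines posted above; the hint attached to each finding is my reading of those errno values, not something the kernel prints.

```python
import errno
import re
from collections import Counter

# Constructed sample: the exchange_id and getroot lines from the client log in the question.
CLIENT_LOG = """\
Sep 17 12:09:40 testdb kernel: NFS call exchange_id auth=RPCSEC_GSS, 'Linux NFSv4.1 testdb'
Sep 17 12:09:40 testdb kernel: NFS reply exchange_id: -13
Sep 17 12:09:40 testdb kernel: NFS call exchange_id auth=RPCSEC_GSS, 'Linux NFSv4.1 testdb'
Sep 17 12:09:40 testdb kernel: NFS reply exchange_id: -13
Sep 17 12:09:41 testdb kernel: NFS call exchange_id auth=UNIX, 'Linux NFSv4.1 testdb'
Sep 17 12:09:41 testdb kernel: NFS reply exchange_id: Server Implementation ID: domain: , name: , date: 0,0
Sep 17 12:09:41 testdb kernel: NFS reply exchange_id: 0
Sep 17 12:09:41 testdb kernel: nfs4_get_rootfh: getroot error = 13
"""

# The export entry the question posted for /data/dba_work.
EXPORTS_LINE = ("/data/dba_work 192.168.0.0/16(rw,no_subtree_check,sync,no_root_squash,"
                "insecure,sec=krb5:krb5i:krb5p,fsid=1)")

CALL_RE = re.compile(r"NFS call exchange_id auth=(\S+),")
REPLY_RE = re.compile(r"NFS reply exchange_id: (-?\d+)$")
GETROOT_RE = re.compile(r"getroot error = (\d+)")

# Kernel RPC flavour name -> the sec= keyword exports(5) uses for it.
FLAVOUR_TO_SEC = {"UNIX": "sys", "RPCSEC_GSS": "krb5", "NULL": "none"}


def exchange_id_results(log):
    """Pair each 'NFS call exchange_id' with the numeric reply that follows it.
    The 'Server Implementation ID' reply line carries no status and is skipped."""
    results, pending = [], None
    for line in log.splitlines():
        m = CALL_RE.search(line)
        if m:
            pending = m.group(1)
            continue
        m = REPLY_RE.search(line)
        if m and pending is not None:
            results.append((pending, int(m.group(1))))
            pending = None
    return results


def getroot_errno(log):
    m = GETROOT_RE.search(log)
    return int(m.group(1)) if m else None


def export_sec_flavours(exports_line):
    """sec= list of an exports entry; exportfs defaults to sys when it is absent."""
    m = re.search(r"sec=([a-z0-9:]+)", exports_line)
    return m.group(1).split(":") if m else ["sys"]


def triage(log, exports_line):
    """Return human-readable findings about why the mount was refused."""
    attempts = exchange_id_results(log)
    failures = Counter((flavour, rc) for flavour, rc in attempts if rc != 0)
    succeeded = [flavour for flavour, rc in attempts if rc == 0]
    allowed = export_sec_flavours(exports_line)
    findings = []
    for (flavour, rc), n in failures.items():
        name = errno.errorcode.get(-rc, str(rc))
        hint = ""
        if flavour == "RPCSEC_GSS":
            # Interpretation, not kernel output: no GSS context could be set up.
            hint = "; usually rpc.gssd could not obtain or use an nfs/ service ticket"
        findings.append(f"exchange_id with {flavour} failed {n}x ({name}){hint}")
    for flavour in succeeded:
        sec = FLAVOUR_TO_SEC.get(flavour, flavour)
        if sec not in allowed:
            findings.append(f"client fell back to {flavour} (sec={sec}), which the export "
                            f"does not list (sec={':'.join(allowed)})")
    rc = getroot_errno(log)
    if rc is not None:
        findings.append(f"getroot failed with {errno.errorcode.get(rc, rc)}: the server "
                        "rejected the root filehandle lookup, consistent with a sec= mismatch")
    return findings


if __name__ == "__main__":
    for finding in triage(CLIENT_LOG, EXPORTS_LINE):
        print("-", finding)
```

The useful property of this reading is that the final "Permission denied" is the AUTH_UNIX fallback being refused by an export that only lists Kerberos flavours, so it is a symptom; the finding to chase first is the earlier -13 on the RPCSEC_GSS exchange_id, which is where the client's keytab and rpc.gssd come in.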
I have a list of interfaces to which I want to masquerade traffic. The problem is that only one of them is active at once. They all match the regex vlan14[0-9][0-9]. How can I get shorewall to masquerade traffic destined out any of these interfaces based on which is active at the time?
More specifically they are all nearly identical networks (they're access ports for a product). They are all the same subnet, and use the same IPs, but they're different machines. That's why they're their own networks, and why only one can be active at a time.
I've been fighting with this for around a week now. I'm trying to get a RADIUS server to authenticate against our Samba-based Active Directory, but I can't get it to work. Because of our infrastructure, PAP will not work. Because AD does not offer a known good plaintext password, CHAP will not work. So this leaves MSCHAP.
The RADIUS server is on its own VM. Said VM is linked to the domain with Winbind. I have the following /etc/raddb/mods-available/mschap:
$ cat /etc/raddb/mods-available/mschap|grep -Ev '^\s*(#|$)'
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
    winbind_username = "%{mschap:User-Name}"
    winbind_domain = "[domain]"
    winbind_retry_with_normalised_username = yes
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 86400
        cleanup_interval = 300
        idle_timeout = 600
    }
}
When I have a client attempt to authenticate, the relevant radiusd -X output is:
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Ready to process requests
(0) Received Access-Request Id 22 from 192.168.6.179:43922 to 192.168.6.192:1812 length 180
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Port = 15728668
(0) NAS-Port-Type = Virtual
(0) User-Name = "duncan"
(0) Calling-Station-Id = "192.168.6.100"
(0) Called-Station-Id = "192.168.6.179"
(0) MS-CHAP-Challenge = 0x7fd91ada13b38b1800f2f5c1b9a107e4
(0) MS-CHAP2-Response = 0x01000ff84b43a7f4d54b20da108b5f6a76480000000000000000b366008c649fc36a4a9bfb044f65dc8daf3aee10ad679141
(0) NAS-Identifier = "MikroTik"
(0) NAS-IP-Address = 192.168.6.179
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) [digest] = noop
(0) files: users: Matched entry DEFAULT at line 181
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) mschap: Creating challenge hash with username: duncan
(0) mschap: Client is using MS-CHAPv2
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(0) mschap: --> --username=duncan
(0) mschap: Creating challenge hash with username: duncan
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap: --> --challenge=6c2a06548de859d5
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap: --> --nt-response=b366008c649fc36a4a9bfb044f65dc8daf3aee10ad679141
(0) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: Logon failure (0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0) [mschap] = reject
(0) } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> duncan
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.6 seconds.
Waking up in 0.3 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 22 from 192.168.6.192:1812 to 192.168.6.179:43922 length 103
(0) MS-CHAP-Error = "\001E=691 R=1 C=06f7ce6fa5be464d72e8def2f9634910 V=3 M=Authentication rejected"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 22 with timestamp +8
Ready to process requests
And the samba log level 5 output:
[2018/03/19 11:13:13.166062, 3] ../libcli/auth/schannel_state_tdb.c:190(schannel_fetch_session_key_tdb)
schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/GS-RADIUS
[2018/03/19 11:13:13.166160, 3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user [AD]\[duncan]@[\\GS-RADIUS]
[2018/03/19 11:13:13.166171, 5] ../source4/auth/ntlm/auth_util.c:57(map_user_info_cracknames)
map_user_info_cracknames: Mapping user [AD]\[duncan] from workstation [\\GS-RADIUS]
auth_check_password_send: mapped user is: [AD]\[duncan]@[\\GS-RADIUS]
[2018/03/19 11:13:13.166994, 5] ../source4/auth/ntlm/auth.c:67(auth_get_challenge)
auth_get_challenge: returning previous challenge by module netr_LogonSamLogonWithFlags (normal)
[2018/03/19 11:13:13.167006, 5] ../lib/util/util.c:555(dump_data)
[0000] 2D F2 C3 E3 15 05 ED 58 -......X
[2018/03/19 11:13:13.167502, 2] ../libcli/auth/ntlm_check.c:424(ntlm_password_check)
ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user duncan
[2018/03/19 11:13:13.167518, 3] ../libcli/auth/ntlm_check.c:431(ntlm_password_check)
ntlm_password_check: NEITHER LanMan nor NT password supplied for user duncan
[2018/03/19 11:13:13.167630, 5] ../source4/dsdb/common/util.c:5252(dsdb_update_bad_pwd_count)
Not updating badPwdCount on CN=duncan,CN=Users,DC=ad,DC=goldblattsystems,DC=com after wrong password
[2018/03/19 11:13:13.167656, 2] ../source4/auth/ntlm/auth.c:430(auth_check_password_recv)
auth_check_password_recv: sam_ignoredomain authentication for user [AD\duncan] FAILED with error NT_STATUS_WRONG_PASSWORD
[2018/03/19 11:13:13.348906, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2018/03/19 11:13:13.348929, 3] ../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
What's causing this? How can I fix it?
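As an added example (not part of the question, FreeRADIUS or Samba), the Python below decodes the two MS-CHAP attributes from the Access-Request in the trace and reproduces the RFC 2759 challenge-hash step that rlm_mschap performs before it runs ntlm_auth. The attribute values are copied from the trace; the field layout follows RFC 2548 section 2.3.2 and the username is the one the trace says the hash was built with.

```python
import hashlib

# Attribute values copied from the Access-Request in the radiusd -X trace above.
MS_CHAP_CHALLENGE = bytes.fromhex("7fd91ada13b38b1800f2f5c1b9a107e4")
MS_CHAP2_RESPONSE = bytes.fromhex(
    "0100"                                              # Ident, Flags
    "0ff84b43a7f4d54b20da108b5f6a7648"                  # Peer-Challenge (16 bytes)
    "0000000000000000"                                  # Reserved (8 bytes)
    "b366008c649fc36a4a9bfb044f65dc8daf3aee10ad679141"  # NT-Response (24 bytes)
)
USER_NAME = "duncan"


def parse_mschap2_response(blob):
    """Split the 50-byte MS-CHAP2-Response value (RFC 2548 section 2.3.2) into its fields."""
    if len(blob) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(blob)}")
    return {
        "ident": blob[0],
        "flags": blob[1],
        "peer_challenge": blob[2:18],
        "reserved": blob[18:26],
        "nt_response": blob[26:50],
    }


def challenge_hash(peer_challenge, authenticator_challenge, user_name):
    """RFC 2759 ChallengeHash(): SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].
    This 8-byte value is what rlm_mschap expands as %{mschap:Challenge}."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(user_name.encode("ascii"))
    return h.digest()[:8]


def ntlm_auth_arguments(user_name, ms_chap_challenge, ms_chap2_response):
    """Reproduce the three values rlm_mschap hands to ntlm_auth for an MS-CHAPv2 request."""
    fields = parse_mschap2_response(ms_chap2_response)
    chal = challenge_hash(fields["peer_challenge"], ms_chap_challenge, user_name)
    return {
        "--username": user_name,
        "--challenge": chal.hex(),
        "--nt-response": fields["nt_response"].hex(),
    }


if __name__ == "__main__":
    for flag, value in ntlm_auth_arguments(USER_NAME, MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE).items():
        print(f"{flag}={value}")
```

What this makes visible is why the Samba side logs "NTLMv1 passwords NOT PERMITTED": the 24-byte NT-Response is the NT hash applied (as three DES blocks) to that 8-byte challenge, which is exactly the NTLMv1 response construction, so the DC verifies it with the same code path and the same policy. That policy is the smb.conf parameter `ntlm auth`, whose default is `no` in current Samba releases; the value `mschapv2-and-ntlmv2-only` (Samba 4.7 and later) admits MS-CHAPv2 requests arriving through ntlm_auth --request-nt-key while still refusing plain NTLMv1 elsewhere, which is the narrowest change if MS-CHAPv2 cannot be avoided.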
I'm trying to use the LDAP module to authenticate radius clients against active directory, so I need to have it actually use LDAP as the authenticator. However, it seems User-Password isn't getting set. First of all, is User-Password supposed to be sent by the client or the backend server? My main question is, what am I doing wrong?
And yes, I'm aware that the logs are screaming "don't do this" at me, but reading the README, it seems that that's usually good advice, but AD requires this.
I'm trying to set up a radius server to authenticate against LDAP, but I'm running into a weird issue:
rlm_ldap (ldap): Bind with radiusd@[domain] to ldaps://localhost:636 failed: Strong(er) authentication required
rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..
As you can see by ldaps://, it is using transport security. What's going on here? How can I fix this?
EDIT: I figured I'd try with starttls. Didn't fix anything:
rlm_ldap (ldap): Bind with radiusd@[domain] to ldap://localhost:389 failed: Strong(er) authentication required
rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..
EDIT 2: The hell? It even does it when I pipe it through stunnel.
rlm_ldap (ldap): Bind with radiusd@[domain] to ldap://localhost:3636 failed: Strong(er) authentication required
rlm_ldap (ldap): Server said: BindSimple: Transport encryption required..
I'm working on moving a small business network away from a Windows Small Business Server. I've set up the active directory using Samba, and it all works well, but I see one potential problem: Currently we depend somewhat heavily on DHCP-based dynamic DNS, so that our workflow can look like this:
- Spin up a VM
- Change its hostname in the remote console
- Reboot
- SSH in with the hostname we just set
However, it seems like that would conflict with Samba's AD-based DDNS. Can we reconcile the two somehow? Our DNS backend for Samba is BIND9_DLZ, and the DHCP server we're moving to is isc_dhcp_server, although that is flexible.
I just linked my Arch Linux workstation to the Samba AD I set up for our company. I tested it, and it worked, or so I thought. It accepted my password, created my homedir and everything, and logged me in. What I forgot to test was what it wouldn't accept. As it turns out, as long as the username is valid (AD or local, doesn't matter), it will accept any password. Can somebody point me towards what I did wrong?
I'm using SSSD to manage the AD connection. Here's my /etc/pam.d/system-auth:
#%PAM-1.0
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_env.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
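The behaviour described above, as an added example that is not part of the original question: a small Python model of the control-flag semantics documented in pam.conf(5), walked over the posted auth lines. The per-module results are assumptions about what each module returns for a domain (SSSD) user, and the second stack, with a trailing pam_deny.so, is mine, not something the question shows.

```python
SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

# pam.conf(5) expands the four keyword controls to these [value=action] tables;
# only the three module return classes needed here are modelled.
ACTIONS = {
    "required":   {SUCCESS: "ok",   IGNORE: "ignore", FAIL: "bad"},
    "requisite":  {SUCCESS: "ok",   IGNORE: "ignore", FAIL: "die"},
    "sufficient": {SUCCESS: "done", IGNORE: "ignore", FAIL: "ignore"},
    "optional":   {SUCCESS: "ok",   IGNORE: "ignore", FAIL: "ignore"},
}


def evaluate_stack(entries, outcomes):
    """Walk one PAM management group the way libpam's dispatcher does.

    entries:  [(control, module), ...] in file order
    outcomes: module -> SUCCESS / FAIL / IGNORE for this login attempt
    Returns SUCCESS or FAIL, the result the application gets back.
    """
    impression = None  # None: nothing recorded yet; True: positive; False: negative
    for control, module in entries:
        action = ACTIONS[control][outcomes[module]]
        if action == "ignore":
            continue                                # does not count towards the outcome
        if action == "ok":
            if impression is None:
                impression = True                   # a prior 'bad' is never overridden
        elif action == "done":
            if impression is None:
                impression = True
            return SUCCESS if impression else FAIL  # stop the stack here
        elif action == "bad":
            impression = False                      # keep walking, remember the failure
        elif action == "die":
            return FAIL                             # stop immediately
    return SUCCESS if impression else FAIL          # nothing positive recorded: denied


# The posted auth section, reduced to (control, module).
AUTH_AS_POSTED = [
    ("sufficient", "pam_unix.so"),
    ("requisite",  "pam_succeed_if.so"),   # uid >= 500
    ("sufficient", "pam_sss.so"),
    ("required",   "pam_env.so"),
]

# The same stack with a terminating deny (my addition), so that only a
# 'sufficient' success can satisfy it.
AUTH_WITH_DENY = AUTH_AS_POSTED + [("required", "pam_deny.so")]


def outcomes_for(user_known, password_ok):
    """Assumed module results for a domain user; constructed for this model."""
    return {
        "pam_unix.so": FAIL,                                   # user is not in /etc/shadow
        "pam_succeed_if.so": SUCCESS if user_known else FAIL,  # uid test needs a resolvable user
        "pam_sss.so": SUCCESS if user_known and password_ok else FAIL,
        "pam_env.so": IGNORE,                                  # pam_env is not an authenticator
        "pam_deny.so": FAIL,
    }


if __name__ == "__main__":
    for label, stack in (("as posted", AUTH_AS_POSTED), ("with pam_deny", AUTH_WITH_DENY)):
        for known, ok in ((True, True), (True, False), (False, False)):
            result = evaluate_stack(stack, outcomes_for(known, ok))
            print(f"{label:14} user_known={known!s:5} password_ok={ok!s:5} -> {result}")
```

The model shows where the hole is: with a wrong password both sufficient modules fail and are ignored, pam_env contributes nothing, and the only result the dispatcher records is the "ok" from the requisite pam_succeed_if.so, which passes for any resolvable user with uid >= 500. That single positive impression is enough for pam_authenticate() to return success. Appending auth required pam_deny.so turns the no-sufficient-success case into a recorded failure, while a correct SSSD password still terminates the stack with success at pam_sss.so.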
I'm running a Mikrotik Cloud Hosted Router as an HVM DomU under Xen. How do I give it full control of the wifi card instead of my Dom0? The DomU needs to be able to associate and disassociate with networks, as well as host them, so NAT and bridging don't suit my circumstances.
I'm trying to install CentOS 7 under Xen as a PV DomU, but I can't find the needed initrd.img and vmlinuz images. Is there anywhere that I can download them, or if I need to, how can I generate them?
Note: I tried the pxeboot vmlinuz and initrd, but I got a kernel panic. The CentOS 5 Xen vmlinuz and initrd work fine. Perhaps it is possible to install 7 from the 5 install images?
I'm trying to set up replication between two MariaDB databases, but I get the following error in phpMyAdmin:
Error 'Character set '#610' is not a compiled character set and is not specified in the '/usr/share/mysql/charsets/Index.xml' file'
I checked mysqld --verbose --help
and both have UTF-8 as their default charsets.