Mailing List Archive

Permissions problems with conserver 8.11
Users,

I am attempting to configure conserver 8.1.1 to work with Solaris 9 and
Cyclades TS1000. I have downloaded a pre-compiled and packaged version
of conserver from sunfreeware.com. Even though I have explicitly
allowed the server (unixlab2) to be trusted to use conserver, I still
cannot connect due to a permissions problem. Please observe the
information below, and provide me with any guidance you may have on this
issue.

Thank you

Phillip Pacheco
WIS-UNIX
Genesys

{unixlab2}/usr/local/etc> ../sbin/conserver -S
[Thu Sep 15 16:13:52 2005] conserver (1447): conserver.com version 8.1.1
[Thu Sep 15 16:13:52 2005] conserver (1447): started as `root' by `root'
[Thu Sep 15 16:13:52 2005] conserver (1447): performing configuration file syntax check
[Thu Sep 15 16:13:52 2005] conserver (1447): terminated
{unixlab2}/usr/local/etc> echo $?
0

{unixlab2}/usr/local/etc> ../sbin/conserver -v
[Thu Sep 15 16:14:36 2005] conserver (1448): conserver.com version 8.1.1
[Thu Sep 15 16:14:36 2005] conserver (1448): started as `root' by `root'
[Thu Sep 15 16:14:36 2005] conserver (1448): INFO: interface address 127.0.0.1 (lo0)
[Thu Sep 15 16:14:36 2005] conserver (1448): INFO: interface address 192.168.28.62 (eri0)
[Thu Sep 15 16:14:36 2005] conserver (1448): daemonizing

{unixlab2}/usr/local/etc> ../sbin/conserver -V
conserver: conserver.com version 8.1.1
conserver: default access type `r'
conserver: default escape sequence `^Ec'
conserver: default configuration in `/usr/local/etc/conserver.cf'
conserver: default password in `/usr/local/etc/conserver.passwd'
conserver: default logfile is `/usr/local/var/log/conserver'
conserver: default pidfile is `/usr/local/var/run/conserver.pid'
conserver: default limit is 16 members per group
conserver: default primary port referenced as `conserver'
conserver: default secondary base port referenced as `0'
conserver: options: libwrap, openssl, pam
conserver: openssl version: OpenSSL 0.9.7c 30 Sep 2003
conserver: built with `./configure --disable-nls --prefix=/usr/local --with-logfile=/usr/local/var/log/conserver --with-pidfile=/usr/local/var/run/conserver.pid --with-pam --with-libwrap --with-openssl=/usr/local/ssl'

{unixlab2}/usr/local/etc> ../sbin/conserver -at -E -d
[Thu Sep 15 16:15:20 2005] conserver (1452): conserver.com version 8.1.1
[Thu Sep 15 16:15:20 2005] conserver (1452): started as `root' by `root'
[Thu Sep 15 16:15:20 2005] conserver (1452): daemonizing

{unixlab2}/usr/local/etc> console unixlab1
console: access from your host refused

{unixlab2}/usr/local/etc> console unixlab2
console: access from your host refused

{unixlab2}/usr/local/etc> cat conserver.cf
config unixlab2.genesyslab.com {
    daemonmode true;
    defaultaccess trusted;
    logfile /var/log/consoles/&;
    sslrequired false;
}

default * {
    logfile /var/log/consoles/&; # '&' is replaced with console name
    timestamp 1hab; # write timestamps
    rw *; # allow all users
    master unixlab2.genesyslab.com;
}

access unixlab2.genesyslab.com {
    admin root;
    trusted unixlab1, unixlab2;
}

default cyclades1 {
    type host;
    host labcon.genesyslab.com;
    portbase 7000;
    portinc 1;
    master localhost;
}

console unixlab1 {
    type host;
    host labcon.genesyslab.com;
    port 7007;
    master unixlab2;
}

console unixlab2 {
    type host;
    host labcon.genesyslab.com;
    master unixlab2.genesyslab.com;
    port 7008;
}

#console test1 { include cyclades1; port 1; }
#console test2 { include cyclades1; port 6; }
#console unixlab1 { include cyclades1; port 7; }
#console unixlab2 { include cyclades1; port 8; }
#
Re: Permissions problems with conserver 8.11
you might want to try specifying 'unixlab2.genesyslab.com' instead of
just 'unixlab2' in the access list. might not make a difference
(depends on your name lookups).

if that doesn't help, i'd suggest running conserver with the -D option
and look at the debug lines mentioning access.c. it should show the ip
address of the connecting client, and then the tests of it against all
the items in the access list. it might give a hint as to why it's not
succeeding.

Bryan

> access unixlab2.genesyslab.com {
> admin root;
> trusted unixlab1, unixlab2;
> }
_______________________________________________
users mailing list
users@conserver.com
https://www.conserver.com/mailman/listinfo/users
RE: Permissions problems with conserver 8.11
Ah, perhaps we have something here. I made the change you suggested in
the access list (I think I had done this before). I tested it again and
it failed the same as before.

I ran conserver -D as you suggest, but there are no access.c entries. I
can see the readcfg entries which deal with the access section, see
below. Could there be something wrong with my config file which causes
conserver not to properly recognize the access section, or to not
properly translate it into access.c commands?

Thank you so much for your response.

Phillip Pacheco
WIS-UNIX
Genesys

[Mon Sep 19 11:28:08 2005] conserver (3112): DEBUG: [readcfg.c:4618] ReadCfg(): got keyword 'access' [/usr/local/etc/conserver.cf:13]
[Mon Sep 19 11:28:08 2005] conserver (3112): DEBUG: [readcfg.c:3504] AccessBegin(unixlab2.genesyslab.com) [/usr/local/etc/conserver.cf:15]
[Mon Sep 19 11:28:08 2005] conserver (3112): DEBUG: [cutil.c:349] AllocString(): 0x4f9e8 created string #15
[Mon Sep 19 11:28:08 2005] conserver (3112): DEBUG: [readcfg.c:4697] got keyword 'admin' [/usr/local/etc/conserver.cf:15]
[Mon Sep 19 11:28:08 2005] conserver (3112): DEBUG: [readcfg.c:3643] AccessItemAdmin(root) [/usr/local/etc/conserver.cf:16]
[Mon Sep 19 11:28:08 2005] conserver (3112): DEBUG: [readcfg.c:1781] ProcessRoRw(root) [/usr/local/etc/conserver.cf:16]
[Mon Sep 19 11:28:08 2005] conserver (3112): DEBUG: [readcfg.c:4697] got keyword 'trusted' [/usr/local/etc/conserver.cf:16]
[Mon Sep 19 11:28:08 2005] conserver (3112): DEBUG: [readcfg.c:3832] AccessItemTrusted(unixlab1.genesyslab.com, unixlab2.genesyslab.com) [/usr/local/etc/conserver.cf:17]
[Mon Sep 19 11:28:08 2005] conserver (3112): DEBUG: [readcfg.c:3529] AccessEnd() [/usr/local/etc/conserver.cf:17]

Re: Permissions problems with conserver 8.11
On Mon, Sep 19, 2005 at 12:02:39PM -0700, Phillip Pacheco wrote:
> I ran conserver -D as you suggest, but there are no access.c entries. I
> can see the readcfg entries which deal with the access section, see
> below. Could there be something wrong with my config file which causes
> conserver not to properly recognize the access section, or to not
> properly translate it into access.c commands?

the access.c entries will show up once you try and connect with the
client. unless you're connecting to another conserver daemon, it'll
show something.

running 'console -v <console>' might show interesting things as well.
the combination of those should show something.

Bryan
RE: Permissions problems with conserver 8.11
Thank you for the prompt response.

I am afraid I don't know what you mean about access.c entries showing
up. Where will they show up? Should I run conserver in daemon mode,
try to connect with console, then run conserver -D a second time? I
tried just that, and found no access.c entries.

I also tried console -v unixlab2 but that did not show anything useful.
Then I recalled that the console command has many of the same switches
as conserver, so I ran this:

{unixlab2}/usr/local/etc> console -D -D -D unixlab2

There were many lines created of course but this one seems to be the
only relevant (or at least the most salient):

console: DEBUG: [console.c:465] GetPort: hostname=XXXXX.genesyslab.com (console), ip=199.XX.XXX.XXX, port=782

*X'ed out the hostname & IP for security reasons.

This confirms my initial fears: We have an extensive pre-existing
conserver network in our production environment using 7.1.3. unixlab2
is not mentioned anywhere in the config of the production network, yet
somehow it attempts to reference one of the other conserver servers.
This raises new questions:
1. Can I integrate an 8.1.1 server with the pre-existing 7.1.3 network?
(eventually we will upgrade the whole network)

2. How can I separate this test environment from the production
environment?

Thanks again for your attention to this matter. Your efforts are
greatly appreciated.

Phillip Pacheco
WIS-UNIX

Re: Permissions problems with conserver 8.11
On Mon, Sep 19, 2005 at 02:30:44PM -0700, Phillip Pacheco wrote:
> I am afraid I don't know what you mean about access.c entries showing
> up. Where will they show up? Should I run conserver in daemon mode,
> try to connect with console, then run conserver -D a second time? I
> tried just that, and found no access.c entries.

you just run it in daemon mode, connect with the client, and you should
see access attempts. if not, something "bad" is happening and the
client isn't talking to the server (which below seems to confirm).

> {unixlab2}/usr/local/etc> console -D -D -D unixlab2
>
> console: DEBUG: [console.c:465] GetPort: hostname=XXXXX.genesyslab.com
> (console), ip=199.XX.XXX.XXX, port=782

ah...right. i steered you wrong. it was -D, not -v that was needed.
good catch. ;-)

> This confirms my initial fears: We have an extensive pre-existing
> conserver network in our production environment using 7.1.3. unixlab2
> is not mentioned anywhere in the config of the production network, yet
> somehow it attempts to reference one of the other conserver servers.

if you run 'console -V', you'll see the default server the client tries
to connect to (the master). that's probably pointing at your production
system. if you run 'console -M <host> [other options]' you can override
that and point at your test system. so, probably 'console -M unixlab2
unixlab2' would be a good start.

> This raises new questions:
>
> 1. Can I integrate an 8.1.1 server with the pre-existing 7.1.3 network?
> (eventually we will upgrade the whole network)

as long as the 8.x.x client is used to talk to an 8.x.x server and a
7.x.x client is talking to a 7.x.x server, yes. there are client/server
protocol issues between various revisions which the INSTALL file in the
distribution points out.

> 2. How can I separate this test environment from the production
> environment?

basically by using the -M flag on the client. you've already contained
the server (it knows about two consoles, and it manages them) and with
-M, you contain the client.

i hope this helps clear things up for folks (at least a bit), gives
people a view into how things work, and answers the important questions.

Bryan
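
An added example, not part of the original thread: a shell check built on the GetPort debug line quoted above, which reports whether the console client actually contacted the master you intended. The function names and the two sample lines (including the host prodcons.example.com and the address 192.0.2.10) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): confirm which conserver master the
# 'console' client contacted, using the GetPort debug line format quoted above.
# Usage: console -D <console> 2>&1 | check_console_master <expected-master>

# Print the hostname from the first GetPort line on stdin (nothing if absent).
getport_host() {
    sed -n 's/.*GetPort: hostname=\([^ ,]*\).*/\1/p' | head -n 1
}

# check_console_master EXPECTED  (reads the client's debug output on stdin)
# Returns 0 if the contacted host is EXPECTED (short name or FQDN),
#         1 if it is some other host, 2 if no GetPort line was seen.
check_console_master() {
    # Hostnames are case-insensitive, so compare in lower case.
    expected=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    actual=$(getport_host | tr '[:upper:]' '[:lower:]')
    if [ -z "$actual" ]; then
        echo "no GetPort line found; run the client with -D" >&2
        return 2
    fi
    case "$actual" in
        "$expected"|"$expected".*)
            echo "ok: client contacted $actual"
            return 0 ;;
    esac
    echo "mismatch: client contacted $actual, not $expected" >&2
    echo "check 'console -V' for the default master, or use 'console -M $expected'" >&2
    return 1
}

# Constructed sample lines in the format shown in the thread.
# Default master name resolving to a host outside the test setup:
SAMPLE_DEFAULT='console: DEBUG: [console.c:465] GetPort: hostname=prodcons.example.com (console), ip=192.0.2.10, port=782'
# Same client pointed at the test server with -M (parenthesised name assumed):
SAMPLE_OVERRIDE='console: DEBUG: [console.c:465] GetPort: hostname=unixlab2.genesyslab.com (unixlab2), ip=192.168.28.62, port=782'
```

A return code of 1 explains an "access from your host refused" message that never appears in the test server's own debug log: the refusal came from a different conserver.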
RE: Permissions problems with conserver 8.11
Thank you, Thank you!

Using the -M switch did the trick. I hadn't noticed this before, but
one of the production "conserver servers" has a CC name of "console".
This is why I was getting the wrong server when I attempted to connect.
It is also why I never noticed this fundamental configuration feature.

I see in the man page of the "console" command that it is necessary to
define the default server name at compile time. Is there an alternative
to this? I would like to define the server name in a configuration file
instead. If this is not possible now, will it be possible in future
releases? I ask because my boss has a preference for using pre-compiled
programs to ensure uniformity. I suppose that I can create a shell
alias as a band-aid solution.

Thank you one last time. I am stoked to have finally solved this
problem. Now I can move on to tweaking the config to my liking :).

Phillip Pacheco
Genesys



Re: Permissions problems with conserver 8.11
On Mon, Sep 19, 2005 at 03:51:07PM -0700, Phillip Pacheco wrote:
> I see in the man page of the "console" command that it is necessary to
> define the default server name at compile time. Is there an alternative
> to this? I would like to define the server name in a configuration file
> instead. If this is not possible now, will it be possible in future
> releases? I ask because my boss has a preference for using pre-compiled
> programs to ensure uniformity. I suppose that I can create a shell
> alias as a band-aid solution.

the 8.x.x 'console' command can read options from a .consolerc file in
your homedir (or a global console.cf - the 'console -V' output shows the
locations). in it, you can define things like the master server based
on the host you run the command on. so, something like

config unixlab2.genesyslab.com {
master unixlab2.genesyslab.com;
}

would do the trick (if your homedir is shared on all the systems). the
console manpage talks about that configuration option.

Bryan