[UPDATE]Can't rsh into RIS server

From: Larry Griffith <larry_at_cs.wsc.ma.edu>
Date: Fri, 13 Aug 1999 17:51:19 -0400

Dear Managers,

        No luck so far. Compaq support is going to try to simulate my
setup (v4.0Dp4 + C2 + RIS) on their own machine. Dr. Blinn suspects
that patch kit 4 and C2 together break RIS; so far it looks like he
may be right. We did eventually get rsh to work for a login into
root (see item xi in the original post), but not ris.

        Thanks for the two responses received:

"Sean O'Connell" <sean_at_stat.Duke.EDU>
"Dr. Tom Blinn, 603-884-0646" <tpb_at_doctor.zk3.dec.com>

        Sean suggested checking the ~ris/.rhosts file to be sure it
has the right client name in it. He also suggested trying to log in
directly from the client:

        rsh <server> -l ris

My .rhosts file looks OK and the rsh command fails.

        To quote Dr. Blinn: "My idea is that V4.0D plus Patch 4 plus C2
security breaks RIS." He suggests trying a server without patch kits
to see if that works (unfortunately the production server is all I've
got to work with) or using an external CD-ROM (also suggested in the
archives). I don't have a SCSI external CD-ROM, but maybe our Computer
Center can find one when they come back from vacation.

My original post:

Dear Managers,

     Yesterday I put patch kit 4 on my server and clients (all v
4.0D). A catastrophic failure on two clients has left me trying to
reinstall the entire operating system. These clients are DEC 3000
300's and they don't have CD drives, so that means RIS.

     I can boot the clients over the network, but when I try to select
software subsets, setld fails to "initialize the server". I've been
here before and I knew that meant that setld couldn't do an "rsh" into
the "ris" account on the RIS server. A check of the server's logs (in
particular /var/adm/sialog) confirmed this. In fact, experimentation
from a client that survived the patch kit revealed that rsh couldn't
log in to the server at all (into root or any other account). I
checked my setup out and can't find a problem. I've been talking with
Compaq support all afternoon and so far no joy. Any ideas?

Here's my server setup:

i) The server is a DEC 3000 600 with v4.0Dp4. It runs C2 security.

ii) The OSFRIS425 subset was successfully installed. The ris utility
allowed me to add the two dead clients and the v4.0D CD.

iii) My /var/adm/ris/.rhosts file contains the fully-qualified names
of the two clients (/var/adm/ris is the ris account's home directory).
We tried substituting just the hostnames without success. Here's the
protection/ownership:

-rw-r--r-- 1 ris ris 45 Aug 12 13:33 /var/adm/ris/.rhosts

iv) The "shell" line in /etc/inetd.conf was enabled and a kill -HUP
issued to inetd. Here's the shell line:

shell stream tcp nowait root /usr/sbin/rshd rshd

I also tried TCP wrappers here, with a hosts.allow file that sent root
an e-mail message if the shell service was requested. The e-mail was
received every time I tried to boot the clients under RIS.

         The ownership/protection is:

-rwxr-xr-x 1 root system 5903 Aug 12 18:01 /etc/inetd.conf


v) A previous bout with this problem was solved by putting the client
names into /etc/hosts.equiv (I don't understand why, since the local
user on the rsh client is necessarily root). I put the client names
in, both hostname and fully-qualified, but this didn't help. The
ownership/protection is:

-rwxr-xr-x 1 bin bin 2379 Aug 12 13:33 /etc/hosts.equiv


vi) My /etc/exports file contains the following lines:

/ris/ris0.a/product_1 -root=0 -ro -access=jon:odie
/var/adm/ris/ris0.alpha/kit -root=0 -ro -access=jon:odie

(jon and odie are the two clients). A showmount -e command shows
these exports. The ownership/protection is:

-rw-r--r-- 1 root system 3198 Aug 11 17:57 /etc/exports

vii) The client names are in the server's /etc/hosts file (and the RIS
server is also their primary DNS server) in fully qualified form, with
the hostnames alone also present as aliases.

viii) Per a Compaq suggestion, we checked out /tcb/files/auth/r/ris.
It didn't even exist at first (I don't know why not). I created this
file (with no expiration) as per their suggestion:

ris:u_name=ris:u_id#11:u_oldcrypt#0:\
        :u_pwd=*:u_exp#0:u_life#0:\
        :u_succhg#934485193:u_lock@:chkent:

(The * in the u_pwd field and the 0 u_exp and u_life fields were
specifically suggested as having solved this problem for another
admin.) The ownership/protection of /tcb/files/auth/r/ris is:

-rw-rw---- 1 auth auth 104 Aug 12 15:14 ris

I ran convauth and verified the result with edauth, but rsh still
didn't work.

ix) Here's the ris entry in /etc/passwd:

ris:*:11:21:Remote Installation Services Account:/usr/adm/ris:/bin/sh


x) Per a suggestion in the archives, I checked that mountd was
running (it is).

xi) While testing, Compaq suggested putting the name of a live client
into /.rhosts on the server and trying this command from that client:

     rsh <server> "echo hello"

That failed with a "permission denied" message. The /.rhosts file had
444 protection and was owned by root:system.

        Any ideas?

                                                Larry

============================================================================
Larry Griffith Dept. of Computer & Info Science
larry_at_cs.wsc.ma.edu Westfield State College
(413) 572-5294 Westfield, MA 01086 USA
PGP public key available at: http://cs.wsc.ma.edu/dcis/griffith.html
============================================================================
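The entry Larry was told to create in /tcb/files/auth/r/ris is in the termcap-style C2 auth database format (colon-separated fields, backslash continuation, `k=v` strings, `k#n` numbers, bare flags and `flag@` negations). The parser and checker below are an added example, not code from the original post or from Compaq; the sample entry is constructed to match the one quoted in item viii, and the "usable for rsh" conditions are simply the ones the post says were suggested (unlocked, no expiration, no lifetime, no usable password).

```python
# Added example: parse one C2 /tcb/files/auth entry and check the
# conditions listed in the post for the RIS service account.
from typing import Dict, List, Union

Field = Union[str, int, bool]

# Constructed sample modelled on the entry quoted in the post.
SAMPLE_ENTRY = r"""ris:u_name=ris:u_id#11:u_oldcrypt#0:\
        :u_pwd=*:u_exp#0:u_life#0:\
        :u_succhg#934485193:u_lock@:chkent:
"""


def parse_auth_entry(text: str) -> Dict[str, Field]:
    """Return the entry's fields as a dict; the leading name goes under 'name'.

    'k=v' -> str, 'k#n' -> int, 'k' -> True, 'k@' -> False (negated flag).
    """
    # Join continuation lines, then drop the backslashes that marked them.
    joined = "".join(line.strip() for line in text.splitlines()).replace("\\", "")
    fields = [f for f in joined.split(":") if f]  # skip empty fields
    parsed: Dict[str, Field] = {"name": fields[0]}
    for field in fields[1:]:
        if "=" in field:
            key, value = field.split("=", 1)
            parsed[key] = value
        elif "#" in field:
            key, value = field.split("#", 1)
            parsed[key] = int(value)
        elif field.endswith("@"):
            parsed[field[:-1]] = False
        else:
            parsed[field] = True
    return parsed


def check_rsh_account(entry: Dict[str, Field]) -> List[str]:
    """List the reasons this C2 account would not match the post's suggested
    settings for a password-less, host-trusted rsh service account."""
    problems: List[str] = []
    if entry.get("u_lock") is True:
        problems.append("account is locked (u_lock set)")
    if entry.get("u_exp", 0) != 0:
        problems.append("password has an expiration (u_exp != 0)")
    if entry.get("u_life", 0) != 0:
        problems.append("password has a lifetime (u_life != 0)")
    if entry.get("u_pwd") != "*":
        problems.append("service account has a usable password (u_pwd != '*')")
    return problems
```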
Received on Fri Aug 13 1999 - 21:53:49 NZST