Dear Managers,
Sorry for the long delay, but the problem has just been solved.
A week of e-mail and phone calls to/from Compaq support determined
that the /tcb/files/auth.db and /var/tcb/files/auth.db databases were
corrupt. Alan Boda of Compaq support really went some extra miles
tracking this down. The solution was to regenerate these databases
(it is important to back them up first). Here is a shell script that
does the job:

# Back up both databases before touching them.
if ! cp /tcb/files/auth.db /tcb/files/auth.db.bak
then
    echo 'Backup failed, exiting'
    exit 1
fi
if ! cp /var/tcb/files/auth.db /var/tcb/files/auth.db.bak
then
    echo 'Backup failed, exiting'
    exit 1
fi
# Save the current entries to a file that only the owner can read.
touch prpasswd.txt
chmod 600 prpasswd.txt
/tcb/bin/edauth -gL > prpasswd.txt
/tcb/bin/edauth -gL root > /tcb/files/auth/r/root
# Remove the corrupt databases, regenerate them, and load the saved entries.
rm -f /tcb/files/auth.db /var/tcb/files/auth.db
/tcb/bin/convauth -dp
/tcb/bin/edauth -sL < prpasswd.txt

Original Post
-------- ----
Dear Managers,
Yesterday I put patch kit 4 on my server and clients (all v4.0D).
A catastrophic failure on two clients has left me trying to
reinstall the entire operating system. These clients are DEC 3000
300's and they don't have CD drives, so that means RIS.
I can boot the clients over the network, but when I try to select
software subsets, setld fails to "initialize the server". I've been
here before and I knew that meant that setld couldn't do an "rsh" into
the "ris" account on the RIS server. A check of the server's logs (in
particular /var/adm/sialog) confirmed this. In fact, experimentation
from a client that survived the patch kit revealed that rsh couldn't
log in to the server at all (into root or any other account). I
checked my setup out and can't find a problem. I've been talking with
Compaq support all afternoon and so far no joy. Any ideas?
Here's my server setup:
i) The server is a DEC 3000 600 with v4.0Dp4. It runs C2 security.
ii) The OSFRIS425 subset was successfully installed. The ris utility
allowed me to add the two dead clients and the v4.0D CD.
iii) My /var/adm/ris/.rhosts file contains the fully-qualified names
of the two clients (/var/adm/ris is the ris account's home directory).
We tried substituting just the hostnames without success. Here's the
protection/ownership:
-rw-r--r-- 1 ris ris 45 Aug 12 13:33 /var/adm/ris/.rhosts
iv) The "shell" line in /etc/inetd.conf was enabled and a kill -HUP
issued to inetd. Here's the shell line:
shell stream tcp nowait root /usr/sbin/rshd rshd
I also tried TCP wrappers here, with a hosts.allow file that sent root
an e-mail message if the shell service was requested. The e-mail was
received every time I tried to boot the clients under RIS.
The ownership/protection is:
-rwxr-xr-x 1 root system 5903 Aug 12 18:01 /etc/inetd.conf
v) A previous bout with this problem was solved by putting the client
names into /etc/hosts.equiv (I don't understand why, since the local
user on the rsh client is necessarily root). I put the client names
in, both hostname and fully-qualified, but this didn't help. The
ownership/protection is
-rwxr-xr-x 1 bin bin 2379 Aug 12 13:33 /etc/hosts.equiv
vi) My /etc/exports file contains the following lines:
/ris/ris0.a/product_1 -root=0 -ro -access=jon:odie
/var/adm/ris/ris0.alpha/kit -root=0 -ro -access=jon:odie
(jon and odie are the two clients). A showmount -e command shows
these exports. The ownership/protection is:
-rw-r--r-- 1 root system 3198 Aug 11 17:57 /etc/exports
vii) The client names are in the server's /etc/hosts file (and the RIS
server is also their primary DNS server) in fully qualified form, with
the hostnames alone also present as aliases.
viii) Per a Compaq suggestion, we checked out /tcb/files/auth/r/ris.
It didn't even exist at first (I don't know why not). I created this
file (with no expiration) as per their suggestion:
ris:u_name=ris:u_id#11:u_oldcrypt#0:\
:u_pwd=*:u_exp#0:u_life#0:\
:u_succhg#934485193:u_lock@:chkent:
(The * in the u_pwd field and the 0 u_exp and u_life fields were
specifically suggested as having solved this problem for another
admin.) The ownership/protection of /tcb/files/auth/r/ris is:
-rw-rw---- 1 auth auth 104 Aug 12 15:14 ris
I ran convauth and verified the result with edauth, but rsh still
didn't work.
ix) Here's the ris entry in /etc/passwd:
ris:*:11:21:Remote Installation Services Account:/usr/adm/ris:/bin/sh
x) Per a suggestion in the archives, I checked that mountd was
running (it is).
xi) While testing, Compaq suggested putting the name of a live client
into /.rhosts on the server and trying this command from that client:
rsh <server> "echo hello"
That failed with a "permission denied" message. The /.rhosts file had
444 protection and was owned by root:system.
Any ideas?
Larry
============================================================================
Larry Griffith Dept. of Computer & Info Science
larry_at_cs.wsc.ma.edu Westfield State College
(413) 572-5294 Westfield, MA 01086 USA
PGP public key available at:
http://cs.wsc.ma.edu/dcis/griffith.html
============================================================================
Received on Thu Aug 19 1999 - 18:44:58 NZST
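
Added example (not part of the original post and not Compaq's code): a small parser for the protected-password entry format shown in item viii, so an entry can be checked field by field after the databases are regenerated. It assumes the termcap-style field syntax (name=string, name#number, a bare name for a true flag, name@ for a false flag); the sample entry is constructed from the one in the post, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: decode a protected-password entry like the one in item viii.
# Assumed syntax: name=string, name#number, name (true flag), name@ (false flag).

# Constructed sample, modelled on the ris entry quoted in the post.
SAMPLE_ENTRY='ris:u_name=ris:u_id#11:u_oldcrypt#0:\
    :u_pwd=*:u_exp#0:u_life#0:\
    :u_succhg#934485193:u_lock@:chkent:'

# parse_entry: read one entry on stdin, print "field<TAB>type<TAB>value".
parse_entry() {
    awk '
    {   # Join continuation lines: drop the trailing "\" and leading blanks.
        sub(/\\$/, ""); sub(/^[ \t]+/, ""); entry = entry $0
    }
    END {
        n = split(entry, f, ":")
        print "name\tstring\t" f[1]
        for (i = 2; i <= n; i++) {
            if (f[i] == "" || f[i] == "chkent") continue  # padding, end marker
            if ((p = index(f[i], "=")) > 0)
                print substr(f[i], 1, p - 1) "\tstring\t" substr(f[i], p + 1)
            else if ((p = index(f[i], "#")) > 0)
                print substr(f[i], 1, p - 1) "\tnumber\t" substr(f[i], p + 1)
            else if (f[i] ~ /@$/)
                print substr(f[i], 1, length(f[i]) - 1) "\tflag\tfalse"
            else
                print f[i] "\tflag\ttrue"
        }
    }'
}

# get_field FIELD: print the value of FIELD from the entry on stdin.
get_field() {
    parse_entry | awk -F'\t' -v want="$1" '$1 == want { print $3 }'
}

# entry_locked: succeed only if the entry on stdin has u_lock set true.
entry_locked() {
    [ "$(get_field u_lock)" = "true" ]
}

# Demo: list the decoded fields of the sample entry.
printf '%s\n' "$SAMPLE_ENTRY" | parse_entry
```

The functions read an entry on stdin, so the contents of a per-user file such as /tcb/files/auth/r/ris can be piped in directly.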