
locked out

 
SOLVED
dschwarz
Frequent Advisor

locked out

We have a MicroVax 3100/96 running OpenVMS 6.2.

Yesterday I rebooted the system to start some new and changed applications, all of them running as detached processes.

After rebooting I did some interactive tests on
the system, everything worked fine.

In the early afternoon, I tried to log in to
the system to do some additional checks but
the system did not let me in:
"User authorization failure"

I tried different username/password combinations, but the system refused any login even at the console terminal.

The application was still running perfectly so
reboot was/is not an option during production time.

There are no device errors on the system but in the OPERATOR.LOG file I found a suspicious entry:

%%%%%%%%%%% OPCOM 6-SEP-2007 10:04:44.43 %%%%%%%%%%%
Message from user SYSTEM on MYNODE
%SECSRV-E-QIOFAILED, security server QIO on client mailbox failed
%SYSTEM-S-NORMAL, normal successful completion

What has happened with the system?
Is there a chance to 'repair' this without reboot?
Is there a chance not to repair this after reboot?
What is the meaning of the OPCOM message?

Thank you very much in advance.

16 REPLIES
Willem Grooters
Honored Contributor

Re: locked out

Looks like the audit or security server has a problem with (one of) the mailboxes - or is gone.
Check devices AUDSRV$CONTROL_MAILBOX and SECSRV$MAILBOX, and look for processes AUDIT_SERVER and SECURITY_SERVER: Presence, status?

You could check these using SDA.

If the process is gone, check accounting to find out what caused it to die.

After you gathered the information, the next issue is to find out what caused the problem.
Willem Grooters
OpenVMS Developer & System Manager
dschwarz
Frequent Advisor

Re: locked out

Both processes are hibernating:

OpenVMS V6.2 on node MYNODE 7-SEP-2007 12:34:00.40 Uptime 1 04:02:51
...
00000209 AUDIT_SERVER HIB 10 310 0 00:00:00.80 539 805
...
0000020D SECURITY_SERVER HIB 10 51 0 00:00:00.16 1724 689

Both mailboxes exist:

"AUDSRV$CONTROL_MAILBOX" = "_MBA12:" (LNM$SYSTEM_TABLE)

Device MBA12:, device type local memory mailbox, is online, record-oriented
device, shareable, mailbox device.

Error count 0 Operations completed 2
Owner process "" Owner UIC [SYSTEM]
Owner process ID 00000000 Dev Prot S:RWPL,O:RWPL,G,W
Reference count 1 Default buffer size 65535

"SECSRV$MAILBOX" = "_MBA13:" (LNM$SYSTEM_TABLE)

Device MBA13:, device type local memory mailbox, is online, record-oriented
device, shareable, mailbox device.

Error count 0 Operations completed 53
Owner process "" Owner UIC [SYSTEM]
Owner process ID 00000000 Dev Prot S:RWPL,O:RWPL,G:RWPL,W:RWPL
Reference count 1 Default buffer size 8192
Device access control list:
(IDENTIFIER=SECSRV$OBJECT,ACCESS=READ+PHYSICAL+LOGICAL+CONTROL)
(IDENTIFIER=SECSRV$CLIENT,ACCESS=WRITE+PHYSICAL)
(IDENTIFIER=SECSRV$COMMUNICATION,ACCESS=WRITE+PHYSICAL)
(IDENTIFIER=*,ACCESS=NONE)

SDA is not an option at the moment, no chance for interactive login.
Robert Gezelter
Honored Contributor

Re: locked out

dschwarz,

Are there any potentials for "non-interactive" login?

- can you get to the system using SYSMAN?
- is it possible to use DECnet to run a batch job on the system?

How are you determining the information in your last posting?

- Bob Gezelter,http://www.rlgsc.com
John Abbott_2
Esteemed Contributor

Re: locked out

> I tried different username/password combinations, but the system refused any login even at the console terminal.

What happens if you try the system account username from the system console - can you twice to the password prompt and get in ?

Did you change any SYSGEN parameters before the reboot?

Patch anything ?

J.
Don't do what Donny Dont does
dschwarz
Frequent Advisor

Re: locked out

Robert:

Non interactive login is possible.
I used decnet task-to-task via proxy access.
What can I do with SYSMAN ?

John:

The system resides some miles away, so I have
no access to the console terminal today. Next
chance will be on Sunday.

No SYSGEN changes, no patches.
I activated NFS-Client for future use.

TCP/IP stack is:
Digital TCP/IP Services for OpenVMS VAX Version V4.2 - ECO 4

very old, I know.

Robert Gezelter
Honored Contributor

Re: locked out

dschwarz,

Take a look at the documentation for SYSMAN SET ENVIRONMENT/NODE command.

If you can do DECnet proxy access, is the proxy only for a non-privileged account?

- Bob Gezelter, http://www.rlgsc.com

Wim Van den Wyngaert
Honored Contributor

Re: locked out

I tried a login on a system with success. Security server didn't do an I/O or pagefault.

But when I give invalid username and password it does. Or when there is an intrusion and the username + p is valid.

Do you have an intrusion?

Maybe the message you see has nothing to do with this problem?

Wim

Wim
Daniel Fernandez Illan
Trusted Contributor

Re: locked out

dschwarz

Obviously.

Have you checked the interactive limit value and intrusion database?

Saludos.
Daniel.
dschwarz
Frequent Advisor

Re: locked out

Robert,

I have all privileges.
dschwarz
Frequent Advisor

Re: locked out

Wim,

maybe the opcom message has nothing to do with the problem.

Daniel,

interactive limit is 64 as usual.

SHOW INTRUSION :
%SYSTEM-F-MBFULL, mailbox is full

There must be a lot of entries in the database. ! ??
David Jones_21
Trusted Contributor

Re: locked out

I'd think the QIOFAILED opcom message and the MBFULL message on show intrusion are related. Whatever is supposed to be reading the mailbox isn't, so messages got saved in the mailbox's message queue until it reached its quota.

I'm looking for marbles all day long.
John Abbott_2
Esteemed Contributor

Re: locked out

Does anyone recall having to increase SYSGEN DEFMBXBUFQUO and/or DEFMBXMXMSG to accommodate large activity ? I vaguely recall something under an older version of VMS VAX or Alpha, but since upgrading to 7x and 8x I tidied up my modparams and cannot find anything (i.e. the settings these days are >= to what I had by default).

The problem I had was definitely related to the audit server, although maybe it could have been more to do with a mailbox filter we have...

J.
Don't do what Donny Dont does
Hein van den Heuvel
Honored Contributor
Solution

Re: locked out

Can you flush the mailbox(en) by $typing them, or better still, $copying the contents into a file?

Did you try stopping and restarting the audit and security servers?

$ SET SERVER SECURITY/EXIT
$ SET AUDIT/SERVER=EXIT
$ @SYS$SYSTEM:STARTUP AUDIT_SERVER
$ SET SERVER SECURITY/START

btw... Did you make sure there is still space left on the system disk or whatever disk the audit file is redirected to?
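
An added example, not part of the original replies and not code from any poster: a read-only DCL procedure that gathers the checks suggested in this thread (server process state, mailbox counters, free disk space) so it can be run through a non-interactive route such as SYSMAN or DECnet task-to-task. The file name CHECK_SECSRV.COM and the optional P1 parameter are assumptions; it needs the privileges to examine other processes.

```dcl
$! CHECK_SECSRV.COM (hypothetical name): read-only checks, changes nothing.
$! P1 (optional, an assumption): disk holding the audit journal if redirected.
$ SET NOON
$ servers = "AUDIT_SERVER,SECURITY_SERVER"
$ i = 0
$SRV_LOOP:
$ name = F$ELEMENT(i, ",", servers)
$ IF name .EQS. "," THEN GOTO MBX
$! Release any previous process context before building a new one
$ IF F$TYPE(ctx) .EQS. "PROCESS_CONTEXT" THEN tmp = F$CONTEXT("PROCESS", ctx, "CANCEL")
$ tmp = F$CONTEXT("PROCESS", ctx, "PRCNAM", name, "EQL")
$ pid = F$PID(ctx)
$ IF pid .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT name, ": process not found"
$ ELSE
$   WRITE SYS$OUTPUT name, ": PID ", pid, " state ", F$GETJPI(pid, "STATE"), -
      " dirio ", F$GETJPI(pid, "DIRIO"), " bufio ", F$GETJPI(pid, "BUFIO"), -
      " pageflts ", F$GETJPI(pid, "PAGEFLTS")
$ ENDIF
$ i = i + 1
$ GOTO SRV_LOOP
$MBX:
$ logicals = "AUDSRV$CONTROL_MAILBOX,SECSRV$MAILBOX"
$ j = 0
$MBX_LOOP:
$ lnm = F$ELEMENT(j, ",", logicals)
$ IF lnm .EQS. "," THEN GOTO DISK
$ dev = F$TRNLNM(lnm, "LNM$SYSTEM_TABLE")
$ IF dev .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT lnm, ": logical name not defined"
$ ELSE
$   WRITE SYS$OUTPUT lnm, " = ", dev, " opcnt ", F$GETDVI(dev, "OPCNT"), -
      " refcnt ", F$GETDVI(dev, "REFCNT"), " errcnt ", F$GETDVI(dev, "ERRCNT")
$ ENDIF
$ j = j + 1
$ GOTO MBX_LOOP
$DISK:
$ WRITE SYS$OUTPUT "SYS$SYSDEVICE free blocks: ", F$GETDVI("SYS$SYSDEVICE", "FREEBLOCKS")
$ IF P1 .NES. "" THEN WRITE SYS$OUTPUT P1, " free blocks: ", F$GETDVI(P1, "FREEBLOCKS")
$ EXIT
```

Run it twice a few minutes apart and compare the output: server I/O counters and a SECSRV$MAILBOX operation count that do not move while logins keep failing are consistent with the mailbox not being drained.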

Robert Gezelter
Honored Contributor

Re: locked out

dschwarz,

Ok, if you have access to a privileged account, then it is highly likely that it is possible to resolve this situation without access to the console.

It would also appear that you have access to another system locally or over your internal network.

This can be an involved process, but it is likely better than being locked out of the system until Sunday (particularly in that the problem may cascade in an unexpected way).

It is difficult to give instructions in the forum on how to go through this step-by-step; as the precise steps depend on what exactly has happened.

The basic steps are to use SYSMAN or DECnet Task-to-Task to execute a series of commands or command files to diagnose and then correct the problem. Most of the involved components can be restarted without rebooting the system. While this is not a common, everyday event, it is a standard part of OpenVMS.

It is possible, but not guaranteed, that no reboot will be needed to clear this problem.

If I can be of additional assistance, please let me know. (Obviously, while I do monitor this forum, I am working on various projects at my desk, so private communications are faster).

- Bob Gezelter, http://www.rlgsc.com
dschwarz
Frequent Advisor

Re: locked out

Now it's Sunday afternoon and I have rebooted the system.
Everything seems to work fine including interactive logins.
Before rebooting I tried to stop and restart SECURITY_SERVER and AUDIT_SERVER. This did not work with SECURITY_SERVER.
I also tried to flush/copy the mailbox SECSRV$MAILBOX
==> 25 additional operations in a SHOW DEVICE MBAxx.
After that I tried SHOW INTRUSION and got SECSRV-F-SRVREPLYTIMEOUT.
I used HELP/MESSAGE ... and decided to reboot.

Thank you guys for your help.
dschwarz
Frequent Advisor

Re: locked out

Reboot has 'solved' the problem