Operating System - OpenVMS

Re: System account failure

 
SOLVED
Hoff
Honored Contributor

Re: System account failure

Please use the following command sequence to ensure that the SYSUAF file is the same file on all hosts:

SYSMAN> SET ENVIRONMENT/CLUSTER
SYSMAN> DO DIRECTORY /FILE SYSUAF

Ensure the file I/Os all match on all three nodes.

Repeat this for RIGHTSLIST, the NET*PROXY files, and the security files, among other shared files.

Enable security auditing for login, logout, logfail and process services (with the latter particularly for DELPRC calls). See HELP SET AUDIT /ENABLE for details.

Please confirm that ALL of those shared files are in fact shared, and that all logical names are in the proper access mode and logical name table.

Place the line $ EXIT at the top of SYLOGIN.COM and at the top of SYS$MANAGER:LOGIN.COM for the purposes of testing. This really looks like something in the login sequence, based on what I assume is a full login trace that was attached earlier.

Remove the PRCLM setting from SYSTEM. (I'd strongly encourage not making changes to the default SYSTEM username, and I see various changes have been made. SYSTEM is a core HP username, and should see minimal changes from how HP sets it up. Create and use and tailor your own local usernames, as a rule.)

Also confirm the quotas on the originating host are sufficient for the connection, and that the originating and target systems have seen recent AUTOGEN passes with FEEDBACK enabled.
Jon Pinkley
Honored Contributor
Solution

Re: System account failure

Donna,

"It does not matter if I set host, telnet or use console, batch jobs where user=system it still fails on that node.
the error in accounting is Final status text: %SYSTEM-F-EXITFORCED, forced exit of image or process by SYS$DELPRC"

The first thing I would look at is your system wide login command procedure. The default for this is sys$manager:sylogin.com, but can be overridden with an executive mode logical name that will be visible to a process with UIC [1,4]. Normally the logical name would be in the system logical name table.

sylogin is executed regardless of the presence of /nocommand. That's a very good reason to be especially careful when making changes to it. (And always have a privileged account logged in until you have verified that you can log in from another session, i.e. don't log out and try to log back in from the same "terminal".)

My guess is that there are some checks that limit privileged access to "authorized" nodes in the SYLOGIN.COM (and that is only a guess). Perhaps it is checking for specific usernames, perhaps checking for privileges (if that is indeed what is causing the symptoms). I just checked: $ stop/id=0 will kill the process and leaves the exit status as reported by ACCOUNTING

--------------
Queue entry: Final status code: 00002BD4
Queue name:
Job name:
Final status text: %SYSTEM-F-EXITFORCED, forced exit of image or process by SYS$DELPRC
--------------

so something in sylogin that issues stop/id=0 is a plausible explanation.

I assume the "Unauthorized access ..." message is coming from SYS$WELCOME, so it appears the process is getting logged in.

You could turn on image accounting for a short time, as you will then see what images are being executed, but that doesn't show anything done by DCL commands that are CLI routines instead of images, or anything done with lexical functions. The point being that there are many things that can be done that don't generate image accounting records.

No guarantee that the cause is in sylogin, but that is an easy thing to check and eliminate as a possible cause.

Jon
it depends
Robert Gezelter
Honored Contributor

Re: System account failure

Jon,

Good point!

At several client sites over the years, I have implemented login restrictions based on Identifiers (e.g., LOGIN_).

On such a cluster, adding a new node also requires adding the identifier, and making sure that the flow is correct (e.g., granting the identifier to users, or adding the node name to some list or logical name).

- Bob Gezelter, http://www.rlgsc.com
Walter Miller_1
Valued Contributor

Re: System account failure

Compare the logicals SYSUAF and SYS$SYLOGIN on the nodes. Is this the node that was recently added to the cluster?
Donna Wolf
Advisor

Re: System account failure

Thanks - Jon had it.
There was a sylogin on the root of the 3rd node (a residual of days gone by).
It had an if user=(system) THEN STOP/ID=0
Who knows why!!
My bad - I missed that. Thanks
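
An added example, not part of any post in this thread: a small Python scanner that a reviewer could run over copies of SYLOGIN.COM collected from each node's system root, flagging statements that end the process (STOP/ID=0 or LOGOUT) while ignoring DCL comments and joining continuation lines. The two sample procedures and all function names are constructed for illustration.

```python
import re

# STOP/ID=0 (qualifier may be spelled out) or LOGOUT ends the process that is
# running the login procedure.
FORCED_EXIT = re.compile(r"\bSTOP\s*/\s*ID\w*\s*=\s*0\b|\bLOGOUT\b", re.I)

def strip_comment(line):
    """Drop a DCL '!' comment, ignoring '!' inside a quoted string."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "!" and not in_quote:
            return line[:i]
    return line

def statements(text):
    """Yield (first_line_number, statement), joining '-' continuation lines."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if line.startswith("$"):
            line = line[1:].strip()
        start = n if start is None else start
        if line.endswith("-"):          # statement continues on the next line
            buf += line[:-1]
            continue
        if buf + line:
            yield start, buf + line
        buf, start = "", None

def forced_exits(text):
    """Return [(line_number, statement)] for statements that end the process."""
    return [(n, s) for n, s in statements(text) if FORCED_EXIT.search(s)]

# Constructed samples: the shared procedure and a stale node-specific copy.
COMMON = "\n".join([
    '$! Shared SYLOGIN.COM. Never put STOP/ID=0 in this file.',
    '$ SET NOON',
    '$ EXIT'])
NODE3 = "\n".join([
    '$ SET NOON',
    '$ user = F$EDIT(F$GETJPI("","USERNAME"),"TRIM")',
    '$ IF user .EQS. "SYSTEM" -',
    '  THEN STOP /IDENTIFICATION=0',
    '$ EXIT'])

if __name__ == "__main__":
    for name, text in (("COMMON", COMMON), ("NODE3", NODE3)):
        print(name, forced_exits(text))
```

A hit inside a quoted string (for example a WRITE of help text) is still reported, so each flagged statement needs a human read.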