Server Management - Systems Insight Manager

Re: Still getting "Authentication Failed"

 
Daniel_262
Frequent Advisor

Still getting "Authentication Failed"

On a new installation, I'm having difficulty running the initial Support Pack Install.

Right now I'm working with only the Insight Manager server and another server with agents loaded. I am set up to "trust all" until I get things running, then I'll tighten up security and deploy to the rest of my servers.

When I run my job, it fails with "EXCEPTION CLASS: com.hp.mx.exceptions.MxFailedAuthenticationException
EXCEPTION: Authentication failed."

The trust exists between the servers.

I read through the SSH white paper and feel I have followed that pretty closely. From the SSH command prompt on the Insight manager server I can log into the managed server.

However, when I do log into the managed server from the SSH command prompt, I get a "cannot CHDIR to home directory" message.

I'm surprised to see the chdir happening.

1.) Who is making the CHDIR happen?
2.) What do I need to do to make this work correctly?
3.) Is this the reason for the deployment job failure?

DWM
49 REPLIES 49
Daniel_262
Frequent Advisor

Re: Still getting "Authentication Failed"

...we're talking about Windows boxes here, by the way...
Rob Buxton
Honored Contributor

Re: Still getting "Authentication Failed"

I'm no expert on SSH, but I think there's a login path, it seems as though that is incorrect.
I've a feeling you can see the path in one of the files stored in the SSH directory structure on the HPSIM Server.

Perhaps it's trying to access a device that is not mapped on that Server.
Christian Mentschik
Regular Advisor

Re: Still getting "Authentication Failed"

hi,
i think it works only with trust by certificate. after installing this trust it works (on my servers without SSH).
maybe you try it.

hope it helps

christian
Daniel_262
Frequent Advisor

Re: Still getting "Authentication Failed"

Documentation has led me to believe that an SSH server must be running on the Insight Manager server as well as each target system (see the "SSH Whitepaper", last paragraph of page 3).

Have I misunderstood what that means? Is the SSH server required?

Regardless of if "trusting all" or "trusting by certificate", after what I think is proper setup, I get the same message when running the deployment job: "EXCEPTION CLASS: com.hp.mx.exceptions.MxFailedAuthenticationException
EXCEPTION: Authentication failed."

Any help you can offer is appreciated.
Christian Mentschik
Regular Advisor

Re: Still getting "Authentication Failed"

sorry, the SIM-server is running SSH. the managed server are without SSH.

christian
Scott_278
Valued Contributor

Re: Still getting "Authentication Failed"

I'm laughing because I spent two weeks on this problem, and I think I've run into every possible issue one can run into with this SSH thing (on Windows at least).

Couple of questions:
1) Windows 2000 or 2003
2) Have you renamed the local administrator account?
Daniel_262
Frequent Advisor

Re: Still getting "Authentication Failed"

It is almost silly, isn't it. It sure seemed simple enough when I started. I thought dropping back to no security at all would allow me to at least get it working and then figured I could tighten it up from that point.

The Insight manager server is 2003.

I typically do not rename the "Administrator" account on my servers.

The first server I'm concentrating on with getting agents and monitoring working is 2000 and the "administrator" account is not available on this particular box.

The rest of my servers are a mix of 2000 and 2003.

If you can offer any hints, I would sincerely appreciate it!

DWM
Daniel_262
Frequent Advisor

Re: Still getting "Authentication Failed"

...one more thing. I'm pretty sure the version I am installing is 4.0.

Should I go to 4.1? Is there much difference?

DWM
Scott_278
Valued Contributor

Re: Still getting "Authentication Failed"

I'm not experienced enough with the whole SIM product to tell you the differences between the two. So I can't really address that aspect, other than to say I'm working with 4.1

OK, so the SIM box is W2K3. Is the SSH service running under the credentials of the local administrator account?

On the managed server...there is a file called "passwd" in the /etc directory. Open it with notepad and look toward the end of the string - there should be an entry like /home/administrator. This path has to match the profile path of the user account which installed openssh. So for example let's say my local administrative account was named "NEWADMIN", but the profile directory for this account was C:\Documents and Settings\Administrator. OpenSSH would fail, because when it was installed, the passwd file assumes the "home directory" path was /home/newadmin. But there is no C:\documents and settings\newadmin path. So you have to edit the passwd file to match the profile path of the account used to install openssh, then restart the OpenSSH service. On ALL W2K3 boxes, the OpenSSH service must run under the credentials of an account that has administrative rights on the server as documented in the HPSIM README.

Let me know what happens, or how your config differs.
Daniel_262
Frequent Advisor

Re: Still getting "Authentication Failed"

I appreciate your help.

The Userid I utilize to admin the 23k box has local admin rights and is the ID I used to install openssh.

The "home" path specified in the passwd file is /home/"username". I think it is seeing that OK. Is there a way for me to test?

On the managed server the "home" path specified in the passwd file appears to be correct as a home file is specified on the profile for this user and the paths match. It's a UNC path to a user folder on another server. I don't necessarily feel confident this is being seen properly.

Please help me understand how these paths should be properly specified. And how I can test it.

When I attempt to log into the managed server from the Insight Manager server from an SSH command prompt, I see a message about a missing key. Maybe I'm closer than I think.

I tried mxagentconfig. It just sits there forever. I have to kill the process.

DWM
Scott_278
Valued Contributor

Re: Still getting "Authentication Failed"

You didn't confirm that the OpenSSH Server Service on the SIM server is running as something other than the Local System account. That is the first thing to check - it has to be running under the credentials of an actual user account - local or domain. This process is described in the SIM README.

Assuming you have that configured properly, the next thing to check is that the passwd file matches the profile path for the user account. So if the user is MYADMIN1, and the profile path is C:\Documents and Settings\MYADMIN1, then the passwd file should have /home/MYADMIN1. Once you have this configured properly, restart the "OpenSSH Server Service" service.

Where I had a problem was the profile path for MYADMIN1 was C:\Documents and Settings\Administrator. But the path in the passwd file was /home/MYADMIN1.

Anyway, do this same configuration check on both servers - the SIM and the managed server. Next, ssh from a command line both ways: from SIM to managed, then managed to SIM. Once you make a successful connection, you should see a .ssh/ folder in the root of the user's profile directory with a file named "known_hosts". That tells you that the SSH is communicating properly. Again, you should do this both ways - SIM to managed, then managed to SIM.

So, these are the things to check:
1) Make sure the "OpenSSH Server Service" service on your Windows 2003 server is running under valid user credentials and not LOCAL SYSTEM.
2) Make sure the passwd home directory entry matches the actual user's profile directory name.
3) Restart the OpenSSH Server Service so it re-reads the passwd file.
4) Do a two-way SSH from a command-line.
5) Try running mxagentconfig.
Scott_278
Valued Contributor

Re: Still getting "Authentication Failed"

I just re-read your last response, and noticed you said on the managed machine, that the profile resides on another server. What you are referring to is that the user has a roaming profile. However, when that user logs into the server, a locally cached copy of the profile is created. The locally cached profile is the path that the passwd file needs - not the roaming profile path. Change the passwd file to point at the locally cached profile path i.e. C:\Documents and Settings\, then restart the SSH service.
Daniel_262
Frequent Advisor

Re: Still getting "Authentication Failed"

I'm still chopping away at this issue but had to step back from it for a few days.

Your recent post mentioned an item from the SIM Readme, which I somehow missed.

The OpenSSH service is/was logging in on the Local System Account. When I change it to another account, Local or Domain, the service won't start.

A message appears saying (basically) that the service started then stopped, this may be normal.

Suggestions?

DWM
Scott_278
Valued Contributor

Re: Still getting "Authentication Failed"

OK good, we're getting somewhere. What you now have to do is delete the files in C:\Program Files\OpenSSH\var\log. Then try to restart the service. If it starts, then try to run mxagentconfig from the SIM server.
Daniel_262
Frequent Advisor

Re: Still getting "Authentication Failed"

Things appear to be looking better!

I'm not certain if this is true or my imagination but after deleting the log file I was able to successfully reset the "log in as" ID.

The service now starts properly with the domain ID and password.

When I attempt to log into the managed server from the Insight Manager server from an SSH command prompt I am seeing a login prompt and messages regarding authentication. I also see the message "Failed to add the host to the list of known hosts".

I take this to mean that I still don't have the path entered correctly in the passwd file.
Scott_278
Valued Contributor

Re: Still getting "Authentication Failed"

Beauty - ok we need to go back to this passwd file. I didn't realize you were using a domain account. Let's say the domain account you installed SSH as is \henry. The first thing you have to do is make sure Henry has actually logged in at the console of the managed server. This is because a locally-cached profile has to exist. Assuming you have done that, you should have this folder structure: "C:\Documents and Settings\Henry". The passwd file should point at the locally cached profile - in this case it would be /home/Henry. The "/home" part really equates to "C:\Documents and Settings". In fact if you look at the registry key HKLM\Software\Cygnus Solutions\Cygwin\mounts v2\/home, you'll see that /home explicitly stands for C:\Documents and Settings.

Once the passwd file has been edited, restart the OpenSSH service (may not actually be required, but just in case...) and then run MXAGENTCONFIG.
Daniel_262
Frequent Advisor

Re: Still getting "Authentication Failed"

I know I'm making progress...I'm just so confused. I'm losing track of what makes an impact and what doesn't.

I rebooted the Insight Manager server and things started to click a bit more.

I can see that the Openssh service (I guess) created the .ssh folder and the known_hosts file in the /home/ folder of the administrative user on the Insight Manager Server. The date/time stamp is today.

When I ssh command line to the managed server, I'm prompted to login, that's ok. I get "Could not chdir to home directory /home/BackUpdude: No such file or directory"

The managed server is running and logged in as the user I have specified. I verified that the home folder exists and is accessible. The user I am logging in as is a domain ID with administrative rights. In AD users and computers, the home folder is specified as "\\server1\Users\is\BackUpdude"

Scott_278
Valued Contributor

Re: Still getting "Authentication Failed"

From what you state, it seems the SIM server is OK. The problem is with the managed server. Is the managed server W2K or W2K3?

Just FYI, the .ssh folder is created when you first run the SSH command from the command-line, not when the service is started.

I'll assume the user ID you're using on the managed server is BackupDude. Tell me these things:
1) Is there a C:\Documents and Settings\BackupDude folder on the managed server?
2) Paste the contents of the passwd file on the managed server, or at least the part of the line which includes the "/home" string.

What I am afraid of is that you are thinking of the term "home directory" in a literal sense - that is wrong. The passwd file wants the path to the locally-cached profile of BackupDude - not the actual home directory. The passwd file should contain the line /home/BackupDude.

If this doesn't work, we should probably delete the passwd file on the managed system and re-create it using this command: mkpasswd -l -u BackupDude >> "C:\Program Files\OpenSSH\etc\passwd"
Daniel_262
Frequent Advisor

Re: Still getting "Authentication Failed"

The managed server is W2k.

There is a c:\documents and settings\backupdude folder on the managed server. NTUSER.DAT exists in this folder and time stamp is current.

The passwd file on the managed server appears as so:

BackUpdude:unused_by_nt/2000/xp:1374:513:BackUpdude,U-HHS-INC\BackUpdude,S-1-5-21-299502267-220523388-1801674531-1374:/home/BackUpdude:/bin/switch
BackUpdude:unused_by_nt/2000/xp:11374:10513:BackUpdude,U-HHS-INC\BackUpdude,S-1-5-21-299502267-220523388-1801674531-1374:/home/BackUpdude:/bin/switch
Scott_278
Valued Contributor

Re: Still getting "Authentication Failed"

The thing that looks a little odd to me is that you have two entries for BackupDude in the passwd file. Let's delete that file and run this command to re-create it. This command creates an entry for a domain account. The mkpasswd command I included in my previous post was for a local account.

mkpasswd -d -u BackupDude *domain* >> "C:\program files\openssh\etc\passwd"

After you re-create the passwd file, restart the OpenSSH service and try to do an SSH from the command line to your SIM s
Daniel_262
Frequent Advisor

Re: Still getting "Authentication Failed"

Gettin' warmer...

Now I'm seeing a warning prompt regarding "Host ID has changed" and I'm not sure what I need to do to fix that. As I said earlier, I'm a bit confused at this point..

It's clear to me now, looking at the contents of the passwd file, where I was going wrong there regarding the path. Looking back, recreating the passwd file would have cleared up a lot of questions. I guess I didn't pick up on the fact that it would recreate itself and pick up the proper home path.

Scott, are you a Compaq employee or representative?

DWM

Scott_278
Valued Contributor

Re: Still getting "Authentication Failed"

This is great - I think we're almost there. If you just accept the new host key when you're prompted, can you SSH to the SIM box successfully? If not, what happens?

No I am not affiliated with Compaq or HP. I'm just a schmuck who spent two weeks straight trying to get SSH working, and have run into just about every problem there is.

One thing that would have helped me right off the bat was to read the SSH and Insight Manager whitepaper. It documents just about every SSH problem there is (with the exception of one I am now having).
http://www.hp.com/wwsolutions/misc/hpsim-helpfiles/HPSIM_SSH_WP.pdf
Scott_278
Valued Contributor

Re: Still getting "Authentication Failed"

I actually just ran into this same problem. Just delete the known_hosts file under the %userprofile%\.ssh folder, and try it again.
Daniel_262
Frequent Advisor

Re: Still getting "Authentication Failed"

I agree. I think I'm REAL close.

My hat is off to you. I sincerely appreciate you hanging with me to make this go.

I was not being given the opportunity to accept the host key. As an experiment, I renamed the known_hosts file, then ssh via command prompt. It created a new file, new entry.

Somehow I must have come real close to making this go in the past, since these files were there already...

OK, I'm in managed server to Insight manager server (and I think I learned enough to make this go on my other servers). Yahoo!

One more related thing now...

When I ran the mkpasswd you suggested earlier the path to the home folder was inserted as a UNC path.

When I ssh command line from the insight manager server to the managed server, I get an error complaining about the UNC path.

Copy/paste from command line window below:

C:\Documents and Settings\altirisdude>ssh backupdude@backup
backupdude@backup's password:
CMD.EXE was started with '\\server1\Users\is\BackUpdude' as the current direc
tory path. UNC paths
are not supported. Defaulting to Windows directory.
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

Hmmm....
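
The passwd problems worked through in this thread (duplicate entries for one user, a /home entry with no locally cached profile behind it, and a UNC home path), as an added example that is not part of any post and not HP or OpenSSH code. The function name `audit`, the sample entries (placeholder domain and SIDs) and the profile list are constructed; the `/home` to `C:\Documents and Settings` mapping is taken from the registry mount quoted above.

```python
# Added example: audit a Cygwin-style OpenSSH passwd file on a Windows host.
# Assumption (from the thread): /home is mounted on C:\Documents and Settings.
import ntpath

HOME_MOUNT = r"C:\Documents and Settings"

# Constructed sample entries; domain name and SIDs are placeholders.
SAMPLE = r"""BackUpdude:unused_by_nt/2000/xp:1374:513:U-EXAMPLE\BackUpdude,S-1-5-21-0-0-0-1374:/home/BackUpdude:/bin/switch
BackUpdude:unused_by_nt/2000/xp:11374:10513:U-EXAMPLE\BackUpdude,S-1-5-21-0-0-0-1374:/home/BackUpdude:/bin/switch
newadmin:unused_by_nt/2000/xp:500:513:U-EXAMPLE\newadmin,S-1-5-21-0-0-0-500:/home/newadmin:/bin/switch
roamer:unused_by_nt/2000/xp:1400:513:U-EXAMPLE\roamer,S-1-5-21-0-0-0-1400://server1/Users/is/roamer:/bin/switch
"""
# Constructed: folder names that exist under HOME_MOUNT on the server.
PROFILES = {"backupdude", "Administrator"}

def audit(passwd_text, local_profiles):
    """Return a list of (line_number, kind, detail) findings."""
    findings, first_seen = [], {}
    have = {p.lower() for p in local_profiles}   # Windows names ignore case
    for n, raw in enumerate(passwd_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")   # name:pw:uid:gid:gecos:home:shell
        if len(fields) != 7:
            findings.append((n, "malformed", line))
            continue
        user, home = fields[0], fields[5]
        if user.lower() in first_seen:
            findings.append((n, "duplicate",
                             f"{user} already on line {first_seen[user.lower()]}"))
        else:
            first_seen[user.lower()] = n
        if home.startswith(("//", "\\\\")):
            # sshd starts CMD.EXE in the home path; CMD.EXE rejects UNC paths
            findings.append((n, "unc-home", home))
        elif not home.lower().startswith("/home/"):
            findings.append((n, "not-under-home", home))
        elif home[len("/home/"):].lower() not in have:
            # "Could not chdir to home directory": no cached profile folder
            findings.append((n, "no-local-profile",
                             ntpath.join(HOME_MOUNT, home[len("/home/"):])))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, PROFILES):
        print(finding)
```

On a real server the profile list would come from listing the folders under `C:\Documents and Settings`, and the passwd text from `C:\Program Files\OpenSSH\etc\passwd`.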