Re: Still getting "Authentication Failed"

Scott_278 · ‎10-15-2004

No problem. I wish someone would have helped me through it like this.

Hmmm is right - I havent run into that one. What do the passwd files look like now - both on SIM and the managed server? And you don't get a similar error going from managed to SIM?

Daniel_262 · ‎10-15-2004

The passwd file in my Insight manager server now looks like this:

Administrator:unused_by_nt/2000/xp:500:513:U-ALTIRIS\Administrator,S-1-5-21-3701861016-2435991769-1927693423-500:/home/altirisdude:/bin/switch
Altirisdude:unused_by_nt/2000/xp:11302:10513:Altiris Manager,U-HHS-INC\Altirisdude,S-1-5-21-299502267-220523388-1801674531-1302:/home/altirisdude:/bin/switch
Altirisdude:unused_by_nt/2000/xp:11302:10513:Altiris Manager,U-HHS-INC\Altirisdude,S-1-5-21-299502267-220523388-1801674531-1302:/home/Altirisdude:/bin/switch

The passwd file in my managed server now looks like this:

BackUpdude:unused_by_nt/2000/xp:11374:10513:BackUpdude,U-HHS-INC\BackUpdude,S-1-5-21-299502267-220523388-1801674531-1374://server1/Users/is/BackUpdude:/bin/switch

Scott_278 · ‎10-15-2004

Oh - change the passwd file on the managed server to this:

BackUpdude:unused_by_nt/2000/xp:11374:10513:BackUpdude,U-HHS-INC\BackUpdude,S-1-5-21-299502267-220523388-1801674531-1374:/home/BackUpdude:/bin/switch

It's difficult to explain this clearly. What the passwd file is really looking for is the locally cached profile path for the user that's running SSH - not the actual roaming profile path of the domain user account. So the /home portion of the passwd file really stands for "C:\Documents and Settings".

Daniel_262 · ‎10-15-2004

Hear that hollow thumping sound? It's my head hitting the desk... :-)

This has taken us back (almost) where we started.

I changed the passwd file on the managed server as you suggested. Pasted below:

BackUpdude:unused_by_nt/2000/xp:11374:10513:BackUpdude,U-HHS-INC\BackUpdude,S-1-5-21-299502267-220523388-1801674531-1374:/home/BackUpdude:/bin/switch

Now when I ssh via command line from the Insight manager server to the managed server I see this:

C:\Documents and Settings\altirisdude>ssh backupdude@backup
backupdude@backup's password:
Could not chdir to home directory /home/BackUpdude: No such file or directory
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

I recall covering this issue earlier. I assumed that if the command placed the path in the passwd file, it's what was needed.

Scott_278 · ‎10-15-2004

You know something? All of the information I've given you has applied to local accounts and not domain accounts. I've never attempted to run SSH with a domain account, so there must be some difference between the two configurations - I was assuming there is not. Let me peek at the SSH guide to see if I can find anything...

Sorry to frustrate you again :S

What happens if you run MXAGENTCONFIG on the SIM server?

Daniel_262 · ‎10-15-2004

mxagentconfig behaves as it did before. It just sits there.

Scott_278 · ‎10-15-2004

Just read something - what is the value of this registry key:

HKLM\Software\Cygnus Solutions\Cygwin\mounts v2\/home\native

Daniel_262 · ‎10-15-2004

The string "native" is there, but there is no value set.

Scott_278 · ‎10-15-2004

OK - edit the value to be C:\Documents and Settings. Then edit the passwd file to be /home/BackupDude. Restart the SSH service, and try it again.

Daniel_262 · ‎10-15-2004

Bingo! That looks good.

I can now connect via ssh command line both ways with no errors.

I think mxagentconfig is the next step. When I enter the following command from the Insight manager server command line, it just sits there.:
C:\Documents and Settings\altiris>mxagentconfig -a -u backupdude -p cleverlydisgusedpassword -n backup

...maybe in all this confusion I have my config steps out of order.

Do I need to add users with mkpasswd? I say no, it's already done, right?

Scott_278 · ‎10-15-2004

Actually I think you're right - we might need to add the user running MXAGENTCONFIG to the passwd file on the managed server. If its a domain account, run this on the managed server:

mxpasswd -d -u >> "C:\program files\OpenSSH\etc\passwd"

Daniel_262 · ‎10-15-2004

mkpasswd, right. You typed mxpasswd.

I used mkpasswd to add the user running MXAGENTCONFIG from the Insight Manager Server to the passwd file on the managed server.

I can see the new entry in the passwd file.

Now, I'm about to run the mxagentconfig and I realize (again) that I'm confused (again) about what I'm configuring here. What details am I specifying in the mxagentconfig command.

Is it mxagentconfig -a -u "insight manager server id" -p "insight manager server id password" -n "name of insight manager server"

Scott_278 · ‎10-15-2004

What mxagentconfig is doing is placing its host key on the managed server. When the managed server receives a ssh communication request, it checks a file named authorize_keys2 in the .ssh directory. The server attempting to communicate with it must have its host key in this file for the managed server to accept the communication request.

So what mxagentconfig is doing is placing its host key on the managed server, so the managed server will accept ssh communication when SIM requests it.

That's how I understand it anyway...

In your example command, you specified the name of the SIM server, which is incorrect. What you want to do is specify the managed node as the server - essentially means "on what server do you want to place my public key?"

So on the SIM server, you'd run:

mxagentconfig -a -n -u -p

Or you can just run mxagentconfig without any arguments and fill in the fields.

Daniel_262 · ‎10-15-2004

OK, I understand.

When I issue that command from the Insight Manager server, it just sits there.

The command prompt doesn't come back to me.

Scott_278 · ‎10-15-2004

Hmmm... I'm thinking that now we have ssh configured correctly on both ends. I know when I've done this in the past, the amount of time it took for the command to finish did suprise me a bit, but it wasn't more than 30 seconds or a minute. Might take a bit longer if the two are seperated by a WAN. Are there any indications in the Event Log on the SIM or managed server?

Daniel_262 · ‎10-15-2004

I bounced each server.

I then tried the mxagentconfig command and received:

Configuration failed to complete due to an exception.

The Insight manager server shows two errors in event log that look interesting:

The description for Event ID ( 0 ) in Source ( OpenSSHd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: OpenSSHd : PID 2876 : `OpenSSHd' service started.

And:

The description for Event ID ( 0 ) in Source ( sshd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: sshd : PID 740 : Server listening on 0.0.0.0 port 22..

No category or event ID for either message.

The service does start, however.

Scott_278 · ‎10-15-2004

Those look like events that are generated when the ssh service started after the reboot - not as a result of the mxagentconfig command. I know when I've run the mxagentconfig command unsuccessfully, it's always generated two events on the managed server which mention something about the ssh session being denied access.

What happens if you run the gui version of mxagentconfig? Do you get anything different - either at the gui, or in the event logs?

Also wonder what happens if you try to run a Windows command against this server in SIM?

Daniel_262 · ‎10-15-2004

The gui mxagentconfig comes back with "failed to establish connection to "server"."

It's different anyway...

I see no additional events.

Scott_278 · ‎10-15-2004

Can you run mxagentconfig against the SIM server itself?

Daniel_262 · ‎10-15-2004

Yes. Registered sucessfully

Daniel_262 · ‎10-15-2004

I decided to back up a bit and see if I could still SSH command line between the boxes.

When going from Insight manager server to managed server, I get:

C:\Documents and Settings\altirisdude>ssh backupdude@backup
ssh: connect to host backup port 22: Connection refused

Coming back the opposite way, managed server to insight manager server, I can log in.

Scott_278 · ‎10-15-2004

Does the AltirisDude account have a profile directory on your managed server? If not, log into the managed server so a cached profile gets created. Does AltirisDude have admin rights on your managed server?

Now I'm suspecting this is related to the fact that you're using two different user accounts - something I have not done.

Daniel_262 · ‎10-15-2004

I found the openssh service stopped on the managed server.

Started the service and can now ssh via command line to it from the Insight manager server.

mxagentconfig behaves as I have reported before. Just sits there.

The servers are local to one another on 100Mb switched LAN.

Scott_278 · ‎10-15-2004

Boy...at this point I'm just about out of ideas. It seems we've got it configured properly, but without anything in the event log on either server, it's going to be difficult to diagnose. I would probably let it run for a while to see if it's just a matter of time. Or maybe start a trace if you know how to analyze it to see what's happening on the wire. But if we don't get any indication of what's happening, then I'm thinking might need to start another post or call HP.

I feel just as frustrated now as I did when I first started using SIM... :(

Daniel_262 · ‎10-15-2004

Hey, I'll let you off the hook any time you are ready.

You have shown far more patience than I ever could have. I appreciate your having dedicated the time you have to my issue. I've made progess and I know I'll get it going at some point. You know this product well, I can tell.

I can't imagine you'd want to post it here, but if you can somehow get an email address to me, I would like send you a gift card for your efforts.

Software and Hardware forums like this one need more guys with know-how like you!

Thanks again!

DWM

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Still getting "Authentication Failed"