OES DNS, DHCP, AFP, or CIFS will no longer load - common proxy user password issues

  • 7016334
  • 19-Mar-2015
  • 19-Mar-2015

Environment

Novell Open Enterprise Server 11 (OES 11) Linux

Situation

A previously working DNS, DHCP, CIFS, or AFP service fails to load.
Nobody knows of any changes that have been made.
The service reports an authentication error (-669) in its logs.

Resolution

There are some scripts that can be used to troubleshoot and remedy this situation.

Retrieve Proxy List
This script lists the names of all of the proxy users in use on this server.

/opt/novell/proxymgmt/bin/retrieve_proxy_list.sh
Names of proxy users used on local system is written to /var/opt/novell/log/proxymgmt/pxylist.txt

cat /var/opt/novell/log/proxymgmt/pxylist.txt
Proxy users in use on the local system
Common Proxy: cn=OESCommonProxy_srv1,o=novell
AFP Proxy User: cn=OESCommonProxy_srv1,o=novell
CIFS Proxy User: cn=OESCommonProxy_srv1,o=novell
DNS Proxy User: cn=OESCommonProxy_srv1,o=novell
DHCP Proxy User: cn=OESCommonProxy_srv1,o=novell

In this example all of the services use the same proxy user, which is the recommended configuration.  If different services use different proxy users, they can all be set to use the same proxy user and password with the change_proxy_pwd.sh script described below.


Change all proxy passwords
This script sets the proxy user and its password to the same values in eDirectory and in CASA for all services.

/opt/novell/proxymgmt/bin/change_proxy_pwd.sh -p cn=OESCommonProxy_srv1,o=novell -A yes

Common Proxy password is changed and stored in CASA successfully
*****novell-afp************
AFP Proxy credential store  update is successful
*****novell-cifs************
CIFS Proxy credential store  update is successful
*****novell-named************
DNS Proxy Password update is Successful.
*****Novell DHCP************
DHCP Proxy Password update is successful.
Proxy password change task is completed. Refer to /var/opt/novell/log/proxymgmt/pxymgmt.log for more details

The /var/opt/novell/log/proxymgmt/pxymgmt.log file contains a very verbose record of the password change for each proxy user of each service.

Verifying the change
The easiest way to verify that the password change took effect is to load the service and see whether it now loads.

If the service still does not load, check whether it is still reporting the same authentication error (-669).
If it is, look at /var/opt/novell/log/proxymgmt/pxymgmt.log for details of why the password could not be set, and whether it failed in eDirectory, in CASA, or in both.

Another way to verify that the password is in fact being changed, and to see what it is being set to in CASA, is to retrieve the password from CASA for a specific service before running the change_proxy_pwd.sh script (shown above).

Then run change_proxy_pwd.sh.

Then retrieve the same service's proxy user password again to verify that it has changed.

For example, to verify that the proxy user's password is being changed for the DNS service:
Retrieve the DNS service proxy user's password before running the change-all-proxy-passwords script with this command.

/opt/novell/named/bin/dns_retrieve_proxy_cred password dnspwbefore.txt
cat /opt/novell/named/bin/dnspwbefore.txt
fU!6he673?

Run the change-all-proxy-passwords script listed above.

Retrieve the DNS service proxy user's password again and compare the two passwords.
/opt/novell/named/bin/dns_retrieve_proxy_cred password dnspwafter.txt
cat /opt/novell/named/bin/dnspwafter.txt
iwSl5499S@

Notice that the password was changed.  The two retrieved files contain the proxy password in clear text, so delete them once the comparison is done.

All services have a similar set of proxy user management scripts in their /opt/novell/<service>/bin directory.
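The before/after check above can be scripted so that the retrieved password files never remain on disk. The script below is an added example, not a script shipped with OES or given in this TID: it calls the dns_retrieve_proxy_cred and change_proxy_pwd.sh commands from the procedure above, and it assumes dns_retrieve_proxy_cred accepts an absolute output path (the TID only shows a bare file name). The temporary directory, the file names and the shred cleanup are choices made for this example.

```shell
#!/bin/sh
# Added example (not part of the TID): automate the "Verifying the change"
# procedure for the DNS service and discard the clear-text password files.
# Assumption: dns_retrieve_proxy_cred accepts an absolute output path.

set -u

DNS_CRED_TOOL=/opt/novell/named/bin/dns_retrieve_proxy_cred
CHANGE_PWD=/opt/novell/proxymgmt/bin/change_proxy_pwd.sh

# Succeed (0) only when both retrieved files are non-empty and differ.
# Returns 1 when they are identical (no rotation happened) and 2 when a
# retrieval produced nothing, which is itself a CASA problem worth chasing.
passwords_differ() {
    before="$1"; after="$2"
    [ -s "$before" ] && [ -s "$after" ] || return 2
    if cmp -s "$before" "$after"; then
        return 1
    fi
    return 0
}

# Overwrite and delete a retrieved-credential file; fall back to rm when
# shred is unavailable so the password is never left behind either way.
discard_cred_file() {
    f="$1"
    [ -e "$f" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        shred -u "$f"
    else
        rm -f "$f"
    fi
}

# Rotate the common proxy password for the given DN (auto-generated, -A yes)
# and confirm that the DNS copy in CASA actually changed.
rotate_and_verify() {
    proxy_dn="$1"
    tmpdir=$(mktemp -d) || return 1
    chmod 700 "$tmpdir"
    before="$tmpdir/dnspwbefore.txt"
    after="$tmpdir/dnspwafter.txt"
    rc=1

    if "$DNS_CRED_TOOL" password "$before" \
       && "$CHANGE_PWD" -p "$proxy_dn" -A yes \
       && "$DNS_CRED_TOOL" password "$after"; then
        if passwords_differ "$before" "$after"; then
            echo "DNS proxy password in CASA changed for $proxy_dn"
            rc=0
        else
            echo "DNS proxy password in CASA did NOT change;" \
                 "check /var/opt/novell/log/proxymgmt/pxymgmt.log" >&2
        fi
    fi

    discard_cred_file "$before"
    discard_cred_file "$after"
    rm -rf "$tmpdir"
    return $rc
}

# Only act when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    rotate_and_verify "${2:?usage: $0 --run <proxy DN>}"
fi
```

Run it as root on the OES server as `sh rotate_check.sh --run cn=OESCommonProxy_srv1,o=novell`; the detailed per-service results are still written to /var/opt/novell/log/proxymgmt/pxymgmt.log by change_proxy_pwd.sh.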

Cause

The password for each server's common proxy user is periodically changed by the system.

If two servers use the same common proxy user and one of them automatically changes that user's password in eDirectory and in its own CASA store, the eDirectory password has also changed for the other server, but that other server still holds the old password in CASA.  Because the second server's CASA password no longer matches eDirectory, its services fail to load with an authentication error.  The server that made the change is not affected until the other server rotates the password in turn, at which point the problem moves to the first server.

For this reason it is recommended that each server have its own unique common proxy user.

The install typically creates one named after the server, like this: OESCommonProxy_servername.  Using that proxy user for that server is the recommended configuration.
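The shared-proxy-user configuration described above can be found before it causes an outage by collecting pxylist.txt from each server and comparing them. The script below is an added example, not part of OES or of this TID: it parses the retrieve_proxy_list.sh output format shown earlier, flags a server whose services use more than one proxy user or whose common proxy is not the install-generated OESCommonProxy_<servername>, and flags any DN that appears in more than one server's list. The two server listings it writes are constructed sample data in which srv2 wrongly reuses srv1's common proxy and uses a separate DN for DNS.

```shell
#!/bin/sh
# Added example (not part of the TID): audit pxylist.txt files collected from
# several OES servers for the conditions the Cause section describes.

set -u

# Print "server<TAB>service<TAB>dn" for every proxy line in a pxylist file.
# Lines look like "Common Proxy: cn=...,o=novell" or "AFP Proxy User: cn=...".
proxy_entries() {
    server="$1"; file="$2"
    awk -v srv="$server" -F': ' '/^[A-Za-z]+ Proxy( User)?: cn=/ {
        printf "%s\t%s\t%s\n", srv, $1, $2 }' "$file"
}

# One server: all services should use one DN, and that DN should be the
# install-generated cn=OESCommonProxy_<server>. Returns 0 only if both hold.
check_server() {
    server="$1"; file="$2"; rc=0
    distinct=$(proxy_entries "$server" "$file" | cut -f3 | sort -u)
    n=$(printf '%s\n' "$distinct" | grep -c .)
    if [ "$n" -ne 1 ]; then
        echo "$server: $n different proxy users in use (recommended: one):"
        printf '%s\n' "$distinct" | sed 's/^/    /'
        rc=1
    fi
    common=$(proxy_entries "$server" "$file" | awk -F'\t' '$2=="Common Proxy"{print $3}')
    case "$common" in
        "cn=OESCommonProxy_$server,"*) ;;
        *) echo "$server: common proxy is '$common', expected cn=OESCommonProxy_$server,..."
           rc=1 ;;
    esac
    return $rc
}

# Across servers: report any DN used by more than one server. That is exactly
# the setup in which one server's automatic rotation breaks the others.
# Arguments are server=file pairs. Returns 0 when nothing is shared.
find_shared_proxies() {
    for pair in "$@"; do
        proxy_entries "${pair%%=*}" "${pair#*=}"
    done | cut -f1,3 | sort -u | awk -F'\t' '
        { servers[$2] = servers[$2] " " $1; count[$2]++ }
        END { bad = 0
              for (dn in count) if (count[dn] > 1) {
                  printf "shared proxy %s used by:%s\n", dn, servers[dn]; bad = 1 }
              exit bad }'
}

# Constructed sample listings (not real servers) in the retrieve_proxy_list.sh
# format: srv1 is correct; srv2 reuses srv1's common proxy and a separate DNS DN.
write_sample_lists() {
    dir="$1"
    cat > "$dir/srv1" <<'EOF'
Proxy users in use on the local system
Common Proxy: cn=OESCommonProxy_srv1,o=novell
AFP Proxy User: cn=OESCommonProxy_srv1,o=novell
CIFS Proxy User: cn=OESCommonProxy_srv1,o=novell
DNS Proxy User: cn=OESCommonProxy_srv1,o=novell
DHCP Proxy User: cn=OESCommonProxy_srv1,o=novell
EOF
    cat > "$dir/srv2" <<'EOF'
Proxy users in use on the local system
Common Proxy: cn=OESCommonProxy_srv1,o=novell
AFP Proxy User: cn=OESCommonProxy_srv1,o=novell
CIFS Proxy User: cn=OESCommonProxy_srv1,o=novell
DNS Proxy User: cn=dnsproxy,o=novell
DHCP Proxy User: cn=OESCommonProxy_srv1,o=novell
EOF
}

demo() {
    d=$(mktemp -d)
    write_sample_lists "$d"
    check_server srv1 "$d/srv1"
    check_server srv2 "$d/srv2"
    find_shared_proxies "srv1=$d/srv1" "srv2=$d/srv2"
    rm -rf "$d"
}

# With server=file arguments, audit real collected files; otherwise run the demo.
if [ $# -gt 0 ]; then
    for pair in "$@"; do check_server "${pair%%=*}" "${pair#*=}"; done
    find_shared_proxies "$@"
else
    demo
fi
```

To audit a real fleet, copy each server's /var/opt/novell/log/proxymgmt/pxylist.txt to one host and run `sh proxy_audit.sh srv1=pxylist.srv1 srv2=pxylist.srv2 ...`; any DN reported as shared should be replaced on all but one server with that server's own OESCommonProxy_<servername> user, then change_proxy_pwd.sh run there.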

Additional Information

With /opt/novell/proxymgmt/bin/change_proxy_pwd.sh, the -A option followed by yes sets an auto-generated password.  To specify a password instead, follow -A with no; you will then be prompted for the password.  Note that when the system next runs through its periodic password update it will auto-generate a new password and replace the one you specified.