[Info-ingres] Authentication fail

Paul White paul.white at shift7solutions.com.au
Wed Feb 1 23:04:25 UTC 2017 

Good morning all,

 

I'm hoping for some fresh ideas.

A few nights ago, the Ingres Windows server was rebooted and from that
point, remote Ingres Net/OpenROAD connections are rejected with errors:

 

E_GC000B_RMT_LOGIN_FAIL    Login failure: invalid username/password.

E_GC000B_RMT_LOGIN_FAIL    Login failure: invalid username/password.

E_GC000E_RMT_LOGIN_FAIL_INFO      A remote login attempt failed. The remote
machine was 'MACHINE', and the userid was 'someuser'.

 

 

sql myvnode::pw

INGRES TERMINAL MONITOR Copyright 2008 Ingres Corporation

E_LC0001 GCA protocol service (GCA_REQUEST) failure.

    Internal service status E_GC000b -- Login failure: invalid

    username/password..

E_LQ0001 Failed to connect to DBMS session.

 

These work:

RDP to the Ingres server as user Ingres, and can connect directly to any of
the databases with command line sql.

A local .net application is working fine synchronising between Ingres and
MSSQL which are running together on the server.

 

These fail:

vnode connections from remote machine.

vnode Local loopback to 127.0.0.1.

vnode changed user to ingres and other users.

Created new vnode.

 

The installation is owned by ingres. The site has been running since 2014.

II 10.1.1 (a64.win/100) + P14744

I've checked ownership and permissions on all IngresII files.

 

I've created a new Ingres user and corresponding operating system user. Also
fails.

The reject is immediate, it does not seem to be firewall timeout or DNS
lookup.

 

I've stopped and restarted Ingres service. Reset the password in the
service.

Run a install/repair and repatched.

I checked there have been no recent changes to vnode files in
%II_SYSTEM%\ingres\files\name\

Checked Ingres and system environment variables

Started ingres in local test only mode. (iigcn+iigcc)

Confirmed Ingres is a local admin, removed and added the account to "logon
as a service", "logon as a batch" and "act as part of the operating system"

Confirmed settings for "access this server from the network".

 

 

The Windows event log shows slightly different messages depending if I use
ingres user for connect:

============

EventID:4625

Security ID:MACHINE\ingres

Account Name:ingres

Account Domain:MACHINE

Logon ID:0x22F7B

Logon Type:3

Account for which Logon Failed:

Security ID:NULL SID

Account Name:ingres

Account Domain:

 

Failure information:

Failure Reason:An Error occurred during Logon

Status:0xC0000022

Sub Status:0x0

Process information

Caller ProcessID: 0xb58

Caller Process Name c:\IngresI\ingres\bin\iigcn.exe

Network Information

Workstation Name:MACHINE

 

============

EventID:4625

Security ID:MACHINE\ingres

Account Name:ingres

Account Domain:MACHINE

Logon ID:0x22F7B

Logon Type:3

Account for which Logon Failed:

Security ID:NULL SID

Account Name:someuser

Account Domain:

 

Failure information:

Failure Reason:Unknown user name or bad password

Status:0xC000006D

Sub Status:0xC000006A0

Process information

Caller ProcessID: 0xb58

Caller Process Name c:\IngresI\ingres\bin\iigcn.exe

Network Information

Workstation Name:MACHINE

 

 

The default Ingres port 21064 is open for TCP4 and TCP6.

 

netstat -an | grep 21064

 

  TCP    0.0.0.0:21064          0.0.0.0:0              LISTENING

  TCP    127.0.0.1:21064        127.0.0.1:62866        TIME_WAIT

  TCP    127.0.0.1:21064        127.0.0.1:62897        TIME_WAIT

  TCP    [::]:21064             [::]:0                 LISTENING

 

netstat -anb

  TCP    0.0.0.0:21064          0.0.0.0:0              LISTENING

 [iigcc.exe]

  TCP    127.0.0.1:21064        127.0.0.1:62866        TIME_WAIT

  TCP    127.0.0.1:21064        127.0.0.1:62897        TIME_WAIT

  TCP    [::]:21064             [::]:0                 LISTENING

 [iigcc.exe]

 

 

 

GCA trace has been captured. Here is my script.

 

@echo off

if [%1] == [-s] (

echo setting

ingsetenv II_GCA_TRACE 5

ingsetenv II_GCN_TRACE 5

ingsetenv II_GCS_TRACE 5

ingsetenv II_GCC_TRACE 5

ingsetenv II_GC_TRACE 5

ingsetenv II_GCA_LOG C:\IngresII\ingres\files\iigca_%%d_%%p.log

goto end

) 

 

echo clearing

ingunset II_GCA_TRACE

ingunset II_GCN_TRACE

ingunset II_GCS_TRACE

ingunset II_GCC_TRACE

ingunset II_GC_TRACE

ingunset II_GCA_LOG 

 

:end

 

Here is an excerpt of the trace

The second call to GCS_USR_AUTH fails with status 000C000B, it matches the
status in the reject given to the user "E_GC000b"

 

!GCS call: GCS_OP_VALIDATE, mechanism <internal>

!GCS call: validating GCS_USR_AUTH with mechanism ingres

!GCS ingres: GCS_OP_VALIDATE

!GCS ingres: validating GCS_USR_AUTH (43 bytes)

!GCS ingres: user 'ingres', alias 'ingres'

!GCS ingres: GCS_OP_VALIDATE status 0x00000000

!GCS call: GCS_OP_VALIDATE, status 0x00000000

!   1     GCA LS_CHKBED status 00000000 (148)

!   1     GCA LS_CHKAPI status 00000000 (149)

!   1     GCA RG_IF_NSDISC status 00000000 (203)

!   1     GCA LS_DONE status 00000000 (209)

!   1     GCA SA_COMPLETE status 00000000 (210)

!   1   GCA_COMPLETE 4 status=00000000

!   1   GCA_COMPLETE 4 completing

...

!GCS call: GCS_OP_VALIDATE, mechanism <internal>

!GCS call: validating GCS_PWD_AUTH with mechanism ingres

!GCS ingres: GCS_OP_VALIDATE

!GCS ingres: validating GCS_PWD_AUTH (82 bytes)

!GCS ingres: alias 'someuser'

!GCusrpwd: Entry point.

!GCS ingres: invalid password: 'mypasswd#'

!GCS ingres: GCS_OP_VALIDATE status 0x000C000B

!GCS call: GCS_OP_VALIDATE, status 0x000C000B

!   2     GCA LS_SET_PSTAT status 000C000B (152)

!   2     GCA LS_FMT_PEER status 000C000B (153)

!   2     GCA SA_SEND_PEER status 000C000B (154)

!   2     GCA SA_GOSUB status 000C000B (155)

!   2     GCA GC_SEND status 000C000B (509)

 

 

Other clues I have:

Windows patches were applied as part of the reboot.

New software was installed elsewhere on the machine.

MSSQL is running ok with remote connections.

Server is part of a domain but is not the DNS.

No other start up errors in Ingres errlog.log.

Site claims there has been no policy changes.

UAC is enabled on the server Win2012

I suspect the site administrator has changed something to do with guest
account, as I can see several attempts to log in as Administrator and Guest
just prior to restart.

 

Next steps:

Remove recent windows patches

Disable UAC

Disable Antivirus/firewall

 

 

 

&

Shift Seven Solutions

84 Annie Drive Peregian Beach QLD 4573

Mob 0414 681799

Ph 07 5448 2137

www.shift7solutions.com.au

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.planetingres.org/pipermail/info-ingres/attachments/20170202/ac730de3/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iigca.zip
Type: application/octet-stream
Size: 25445 bytes
Desc: not available
URL: <https://lists.planetingres.org/pipermail/info-ingres/attachments/20170202/ac730de3/attachment.obj>

More information about the Info-ingres mailing list