[Info-ingres] Authentication fail
Paul White
paul.white at shift7solutions.com.au
Wed Feb 1 23:04:25 UTC 2017
Good morning all,
I'm hoping for some fresh ideas.
A few nights ago, the Ingres Windows server was rebooted and from that
point, remote Ingres Net/OpenROAD connections are rejected with errors:

    E_GC000B_RMT_LOGIN_FAIL Login failure: invalid username/password.
    E_GC000B_RMT_LOGIN_FAIL Login failure: invalid username/password.
    E_GC000E_RMT_LOGIN_FAIL_INFO A remote login attempt failed. The remote
    machine was 'MACHINE', and the userid was 'someuser'.

    sql myvnode::pw
    INGRES TERMINAL MONITOR Copyright 2008 Ingres Corporation
    E_LC0001 GCA protocol service (GCA_REQUEST) failure.
    Internal service status E_GC000b -- Login failure: invalid
    username/password..
    E_LQ0001 Failed to connect to DBMS session.

These work:

RDP to the Ingres server as user Ingres, and can connect directly to any of
the databases with command line sql.
A local .net application is working fine synchronising between Ingres and
MSSQL which are running together on the server.

These fail:

vnode connections from remote machine.
vnode Local loopback to 127.0.0.1.
vnode changed user to ingres and other users.
Created new vnode.

The installation is owned by ingres. The site has been running since 2014.
II 10.1.1 (a64.win/100) + P14744
I've checked ownership and permissions on all IngresII files.
I've created a new Ingres user and corresponding operating system user. Also
fails.
The reject is immediate, it does not seem to be firewall timeout or DNS
lookup.
I've stopped and restarted Ingres service. Reset the password in the
service.
Ran an install/repair and repatched.
I checked there have been no recent changes to vnode files in
%II_SYSTEM%\ingres\files\name\
Checked Ingres and system environment variables
Started ingres in local test only mode. (iigcn+iigcc)
Confirmed Ingres is a local admin, removed and added the account to "logon
as a service", "logon as a batch" and "act as part of the operating system"
Confirmed settings for "access this server from the network".
The Windows event log shows slightly different messages depending on whether
I use the ingres user to connect:
============
EventID:4625
Security ID:MACHINE\ingres
Account Name:ingres
Account Domain:MACHINE
Logon ID:0x22F7B
Logon Type:3
Account for which Logon Failed:
    Security ID:NULL SID
    Account Name:ingres
    Account Domain:
Failure information:
    Failure Reason:An Error occurred during Logon
    Status:0xC0000022
    Sub Status:0x0
Process information
    Caller ProcessID: 0xb58
    Caller Process Name c:\IngresI\ingres\bin\iigcn.exe
Network Information
    Workstation Name:MACHINE
============
EventID:4625
Security ID:MACHINE\ingres
Account Name:ingres
Account Domain:MACHINE
Logon ID:0x22F7B
Logon Type:3
Account for which Logon Failed:
    Security ID:NULL SID
    Account Name:someuser
    Account Domain:
Failure information:
    Failure Reason:Unknown user name or bad password
    Status:0xC000006D
    Sub Status:0xC000006A0
Process information
    Caller ProcessID: 0xb58
    Caller Process Name c:\IngresI\ingres\bin\iigcn.exe
Network Information
    Workstation Name:MACHINE

The default Ingres port 21064 is open for TCP4 and TCP6.

    netstat -an | grep 21064
    TCP 0.0.0.0:21064 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:21064 127.0.0.1:62866 TIME_WAIT
    TCP 127.0.0.1:21064 127.0.0.1:62897 TIME_WAIT
    TCP [::]:21064 [::]:0 LISTENING

    netstat -anb
    TCP 0.0.0.0:21064 0.0.0.0:0 LISTENING
    [iigcc.exe]
    TCP 127.0.0.1:21064 127.0.0.1:62866 TIME_WAIT
    TCP 127.0.0.1:21064 127.0.0.1:62897 TIME_WAIT
    TCP [::]:21064 [::]:0 LISTENING
    [iigcc.exe]

GCA trace has been captured. Here is my script.

    @echo off
    rem With -s: turn on level 5 tracing for GCA, GCN, GCS, GCC and GC.
    rem Without arguments: clear the trace settings again.
    rem In a batch file %%d and %%p are passed to ingsetenv as %d and %p.
    if [%1] == [-s] (
        echo setting
        ingsetenv II_GCA_TRACE 5
        ingsetenv II_GCN_TRACE 5
        ingsetenv II_GCS_TRACE 5
        ingsetenv II_GCC_TRACE 5
        ingsetenv II_GC_TRACE 5
        ingsetenv II_GCA_LOG C:\IngresII\ingres\files\iigca_%%d_%%p.log
        goto end
    )
    echo clearing
    ingunset II_GCA_TRACE
    ingunset II_GCN_TRACE
    ingunset II_GCS_TRACE
    ingunset II_GCC_TRACE
    ingunset II_GC_TRACE
    ingunset II_GCA_LOG
    :end

Here is an excerpt of the trace.
The second call to GCS_USR_AUTH fails with status 000C000B, which matches the
status in the reject given to the user, "E_GC000b".
!GCS call: GCS_OP_VALIDATE, mechanism <internal>
!GCS call: validating GCS_USR_AUTH with mechanism ingres
!GCS ingres: GCS_OP_VALIDATE
!GCS ingres: validating GCS_USR_AUTH (43 bytes)
!GCS ingres: user 'ingres', alias 'ingres'
!GCS ingres: GCS_OP_VALIDATE status 0x00000000
!GCS call: GCS_OP_VALIDATE, status 0x00000000
! 1 GCA LS_CHKBED status 00000000 (148)
! 1 GCA LS_CHKAPI status 00000000 (149)
! 1 GCA RG_IF_NSDISC status 00000000 (203)
! 1 GCA LS_DONE status 00000000 (209)
! 1 GCA SA_COMPLETE status 00000000 (210)
! 1 GCA_COMPLETE 4 status=00000000
! 1 GCA_COMPLETE 4 completing
...
!GCS call: GCS_OP_VALIDATE, mechanism <internal>
!GCS call: validating GCS_PWD_AUTH with mechanism ingres
!GCS ingres: GCS_OP_VALIDATE
!GCS ingres: validating GCS_PWD_AUTH (82 bytes)
!GCS ingres: alias 'someuser'
!GCusrpwd: Entry point.
!GCS ingres: invalid password: 'mypasswd#'
!GCS ingres: GCS_OP_VALIDATE status 0x000C000B
!GCS call: GCS_OP_VALIDATE, status 0x000C000B
! 2 GCA LS_SET_PSTAT status 000C000B (152)
! 2 GCA LS_FMT_PEER status 000C000B (153)
! 2 GCA SA_SEND_PEER status 000C000B (154)
! 2 GCA SA_GOSUB status 000C000B (155)
! 2 GCA GC_SEND status 000C000B (509)
Other clues I have:
Windows patches were applied as part of the reboot.
New software was installed elsewhere on the machine.
MSSQL is running ok with remote connections.
Server is part of a domain but is not the DNS.
No other start up errors in Ingres errlog.log.
Site claims there have been no policy changes.
UAC is enabled on the server Win2012.
I suspect the site administrator has changed something to do with guest
account, as I can see several attempts to log in as Administrator and Guest
just prior to restart.
Next steps:
Remove recent windows patches
Disable UAC
Disable Antivirus/firewall
Shift Seven Solutions
84 Annie Drive Peregian Beach QLD 4573
Mob 0414 681799
Ph 07 5448 2137
www.shift7solutions.com.au
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iigca.zip
Type: application/octet-stream
Size: 25445 bytes
Desc: not available
URL: <https://lists.planetingres.org/pipermail/info-ingres/attachments/20170202/ac730de3/attachment.obj>
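
Added example, not part of the original post and not Ingres code: a small Python filter for GCS trace files like the excerpt in the message. It pairs each "validating GCS_*_AUTH" line with its alias and final status, and masks the password that level 5 tracing writes after "invalid password:", so a trace can be attached to a public list without the credential. The sample trace, the function name summarize and the '<redacted>' marker are constructed for illustration.

```python
import re

# Constructed sample modelled on the trace excerpt in the post; placeholder password.
SAMPLE_TRACE = """\
!GCS call: GCS_OP_VALIDATE, mechanism <internal>
!GCS call: validating GCS_USR_AUTH with mechanism ingres
!GCS ingres: user 'ingres', alias 'ingres'
!GCS ingres: GCS_OP_VALIDATE status 0x00000000
!GCS call: GCS_OP_VALIDATE, status 0x00000000
!GCS call: validating GCS_PWD_AUTH with mechanism ingres
!GCS ingres: alias 'someuser'
!GCusrpwd: Entry point.
!GCS ingres: invalid password: 'example-pw#'
!GCS ingres: GCS_OP_VALIDATE status 0x000C000B
!GCS call: GCS_OP_VALIDATE, status 0x000C000B
"""

AUTH_RE = re.compile(r"^!GCS call: validating (GCS_\w+_AUTH) with mechanism (\S+)")
ALIAS_RE = re.compile(r"^!GCS \S+: .*\balias '([^']*)'")
STATUS_RE = re.compile(r"^!GCS call: GCS_OP_VALIDATE, status 0x([0-9A-Fa-f]{8})")
PWD_RE = re.compile(r"(invalid password: )'.*'")

def summarize(trace):
    """Return (redacted_trace, attempts): one dict per GCS validation."""
    redacted, attempts, cur = [], [], None
    for raw in trace.splitlines():
        line = PWD_RE.sub(r"\1'<redacted>'", raw)  # mask before anything is kept
        redacted.append(line)
        m = AUTH_RE.match(raw)
        if m:  # start of a new validation
            cur = {"auth": m.group(1), "mechanism": m.group(2),
                   "alias": None, "status": None, "password_logged": False}
        elif cur is None:  # lines before the first validation
            continue
        elif line != raw:  # the trace printed the rejected password
            cur["password_logged"] = True
        elif ALIAS_RE.match(raw):
            cur["alias"] = ALIAS_RE.match(raw).group(1)
        elif STATUS_RE.match(raw):  # final status closes the validation
            cur["status"] = int(STATUS_RE.match(raw).group(1), 16)
            attempts.append(cur)
            cur = None
    return "\n".join(redacted), attempts

if __name__ == "__main__":
    text, attempts = summarize(SAMPLE_TRACE)
    for a in attempts:
        print(a["auth"], a["alias"], f'0x{a["status"]:08X}', a["password_logged"])
```

Any attempt with a non-zero status is a failed validation; password_logged marks the trace files that need scrubbing or deletion once troubleshooting is finished.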