Patch Name: PHSS_27963

Patch Description: s700_800 11.00 HP DCE/9000 1.7 Integrated Login cum. patch

Creation Date: 02/09/23

Post Date: 02/12/10

Hardware Platforms - OS Releases:
    s700: 11.00
    s800: 11.00

Products: N/A

Filesets:
    IntegratedLogin.AUTH-COMMON,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP
    IntegratedLogin.AUTH-DCE,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP

Automatic Reboot?: No

Status: General Release

Critical: Yes
    PHSS_27963: ABORT

Category Tags:
    defect_repair general_release critical halts_system

Path Name: /hp-ux_patches/s700_800/11.X/PHSS_27963

Symptoms:
    PHSS_27963:
    1. JAGad37693
       In the integrated login environment, a user login session
       responds abnormally when the user is in the /etc/passwd file
       and not in the DCE registry.

    2. JAGad15130
       The ilogind process is killed and the following error message
       is displayed:
       "Assertion failed: found_present == 1 message"

    3. JAGad28191, JAGad50733, JAGad69252
       Ilogind dumps core when the "runacct" and "quotacheck" commands
       are executed. The following error message is logged to the log
       file:
       "ilogind: Out of memory"

    4. JAGad63490, JAGad57471
       The "passwd" command will destroy valid user credentials if
       interrupted with Ctrl-C.

    5. JAGad11213
       When a user changes the password using the "passwd" command, no
       error is reported if the new password fails during syntax
       validation.

    6. JAGad38926
       Some files from the IntegratedLogin product are not deleted from
       the system after the OS has been upgraded from 10.20 to 11.00.
       These files have a suffix of .auth and are not replaced by any
       command in the 11.00 system.

    7. JAGad68492, JAGad68665
       An attempt to change the password for users listed in the
       /etc/opt/dce/password_override file does not work and at times
       dumps core with an assertion failure.

    8. JAGad96021
       setpag() does not work with the libdce library.

    9. JAGae02578
       Bogus error messages are displayed when forwarding DCE
       credentials.

    10. JAGae02045
       The rlogin -F command does not work with the SIS and Ilogin
       combination.

    PHSS_20445:
    1. JAGac78462 : Uninstall of the DCE 1.7 Ilogin product removes the
       /etc/nsswitch.conf file, hence users cannot log in.

    PHSS_17811:
    1. When integrated login is configured on a multi-processor
       machine, telnet (rlogin ..) returns with the error message
       "Connection closed" and does not grant login to any user.

Defect Description:
    PHSS_27963:
    1. JAGad37693
       When the "id" command is invoked with a user account that does
       not exist in the DCE registry, but exists in the /etc/passwd
       file, the user login session will hang. This happens because
       the variable "result" in the getgrbymem() routine is not set to
       FAILURE when ilogind returns an error.
       Resolution:
       When an error is returned from ilogind, the result variable is
       correctly set to FAILURE.

    2. JAGad15130
       ilogind exits with an assertion because it is trying to free a
       login context from the cache which it is not able to access.
       Resolution:
       Code has been modified to avoid forced freeing of a cache item,
       thus resolving the assertion failure.

    3. JAGad28191, JAGad50733, JAGad69252
       ilogind receives a SIGSEGV signal and exits when handling
       information of a group that has a large number of members. This
       problem was experienced because the total memory allocated to
       store group information was 10K. With the fix of JAGad28191,
       ilogind ends up with a large number of cache entries if there
       are many users, and eventually ilogind reaches maxdsiz and core
       dumps.
       Resolution:
       Instead of allocating memory for all the members, the members
       are returned only up to the static size. This happens in the
       case of getgrid/getgrnam calls. When a getgrent() request is
       received, members up to the maximum size are returned in each
       call. In the subsequent calls, all the members are retrieved by
       maintaining a DCE registry cursor. This is a generic solution
       which solves memory related issues. Also, a new environment
       variable, ILOGIND_CACHE_LIMIT, has been added to fix the cache
       problem. The default value of this variable is 256.

    4. JAGad57471, JAGad63490
       The "passwd" command establishes communication with the ilogin
       daemon with the login context. If the "passwd" command ends
       abruptly, then ilogind would clean up the credentials.
       Resolution:
       The code which handles the login context purge has been removed
       for cases where a private socket between ilogind and PAM DCE is
       left dangling.

    5. JAGad11213
       ilogind returned a generic error status, DCE_STATUS_ERROR, for
       all types of errors.
       Resolution:
       The problem is fixed with an additional error condition being
       checked. Also, the zero length verifier password has been fixed
       and appropriate error messages are displayed.

    6. JAGad68492, JAGad68665
       For users listed in the /etc/opt/dce/password_override file,
       there was no mechanism available to update their passwords.
       Also, for these users a valid network credential was not
       created. In the case of root, one would obtain the machine
       credentials but would still cause failure. In the case of other
       users, they would not obtain any credentials.
       Resolution:
       Code has been modified for changing the password in the
       override file.

    7. JAGad96021
       11.00 DCE PAM uses setpag/resetpag calls, which need to resolve
       to actual kernel calls in the case of DFS. So far these
       functions were being resolved to dummy functions which
       return 0.
       Resolution:
       The DCE PAM makefile has been changed to remove the references
       to these dummy routines. The libdce library is already linked
       with libpam_dce.1, and libdce will resolve setpag/resetpag to
       actual/dummy routines appropriately.

    8. JAGad38926
       Some files from the IntegratedLogin product are not deleted
       after an OS update from 10.20 to 11.00, as no
       preinstall/postinstall script was written to remove these
       files.
       Resolution:
       The postinstall script is modified to remove these files.

    9. JAGae02578
       In the case of overridden users, the error message "Unable to
       obtain DCE credentials" was displayed despite successful
       logins. However, in the case of root (UID=0) this message is
       inappropriate, as the root user inherits the default host
       credentials (dcecred_ffffffff).
       Resolution:
       A change was made in pam_sm_authenticate() to check for UID=0,
       to determine whether it is a super-user. Also, the error
       message is not displayed for other users if KRB5CCNAME is set.

    10. JAGae02045
       With Ilogin configured, rlogin -F fails with SIS enabled. '*'
       is put in the password field by DCE when getpw* calls are made.
       Since '*' is considered an "invalid" account, rlogin fails.
       Resolution:
       Instead of '*', DCE now places 'D' in the password field. This
       is fixed in ilogind and the password_export program.

    PHSS_20445:
    1. JAGac78462 : Uninstall of the DCE 1.7 Ilogin product removes the
       /etc/nsswitch.conf file even though the DCE backend to the Name
       Service switch is not enabled through the auth.adm script.
       Steps to reproduce the problem:
       a) Install the Ilogin product using "auth.adm -i -ldce -bux";
          select not to use the NSS-DCE switch.
       b) Verify the presence of the /etc/nsswitch.conf file.
       c) Run "auth.adm -u" to uninstall the product.
       d) Verify the presence of the /etc/nsswitch.conf file.
          You will not find the /etc/nsswitch.conf file.
       Resolution:
       Remove the /etc/nsswitch.conf file if and only if
       /etc/nsswitch.conf.prev exists (this file is generated during
       Ilogin installation).

    PHSS_17811:
    1. This problem is caused by incorrect behavior of the call
       dfs_is_present. Even though DFS is not supported in 11.0, the
       code was returning incorrectly, indicating that DFS is present.
       This was the root cause of the problem.
       Resolution:
       On 11.0, dfs_is_present now returns false, indicating the
       absence of DFS.

Enhancement: No

SR:
    8606127660 8606168412 8606158862 8606145794 8606200068
    8606194280 8606141859 8606188263 8606181517 8606199479
    8606199304 8606226958 8606233354 8606232817 8606169652

Patch Files:
    IntegratedLogin.AUTH-COMMON,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP:
    /usr/sbin/auth.adm
    /usr/share/man/man1m.Z/auth.adm.1m

    IntegratedLogin.AUTH-DCE,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP:
    /opt/dce/sbin/ilogind
    /usr/lib/libnss_dce.1
    /usr/lib/security/libpam_dce.1
    /usr/sbin/auth.adm.dce
    /opt/dce/newconfig/RelNotes/ILoginRelNote.text
    /usr/share/man/man1m.Z/ilogind.1m
    /usr/share/man/man5.Z/pam_dce.5
    /usr/lib/nls/msg/C/pam_dce.cat

what(1) Output:
    IntegratedLogin.AUTH-COMMON,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP:
    /usr/sbin/auth.adm:
        None
    /usr/share/man/man1m.Z/auth.adm.1m:
        None

    IntegratedLogin.AUTH-DCE,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP:
    /opt/dce/sbin/ilogind:
        HP92453-02A.10.20 HP-UX SYMBOLIC DEBUGGER (END.O) $Revision: 74.03 $
        HP DCE/9000 1.7-1.7.1 PHSS_27962-65 Module: ilogind (Export) Date: Sep 27 2002 22:18:48
    /usr/lib/libnss_dce.1:
        HP DCE/9000 1.7-1.7.1 PHSS_27962-65 Module: libnss_dce.1 (Export) Date: Sep 27 2002 22:14:45
    /usr/lib/security/libpam_dce.1:
        HP DCE/9000 1.7-1.7.1 PHSS_27962-65 Module: libpam_dce.1 (Export) Date: Sep 27 2002 22:14:55
        $RCSfile: environment.c,v $ $Revision: /main/HPDCE02 /HPDCE_64/1 $ (OSF) $Date: 1997/11/06 19:44 UTC $
    /usr/sbin/auth.adm.dce:
        None
    /opt/dce/newconfig/RelNotes/ILoginRelNote.text:
        None
    /usr/share/man/man1m.Z/ilogind.1m:
        None
    /usr/share/man/man5.Z/pam_dce.5:
        None
    /usr/lib/nls/msg/C/pam_dce.cat:
        None

cksum(1) Output:
    IntegratedLogin.AUTH-COMMON,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP:
    823304312 43049 /usr/sbin/auth.adm
    2075841516 3985 /usr/share/man/man1m.Z/auth.adm.1m

    IntegratedLogin.AUTH-DCE,fr=B.11.00,fa=HP-UX_B.11.00_32/64,v=HP:
    3985725749 104144 /opt/dce/sbin/ilogind
    214311524 36864 /usr/lib/libnss_dce.1
    3386119993 69632 /usr/lib/security/libpam_dce.1
    745265640 33402 /usr/sbin/auth.adm.dce
    1062551314 2663 /opt/dce/newconfig/RelNotes/ILoginRelNote.text
    558158166 1744 /usr/share/man/man1m.Z/ilogind.1m
    2937487040 2612 /usr/share/man/man5.Z/pam_dce.5
    2349741239 1303 /usr/lib/nls/msg/C/pam_dce.cat

Patch Conflicts: None

Patch Dependencies:
    s700: 11.00: PHSS_27962
    s800: 11.00: PHSS_27962

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHSS_17811 PHSS_20445

Equivalent Patches: None

Patch Package Size: 340 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHSS_27963

    5. Run swinstall to install the patch:

        swinstall -x autoreboot=true -x patch_match_target=true \
            -s /tmp/PHSS_27963.depot

    By default swinstall will archive the original software in
    /var/adm/sw/save/PHSS_27963. If you do not wish to retain a
    copy of the original software, include the patch_save_files
    option in the swinstall command above:

        -x patch_save_files=false

    WARNING: If patch_save_files is false when a patch is installed,
             the patch cannot be deinstalled. Please be careful
             when using this feature.

    For future reference, the contents of the PHSS_27963.text file
    are available in the product readme:

        swlist -l product -a readme -d @ /tmp/PHSS_27963.depot

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

        dd if=/tmp/PHSS_27963.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    For this patch to take effect, stop and start all DCE daemons
    and application processes, OR reboot the machine after the patch
    is installed.
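
To confirm after installation that the files on disk match the cksum(1) Output section above, the published values can be checked with a short script. This is an added example, not part of the HP patch text; the function name verify_manifest, the optional root-prefix argument and the --run switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not HP's code): check installed files against the cksum(1)
# values published in the PHSS_27963 patch text. One entry per line:
# "<crc> <size in bytes> <path>".
PHSS_27963_MANIFEST='823304312 43049 /usr/sbin/auth.adm
2075841516 3985 /usr/share/man/man1m.Z/auth.adm.1m
3985725749 104144 /opt/dce/sbin/ilogind
214311524 36864 /usr/lib/libnss_dce.1
3386119993 69632 /usr/lib/security/libpam_dce.1
745265640 33402 /usr/sbin/auth.adm.dce
1062551314 2663 /opt/dce/newconfig/RelNotes/ILoginRelNote.text
558158166 1744 /usr/share/man/man1m.Z/ilogind.1m
2937487040 2612 /usr/share/man/man5.Z/pam_dce.5
2349741239 1303 /usr/lib/nls/msg/C/pam_dce.cat'

# verify_manifest MANIFEST [ROOT]
# Prints OK / MISSING / MISMATCH per file; returns 1 if any file is missing
# or differs. ROOT is an assumed optional prefix (e.g. a mounted image).
verify_manifest() {
    manifest=$1
    root=${2:-}
    bad=0
    while read -r want_crc want_size path; do
        [ -n "$path" ] || continue          # skip blank lines
        if [ ! -f "$root$path" ]; then
            echo "MISSING  $path"
            bad=1
            continue
        fi
        # With input on stdin, cksum prints only "<crc> <size>".
        got=$(cksum < "$root$path")
        if [ "$got" = "$want_crc $want_size" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $want_crc $want_size, got $got)"
            bad=1
        fi
    done <<EOF
$manifest
EOF
    return "$bad"
}

# Check the live system only when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    verify_manifest "$PHSS_27963_MANIFEST"
fi
```

cksum(1) is a CRC, so a match confirms the expected patch level and catches corruption or a partial install; it is not evidence against deliberate tampering.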