Unable to login to Zone

My zone got moved recently. It had been running on an ancient build of Solaris 10 that had been state of the art when we moved into this office and now it was to be hosted on a real Solaris 10 system. It mainly hosts legacy web pages from servers that have long since been decommissioned so that the links continue to function. As such, while it is mine and has my system name from the days when we had desktops, I hardly ever login to it.

Anyway after the move someone contacted me to say that one of the services it provides was not working. So I login to the system, or at least I try, but it won't let me in. Odd.

I finally get to the console and every time I try and login I get this message:

Mar  6 17:26:42 dredd sshd[13866]: pam_setcred: setppriv(defaultpriv) failed: Not owner


For some curious reason the cause of this error was not completely apparent to me straight away, despite Google pointing me rather helpfully at the source code. So setppriv is failing, but why, and why for me?


Doing my SGRT on it we have:


| Is | Is Not |
| --- | --- |
| What is: What thing or group of things is having the problem? | What is NOT: What thing or group of things could be having the problem, but is not? |
| Setppriv for my login. | Other users' logins. |
| What is: What is wrong with it or them? | What is NOT: What could be wrong with it or them, but is not? |
| Unable to login | No password entry. Logging in as root and doing getent finds me and the ksh can use ~ to get to my home directory |
| Where is: Where, geographically, is the thing when the problem is noticed? | Where is NOT: Where could the thing be when the problem is noticed, but is not? |
| On Zones in our namespace. | On other global zones in our namespace. On global and non global zones not in our namespace. |


I'd like to tell you that at this point the problem was clear and obvious. Something in our namespace was making my login to non global zones fail. However, by complete coincidence at this point, just as I was going to solve the problem, honest, I got an email that described the problem. It is what happens when you have had your default privileges added to and those privileges are not available to non global Zones.


For me this was that I have some dtrace privileges. So I filed bug 6395043, which should filter into the opensolaris.org bugs database sometime soon, to get the setting of extra privileges to not be a hard error that locks you out.


The workaround is to add an entry for each user with raised privileges in the name service to the local user_attr file on each of the zones without the extra privileges. Not exactly a solution but at least I can now login.
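To find which users need such a local entry, the check can be scripted. The following is an added example, not code from the original post or from Solaris: it reads entries in user_attr format and reports every user whose defaultpriv names a privilege missing from a list of privileges the zone allows. The function names, the one-name-per-line privilege file and the sample users are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag user_attr entries whose defaultpriv names a privilege
# that the zone does not offer. Names and sample data are constructed.

# check_user_attr ZONE_PRIVS USER_ATTR
#   ZONE_PRIVS: file with one privilege name per line (what the zone allows)
#   USER_ATTR:  entries in user_attr(4) format, user:qualifier:res1:res2:attr
# Prints "user: priv[,priv...]" for every user that would hit the error.
check_user_attr() {
    awk -F: '
        NR == FNR { if ($1 != "") ok[$1] = 1; next }  # first file: allowed set
        /^#/ || NF < 5 { next }                       # comments, short lines
        {
            bad = ""
            n = split($5, kv, ";")                    # attr is key=value;key=value
            for (i = 1; i <= n; i++) {
                if (kv[i] !~ /^defaultpriv=/) continue
                m = split(substr(kv[i], 13), p, ",")  # text after "defaultpriv="
                for (j = 1; j <= m; j++) {
                    # Only explicitly named privileges are checked; the set
                    # keywords "basic"/"none" and "!priv" removals are skipped.
                    if (p[j] == "" || p[j] == "basic" || p[j] == "none") continue
                    if (p[j] ~ /^!/) continue
                    if (!(p[j] in ok)) bad = (bad == "" ? "" : bad ",") p[j]
                }
            }
            if (bad != "") print $1 ": " bad
        }' "$1" "$2"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed list of privileges available in the zone
    printf '%s\n' file_link_any proc_exec proc_fork proc_info proc_session \
        > "$d/zone.privs"
    # Constructed entries standing in for what the name service returns
    cat > "$d/user_attr" <<'EOF'
# constructed sample entries
alice::::defaultpriv=basic,dtrace_user,dtrace_proc
bob::::type=normal;profiles=Basic Solaris User
carol::::defaultpriv=basic,proc_info
EOF
    check_user_attr "$d/zone.privs" "$d/user_attr"
    rm -rf "$d"
}

demo   # prints: alice: dtrace_user,dtrace_proc
```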


Comments:

Hi, found this myself on Monday. Have logged a call and am told a guy called Joe Phalan is picking this up. I had the privileges defined in a nisplus table as we run a large estate and populating /etc/user_attr in every global & non-global zone would be painful!

Posted by Keith Apps on March 10, 2006 at 05:26 AM GMT #

The bug is being actively worked so with luck you won't have to do the edit to all those files.

Posted by Chris Gerhard on March 10, 2006 at 07:31 AM GMT #

About

This is the old blog of Chris Gerhard. It has mostly moved to http://chrisgerhard.wordpress.com
