How to create and log in a new user? Keep getting "permission denied"
Marco Beishuizen
2017-02-16 15:27:20 UTC
Hi,

I have OpenVMS running on a DEC PWS600au. In order to mount and use NFS
with a FreeBSD machine I want to add the user "root" to the OpenVMS
machine. After completing the "@SYS$EXAMPLES:ADDUSER.COM" procedure,
OpenVMS keeps denying logging in to the new root account, as if the
password is wrong or something.

So what am I doing wrong here?

regards,
Marco
--
I'm defending her honor, which is more than she ever did.
Scott Dorsey
2017-02-16 15:59:34 UTC
Post by Marco Beishuizen
Hi,
I have OpenVMS running on a DEC PWS600au. In order to mount and use NFS
with a FreeBSD machine I want to add the user "root" to the OpenVMS
OpenVMS keeps denying logging in to the new root account, as if the
password is wrong or something.
So what am I doing wrong here?
So what do you see in syslog after the login fails?
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
Stephen Hoffman
2017-02-16 16:04:34 UTC
Post by Marco Beishuizen
I have OpenVMS running on a DEC PWS600au. In order to mount and use NFS
with a FreeBSD machine I want to add the user "root" to the OpenVMS
OpenVMS keeps denying logging in to the new root account, as if the
password is wrong or something.
So what am I doing wrong here?
Well, there's trying to use NFS. That's always "fun" on OpenVMS.
But for this case, my guess is that the new "root" user is still marked
DISUSER in SYSUAF (SET DEFAULT SYS$SYSTEM, then RUN AUTHORIZE, then
SHOW ROOT, check the flags), though there can be other causes for
blocked logins. Directory ownerships on the login directory for the
new "root" user can cause login failures, as can certain combinations
of flags and a protected SYLOGIN.COM command procedure, too. Check
the audit log (ANALYZE/AUDIT) or the system accounting data
(ACCOUNTING) for more details on the login failure.
--
Pure Personal Opinion | HoffmanLabs LLC
Marco Beishuizen
2017-02-16 16:22:24 UTC
Well, there's trying to use NFS. That's always "fun" on OpenVMS. But
for this case, my guess is that the new "root" user is still marked
DISUSER in SYSUAF (SET DEFAULT SYS$SYSTEM, then RUN AUTHORIZE, then SHOW
ROOT, check the flags), though there can be other causes for blocked
logins. Directory ownerships on the login directory for the new "root"
user can cause login failures, as can certain combinations of flags and
a protected SYLOGIN.COM command procedure, too. Check the audit log
(ANALYZE/AUDIT) or the system accounting data (ACCOUNTING) for more
details on the login failure.
Don't know how to check the logs yet, but SHOW ROOT in UAF> says:
UAF> show root

Username: ROOT Owner: CHARLIE ROOT
Account: ROOT UIC: [200,101] ([ROOT])
CLI: DCL Tables: DCLTABLES
Default: SYS$SYSDEVICE:[ROOT]
LGICMD:
Flags:
Primary days: Mon Tue Wed Thu Fri
Secondary days: Sat Sun
No access restrictions
Expiration: (none) Pwdminimum: 6 Login Fails: 6
Pwdlifetime: 90 00:00 Pwdchange: (pre-expired)
Last Login: (none) (interactive), (none)
(non-interactive)
Maxjobs: 0 Fillm: 128 Bytlm: 128000
Maxacctjobs: 0 Shrfillm: 0 Pbytlm: 0
Maxdetach: 0 BIOlm: 150 JTquota: 4096
Prclm: 8 DIOlm: 150 WSdef: 4096
Prio: 4 ASTlm: 300 WSquo: 8192
Queprio: 4 TQElm: 100 WSextent: 16384
CPU: (none) Enqlm: 4000 Pgflquo: 256000
Authorized Privileges:
NETMBX TMPMBX
Default Privileges:
NETMBX TMPMBX

If it is still marked as a DISUSER, how do I UNDIS the USER?

Regards,
Marco
--
Say something you'll be sorry for, I love receiving apologies.
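The SHOW ROOT listing above carries the three things the replies in this thread go on to ask about: the Flags line (where DISUSER would appear), the Login Fails count, and the Pwdchange value. The following parser is an added example for this thread, not code from the thread or from OpenVMS; it reads a SHOW listing in the format AUTHORIZE prints and reports which of those conditions would block a login. The sample record is constructed from the listing posted above, and the break-in threshold default of 5 is an assumption (take the real limit from your own system's LGI_BRK_LIM setting).

```python
"""Parse the record that AUTHORIZE prints for SHOW <user> and list the
conditions in it that can block a login.

Added example for this thread, not code from the thread or from OpenVMS.
SAMPLE_SHOW_ROOT is constructed from the SHOW ROOT listing posted above.
The break-in threshold default of 5 is an assumption; take the real limit
from your own system's LGI_BRK_LIM setting.
"""
import re

# Constructed sample: the posted SHOW ROOT output with its columns collapsed
SAMPLE_SHOW_ROOT = """\
Username: ROOT Owner: CHARLIE ROOT
Account: ROOT UIC: [200,101] ([ROOT])
CLI: DCL Tables: DCLTABLES
Default: SYS$SYSDEVICE:[ROOT]
LGICMD:
Flags:
Primary days: Mon Tue Wed Thu Fri
Secondary days: Sat Sun
No access restrictions
Expiration: (none) Pwdminimum: 6 Login Fails: 6
Pwdlifetime: 90 00:00 Pwdchange: (pre-expired)
Last Login: (none) (interactive), (none) (non-interactive)
Authorized Privileges:
NETMBX TMPMBX
Default Privileges:
NETMBX TMPMBX
"""

# Constructed variant: the same account after it has been disabled
SAMPLE_SHOW_DISABLED = (SAMPLE_SHOW_ROOT
                        .replace("Flags:", "Flags: DISUSER")
                        .replace("Login Fails: 6", "Login Fails: 0")
                        .replace("(pre-expired)", "15-FEB-2017 10:00"))


def parse_uaf_show(text):
    """Pull the fields a login-failure diagnosis needs out of a SHOW listing."""
    def grab(pattern, default=""):
        m = re.search(pattern, text, re.M)
        return m.group(1).strip() if m else default

    return {
        "username": grab(r"^Username:[ \t]+(\S+)"),
        "uic": grab(r"UIC:[ \t]+(\[[^\]]*\])"),
        "default_dir": grab(r"^Default:[ \t]+(\S+)"),
        # 'Flags:' with nothing after it means no flags are set at all
        "flags": grab(r"^Flags:[ \t]*(.*)$").split(),
        "login_fails": int(grab(r"Login Fails:[ \t]+(\d+)", "0")),
        "pwdchange": grab(r"Pwdchange:[ \t]+(.*)$"),
    }


def login_blockers(rec, breakin_limit=5):
    """Return (code, explanation) pairs in the order a system manager checks them."""
    reasons = []
    if "DISUSER" in rec["flags"]:
        reasons.append(("DISUSER",
                        "account is disabled; AUTHORIZE MODIFY /FLAGS=NODISUSER re-enables it"))
    if rec["pwdchange"].startswith("(pre-expired)"):
        reasons.append(("PRE_EXPIRED",
                        "first login must change the password; some ssh clients "
                        "cannot complete that dialogue"))
    if rec["login_fails"] >= breakin_limit:
        reasons.append(("BREAKIN",
                        f"{rec['login_fails']} failed logins: check SHOW INTRUSION "
                        "for a break-in evasion record before testing again"))
    return reasons


if __name__ == "__main__":
    for sample in (SAMPLE_SHOW_ROOT, SAMPLE_SHOW_DISABLED):
        rec = parse_uaf_show(sample)
        print(rec["username"], rec["uic"], rec["default_dir"])
        for code, why in login_blockers(rec) or [("OK", "nothing in SYSUAF blocks this login")]:
            print(f"  {code}: {why}")
```

Run against the posted record it reports no DISUSER flag, a pre-expired password and six failed logins, which is exactly the pair of leads (the intrusion database and the forced password change) that the rest of the thread converges on.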
Stephen Hoffman
2017-02-16 16:41:30 UTC
Post by Marco Beishuizen
Well, there's trying to use NFS. That's always "fun" on OpenVMS. But
for this case, my guess is that the new "root" user is still marked
DISUSER in SYSUAF (SET DEFAULT SYS$SYSTEM, then RUN AUTHORIZE, then
SHOW ROOT, check the flags), though there can be other causes for
blocked logins. Directory ownerships on the login directory for the
new "root" user can cause login failures, as can certain combinations
of flags and a protected SYLOGIN.COM command procedure, too. Check the
audit log (ANALYZE/AUDIT) or the system accounting data (ACCOUNTING)
for more details on the login failure.
UAF> show root
Username: ROOT Owner: CHARLIE ROOT
...
...
No access restrictions
...
.... Login Fails: 6
...
If it is still marked as a DISUSER, how do I UNDIS the USER?
It's not DISUSER'd. That flag is not shown in the list of flags for
the user. Next step is to check the ownership on
SYS$SYSDEVICE:[000000]ROOT.DIR to ensure that matches [200,101] —
probably not a good idea to put every user in group 200, but that's
another security discussion and that's not related to this
login-related issue — and check the access on the
SYS$SYSDEVICE:[ROOT]LOGIN.COM and on any SYLOGIN.COM that might be
present. Then, if you've logged in enough times and failed — 6 times
so far — breakin evasion can also activate and block subsequent
attempts. SHOW INTRUSION to show the intrusion database,
DELETE/INTRUSION to delete it, then use AUTHORIZE to reset the password
to something (else) to test for that case.

Then do what you seemingly don't want to do, and go check the auditing
logs after attempting to log into the "root" user interactively.
Attempt to log into the new root user directly, without NFS involved.

The auditing and accounting logs are often your friend here. Use them.
If sufficient auditing is not enabled (SHOW AUDIT), then add in some
login-related audits, and login-failure-related audits.
--
Pure Personal Opinion | HoffmanLabs LLC
Marco Beishuizen
2017-02-16 17:07:38 UTC
It's not DISUSER'd. That flag is not shown in the list of flags for the
user. Next step is to check the ownership on
SYS$SYSDEVICE:[000000]ROOT.DIR to ensure that matches [200,101] —
probably not a good idea to put every user in group 200, but that's
another security discussion and that's not related to this login-related
issue — and check the access on the SYS$SYSDEVICE:[ROOT]LOGIN.COM and
on any SYLOGIN.COM that might be present. Then, if you've logged in
enough times and failed — 6 times so far — breakin evasion can also
activate and block subsequent attempts. SHOW INTRUSION to show the
intrusion database, DELETE/INTRUSION to delete it, then use AUTHORIZE to
reset the password to something (else) to test for that case.
Then do what you seemingly don't want to do, and go check the auditing
logs after attempting to log into the "root" user interactively.
Attempt to log into the new root user directly, without NFS involved.
The auditing and accounting logs are often your friend here. Use them.
If sufficient auditing is not enabled (SHOW AUDIT), then add in some
login-related audits, and login-failure-related audits.
It's not that I don't want to use the logs, I don't know how yet. I
started using OpenVMS on my Alpha a week ago.

Trying to log in directly on the OpenVMS machine or by ssh doesn't make a
difference. I also tried to delete the account and re-add it, and change
the password. All this results in the same.

But before I jump through a lot of hoops: I used a standard utility to add
a user, using only default values. Why isn't it just possible to login
after adding the user using this standard utility? To me as a VMS-newbie
this looks like a pretty useless utility (or useless defaults). Maybe
there is a simple explanation for OpenVMS users but I really want to
understand here.

Regards,
Marco
abrsvc
2017-02-16 17:32:17 UTC
Let's start with the simple stuff first. Since you just started with VMS, do you have a license for it yet? If not, you can use the console for some functions, but remote access will be denied. You may or may not see the license not active message.

Dan
Marco Beishuizen
2017-02-16 18:42:27 UTC
Post by abrsvc
Let's start with the simple stuff first. Since you just started with
VMS, do you have a license for it yet? If not, you can use the console
for some functions, but remote access will be denied. You may or may
not see the license not active message.
I have a hobbyist license. Installation of OpenVMS and the license went
fine afaik. During installation a "system" account was created (to me some
kind of root). After installation some TCPIP options were enabled like
SSH, Telnet, NTP and LPD. SSH and Telnet work fine, haven't tried lpd yet.
I've also setup the network at home during install and all computers can
ping each other and are visible in the DSL router.

Regards,
Marco
--
Science is like sex: sometimes something useful comes
out, but that is not the reason we are doing it
-- Richard Feynman
seasoned_geek
2017-02-19 15:47:37 UTC
Post by Marco Beishuizen
Post by abrsvc
Let's start with the simple stuff first. Since you just started with
VMS, do you have a license for it yet? If not, you can use the console
for some functions, but remote access will be denied. You may or may
not see the license not active message.
I have a hobbyist license. Installation of OpenVMS and the license went
fine afaik. During installation a "system" account was created (to me some
kind of root). After installation some TCPIP options were enabled like
SSH, Telnet, NTP and LPD. SSH and Telnet work fine, haven't tried lpd yet.
I've also setup the network at home during install and all computers can
ping each other and are visible in the DSL router.
Regards,
Marco
--
Science is like sex: sometimes something useful comes
out, but that is not the reason we are doing it
-- Richard Feynman
If you just started with OpenVMS, you might want to obtain a copy of this book:
http://theminimumyouneedtoknow.com/app_book.html
or find some free reputable on-line tutorial. OpenVMS is a real operating system and as such requires one to do a bit of reading.
Stephen Hoffman
2017-02-21 15:26:15 UTC
...OpenVMS is a real operating system and as such requires one do a bit
of reading.
This, of course, is how us long-time OpenVMS users prefer to
deliberately ignore or make excuses for problem areas, such as the user
interface for the accreted-not-designed user management subsystem.

Hopefully, VSI acquires the time and the budget and the skills
necessary to drain at least some parts of the user interface swamp.
--
Pure Personal Opinion | HoffmanLabs LLC
Jan-Erik Soderholm
2017-02-16 17:38:28 UTC
It's not DISUSER'd. That flag is not shown in the list of flags for the
user. Next step is to check the ownership on
SYS$SYSDEVICE:[000000]ROOT.DIR to ensure that matches [200,101] —
probably not a good idea to put every user in group 200, but that's
another security discussion and that's not related to this login-related
issue — and check the access on the SYS$SYSDEVICE:[ROOT]LOGIN.COM and on
any SYLOGIN.COM that might be present. Then, if you've logged in
enough times and failed — 6 times so far — breakin evasion can also
activate and block subsequent attempts. SHOW INTRUSION to show the
intrusion database, DELETE/INTRUSION to delete it, then use AUTHORIZE to
reset the password to something (else) to test for that case.
Then do what you seemingly don't want to do, and go check the auditing
logs after attempting to log into the "root" user interactively. Attempt
to log into the new root user directly, without NFS involved.
The auditing and accounting logs are often your friend here. Use them.
If sufficient auditing is not enabled (SHOW AUDIT), then add in some
login-related audits, and login-failure-related audits.
It's not that I don't want to use the logs, I don't know how yet. I started
using OpenVMS on my Alpha a week ago.
Trying to log in directly on the OpenVMS machine or by ssh doesn't make a
difference. I also tried to delete the account and re-add it, and change
the password. All this results in the same.
But before I jump through a lot of hoops: I used a standard utility to add
a user, using only default values. Why isn't it just possible to login
after adding the user using this standard utility? To me as a VMS-newbie
this looks like a pretty useless utility (or useless defaults). Maybe there
is a simple explanation for OpenVMS users but I really want to understand
here.
Regards,
Marco
OK, so you can login using another user, right?

Let's say that it is SYSTEM (or another user with privileges).
Then you can try this when logged in as that user:

$ reply/enable
$ telnet localhost (and try to login as user root)

You should see something like:

$ reply/enabe
%%%%%%%%%%% OPCOM 16-FEB-2017 18:31:33.90 %%%%%%%%%%%
Operator <node>:<terminal> has been enabled, username <user>

...
...

$
$ telnet localhost
%TELNET-I-TRYING, Trying ... 127.0.0.1
%%%%%%%%%%% OPCOM 16-FEB-2017 18:31:37.10 %%%%%%%%%%%
Message from user INTERnet on <node>
TELNET Login from Host: LOCALHOST Port: nnnnn

...
...

Username: root
Password:

%%%%%%%%%%% OPCOM 16-FEB-2017 18:31:43.18 %%%%%%%%%%%
Message from user AUDIT$SERVER on <node>
Security alarm (SECURITY) and security audit (SECURITY) on <node>, system
id: 1019
Auditable event: Remote interactive login failure
Event time: 16-FEB-2017 18:31:43.17
PID: 00025CF9
Process name: _TNA6156:
Username: <login>
Terminal name: TNA6156, _TNA6156:, Host: LOCALHOST Locn:
_TNA6072:/NNN
Remote nodename: LOCALHOST
Remote node id: nnnnnnnn
Remote username: TELNET_7F000001
Status: %LOGIN-F-NOSUCHUSER, no such user

User authorization failure

Username: (exit with ctrl-Z)

$ reply /disable (to shut off the logging to your terminal)

The "Status:" message above might have some interesting message.
In my case above there simply was no username called "root"...
Marco Beishuizen
2017-02-16 18:54:44 UTC
Post by Jan-Erik Soderholm
OK, so you can login using another user, right?
Let's say that it is SYSTEM (or another user with privileges).
$ reply/enable
$ telnet localhost (and try to login as user root)
$ reply/enabe
%%%%%%%%%%% OPCOM 16-FEB-2017 18:31:33.90 %%%%%%%%%%%
Operator <node>:<terminal> has been enabled, username <user>
...
...
$
$ telnet localhost
%TELNET-I-TRYING, Trying ... 127.0.0.1
%%%%%%%%%%% OPCOM 16-FEB-2017 18:31:37.10 %%%%%%%%%%%
Message from user INTERnet on <node>
TELNET Login from Host: LOCALHOST Port: nnnnn
...
...
Username: root
%%%%%%%%%%% OPCOM 16-FEB-2017 18:31:43.18 %%%%%%%%%%%
Message from user AUDIT$SERVER on <node>
1019
Auditable event: Remote interactive login failure
Event time: 16-FEB-2017 18:31:43.17
PID: 00025CF9
Username: <login>
_TNA6072:/NNN
Remote nodename: LOCALHOST
Remote node id: nnnnnnnn
Remote username: TELNET_7F000001
Status: %LOGIN-F-NOSUCHUSER, no such user
User authorization failure
Username: (exit with ctrl-Z)
$ reply /disable (to shut off the logging to your terminal)
The "Status:" message above might have some interesting message.
In my case above there simply was no username called "root"...
I can login as the SYSTEM user, which was created during installation.
Trying to telnet to localhost results in an "invalid password" in my case:

Username: root
Password:
%%%%%%%%%%% OPCOM 16-FEB-2017 19:46:19.00 %%%%%%%%%%%
Message from user AUDIT$SERVER on OVMS1
Security alarm (SECURITY) and security audit (SECURITY) on OVMS1, system
id: 1025
Auditable event: Remote interactive login failure
Event time: 16-FEB-2017 19:46:18.99
PID: 0000023D
Process name: _TNA2:
Username: ROOT
Terminal name: TNA2:, _TNA2:, Host: LOCALHOST Locn:
_FTA3:/SYSTEM
Remote node id: 16777343
Remote node fullname: LOCALHOST
Remote username: TELNET_7F000001
Status: %LOGIN-F-INVPWD, invalid password

User authorization failure
--
A woman can look both moral and exciting -- if she also looks as if it
were quite a struggle.
-- Edna Ferber
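Jan-Erik's REPLY/ENABLE session and Marco's reply above show the same AUDIT$SERVER alarm format with two different Status lines (%LOGIN-F-NOSUCHUSER and %LOGIN-F-INVPWD), and it is that Status line that tells the two cases apart. As an added example for this thread, not code from the thread or from OpenVMS, here is a parser that splits an OPCOM transcript at the banner lines, keeps only the security alarms, and tallies login failures per username and status code. The transcript it runs on is constructed from the alarms posted above (node OVMS1, PID 0000023D and the 19:46 timestamps are taken from Marco's post; the later two records and the TELNET notice are invented to show filtering and aggregation).

```python
"""Parse OPCOM security-alarm messages broadcast by AUDIT$SERVER and
summarise login failures per username.

Added example for this thread, not code from the thread or from OpenVMS.
SAMPLE_OPCOM_LOG is constructed from the alarms posted in the thread; the
second and third records and the INTERnet notice are invented.
"""
import re
from collections import defaultdict

BANNER = re.compile(r"^%{3,}[ \t]+OPCOM[ \t]+(.+?)[ \t]+%{3,}[ \t]*$", re.M)
FIELD = re.compile(r"^([A-Za-z ]+):[ \t]+(.*)$", re.M)
STATUS = re.compile(r"^Status:[ \t]+(%[A-Z0-9$_]+-[A-Z]-[A-Z0-9_]+),[ \t]*(.*)$", re.M)

# What each status seen in this thread means and where to look next
HINTS = {
    "%LOGIN-F-NOSUCHUSER": "username is not in SYSUAF: check it with AUTHORIZE SHOW <user>",
    "%LOGIN-F-INVPWD": "password mismatch: reset it with AUTHORIZE MODIFY <user>/PASSWORD=..., "
                       "using only the characters OpenVMS accepts (or set the PWDMIX flag)",
}

SAMPLE_OPCOM_LOG = """\
%%%%%%%%%%% OPCOM 16-FEB-2017 19:46:12.30 %%%%%%%%%%%
Message from user INTERnet on OVMS1
TELNET Login from Host: LOCALHOST Port: 49152

%%%%%%%%%%% OPCOM 16-FEB-2017 19:46:19.00 %%%%%%%%%%%
Message from user AUDIT$SERVER on OVMS1
Security alarm (SECURITY) and security audit (SECURITY) on OVMS1, system id: 1025
Auditable event: Remote interactive login failure
Event time: 16-FEB-2017 19:46:18.99
PID: 0000023D
Process name: _TNA2:
Username: ROOT
Terminal name: TNA2:, _TNA2:, Host: LOCALHOST Locn: _FTA3:/SYSTEM
Remote node id: 16777343
Remote node fullname: LOCALHOST
Remote username: TELNET_7F000001
Status: %LOGIN-F-INVPWD, invalid password

User authorization failure

%%%%%%%%%%% OPCOM 16-FEB-2017 19:47:02.41 %%%%%%%%%%%
Message from user AUDIT$SERVER on OVMS1
Security alarm (SECURITY) and security audit (SECURITY) on OVMS1, system id: 1025
Auditable event: Remote interactive login failure
Event time: 16-FEB-2017 19:47:02.40
Username: ROOT
Remote node fullname: LOCALHOST
Remote username: TELNET_7F000001
Status: %LOGIN-F-INVPWD, invalid password

%%%%%%%%%%% OPCOM 16-FEB-2017 19:48:30.05 %%%%%%%%%%%
Message from user AUDIT$SERVER on OVMS1
Security alarm (SECURITY) and security audit (SECURITY) on OVMS1, system id: 1025
Auditable event: Remote interactive login failure
Event time: 16-FEB-2017 19:48:30.04
Username: ROOOT
Remote node fullname: LOCALHOST
Remote username: TELNET_7F000001
Status: %LOGIN-F-NOSUCHUSER, no such user
"""


def parse_opcom_audits(text):
    """Split the transcript at each OPCOM banner and keep the security alarms."""
    banners = list(BANNER.finditer(text))
    records = []
    for i, b in enumerate(banners):
        end = banners[i + 1].start() if i + 1 < len(banners) else len(text)
        chunk = text[b.end():end]
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(chunk)}
        if "Auditable event" not in fields:
            continue  # an operator notice (e.g. the TELNET login line), not an alarm
        st = STATUS.search(chunk)
        records.append({
            "timestamp": b.group(1),
            "event": fields["Auditable event"],
            "username": fields.get("Username", "?"),
            "remote_node": fields.get("Remote node fullname", fields.get("Remote nodename", "?")),
            "status_code": st.group(1) if st else None,
            "status_text": st.group(2) if st else None,
        })
    return records


def summarize_failures(records):
    """Count failure alarms per username and status code."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in records:
        if "failure" in r["event"].lower():
            summary[r["username"]][r["status_code"]] += 1
    return {user: dict(counts) for user, counts in summary.items()}


def diagnose(status_code):
    """Map a status code to the next check; fall back to the audit journal."""
    return HINTS.get(status_code, "see ANALYZE/AUDIT and the accounting data for detail")


if __name__ == "__main__":
    recs = parse_opcom_audits(SAMPLE_OPCOM_LOG)
    for user, counts in summarize_failures(recs).items():
        for code, n in counts.items():
            print(f"{user}: {n} x {code} -> {diagnose(code)}")
```

Because the broadcast alarms and the SECURITY.AUDIT$JOURNAL records carry the same field names, the same tally works on the output of ANALYZE/AUDIT once the banner pattern is adjusted to that report's record separator.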
Bob Koehler
2017-02-16 20:31:28 UTC
Post by Marco Beishuizen
Status: %LOGIN-F-INVPWD, invalid password
Well, that's pretty clear. The password you think you gave the
account does not match the one you actually gave the account.

Go into authorize.exe and do a
mod root/password=somethingnew
Arne Vajhøj
2017-02-16 20:46:05 UTC
Post by Bob Koehler
Post by Marco Beishuizen
Status: %LOGIN-F-INVPWD, invalid password
Well, that's pretty clear. The password you think you gave the
account does not match the one you actually gave the account.
Go into authorize.exe and do a
mod root/password=somethingnew
I have not done that since forever.

But something tells me:

UAF> MOD username/PASS=password/NOPWDEXP/PWDLIFE=0

Arne
Craig A. Berry
2017-02-16 20:57:40 UTC
Post by Bob Koehler
Post by Marco Beishuizen
Status: %LOGIN-F-INVPWD, invalid password
Well, that's pretty clear. The password you think you gave the
account does not match the one you actually gave the account.
Go into authorize.exe and do a
mod root/password=somethingnew
And when you set the password make sure it includes only the (very
limited) set of characters that are valid in VMS passwords:

<http://h41379.www4.hpe.com/wizard/wiz_1175.html>

or set the PWDMIX flag on the account, which makes the passwords case
sensitive and adds more characters to what's allowed (sorry, don't have
the list handy).
Stephen Hoffman
2017-02-16 17:50:31 UTC
Post by Marco Beishuizen
It's not DISUSER'd. That flag is not shown in the list of flags for the
user. Next step is to check the ownership on
SYS$SYSDEVICE:[000000]ROOT.DIR to ensure that matches [200,101] —
probably not a good idea to put every user in group 200, but that's
another security discussion and that's not related to this
login-related issue — and check the access on the
SYS$SYSDEVICE:[ROOT]LOGIN.COM and on any SYLOGIN.COM that might be
present. Then, if you've logged in enough times and failed — 6
times so far — breakin evasion can also activate and block subsequent
attempts. SHOW INTRUSION to show the intrusion database,
DELETE/INTRUSION to delete it, then use AUTHORIZE to reset the
password to something (else) to test for that case.
Then do what you seemingly don't want to do, and go check the auditing
logs after attempting to log into the "root" user interactively.
Attempt to log into the new root user directly, without NFS involved.
The auditing and accounting logs are often your friend here. Use them.
If sufficient auditing is not enabled (SHOW AUDIT), then add in some
login-related audits, and login-failure-related audits.
It's not that I don't want to use the logs, I don't know how yet. I
started using OpenVMS on my Alpha a week ago.
NFS is the deep end of the pool; not a particularly easy implementation
to get working for even some experienced users, and probably not the
best place to start learning about OpenVMS.

As for the commands, I've provided the basic DCL commands involved in
some of the steps, or the files involved.

For the ownership and protection:
DIRECTORY/SECURITY SYS$SYSDEVICE:[000000]ROOT.DIR
DIRECTORY/SECURITY SYS$SYSDEVICE:[ROOT]LOGIN.COM
That latter DIRECTORY command may or will fail if the LOGIN.COM file
is not yet present.

SHOW LOGICAL SYLOGIN will show whether there's a system-wide login in
use, but I'd guess not. Not unless this is an existing installation
that you're taking over. Then all bets are off.

ANALYZE /AUDIT /SINCE=TODAY SYS$MANAGER:SECURITY.AUDIT$JOURNAL or some
such set of qualifiers, and also the SHOW AUDIT command to see what
auditing is enabled, will get you started with auditing, if there's
anything in the logs.

HELP ANALYZE /AUDIT will show a quick review of the command syntax, and
the rest of the documentation is in the OpenVMS security manual.

The DCL dictionary — also in the documentation set — will have some
details on the SHOW INTRUSION and DELETE /INTRUSION commands, as will
the HELP text.

HELP ACCOUNT for help on the accounting utility, or the manuals...

The OpenVMS documentation is buried underneath here:

http://www8.hp.com/us/en/products/servers/openvms/documents.html

Usual path for reading through that whole mass of documentation is the
User's Manual first, then the DCL dictionary and maybe a few other
areas to get going, then — for administering systems — the System
Manager's Manuals (one or both volumes) and various other manuals
related to that task including the Guide to System Security, and — for
programming OpenVMS — the Programming Concepts manual and various other
OpenVMS and compiler-specific manuals. The TCP/IP Services
documentation is a separate shelf, and you'll probably want to read the
installation and configuration manual in that shelf.

You'll also find previous discussions of these commands in the
comp.os.vms newsgroup archives, and at various places around the 'net.

https://groups.google.com/forum/#!forum/comp.os.vms
Post by Marco Beishuizen
Trying to log in directly on the OpenVMS machine or by ssh doesn't make
a difference.
For all of the users, or just the root user?

I'll assume that the ssh server and related bits have been configured,
though — if that hasn't happened yet — that's an extra step on OpenVMS,
and involves installing TCP/IP Services (if it's not already installed)
or some other third-party IP stack, and then using
@SYS$MANAGER:TCPIP$CONFIG to configure the IP stack and start the
necessary servers including the ssh server, or whatever configuration
tool is used for the third-party IP stack. Some of this stuff sort-of
looks to work but fails oddly, if the servers and giblets are not as
specified in the TCP/IP Services manuals. Yes, there's a separate set
of manuals for that.

If the ssh server (daemon) is configured and running and logins fail,
there's something definitely odd with the local set-up or some local
file. That means reading the auditing logs or accounting data for
details.
Post by Marco Beishuizen
I also tried to delete the account and re-add it, and change the
password. All this results in the same.
That won't help.
Post by Marco Beishuizen
But before I jump through a lot of hoops: I used a standard utility to
add a user,
Ayup; that was clear.
Post by Marco Beishuizen
using only default values.
Ayup; that too was clear.
Post by Marco Beishuizen
Why isn't it just possible to login after adding the user using this
standard utility?
ADDUSER is usually customized. If it's used at all. (That's why
it's in the SYS$EXAMPLES examples area, and not in one of the "main"
application directories such as SYS$SYSTEM or SYS$MANAGER, FWIW.)
ADDUSER is also not commonly used by experienced OpenVMS folks, who
generally either have their own local procedures and tools to add
users, or — for lower-volume sites — they use the UAF (SET DEFAULT
SYS$SYSTEM, then RUN AUTHORIZE) commands such as ADD {user}
{/long/list/of/arcane/qualifiers} to add the necessary users; they
manage the users manually. Yes, it's possible to tie into LDAP for
authentication, but that's some extra steps, and not related to your
particular user lock-out discussion here.
Post by Marco Beishuizen
To me as a VMS-newbie this looks like a pretty useless utility (or
useless defaults). Maybe there is a simple explanation for OpenVMS
users but I really want to understand here.
Ayup. As I've been ranting about elsewhere and as recently as the
last day or two, that's because the defaults and the tools are an
excellent source of pain and grief. OpenVMS still presents itself to
users similarly to how it presented to users back in the 1980s and
1990s. Expectations of users have changed dramatically since then of
course, but the OpenVMS tools and defaults really haven't. As I keep
getting told by some folks around here — and as I've had to do, as have
most others — reading the OpenVMS manuals and learning the arcana is
the path to learning OpenVMS. I'd like to see this whole area
improved, but that's not going to happen for several years, at the
earliest. As I keep getting told around here, we will continue to
have experienced system administrators — "system managers" in
OpenVMS-speak — available, and who have had the time and investment to
read and understand the OpenVMS manuals, and to learn from experience.
Not that I find that particular belief to be persuasive. Or the
folks out-source this whole area to somebody else to deal with.
OpenVMS is just a cryptic beast, and very difficult to "wing it" with —
and knowledge of Linux or Unix or Windows does not really help all that
much with OpenVMS, and can sometimes just completely confuse things
with assumptions that just don't hold (on OpenVMS). Sorry.

If you're doing this commercially, there are folks that provide
services for OpenVMS, and that provide OpenVMS training. (disclosure:
I work for one) If you're a hobbyist, you're going to be learning a
whole lot about how computing was done in the 1980s and 1990s, via the
command line, and reading more than a little of the documentation.
Welcome to OpenVMS.
--
Pure Personal Opinion | HoffmanLabs LLC
Marco Beishuizen
2017-02-16 19:39:33 UTC
NFS is the deep end of the pool; not a particularly easy implementation to
get working for even some experienced users, and probably not the best place
to start learning about OpenVMS.
Maybe I'll leave NFS for later then, but I'll probably try again soon
against my better judgement :).
As for the commands, I've provided the basic DCL commands involved in some of
the steps, or the files involved.
[...]
http://www8.hp.com/us/en/products/servers/openvms/documents.html
Thanks for the hints, and I will try them out. Of course I googled a lot
and saw (and read) the documentation online, especially about NFS and
basic commands. Couldn't find much about when things do not work as
expected. It's definitely clear to me that I have to read a lot more.

[...]
The TCP/IP Services documentation is a separate shelf, and you'll probably
want to read the installation and configuration manual in that shelf.
You'll also find previous discussions of these commands in the comp.os.vms
newsgroup archives, and at various places around the 'net.
https://groups.google.com/forum/#!forum/comp.os.vms
I installed TCPIP and enabled some services, and afaict that all works
fine (Telnet, SSH). Tried to get a DECterm with Xephyr on the FreeBSD
machine but that didn't work either. Something for later too.
Post by Marco Beishuizen
Trying to log in directly on the OpenVMS machine or by ssh doesn't make a
difference.
For all of the users, or just the root user?
There is the SYSTEM user which was added during install, this works fine.
And the ROOT user which was created by the ADDUSER.COM utility later, but
that account is inaccessible now for some reason.
I'll assume that the ssh server and related bits have been configured, though
— if that hasn't happened yet — that's an extra step on OpenVMS, and involves
installing TCP/IP Services (if it's not already installed) or some other
TCPIP is installed and is working afaict (like SSH and Telnet).
ADDUSER is usually customized. If it's used at all. (That's why it's in
the SYS$EXAMPLES examples area, and not in one of the "main" application
directories such as SYS$SYSTEM or SYS$MANAGER, FWIW.) ADDUSER is also not
commonly used by experienced OpenVMS folks, who generally either have their
own local procedures and tools to add users, or — for lower-volume sites —
they use the UAF (SET DEFAULT SYS$SYSTEM, then RUN AUTHORIZE) commands such
as ADD {user} {/long/list/of/arcane/qualifiers} to add the necessary users;
they manage the users manually. Yes, it's possible to tie into LDAP for
authentication, but that's some extra steps, and not related to your
particular user lock-out discussion here.
Post by Marco Beishuizen
To me as a VMS-newbie this looks like a pretty useless utility (or useless
defaults). Maybe there is a simple explanation for OpenVMS users but I
really want to understand here.
Ayup. As I've been ranting about elsewhere and as recently as the last day
or two, that's because the defaults and the tools are an excellent source of
pain and grief. OpenVMS still presents itself to users similarly to how it
presented to users back in the 1980s and 1990s. Expectations of users have
changed dramatically since then of course, but the OpenVMS tools and defaults
really haven't. As I keep getting told by some folks around here — and as
I've had to do, as have most others — reading the OpenVMS manuals and
learning the arcana is the path to learning OpenVMS. I'd like to see this
whole area improved, but that's not going to happen for several years, at the
earliest. As I keep getting told around here, we will continue to have
experienced system administrators — "system managers" in OpenVMS-speak
— available, and who have had the time and investment to read and understand
the OpenVMS manuals, and to learn from experience. Not that I find that
particular belief to be persuasive. Or the folks out-source this whole area
to somebody else to deal with. OpenVMS is just a cryptic beast, and very
difficult to "wing it" with — and knowledge of Linux or Unix or Windows does
not really help all that much with OpenVMS, and can sometimes just completely
confuse things with assumptions that just don't hold (on OpenVMS). Sorry.
If you're doing this commercially, there are folks that provide services for
OpenVMS, and that provide OpenVMS training. (disclosure: I work for one)
If you're a hobbyist, you're going to be learning a whole lot about how
computing was done in the 1980s and 1990s, via the command line, and reading
more than a little of the documentation. Welcome to OpenVMS.
Sincerely thanks for all this information. Next thing to do I guess for me
is to read a lot more about OpenVMS and its differences with system
administration.

I have used FreeBSD and NetBSD for 18 years now, and have a laptop with
Slackware installed. Also used OS/2 for years in the past, and of course
Windows. So it's not that I'm a newbie with all systems, but OpenVMS is
definitely something different. Not giving up though, the Alpha is mainly
for fun and learning. The PWS600au had NetBSD installed but I find that an
Alpha should run OpenVMS so I got a hobbyist license and installed it.

Regards,
Marco
--
History is on our side (as long as we can control the historians).
Stephen Hoffman
2017-02-16 23:32:38 UTC
Post by Marco Beishuizen
Sincerely thanks for all this information. Next thing to do I guess for
me is to read a lot more about OpenVMS and its differences with system
administration.
More detailed and specific login failure errors get written to the
auditing and accounting logs. For reasons of system security, far
more generic errors get written to the user that's attempting login.

One other (less likely) possibility here — but check the logs — is that
the startup blew out, and logins were never fully enabled. Issue the
SET LOGIN command with no qualifiers, and see if the interactive login
limit is set non-zero; to 64, by default. Users with OPER privilege —
SYSTEM has it, but your root user doesn't — are allowed to override the
login limits and access the system. But again, check the auditing or
accounting data.

I'll assume that all the licenses from that big batch of hobbyist PAKs
have been loaded. You'd mentioned you'd loaded the licenses in
another reply elsewhere, but your phrasing was somewhat ambiguous on
that; OpenVMS has licenses for all sorts of stuff, including two and
sometimes more licenses for just OpenVMS itself; the base license and
the user license. PAKs for networking and otherwise are also needed
here. If that whole PAK command procedure was invoked without errors,
you should have all the necessary PAKs loaded, though.

TCP/IP startup will have to be manually added to the startup. That's
probably already happened though, as you state you've been able to ssh
into the box as the SYSTEM user, and that that works.
Post by Marco Beishuizen
I use FreeBSD and NetBSD for 18 years now, and have a laptop with
Slackware installed. Also used OS/2 for years in the past, and of
course Windows. So it's not that I'm a newbie with all systems, but
OpenVMS is definitely something different.
Pretty much all of that experience will just serve to confuse or
frustrate or annoy you, particularly if you try to apply the terms and
concepts and even the norms from those other platforms. There are
some things common certainly, but — unless you're (also) familiar with
managing bespoke 1990s-era command-line servers — there's a whole lot
more that's different. That's from experience dealing with various of
those cited systems and with some other boxes, and with OpenVMS. It's
more a case of being easier if you forget you're experienced and start
reading from the User's Manual and the System Manager's manuals, and —
in this case — learning about the logging and accounting, and about the
intrusion database, and about directories and protections. Also
ensure the user is using a very simple password for further login
testing here; an ASCII password of alphanumerics only, no spaces or
other characters, to start with. And don't assume what's normal — NFS,
for instance — on other platforms is normal on OpenVMS. There are
times when I have trouble getting NFS configurations working between
OpenVMS and some other platforms for instance, and I've been at this a
while.
--
Pure Personal Opinion | HoffmanLabs LLC
Bob Koehler
2017-02-16 20:34:55 UTC
Post by Marco Beishuizen
Pwdchange: (pre-expired)
Ah, there's a clue. The account is created with a pre-expired password.
The user must set it the first time he logs in.

Some ssh don't deal with that well.

Try going into authorize.exe and doing
mod root/nopwdexp
Marco Beishuizen
2017-02-16 20:06:22 UTC
Post by Marco Beishuizen
I have OpenVMS running on a DEC PWS600au. In order to mount and use NFS
with a FreeBSD machine I want to add the user "root" to the OpenVMS
OpenVMS keeps denying logging in to the new root account, as if the
password is wrong or something.
Well, I got it fixed already! With some help of the internet, I forced
a change of the password of the root account by:

$ SET DEFAULT SYS$SYSTEM
$ MC AUTHORIZE
UAF> MODIFY username /PASSWORD=newpass /PWDEXPIRED

When logging in after this as root, I changed the password and the account
works. Now trying to get NFS working again, although probably not the
easiest thing to do on OpenVMS.

Thanks for all the help though. Will need to read some more
documentation about OpenVMS.

Regards,
Marco
--
Q: How many Marxists does it take to screw in a lightbulb?
A: None: The lightbulb contains the seeds of its own revolution.