Evaluating IRIS 4.87 and ran into tms authentication error

[Rob McKnight]

Our organization is exploring using IRIS in the near future.

I installed a new CentOS v7.6 server as well as DNF (still uses 'yum' by default) and then tried following the install instructions in the Admin Guide.

It failed miserably so I installed as many prerequisites as were listed. PostgreSQL v11 doesn't seem to be IRIS's preferred version (still looks for

v10 service name) but IRIS install was eventually successful. Right before an attempt was made to start the PostgreSQL DB using the old (v10) 

service name, there were four lines similar to "/bin/iris_ctl: line 72: /var/lib/pgsql/data/postgresql.conf: No such file or directory" but DB elements

were created.

The problem came when I attempted to start IRIS service. When I ran

# tail -f /var/log/iris/iris.stderr

I saw that the tms user (auto-created by the IRIS installer) was continually failing to authenticate and the service was going no further.

Does anyone know what the tms user's password is supposed to be? Looking at /etc/shadow it appears that the OS's tms and postgres 

users have blank passwords, but maybe a password command failed to execute properly during the IRIS install.

Thanks in advance.

[Lau, Douglas (MNIT)]

Hi Rob,

It looks like CentOS puts the PostgreSQL configuration file in a different location than Fedora.  Can you verify the location of postgresql.conf?

The errors you saw came from the iris_ctl shell script, which was just doing some configuration for you.  It creates a random password for the tms user and stores it in /var/lib/pgsql/.pgpass (note the dot in the name).

-Doug Lau

---

From: 'Rob McKnight' via IRIS ATMS <iri...@googlegroups.com>
Sent: Tuesday, March 5, 2019 2:17 PM
To: IRIS ATMS
Subject: Evaluating IRIS 4.87 and ran into tms authentication error

 

--
You received this message because you are subscribed to the Google Groups "IRIS ATMS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to irisits+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Rob McKnight]

Thanks for the info, Doug. I'm adding that to my install notes!

It looks like PostgreSQL v11 keeps its postgresql.conf here:  /var/lib/pgsql/11/data/postgresql.conf

Should I maybe create a symbolic link for /var/lib/pgsql/data pointing to /var/lib/pgsql/11/data so that IRIS can find the file?

Or do you have a better workaround?

I do see the file /var/lib/pgsql/.pgpass and it does have what looks to be a random password. Maybe solving the above path

issue will allow IRIS to find this file and authenticate correctly?

Thanks again.  Rob 

[Lau, Douglas (MNIT)]

I think the errors you saw were unrelated to the login problem.  The iris_ctl script was trying to add some configuration to the end of postgresql.conf.  Missing them  should not have any noticeable effect.

Can you check if the "tms" user was created in the database?

To do that, type "psql tms" as the postgres user.  At the psql prompt, type \du [enter]

-Doug Lau

---

From: 'Rob McKnight' via IRIS ATMS <iri...@googlegroups.com>

Sent: Tuesday, March 5, 2019 2:54 PM
To: IRIS ATMS
Subject: Re: Evaluating IRIS 4.87 and ran into tms authentication error

 

[Rob McKnight]

Thanks again for the assistance, Doug.

I su'ed to the postgres user and then typed:

$ psql tms

That got me to the tms=# prompt as follows;

$ psql tms

psql (9.2.24, server 11.2)

WARNING: psql version 9.2, server version 11.0.

         Some psql features might not work.

Type "help" for help.

tms=#

When I entered: \du

here's what I saw:

Role Name                              Attributes                                         Member of

pg_execute_server_program | Cannot login                                   | {}

pg_monitor                             | Cannot login                                   | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables}

 pg_read_all_settings             | Cannot login                                   | {}

 pg_read_all_stats                  | Cannot login                                   | {}

 pg_read_server_files             | Cannot login                                   | {}

 pg_signal_backend               | Cannot login                                   | {}

 pg_stat_scan_tables             | Cannot login                                   | {}

 pg_write_server_files            | Cannot login                                   | {}

 postgres                                | Superuser, Create role, Create DB, Replication | {}

 tms                                        |                                                        | {}

So it appears tms DB user didn't get set up properly?

What should I do about the PostgreSQL v11 path not being what's expected by the IRIS start script? If not a symbolic link,

just modify the service start command in the script?

Thanks again.  Rob 

[Lau, Douglas (MNIT)]

Rob,

It looks like the tms user got added correctly (the last line of the \du output was expected).

I wouldn't worry about the iris_ctl script -- that's not causing your login problem.  What is the error you get when you try to start IRIS?

-Doug Lau

---

From: 'Rob McKnight' via IRIS ATMS <iri...@googlegroups.com>

Sent: Tuesday, March 5, 2019 4:30 PM

[Rob McKnight]

Hello Doug,

It's a failed authentication for tms user.
From /var/log/iris/iris.stderr:

Suppressed: org.postgresql.util.PSQLException: FATAL: Ident authentication failed for user "tms"

(happens over and over again)

--------------------------------------------

On Wed, 3/6/19, Lau, Douglas (MNIT) <doug...@state.mn.us> wrote:

Subject: Re: Evaluating IRIS 4.87 and ran into tms authentication error

To: "iri...@googlegroups.com" <iri...@googlegroups.com>
Date: Wednesday, March 6, 2019, 4:39 AM

Rob,

It looks like the tms user got added correctly (the last
line of the \du output was expected).

I wouldn't worry about the iris_ctl script -- that's
not causing your login problem.  What is the error you get
when you try to start IRIS?

-Doug Lau

From:
'Rob McKnight' via IRIS ATMS <iri...@googlegroups.com>

Sent: Tuesday, March 5, 2019 2:17 PM

To: IRIS ATMS

Subject: Evaluating IRIS 4.87 and ran into tms
authentication error
 


Our organization is exploring using IRIS in
the near future.
I installed a new CentOS v7.6 server as well as DNF
(still uses 'yum' by default) and then tried
following the install instructions in the Admin Guide.
It failed miserably so I installed as many
prerequisites as were listed. PostgreSQL v11 doesn't
seem to be IRIS's preferred version (still looks
for
v10 service name) but IRIS install was eventually
successful. Right before an attempt was made to start the
PostgreSQL DB using the old (v10) 
service name, there were four lines similar to
"/bin/iris_ctl: line 72:

/var/lib/pgsql/data/ postgresql.conf: No such file or

[Lau, Douglas (MNIT)]

Can you check the pg_hba.conf file?  It should be somewhere similar to /var/lib/pgsql/data  (don't need the comments in the file)

-Doug Lau

---

From: 'Rob McKnight' via IRIS ATMS <iri...@googlegroups.com>

Sent: Wednesday, March 6, 2019 8:34 AM
To: iri...@googlegroups.com

 https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2F&amp;data=02%7C01%7Cdoug.lau%40state.mn.us%7C2fcb7717dd14490f132a08d6a240d8a2%7Ceb14b04624c445198f26b89c2159828c%7C0%7C1%7C636874796730431040&amp;sdata=jSvPxmvi3wFBfR0yyH%2FRGdAwTg828Wg2Mrc9qKpesrU%3D&amp;reserved=0 optout.

 
 
 
 
 
 
 
 --
 
 You received this message because you are subscribed to the
 Google Groups "IRIS ATMS" group.
 
 To unsubscribe from this group and stop receiving emails
 from it, send an email to
 irisits+u...@
 googlegroups.com.
 
 For more options, visit

 https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2F&amp;data=02%7C01%7Cdoug.lau%40state.mn.us%7C2fcb7717dd14490f132a08d6a240d8a2%7Ceb14b04624c445198f26b89c2159828c%7C0%7C1%7C636874796730431040&amp;sdata=jSvPxmvi3wFBfR0yyH%2FRGdAwTg828Wg2Mrc9qKpesrU%3D&amp;reserved=0 optout.

 
 
 
 
 
 
 
 --
 
 You received this message because you are subscribed to the
 Google Groups "IRIS ATMS" group.
 
 To unsubscribe from this group and stop receiving emails
 from it, send an email to
 irisits+u...@googlegroups.com.
 
 For more options, visit

 https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Foptout&amp;data=02%7C01%7Cdoug.lau%40state.mn.us%7C2fcb7717dd14490f132a08d6a240d8a2%7Ceb14b04624c445198f26b89c2159828c%7C0%7C1%7C636874796730431040&amp;sdata=zP7WYTYtimRsVUlmGEldAPKuiNDcsdT51wppPBWZU8w%3D&amp;reserved=0.

 
 
 
 
 --
 
 You received this message because you are subscribed to the
 Google Groups "IRIS ATMS" group.
 
 To unsubscribe from this group and stop receiving emails
 from it, send an email to irisits+u...@googlegroups.com.
 

 For more options, visit https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Foptout&amp;data=02%7C01%7Cdoug.lau%40state.mn.us%7C2fcb7717dd14490f132a08d6a240d8a2%7Ceb14b04624c445198f26b89c2159828c%7C0%7C1%7C636874796730431040&amp;sdata=zP7WYTYtimRsVUlmGEldAPKuiNDcsdT51wppPBWZU8w%3D&amp;reserved=0.

 

--
You received this message because you are subscribed to the Google Groups "IRIS ATMS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to irisits+u...@googlegroups.com.

For more options, visit https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Foptout&amp;data=02%7C01%7Cdoug.lau%40state.mn.us%7C2fcb7717dd14490f132a08d6a240d8a2%7Ceb14b04624c445198f26b89c2159828c%7C0%7C1%7C636874796730431040&amp;sdata=zP7WYTYtimRsVUlmGEldAPKuiNDcsdT51wppPBWZU8w%3D&amp;reserved=0.

[Rob McKnight]

Our path is /var/lib/pgsql/11/data.

Here's the contents of pg_hba.conf:

# "local" is for Unix domain socket connections only

local   all             all                                     peer

# IPv4 local connections:

host    all             all             127.0.0.1/32        ident

# IPv6 local connections:

host    all             all             ::1/128                 ident

# Allow replication connections from localhost, by a user with the

# replication privilege.

local   replication     all                                     peer

host    replication     all          27.0.0.1/32        ident

host    replication     all          ::1/128               ident

[Michael Janson]

Rob,

I'm guessing the problem could be that the tms user was created when you first ran the init script, but the password referenced by IRIS in /etc/iris/iris-server.properties was updated after running the script again.  I would try logging in to PostgreSQL as the postgres user and change the tms password to be what's located in /etc/iris/iris-server.properties.  Just a thought.

For more options, visit https://groups.google.com/d/optout.

[Rob McKnight]

That could well be, Michael.
When I first ran the iris install, I didn't have any of the prerequisites installed and
'dnf' wasn't able to install them properly. So after installing the prerequisites, I
re-ran the iris install and things completed successfully. But if the tms user was
created initially with a different password, maybe that's my problem. Thanks for
the suggestion.
--------------------------------------------

On Wed, 3/6/19, Michael Janson <michael.r...@gmail.com> wrote:

Subject: Re: Evaluating IRIS 4.87 and ran into tms authentication error
To: iri...@googlegroups.com

Date: Wednesday, March 6, 2019, 6:19 AM

[Lau, Douglas (MNIT)]

I think we found your problem.  Your Postgres is configured for "ident" authentication, but IRIS requires "password".

Can you change ident to password on the line for IPv4 local connections (127.0.0.1/32)?  Afterwards, you need to restart the postgres server.

-Doug Lau

---

From: 'Rob McKnight' via IRIS ATMS <iri...@googlegroups.com>

Sent: Wednesday, March 6, 2019 9:17 AM

For more options, visit https://groups.google.com/d/optout.

[Rob McKnight]

Thanks Doug! I'll make that change right now (and restart Postgres).

--------------------------------------------
On Wed, 3/6/19, Lau, Douglas (MNIT) <doug...@state.mn.us> wrote:

Subject: Re: Evaluating IRIS 4.87 and ran into tms authentication error
To: "iri...@googlegroups.com" <iri...@googlegroups.com>

Date: Wednesday, March 6, 2019, 6:23 AM

[Rob McKnight]

After making the change to pg_hba.conf and shutting down / restarting PostgreSQL,
here's what I'm seeing now in /var/log/iris/iris.stderr when I start IRIS:

# tail -20 /var/log/iris/iris.stderr
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at us.mn.state.dot.tms.server.SQLConnection.open(Unknown Source)
at us.mn.state.dot.tms.server.SQLConnection._createStatement(Unknown Source)
at us.mn.state.dot.tms.server.SQLConnection.createStatement(Unknown Source)
at us.mn.state.dot.tms.server.SQLConnection.getStatement(Unknown Source)
at us.mn.state.dot.tms.server.SQLConnection.query(Unknown Source)
at us.mn.state.dot.tms.server.IrisCapabilityImpl.lookup(Unknown Source)
at us.mn.state.dot.tms.server.MainServer.main(Unknown Source)

Suppressed: org.postgresql.util.PSQLException: FATAL: Ident authentication failed for user "tms"

at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:514)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:141)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:201)
... 13 more
IRIS 4.87.0 restarted @ Wed Mar 06 06:41:32 AKST 2019
Assertions are turned off.
IRIS Server active

The tms user authentication is still failing (haven't tried resetting its password yet)
and I'm seeing references to us.mn.state.dot.tms.server (should I modify something
to point to our own server?) but IRIS appears to have started.
Thanks again, Doug!

[Lau, Douglas (MNIT)]

The references to us.mn.state.dot.tms.server are just the Java package names for the code.  Don't worry about it.

I think most of those lines in the log are from before you restarted.  The new ones are the last 3, which look good.  You can delete the file and restart IRIS to be sure.

-Doug Lau

---

From: 'Rob McKnight' via IRIS ATMS <iri...@googlegroups.com>

Sent: Wednesday, March 6, 2019 9:47 AM
To: iri...@googlegroups.com

--
You received this message because you are subscribed to the Google Groups "IRIS ATMS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to irisits+u...@googlegroups.com.

For more options, visit https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Foptout&amp;data=02%7C01%7Cdoug.lau%40state.mn.us%7C3049d9b6b0794aa1340b08d6a24b04fe%7Ceb14b04624c445198f26b89c2159828c%7C0%7C1%7C636874840420967009&amp;sdata=9w2GAmmsB5PHOxHojCA5tTmOn5t7Y06WCEdBKFly3bo%3D&amp;reserved=0.

[Rob McKnight]

Thanks Doug. IRIS seems to be acting normally. I browsed to our server's
http://<server-name>/iris-client/
and saw the list of instructions for getting the Java client to work.
Thanks again for your asssitance!

--------------------------------------------
On Wed, 3/6/19, Lau, Douglas (MNIT) <doug...@state.mn.us> wrote:

Subject: Re: Evaluating IRIS 4.87 and ran into tms authentication error
To: "iri...@googlegroups.com" <iri...@googlegroups.com>

Date: Wednesday, March 6, 2019, 6:55 AM