Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

NMAS ship with eDirectory for NetWare

10 views
Skip to first unread message

HeCtOr

unread,
Feb 10, 2010, 10:48:19 AM2/10/10
to
I am currently on NetWare 6.5 with Support Pack 6 and was reading some
threads a year ago about NMAS logins failing due to a policy refresh that
can happen during an OES install or a NetWare support pack install.

The fix was an NMAS fix.

Does a newer NMAS come with SP8, or would I need to get a Security Services
patch, or an NMAS patch? It seems the distribution method for that has
changed a lot.


a...@novell.com

unread,
Feb 10, 2010, 11:23:20 AM2/10/10
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, a newer NMAS should come with SP8, especially if you use eDirectory
8.8.x on there (8.8.5 patch 2 is current).

Good luck.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJLct12AAoJEF+XTK08PnB5e4sQAIfSD5R5hzn4HNYObkUEqYxg
nFdrO+U18qjWjl89UbraAnDJy3fyYDZMMWMWVF3k1iESSGBnbVjZ1SscoPRM+tdC
0ZdtJDyWbwvSJ30LO3A3FUDj3Fss9ZPouYnSfTaT8Y/DSKDq5vgpxoQvfveZeKcQ
i25lcairCamfdBlEupoPdcOiBwL0j4+OhGfao3yGOBA3UU7cKWzH7cz1h1nC3hdG
MwvkTLzdjEPP26uv8ere+tMsxwZRQ2/WzYgW5iExTx/4FObeiyRgoSc88y8Kuxpr
xl0p51RT8cRTMI9zvG9uHNf49K0QhaTtNUqRpL2vOIDpY6llXXwunLqQaMSoKpWd
kXKnfQe8bQWtuTGDC73VMYHuCSaRuvYaJz7+teTHjpG9ip26b7rmqEY1MCT1hqns
9evCgvsJudnY74ZMwkipdNKCnBD2ghBIWJMr29ycuowW/eWeo1V6IULUSFcLeDG+
K5z7K5H+1soaHV3b1QkTkdu6hs4KuR8ctl4LIxU71YPfE1YGHX3LG2z8cyYIQcqk
Uf8neM6vsIVn7CmxiAzxeQjY20ykaUNWtaaUg7wfl3fMCKwxCg5QOf2l2uD5Q758
VeWmNnGlrDQ53JykvI8wevFs6hcbHCAPyB+AEBFiKEw3gZ1Sk9M8fSk9yvwZsDKO
TWEi8mpPZNhleAWke3j2
=AKCx
-----END PGP SIGNATURE-----

HeCtOr

unread,
Feb 15, 2010, 9:05:50 AM2/15/10
to
Then what are these Security Services patches?

<a...@novell.com> wrote in message
news:Y3Bcn.1318$yE3...@kovat.provo.novell.com...

a...@novell.com

unread,
Feb 15, 2010, 9:48:17 AM2/15/10
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

They're for 8.7.x. Go to 8.8.x with SP8 and you won't have 8.7.x.

Good luck.

On 02/15/2010 07:05 AM, HeCtOr wrote:
> Then what are these Security Services patches?
>
> <a...@novell.com> wrote in message
> news:Y3Bcn.1318$yE3...@kovat.provo.novell.com...

> Yes, a newer NMAS should come with SP8, especially if you use eDirectory
> 8.8.x on there (8.8.5 patch 2 is current).
>
> Good luck.
>
>
>
>
>
> On 02/10/2010 08:48 AM, HeCtOr wrote:
>>>> I am currently on NetWare 6.5 with Support Pack 6 and was reading some
>>>> threads a year ago about NMAS logins failing due to a policy refresh that
>>>> can happen during an OES install or a NetWare support pack install.
>>>>
>>>> The fix was an NMAS fix.
>>>>
>>>> Does a newer NMAS come with SP8, or would I need to get a Security
>>>> Services
>>>> patch, or an NMAS patch? It seems the distribution method for that has
>>>> changed a lot.
>>>>
>>>>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJLeV6sAAoJEF+XTK08PnB5MW8QAJlPgNE31odCKOOoyfJeW7OT
V0BbLeKWEY6KPJ3atJNNeGw3+F8GVtxLvinkeL+AftV1D2OeAevW+kAUgE4Bcifv
EPxYcRk3aLG9Az7BIkST+xEdMtPGYwgAlUOg21dKBe/kOHdhhIOYhZWBKBY44sL2
3lV0WVn44rpGfKIXYJwXD0/jBznVPR0mH2Gifyz3ak5K0BVMD8Tgu3APoiDQ4qEV
qBydb5dTT07st5p0Rc56B70eKiFpRntLIGypSqITEiE2V/7tOnpJxfBwj9wvoRtc
Dd6Bic97f0wwGELhwg3LiI/IOHQZjdnxrDyW9FKZIDXDN2LdpfSpNnQdZDlapLwW
wVWZgbjk7LBYVMBLOuIM0x9nRLrtjL+vt2xsA00/Wo4/wAp4gQV+MJfPBa+J20bp
gWMKC6cqePTPwqPOBcFKrjL6+n2cQBQWU4pkVJBqDlrsXIJQkFaDrI0t2enEiYKb
e7K5uvCMq+lY9zBeCcxirCm1+c3YRL1nbqRe+YnzkiA1J969U4dBo/UzE4df1skc
un6FaJpPjSKqL9WM5JCtIOiCKFVN24ytbWis64IxbmtvbzSLTVkjTN52Fd4jtvxC
txvdLPUIgc08j/pAmnZVY/dFv6HvRkkhLeHsUP7lAplg2P2wIJLukOD+4Z7dQbJt
r0nzMWZekERrf/1feNE4
=JY4w
-----END PGP SIGNATURE-----

Massimo Rosen

unread,
Feb 16, 2010, 6:43:04 AM2/16/10
to
Hi,

jedijeff wrote:
>
> There used to be a way to get the updated NMAS if you wanted to stay on
> edir 8.7, but I do not remember it.

Actually, it's much easier. They're simply combined post-SP patches for
nici, nmas and PKI. None of the existing security services patch applies
to SP8, they're all for older service packs. That's true totally
regardless of the installed eDir version. SP8 is current either way.

CU,
--
Massimo Rosen
Novell Product Support Forum Sysop
No emails please!
http://www.cfc-it.de

HeCtOr

unread,
Feb 16, 2010, 9:46:47 AM2/16/10
to
This is all very confusing now. I am looking at TID 7002047 regarding an
issue with NMAS login stop working.

I am on NetWare 6.5 SP6 and on eDirectory v8.7x.

I am trying to determine how to fix this issue. SS206 seems to be the last
security services patch. Does that have the new NMAS in it? Can I apply that
to SP6?

"Massimo Rosen" <mros...@SPAMcfc-it.de> wrote in message
news:4B7A84C7...@SPAMcfc-it.de...

HeCtOr

unread,
Feb 16, 2010, 9:52:24 AM2/16/10
to
SS206 needs to have eDirectory v8.7SP10 which I am pretty sure I do not
have.

The big picture is I am trying to get my NetWare servers which are on SP6 up
to date to SP8 and edirectory v8.8(maybe) before the end of general support.

I ran into this login bug when I tried to update a server to SP7.
Researching for weeks I found that SP7 changed the time on my SAS:Login
Policy Object which I assumed triggered the NMAS refresh and stopped all my
logins.

I am now very confused on how I get from Point A to Point B without
incurring this bug again.

"HeCtOr" <som...@uga.edu> wrote in message
news:rdyen.2825$yE3...@kovat.provo.novell.com...

Massimo Rosen

unread,
Feb 16, 2010, 12:46:13 PM2/16/10
to
Hi,

HeCtOr wrote:
>
> This is all very confusing now.

Actually, no. :) It's much less confusing than it initially seemed.

> I am looking at TID 7002047 regarding an
> issue with NMAS login stop working.

Yes.



> I am on NetWare 6.5 SP6 and on eDirectory v8.7x.

So you're seriously outdated, and that TID (which is two years newer
than your OS) doesn't reyll apply to you.



> I am trying to determine how to fix this issue.

You install SP8, and then the post-SP8 NMAS patch.

> SS206 seems to be the last
> security services patch.

No. It's the last *PRE*-SP8. SP8 obsoletes SS206. Don't get confused by
the current date of the SS206 patch. It's readme got updated, which
unfortunately also updates its release date.

> Does that have the new NMAS in it?

No! It's well over a year older than the NMAS patch mentioned in the
TID, and SS206 doesn't apply to SP8.

> Can I apply that
> to SP6?

Why would you want to? It's most definitely not tested against SP6. It
is a really pointless excercise to try to fix a current issue on such an
outdated SP version.

HeCtOr

unread,
Feb 16, 2010, 1:42:10 PM2/16/10
to
The scenario though, is as soon as I apply SP8 I will have the login issue
as the SP update will increment the attribute which causes the NMAS refresh
which could cause the Login issue.

I need to address the NMAS fix first.

"Massimo Rosen" <mros...@SPAMcfc-it.de> wrote in message

news:4B7AD9E4...@SPAMcfc-it.de...

Massimo Rosen

unread,
Feb 16, 2010, 2:13:57 PM2/16/10
to
Hi,

HeCtOr wrote:
>
> The scenario though, is as soon as I apply SP8 I will have the login issue
> as the SP update will increment the attribute which causes the NMAS refresh
> which could cause the Login issue.

I don't think so, no. AFAIK SP8 doesn't chnage anything on it's own on
the NMAS settings, as you already had SP7 in the tree.

> I need to address the NMAS fix first.

You can't.

HeCtOr

unread,
Feb 23, 2010, 10:20:21 AM2/23/10
to
I had the issue three times. Each time logins quit working until all the
Root servers were restarted, which was much longer than three minutes. I
suppose it really does depend on how much login traffic you are getting.

I will simply do this SP after hours this time.

"Massimo Rosen" <mros...@SPAMcfc-it.de> wrote in message

news:4B83EB93...@SPAMcfc-it.de...
> Hi,
>
> HeCtOr wrote:
>>
>> I had read somewhere about someone having this issue and tuning the NMAS
>> refresh on the server. I am unable to find that thread now. I am not sure
>> whether this helped, or fixed the problem though.
>>
>> My issue is with 6 servers holding [Root], I am now exposed to 6 outages
>> if
>> I chose to put SP8 on each of them.
>
> I think you're overly pessimistic here. I have updated literally
> hundreds of servers to SP8, and *never* had a single NMAS problem. I
> *do* know the issue though, when making changes to the NMAS methods or
> login policies, nmas login tends to stop working for several minutes.

HeCtOr

unread,
Feb 23, 2010, 9:20:56 AM2/23/10
to
I had read somewhere about someone having this issue and tuning the NMAS
refresh on the server. I am unable to find that thread now. I am not sure
whether this helped, or fixed the problem though.

My issue is with 6 servers holding [Root], I am now exposed to 6 outages if

I chose to put SP8 on each of them. I am trying to eliminate that risk, and
I thought the NMAS refresh setting would help, or possibly doing the patch
on the off-hours? The TID implies that may help.

"Massimo Rosen" <mros...@SPAMcfc-it.de> wrote in message

news:4B7AEE75...@SPAMcfc-it.de...

Massimo Rosen

unread,
Feb 23, 2010, 9:52:04 AM2/23/10
to
Hi,

HeCtOr wrote:
>
> I had read somewhere about someone having this issue and tuning the NMAS
> refresh on the server. I am unable to find that thread now. I am not sure
> whether this helped, or fixed the problem though.
>
> My issue is with 6 servers holding [Root], I am now exposed to 6 outages if
> I chose to put SP8 on each of them.

I think you're overly pessimistic here. I have updated literally


hundreds of servers to SP8, and *never* had a single NMAS problem. I
*do* know the issue though, when making changes to the NMAS methods or
login policies, nmas login tends to stop working for several minutes.

CU,

HeCtOr

unread,
Feb 23, 2010, 4:58:52 PM2/23/10
to
That is some nice information.

Is there a way to tell an SP not to update the SAS object referred to in the
TID?

"jedijeff" <jedi...@no-mx.forums.novell.com> wrote in message
news:jedijef...@no-mx.forums.novell.com...
>
> You can do an NMAS trace and look at the session ID. The session ID
> recycled from 0-64. IF this issue gets triggered you session ID will not
> recycle and keep incrementing--like in the 1000's.
>
> Remeber though a very busy server could have session ID at like 250 or
> something,,,but in the thousands means that deadlock has been
> triggered.
>
> If you do a new install simpley uncheck all the nmas issues. As far as
> installing SP's, there is some disagreement as to whether an SP install
> will modify the timestamp on the sas:login policy object. I know SP7 did
> on the first server I put it on, though some people say that cannot
> happen.
>
> I would go into dsbrowse and write down the timestamp of that object
> just incase. Then check it after your SP installs.

>> > 'Untitled Document' (http://www.cfc-it.de)
>
>
> --
> jeff@linux1:~> glxgears
> 120308 frames in 5.0 seconds = 24061.553 FPS
> ------------------------------------------------------------------------
> jedijeff's Profile: http://forums.novell.com/member.php?userid=4732
> View this thread: http://forums.novell.com/showthread.php?t=401164
>


HeCtOr

unread,
Feb 25, 2010, 8:48:28 AM2/25/10
to
I suppose I will just start applying SP8 and hope I do not have the login
issues that I did previously.

"jedijeff" <jedi...@no-mx.forums.novell.com> wrote in message
news:jedijef...@no-mx.forums.novell.com...
>

> i do not know of anyway to that.

>> >> > 'Untitled Document' ('Untitled Document' (http://www.cfc-it.de))


>> >
>> >
>> > --
>> > jeff@linux1:~> glxgears
>> > 120308 frames in 5.0 seconds = 24061.553 FPS
>> >
>> ------------------------------------------------------------------------

>> > jedijeff's Profile: 'NOVELL FORUMS - View Profile: jedijeff'
>> (http://forums.novell.com/member.php?userid=4732)
>> > View this thread: 'NMAS ship with eDirectory for NetWare - NOVELL
>> FORUMS' (http://forums.novell.com/showthread.php?t=401164)

HeCtOr

unread,
Feb 25, 2010, 11:19:51 AM2/25/10
to
Thank you very much.

Do you know what variables to change in an SP to be able to install it
silently, if I do not use Zenworks for Servers?

"jedijeff" <jedi...@no-mx.forums.novell.com> wrote in message
news:jedijef...@no-mx.forums.novell.com...
>

> what i would do if i were you--is monitor your nmas logins. just run a
> dstrace +nmas and look for the sessionID. do this on all your servers
> with Root, assuming security container has not been busted off. Also you
> need to monitor the modification timestamp for SAS:Login Policy Update.
> When that gets modified is when the NMAS refresh will happen. But for
> some reason SP8 issues a refresh. I believe some earlier support packs
> did not.
>
> here is a sample trace of nmas logins behaving normally:
> NMAS: [2009/02/17 9:16:12] 56: Server thread exited
>
> NMAS: [2009/02/17 9:16:12] 56: Pool thread 0x7478f348 work complete
>
> NMAS: [2009/02/17 9:17:35] 57: Destroy NMAS Session for reuse
>
> NMAS: [2009/02/17 9:17:35] 57: Create NMAS Session
>
> You can see the sessionID is below 63 and is incrementing.
>
> Now here was a server that had the deadlock issue:
> NMAS: [2009/02/17 8:46:00] 1276: Pool thread 0x7c013848 awake with new
> work
>
> NMAS: [2009/02/17 8:46:00] 1276: ClientPut: message size=8 queue Size
> 0
>
> NMAS: [2009/02/17 8:46:00] 1276: ClientPut: message size=626 queue
> Size 8
>
> NMAS: [2009/02/17 8:46:00] 1276: ClientGet: message size=8 queue Size
> 0
>
> NMAS: [2009/02/17 8:46:06] 1277: Create NMAS Session
>
> You can see the sessionID is well over 63 and not closing the sessions
> and recycling. At this point all you can do is reboot this particular
> server.
>
> Pretty much your only options. if you find a way to prevent an SP from
> issuing the refresh command please email me or post.


>
> HeCtOr;1938552 Wrote:
>> I suppose I will just start applying SP8 and hope I do not have the
>> login
>> issues that I did previously.

>> >[/color]

0 new messages