DA - dmadmin can login without valid password

Hi,

after Docbase cloning, the user dmadmin is able to login into the DA without a valid password. During the cloning process we changed the hostname. We processed the following steps:

1. Shutdown all the repositories on the target server 
2. Backup the database 
3. Rename the AEK file or rename it and move it some where else 
4. From sql on the database update dm_docbase_config_s set i_crypto_key = ' '
5. From sql on the database update dm_docbase_config_s set i_ticket_crypto_key = ' '
6. from sql: SQL> select r_object_id from dmi_vstamp_s where i_application = 'dm_docbase_config_crypto_key_init'; 
7. delete from dmi_object_type where r_object_id = 'returned r_object_id from above'; 
8. SQL> commit; 
9. SQL> delete from dmi_vstamp_s where r_object_id = 'returned r_object_id from step above' 
10. SQL> commit; 
11. SQL> select r_object_id from dmi_vstamp_s where i_application = ¿dm_docbase_config_ticket_crypto_key_init¿; 
12. SQL> delete from dmi_object_type where r_object_id = 'returned r_object_id from above'; 
13. SQL> delete from dmi_vstamp_s where r_object_id = 'returned r_object_id from step above' 
14. SQL> commit 
15. run this file from $DM_HOME/bin: dm_crypto_create 
16. - To re-encrypt the dbpasswd.txt file do the following 
cd $DM_HOME/bin 
17. dm_encrypt_password -repository <repository name> -rdbms -encrypt <database password> 
18. You need to do all modification on the database for each repository NOT just step 15!! 
19. Startup the repositories.

The trace output for the dmadmin login is :

Tue Apr 06 12:53:46 2010 123000: 3400[6016] AT 6016:

Final Auth Result=T, LOGON_NAME=dmadmin,

AUTHENTICATION_LEVEL=9,

OS_LOGON_NAME=dmadmin,

OS_LOGON_DOMAIN=s-waugz2favt01,

CLIENT_HOST_NAME=S-WAUGZ2FAVT01,

CLIENT_HOST_ADDR=192.168.213.66,

USER_LOGON_NAME_RESOLVED=1,

AUTHENTICATION_ONLY=0,

userID=110227b080000102,

USER_NAME=dmadmin,

USER_OS_NAME=dmadmin,

USER_LOGIN_NAME=dmadmin,

USER_LOGIN_DOMAIN=S-WAUGZ2FAVT01,

USER_EXTRA_CREDENTIAL[0]=S-WAUGZ2FAVT01,

USER_EXTRA_CREDENTIAL[1]=,

USER_EXTRA_CREDENTIAL[2]=,

USER_EXTRA_CREDENTIAL[3]=005056b157a0, USER_EXTRA_CREDENTIAL[4]=DM_TOKEN=AAAAAQAAAOQAAAACAAAAAUux81JPdFpSAAAAOGZhdn

Byb2QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAHMtd2F1Z3oyZmF2dDAxAAAAAATTAAAAAAAAAAAAAAAAAGZhdnByb2QAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAFMtV0FVR1oyRkFGGDAxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAMDA1MDU2YjE1N2EwAAAAZFZtcW5KczNZbVZOQm1RWEVrMVNlK2trSWhHMHZOQU

RjejZqK3laREZ2NVpDN1hrZDVjR0ZBPT0=,

USER_EXTRA_CREDENTIAL[5]=

From my point of view the authentication level 9 is not correct for dmadmin. How can i change the authentication level from 9 to 8?

Thanks.

Ragnar

Find more posts tagged with

Comments

bacham2

I suppose that your app server is installed on the same machine is Content Server and running as the Documentum installation owner account (dmadmin by default). That's generally not a good idea because it could be a security hole.This is probably what is happening in your case: Content Server opens the session because trusted login succeeds (because app server is running as dmadmin).

If you need to keep it that way, add the following line to the dfc.properties file used by DA:

dfc.session.allow_trusted_login = false

Hicham

rgriebel

Hi,

I suppose that your app server is
installed on the same machine is Content Server and running as the
Documentum installation owner account (dmadmin by default). That's
generally not a good idea because it could be a security hole.This is
probably what is happening in your case: Content Server opens the
session because trusted login succeeds (because app server is running
as dmadmin).If you need to keep it that way, add the following line to the dfc.properties file used by DA:dfc.session.allow_trusted_login = falseHicham

you are right, the application server is installed on the same machine. This is a test- and trainingsystem with a separated database, it's only available in our internal subnet. So, there is no reason to think about a security hole.

I added the line "dfc.session.allow_trusted_login=false" in my dfc.properties but without any result. Before restarting the Content Server and Application Server i deleted all caches. The user dmadmin can still login without a valid password. Strange!

Any other idea?

Thank

Ragnar

bacham2

1. Maybe DA is using a different dfc.properties than the one you changed.

2. Can it be that dmadmin has a blank password? Can you login from a remote machine (e.g. using iapi or idql or small DFC program) as dmadmin without password?

rgriebel

i cannot find any other dfc.properties... i tried to login from my local machine with iapi32.exe and blank password, this fails. When i try to connect from my local machine via iapi32 and enter the right password it works....

Can it be an cache problem?

Thanks.

Ragnar

Francois Dauberlieu

There is an option in the user object to allow login even if failed (can't remember the proper name though, check in the user management in DA), it is usually automatically set for the Docbase owner, if you switch it off, it might solve the problem

bacham2

If you mean failed_auth_attempt, that's something different. It doesn't explain the problem. Besides, I would be worried if such a "feature" existed (e.g. "please log me in even if I enter the wrong passord").

1. Can you dump the dm_user object for dmadmin and post it here?

2. You may have to turn on authentication trace to see what's going on. You can either do it with the apply method SET_OPTIONS or at server startup by adding -otrace_authentication option. Once enable, log in via DA as dmadmin and look at the docbase log. You may also want to login as a normal user to see the differences in the log.

rgriebel

Good morning,

here i am with the trace output of login attemps. The first one is another system user, this user cannot login without a valid password. The second is the trace from the dmadmin user.

Attached you will find the dmp of dmadmin user object.

Login User favprod (Systemuser), this user works correct
Wed Apr 07 10:06:35 2010 286000: 3304[5992] AT 5992: 
Final Auth Result=T, 
LOGON_NAME=favprod, 
AUTHENTICATION_LEVEL=8, 
OS_LOGON_NAME=dmadmin, 
OS_LOGON_DOMAIN=s-waugz2favt01, 
CLIENT_HOST_NAME=S-WAUGZ2FAVT01, 
CLIENT_HOST_ADDR=192.168.213.66, 
USER_LOGON_NAME_RESOLVED=1, 
AUTHENTICATION_ONLY=0, 
userID=110227b080000101, 
USER_NAME=favprod, 
USER_OS_NAME=favprod, 
USER_LOGIN_NAME=favprod, 
USER_LOGIN_DOMAIN=S-WAUGZ2FAVT01, 
USER_EXTRA_CREDENTIAL[0]=S-WAUGZ2FAVT01, 
USER_EXTRA_CREDENTIAL[1]=, 
USER_EXTRA_CREDENTIAL[2]=, 
USER_EXTRA_CREDENTIAL[3]=005056b157a0, 
USER_EXTRA_CREDENTIAL[4]=DM_TOKEN=AAAAAQAAAOQAAAACAAAAAUux81JPdFp
SAAAAOGZhdnByb2QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAHMtd2F1Z3oyZmF2dDAxAAAAAAAAAAAAAAAAA
AAAAAAAAGZhdnByb2QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFMtV0FVR1oyRk
FWVDAxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMDA1MDU
2YjE1N2EwAAAAZFZtcW5KczNZbVZOQm1RWEVrMVNlK2trSWhHMHZOQURjejZqK3la
REZ2NVpDN1hrZDVjR0ZBPT0=, 
USER_EXTRA_CREDENTIAL[5]=

Login User dmadmin (Systemuser), this user can login without a valid password
Wed Apr 07 10:07:02 2010 021000: 3304[5168] AT 5168: 
Final Auth Result=T, 
LOGON_NAME=dmadmin, 
AUTHENTICATION_LEVEL=9, 
OS_LOGON_NAME=dmadmin, 
OS_LOGON_DOMAIN=s-waugz2favt01, 
CLIENT_HOST_NAME=S-WAUGZ2FAVT01, 
CLIENT_HOST_ADDR=192.168.213.66, 
USER_LOGON_NAME_RESOLVED=1, 
AUTHENTICATION_ONLY=0, 
userID=110227b080000102, 
USER_NAME=dmadmin, 
USER_OS_NAME=dmadmin, 
USER_LOGIN_NAME=dmadmin, 
USER_LOGIN_DOMAIN=S-WAUGZ2FAVT01, 
USER_EXTRA_CREDENTIAL[0]=S-WAUGZ2FAVT01, 
USER_EXTRA_CREDENTIAL[1]=, 
USER_EXTRA_CREDENTIAL[2]=, 
USER_EXTRA_CREDENTIAL[3]=005056b157a0, 
USER_EXTRA_CREDENTIAL[4]=DM_TOKEN=AAAAAQAAAOQAAAACAAAAAUux81JPdFpS
AAAAOGZhdnByb2QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAHMtd2F1Z3oyZmF2dDAxAAAAAAAAAAAAAAAAAAAA
AAAAAGZhdnByb2QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFMtV0FVR1oyRkFWVD
AxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMDA1MDU2YjE1
N2EwAAAAZFZtcW5KczNZbVZOQm1RWEVrMVNlK2trSWhHMHZOQURjejZqK3laREZ2NV
pDN1hrZDVjR0ZBPT0=, 
USER_EXTRA_CREDENTIAL[5]=

Thanks

Ragnar

rgriebel

Note: In the trace output of login attempts you can see the variant AUTHENTICATION_LEVEL

bacham2

What I meant by "dump" is this:

retrieve,c,dm_user where user_name = 'dmadmin'

dump,c,l

Nothing to do with dump and load!

You can also dump it directly if you know the ID:

dump,c,110227b080000102

The trace you sent is not what I expected. Where did you get this from? If you turn on trace_authenticaiton, you should see the process of how Content Server tries out the various authentication mecanisms in the docbase log.

I noticed the DM_TOKEN=AAAAA... arguments. Are you using application access tokens?

rgriebel

Hi,

here is the dump output:

API>retrieve,c,dm_user where user_name = 'dmadmin'
...
110227b080000102
API>dump,c,l
...
USER ATTRIBUTES

  user_name                  : dmadmin
  user_os_name               : dmadmin
  user_address               : some_email@emc.com
  user_group_name            : docu
  user_privileges            : 16
  owner_def_permit           : 7
  world_def_permit           : 3
  group_def_permit           : 5
  default_folder             : /dmadmin
  user_db_name               : dmadmin
  description                : 
  acl_domain                 : dmadmin
  acl_name                   : dm_450227b080000102
  user_os_domain             : s-waugz2favt01
  home_docbase               : 
  user_state                 : 0
  client_capability          : 8
  globally_managed           : F
  user_delegation            : 
  workflow_disabled          : F
  alias_set_id               : 0000000000000000
  user_source                : 
  user_ldap_dn               : 
  user_xprivileges           : 0
  failed_auth_attempt        : -1
  user_admin                 : 
  user_global_unique_id      : s-waugz2favt01:dmadmin
  user_login_name            : dmadmin
  user_login_domain          : S-WAUGZ2FAVT01
  user_initials              : 
  user_password              : ****************
  user_web_page              : 
  first_failed_auth_utc_time : nulldate
  last_login_utc_time        : 4/6/2010 16:48:17
  deactivated_utc_time       : nulldate
  deactivated_ip_addr        : 
  restricted_folder_ids    []: <none>

SYSTEM ATTRIBUTES

  r_object_id                : 110227b080000102
  r_is_group                 : F
  r_modify_date              : 4/6/2010 18:50:31
  r_has_events               : F

APPLICATION ATTRIBUTES


INTERNAL ATTRIBUTES

  i_is_replica               : F
  i_vstamp                   : 62

I will search in the logfile for more Informations about the login attempts.

Thanks

Ragnar

rgriebel

Hi,

here are the login attempts.

Wed Apr 07 11:39:53 2010 823000: 3304[2140] AT 2140: Found dm_user.user_login_name(dmadmin), dm_user.user_login_domain(S-WAUGZ2FAVT01)
Wed Apr 07 11:39:53 2010 823000: 3304[2140] AT 2140: Start-AuthenticateDomain:LogonName(dmadmin), UserExtraDomain(), auth_protocol()
Wed Apr 07 11:39:53 2010 823000: 3304[2140] AT 2140: AuthenticateDomain - no domain required:
domainOverride(False), 
user_login_domain(S-WAUGZ2FAVT01), 
serverAuthTarget(s-waugz2favt01), 
userAuthTarget()
Wed Apr 07 11:39:53 2010 823000: 3304[2140] AT 2140: End-AuthenticateDomain:
Wed Apr 07 11:39:53 2010 823000: 3304[2140] AT 2140: success
Wed Apr 07 11:39:53 2010 823000: 3304[2140] AT 2140: Start-AuthenticateUserState:
UserLoginName(dmadmin), 
UserExtraDomain(S-WAUGZ2FAVT01) 
Wed Apr 07 11:39:53 2010 823000: 3304[2140] AT 2140: Start-AuthenticateUserState: 
Wed Apr 07 11:39:53 2010 823000: 3304[2140] AT 2140: dmStateForUser: auth_protocol() 
Wed Apr 07 11:39:53 2010 823000: 3304[2140] AT 2140: End-AuthenticateUserState:
Wed Apr 07 11:39:53 2010 823000: 3304[2140] AT 2140: success
Wed Apr 07 11:39:53 2010 823000: 3304[2140] AT 2140: Start-AuthenticateByTrust:
OSLogonName(dmadmin), 
UserLoginName(dmadmin), 
OSLogonDomain(s-waugz2favt01), 
UserExtraDomain(S-WAUGZ2FAVT01) 
Wed Apr 07 11:39:53 2010 823000: 3304[2140] AT 2140: End-AuthenticateByTrust:
Wed Apr 07 11:39:53 2010 823000: 3304[2140] AT 2140: success
Wed Apr 07 11:39:53 2010 823000: 3304[2140] AT 2140: Final Auth Result=T, 
LOGON_NAME=dmadmin, 
AUTHENTICATION_LEVEL=9, 
OS_LOGON_NAME=dmadmin, 
OS_LOGON_DOMAIN=s-waugz2favt01, 
CLIENT_HOST_NAME=S-WAUGZ2FAVT01, 
CLIENT_HOST_ADDR=192.168.213.66, 
USER_LOGON_NAME_RESOLVED=1, 
AUTHENTICATION_ONLY=0, 
userID=110227b080000102, 
USER_NAME=dmadmin, 
USER_OS_NAME=dmadmin, 
USER_LOGIN_NAME=dmadmin, 
USER_LOGIN_DOMAIN=S-WAUGZ2FAVT01, 
USER_EXTRA_CREDENTIAL[0]=S-WAUGZ2FAVT01, 
USER_EXTRA_CREDENTIAL[1]=, 
USER_EXTRA_CREDENTIAL[2]=, 
USER_EXTRA_CREDENTIAL[3]=005056b157a0, 
USER_EXTRA_CREDENTIAL[4]=DM_TOKEN=AAAAAQAAAOQAAAACAAAAAUux81JPdFpSAAAAOGZhdnByb2QAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHMtd2F1Z3oyZmF2dDAxAA
AAAAAAAAAAAAAAAAAAAAAAAGZhdnByb2QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFMtV0FVR1oyRkFWVDAxAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMDA1MDU2YjE1N2EwAAAAZFZtcW5KczNZbVZOQm1RWEV
rMVNlK2trSWhHMHZOQURjejZqK3laREZ2NVpDN1hrZDVjR0ZBPT0=, USER_EXTRA_CREDENTIAL[5]=
Wed Apr 07 11:39:58 2010 448000: 3304[5336] AT 5336: Start-AuthenticateUser: 
ClientHost(S-WAUGZ2FAVT01), 
LogonName(dmadmin), 
LogonOSName(dmadmin), 
LogonOSDomain(s-waugz2favt01), 
UserExtraDomain(), 
ServerDomain(s-waugz2favt01) 
Wed Apr 07 11:39:58 2010 448000: 3304[5336] AT 5336: Start-AuthenticateUserName: 
Wed Apr 07 11:39:58 2010 448000: 3304[5336] AT 5336: dmResolveNamesForCredentials: auth_protocol() 
Wed Apr 07 11:39:58 2010 448000: 3304[5336] AT 5336: End-AuthenticateUserName: dm_user.user_login_domain(S-WAUGZ2FAVT01)
Wed Apr 07 11:39:58 2010 448000: 3304[5336] AT 5336: success

The user session is started by AuthenticateByTrust... this is strange, because i set the parameter dfc.session.allow_trusted_login=false in the dfc.properties file. Currently I started a search in files with the expression "allow_trusted_login". Is there another way to to set this parameter?

Thanks

Ragnar

XdctmX

Which dfc.properties did you change? There is one under \YOURWEBAPP\webapps\da\WEB-INF\classes