|
|
 |
DCE-VMS ALPDCE04_014 DCE V1.4 OpenVMS Alpha ECO Summary
|
TITLE: DCE-VMS ALPDCE04_014 DCE V1.4 OpenVMS Alpha ECO Summary
Modification Date: 23-SEP-99
Modification Type: Updated Kit Supersedes ALPDCE03_014
NOTE: An OpenVMS saveset or PCSI installation file is stored
on the Internet in a self-expanding compressed file.
The name of the compressed file will be kit_name-dcx_vaxexe
for OpenVMS VAX or kit_name-dcx_axpexe for OpenVMS Alpha.
Once the file is copied to your system, it can be expanded
by typing RUN compressed_file. The resultant file will
be the OpenVMS saveset or PCSI installation file which
can be used to install the ECO.
Copyright (c) Compaq Computer Corporation 1999. All rights reserved.
PRODUCT: Distributed Computing Environment For OpenVMS (DCE)
OP/SYS: DIGITAL OpenVMS Alpha
SOURCE: Compaq Computer Corporation
ECO INFORMATION:
ECO Kit Name: ALPDCE04_014
ECO Kits Superseded by This ECO Kit: ALPDCE03_014
ALPDCE02_014
ALPDCE01_014
ECO Kit Approximate Size: 29,916 Blocks
Saveset A - 90 Blocks
Saveset B - 29,826 Blocks
Kit Applies To: OpenVMS Alpha V6.2, V6.2-1H2,
V6.2-1H3, V7.1,
V7.1-1H1, V7.1-1H2
System/Cluster Reboot Necessary: No (See Installation Notes)
Rolling Re-boot Supported: Not Applicable
Installation Rating: 2 - To be installed on all systems running
the listed version(s) of OpenVMS and
using the following feature(s):
This remedial kit contains many Year 2000
related fixes. Any system running DCE
must have this kit installed.
Kit Dependencies:
The following remedial kit(s) must be installed BEFORE
installation of this kit:
None
In order to receive all the corrections listed in this
kit, the following remedial kits should also be installed:
None
ECO KIT SUMMARY:
An ECO kit exists for DCE V1.4 on OpenVMS Alpha V6.2, V6.2-1H2,
V6.2-1H3, V7.1, V7.1-1H1, V7.1-1H2.
This kit addresses the following problems:
PROBLEMS ADDRESSED IN ALPDCE04_014 KIT:
o Fix memory leaks in DCE DECnet OSI Socket interface image
DCE daemons and DCE user applications terminate abnormally due
to with page file exhaustion. For Example, DCE endpoint
mapper, DCE$RPCD, aborts unexpectedly on systems where DECnet
OSI is a supported DCE protocol. Examination of the rpcd out
file shows insufficient dynamic memory errors.
$ type Dce$Specific:[Var.Rpc.Adm]DCE$RPCD.Out
(socket) (SOCKET_MEM_ALLOC) *** FATAL ERROR at SOCKMEM.C;1\293 ***
%SYSTEM-F-INSFMEM, insufficient dynamic memory%CMA-F-EXCCOP,
exception raised;
VMS condition code follows
Please note, there are still memory management problems with
DCE when DCEnet OSI as used as a transport. If you site
requires 24 by 7 operation, it you can disable DECnet OSI as a
DCE protocol if you have no application requirementto use OSI.
Installation of the DECthreads kit, ALPTHREADS04_071 is highly
recommended on Alpha V7.1 systems. Page file leakage of DCE
process is greatly reduced after the installation of the
ALPTHREADS04_071 kit.
Three memory leaks were fixed in the DCE OSI socket interface
routines.
o Work-arounds:
Disable DECnet OSI as a DCE transport by defining
RPC_SUPPORTED_PROTSEQS or by defining the DECnet OSI socket
shareable image to null with:
$Define/Sys/Exec DCE$SOCKSHR_DNET_OSI NL:
o Eliminate two zero block files left in the credentials cache
directory after a dce_login followed by a kdestroy.
When a dce_login is performed, six files are created in the
credentials cache directory,
DCE$SPECIFIC:[VAR.SECURITY.CREDS]. An example is the
following files:
16 029D9101.;2 1-OCT-1998 15:28:18.37
17 029D9101.;1 1-OCT-1998 15:28:17.76
18 029D9102.;1 1-OCT-1998 15:28:19.27
19 029D9200.;1 1-OCT-1998 15:28:19.02
20 029D9200.DATA;1 1-OCT-1998 15:28:19.38
21 029D9200.NC;1 1-OCT-1998 15:28:19.18
After a kdestroy, two files remain from the original login.
In the login example above, the following files are left:
16 029D9101.;1 1-OCT-1998 15:28:17.76
17 029D9102.;1 1-OCT-1998 15:28:19.27
DCE uses UNIX style file processing. When creating the
initial cache file, 029D9101 in the example above, a version 1
file is created by allocate_krb5_info call from
sec_login_pvt_setup_identity. A subsequent call to
krb5_cc_initialize opens this file with the requirement to
create a new version. On VMS this creates version 2 of the
file.
When sec_login_set_context is called later during login, a
similar problem happens. To create the CC data file like
029D9200.DATA;1 in the example above, a temporary file is
used. The temporary file is created, closed and then reopened
creating two files (029D9200.;1 and 029D9200.;2). The second
version of the file is populated with the data and renamed to
029D9200.DATA. The first version is left.
o Allow dce login password input from a command procedure
DCE login fails when the input for the password is not
obtained from a terminal. The login fails with the error
below:
$ rgy_edit
Current site is: registry server at /.../adu26a_cell/subsys/dce/sec
/master
l cell_admin
-dce-
login: Credentials cache I/O operation failed XXX Error in input
password. Login failed.
exit
bye
o Work-arounds:
Perform a DCE_LOGIN prior to using DCE utilities. Limit
procedures to run only until the current login expires.
o Allow the Credentials Cache Cleanup interval to be adjusted.
Every one hour, the sec_clientd daemons deletes stale
credentials files out of the DCE credentials cache directory.
If run in debug mode, the daemons deletes the files every five
minutes. The interval is not adjustable. Changes were made
to make the interval adjustable between 5 minutes and one
hour. The interval cannot be greater than 60 minutes or less
than 5 minutes.
To set the interval, define the logical
FCC_CCACHE_CLEANUP_INTERVAL, to the number of minutes between
cache cleanups. The logical may be defined at the system
level, or may be defined in the sec_clientd startup command
procedure. If you change the interval while the security
client daemon is running, the new interval will be effective
after the next credentials cache cleanup.
o New version V5.0 of TCP/IP services for OpenVMS will cause
configuration failures in DCE setup procedures.
**** IMPORTANT NOTICE ****
If you have customized the DCE$SETUP.com at your site, you should
remove the DCE$SETUP.com and DCE$SETUP_UCX.com installed by this
procedure after installation. The site specific customizations
will need to be made to the new versions of the command procedures
and installed at a later time
For example if you have increased DCE daemon quotas in
DCE$SETUP.COM for using MULTINET, you will have to make the quota
adjustments to the version of DCE$SETUP.COM supplied in this kit.
**** END NOTICE ****
A new version of TCP/IP services for OpenVMS is shipping which
eliminates some of the UCX commands used by the DCE$SETUP.COM
and DCE$SETUP_UCX.COM procedures.
o Work-arounds:
Manually edit the setup files.
o Fix DCE$SETUP start of configure failures after the
installation of Multinet 4.1 B-X
Updates to multinet changed the BGO device characteristics
breaking old logic checking if multinet was installed.
o Fix problem where accounts created from VMS 1.4 and V1.5
system could not be used in rpc authentication calls to NT DCE
2.2 and Unix DCE 3.0 servers.
An account created from a V1.4 or V1.5 OpenVMS system via
rgy_edit caused a principal unknown error to be returned from
a NT 2.2 or UNIX 3.0 system when the principal account was
used in an rpc_binding_set_auth_info() call.
o Restart of RPCD or PERF server fails with "unable to bind
socket".
Attempting to restart a DCE server with a well known endpoint, such
as RPCD (port 135) or PERF server (port 2001) failed with "unable
to bind socket" error, when there is no process using the port.
This problem is corrected.
Attempting to restart a DCE server with a well known endpoint,
such as RPCD (port 135) or PERF server (port 2001) fails with
an "unable to bind socket" error, when there is no process
using the port. Restart of RPCD could fail with a message
that RPCD was already running. Client incoming packets
referencing the well-known endpoint create Port Control Blocks
for the endpoint. A socket cannot be bound to a port with an
existing PCB unless the SO_REUSEADDRESS socket option is set.
Problems addressed in the ALPDCE03_014 kit:
o Configuring an OpenVMS DCE 1.4 client into a Gradient server
running on NT 4.0 results in the following error:
Establishing security environment for principal "cell_admin" . . .
**************************** ERROR ****************************
*** An error occurred while setting up the security environment
*** using principal name "cell_admin"
Error: Cannot validate identity for principal "cell_admin"
who are you failed (dce / rpc) 236094202
%SYSTEM-F-ABORT, abort
o Servers abort with the following error messages:
+ Listening...
(socket) rpc__socket_disp_select
*** FATAL ERROR at SOCKDISPATCH.C;1\3668***
%CMA-F-EXCCOP, exception raised; VMS condition code follows
-SYSTEM-F-OPCCUS, opcode reserved to customer fault at
PC=FFFFFFFF80538638,PS=0
%SYSTEM-F-ABORT, abort
o User applications passing fixed arrays containing structures
between Alpha OpenVMS and other platforms encounter corruption
in the array contents.
o IDL compiler does not find file in a search list:
$ define idl_sources W1:[GUY.DCE_EXAMPLES.TEST1],
W1:[GUY.DCE_EXAMPLES]
$ Directory W1:[GUY.DCE_EXAMPLES.TEST1]
TEST1.IDL;1 3/3 6-JAN-1993 10:54:38.21 (RWED,RWED,,RE,)
Total of 1 file, 3/3 blocks.
$ sho log idl_sources
"IDL_SOURCES" = "W1:[GUY.DCE_EXAMPLES.TEST1]" (LNM$PROCESS_TABLE)
= "W1:[GUY.DCE_EXAMPLES]"
$ set def idl_sources
$idl test1
%IDL-E-OPENREAD, Unable to open idl_sources:[guy]test1.idl
for read access
%IDL-E-SYSERRMSG, System error message: no such file or directory
%IDL-F-COMPABORT, Compilation aborted
Problems addressed in the ALPDCE02_014 kit:
o The ALPDCE01_014 remedial kit did not install on OpenVMS Alpha
hardware versions. The ALPDCE02_014 remedial kit corrects
this.
Problems addressed in the ALPDCE01_014 kit:
o When the security server is not running, sec_login_refresh_identity()
returns an undocumented status code, 336760967. The documentation
states that the sec_rgy_server_unavailable status code should be
returned. Example programs from OSF and other vendors show the
refresh thread testing for the sec_rgy_server_unavailable status
to determine if the refresh should be retried.
o Executing any RPCLM command results in a fault invalid bound
message on Alpha systems.
$RPCLM String Binding of Server:ncadg_ip_udp:16.32.80.42[2301]
RPCLM> inq
%CMA-F-EXCCOPLOS, exception raised; some information lost
-DCERPC-E-FAULTINVALIDBOU, fault invalid bound (DCE / RPC)
o In the directory DCE$SPECIFIC:[KRB5], there are hundreds of
versions of KRB5KDC_RCACHE created by the DCE$SECD process.
These files do get cleaned up during a CLEAN operation but,
they are not cleaned up during a start or restart of DCE.
o If you do not include prior to including
the header will not compile because it uses the datatype FILE*.
o Attempting a kinit on an OpenVMS system results in the
following error:
$ kinit cell_admin
$5$dkb0:[sys0.syscommon.][sysexe]dce$kinit.exe;4: Malformed
representation of principal when parsing name T@
o When an 'Illegal state transition' occurs, the correct state
is not reported. The code corrupts the state before
reporting it. A state of 255 is reported and is meaningless
because it is the code for No State.
o Print 4 digit years on output from DCE processes. Allow four
digit data inputs from DCE administration functions. Fix leap
year calculations for years after 2017.
o It has been discovered that OSF/DCE has a potential problem in
the security server that could allow for a denial of service
attack.
If a principal, group, or organization is greater than 1024
characters (including the cell name, so the actual name limit
is less than 1024) when passed to security daemon (secd), it
will cause secd core dump. The buffer is overrun causing
memory corruption. In certain cases, the lookup attempt (or
add or whatever) on the client will then rebind to another
secd to make the request, eventually crashing all security
daemons in the cell.
o The new Pathway IP version can cause DCE setup to abort
abruptly with error messages. Pathway changes the output of
an image that returns the Pathway version. This causes output
parsing routines to fail because they search for runtime on
the line containing the version.
INSTALLATION NOTES:
Install this kit with the VMSINSTAL utility by logging into the
SYSTEM account, and typing the following at the DCL prompt:
@SYS$UPDATE:VMSINSTAL ALPDCE04_014 [location of the saveset]
The saveset location may be a tape drive, CD, or a disk directory
that contains the kit saveset.
No reboot is necessary after successful installation of the kit.
|
Files on this server are as follows:
|
»alpdce04_014.README
».CHKSUM
»alpdce04_014.a-dcx_axpexe
»alpdce04_014.b-dcx_axpexe
»alpdce04_014.CVRLET_TXT
|
