DCE-VMS VAXDCE03_014 DCE V1.4 for OpenVMS VAX ECO Summary

TITLE: DCE-VMS VAXDCE03_014 DCE V1.4 for OpenVMS VAX ECO Summary

Modification Date:  23-SEP-99
Modification Type:  Updated Kit Supersedes VAXDCE02_014

NOTE: An OpenVMS saveset or PCSI installation file is stored on the Internet in a self-expanding compressed file. The name of the compressed file will be kit_name-dcx_vaxexe for OpenVMS VAX or kit_name-dcx_axpexe for OpenVMS Alpha. Once the file is copied to your system, it can be expanded by typing RUN compressed_file. The resultant file will be the OpenVMS saveset or PCSI installation file which can be used to install the ECO.

Copyright (c) Compaq Computer Corporation 1999. All rights reserved.

PRODUCT:  Distributed Computing Environment (DCE) For OpenVMS VAX
OP/SYS:   OpenVMS VAX
SOURCE:   Compaq Computer Corporation

ECO INFORMATION:

  ECO Kit Name:  VAXDCE03_014
  ECO Kits Superseded by This ECO Kit:  VAXDCE02_014
  ECO Kit Approximate Size:  15336 Blocks
      Saveset A - 108 Blocks
      Saveset B - 15228 Blocks
  Kit Applies To:  DCE V1.4 OpenVMS VAX V5.5-2, V5.5-2H4, V6.2, V7.1
  System/Cluster Reboot Necessary:  No (See Installation Instructions)
  Installation Rating:  2 - To be installed on all systems running the listed versions of OpenVMS and using the following feature:

      This remedial kit contains many Year 2000 related fixes. Any customer running DCE must install this kit.

ECO KIT SUMMARY:

An ECO kit exists for DCE V1.4 on OpenVMS VAX V5.5-2, V5.5-2H4, V6.2, V7.1. This kit addresses the following problems:

PROBLEMS ADDRESSED IN VAXDCE03_014 KIT:

  o  Fix memory leaks in DCE DECnet OSI Socket interface image

     DCE daemons and DCE user applications terminate abnormally due to page file exhaustion. For example, the DCE endpoint mapper, DCE$RPCD, aborts unexpectedly on systems where DECnet OSI is a supported DCE protocol. Examination of the rpcd out file shows insufficient dynamic memory errors.

         $ type Dce$Specific:[Var.Rpc.Adm]DCE$RPCD.Out
         (socket) (SOCKET_MEM_ALLOC) *** FATAL ERROR at SOCKMEM.C;1\293 ***
         %SYSTEM-F-INSFMEM, insufficient dynamic memory
         %CMA-F-EXCCOP, exception raised; VMS condition code follows

     Please note, there are still memory management problems with DCE when DECnet OSI is used as a transport. If your site requires 24 by 7 operation, you can disable DECnet OSI as a DCE protocol if you have no application requirement to use OSI.

     Installation of the DECthreads kit, ALPTHREADS04_071, is highly recommended on Alpha V7.1 systems. Page file leakage of DCE processes is greatly reduced after the installation of the ALPTHREADS04_071 kit.

     o  Work-arounds: Disable DECnet OSI as a DCE transport by defining RPC_SUPPORTED_PROTSEQS or by defining the DECnet OSI socket shareable image to null with:

         $ Define/Sys/Exec DCE$SOCKSHR_DNET_OSI NL:

  o  Eliminate two zero block files left in the credentials cache directory after a dce_login followed by a kdestroy.

     When a dce_login is performed, six files are created in the credentials cache directory, DCE$SPECIFIC:[VAR.SECURITY.CREDS]. An example is the following files:

         16 029D9101.;2        1-OCT-1998 15:28:18.37
         17 029D9101.;1        1-OCT-1998 15:28:17.76
         18 029D9102.;1        1-OCT-1998 15:28:19.27
         19 029D9200.;1        1-OCT-1998 15:28:19.02
         20 029D9200.DATA;1    1-OCT-1998 15:28:19.38
         21 029D9200.NC;1      1-OCT-1998 15:28:19.18

     After a kdestroy, two files remain from the original login. In the login example above, the following files are left:

         16 029D9101.;1        1-OCT-1998 15:28:17.76
         17 029D9102.;1        1-OCT-1998 15:28:19.27

     DCE uses UNIX style file processing. When creating the initial cache file, 029D9101 in the example above, a version 1 file is created by the allocate_krb5_info call from sec_login_pvt_setup_identity. A subsequent call to krb5_cc_initialize opens this file with the requirement to create a new version. On VMS this creates version 2 of the file. When sec_login_set_context is called later during login, a similar problem happens.
     To create the CC data file, like 029D9200.DATA;1 in the example above, a temporary file is used. The temporary file is created, closed and then reopened, creating two files (029D9200.;1 and 029D9200.;2). The second version of the file is populated with the data and renamed to 029D9200.DATA. The first version is left.

  o  Allow dce login password input from a command procedure

     DCE login fails when the input for the password is not obtained from a terminal. The login fails with the error below:

         $ rgy_edit
         Current site is: registry server at /.../adu26a_cell/subsys/dce/sec/master
         l cell_admin -dce-
         login: Credentials cache I/O operation failed XXX
         Error in input password.
         Login failed.
         exit
         bye

     The VMS DCE implementation of the krb5_read_password routine allowed entry of a password only when the input device was a terminal. The VMS specific routine prevents the entered password from being echoed at the user terminal. The VMS routine prevents the use of a command procedure to input passwords. While not a good idea, other implementations of DCE allow passwords to be input from scripts.

     o  Work-arounds: Perform a DCE_LOGIN prior to using DCE utilities. Limit procedures to run only until the current login expires.

  o  Allow the Credentials Cache Cleanup interval to be adjusted.

     Every hour, the sec_clientd daemon deletes stale credentials files out of the DCE credentials cache directory. If run in debug mode, the daemon deletes the files every five minutes. The interval is not adjustable.

     Changes were made to make the interval adjustable between 5 minutes and one hour. The interval cannot be greater than 60 minutes or less than 5 minutes. To set the interval, define the logical FCC_CCACHE_CLEANUP_INTERVAL to the number of minutes between cache cleanups. The logical may be defined at the system level, or may be defined in the sec_clientd startup command procedure.
     If you change the interval while the security client daemon is running, the new interval will be effective after the next credentials cache cleanup.

  o  New version V5.0 of TCP/IP services for OpenVMS will cause configuration failures in DCE setup procedures.

     **** IMPORTANT NOTICE ****

     If you have customized the DCE$SETUP.com at your site, you should remove the DCE$SETUP.com and DCE$SETUP_UCX.com installed by this procedure after installation. The site specific customizations will need to be made to the new versions of the command procedures and installed at a later time.

     For example, if you have increased DCE daemon quotas in DCE$SETUP.COM for using MULTINET, you will have to make the quota adjustments to the version of DCE$SETUP.COM supplied in this kit.

     **** END NOTICE ****

     A new version of TCP/IP services for OpenVMS is shipping which eliminates some of the UCX commands used by the DCE$SETUP.COM and DCE$SETUP_UCX.COM procedures.

     o  Work-arounds: Manually edit the setup files.

  o  Fix DCE$SETUP start of configure failures after the installation of Multinet 4.1 B-X

     Updates to Multinet changed the BGO device characteristics, breaking old logic checking if Multinet was installed.

  o  Fix problem where accounts created from VMS 1.4 and V1.5 systems could not be used in rpc authentication calls to NT DCE 2.2 and Unix DCE 3.0 servers.

     An account created from a V1.4 or V1.5 OpenVMS system via rgy_edit caused a principal unknown error to be returned from a NT 2.2 or UNIX 3.0 system when the principal account was used in an rpc_binding_set_auth_info() call.

     Since day one, rgy_edit on VMS has sent garbage in the flags fields of the admin_part (sec_rgy_admin_t) argument to sec_rgy_acct_add(). It appears the garbage has been ignored until recent updates to the security server in the 1.2.2 OSF base to implement a new "user to user" authentication feature. Accounts created from VMS would work in some cases and would not work in many cases.
     Whether it worked or not depended on a bit being set in one of the garbage arguments.

  o  Restart of RPCD or PERF server fails with "unable to bind socket".

     Attempting to restart a DCE server with a well known endpoint, such as RPCD (port 135) or PERF server (port 2001), failed with an "unable to bind socket" error when there is no process using the port. This problem is corrected.

     Attempting to restart a DCE server with a well known endpoint, such as RPCD (port 135) or PERF server (port 2001), fails with an "unable to bind socket" error when there is no process using the port. Restart of RPCD could fail with a message that RPCD was already running.

     Client incoming packets referencing the well-known endpoint create Port Control Blocks for the endpoint. A socket cannot be bound to a port with an existing PCB unless the SO_REUSEADDRESS socket option is set.

PROBLEMS ADDRESSED IN VAXDCE02_014:

  o  When a file required for an IDL compile was not located in the first location in a directory logical name search list, the IDL compile fails with:

         %IDL-E-OPENREAD, Unable to open idl_sources:[guy]test1.idl for read access
         %IDL-E-SYSERRMSG, System error message: no such file or directory
         %IDL-F-COMPABORT, Compilation aborted

  o  User applications passing fixed arrays containing structures between Alpha VMS and other platforms encounter corruption in the array contents.

  o  DCE Servers die with the following error messages:

         + Listening...
         (socket) rpc__socket_disp_select *** FATAL ERROR at SOCKDISPATCH.C;1\3668 **
         %CMA-F-EXCCOP, exception raised; VMS condition code follows
         -SYSTEM-F-OPCCUS, opcode reserved to customer fault at PC=FFFFFFFF80538638,PS=000001B
         %SYSTEM-F-ABORT, abort

  o  Configuring an OpenVMS DCE 1.4 client into a Gradient server running on NT4.0 results in the following error:

         Establishing security environment for principal "cell_admin" . . .
         **************************** ERROR ****************************
         *** An error occurred while setting up the security environment
         *** using principal name "cell_admin"
         Error: Cannot validate identity for principal "cell_admin"
         who are you failed (dce / rpc) 236094202
         %SYSTEM-F-ABORT, abort

PROBLEMS ADDRESSED IN VAXDCE01_014:

  o  When the security server is not running, sec_login_refresh_identity() returns an undocumented status code, 336760967. The documentation states that the sec_rgy_server_unavailable status code should be returned. Example programs from OSF and other vendors show the refresh thread testing for the sec_rgy_server_unavailable status to determine if the refresh should be retried.

  o  Executing any RPCLM command results in a fault invalid bound message on Alpha systems.

         $RPCLM
         String Binding of Server:ncadg_ip_udp:16.32.80.42[2301]
         RPCLM> inq
         %CMA-F-EXCCOPLOS, exception raised; some information lost
         -DCERPC-E-FAULTINVALIDBOU, fault invalid bound (DCE / RPC)

  o  In the directory DCE$SPECIFIC:[KRB5] there are hundreds of versions of KRB5KDC_RCACHE created in it by the DCE$SECD process. These files do get cleaned up during a CLEAN operation but they are not cleaned up during a start or restart of DCE.

  o  If you do not include prior to including the header will not compile because it uses the datatype FILE*.

  o  Attempting a kinit on an OpenVMS system results in the error below:

         $ kinit cell_admin
         $5$dkb0:[sys0.syscommon.][sysexe]dce$kinit.exe;4: Malformed representation of principal when parsing name T@

  o  When an 'Illegal state transition' occurs, the correct state is not reported. The code clobbered the state before reporting it. A state of 255 is reported and is meaningless because it is the code for No State.

  o  Print 4 digit years on output from DCE processes. Allow four digit data inputs from DCE administration functions. Fix leap year calculations for years after 2017.
  o  It has been discovered that OSF/DCE has a potential problem in the security server that could allow for a denial of service attack. If a principal, group, or organization name is greater than 1024 characters (including the cell name, so the actual name limit is less than 1024) when passed to the security daemon (secd), it will cause secd to core dump. The buffer is overrun, causing memory corruption. In certain cases, the lookup attempt (or add or whatever) on the client will then rebind to another secd to make the request, eventually crashing all security daemons in the cell.

  o  The new Pathway IP version can cause DCE setup to abort abruptly with error messages. Pathway changes the output of an image that returns the Pathway version. This causes output parsing routines to fail because they search for runtime on the line containing the version.

INSTALLATION NOTES:

Install this kit with the VMSINSTAL utility by logging into the SYSTEM account, and typing the following at the DCL prompt:

     @SYS$UPDATE:VMSINSTAL VAXDCE03_014 [location of the saveset]

The saveset location may be a tape drive, or a disk directory that contains the kit saveset.

No reboot is necessary after successful installation of the kit. However, DCE must be re-started after the kit is installed to complete the installation of the new DCE images. DCE can be restarted with the command

     @SYS$MANAGER:DCE$SETUP START
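
The secd name overrun listed under VAXDCE01_014 above is a fixed buffer filled with a cell-qualified name whose combined length was never checked. The following C code is an added example, not code from the DCE sources or from this kit: it shows the length check such a path needs. The names NAME_BUF_LEN, build_global_name and max_name_len are hypothetical, and it assumes the name is stored as "<cell>/<name>" in a 1024-byte buffer that also holds the terminating NUL.

```c
#include <stddef.h>
#include <string.h>

/* Assumed buffer size, from the 1024-character limit in the text. */
#define NAME_BUF_LEN 1024

enum name_status { NAME_OK = 0, NAME_BAD_ARG = -1, NAME_TOO_LONG = -2 };

/* Bounded strlen: never reads more than max bytes of an untrusted string. */
static size_t bounded_len(const char *s, size_t max)
{
    const char *end = memchr(s, '\0', max);
    return end ? (size_t)(end - s) : max;
}

/* Largest name length accepted for a given cell name (hypothetical helper). */
size_t max_name_len(const char *cell)
{
    size_t cell_len = bounded_len(cell, NAME_BUF_LEN);
    return cell_len + 2 >= NAME_BUF_LEN ? 0 : NAME_BUF_LEN - cell_len - 2;
}

/*
 * build_global_name (hypothetical helper): joins cell and name as
 * "<cell>/<name>" in out[NAME_BUF_LEN]. The check counts the cell name,
 * the separator and the terminating NUL, so the usable length of `name`
 * is smaller than the buffer, as the advisory notes.
 */
enum name_status build_global_name(const char *cell, const char *name,
                                   char out[NAME_BUF_LEN])
{
    size_t cell_len, name_len;

    if (cell == NULL || name == NULL || out == NULL)
        return NAME_BAD_ARG;
    cell_len = bounded_len(cell, NAME_BUF_LEN);
    name_len = bounded_len(name, NAME_BUF_LEN);

    /* Reject before copying anything: cell + '/' + name + NUL must fit. */
    if (cell_len + 1 + name_len + 1 > NAME_BUF_LEN) {
        out[0] = '\0';
        return NAME_TOO_LONG;
    }
    memcpy(out, cell, cell_len);
    out[cell_len] = '/';
    memcpy(out + cell_len + 1, name, name_len);
    out[cell_len + 1 + name_len] = '\0';
    return NAME_OK;
}
```

With the 16-character cell name from the rgy_edit transcript above, the longest accepted principal, group or organization name is 1006 characters; an oversized request is refused with an error status and the buffer is left empty.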





Files on this server are as follows:

vaxdce03_014.README
.CHKSUM
vaxdce03_014.a-dcx_vaxexe
vaxdce03_014.b-dcx_vaxexe
vaxdce03_014.CVRLET_TXT
