RESOLUTION

This Engineering Advisory presents details of the problem and how to correct the problem if you have encountered it.

Case I - Preventing the problem

To prevent this problem take the following steps before performing a rolling upgrade of a TruCluster Server running Enhanced Security (C2):

1) Disable the prpasswdd from running on the cluster:
    # rcmgr -c set PRPASSWDD_ARGS \
      "`rcmgr get PRPASSWDD_ARGS` -disable"
2) Stop the prpasswdd on every node in the cluster:
    # /sbin/init.d/prpasswd stop
3) Do the rolling upgrade procedure through the "clu_upgrade switch" step and reboot all the cluster members.
4) If PRPASSWDD_ARGS did not exist before this upgrade (i.e. "rcmgr get PRPASSWDD_ARGS" at this point shows only " -disable"), just delete PRPASSWDD_ARGS:
    # rcmgr -c delete PRPASSWDD_ARGS
5) If PRPASSWDD_ARGS existed before this upgrade, reset PRPASSWDD_ARGS to the original string:
    # rcmgr -c set PRPASSWDD_ARGS \
      "`rcmgr get PRPASSWDD_ARGS | sed 's/ -disable//'`"
6) Check that PRPASSWDD_ARGS is now set to what you'd expect:
    # rcmgr get PRPASSWDD_ARGS
7) Start the prpasswdd on every node in the cluster:
    # /sbin/init.d/prpasswd start
8) Complete the rolling upgrade.

Case II - Correcting the problem

If you have already encountered the problem, follow these steps to clear it:

1) Restart the prpasswdd daemon on every node in the cluster:
    # /sbin/init.d/prpasswd restart
2) Reboot the lead cluster member.
3) Check to see if the problem has been resolved. If it has been resolved, you are finished. If you still see the problem, continue to step 4.
4) Try to force a change to the auth database. To do this:
   a) Use edauth to add a harmless field to an account; the exact commands depend on your editor. For example, pick an account that does not have a vacation set and add u_vacation_end:
       # edauth
       s/:u_lock@:/u_vacation_end#0:u_lock@:/
       w
       q
   b) Check to see that the u_vacation_end#0 field was added to the account:
       # edauth -g
   c) Use edauth to remove the u_vacation_end#0 field from the account.
   d) If the edauth command(s) fail, do not stop; continue with the following instructions.
5) Check to see if the problem has been resolved. If it has been resolved, you are finished. If you still see the problem, observe the following warning and continue to step 6:

WARNING: Do the following procedure only if:
 - you have encountered the described problem while doing a rolling upgrade of a TruCluster running Enhanced Security;
 - you have tried steps 1) through 5) above; and
 - ALL user authentications (i.e. logins) still fail.
If you attempt the following procedure at any other time, it can cause authentication failures.

6) Disable logins on the cluster by creating the file "/etc/nologin":
    # touch /etc/nologin
7) Disable the prpasswdd from running on the cluster:
    # rcmgr -c set PRPASSWDD_ARGS \
      "`rcmgr get PRPASSWDD_ARGS` -disable"
8) Stop the prpasswdd on every node in the cluster:
    # /sbin/init.d/prpasswd stop
9) Force a checkpoint, using the db_checkpoint command with the -1 option (the number one, not lowercase L):
    # /usr/tcb/bin/db_checkpoint -1 -h /var/tcb/files
   Continue with the instructions even if this command fails.
10) Delete the files in the dblogs directory:
    # rm -f /var/tcb/files/dblogs/*
11) Force a change to the auth database. Do this by:
   a) Use edauth to add a harmless field to an account; the exact commands depend on your editor. For example, pick an account that does not have a vacation set and:
       # edauth
       s/:u_lock@:/u_vacation_end#0:u_lock@:/
       w
       q
   b) Check to see that the u_vacation_end#0 field was added to the account:
       # edauth -g
   c) Use edauth to remove the u_vacation_end#0 field from the account.
   d) If the edauth command fails, STOP, contact HP support.
12) If PRPASSWDD_ARGS did not exist before starting this procedure (i.e. "rcmgr get PRPASSWDD_ARGS" at this point shows only " -disable"), just delete PRPASSWDD_ARGS:
    # rcmgr -c delete PRPASSWDD_ARGS
13) If PRPASSWDD_ARGS existed before this procedure, reset PRPASSWDD_ARGS to the original string:
    # rcmgr -c set PRPASSWDD_ARGS \
      "`rcmgr get PRPASSWDD_ARGS | sed 's/ -disable//'`"
14) Check that PRPASSWDD_ARGS is now set to what you'd expect:
    # rcmgr get PRPASSWDD_ARGS
15) Start the prpasswdd on every node in the cluster:
    # /sbin/init.d/prpasswd start
16) Re-enable logins on the cluster by deleting the file "/etc/nologin":
    # rm /etc/nologin
17) Check to see if the problem has been resolved. If it has not, contact HP support.
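
The choice between deleting and resetting PRPASSWDD_ARGS (Case I steps 4-5, Case II steps 12-13) can be checked before anything is changed. The following is an added example, not part of the advisory: the function names are hypothetical, ORIGINAL_ARGS is a constructed placeholder, and the helpers only print the rcmgr command to run without calling rcmgr themselves.

```shell
#!/bin/sh
# Added example, not part of the advisory. These helpers only build strings;
# they never call rcmgr. Function names are hypothetical.

# Value to store while prpasswdd must stay down: current value + " -disable".
# $1 is the output of "rcmgr get PRPASSWDD_ARGS" (empty if it is unset).
disabled_value() {
    printf '%s -disable' "$1"
}

# Given the current output of "rcmgr get PRPASSWDD_ARGS", print the command
# that undoes the change. Returns 1 if " -disable" is not present, so the
# restore step is not applied twice or to an untouched value.
restore_command() {
    case "$1" in
        *" -disable"*) ;;
        *) echo "PRPASSWDD_ARGS has no -disable; nothing to undo" >&2
           return 1 ;;
    esac
    # Same substitution the advisory uses to recover the original string.
    orig=$(printf '%s\n' "$1" | sed 's/ -disable//')
    if [ -z "$(printf '%s' "$orig" | tr -d '[:space:]')" ]; then
        # Only " -disable" was there: the variable did not exist before.
        echo 'rcmgr -c delete PRPASSWDD_ARGS'
    else
        printf 'rcmgr -c set PRPASSWDD_ARGS "%s"\n' "$orig"
    fi
}

# Constructed sample values: variable absent before, and present before.
for current in ' -disable' 'ORIGINAL_ARGS -disable'; do
    restore_command "$current"
done
```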