[Info-vax] Need to set up a special purpose account

[Stephen Hoffman]

On 2016-10-07 16:25:24 +0000, Tom Adams said:

> On Friday, October 7, 2016 at 11:38:34 AM UTC-4, Stephen Hoffman wrote:
>> 
>> Please review and follow the steps involved in setting up anonymous  
>> access.  You've most likely missed a step in the setup of the anonymous 
>>  username.
> 
> I checked those in the documentation here:
> 
> http://h41379.www4.hpe.com/doc/83final/6526/6526pro_040.html#bottom_040

Please post the SYSUAF anonymous username entry, the anonymous and 
FTP-related logical names, directory ownerships, and DIRECTORY 
/SECURITY of the anonymous directory and the anonymous log area.

>> Please see if a login with a valid username and password works.
> 
> It works with other account usernames and passwords.

That implies that the configuration error — whether DISUSER flag or 
other such — is something specific to the anonymous login, or the 
ownership of the anonymous directory, or some related logical name.   
That also implies that the local network is working correctly, and that 
there isn't a firewall in the way.    Verify the logical names, the 
anonymous directory and anonymous login directory ownership (usually 
[ANONY,ANONYMOUS]), and the rest of the baggage.

>> Please also review the FTP server logs on the target system, looking 
>> for indications of errors or issues.
> 
> The log is totally empty even though I have tried to login multiple times.

Next step is reviewing and confirming the changes, and checking system 
accounting data for any details on the connection or login failures.

>> Please ensure that your system-wide login is readable or at least  
>> executable by all users.
> 
> Not sure what that means.

The system wide login is SYLOGIN.COM.   Make sure that DCL command 
procedure is world readable, or at least world executable.   Most 
systems have that SYLOGIN around, and I've met more than a few that 
have everybody logging in as privileged or in the right group to access 
that file or a constituent file, and access failures blow out CAPTIVE 
login attempts.

> But there are no restriction on accounts except those specified in the UAF

So you have checked the flags on the anonymous user, specifically 
looking for DISUSER or other settings that might block the login?

> It's frustrating.  I could have just set up a restricted account and 
> that would have worked right off the bat.

You're on OpenVMS.   This system is not designed to work "right off the 
bat".    This system is designed to (usually) work the way that the 
detailed recipes in the docs describe — once the proper docs are 
located — and with error handling, troubleshooting and related details 
usually not included in that same part of the documentation, and all of 
this requiring more than a little experience.   As much as I think that 
approach stinks, and that that approach is outdated, and that that 
approach is long overdue for a rethink and a wholesale replacement.   
But I digress.

> I may just blow away the anonymous account and create my own restricted 
> account.

Best to figure out what's going on here.   Blowing away accounts or 
directories can get TCP/IP Services confused or even more tangled, 
unfortunately.   I've had TCPIP$CONFIG tip over in that logic on 
several occasions.   Why the tool even gets itself into these 
situations is another discussion.  That and other such tools should 
have just created all the user entries, all the directories, and the 
rest, in one place, and allowed folks to enable or disable the entries 
and services individually if and as needed, as that's far less complex 
than dealing with directory creations and such all over the place.   We 
aren't on dinky VAX boxes anymore, after all.


-- 
Pure Personal Opinion | HoffmanLabs LLC