10 Replies Latest reply on Sep 4, 2013 9:41 AM by Mike Jones

    Issue with tcptunnel

    Yanick Girouard

      Just out of curiosity, I've tried to make the tcptunnel work for a dev server, and although I seem to have the RBAC right and I see it's letting me connect, it disconnects immediately after receiving the first bytes of data. In the NSH console, I see this:


      GMA-371066# tcptunnel -d -c 50011 -s whmm24701.cgicti

      tcptunnel: Fri Aug 30 11:42:18 2013 ( -1 ) bind() to port 50011 succeeded

      tcptunnel: Fri Aug 30 11:42:18 2013 ( -1 ) listen() succeeded.

      tcptunnel: Fri Aug 30 11:42:26 2013 ( -1 ) accept() succeeded.

      tcptunnel: Fri Aug 30 11:42:26 2013 ( -1 ) recv'd 19 bytes of DATA from client.

      tcptunnel: Fri Aug 30 11:42:26 2013 ( -1 ) _bob_write -1 bytes of DATA to server. No error. No error.

      tcptunnel: Fri Aug 30 11:42:26 2013 ( -1 ) recv'd 19 bytes of DATA from server.. No error.

      tcptunnel: Fri Aug 30 11:42:26 2013 ( -1 ) sent 19 bytes of DATA to client.

      tcptunnel: Fri Aug 30 11:42:26 2013 ( -1 ) Client disconnected.


      And in the agent log, I see this:


      SYSTEM (TCP_Tunnel_Test:yanick.girouard): tcptunnel: command: "tcptunnel" not authorized

      SYSTEM (TCP_Tunnel_Test:yanick.girouard): tcptunnel: User TCP_Tunnel_Test:yanick.girouard authorized to create TCP Tunnel

      BladeLogicRSCD@WHMM24701->CGIOM@WHMM24701:PrivilegeMapped (TCP_Tunnel_Test:yanick.girouard): tcptunnel: tcptunnel -d -c 50011 -s whmm24701.cgicti

      BladeLogicRSCD@WHMM24701->CGIOM@WHMM24701:PrivilegeMapped (TCP_Tunnel_Test:yanick.girouard): tcptunnel: Tunnel peer server 10.254.193.49:50011. Target Host Name = <whmm24701.cgicti>    Target Server Port = <3389>

      BladeLogicRSCD@WHMM24701->CGIOM@WHMM24701:PrivilegeMapped (TCP_Tunnel_Test:yanick.girouard): tcptunnel: Tunnel peer server 10.254.193.49:50011. Connect to the Target Server Port 3389 succeeded.

      BladeLogicRSCD@WHMM24701->CGIOM@WHMM24701:PrivilegeMapped (TCP_Tunnel_Test:yanick.girouard): tcptunnel: Tunnel Server for peer <10.254.193.49:50011> disconnecting. read() of DATA from server failed. No error.


      Anyone know what's missing?

        • 1. Re: Issue with tcptunnel
          Alan Nakashian-Holsberg

          Yanick,


          I have found a number of open defects on TCPTUNNEL. I will review them and get back to you to see if they are playing into this at all.


          Alan

          • 2. Re: Issue with tcptunnel
            Mike Jones

            Have you got NSH proxy enabled? It is required for tcptunnel.

            • 3. Re: Issue with tcptunnel
              Yanick Girouard

              Yes I do. I wouldn't be able to issue NSH commands against target servers if I didn't; the RBAC wouldn't let me.

              • 4. Re: Issue with tcptunnel
                Mike Jones

                I should have read the log you posted more carefully


                How are you assigning the tcptunnel authorization to the role you are connecting with?


                You can add it manually as a test to the users file by putting the following against the user/role:

                rw,map=adminaccount,commands=CM:tcptunnel

                • 5. Re: Re: Issue with tcptunnel
                  Yanick Girouard

                  I did it using a new role I created which has the agentinfo and tcptunnel commands in it and the Server.* auth as well. I added that role (both command and auth) to the ACL of a test server, and pushed the ACL. I can see it properly in the users file as you described.


                  Here's the line from my users file:


                  TCP_Tunnel_Test:yanick.girouard  rw,map=CGIOM,commands=CM:agentinfo:tcptunnel


                  That said, I don't think it's the auth, because it does say it authorized me for tcptunnel if you look in the log (after it said it didn't... which is odd).


                  SYSTEM (TCP_Tunnel_Test:yanick.girouard): tcptunnel: command: "tcptunnel" not authorized

                  SYSTEM (TCP_Tunnel_Test:yanick.girouard): tcptunnel: User TCP_Tunnel_Test:yanick.girouard authorized to create TCP Tunnel


                  Don't forget it does show me that it's listening and created the tunnel before it disconnects, though. (See my original post for the NSH shell part.) The disconnection happens only when I click the Connect button on the RDP dialog, so when my client tries to initiate the RDP protocol over the tunnel.
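The users-file line above is the record the agent consults for the two checks visible in the log (the command authorization and the tunnel authorization). As an added example that is not part of the thread and not BMC code, the script below parses lines in the exact form shown (ROLE:USER, whitespace, then permissions,map=ACCOUNT,commands=CM:cmd:cmd) and reports whether a given role/user is allowed to run tcptunnel and which local account it is mapped to. The sample file, the helper names, and the reading of the commands= field as a colon-separated list with a leading CM token are assumptions made for illustration; the thread does not document the field's grammar beyond the one line posted.

```python
"""Check an RSCD users-file line for tcptunnel authorization.

Added example, not from the thread or from BMC. Handles only the line
shape shown in the thread:
    ROLE:USER  perms,map=ACCOUNT,commands=CM:cmd1:cmd2
The meaning of the leading "CM" token is not stated in the thread; this
script assumes (assumption) it is a prefix and that the tokens after it
are the authorized command names.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample users file, modelled on the line posted in the thread.
USERS_FILE_SAMPLE = """\
# role:user  permissions,map=local account,commands=CM:cmd:cmd
TCP_Tunnel_Test:yanick.girouard  rw,map=CGIOM,commands=CM:agentinfo:tcptunnel
Ops:bob  rw,map=CGIOM,commands=CM:agentinfo
"""


@dataclass
class UsersEntry:
    role: str
    user: str
    perms: str
    mapped_to: str | None = None
    commands: list[str] = field(default_factory=list)

    def allows(self, command: str) -> bool:
        """True when the command appears in the commands= list."""
        return command in self.commands


def parse_users_line(line: str) -> UsersEntry | None:
    """Parse one users-file line; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 1)            # principal, then the option string
    if len(parts) != 2:
        raise ValueError(f"malformed users line: {line!r}")
    principal, options = parts
    role, sep, user = principal.partition(":")
    if not sep or not user:
        raise ValueError(f"expected ROLE:USER, got {principal!r}")
    opts = options.split(",")
    entry = UsersEntry(role=role, user=user, perms=opts[0])   # first option: rw/ro
    for opt in opts[1:]:
        key, _, value = opt.partition("=")
        if key == "map":
            entry.mapped_to = value
        elif key == "commands":
            tokens = value.split(":")
            if tokens and tokens[0] == "CM":   # assumption: CM is a prefix token
                tokens = tokens[1:]
            entry.commands = [t for t in tokens if t]
    return entry


def load_users(text: str) -> list[UsersEntry]:
    """Parse a whole users file into entries."""
    return [e for e in (parse_users_line(l) for l in text.splitlines()) if e]


def find_entry(entries: list[UsersEntry], role: str, user: str) -> UsersEntry | None:
    for e in entries:
        if e.role == role and e.user == user:
            return e
    return None


def check_tunnel_access(text: str, role: str, user: str) -> str:
    """One-line verdict for the two checks the agent log shows."""
    entry = find_entry(load_users(text), role, user)
    if entry is None:
        return f"{role}:{user}: no users-file entry"
    if not entry.allows("tcptunnel"):
        return f"{role}:{user}: entry found (map={entry.mapped_to}) but tcptunnel not in commands"
    return f"{role}:{user}: tcptunnel authorized, mapped to {entry.mapped_to}"


if __name__ == "__main__":
    for role, user in [("TCP_Tunnel_Test", "yanick.girouard"), ("Ops", "bob"), ("Ops", "carol")]:
        print(check_tunnel_access(USERS_FILE_SAMPLE, role, user))
```

Run it against a pushed users file (read the file into `text` instead of the sample) to confirm the entry the ACL push produced is the one you expect, in particular that `map=` names the local account you intend the tunnel to run as, since that account's rights on the target host are what the RDP session will see.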

                  • 6. Re: Re: Issue with tcptunnel
                    Mike Jones

                    What rights does the CGIOM account have? Is it an administrator on the Windows box? We used to use a non-admin user for the RDP role but hit an issue with some Windows 2003 servers for one of our customers. I think the log entries were similar; I might be able to go back and find out.

                    • 7. Re: Re: Issue with tcptunnel
                      Yanick Girouard

                      CGIOM is a member of the Administrators group and I can manually RDP to that server using it. It's a Windows 2008 server, but I also tried on a Windows 2003 server. The Windows 2008 didn't even connect (issue above) but the 2003 seemed to just hang after I clicked Connect. I just don't want to mix issues right now, so let's concentrate on the Windows 2008 one (the issue above).

                      • 8. Re: Issue with tcptunnel
                        Mike Jones

                        I have tried to manually establish a connection as you have above on a working server and it will not work. I do not get the same error message as you, but it does not connect.


                        I can manually establish a connection if I use the same RDP file as we use in our RDP tunnel custom command.


                        Can you try the same ?


                        So establish the tcptunnel, then use "mstsc rdpfilename /v:localhost:50011". You can download a copy of our RDP file from this post on communities: https://communities.bmc.com/message/343867 (or you can now that I have just edited it).

                        • 9. Re: Issue with tcptunnel
                          Yanick Girouard

                          Wait... what just happened? It worked when I used your .rdp file, but if I create a new one from my default settings and try that one, it won't work. I'd like to know which setting made the difference. Trying to compare now... but if you know off hand what setting could have caused this, let me know!


                          Thanks!

                          • 10. Re: Issue with tcptunnel
                            Mike Jones

                            I have looked into this in more detail and the only line required in the rdp file is enablecredsspsupport:i:0

                            Interestingly, if it is changed to enablecredsspsupport:i:1 then you are able to connect to servers with NLA enabled but not to servers without, which might change my RfE idea slightly: https://communities.bmc.com/ideas/2981
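The last two replies reduce the fix to a single .rdp setting and the mstsc command line from reply 8. As an added example that is not from the thread and not BMC's or Microsoft's code, the script below takes a client's default .rdp text, points it at the local end of the tunnel, sets enablecredsspsupport to 0 (or to 1 when the target requires NLA, per reply 10), and builds the mstsc invocation. The sample .rdp text, the helper names, and the listening address localhost:50011 (taken from the tcptunnel command in the thread) are assumptions; the key names are the standard mstsc "key:type:value" settings.

```python
"""Generate an .rdp file for RDP over a BladeLogic tcptunnel.

Added example, not from the thread or from BMC. Assumes the tunnel was
started as in the thread (tcptunnel -d -c 50011 ...), so the client end
is localhost:50011 (assumption), and uses the standard mstsc .rdp keys.
"""
from __future__ import annotations

import subprocess
import sys
from pathlib import Path

TUNNEL_ADDRESS = "localhost:50011"   # client end of the tunnel (assumption)

# Constructed sample of what "save as" from a default mstsc session produces.
DEFAULT_RDP_SAMPLE = """\
screen mode id:i:2
full address:s:whmm24701.cgicti
enablecredsspsupport:i:1
authentication level:i:2
prompt for credentials:i:1
"""


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Parse 'key:type:value' lines into {key: (type, value)}.

    The value may itself contain ':' (e.g. host:port), so split at most twice.
    """
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, typ, value = line.split(":", 2)
        settings[key] = (typ, value)
    return settings


def render_rdp(settings: dict[str, tuple[str, str]]) -> str:
    """Serialise settings back to mstsc's CRLF-terminated format."""
    return "".join(f"{k}:{t}:{v}\r\n" for k, (t, v) in settings.items())


def tunnel_rdp(base_text: str, nla: bool = False) -> str:
    """Return an .rdp that connects through the tunnel.

    nla=False writes enablecredsspsupport:i:0, the one line reply 10 found
    necessary; nla=True writes :1, which reply 10 reports works only against
    servers that have NLA enabled.
    """
    settings = parse_rdp(base_text)
    settings["full address"] = ("s", TUNNEL_ADDRESS)
    settings["enablecredsspsupport"] = ("i", "1" if nla else "0")
    return render_rdp(settings)


def audit_rdp(text: str) -> list[str]:
    """Flag settings that would break the tunnel or weaken the session."""
    s = parse_rdp(text)
    problems = []
    if s.get("enablecredsspsupport", ("i", "1"))[1] != "0":
        problems.append("enablecredsspsupport is not 0: non-NLA targets will drop the tunnel (reply 10)")
    if s.get("full address", ("s", ""))[1] != TUNNEL_ADDRESS:
        problems.append(f"full address does not point at the tunnel ({TUNNEL_ADDRESS})")
    if s.get("authentication level", ("i", "2"))[1] == "0":
        problems.append("authentication level 0 silences server certificate warnings; keep 2")
    return problems


def mstsc_args(rdp_path: str) -> list[str]:
    """The command line from reply 8: mstsc <file> /v:localhost:50011."""
    return ["mstsc", rdp_path, f"/v:{TUNNEL_ADDRESS}"]


if __name__ == "__main__":
    out = Path("tunnel.rdp")
    out.write_text(tunnel_rdp(DEFAULT_RDP_SAMPLE, nla="--nla" in sys.argv))
    for p in audit_rdp(out.read_text()):
        print("warning:", p)
    if sys.platform == "win32":
        subprocess.run(mstsc_args(str(out)))   # only launches on Windows
    else:
        print("would run:", " ".join(mstsc_args(str(out))))
```

Start the tunnel in NSH first, then run the script on the Windows client. Because the client connects to localhost, the certificate the server presents will not match the name mstsc dialled, so expect a certificate warning; the audit deliberately refuses `authentication level:i:0` rather than silencing it. Setting enablecredsspsupport to 0 also means no NLA for that session, so credentials are entered at the Windows logon screen inside the RDP session instead of being validated before the session is set up; use `--nla` (value 1) for targets that enforce NLA, which is the split reply 10 describes.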