
List:       net-snmp-bugs
Subject:    [ net-snmp-Bugs-1437985 ] SNMPv3 : A user can belong to only one group.
From:       "SourceForge.net" <noreply () sourceforge ! net>
Date:       2006-02-24 16:48:30
Message-ID: E1FCg7K-0006B6-TT () sc8-sf-web2 ! sourceforge ! net

Bugs item #1437985, was opened at 2006-02-24 02:29
Message generated for change (Comment added) made by nobody
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=112694&aid=1437985&group_id=12694

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: agent
Group: linux
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: SNMPv3 : A user can belong to only one group.

Initial Comment:
net-snmp version 5.2.1.2
Operating System : Linux (debian).

When using SNMPv3, if a user belongs to more than one
group only the first group is taken into account to grant
access rights. With a configuration of this type:

#       sec.name  source          community
com2sec paranoid  localhost         public
com2sec readonly  localhost         public

####
# Second, map the security names into group names:

#               sec.model  sec.name
group MyROSystem v1        paranoid
group MyROSystem v2c       paranoid
group MyROSystem usm       usertest
group MyROGroup v1         readonly
group MyROGroup v2c        readonly
group MyROGroup usm        usertest

####
# Third, create a view for us to let the groups have rights to:

#           incl/excl subtree                          mask
#view all    included  .1          80
view system included  .1.3.6.1.2.1.1
view ifaces  included  .1.3.6.1.2.1.2

####
# Finally, grant the 2 groups access to the 1 view with different
# write permissions:

#                context sec.model sec.level match  read   write  notif
access MyROSystem ""      usm       priv   exact  system none   none
access MyROGroup ""       usm       priv   exact  ifaces    none   none

with : "createUser usertest MD5 tsttsttst DES tsttsttst"

and the agent launched by : "/usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd.pid"

You can do : 
$ /usr/bin/snmpget -v 3 -n "" -u usertest -l authPriv -a MD5 -A tsttsttst -x DES -X tsttsttst 127.0.0.1 .1.3.6.1.2.1.1.3.0

SNMPv2-MIB::sysUpTime.0 = Timeticks: (20569) 0:03:25.69

But : 

$ /usr/bin/snmpget -v 3 -n "" -u usertest -l authPriv -a MD5 -A tsttsttst -x DES -X tsttsttst 127.0.0.1 .1.3.6.1.2.1.2.1.0

IF-MIB::ifNumber.0 = No Such Object available on this agent at this OID

Whereas "IF-MIB::ifNumber.0" is reachable when you
suppress the group "MyROSystem"

When I look at traces using -D -f options for the
agent, I can see the agent doesn't search for more
than one group before it sends its answer.

regards,

--
Xavier Plattard

xavier.plattard@evidian.com

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2006-02-24 08:48

Message:
Logged In: NO 

By the way, I noticed the same kind of behaviour with 2
security names created with com2sec that have the same
community. If each one belongs to one group, and each group
is bound to one view, the agent grants access to only the
first view for this community...

--
Xavier Plattard

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2006-02-24 08:23

Message:
Logged In: NO 

By the way, I noticed the same kind of behaviour with 2
security names created with com2sec that have the same
community. If each one belongs to one group, and each group
is bound to one view, the agent grants access to only the
first view for this community...

--
Xavier Plattard

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2006-02-24 08:01

Message:
Logged In: NO 

By the way, I noticed the same kind of behaviour with 2
security names created with com2sec that have the same
community. If each one belongs to one group, and each group
is bound to one view, the agent grants access to only the
first view for this community...

--
Xavier Plattard

----------------------------------------------------------------------
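
A configuration check for the two cases reported in this thread, as an added example that is not part of the original messages or of Net-SNMP: it flags any (sec.model, sec.name) pair bound to more than one group and any (source, community) pair bound to more than one security name. The function name, the sample text and the "first binding is the effective one" labelling are assumptions taken from the behaviour described above; lines using options such as -Cn are skipped.

```python
# Added example: lint snmpd.conf text for VACM mappings that shadow each other.

# Constructed sample, reduced from the configuration in the report above.
SAMPLE_CONF = """\
com2sec paranoid  localhost  public
com2sec readonly  localhost  public
group MyROSystem v1   paranoid
group MyROSystem usm  usertest
group MyROGroup  v1   readonly
group MyROGroup  usm  usertest
"""


def find_shadowed(conf_text):
    """Return (directive, key, effective, ignored) for every lookup key that
    is bound to more than one name. Treating the first binding as the
    effective one is an assumption based on the report, not on agent code."""
    seen = {"group": {}, "com2sec": {}}
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 4 or fields[0] not in seen:
            continue
        if fields[1].startswith("-"):
            continue  # option forms (e.g. -Cn) are out of scope here
        # group   GROUPNAME MODEL  SECNAME   -> key (MODEL, SECNAME)
        # com2sec SECNAME   SOURCE COMMUNITY -> key (SOURCE, COMMUNITY)
        key, name = (fields[2], fields[3]), fields[1]
        seen[fields[0]].setdefault(key, []).append(name)

    findings = []
    for directive, table in seen.items():
        for key, names in table.items():
            distinct = list(dict.fromkeys(names))  # keep file order
            if len(distinct) > 1:
                findings.append((directive, key, distinct[0], distinct[1:]))
    return findings


if __name__ == "__main__":
    for directive, key, effective, ignored in find_shadowed(SAMPLE_CONF):
        print(f"{directive} {key}: effective={effective} ignored={ignored}")
```

Each finding marks a place where the access actually granted may be narrower or wider than the later lines suggest, so the views of the first-listed group or security name are the ones to review.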
