NMAS logins fail to NetWare servers after updating NMAS Login Methods or NMAS Login Sequences

  • 7002047
  • 10-Mar-2009
  • 26-Apr-2012

Environment

Novell eDirectory 8.8.x for NetWare 6.5
Novell eDirectory 8.7.3 for NetWare 6.5

Situation

NMAS logins fail to NetWare servers after installing or updating an NMAS Login Method
NMAS logins fail to NetWare servers after updating an NMAS Login Sequence
NMAS logins fail to NetWare servers after changing the NMAS Login Delay on the Login Policy
NMAS logins fail to NetWare servers after installing a new OES2 SP1 server into the tree
NMAS threads grow very large, as seen in a DSTRACE with +NMAS +TIME flags enabled
NMAS authentication to NetWare servers fails
NMAS login problems persist until the server is restarted.

Resolution

NMAS 3.3.1.3 FTF for NetWare has been released to resolve this problem. Download the patch at https://download.novell.com


Workaround:

An NMAS console command can change the default behavior of checking for NMAS Login Method and NMAS Login Sequence updates on every NMAS client login. Once "nmas RefreshRate minutes" is set, NMAS no longer checks for Method or Sequence updates on each client login; instead, it checks at the specified interval.

This setting is documented in the NMAS admin guide:

The command for NetWare servers is as follows:

nmas RefreshRate minutes

Example:  nmas RefreshRate 600

Where minutes is the interval, in minutes, at which NMAS checks whether there have been any updates to any NMAS login method and/or NMAS login sequence in the Security Container. Because the setting does not persist across a server restart, the command needs to be added to the autoexec.ncf. Furthermore, this change must be made on every NetWare server.

Normally NMAS login methods and NMAS login sequences are static and don't change often, so setting this to a high value like 10 hours (600 minutes or greater) shouldn't cause a problem. 

If you have updated an NMAS Login Method, NMAS Login Sequence, or NMAS Setting (such as NMAS Login Delay), and you don't want to wait for the interval to elapse, you can force an NMAS refresh from the NetWare console by issuing the command "NMAS REFRESHPOLICY".
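Because the workaround depends on the line being present and correctly spelled in autoexec.ncf on every server, the following check over collected copies of those files is an added example, not Novell's code. The server names and file contents are constructed, and the comment prefixes, case-insensitive matching, "last line wins" rule and 600-minute minimum are assumptions.

```python
import difflib
import re

# Assumption: comment lines in an .ncf file start with '#', ';' or 'REM'.
COMMENT = re.compile(r"^\s*(#|;|rem\b)", re.IGNORECASE)

def check_refresh_rate(ncf_text, min_minutes=600):
    """Classify one server's autoexec.ncf text.

    Returns (status, detail); status is 'ok', 'missing', 'misspelled',
    'bad_value' or 'too_low'. min_minutes is a local policy choice.
    """
    finding = ("missing", "no 'nmas RefreshRate <minutes>' line found")
    for lineno, raw in enumerate(ncf_text.splitlines(), 1):
        words = raw.split()
        if COMMENT.match(raw) or len(words) < 2 or words[0].lower() != "nmas":
            continue
        keyword = words[1].lower()  # assumption: console commands ignore case
        if keyword == "refreshrate":
            # Assumption: if the command appears twice, the last line wins.
            value = words[2] if len(words) > 2 else ""
            if not re.fullmatch(r"[0-9]+", value):
                finding = ("bad_value", f"line {lineno}: minutes missing or not a number")
            elif int(value) < min_minutes:
                finding = ("too_low", f"line {lineno}: {value} is below {min_minutes}")
            else:
                finding = ("ok", f"line {lineno}: RefreshRate {value}")
        elif (finding[0] == "missing" and difflib.SequenceMatcher(
                None, keyword, "refreshrate").ratio() >= 0.85):
            # A near miss such as 'RefrehRate' is reported as a typo.
            finding = ("misspelled", f"line {lineno}: '{words[1]}' is not 'RefreshRate'")
    return finding

def audit(servers, min_minutes=600):
    """Map server name -> status; the workaround applies to every server."""
    return {name: check_refresh_rate(text, min_minutes)[0]
            for name, text in servers.items()}

# Constructed sample files; server names are hypothetical.
SAMPLE = {
    "FS1": "load monitor\nnmas RefreshRate 600\n",
    "FS2": "load monitor\nnmas RefrehRate 600\n",
    "FS3": "# nmas RefreshRate 600\nload monitor\n",
    "FS4": "NMAS REFRESHRATE 5\n",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(name, status)
```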

Additional Information

By default, each time an NMAS client login happens, NMAS checks to see if the SAS:Login Policy Update attribute on the Login Policy object has been updated since NMAS loaded. This check happens on every NMAS client login and is performed on a per-server basis.

NMAS reads the SAS:Login Policy Update attribute timestamp on the Login Policy.Security object to see if there have been any changes to an NMAS login method and/or NMAS login sequence. If, during an NMAS client login, NMAS finds that the SAS:Login Policy Update attribute has changed, it attempts to issue an nmas refreshpolicy, which will "refresh" the NMAS login methods and NMAS login sequences on the server the client logged into.

If the "nmas refreshpolicy" happens during peak login times, it is possible to get into a deadlock-type issue in which all NMAS client logins back up behind the "nmas refresh".