Troubleshooting NMAS -1660 errors with NMAS Login Methods
(Last modified: 29Nov2005)
This document (10091495) is provided subject to the disclaimer at the end of this document.
Troubleshooting NMAS -1660 errors with NMAS Login Methods
Novell NetWare 5.1
Novell NetWare 6.0
Novell NetWare 6.5
Native File Access for Windows
Native File Access for Macintosh
There is one more possible scenario when this error may be returned. When connecting to a CIFS/AFP server that does not hold a replica of the user requesting a connection, NMAS on that server will find another server running NMAS that does hold a replica of that user. Once it finds that other NMAS server it will request the remote NMAS server to resolve and authenticate the user. In order to do that successfully the remote NMAS server must be able to load the login method from DS. In the event that the remote NMAS server is a non-NetWare server, such as eDirectory for Windows, the login will fail with a -1660 Login Sequence Invalid error. This will happen because the Windows server, although running eDirectory and NMAS, cannot load the lsmcifs.nlm. This issue is being addressed in a new release of NMAS that is expected to be available in the NetWare 6.5 SP2 time frame.
One other thing to check that will cause this error is to make sure the NW 6.5 server is NOT running CIFS version 1.x, or in otherwords NW 6.5 should not be running CIFS modules from NW 5.1/6.0. If the NW 6.5 server is running CIFS modules from NW 5.1/6.0 (unsupported) AND the only login method loaded in the tree is lsmcifs2.nlm then attempts to login will fail with a -1660 error. The reason for that is that the NW 6.0 modules will be looking for the lsmcifs login method and it will not exist...thus the "invalid login method" error. CIFS modules from NW 6.0 are unaware and unable to use the lsmcifs2.nlm (Windows Native File Access login method for NW 6.5) and will never ask to use it. Running CIFS version 1.x modules on a NW 6.5 server is unsupported and not recommended although it may work it will also definitely cause UNICODE problems.
When failing to login to a NetWare server via CIFS or AFP (NFAP) with a bad username or password error, one of the first steps in troubleshooting the issue is to obtain an NMAS log (nmasmon * SYS:\ETC\NMAS.txt trunc). That log will envariably let you know what the exact error is. This document is dedicated to troubleshooting problems that can cause the server to return an NMAS error -1660.
-1660 0xFFFFF984 NMAS_E_SEQUENCE_NOT_FOUND The specified NMAS login sequence is invalid.
The specified NMAS login sequence is invalid.
The actual error in the NMAS log normally looks like this:
0: ERROR: -1660 CanDo
0: ERROR: -1660 NMAS Manager
Although the error says the login method is invalid it is also possible that this server simply can't load the login method. Login methods are stored in DS as stream files. Once a login method is loaded into DS that is the login method that all NMAS servers will use. The login methods are located in the Security container under Authorized Login Methods. Each NMAS server performing an authentication using an NFAP login method must have rights to read the Authorized Login Methods container and also be able to reach a server with a replica of ROOT. The server must be able to reach a replica of ROOT because that is where the Security Container is located, unless it has been partitioned off. If the Security container has been partitioned off then the server must be able to reach a replica of the partition which holds the Security container.
There are currently 4 separate login methods/sequences for NetWare, 2 for NW 5.1/6.0 and 2 for NW 6.5. Below is a break down of which method is associated with which OS version as well as the appropriate method to sequence names including the real name of each NLM. When checking to see if a login method is loaded at the server console as compared to what you see in ConsoleOne you'll notice that the login sequence, method, and NLM names match on NW 6.0, but they do not match in NW 6.5. With NW 6.5 the method and sequence names match, but the actual NLM that loads on the server is different. Checking for the appropriate login method/sequence in console one will display one name, but in NW 6.5 when checking "modules <nlm name>" it won't match what is seen in console one.
CIFS login method = lsmcifs
CIFS login sequence = lsmcifs
CIFS login method nlm name = lsmcifs.nlm
AFP login method = lsmafp
AFP login sequence = lsmafp
AFP login method nlm name = lsmafp.nlm
CIFS login method = Windows Native File Access
CIFS login sequence = Windows Native File Access
CIFS login method nlm name = lsmcifs2.nlm
AFP login method = Macintosh Native File Access
AFP login sequence = Macintosh Native file Access
AFP login method nlm name = lsmafp3.nlm
Below are some suggestions on how to resolve -1660 errors. The examples used are for lsmcifs.nlm, but the steps and principles are exactly the same for lsmafp.nlm, Macintosh Native File Access, and Windows Native File Access login sequences/methods.
1. Ensure the login method is loading at the server (lsmcifs.nlm, lsmcifs2.nlm, lsmafp.nlm, or lsmafp3.nlm)
a. Check at the server console to see if lsmcifs.nlm is loaded. (modules lsmcifs)
b. If not then do a "nmas refreshpolicy" at the console
c. Check to see if is loaded now.
d. If it is then test the login
e. If it is not then check to be sure the NCP server object has rights to read the Security | Authorized Login Methods container.
i. If it doesnt have rights then make an explicit assignment for this server, do an nmas refreshpolicy, and test.
ii. If it does have rights then continue
f. Add a replica of root to the server and do steps b, c, and d again.
i. This will ensure access to the security container.
2. Check to be sure that the correct login method is associated its corresponding login sequence.
a. Highlight the Security container in ConsoleOne.
b. In the right side window go to properties of the LOGIN POLICY object.
c. Under the general tab you will see a drop down box. Select the lsmcifs login sequence.
d. Notice the two windows called "Available Login Methods" and "Selected Login Methods".
e. Make sure that under the selected login methods the ONLY login method is lsmcifs.
NOTE: Each NFAP login sequence can have ONLY ONE login method associated with it. That association is made by placing the correct login method in the "Selected Login Methods" window. The login sequence name and login method name will always match. For instance, if the selected login sequence is "lsmcifs" then the login method that should appear in the selected login methods window is "lsmcifs". Likewise if the selected login sequence is "Windows Native File Access" then the correct method to associate would be "Windows Native File Access". The same goes for lsmafp and Macintosh Native File Access.
3. Update the login method via ConsoleOne
a. Security | Authorized Login Methods | lsmcifs <--properties of this lower right hand corner is an update button
b. Expand the lsmafp Authorized Login Methods using the following path:
i. Tree/Security/Authorized Login Methods
c. Right click on the Authorized Login Method "lsmcifs".
d. Select Properties from the popup menu.
e. Select the "General" tab at the top
f. Click on the "Update Method" button in the lower right corner.
g. Follow the on-screen instructions accepting all defaults.
i. When asked for a configuration file, browse to the configuration file (config.txt) which should be located in sys:\public\nmas\methods\cifs. The lsmafp.nlm.lmo file should also be located in this directory.
h. When the update has completed, you will see a Login Method Update Summary dialog indicating that the update has been processed.
i. The next time a cifs user logs in, he will get the new login methods.
j. There is no need to restart any servers.
i. Succeed = Finished
ii. Fail = Continue to step 3.
4. Delete/Recreate the lsmcifs login SEQUENCE
a. Delete the login method
i. Load Console One and go to the Security Container.
ii. Highlight the Login Policy, right click and go to Properties.
iii. Go to Defined Login Sequences drop down list and select LSMCIFS.
iv. On the same page, go to the Selected Login Methods box and highlight LSMCIFS.
v. Under the Selected Login Methods box, select Delete Sequence.
vi. Verify that the LSMCIFS is gone by looking at the drop down box of the Defined Login Sequences.
vii. Hit Apply and close the screen.
viii. Expand the Security container to expose the blue icons with keys.
ix. Go to Details on the Authorized Login Methods.
x. Delete the LSMCIFS key icon.
b. Reinstall the login method
i. Go to the Security container.
ii. Right-click the Authorized Login Methods and select New>Object> SAS:NMAS Login Method.
iii. Browse to the location of the config.txt
iv. Select the config.txt file
1. accept all defaults
2. hit the OK button.
v. Do NMAS REFRESHPOLICY at the server consoleall other NMAS servers.
1. Succeed = Finished
a. Be sure to do an NMAS REFRESHPOLICY on all other NMAS server so that they get the update.
It has been seen on occasion that running an NMAS REFRESHPOLICY does not always successfully unload the login method. If after following these steps the problem persists it is probable that the login method is not getting refreshed. In that case manually unload the login method nlm at the server console (i.e unload lsmcifs2) and then do an NMAS REFRESHPOLICY to force it to read the updated module from DS.
|Document Title:||Troubleshooting NMAS -1660 errors with NMAS Login Methods|
|Novell Product Class:||NetWare|
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.