Discussion:
Help in getting inform work in v3
Fatima Peter
2010-04-07 20:15:36 UTC
Permalink
Hello,
We are using net-snmp version 5.5. I have v1/v2c/v3 traps working
fine and inform also seems to work well in v2c. We have tested it with
snmptrapd as well as with a 3rd party vendor tool.

I seem to have problem getting inform work in v3. The informRequest
goes out to snmptrapd which immediately sends a report back. We have
captured this exchange in wireshark. Following is how trap is
configured:

snmptrap -v 3 -t 1 -r 3 -e 0x80001f888085b94c4882d8bc4b -l noauth -u
inter -n inter -Ci <ipaddr>:162


Though the engineID in Inform request matches the authoratative
engineID in the report, from what I can see it seems to fail because
of "unknwon engineID"
reports says:
error-status: noError
error-Index: 0

Is there anything wrong in the way we configure the trap? I have tried
without the "-n <name>" also.

I would really appreciate your help in resolving the issue.

Thanks in advance,
Fatima
Fatima Peter
2010-04-07 20:20:50 UTC
Permalink
I meant:
snmpd-trapsess -v 3 -t 1 -r 3 -e 0x80001f888085b94c4882d8bc4b -l
noauth -u inter -Ci 10.10.16.118:162

or

snmpd-trapsess -v 3 -t 1 -r 3 -e 0x80001f888085b94c4882d8bc4b -l
noauth -u inter -n inter -Ci 10.10.16.118:162

Here is my snmptrapd.conf file:
"
# snmptrapd.conf

doNotRetainNotificationLogs yes

#authCommunity log,execute,net public
authCommunity log,execute public

authUser log,execute inter

createUser -e 0x80001f888085b94c4882d8bc4b inter

traphandle .1.3.6.1.6.3.1.1.5.3 log
"

I invoke snmptrapd like below to accept informs:
sudo /usr/local/sbin/snmptrapd -Dsnmptrapd -C -c /etc/snmptrapd.conf
-Lf <filename>

Thanks,
Fatima
Post by Fatima Peter
Hello,
  We are using net-snmp version 5.5. I have v1/v2c/v3 traps working
fine and inform also seems to work well in v2c. We have tested it with
snmptrapd as well as with a 3rd party vendor tool.
  I seem to have problem getting inform work in v3. The informRequest
goes out to snmptrapd which immediately sends a report back. We have
captured this exchange in wireshark. Following is how trap is
snmptrap -v 3 -t 1 -r 3 -e 0x80001f888085b94c4882d8bc4b -l noauth -u
inter -n inter -Ci <ipaddr>:162
Though the engineID in Inform request matches the authoratative
engineID in the report, from what I can see it seems to fail because
of "unknwon engineID"
  error-status: noError
  error-Index: 0
Is there anything wrong in the way we configure the trap? I have tried
without the "-n <name>" also.
I would really appreciate your help in resolving the issue.
Thanks in advance,
Fatima
Fatima Peter
2010-04-09 02:16:50 UTC
Permalink
Hi,
More on the inform issue in v3. I decided to use "snmptrap" and
"snmptrapd" both running 5.5 and here are the details. I am not sure
whether this is a config issue or there is some issue with inform in
v3.

I have snmptrad running on the local host.

I sent an inform message to the trap-server with the following command:

$ sudo snmptrap -Ci -v 3 -e 0x80001f888085b94c4882d8bc4b -l noauth -u
inter localhost 0 linkUp.0
t->local =
t->remote =
sock = 3 flags = 0x0
local_addr: 0.0.0.0 0.0.0.0 162
snmpinform: Timeout (Sub-id not found: (top) -> linkUp)

Since snmptrap did not complain, it did send the message out and did
not get response from snmptrapd.

At the snmptrapd, with some debugs enabled, I am getting the following errors:

snmp_parse: Parsed SNMPv3 message (secName:inter,
secLevel:noAuthNoPriv): USM unknown engineID
snmp_parse: Parsed SNMPv3 message (secName:inter,
secLevel:noAuthNoPriv): USM unknown engineID
snmp_parse: Parsed SNMPv3 message (secName:inter,
secLevel:noAuthNoPriv): USM unknown security name (no such user
exists)

Following is my snmptrapd.conf file:

"
# snmptrapd.conf

doNotRetainNotificationLogs yes

#authCommunity log,execute,net public
authCommunity log,execute public

authUser log,execute inter
createUser -e 0x80001f888085b94c4882d8bc4b inter

traphandle .1.3.6.1.6.3.1.1.5.3 log
"

Is there anything missing in the config file?

I am looking forward to any help on this issue.

Thanks,
Fatima

---------- Forwarded message ----------
From: Fatima Peter <***@gmail.com>
Date: Wed, Apr 7, 2010 at 1:20 PM
Subject: Re: Help in getting inform work in v3
To: net-snmp-***@lists.sourceforge.net


I meant:
snmpd-trapsess -v 3 -t 1 -r 3 -e 0x80001f888085b94c4882d8bc4b -l
noauth -u inter -Ci 10.10.16.118:162

or

snmpd-trapsess -v 3 -t 1 -r 3 -e 0x80001f888085b94c4882d8bc4b -l
noauth -u inter -n inter -Ci 10.10.16.118:162

Here is my snmptrapd.conf file:
"
# snmptrapd.conf

doNotRetainNotificationLogs yes

#authCommunity log,execute,net public
authCommunity log,execute   public

authUser log,execute    inter

createUser -e 0x80001f888085b94c4882d8bc4b inter

traphandle .1.3.6.1.6.3.1.1.5.3 log
"

I invoke snmptrapd like below to accept informs:
sudo /usr/local/sbin/snmptrapd -Dsnmptrapd -C -c /etc/snmptrapd.conf
-Lf <filename>

Thanks,
Fatima
Post by Fatima Peter
Hello,
  We are using net-snmp version 5.5. I have v1/v2c/v3 traps working
fine and inform also seems to work well in v2c. We have tested it with
snmptrapd as well as with a 3rd party vendor tool.
  I seem to have problem getting inform work in v3. The informRequest
goes out to snmptrapd which immediately sends a report back. We have
captured this exchange in wireshark. Following is how trap is
snmptrap -v 3 -t 1 -r 3 -e 0x80001f888085b94c4882d8bc4b -l noauth -u
inter -n inter -Ci <ipaddr>:162
Though the engineID in Inform request matches the authoratative
engineID in the report, from what I can see it seems to fail because
of "unknwon engineID"
  error-status: noError
  error-Index: 0
Is there anything wrong in the way we configure the trap? I have tried
without the "-n <name>" also.
I would really appreciate your help in resolving the issue.
Thanks in advance,
Fatima
Dave Shield
2010-04-09 09:56:31 UTC
Permalink
$ sudo snmptrap ....
Why "sudo"?
Sending an SNMP request does not require special privileges,
so there seems no reason to run this as root.
....-Ci -v 3 -e 0x80001f888085b94c4882d8bc4b -l noauth -u inter localhost
OK so far.
.... 0 linkUp.0
Why "linkUp.0" ?
The OID of the notification is simply "linkUp" - .1.3.6.1.6.3.1.1.5.4

Don't get confused between notifications and scalar objects.

(Strictly speaking, the linkUp trap also needs several payload varbinds,
but it's sensible to get the basic request working first)
t->local =
t->remote =
sock = 3 flags = 0x0
local_addr: 0.0.0.0 0.0.0.0 162
What are these?
I assume they're not specified on the command line,
so presumably this is output from the snmptrap command.

They look like debug statements, but I'm unclear where they are coming
from. You don't seem to be turning on any debugging....
snmpinform: Timeout (Sub-id not found: (top) -> linkUp)
Since snmptrap did not complain....
Err.... what do you think the line immediately above is?
It's the "snmptrap -Ci" command (i.e. "snmpinform"), complaining
that it doesn't recognise the trap OID that you have asked for.
.... it did send the message out and did not get response from snmptrapd.
My guess is that the trap was *not* sent (because of the error above),
and this is why it wasn't received by snmptrapd, not any acknowledgement
received.

If you want to check whether the request is sent or not (rather than guessing)
use the '-d' flag. This works for both "snmptrap" (was the request sent?)
and "snmptrapd" (was it received?)

To specify the trap OID robustly, use the MIB name as well
i.e.
IF-MIB::linkUp

Dave
Fatima Peter
2010-04-09 10:53:11 UTC
Permalink
Thanks Dave for the response.

snmptrap is sending inform message but is not getting inform response
back. I enabled debug with -d and here is the exchange. If I entered
just ".1.3.6.1.6.3.1.1.5.4.", I got an usage error: The t->local etc
are output from snmptrap. It is sending INFORM(A6) but getting
REPORT(A8) back:

"
$ snmptrap -d -Ci -v 3 -e 80001F88807AB9545CF73FBE4B -l noauth -u
inter localhost 0 .1.3.6.1.6.3.1.1.5.4.0
t->local =
t->remote = 
sock = 3 flags = 0x0
local_addr: 0.0.0.0 0.0.0.0 162

Sending 137 bytes to UDP: [127.0.0.1]:162->[0.0.0.0]
0000: 30 81 86 02 01 03 30 11 02 04 0E 87 D1 92 02 03 0.....0.........
0016: 00 FF E3 04 01 04 02 01 03 04 22 30 20 04 0D 80 .........."0 ...
0032: 00 1F 88 80 7A B9 54 5C F7 3F BE 4B 02 01 00 02 ....z.T\.?.K....
0048: 01 00 04 05 69 6E 74 65 72 04 00 04 00 30 4A 04 ....inter....0J.
0064: 0D 80 00 1F 88 80 7A B9 54 5C F7 3F BE 4B 04 00 ......z.T\.?.K..
0080: A6 37 02 04 5E CC 46 D4 02 01 00 02 01 00 30 29 .7..^.F.......0)
0096: 30 0D 06 08 2B 06 01 02 01 01 03 00 43 01 00 30 0...+.......C..0
0112: 18 06 0A 2B 06 01 06 03 01 01 04 01 00 06 0A 2B ...+...........+
0128: 06 01 06 03 01 01 05 04 00 .........


Received 113 bytes from UDP: [127.0.0.1]:162->[0.0.0.0]
0000: 30 6F 02 01 03 30 11 02 04 0E 87 D1 92 02 03 00 0o...0..........
0016: FF E3 04 01 00 02 01 03 04 23 30 21 04 0D 80 00 .........#0!....
0032: 1F 88 80 C0 83 74 3C 5C 98 BE 4B 02 01 01 02 02 .....t<\..K.....
0048: 36 FE 04 05 69 6E 74 65 72 04 00 04 00 30 32 04 6...inter....02.
0064: 0D 80 00 1F 88 80 C0 83 74 3C 5C 98 BE 4B 04 00 ........t<\..K..
0080: A8 1F 02 04 5E CC 46 D4 02 01 00 02 01 00 30 11 ....^.F.......0.
0096: 30 0F 06 0A 2B 06 01 06 03 0F 01 01 04 00 41 01 0...+.........A.
0112: 12 .


Resending 137 bytes to UDP: [127.0.0.1]:162->[0.0.0.0]
0000: 30 81 86 02 01 03 30 11 02 04 0E 87 D1 93 02 03 0.....0.........
0016: 00 FF E3 04 01 04 02 01 03 04 22 30 20 04 0D 80 .........."0 ...
0032: 00 1F 88 80 7A B9 54 5C F7 3F BE 4B 02 01 00 02 ....z.T\.?.K....
0048: 01 00 04 05 69 6E 74 65 72 04 00 04 00 30 4A 04 ....inter....0J.
0064: 0D 80 00 1F 88 80 7A B9 54 5C F7 3F BE 4B 04 00 ......z.T\.?.K..
0080: A6 37 02 04 5E CC 46 D4 02 01 00 02 01 00 30 29 .7..^.F.......0)
0096: 30 0D 06 08 2B 06 01 02 01 01 03 00 43 01 00 30 0...+.......C..0
0112: 18 06 0A 2B 06 01 06 03 01 01 04 01 00 06 0A 2B ...+...........+
0128: 06 01 06 03 01 01 05 04 00 .........


Received 113 bytes from UDP: [127.0.0.1]:162->[0.0.0.0]
0000: 30 6F 02 01 03 30 11 02 04 0E 87 D1 93 02 03 00 0o...0..........
0016: FF E3 04 01 00 02 01 03 04 23 30 21 04 0D 80 00 .........#0!....
0032: 1F 88 80 C0 83 74 3C 5C 98 BE 4B 02 01 01 02 02 .....t<\..K.....
0048: 36 FF 04 05 69 6E 74 65 72 04 00 04 00 30 32 04 6...inter....02.
0064: 0D 80 00 1F 88 80 C0 83 74 3C 5C 98 BE 4B 04 00 ........t<\..K..
0080: A8 1F 02 04 5E CC 46 D4 02 01 00 02 01 00 30 11 ....^.F.......0.
0096: 30 0F 06 0A 2B 06 01 06 03 0F 01 01 04 00 41 01 0...+.........A.
0112: 13 .

.........................
"
The snmptrapd gets the informRequest and dumps this out:

"
snmp_parse: Parsed SNMPv3 message (secName:inter,
secLevel:noAuthNoPriv): USM unknown security name (no such user
exists)
snmp_parse: Parsed SNMPv3 message (secName:inter,
secLevel:noAuthNoPriv): USM unknown security name (no such user
exists)
snmp_parse: Parsed SNMPv3 message (secName:inter,
secLevel:noAuthNoPriv): USM unknown security name (no such user
exists)
"

Following is my trapd config file:
"
# snmptrapd.conf

doNotRetainNotificationLogs yes

#authCommunity log,execute,net public
authCommunity log,execute public

authUser log,execute inter
createUser -e 0x80001f888085b94c4882d8bc4b inter

traphandle .1.3.6.1.6.3.1.1.5.3 log
"

Thanks in advance,
Fatima
Post by Dave Shield
$ sudo snmptrap ....
Why "sudo"?
Sending an SNMP request does not require special privileges,
so there seems no reason to run this as root.
  ....-Ci -v 3 -e 0x80001f888085b94c4882d8bc4b -l noauth -u inter localhost
OK so far.
  ....  0 linkUp.0
Why "linkUp.0" ?
The OID of the notification is simply "linkUp" - .1.3.6.1.6.3.1.1.5.4
Don't get confused between notifications and scalar objects.
(Strictly speaking, the linkUp trap also needs several payload varbinds,
but it's sensible to get the basic request working first)
t->local =
t->remote =
sock = 3 flags = 0x0
local_addr: 0.0.0.0 0.0.0.0 162
What are these?
I assume they're not specified on the command line,
so presumably this is output from the snmptrap command.
They look like debug statements, but I'm unclear where they are coming
from.   You don't seem to be turning on any debugging....
snmpinform: Timeout (Sub-id not found: (top) -> linkUp)
Since snmptrap did not complain....
Err.... what do you think the line immediately above is?
It's the "snmptrap -Ci" command (i.e. "snmpinform"), complaining
that it doesn't recognise the trap OID that you have asked for.
 .... it did send the message out and did not get response from snmptrapd.
My guess is that the trap was *not* sent (because of the error above),
and this is why it wasn't received by snmptrapd, not any acknowledgement
received.
If you want to check whether the request is sent or not (rather than guessing)
use the '-d' flag.   This works for both "snmptrap" (was the request sent?)
and "snmptrapd"  (was it received?)
To specify the trap OID robustly, use the MIB name as well
i.e.
   IF-MIB::linkUp
Dave
Dave Shield
2010-04-09 11:28:26 UTC
Permalink
Post by Fatima Peter
snmptrap is sending inform message but is not getting inform response
back. I enabled debug with -d and here is the exchange. If I entered
just ".1.3.6.1.6.3.1.1.5.4.", I got an usage error: The t->local etc
are output from snmptrap. It is sending INFORM(A6) but getting
That seems to be an "usmStatsUnknownEngineID" report.

What happens if you omit the '-e' flag from both the snmptrap
command, and the snmptrapd.conf file?

Dave
Manjit
2010-04-09 11:41:22 UTC
Permalink
To receive inform the snmptrapd.conf need not to have -e engineID .
Please check
http://www.net-snmp.org/wiki/index.php/TUT:Configuring_snmptrapd_to_receive_SNMPv3_notifications#Configuring_a_SNMPv3_INFORM_User

If you remove -e from snmptrap command then also snmptrapd will receive
infrom because it will do an engineID probe and send the infrom with
correct engineID.
Correct me if i am wrong.
Post by Dave Shield
Post by Fatima Peter
snmptrap is sending inform message but is not getting inform response
back. I enabled debug with -d and here is the exchange. If I entered
just ".1.3.6.1.6.3.1.1.5.4.", I got an usage error: The t->local etc
are output from snmptrap. It is sending INFORM(A6) but getting
That seems to be an "usmStatsUnknownEngineID" report.
What happens if you omit the '-e' flag from both the snmptrap
command, and the snmptrapd.conf file?
Dave
------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Net-snmp-coders mailing list
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
Fatima Peter
2010-04-09 15:30:33 UTC
Permalink
Dave,
If we remove the "engineID" from "snmptrap", I think the other end
will reject due to engineID. I an anycase, I tried it and here is what
I found. "snmptrapd" responds to the first message probably with the
engineID which "snmptrap" is not responding to correctly.

At the "snmptrap" end:
"
snmptrap -d -Ci -v 3 -l noauth -u inter localhost 0 .1.3.6.1.6.3.1.1.5.4.0
t->local =
t->remote = 
sock = 3 flags = 0x0
local_addr: 0.0.0.0 0.0.0.0 162

Sending 64 bytes to UDP: [127.0.0.1]:162->[0.0.0.0]
0000: 30 3E 02 01 03 30 11 02 04 74 8D 82 59 02 03 00 0>...0...t..Y...
0016: FF E3 04 01 04 02 01 03 04 10 30 0E 04 00 02 01 ..........0.....
0032: 00 02 01 00 04 00 04 00 04 00 30 14 04 00 04 00 ..........0.....
0048: A0 0E 02 04 24 08 1F CF 02 01 00 02 01 00 30 00 ....$.........0.


Received 108 bytes from UDP: [127.0.0.1]:162->[0.0.0.0]
0000: 30 6A 02 01 03 30 11 02 04 74 8D 82 59 02 03 00 0j...0...t..Y...
0016: FF E3 04 01 00 02 01 03 04 1E 30 1C 04 0D 80 00 ..........0.....
0032: 1F 88 80 D4 74 A6 01 7D 45 BF 4B 02 01 01 02 02 ....t..}E.K.....
0048: 00 AE 04 00 04 00 04 00 30 32 04 0D 80 00 1F 88 ........02......
0064: 80 D4 74 A6 01 7D 45 BF 4B 04 00 A8 1F 02 04 24 ..t..}E.K......$
0080: 08 1F CF 02 01 00 02 01 00 30 11 30 0F 06 0A 2B .........0.0...+
0096: 06 01 06 03 0F 01 01 04 00 41 01 10 .........A..


Sending 138 bytes to UDP: [127.0.0.1]:162->[0.0.0.0]
0000: 30 81 87 02 01 03 30 11 02 04 74 8D 82 58 02 03 0.....0...t..X..
0016: 00 FF E3 04 01 04 02 01 03 04 23 30 21 04 0D 80 ..........#0!...
0032: 00 1F 88 80 D4 74 A6 01 7D 45 BF 4B 02 01 01 02 .....t..}E.K....
0048: 02 00 AE 04 05 69 6E 74 65 72 04 00 04 00 30 4A .....inter....0J
0064: 04 0D 80 00 1F 88 80 D4 74 A6 01 7D 45 BF 4B 04 ........t..}E.K.
0080: 00 A6 37 02 04 24 08 1F CE 02 01 00 02 01 00 30 ..7..$.........0
0096: 29 30 0D 06 08 2B 06 01 02 01 01 03 00 43 01 00 )0...+.......C..
0112: 30 18 06 0A 2B 06 01 06 03 01 01 04 01 00 06 0A 0...+...........
0128: 2B 06 01 06 03 01 01 05 04 00 +.........

"
At the "snmptrapd" end, I see:
"
snmp_parse: Parsed SNMPv3 message (secName:inter, secLevel:noAuthNoPriv):

Received 64 bytes from UDP: [127.0.0.1]:37875->[127.0.0.1]
0000: 30 3E 02 01 03 30 11 02 04 74 8D 82 59 02 03 00 0>...0...t..Y...
0016: FF E3 04 01 04 02 01 03 04 10 30 0E 04 00 02 01 ..........0.....
0032: 00 02 01 00 04 00 04 00 04 00 30 14 04 00 04 00 ..........0.....
0048: A0 0E 02 04 24 08 1F CF 02 01 00 02 01 00 30 00 ....$.........0.

snmp_parse: Parsed SNMPv3 message (secName:, secLevel:noAuthNoPriv):
USM unknown engineID

Sending 108 bytes to UDP: [127.0.0.1]:37875->[127.0.0.1]
0000: 30 6A 02 01 03 30 11 02 04 74 8D 82 59 02 03 00 0j...0...t..Y...
0016: FF E3 04 01 00 02 01 03 04 1E 30 1C 04 0D 80 00 ..........0.....
0032: 1F 88 80 D4 74 A6 01 7D 45 BF 4B 02 01 01 02 02 ....t..}E.K.....
0048: 00 AE 04 00 04 00 04 00 30 32 04 0D 80 00 1F 88 ........02......
0064: 80 D4 74 A6 01 7D 45 BF 4B 04 00 A8 1F 02 04 24 ..t..}E.K......$
0080: 08 1F CF 02 01 00 02 01 00 30 11 30 0F 06 0A 2B .........0.0...+
0096: 06 01 06 03 0F 01 01 04 00 41 01 10 .........A..


Received 138 bytes from UDP: [127.0.0.1]:37875->[127.0.0.1]
0000: 30 81 87 02 01 03 30 11 02 04 74 8D 82 58 02 03 0.....0...t..X..
0016: 00 FF E3 04 01 04 02 01 03 04 23 30 21 04 0D 80 ..........#0!...
0032: 00 1F 88 80 D4 74 A6 01 7D 45 BF 4B 02 01 01 02 .....t..}E.K....
0048: 02 00 AE 04 05 69 6E 74 65 72 04 00 04 00 30 4A .....inter....0J
0064: 04 0D 80 00 1F 88 80 D4 74 A6 01 7D 45 BF 4B 04 ........t..}E.K.
0080: 00 A6 37 02 04 24 08 1F CE 02 01 00 02 01 00 30 ..7..$.........0
0096: 29 30 0D 06 08 2B 06 01 02 01 01 03 00 43 01 00 )0...+.......C..
0112: 30 18 06 0A 2B 06 01 06 03 01 01 04 01 00 06 0A 0...+...........
0128: 2B 06 01 06 03 01 01 05 04 00 +.........

"

Thanks,
Fatima
Post by Dave Shield
Post by Fatima Peter
snmptrap is sending inform message but is not getting inform response
back. I enabled debug with -d and here is the exchange. If I entered
just ".1.3.6.1.6.3.1.1.5.4.", I got an usage error: The t->local etc
are output from snmptrap. It is sending INFORM(A6) but getting
That seems to be an "usmStatsUnknownEngineID" report.
What happens if you omit the '-e' flag from both the snmptrap
command, and the snmptrapd.conf file?
Dave
Dave Shield
2010-04-12 09:33:59 UTC
Permalink
  If we remove the "engineID" from "snmptrap", I think the other end
will reject due to engineID.
Not quite.
If you remove engineID from the "snmptrap -Ci" call, then the client
will first probe the trap receiver to determine the appropriate engine ID.
This ID will then be used to send the notification.


Note that this only applies to "snmptrap -Ci" (aka "snmpinform").
Unacknowledged SNMPv3 traps (i.e. without the -Ci flag) work
differently.

There's a tutorial page on the project website that explains this
in more detail.

Dave
Manjit
2010-04-12 10:08:28 UTC
Permalink
Hi All,
I believe if you send a snmp inform request with *noauth p*rotocol,
snmptrapd.conf need to be configure differently:
Follwing are working for me :
snmptrap -d -Ci -v 3 -l noauth -u informtest localhost 0
.1.3.6.1.6.3.1.1.5.4.0

Content of snmptrapd.conf :
disableAuthorization yes

Or you need to change the authentication protocol eg
snmptrap -d -Ci -v 3 -a SHA -A mypassword -x AES -X mypassword -l
authPriv -u informtest localhost 0 .1.3.6.1.6.3.1.1.5.4.0

content of snmptrapd.conf :
createUser informtest SHA mypassword AES
authUser log,execute,net informtest

Regards,
Manjit
Post by Dave Shield
Post by Fatima Peter
If we remove the "engineID" from "snmptrap", I think the other end
will reject due to engineID.
Not quite.
If you remove engineID from the "snmptrap -Ci" call, then the client
will first probe the trap receiver to determine the appropriate engine ID.
This ID will then be used to send the notification.
Note that this only applies to "snmptrap -Ci" (aka "snmpinform").
Unacknowledged SNMPv3 traps (i.e. without the -Ci flag) work
differently.
There's a tutorial page on the project website that explains this
in more detail.
Dave
------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Net-snmp-coders mailing list
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
Fatima Peter
2010-04-12 13:20:44 UTC
Permalink
What Manjit says seems to be correct.

It worked fine even when I specify the "-e <engineID" in the
"snmptrap" call for all users but for the "noauth" user.
So, for "noauth" user, we have to specify "disableAuthorization yes"
in the snmptrapd confguration.

Without the "-e <engineID>", it goes through engineID discovery first.
I also found that the engineID of "snmptrapd" changes at every
invocation as 2nd part of engineID seems to be the "start time" of
snmptrapd.

Thanks,
Fatima
Post by Manjit
Hi All,
I believe if you send a snmp inform request with *noauth p*rotocol,
snmptrap -d -Ci -v 3 -l noauth -u informtest localhost 0
.1.3.6.1.6.3.1.1.5.4.0
disableAuthorization yes
Or you need to change the authentication protocol eg
snmptrap -d -Ci -v 3 -a SHA -A mypassword -x AES -X mypassword -l authPriv
-u informtest localhost 0 .1.3.6.1.6.3.1.1.5.4.0
createUser informtest SHA mypassword AES
authUser log,execute,net informtest
Regards,
Manjit
Post by Dave Shield
 If we remove the "engineID" from "snmptrap", I think the other end
will reject due to engineID.
Not quite.
If you remove engineID from the "snmptrap -Ci" call, then the client
will first probe the trap receiver to determine the appropriate engine ID.
This ID will then be used to send the notification.
Note that this only applies to "snmptrap -Ci"   (aka "snmpinform").
Unacknowledged SNMPv3 traps (i.e. without the -Ci flag) work
differently.
There's a tutorial page on the project website that explains this
in more detail.
Dave
------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Net-snmp-coders mailing list
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
Wes Hardaker
2010-04-12 20:49:27 UTC
Permalink
FP> So, for "noauth" user, we have to specify "disableAuthorization yes"
FP> in the snmptrapd confguration.

You don't have to; instead you need to still configure a user in the
usmTable for snmptrapd and authorization that allows noauth.

FP> I also found that the engineID of "snmptrapd" changes at every
FP> invocation as 2nd part of engineID seems to be the "start time" of
FP> snmptrapd.

Only if it can't write to the persistent storage directory (which
defaults to /var/net-snmp)
--
Wes Hardaker
Please mail all replies to net-snmp-***@lists.sourceforge.net
Manjit
2010-04-13 05:02:27 UTC
Permalink
Hi,
How to configure a user for noauth using snmptrapd.conf.

Regards,
Manjit
Post by Wes Hardaker
FP> So, for "noauth" user, we have to specify "disableAuthorization yes"
FP> in the snmptrapd confguration.
You don't have to; instead you need to still configure a user in the
usmTable for snmptrapd and authorization that allows noauth.
FP> I also found that the engineID of "snmptrapd" changes at every
FP> invocation as 2nd part of engineID seems to be the "start time" of
FP> snmptrapd.
Only if it can't write to the persistent storage directory (which
defaults to /var/net-snmp)
Dave Shield
2010-04-13 07:07:42 UTC
Permalink
Post by Manjit
Hi,
How to configure a user for noauth using snmptrapd.conf.
$ man snmptrapd.conf

authUser TYPES [-s MODEL] USER [LEVEL [OID | -v VIEW ]]
authorises SNMPv3 notifications with the specified user to trig-
ger the types of processing listed. By default, this will
accept authenticated requests. (authNoPriv or authPriv). The
LEVEL field can be used to allow unauthenticated notifications
(noauth)


So an entry such as

authUser log,execute inter

would allow processing of authenticated notifications from the user 'inter',
while

authUser log,execute inter noauth

would allow processing of *all* traps (including noAuthNoPriv) from that user.

Dave

Loading...