Hi Wes,

Thanks for your quick reply.

I beg to differ that the missing data is not useful. It might not matter so much with the lowest security level (-l noAuthNoPriv), but I've moved on to authenticated traps, and it fails. There is a profound difference in SNMPv3 in sending a trap to (!) a user (what net-snmp is doing) or as (!) a user (what it should do).

I hope the following makes sense:

I added a new user 'authUser' via 'createUser' to <host1> /var/net-snmp/snmpd.conf:

    createUser authUser MD5 AuthPassword

Sending a Get Request works fine:

    snmpget -v 3 -u authUser -l authNoPriv -a MD5 -A AuthPassword udp:<host1>.westhawk.co.uk:161 sysContact.0
    SNMPv2-MIB::sysContact.0 = STRING: Tim Panton, [EMAIL PROTECTED]

However, net-snmp (on <host1>) isn't able to send an authentication failure trap to <host2> as user 'authUser', because it cannot find the user's usm details.

**** /etc/snmp/snmpd.conf:

    authtrapenable 1
    trapsess -v 3 -l authNoPriv -u authUser -a MD5 -A AuthPassword <host2>:162

**** /var/log/net-snmpd.log:

    usm: USM processing has begun (offset 89)
    trace: usm_get_user(): snmpusm.c, 2982:
    usm: getting user authUser
    trace: usm_get_user_from_list(): snmpusm.c, 2998:
    usm: match on user authUser
    trace: usm_get_user_from_list(): snmpusm.c, 3004:
    usm: no match on engineID ()
    trace: usm_rgenerate_out_msg(): snmpusm.c, 1403:
    usm: Unknown User
    trace: _sess_async_send(): snmp_api.c, 4816:
    sess_async_send: encoding failure
    snmpd: send_trap: USM unknown security name (no such user exists)

I assume that is because it tries to find the details of 'authUser' on <host2> instead of its own local 'authUser'.

It might seem I should be able to work around this problem by configuring (using snmpusm) the details of 'authUser' on <host2>. However, net-snmp would then send the authentication and timeliness parameters of <host2> and not <host1>. Therefore the PDU would be discarded by <host2> as not being authentic.

Thanks,
Birgit

On Mon, Feb 06, 2006 at 09:16:08PM -0800, Wes Hardaker wrote:
> >>>>> On Mon, 6 Feb 2006 18:22:23 +0000, Birgit Arkesteijn <[EMAIL PROTECTED]> said:
>
> Birgit> trapsess -v 3 -l noAuthNoPriv -u noAuthUser <host>:162
>
> Birgit> I receive the PDU fine, but I noticed that the trap doesn't have the
> Birgit> correct authoritative engine ID, engine boots and engine time;
>
> Birgit> However, (as far as my knowledge goes for SNMPv3) when sending
> Birgit> traps in SNMPv3, the engine acts as an authoritative engine
> Birgit> and should therefore send its own (!) authoritative engine ID,
> Birgit> engine boots and engine time, and not the synchronisation
> Birgit> parameters of the other party.
>
> That's true, the agent should be sending its own engineid, boots and
> time assuming you're sending a trap and not an inform.
>
> Birgit> Unless my understanding and assumptions are incorrect, it seems that
> Birgit> the net-snmp behaviour is incorrect.
>
> Yes, I'd agree. Though the usefulness of the missing data is pretty
> much 0, but that doesn't excuse that it should be filling it in
> anyway.
>
> --
> Wes Hardaker
> Sparta, Inc.

--
-- Birgit Arkesteijn, [EMAIL PROTECTED],
-- Westhawk Ltd, Albion Wharf, 19 Albion Street, Manchester M1 5LN, UK
-- tel.: +44 (0)161 237 0660
-- <URL: http://www.westhawk.co.uk>

_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
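
Added example, not part of either message and not net-snmp code: a minimal Python model of the RFC 3414 behaviour this thread turns on, where USM users are looked up by (engineID, userName) and the MD5 authentication key is localized to the authoritative engine ID. The engine IDs, payload, class and function names are constructed for illustration, and the HMAC input is simplified to engine ID plus payload instead of a full encoded message.

```python
import hashlib
import hmac

def password_to_key_md5(password: bytes) -> bytes:
    # RFC 3414 A.2.1: MD5 over the password repeated out to 1,048,576 bytes (Ku).
    reps, rem = divmod(1048576, len(password))
    return hashlib.md5(password * reps + password[:rem]).digest()

def localize_key_md5(ku: bytes, engine_id: bytes) -> bytes:
    # RFC 3414 2.6: Kul = MD5(Ku || authoritative snmpEngineID || Ku).
    return hashlib.md5(ku + engine_id + ku).digest()

class UsmUserTable:
    """USM users are stored per (engineID, userName), each with a localized key."""
    def __init__(self):
        self._users = {}

    def add(self, engine_id: bytes, user: str, password: bytes) -> None:
        ku = password_to_key_md5(password)
        self._users[(engine_id, user)] = localize_key_md5(ku, engine_id)

    def get(self, engine_id: bytes, user: str):
        return self._users.get((engine_id, user))  # None: no such user for that engine

def sign_trap(table, auth_engine_id: bytes, user: str, msg: bytes) -> bytes:
    kul = table.get(auth_engine_id, user)
    if kul is None:
        raise LookupError("USM unknown security name (no such user exists)")
    # HMAC-MD5-96 over engine ID plus payload (simplified stand-in for the whole message).
    return hmac.new(kul, auth_engine_id + msg, hashlib.md5).digest()[:12]

def verify_trap(table, auth_engine_id: bytes, user: str, msg: bytes, mac: bytes) -> bool:
    kul = table.get(auth_engine_id, user)
    if kul is None:
        return False
    expected = hmac.new(kul, auth_engine_id + msg, hashlib.md5).digest()[:12]
    return hmac.compare_digest(expected, mac)

# Constructed engine IDs and payload; user name and password are the ones in the thread.
HOST1_ENGINE = bytes.fromhex("80001f8801aabbccdd")  # trap sender (authoritative for traps)
HOST2_ENGINE = bytes.fromhex("80001f8802eeff0011")  # trap receiver
TRAP = b"authenticationFailure"

def build_tables():
    sender, receiver = UsmUserTable(), UsmUserTable()
    sender.add(HOST1_ENGINE, "authUser", b"AuthPassword")    # sender's own local user
    receiver.add(HOST1_ENGINE, "authUser", b"AuthPassword")  # receiver's entry for the sender's engine
    receiver.add(HOST2_ENGINE, "authUser", b"AuthPassword")  # receiver's own local user
    return sender, receiver
```

A lookup with an empty engine ID finds nothing even though the user name exists, and a MAC computed with the key localized to the receiver's engine ID does not verify against the sender's engine ID.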