From cassio at clrgomes.com.br Thu May 1 14:58:33 2008
From: cassio at clrgomes.com.br (Cássio Luís Reis Gomes)
Date: Thu, 1 May 2008 11:58:33 -0300
Subject: [tac_plus] Enable Secret
Message-ID: <001b01c8ab9b$d48fbed0$7daf3c70$@com.br>

Hello,

I would like to set up a specific "enable secret" per group, but I'm not getting good results. Could you help me to define this item?

Thanks,
Cassio

From dan.schmidt at uplinkdata.com Thu May 1 22:15:52 2008
From: dan.schmidt at uplinkdata.com (Dan Schmidt)
Date: Thu, 1 May 2008 16:15:52 -0600
Subject: [tac_plus] Re: Let's discuss some new features
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC1BD453@che-exch-003.uplinkdata.com>

Sounds like a great idea!

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Kiss Gabor (Bitman)
Sent: Wednesday, April 30, 2008 2:54 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Let's discuss some new features

Dear folks,

I plan to do some enhancements of the tac_plus daemon. It would be lovely if the network manager could assign individual attributes based not only on username but also on
- host (NAS) address/name
- terminal line (console, async/modem, vty etc.)
- connection time (workdays, weekend, day and night etc.)

However, this requires a more sophisticated database backend, practically speaking a relational database. Sqlite seems to be a good choice. The configure script would accept a --with-sqlite option on systems where libsqlite is available. At startup or when catching a HUP signal the daemon reads the usual configuration file and fills the database with the appropriate records. The database could be entirely in memory (i.e. no external file), so the daemon would be acting as a black box that cannot be distinguished from the current one.
The look is the same but there is a V8 engine under the hood. :-)

Moreover, I wish to keep backward compatibility of the config file. So I'm thinking of some new syntax elements that could describe the above functionality. I mean something like this:

-----------------------------------
acl = local_net_acl {
    permit = ^172\.16\.192\.
}

user = melany_local {
    ifhost = local_net_acl {
        service = exec {
            priv-lvl = 15
        }
    }
    service = exec {
        priv-lvl = 2
    }
    member = working_girl
}

time = business_hours {
    permit = Mo-Fr,8-15:30
}

group = working_girl {
    iftime = business_hours {
        default service = permit
    }
    default service = deny
}
-----------------------------------

What is your opinion?

Gabor
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From heas at shrubbery.net Fri May 2 17:02:53 2008
From: heas at shrubbery.net (john heasley)
Date: Fri, 2 May 2008 10:02:53 -0700
Subject: [tac_plus] Re: Let's discuss some new features
Message-ID: <20080502170253.GF13792@shrubbery.net>

Wed, Apr 30, 2008 at 10:54:14AM +0200, Kiss Gabor (Bitman):
> Dear folks,
>
> I plan to do some enhancements of tac_plus daemon.
> It would be lovely if network manager can assign individual
> attributes based not only on username but
> - host (NAS) address/name

Are you implying DNS? I do not think that DNS/names and security work well together. I also think that authentication daemons should not be dependent upon DNS, which may be broken.

> - terminal line (console, async/modem, vty etc.)

This too seems dodgy; afaik there is no standard way of representing these by name, and two implementations (or versions) could be different.

> - connection time (workdays, weekend, day and night etc.)
>
> However this requires more sophisticated database backend practically
> speaking a relational database. Sqlite seems to be a good choice.
> Configure script would accept --with-sqlite option on systems
> where libsqlite is available. At startup or when catching HUP signal
> daemon read the usual configuration file and fills database
> with appropriate record. Database could be in memory entirely (i.e. no
> external file) so daemon would be acting as a black box that
> cannot be distinguished from the current one.

I prefer not sqlite. Berkeley DB is a better choice IMO, since it does not rely on any additional sources. Though I suppose it could be distributed with tacacs; at least sqlite's license is digestible.

> Lookout is the same but there is a V8 engine under the hood. :-)
>
> Moreover I wish to keep backward compatibility of config file.
> So I'm thinking on some new syntax elements that could describe
> the above functionality.

As for the config file, I'd like to see the parser rewritten in yacc/lex, but I have nothing working yet.

> I mean something like this:
>
> -----------------------------------
> acl = local_net_acl {
>     permit = ^172\.16\.192\.
> }
>
> user = melany_local {
>     ifhost = local_net_acl {
>         service = exec {
>             priv-lvl = 15
>         }
>     }
>     service = exec {
>         priv-lvl = 2
>     }
>     member = working_girl
> }
>
> time = business_hours {
>     permit = Mo-Fr,8-15:30
> }
>
> group = working_girl {
>     iftime = business_hours {
>         default service = permit
>     }
>     default service = deny
> }
> -----------------------------------
>
> What is your opinion?
>
> Gabor

From cassio at clrgomes.com.br Fri May 2 19:54:04 2008
From: cassio at clrgomes.com.br (Cassio Gomes)
Date: Fri, 2 May 2008 16:54:04 -0300
Subject: [tac_plus] Re: Enable Secret
References: <001b01c8ab9b$d48fbed0$7daf3c70$@com.br> <05CC562AFB5A9446A1BC3F66AD04A3BC1BD473@che-exch-003.uplinkdata.com>
Message-ID: <000801c8ac8e$49024c40$0401a8c0@iuser.iroot.adidom.com>

No, where can I find it?
Thanks,
Cassio

----- Original Message -----
From: "Dan Schmidt"
To: "Cássio Luís Reis Gomes" ; <tac_plus at shrubbery.net>
Sent: Friday, May 02, 2008 16:15
Subject: RE: [tac_plus] Enable Secret

Have you tried the tac_enab_new patch?

From dan.schmidt at uplinkdata.com Fri May 2 19:15:06 2008
From: dan.schmidt at uplinkdata.com (Dan Schmidt)
Date: Fri, 2 May 2008 13:15:06 -0600
Subject: [tac_plus] Re: Enable Secret
In-Reply-To: <001b01c8ab9b$d48fbed0$7daf3c70$@com.br>
References: <001b01c8ab9b$d48fbed0$7daf3c70$@com.br>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC1BD473@che-exch-003.uplinkdata.com>

Have you tried the tac_enab_new patch?

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Cássio Luís Reis Gomes
Sent: Thursday, May 01, 2008 8:59 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Enable Secret

> I would like to set up a specific "enable secret" per group, but I'm not
> getting good results. Could you help me to define this item?

From kissg at ssg.ki.iif.hu Sat May 3 12:34:11 2008
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Sat, 3 May 2008 14:34:11 +0200 (CEST)
Subject: [tac_plus] Re: Let's discuss some new features
In-Reply-To: <20080502170253.GF13792@shrubbery.net>
References: <20080502170253.GF13792@shrubbery.net>

> > I plan to do some enhancements of tac_plus daemon.
> > It would be lovely if network manager can assign individual
> > attributes based not only on username but
> > - host (NAS) address/name
>
> Are you implying DNS? I do not think that DNS/names and security work well
> together. I also think that authentication daemons should not be dependent
> upon DNS, which may be broken.

I don't intend to use DNS more intensively than the current version does. The user may choose whether he wants IP addresses to be resolved or not.

> > - terminal line (console, async/modem, vty etc.)
>
> this too seems dodgy, afaik there is no standard way of representing these
> by name and two implementations (or versions) could be different.

It is up to the user. I just give him the loaded gun. It is he who must pull the trigger. :-)

BTW, loaded gun. I've got a new idea! The TACACS+ server could also measure the time passed between prompt and user response, as well as password errors. It is possible to make decisions on this. E.g. the daemon can think that a 10+ second response time is like a panic code on PIN-locked doors: the user is forced to enter and security guards must be alarmed. (I'm not serious. :-)

> > - connection time (workdays, weekend, day and night etc.)
> >
> > However this requires more sophisticated database backend practically
> > speaking a relational database. Sqlite seems to be a good choice.
> > Configure script would accept --with-sqlite option on systems
> > where libsqlite is available. At startup or when catching HUP signal
> > daemon read the usual configuration file and fills database
> > with appropriate record. Database could be in memory entirely (i.e. no
> > external file) so daemon would be acting as a black box that
> > cannot be distinguished from the current one.
>
> I prefer not sqlite. berkeley db is a better choice IMO, since it does
> not rely on any additional sources. though i suppose it could be distributed

Like tcpwrapper or S/Key. It is just an additional and _optional_ library. I'd keep the original config search routines for backward compatibility. Berkeley DB has less functionality than any relational database system.

> with tacacs. at least sqlite's license is digestible.

> as for the config file, i'd like to see the parser rewritten in yacc/lex,

Oh well. This is another secret plan of mine. :-) I just did not dare to suggest two dramatic code changes at the same time.

> but i have nothing working yet.

I respect the power of YACC, but I am not an expert in formal languages. Creating a new parser is beyond me if I am alone.

Gabor

From doctor at mcc.ac.uk Tue May 6 07:52:04 2008
From: doctor at mcc.ac.uk (Mike Richardson)
Date: Tue, 6 May 2008 08:52:04 +0100
Subject: [tac_plus] "Process Write Failure" problem
Message-ID: <20080506075203.GQ3055@jadzia.mcc.ac.uk>

Hiya,

We've been using Tacacs+ for quite a while now but recently noticed a problem.
When the tacacs daemon tries to execute an external script this can happen:

    cfg_get_value: name=b4ckup isuser=1 attr=after rec=1
    cfg_get_value: recurse group = backup
    cfg_get_pvalue: returns /usr/local/tacacs/bin/tac_switch.pl $user $name $address
    After authorization call: /usr/local/tacacs/bin/tac_switch.pl $user $name $address
    substitute: /usr/local/tacacs/bin/tac_switch.pl $user $name $address
    Dollar substitution: /usr/local/tacacs/bin/tac_switch.pl b4ckup 10.100.182.2 130.88.249.16
    input service=shell
    input cmd=copy
    input cmd-arg=running-config
    input cmd-arg=startup-config
    input cmd-arg=
    10.100.182.2: Process write failure
    cmd /usr/local/tacacs/bin/tac_switch.pl $user $name $address returns 1 (unconditional deny)
    cfg_get_hvalue: name=10.100.182.2 attr=key
    cfg_get_hvalue: no host named 10.100.182.2
    cfg_get_phvalue: returns NULL
    authorization query for 'b4ckup' tty2 from 10.100.182.2 rejected

However, it happens at random. The same command can be run several times from the same switch within seconds and will sometimes work and sometimes won't.

I know that's quite vague, so here are some more details. We had a 100% success rate when the software was run on a couple of Dell servers running Debian Etch. Then I installed the same software on a couple of HP Proliants and got the above problem with about a 30-40% failure rate. That has now settled to about a 1% failure rate. I've no idea what's changed. I've installed the same software on some Xen virtual servers (on the same Dell hardware as above) and got a 30-40% failure rate.

The software in use was the F4.0.4-10 version. I upgraded to the -15 version with exactly the same results.

The external program being run has been replaced with a couple of very simple scripts ('print "....", exit 0') written in both perl and bash and gives the same 30-40% failure rate.

My uneducated guess is that there is a problem with the interprocess communication.

Do you need any more debugging output? Anything I can do to help?
Mike

--
Mike Richardson
Networks IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*

From Klaus_Peters at mckinsey.com Fri May 9 14:46:52 2008
From: Klaus_Peters at mckinsey.com (Klaus_Peters at mckinsey.com)
Date: Fri, 9 May 2008 16:46:52 +0200
Subject: [tac_plus] PAM authentication issue with TAC_PLUS

Hi,

First of all, thank you for the development of the Tacacs+ daemon. I've been using it for quite some time and it has proven to be a very stable, nice piece of software.

I am looking for Directory integration of the Cisco login and would like to use PAM authentication. The documentation says this can be accomplished by:

    4). Authentication using PAM (Pluggable Authentication Modules)

    Assuming that your OS supports it, tac_plus can be configured to use
    PAM for authentication, which may make it possible to use LDAP,
    SecureID, etc if you have the appropriate PAM module. Use may require
    configuration of the PAM libraries themselves; see their documentation.

        user = fred {
            login = PAM
        }

What I am getting when putting login = PAM into the config file is:

    tac_plus -C /etc/tacacs/tacacs.conf -l /var/log/tac_plus.log
    Error: expecting 'file', 'cleartext', 'nopassword', or 'des' keyword after 'login =' on line 33

Can you please shed some light on this error? Do I have to set the PAM support during compilation?

Thanks and regards,
Klaus Peters

+=========================================================+
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
+=========================================================+

From cwalstrom at zayoms.com Thu May 22 16:50:28 2008
From: cwalstrom at zayoms.com (Chad Walstrom)
Date: Thu, 22 May 2008 11:50:28 -0500
Subject: [tac_plus] Debian Package for tacacs+?
Message-ID: <4835A454.1020606@zayoms.com>

Has anyone ever approached you to build a Debian or Ubuntu package? I'm a Debian developer (chewie at wookimus.net) working at an ISP/Managed Services company, and we have need for your version of the software. I'll be working on making a package for internal use and would like to contribute it.

Thanks,
Chad Walstrom
cwalstrom at zayoms.com
chewie at debian.org

From kissg at ssg.ki.iif.hu Fri May 23 04:45:24 2008
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Fri, 23 May 2008 06:45:24 +0200 (CEST)
Subject: [tac_plus] Re: Debian Package for tacacs+?
In-Reply-To: <4835A454.1020606@zayoms.com>
References: <4835A454.1020606@zayoms.com>

> Has anyone ever approached you to build a Debian or Ubuntu package? I'm

One of my colleagues did it.

Gabor

> a Debian developer (chewie at wookimus.net) working at an ISP/Managed
> Services company, and we have need for your version of the software.
> I'll be working on making a package for internal use and would like to
> contribute it.

From fabrizio.gerardi at eng.it Wed May 28 14:25:02 2008
From: fabrizio.gerardi at eng.it (Fabrizio Gerardi)
Date: Wed, 28 May 2008 16:25:02 +0200
Subject: [tac_plus] before/after authorization scripts
Message-ID: <20080528162502.b12d737dw0scsow0@webmail.eng.it>

Dear sir,

I really appreciate your tacacs+ daemon. I currently use it to get a centralized method to cope with AAA.

Now I'm facing a really tricky issue I could not solve so far.
Basically I need to set a different privilege level depending on which device the user is trying to connect to. This is because we use devices from different brands, which of course have different numbers standing for "privilege level". As far as I know the current version of your daemon cannot do that by itself. Anyway, I read in the user guide about the possibility to call a before/after authorization script. So I prepared a script: after some checks on the device name it exits with exit code 2 and writes a line on standard output that is supposed to change the privilege level (i.e. echo "priv-lvl=15" in case of a Cisco device).

Well, this script just doesn't work. I tried several combinations without success. There is no documentation about the syntax to be used, nor could I find any examples.

Could you please give me a piece of advice?

Kind regards,
Fabrizio Gerardi

From dan.schmidt at uplinkdata.com Thu May 29 20:01:18 2008
From: dan.schmidt at uplinkdata.com (Dan Schmidt)
Date: Thu, 29 May 2008 14:01:18 -0600
Subject: [tac_plus] single connection
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC1BD6CE@che-exch-003.uplinkdata.com>

Has anybody ever seen this error with tac_plus? I only get it on some routers, and only when using single-connection.

    May 28 22:39:06: TPLUS: Error occurs in reading packet header, shutdown the single connection
    May 28 22:39:49: TPLUS: Error occurs in reading packet header, shutdown the single connection

From heas at shrubbery.net Thu May 29 21:03:31 2008
From: heas at shrubbery.net (john heasley)
Date: Thu, 29 May 2008 14:03:31 -0700
Subject: [tac_plus] Re: single connection
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BC1BD6CE@che-exch-003.uplinkdata.com>
References: <05CC562AFB5A9446A1BC3F66AD04A3BC1BD6CE@che-exch-003.uplinkdata.com>
Message-ID: <20080529210331.GE24141@shrubbery.net>

Thu, May 29, 2008 at 02:01:18PM -0600, Dan Schmidt:
> Has anybody ever seen this error with tac_plus?
> I only get it on some
> routers, and only when using single-connection
>
> May 28 22:39:06: TPLUS: Error occurs in reading packet header, shutdown
> the single connection
> May 28 22:39:49: TPLUS: Error occurs in reading packet header, shutdown
> the single connection

I'd guess that the server times out, or one side or the other gets confused (i.e. FSM error).

From heas at shrubbery.net Thu May 29 21:29:26 2008
From: heas at shrubbery.net (john heasley)
Date: Thu, 29 May 2008 14:29:26 -0700
Subject: [tac_plus] Re: before/after authorization scripts
In-Reply-To: <20080528162502.b12d737dw0scsow0@webmail.eng.it>
References: <20080528162502.b12d737dw0scsow0@webmail.eng.it>
Message-ID: <20080529212926.GH24141@shrubbery.net>

Wed, May 28, 2008 at 04:25:02PM +0200, Fabrizio Gerardi:
> Dear sir,
>
> I really appreciate your tacacs+ daemon.
> I currently use it to get a centralized method to cope with AAA
>
> Now I'm facing a really tricky issue I could not solve so far.
> Basically I need to set a different privilege level depending on which
> device the user is trying to connect. This because we use devices from
> different brands which of course have different numbers standing for
> "privilege level".
> As far as I know current version of your daemon cannot do that by itself.
> Anyway I read on the user guide about the possibility to call a
> before/after authorization script. So I prepared a script: after some
> checks on device name it exits with exit code 2 and writes a line on
> standard output that is supposed to change the privilege level. (i.e.
> echo "priv-lvl=15" in case of a Cisco device).
> Well, this script just doesn't work. I tried several combinations
> without success.
> There is no documentation about the syntax to be used nor could I find
> any examples.
I have not tried this myself, but expect it to work. Enable authorization debugging and examine the logs.

From dan.schmidt at uplinkdata.com Thu May 29 21:18:56 2008
From: dan.schmidt at uplinkdata.com (Dan Schmidt)
Date: Thu, 29 May 2008 15:18:56 -0600
Subject: [tac_plus] Re: before/after authorization scripts
In-Reply-To: <20080528162502.b12d737dw0scsow0@webmail.eng.it>
References: <20080528162502.b12d737dw0scsow0@webmail.eng.it>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC1BD6D7@che-exch-003.uplinkdata.com>

See, now here's another person who would like to have different levels of access depending on the device. Short answer is that you can't. Bitman was thinking about making a patch.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Fabrizio Gerardi
Sent: Wednesday, May 28, 2008 8:25 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] before/after authorization scripts

> Basically I need to set a different privilege level depending on which
> device the user is trying to connect. This because we use devices from
> different brands which of course have different numbers standing for
> "privilege level".

From john at sackheads.org Fri May 30 16:06:12 2008
From: john at sackheads.org (John Payne)
Date: Fri, 30 May 2008 12:06:12 -0400
Subject: [tac_plus] Cisco VPN 3000
Message-ID: <9C976A0C-FD86-43DD-939F-A0CAF4D844B6@sackheads.org>

I'm getting the feeling I'm the only one using the NAC_address (connect_origin) field regularly, as neither Juniper nor Force10 populate it :(

Anyhoo. With the VPN 3000, I'm noticing that identity->NAC_address is getting 3 extra characters appended. I suspect it's because rem_addr_len is off by 3, but as it hasn't otherwise affected operation, I'm not sure if this is a potential crash waiting to happen.

As I know that all my devices that do send connect_origin are going to be IP addresses, I think I can work around this.... but it does draw my attention to the lack of data validation in do_start(), for example:

    identity.NAC_address = tac_make_string(p, (int)start->rem_addr_len);
    p += start->rem_addr_len;
    ...
    bcopy(p, authen_data.client_data, start->data_len);

If rem_addr_len is wrong, isn't it possible for client_data to now contain data from uninitialized memory (past the "end" of pak)?

From dan.schmidt at uplinkdata.com Thu May 29 21:32:18 2008
From: dan.schmidt at uplinkdata.com (Dan Schmidt)
Date: Thu, 29 May 2008 15:32:18 -0600
Subject: [tac_plus] Re: single connection
In-Reply-To: <20080529210331.GE24141@shrubbery.net>
References: <05CC562AFB5A9446A1BC3F66AD04A3BC1BD6CE@che-exch-003.uplinkdata.com> <20080529210331.GE24141@shrubbery.net>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BC1BD6D8@che-exch-003.uplinkdata.com>

Thanks kindly for your reply.
The symptoms are that, if multiple sessions are opened one right after the other, exactly every other session fails to contact the tacacs server (defaults to local authentication), spitting out that debug message. Perhaps it is a bug on the 7600's, as the 6500's in that city are completely fine (and 3750's, etc.).

Single-connection was implemented in CiscoSecure Release 1.0.1. Is it fully supported in tac_plus?

Obviously, the workaround is to disable single connection, but that creates more connections to the tacacs server.

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Thursday, May 29, 2008 3:04 PM
To: Dan Schmidt
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] single connection

> I'd guess that the server times out, or one side or the other gets
> confused (i.e. FSM error).
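The do_start() excerpt John Payne quotes in his "Cisco VPN 3000" message above takes the per-field length bytes of the authentication START body at face value: it never compares their sum with the number of body bytes actually received, so an overstated rem_addr_len moves p beyond the packet before data_len bytes are copied out. The C below is an added example written for this archive, not tac_plus code and not anything from the thread: a START-body parser that first computes what the four length bytes claim and refuses the body unless that equals the length received, next to a builder that constructs a body whose rem_addr_len byte is overstated by 3, as in the VPN 3000 report. The field order (action, priv_lvl, authen_type, service, then user_len, port_len, rem_addr_len, data_len, then the four variable fields) is the TACACS+ START layout; the struct and function names and the sample values (b4ckup, tty2, 10.100.182.2, taken from Mike Richardson's log) are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define START_FIXED_LEN 8  /* action, priv_lvl, authen_type, service + 4 length bytes */

/* Parsed view of the decrypted body of an authentication START packet.
 * The 12-byte header has already been consumed; body_len is its length field.
 * Pointers alias the input buffer; nothing is copied. (Example types, not tac_plus's.) */
struct authen_start {
    uint8_t action, priv_lvl, authen_type, service;
    const uint8_t *user;     size_t user_len;
    const uint8_t *port;     size_t port_len;
    const uint8_t *rem_addr; size_t rem_addr_len;  /* the field tac_plus turns into NAC_address */
    const uint8_t *data;     size_t data_len;
};

/* Bytes the four 1-byte length fields claim. This is exactly how far an
 * unchecked walk (p += rem_addr_len; bcopy(p, ..., data_len)) would read,
 * whether or not those bytes were received. 0 if even the fixed part is short. */
size_t start_claimed_len(const uint8_t *body, size_t body_len)
{
    if (body == NULL || body_len < START_FIXED_LEN)
        return 0;
    return (size_t)START_FIXED_LEN + body[4] + body[5] + body[6] + body[7];
}

/* Hardened parser: 0 on success, -1 on any length mismatch. It never reads
 * past body + body_len because the check runs before any field is used. */
int parse_authen_start(const uint8_t *body, size_t body_len, struct authen_start *out)
{
    size_t need = start_claimed_len(body, body_len);
    const uint8_t *p;

    /* Strict equality: an overclaim (over-read) and an underclaim
     * (unaccounted trailing bytes) are both treated as malformed. */
    if (out == NULL || need == 0 || need != body_len)
        return -1;

    out->action = body[0];    out->priv_lvl = body[1];
    out->authen_type = body[2];  out->service = body[3];
    out->user_len = body[4];  out->port_len = body[5];
    out->rem_addr_len = body[6];  out->data_len = body[7];

    p = body + START_FIXED_LEN;
    out->user = p;      p += out->user_len;
    out->port = p;      p += out->port_len;
    out->rem_addr = p;  p += out->rem_addr_len;
    out->data = p;      p += out->data_len;
    return p == body + body_len ? 0 : -1;  /* restates the invariant; cannot fail here */
}

/* Constructed test input. rem_addr_len_fudge is added to the rem_addr length
 * byte only, imitating a NAS that overstates it while sending strlen() bytes.
 * Returns bytes written, 0 if the body does not fit or a field exceeds 255. */
size_t build_start_body(uint8_t *buf, size_t cap, const char *user, const char *port,
                        const char *rem_addr, const char *data, int rem_addr_len_fudge)
{
    size_t ul = strlen(user), pl = strlen(port), rl = strlen(rem_addr), dl = strlen(data);
    size_t total = START_FIXED_LEN + ul + pl + rl + dl;
    int claimed = (int)rl + rem_addr_len_fudge;

    if (total > cap || ul > 255 || pl > 255 || dl > 255 || claimed < 0 || claimed > 255)
        return 0;
    buf[0] = 0x01;  /* TAC_PLUS_AUTHEN_LOGIN */
    buf[1] = 0x01;  /* priv_lvl */
    buf[2] = 0x01;  /* TAC_PLUS_AUTHEN_TYPE_ASCII */
    buf[3] = 0x01;  /* TAC_PLUS_AUTHEN_SVC_LOGIN */
    buf[4] = (uint8_t)ul;  buf[5] = (uint8_t)pl;
    buf[6] = (uint8_t)claimed;  buf[7] = (uint8_t)dl;
    memcpy(buf + START_FIXED_LEN, user, ul);
    memcpy(buf + START_FIXED_LEN + ul, port, pl);
    memcpy(buf + START_FIXED_LEN + ul + pl, rem_addr, rl);
    memcpy(buf + START_FIXED_LEN + ul + pl + rl, data, dl);
    return total;
}

int main(void)
{
    uint8_t buf[256];
    struct authen_start s;
    size_t n = build_start_body(buf, sizeof buf, "b4ckup", "tty2", "10.100.182.2", "", 0);

    printf("well-formed: rc=%d rem_addr_len=%zu\n", parse_authen_start(buf, n, &s), s.rem_addr_len);
    n = build_start_body(buf, sizeof buf, "b4ckup", "tty2", "10.100.182.2", "", 3);
    printf("rem_addr_len+3: claims %zu of %zu bytes, rc=%d\n",
           start_claimed_len(buf, n), n, parse_authen_start(buf, n, &s));
    return 0;
}
```

In the daemon the equivalent check belongs at the point where the decrypted body length from the header is known, before the first tac_make_string() and before the bcopy() into client_data, so a bad length from the NAS is rejected as a malformed packet rather than silently read past the buffer. Strict equality also catches the underclaim case, where trailing bytes would otherwise be ignored.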