[one-users] x509 Auth Failing after 24 hours
Anthony Tiradani
tiradani at fnal.gov
Fri Dec 16 14:18:36 PST 2011
ok, I am getting somewhere I think... (version OpenNebula 3.1.0 -
taken from the oned.log)
So the first problem was that AUTH_DRIVERwas set to core. Once I
manually updated it to x509, I started seeing actual error messages in
the oned.log.
Fri Dec 16 15:26:40 2011 [ReM][D]: HostPoolInfo method invoked
Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: LOG I 1 Command
execution fail: /var/lib/one/remotes/auth/x509/authenticate oneadmin
<encrypted password> <encrypted proxy>
Fri Dec 16 15:26:40 2011 [AuM][I]: Command execution fail:
/var/lib/one/remotes/auth/x509/authenticate oneadmin <encrypted
password> <encrypted proxy>
Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: LOG E 1 Certificate
subject missmatch
Fri Dec 16 15:26:40 2011 [AuM][I]: Certificate subject missmatch
Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: LOG I 1 ExitCode: 255
Fri Dec 16 15:26:40 2011 [AuM][I]: ExitCode: 255
Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: AUTHENTICATE
FAILURE 1 Certificate subject missmatch
Fri Dec 16 15:26:40 2011 [AuM][E]: Auth Error: Certificate subject missmatch
Fri Dec 16 15:26:40 2011 [ReM][E]: [HostPoolInfo] User couldn't be
authenticated, aborting call.
So from what I can tell, the dn is encrypted then base64 encoded prior
to insertion into the database. The problem is that there does not seem
to be a corresponding decode/decrypt operation prior to passing the
password to the authenticate script.
The docs suggest that there should be a --plain option for the password
that can be used with the DNs however that seems to have been removed
from the oneuser utility.
Any suggestions on how to proceed?
Thanks,
Anthony Tiradani
tiradani at fnal.gov
+1 630 840 4479
On 12/16/2011 12:39 PM, Anthony Tiradani wrote:
> Quick question: I have my oneadmin user setup for x509
> authentication... at least I thought I did. When I query the one.db
> database, I see:
>
> 0|oneadmin|<USER><ID>0</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>oneadmin</NAME><PASSWORD>Hash/Encrypted
> Value Goes
> Here</PASSWORD><AUTH_DRIVER>core</AUTH_DRIVER><ENABLED>1</ENABLED><TEMPLATE></TEMPLATE></USER>
>
> If I have it setup for x509, why do I see "core" as my AUTH_DRIVER?
> Also, what is in the password field? Is that the encrypted DN or
> something else?
>
> Thanks,
>
> Anthony Tiradani
> tiradani at fnal.gov
> +1 630 840 4479
>
>
> On 12/16/2011 11:53 AM, Daniel Molina wrote:
>> Hi,
>>
>> On 16 December 2011 05:01, Anthony Tiradani <tiradani at fnal.gov> wrote:
>>> I should also mention that this is an OpenNebula 3.1 installation (via the
>>> rpm) on Scientific Linux 6.1. I have the DEBUG setting set to 3 which
>>> according to the comments in oned.conf should be the most verbose.
>>>
>> The logs should show more information, something like:
>>
>> Fri Dec 16 09:49:45 2011 [AuM][D]: Message received: AUTHENTICATE SUCCESS 1526 -
>>
>> and in case of FAILURE it will contain information about it
>>
>>> In trying to debug, I used the authenticate script in
>>> /var/lib/one/remotes/auth/x509 which imports and uses
>>> /usr/lib/one/ruby/x509_auth.rb. If I take the token that is decrypted from
>>> the file /var/lib/one/.one/one_x509 I can perform openssl operations on it
>>> and verify it. If I run the values through the authenticate script, I find
>>> that there is a problem parsing the CA chain. When it calculates the hash
>>> value for the CA, it is dropping a leading 0 which makes the file path
>>> invalid. Could this be the problem?
>> Would yo mind to try with a symlink and check if that fixes the problem?
>>
>> Kind regards.
>>
>>> Thanks,
>>>
>>> Anthony Tiradani
>>> tiradani at fnal.gov
>>> +1 630 840 4479
>>>
>>>
>>> On 12/15/11 5:07 PM, Anthony Tiradani wrote:
>>>
>>> This is the only message I get in oned.log:
>>>
>>> Thu Dec 15 17:05:47 2011 [ReM][E]: [HostPoolInfo] User couldn't be
>>> authenticated, aborting call.
>>>
>>> I am running onehost list when I see that error.
>>>
>>> Anthony Tiradani
>>> tiradani at fnal.gov
>>> +1 630 840 4479
>>>
>>>
>>> On 12/15/2011 03:40 PM, Ruben S. Montero wrote:
>>>
>>> Hi,
>>>
>>> Could you send the messages in oned.log file? You should see there
>>> messages from the driver describing the error...
>>>
>>> Cheers
>>>
>>> Ruben
>>>
>>> On Thu, Dec 15, 2011 at 5:31 PM, Anthony Tiradani <tiradani at fnal.gov> wrote:
>>>
>>> Hi,
>>>
>>> I am trying to setup OpenNebula with x509 authentication. I am using
>>> sqlite as the DB back end for now. I am following the documentation
>>> here: http://opennebula.org/documentation:rel3.0:x509_auth
>>>
>>> I've configured everything correctly as far as I can tell. I can
>>> successfully use x509 to login, but after 24 hours (no matter what I set
>>> the expire time to with the --time argument) I get error messages saying
>>> that the user couldn't be authenticated.
>>>
>>> I've tried re-running the "oneuser login ..." command to no avail. The
>>> only thing that works is if I delete one.db and restart OpenNebula.
>>> Then I can log in just fine, but all the configuration that I have done
>>> is lost. What do I have to do to fix this?
>>>
>>> Thanks,
>>>
>>> --
>>> Anthony Tiradani
>>> tiradani at fnal.gov
>>> +1 630 840 4479
>>>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>>
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20111216/704e264b/attachment-0003.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4076 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20111216/704e264b/attachment-0003.bin>
More information about the Users
mailing list