[one-users] x509 Auth Failing after 24 hours

Anthony Tiradani tiradani at fnal.gov
Mon Dec 19 07:32:56 PST 2011


Hi,

So are you telling me that version 3.1 == version 3.2?  If so, can you
please point me to the page that explains the version numbering system? 
Once you gave me the hint that I was actually using version 3.2 (not
version 3.1, which is what I thought I downloaded), I finally found the
links to the 3.2 documentation.

Thanks,

Anthony Tiradani
tiradani at fnal.gov
+1 630 840 4479


On 12/16/2011 04:39 PM, Ruben S. Montero wrote:
> Hi
>
> This error
>
> Fri Dec 16 15:26:40 2011 [AuM][E]: Auth Error: Certificate subject
> missmatch
>
> Usually means that the DN registered in the OpenNebula db (i.e. the
> password of the user) is different from that used to generate the
> token. Have you created the user as explained in [1]?
>
> [1] http://www.opennebula.org/documentation:rel3.2:x509_auth
>
> Cheers
>
> Ruben
>
> PS: You are using a devel version, the documentation for that release
> is in http://www.opennebula.org/documentation:rel3.2.
>
> On Fri, Dec 16, 2011 at 11:18 PM, Anthony Tiradani <tiradani at fnal.gov> wrote:
>
>     ok, I am getting somewhere I think...  (version  OpenNebula 3.1.0
>     - taken from the oned.log)
>
>     So the first problem was that AUTH_DRIVER was set to core.  Once I
>     manually updated it to x509, I started seeing actual error
>     messages in the oned.log.
>
>     Fri Dec 16 15:26:40 2011 [ReM][D]: HostPoolInfo method invoked
>     Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: LOG I 1
>     Command execution fail:
>     /var/lib/one/remotes/auth/x509/authenticate oneadmin <encrypted
>     password> <encrypted proxy>
>
>     Fri Dec 16 15:26:40 2011 [AuM][I]: Command execution fail:
>     /var/lib/one/remotes/auth/x509/authenticate oneadmin <encrypted
>     password> <encrypted proxy>
>     Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: LOG E 1
>     Certificate subject missmatch
>
>     Fri Dec 16 15:26:40 2011 [AuM][I]: Certificate subject missmatch
>     Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: LOG I 1
>     ExitCode: 255
>
>     Fri Dec 16 15:26:40 2011 [AuM][I]: ExitCode: 255
>     Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: AUTHENTICATE
>     FAILURE 1 Certificate subject missmatch
>
>     Fri Dec 16 15:26:40 2011 [AuM][E]: Auth Error: Certificate subject
>     missmatch
>     Fri Dec 16 15:26:40 2011 [ReM][E]: [HostPoolInfo] User couldn't be
>     authenticated, aborting call.
>
>     So from what I can tell, the dn is encrypted then base64 encoded
>     prior to insertion into the database.  The problem is that there
>     does not seem to be a corresponding decode/decrypt operation prior
>     to passing the password to the authenticate script.
>
>     The docs suggest that there should be a --plain option for the
>     password that can be used with the DNs however that seems to have
>     been removed from the oneuser utility.
>
>     Any suggestions on how to proceed?
>
>
>     Thanks,
>
>     Anthony Tiradani
>     tiradani at fnal.gov
>     +1 630 840 4479
>
>
>     On 12/16/2011 12:39 PM, Anthony Tiradani wrote:
>>     Quick question:  I have my oneadmin user setup for x509
>>     authentication... at least I thought I did.  When I query the one.db
>>     database, I see:
>>
>>     0|oneadmin|<USER><ID>0</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>oneadmin</NAME><PASSWORD>Hash/Encrypted
>>     Value Goes
>>     Here</PASSWORD><AUTH_DRIVER>core</AUTH_DRIVER><ENABLED>1</ENABLED><TEMPLATE></TEMPLATE></USER>
>>
>>     If I have it setup for x509, why do I see "core" as my AUTH_DRIVER? 
>>     Also, what is in the password field?  Is that the encrypted DN or
>>     something else?
>>
>>     Thanks,
>>
>>     Anthony Tiradani
>>     tiradani at fnal.gov
>>     +1 630 840 4479
>>
>>
>>     On 12/16/2011 11:53 AM, Daniel Molina wrote:
>>>     Hi,
>>>
>>>     On 16 December 2011 05:01, Anthony Tiradani <tiradani at fnal.gov> wrote:
>>>>     I should also mention that this is an OpenNebula 3.1 installation (via the
>>>>     rpm) on Scientific Linux 6.1.  I have the DEBUG setting set to 3 which
>>>>     according to the comments in oned.conf should be the most verbose.
>>>>
>>>     The logs should show more information, something like:
>>>
>>>     Fri Dec 16 09:49:45 2011 [AuM][D]: Message received: AUTHENTICATE SUCCESS 1526 -
>>>
>>>     and in case of FAILURE it will contain information about it
>>>
>>>>     In trying to debug, I used the authenticate script in
>>>>     /var/lib/one/remotes/auth/x509 which imports and uses
>>>>     /usr/lib/one/ruby/x509_auth.rb.  If I take the token that is decrypted from
>>>>     the file /var/lib/one/.one/one_x509 I can perform openssl operations on it
>>>>     and verify it.  If I run the values through the authenticate script, I find
>>>>     that there is a problem parsing the CA chain.  When it calculates the hash
>>>>     value for the CA, it is dropping a leading 0 which makes the file path
>>>>     invalid.  Could this be the problem?
>>>     Would you mind trying with a symlink and checking if that fixes the problem?
>>>
>>>     Kind regards.
>>>
>>>>     Thanks,
>>>>
>>>>     Anthony Tiradani
>>>>     tiradani at fnal.gov
>>>>     +1 630 840 4479
>>>>
>>>>
>>>>     On 12/15/11 5:07 PM, Anthony Tiradani wrote:
>>>>
>>>>     This is the only message I get in oned.log:
>>>>
>>>>     Thu Dec 15 17:05:47 2011 [ReM][E]: [HostPoolInfo] User couldn't be
>>>>     authenticated, aborting call.
>>>>
>>>>     I am running onehost list when I see that error.
>>>>
>>>>     Anthony Tiradani
>>>>     tiradani at fnal.gov
>>>>     +1 630 840 4479
>>>>
>>>>
>>>>     On 12/15/2011 03:40 PM, Ruben S. Montero wrote:
>>>>
>>>>     Hi,
>>>>
>>>>     Could you send the messages in oned.log file? You should see there
>>>>     messages from the driver describing the error...
>>>>
>>>>     Cheers
>>>>
>>>>     Ruben
>>>>
>>>>     On Thu, Dec 15, 2011 at 5:31 PM, Anthony Tiradani <tiradani at fnal.gov> wrote:
>>>>
>>>>     Hi,
>>>>
>>>>     I am trying to setup OpenNebula with x509 authentication.  I am using
>>>>     sqlite as the DB back end for now.  I am following the documentation
>>>>     here: http://opennebula.org/documentation:rel3.0:x509_auth
>>>>
>>>>     I've configured everything correctly as far as I can tell.  I can
>>>>     successfully use x509 to login, but after 24 hours (no matter what I set
>>>>     the expire time to with the --time argument) I get error messages saying
>>>>     that the user couldn't be authenticated.
>>>>
>>>>     I've tried re-running the "oneuser login ..." command to no avail.  The
>>>>     only thing that works is if I delete one.db and restart OpenNebula.
>>>>     Then I can log in just fine, but all the configuration that I have done
>>>>     is lost.  What do I have to do to fix this?
>>>>
>>>>     Thanks,
>>>>
>>>>     --
>>>>     Anthony Tiradani
>>>>     tiradani at fnal.gov
>>>>     +1 630 840 4479
>>>>
>>>>
>>>>
>>>>     _______________________________________________
>>>>     Users mailing list
>>>>     Users at lists.opennebula.org
>>>>     http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>>
>>>>
>>>>
>>
>
>
>
>
>
> -- 
> Dr. Ruben Santiago Montero
> Associate Professor (Profesor Titular), Complutense University of Madrid
>
> URL: http://dsa-research.org/doku.php?id=people:ruben
> Weblog: http://blog.dsa-research.org/?author=7
>
>
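An added illustration of the CA-hash lookup Anthony describes in the quoted thread (this is example code, not code from the thread or from OpenNebula's x509_auth.rb): OpenSSL hash directories name each CA file by its 8-digit, zero-padded subject hash, so a lookup that formats the hash without padding misses every CA whose hash starts with 0. The DN, the directory and the sample hash values are constructed for the example.

```ruby
require 'openssl'

# OpenSSL-style CA file name: the 32-bit subject hash as eight zero-padded
# hex digits plus ".N" (N = 0 for the first CA with that hash), as produced
# by c_rehash and "openssl x509 -subject_hash".
def ca_file_name(subject_hash, suffix = 0)
  format('%08x.%d', subject_hash, suffix)
end

# Reproduction of the defect reported in the thread: "%x" drops leading
# zeros, so a hash beginning with 0 maps to a file name that does not exist.
def buggy_ca_file_name(subject_hash, suffix = 0)
  format('%x.%d', subject_hash, suffix)
end

# Look up the issuer of `cert` in a hash-named directory (the layout of
# /etc/grid-security/certificates). Returns the path, or nil if absent.
def find_ca_file(cert, ca_dir, padded: true)
  h = cert.issuer.hash # X509_NAME_hash of the issuer DN, as an Integer
  name = padded ? ca_file_name(h) : buggy_ca_file_name(h)
  path = File.join(ca_dir, name)
  File.exist?(path) ? path : nil
end

# Constructed self-signed CA used only for this demonstration (hypothetical DN).
def build_test_ca(dn = '/DC=org/DC=example/CN=Constructed Test CA')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse(dn)
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $0
  ca = build_test_ca
  puts "constructed CA hash file: #{ca_file_name(ca.subject.hash)}"
  # A constructed hash with a leading zero nibble shows the two formats diverge.
  puts "padded:   #{ca_file_name(0x0a1b2c3d)}"
  puts "unpadded: #{buggy_ca_file_name(0x0a1b2c3d)}"
end
```

Only issuers whose hash has a leading zero nibble (about one CA in sixteen) are affected, which is why the unpadded lookup can appear to work on one site and fail on another.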