[one-users] x509 Auth Failing after 24 hours
Anthony Tiradani
tiradani at fnal.gov
Mon Dec 19 07:32:56 PST 2011
Hi,
So are you telling me that version 3.1 == version 3.2? If so, can you
please point me to the page that explains the version numbering system?
Once you gave me the hint that I was actually using version 3.2 (not
version 3.1, which is what I thought I downloaded), I finally found the
links to the 3.2 documentation.
Thanks,
Anthony Tiradani
tiradani at fnal.gov
+1 630 840 4479
On 12/16/2011 04:39 PM, Ruben S. Montero wrote:
> Hi
>
> This error
>
> Fri Dec 16 15:26:40 2011 [AuM][E]: Auth Error: Certificate subject
> missmatch
>
> Usually means that the DN registered in the OpenNebula db (i.e. the
> password of the user) is different from that used to generate the
> token. Have you created the user as explained in [1]?
>
> [1] http://www.opennebula.org/documentation:rel3.2:x509_auth
>
> Cheers
>
> Ruben
>
> PS: You are using a devel version, the documentation for that release
> is in http://www.opennebula.org/documentation:rel3.2.
>
> On Fri, Dec 16, 2011 at 11:18 PM, Anthony Tiradani <tiradani at fnal.gov> wrote:
>
> ok, I am getting somewhere I think... (version OpenNebula 3.1.0
> - taken from the oned.log)
>
> So the first problem was that AUTH_DRIVER was set to core. Once I
> manually updated it to x509, I started seeing actual error
> messages in the oned.log.
>
> Fri Dec 16 15:26:40 2011 [ReM][D]: HostPoolInfo method invoked
> Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: LOG I 1
> Command execution fail:
> /var/lib/one/remotes/auth/x509/authenticate oneadmin <encrypted
> password> <encrypted proxy>
>
> Fri Dec 16 15:26:40 2011 [AuM][I]: Command execution fail:
> /var/lib/one/remotes/auth/x509/authenticate oneadmin <encrypted
> password> <encrypted proxy>
> Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: LOG E 1
> Certificate subject missmatch
>
> Fri Dec 16 15:26:40 2011 [AuM][I]: Certificate subject missmatch
> Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: LOG I 1
> ExitCode: 255
>
> Fri Dec 16 15:26:40 2011 [AuM][I]: ExitCode: 255
> Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: AUTHENTICATE
> FAILURE 1 Certificate subject missmatch
>
> Fri Dec 16 15:26:40 2011 [AuM][E]: Auth Error: Certificate subject
> missmatch
> Fri Dec 16 15:26:40 2011 [ReM][E]: [HostPoolInfo] User couldn't be
> authenticated, aborting call.
>
> So from what I can tell, the dn is encrypted then base64 encoded
> prior to insertion into the database. The problem is that there
> does not seem to be a corresponding decode/decrypt operation prior
> to passing the password to the authenticate script.
>
> The docs suggest that there should be a --plain option for the
> password that can be used with the DNs however that seems to have
> been removed from the oneuser utility.
>
> Any suggestions on how to proceed?
>
>
> Thanks,
>
> Anthony Tiradani
> tiradani at fnal.gov
> +1 630 840 4479
>
>
> On 12/16/2011 12:39 PM, Anthony Tiradani wrote:
>> Quick question: I have my oneadmin user set up for x509
>> authentication... at least I thought I did. When I query the one.db
>> database, I see:
>>
>> 0|oneadmin|<USER><ID>0</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>oneadmin</NAME><PASSWORD>Hash/Encrypted
>> Value Goes
>> Here</PASSWORD><AUTH_DRIVER>core</AUTH_DRIVER><ENABLED>1</ENABLED><TEMPLATE></TEMPLATE></USER>
>>
>> If I have it set up for x509, why do I see "core" as my AUTH_DRIVER?
>> Also, what is in the password field? Is that the encrypted DN or
>> something else?
>>
>> Thanks,
>>
>> Anthony Tiradani
>> tiradani at fnal.gov
>> +1 630 840 4479
>>
>>
>> On 12/16/2011 11:53 AM, Daniel Molina wrote:
>>> Hi,
>>>
>>> On 16 December 2011 05:01, Anthony Tiradani <tiradani at fnal.gov> wrote:
>>>> I should also mention that this is an OpenNebula 3.1 installation (via the
>>>> rpm) on Scientific Linux 6.1. I have the DEBUG setting set to 3 which
>>>> according to the comments in oned.conf should be the most verbose.
>>>>
>>> The logs should show more information, something like:
>>>
>>> Fri Dec 16 09:49:45 2011 [AuM][D]: Message received: AUTHENTICATE SUCCESS 1526 -
>>>
>>> and in case of FAILURE it will contain information about it
>>>
>>>> In trying to debug, I used the authenticate script in
>>>> /var/lib/one/remotes/auth/x509 which imports and uses
>>>> /usr/lib/one/ruby/x509_auth.rb. If I take the token that is decrypted from
>>>> the file /var/lib/one/.one/one_x509 I can perform openssl operations on it
>>>> and verify it. If I run the values through the authenticate script, I find
>>>> that there is a problem parsing the CA chain. When it calculates the hash
>>>> value for the CA, it is dropping a leading 0 which makes the file path
>>>> invalid. Could this be the problem?
>>> Would you mind trying with a symlink and checking if that fixes the problem?
>>>
>>> Kind regards.
>>>
>>>> Thanks,
>>>>
>>>> Anthony Tiradani
>>>> tiradani at fnal.gov
>>>> +1 630 840 4479
>>>>
>>>>
>>>> On 12/15/11 5:07 PM, Anthony Tiradani wrote:
>>>>
>>>> This is the only message I get in oned.log:
>>>>
>>>> Thu Dec 15 17:05:47 2011 [ReM][E]: [HostPoolInfo] User couldn't be
>>>> authenticated, aborting call.
>>>>
>>>> I am running onehost list when I see that error.
>>>>
>>>> Anthony Tiradani
>>>> tiradani at fnal.gov
>>>> +1 630 840 4479
>>>>
>>>>
>>>> On 12/15/2011 03:40 PM, Ruben S. Montero wrote:
>>>>
>>>> Hi,
>>>>
>>>> Could you send the messages in oned.log file? You should see there
>>>> messages from the driver describing the error...
>>>>
>>>> Cheers
>>>>
>>>> Ruben
>>>>
>>>> On Thu, Dec 15, 2011 at 5:31 PM, Anthony Tiradani <tiradani at fnal.gov> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I am trying to set up OpenNebula with x509 authentication. I am using
>>>> sqlite as the DB back end for now. I am following the documentation
>>>> here: http://opennebula.org/documentation:rel3.0:x509_auth
>>>>
>>>> I've configured everything correctly as far as I can tell. I can
>>>> successfully use x509 to log in, but after 24 hours (no matter what I set
>>>> the expire time to with the --time argument) I get error messages saying
>>>> that the user couldn't be authenticated.
>>>>
>>>> I've tried re-running the "oneuser login ..." command to no avail. The
>>>> only thing that works is if I delete one.db and restart OpenNebula.
>>>> Then I can log in just fine, but all the configuration that I have done
>>>> is lost. What do I have to do to fix this?
>>>>
>>>> Thanks,
>>>>
>>>> --
>>>> Anthony Tiradani
>>>> tiradani at fnal.gov
>>>> +1 630 840 4479
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.opennebula.org
>>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>
>
>
>
>
> --
> Dr. Ruben Santiago Montero
> Associate Professor (Profesor Titular), Complutense University of Madrid
>
> URL: http://dsa-research.org/doku.php?id=people:ruben
> Weblog: http://blog.dsa-research.org/?author=7
>
>
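The CA-hash symptom Anthony describes (the computed hash losing a leading 0, so the CA file path in the hash directory no longer matches) can be reproduced with a few lines of Ruby. This is an added illustration, not code from OpenNebula's x509_auth.rb; the helper names, the one-CA-per-hash directory layout and the self-signed test CA are assumptions for the demonstration.

```ruby
require 'openssl'
require 'tmpdir'

# OpenSSL hash directories (c_rehash, "openssl x509 -hash") name each CA file
# as the 32-bit subject-name hash printed as 8 zero-padded hex digits plus ".N".
def hash_filename(name_hash)
  format('%08x.0', name_hash)
end

# Integer#to_s(16) drops leading zeros, so any hash below 0x10000000 yields a
# shorter name that never matches the file on disk (the symptom in the thread).
def hash_filename_unpadded(name_hash)
  "#{name_hash.to_s(16)}.0"
end

# Write a CA certificate into ca_dir under its correctly padded hash name.
# Assumes one CA per hash; real directories use .0, .1, ... for collisions.
def install_ca(ca_cert, ca_dir)
  path = File.join(ca_dir, hash_filename(ca_cert.subject.hash))
  File.write(path, ca_cert.to_pem)
  path
end

# Locate and verify the issuer of cert in ca_dir; nil if the file is absent
# or the certificate's signature does not check out against the CA key.
def find_issuer_cert(cert, ca_dir)
  path = File.join(ca_dir, hash_filename(cert.issuer.hash))
  return nil unless File.exist?(path)
  ca = OpenSSL::X509::Certificate.new(File.read(path))
  cert.verify(ca.public_key) ? ca : nil
end

# Constructed self-signed CA for the demonstration only (not a real CA).
def make_self_signed_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/C=US/O=Example Lab/CN=Example CA')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end
```

Comparing `hash_filename` and `hash_filename_unpadded` for a hash such as 0x00a1b2c3 shows the two names differ, which is exactly the case where the unpadded lookup fails while the padded one finds the CA.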