[one-users] Sunstone issue

Faarooq Lowe lowe at fnal.gov
Thu Oct 20 08:48:05 PDT 2011


Hi Daniel,

Well, we have some progress.  We found this last night; I saw the bug, and 
I had actually tried your setting in the doc first, then I changed the 
setting back to what you currently have.

Now here is the other interesting development.

We are using x509 to authenticate across the board, and our KCA 
credentials work fine using the command line and running one commands from 
the shell.  However, when we attempt to log into Sunstone, we receive the 
following error:

Wed Oct 19 13:11:20 2011 [AuM][I]: Command execution fail: /var/lib/one/remotes/auth/server/authenticate lowe </SUBJECT of the certificate> <HUGE hash string>
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: LOG E 617 login token expired

Wed Oct 19 13:11:20 2011 [AuM][I]: login token expired
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: LOG I 617 ExitCode: 255

Wed Oct 19 13:11:20 2011 [AuM][I]: ExitCode: 255
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: AUTHENTICATE FAILURE 617 login token expired

Wed Oct 19 13:11:20 2011 [AuM][E]: Auth Error: login token expired
Wed Oct 19 13:11:20 2011 [ReM][E]: [UserInfo] User couldn't be authenticated, aborting call.
Wed Oct 19 13:11:20 2011 [ReM][D]: UserPoolInfo method invoked
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: LOG I 618 ExitCode: 0

Now using our x509 DOE certificate we are allowed to get in.  Now the 
only difference I see is our KCA has a colon in it as opposed to our DOE 
which does not.  I recall hearing there were issues with colons and 
parsing, is that still an issue in the general release?  If not, is 
there a fix that should be applied to our installation?


On 10/20/11 5:20 AM, Daniel Molina wrote:
>
>
> On 19 October 2011 18:36, Faarooq Lowe <lowe at fnal.gov> wrote:
>
>     Ok, I ran it without strace and I didn't notice anything in the
>     sunstone.log but I did finally see something in oned.log
>
>     Here goes.
>
>     oned.log
>
>     Wed Oct 19 11:28:03 2011 [ReM][D]: UserInfo method invoked
>     Wed Oct 19 11:28:03 2011 [AuM][D]: Message received: AUTHENTICATE
>     FAILURE 13950 Authentication protocol 'server' not available
>
>     Wed Oct 19 11:28:03 2011 [AuM][E]: Auth Error: Authentication
>     protocol 'server' not available
>     Wed Oct 19 11:28:03 2011 [ReM][E]: [UserInfo] User couldn't be
>     authenticated, aborting call.
>
>
> Ok, now the error is different. You have to add the server 
> authentication to the oned.conf AUTH_MAD section and restart opennebula:
>
> AUTH_MAD = [
>     executable = "one_auth_mad",
>     arguments = "--authn x509, server"
> ]
>
> There was a bug in the x509 documentation, I have just fixed it:
> http://www.opennebula.org/documentation:rel3.0:x509_auth?&#opennebula_configuration_for_using_x509_with_the_public_cloud_servers_and_sunstone
>
> -- 
> Daniel Molina
> Project Engineer
> OpenNebula - The Open Source Toolkit for Cloud Computing
> www.OpenNebula.org <http://www.OpenNebula.org> | @dmamolina
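
The two oned.log excerpts in this thread show different failure reasons ("Authentication protocol 'server' not available" and "login token expired") for what looks like the same symptom in Sunstone. The following is an added example, not part of the original messages or of OpenNebula's code, that groups `[AuM]` driver messages in this log layout by failure reason. It assumes the number after the status word is a per-request id, inferred from how the quoted lines group; the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the oned.log layout quoted in this thread, including
# the hard-wrapped continuation lines a mail client introduces.
SAMPLE_LOG = """\
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: LOG I 617 ExitCode: 255
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: AUTHENTICATE
FAILURE 617 login token expired
Wed Oct 19 13:11:20 2011 [ReM][E]: [UserInfo] User couldn't be
authenticated, aborting call.
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: LOG I 618 ExitCode: 0
Wed Oct 19 13:11:21 2011 [AuM][D]: Message received: AUTHENTICATE
FAILURE 619 Authentication protocol 'server' not available
"""

ENTRY = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \[(\w+)\]\[(\w)\]: (.*)$")
DRIVER = re.compile(r"^Message received: (AUTHENTICATE|LOG) (\S+) (\d+) ?(.*)$")

def entries(text):
    """Yield [timestamp, module, level, message], rejoining wrapped lines."""
    current = None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            if current:
                yield current
            current = list(m.groups())
        elif current and line.strip():
            current[3] += " " + line.strip()
    if current:
        yield current

def auth_requests(text):
    """Correlate [AuM] driver messages by the numeric id (assumed request id)."""
    reqs = defaultdict(lambda: {"result": None, "reason": None, "exit_code": None})
    for _ts, module, _level, msg in entries(text):
        m = DRIVER.match(msg) if module == "AuM" else None
        if m and m.group(1) == "AUTHENTICATE":
            reqs[m.group(3)].update(result=m.group(2), reason=m.group(4) or None)
        elif m and m.group(4).startswith("ExitCode:"):
            reqs[m.group(3)]["exit_code"] = int(m.group(4).split(":", 1)[1])
    return dict(reqs)

def failures_by_reason(text):
    """Map each failure reason to the request ids that reported it."""
    out = defaultdict(list)
    for req_id, req in auth_requests(text).items():
        if req["result"] == "FAILURE":
            out[req["reason"]].append(req_id)
    return dict(out)
```

Separating a missing-driver failure from a token-expiry failure this way distinguishes a configuration problem in the AUTH_MAD section from a problem with an individual credential.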
