[one-users] x509 Auth Failing after 24 hours

Ruben S. Montero rubensm at dacya.ucm.es
Fri Dec 16 14:39:25 PST 2011


Hi

This error

Fri Dec 16 15:26:40 2011 [AuM][E]: Auth Error: Certificate subject missmatch

Usually means that the DN registered in the OpenNebula db (i.e. the
password of the user) is different from that used to generate the token.
Have you created the user as explained in [1]?

[1] http://www.opennebula.org/documentation:rel3.2:x509_auth

Cheers

Ruben

PS: You are using a devel version, the documentation for that release is in
http://www.opennebula.org/documentation:rel3.2.

On Fri, Dec 16, 2011 at 11:18 PM, Anthony Tiradani <tiradani at fnal.gov> wrote:

> ok, I am getting somewhere I think...  (version  OpenNebula 3.1.0 - taken
> from the oned.log)
>
> So the first problem was that AUTH_DRIVER was set to core.  Once I manually
> updated it to x509, I started seeing actual error messages in the oned.log.
>
> Fri Dec 16 15:26:40 2011 [ReM][D]: HostPoolInfo method invoked
> Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: LOG I 1 Command
> execution fail: /var/lib/one/remotes/auth/x509/authenticate oneadmin
> <encrypted password> <encrypted proxy>
>
> Fri Dec 16 15:26:40 2011 [AuM][I]: Command execution fail:
> /var/lib/one/remotes/auth/x509/authenticate oneadmin <encrypted password>
> <encrypted proxy>
> Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: LOG E 1 Certificate
> subject missmatch
>
> Fri Dec 16 15:26:40 2011 [AuM][I]: Certificate subject missmatch
> Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: LOG I 1 ExitCode: 255
>
> Fri Dec 16 15:26:40 2011 [AuM][I]: ExitCode: 255
> Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: AUTHENTICATE FAILURE
> 1 Certificate subject missmatch
>
> Fri Dec 16 15:26:40 2011 [AuM][E]: Auth Error: Certificate subject
> missmatch
> Fri Dec 16 15:26:40 2011 [ReM][E]: [HostPoolInfo] User couldn't be
> authenticated, aborting call.
>
> So from what I can tell, the dn is encrypted then base64 encoded prior to
> insertion into the database.  The problem is that there does not seem to be
> a corresponding decode/decrypt operation prior to passing the password to
> the authenticate script.
>
> The docs suggest that there should be a --plain option for the password
> that can be used with the DNs however that seems to have been removed from
> the oneuser utility.
>
> Any suggestions on how to proceed?
>
>
> Thanks,
>
> Anthony Tiradani
> tiradani at fnal.gov
> +1 630 840 4479
>
>
> On 12/16/2011 12:39 PM, Anthony Tiradani wrote:
>
> Quick question:  I have my oneadmin user setup for x509
> authentication... at least I thought I did.  When I query the one.db
> database, I see:
>
> 0|oneadmin|<USER><ID>0</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>oneadmin</NAME><PASSWORD>Hash/Encrypted Value Goes Here</PASSWORD><AUTH_DRIVER>core</AUTH_DRIVER><ENABLED>1</ENABLED><TEMPLATE></TEMPLATE></USER>
>
> If I have it setup for x509, why do I see "core" as my AUTH_DRIVER?
> Also, what is in the password field?  Is that the encrypted DN or
> something else?
>
> Thanks,
>
> Anthony Tiradani
> tiradani at fnal.gov
> +1 630 840 4479
>
>
> On 12/16/2011 11:53 AM, Daniel Molina wrote:
>
> Hi,
>
> On 16 December 2011 05:01, Anthony Tiradani <tiradani at fnal.gov> wrote:
>
> I should also mention that this is an OpenNebula 3.1 installation (via the
> rpm) on Scientific Linux 6.1.  I have the DEBUG setting set to 3 which
> according to the comments in oned.conf should be the most verbose.
>
>
> The logs should show more information, something like:
>
> Fri Dec 16 09:49:45 2011 [AuM][D]: Message received: AUTHENTICATE SUCCESS 1526 -
>
> and in case of FAILURE it will contain information about it
>
>
> In trying to debug, I used the authenticate script in
> /var/lib/one/remotes/auth/x509 which imports and uses
> /usr/lib/one/ruby/x509_auth.rb.  If I take the token that is decrypted from
> the file /var/lib/one/.one/one_x509 I can perform openssl operations on it
> and verify it.  If I run the values through the authenticate script, I find
> that there is a problem parsing the CA chain.  When it calculates the hash
> value for the CA, it is dropping a leading 0 which makes the file path
> invalid.  Could this be the problem?
>
> Would you mind trying with a symlink and checking if that fixes the problem?
>
> Kind regards.
>
>
> Thanks,
>
> Anthony Tiradani
> tiradani at fnal.gov
> +1 630 840 4479
>
>
> On 12/15/11 5:07 PM, Anthony Tiradani wrote:
>
> This is the only message I get in oned.log:
>
> Thu Dec 15 17:05:47 2011 [ReM][E]: [HostPoolInfo] User couldn't be
> authenticated, aborting call.
>
> I am running onehost list when I see that error.
>
> Anthony Tiradani
> tiradani at fnal.gov
> +1 630 840 4479
>
>
> On 12/15/2011 03:40 PM, Ruben S. Montero wrote:
>
> Hi,
>
> Could you send the messages in oned.log file? You should see there
> messages from the driver describing the error...
>
> Cheers
>
> Ruben
>
> On Thu, Dec 15, 2011 at 5:31 PM, Anthony Tiradani <tiradani at fnal.gov> wrote:
>
> Hi,
>
> I am trying to setup OpenNebula with x509 authentication.  I am using
> sqlite as the DB back end for now.  I am following the documentation
> here: http://opennebula.org/documentation:rel3.0:x509_auth
>
> I've configured everything correctly as far as I can tell.  I can
> successfully use x509 to login, but after 24 hours (no matter what I set
> the expire time to with the --time argument) I get error messages saying
> that the user couldn't be authenticated.
>
> I've tried re-running the "oneuser login ..." command to no avail.  The
> only thing that works is if I delete one.db and restart OpenNebula.
> Then I can log in just fine, but all the configuration that I have done
> is lost.  What do I have to do to fix this?
>
> Thanks,
>
> --
> Anthony Tiradani
> tiradani at fnal.gov
> +1 630 840 4479
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
>
>
>


-- 
Dr. Ruben Santiago Montero
Associate Professor (Profesor Titular), Complutense University of Madrid

URL: http://dsa-research.org/doku.php?id=people:ruben
Weblog: http://blog.dsa-research.org/?author=7
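The thread above turns on two checks the x509 driver performs: locating the CA certificate under the hashed file name in the CA directory (where Anthony saw a leading zero being dropped) and comparing the registered DN with the certificate subject (Ruben's "Certificate subject missmatch" explanation). The Ruby below is an added illustration of both checks, not code from OpenNebula's x509_auth.rb; it assumes the CA directory uses OpenSSL's `<subject_hash>.0` naming and that the registered DN is the subject in OpenSSL one-line form, and the CA certificate it uses is constructed on the fly.

```ruby
require 'openssl'
require 'tmpdir'

# Throwaway self-signed CA (constructed input, not a real OpenNebula CA).
def make_self_signed_ca(subject)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Correct CA-dir file name: the 8-hex-digit form `openssl x509 -hash` prints.
def hash_filename(name_hash)
  format('%08x.0', name_hash)
end

# Buggy form: Integer#to_s(16) drops leading zeros, so a hash such as
# 0x0a1b2c3d yields "a1b2c3d.0" and the CA file is never found.
def hash_filename_unpadded(name_hash)
  "#{name_hash.to_s(16)}.0"
end

# Locate the issuer CA in ca_dir by hashed file name and check the signature.
# filename_fn lets the caller pick the padded or the unpadded naming scheme.
def verify_against_ca_dir(cert, ca_dir, filename_fn = method(:hash_filename))
  path = File.join(ca_dir, filename_fn.call(cert.issuer.hash))
  return false unless File.exist?(path)
  ca = OpenSSL::X509::Certificate.new(File.read(path))
  cert.verify(ca.public_key)
end

# Subject check in the spirit of the "Certificate subject missmatch" error:
# the DN registered for the user must equal the certificate's subject DN
# (assumed here to be compared in OpenSSL one-line form).
def subject_matches?(registered_dn, cert)
  cert.subject.to_s == registered_dn
end
```

Writing the CA into a temporary directory under `hash_filename(ca.subject.hash)` makes `verify_against_ca_dir` return true, while a hash with a leading zero named via `hash_filename_unpadded` is simply not found.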