<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Daniel,<br>
<br>
Well we have some progress. We found this last night, I saw the bug
and I had actually tried your setting in the doc first then I
changed the setting back to what you currently have. <br>
<br>
Now here is the other interesting development.<br>
<br>
We are using x509 to authenticate across the board and our KCA
credentials work fine using command line and running one commands
from the shell. However, when we attempt to log into sunstone we
receive the following error:<br>
<br>
Wed Oct 19 13:11:20 2011 [AuM][I]: Command execution fail:
/var/lib/one/remotes/auth/server/authenticate lowe &lt;/SUBJECT of the certificate&gt; &lt;HUGE hash
string&gt;<br>
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: LOG E 617 login
token expired<br>
<br>
Wed Oct 19 13:11:20 2011 [AuM][I]: login token expired<br>
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: LOG I 617
ExitCode: 255<br>
<br>
Wed Oct 19 13:11:20 2011 [AuM][I]: ExitCode: 255<br>
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: AUTHENTICATE
FAILURE 617 login token expired<br>
<br>
Wed Oct 19 13:11:20 2011 [AuM][E]: Auth Error: login token expired<br>
Wed Oct 19 13:11:20 2011 [ReM][E]: [UserInfo] User couldn't be
authenticated, aborting call.<br>
Wed Oct 19 13:11:20 2011 [ReM][D]: UserPoolInfo method invoked<br>
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: LOG I 618
ExitCode: 0<br>
<br>
Now using our x509 DOE certificate we are allowed to get in. Now
the only difference I see is our KCA has a colon in it as opposed to
our DOE which does not. I recall hearing there were issues with
colons and parsing, is that still an issue in the general release?
If not, is there a fix that should be applied to our installation?<br>
<br>
<br>
On 10/20/11 5:20 AM, Daniel Molina wrote:
<blockquote
cite="mid:CAPvywewSFzk4+o8-c0n6pM=J99vQmr0-3SeaXvaGeE8tR=nE8w@mail.gmail.com"
type="cite"><br>
<br>
<div class="gmail_quote">On 19 October 2011 18:36, Faarooq Lowe <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:lowe@fnal.gov">lowe@fnal.gov</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="#FFFFFF" text="#000000">Ok, I ran it without
strace and I didn't notice anything in the sunstone.log but
I did finally see something in oned.log<br>
<br>
Here goes. <br>
<br>
oned.log <br>
<br>
Wed Oct 19 11:28:03 2011 [ReM][D]: UserInfo method invoked<br>
Wed Oct 19 11:28:03 2011 [AuM][D]: Message received:
AUTHENTICATE FAILURE 13950 Authentication protocol 'server'
not available<br>
<br>
Wed Oct 19 11:28:03 2011 [AuM][E]: Auth Error:
Authentication protocol 'server' not available<br>
Wed Oct 19 11:28:03 2011 [ReM][E]: [UserInfo] User couldn't
be authenticated, aborting call.</div>
</blockquote>
</div>
<br>
Ok, now the error is different. You have to add the server
authentication to the oned.conf AUTH_MAD section and restart
opennebula:
<div><br>
</div>
<div><span class="Apple-style-span" style="color: rgb(34, 34, 34);
font-family: arial, sans-serif; font-size: 13px;
background-color: rgb(255, 255, 255); ">AUTH_MAD = [<br>
executable = "one_auth_mad",</span></div>
<div><span class="Apple-style-span" style="color: rgb(34, 34, 34);
font-family: arial, sans-serif; font-size: 13px;
background-color: rgb(255, 255, 255); "> arguments =
"--authn x509, server"<br>
]</span></div>
<div><br>
</div>
<div>There was a bug in the x509 documentation, I have just fixed
it:</div>
<div>
<div><a moz-do-not-send="true"
href="http://www.opennebula.org/documentation:rel3.0:x509_auth?&#opennebula_configuration_for_using_x509_with_the_public_cloud_servers_and_sunstone">http://www.opennebula.org/documentation:rel3.0:x509_auth?&#opennebula_configuration_for_using_x509_with_the_public_cloud_servers_and_sunstone</a></div>
<div><br>
</div>
-- <br>
Daniel Molina<br>
Project Engineer<br>
OpenNebula - The Open Source Toolkit for Cloud Computing<br>
<a moz-do-not-send="true" href="http://www.OpenNebula.org"
target="_blank">www.OpenNebula.org</a> | @dmamolina<br>
</div>
</blockquote>
<br>
</body>
</html>