Hey Werner,

Thanks for the report, it appears there was a bug in FreeIPMI that would
have made the bug easier to understand.

According to your dump, 'set session privilege level' is reporting a
completion code of 0x80.  The "bad completion code" error message is
because it doesn't recognize the error code.  Looking deeper I have:

----
/* IPMI_CMD_SET_SESSION_PRIVILEGE_LEVEL */
#define IPMI_COMP_CODE_SET_SESSION_PRIVILEGE_LEVEL_REQUESTED_LEVEL_NOT_AVAILABLE_FOR_USER 0x81
#define IPMI_COMP_CODE_SET_SESSION_PRIVILEGE_LEVEL_REQUESTED_LEVEL_EXCEEDS_USER_PRIVILEGE_LIMIT 0x82
#define IPMI_COMP_CODE_SET_SESSION_PRIVILEGE_LEVEL_CANNOT_DISABLE_USER_LEVEL_AUTHENTICATION 0x83
----

So I don't have a macro for 0x80.  It ends up, this is in error.  I
off-by-oned each of the above macros.  They are supposed to be 0x80-0x82
instead of 0x81-0x83.

So I'll need to fix that.  I've pushed this into the
freeipmi-1-5-0-stable branch if you could try it out?  (github mirror
https://github.com/chu11/freeipmi-mirror).  Unfortunately, my systems
can't reproduce this error (likely b/c they are not implementing IPMI
security correctly).

But onto your error, so instead of "bad completion code" it should have
given you a cleaner error message of something like "privilege level
cannot be obtained".  I bet that the new firmware fixed this security
flaw, which is now leading to this problem.

It likely means that you are trying to connect to an IPMI user on the
system that has too low of a privilege level for what ipmi-sel requires.
ipmi-sel defaults to OPERATOR privilege so I bet the IPMI user has a max
privilege of USER.  So if you connect to a user with appropriate
privileges, it should work.

You may be able to get away with setting "--privilege-level=USER" on
ipmi-sel.  IIRC the OPERATOR privileges are needed for some more
advanced features, which you may not need/be using.

Al

On Wed, 2016-06-08 at 15:00 +0200, Werner Fischer wrote:
> Hi Al,
> 
> after an update of the IPMI firmware (from v3.15 to 3.40) on four
> systems with Supermicro X9DR7-LN4F mainboard, IPMI queries with ipmi-sel
> or ipmi-sensors via LAN fail with the following error:
> 
> ipmi_ctx_open_outofband_2_0: bad completion code 
> 
> We have already tried to upload the firmware again (without preserving
> configuration), but this did not help.
> 
> We are using this command (ipmi.cfg has username/password):
>         /usr/sbin/ipmi-sel -h [IP] --config-file /etc/ipmi/ipmi.cfg
>         --driver-type=LAN_2_0 --output-event-state --interpret-oem-data
>         --entity-sensor-names --sensor-types=all
> 
> We also executed the command with --debug. I've attached the output
> (partially, because I'm not sure whether there may be sensitive data in
> it as RAKP can be brute-force attacked).
> 
> Of course we could try to power down the servers and pull power
> cords, and test again. But as these are production systems I'd want to
> ask whether you have any idea or if there is a workaround.
> 
> PS: with firmware v3.15 we had no issues. I have tested the firmware
> 3.40 on another system with X9SCM-F, but I do not get any errors there.
> 
> Thanks for your help,
> best regards,
> Werner
> _______________________________________________
> Freeipmi-users mailing list
> Freeipmi-users@gnu.org
> https://lists.gnu.org/mailman/listinfo/freeipmi-users

-- 
Albert Chu
ch...@llnl.gov
Computer Scientist
High Performance Systems Division
Lawrence Livermore National Laboratory
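
An added example, not part of the original message and not FreeIPMI's code: it decodes the 'set session privilege level' completion code with the corrected 0x80-0x82 values and picks the lower privilege level to retry with, as the reply suggests for OPERATOR to USER. The short macro names, message strings for success and 0x82, and the helper `next_privilege_to_try` are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Command-specific completion codes for Set Session Privilege Level,
 * using the corrected values from the message above (0x80-0x82).
 * Short names are this example's own, not FreeIPMI's macros. */
#define CC_LEVEL_NOT_AVAILABLE_FOR_USER   0x80
#define CC_LEVEL_EXCEEDS_PRIVILEGE_LIMIT  0x81
#define CC_CANNOT_DISABLE_USER_LEVEL_AUTH 0x82

/* IPMI privilege level numbers. */
enum { PRIV_CALLBACK = 1, PRIV_USER = 2, PRIV_OPERATOR = 3, PRIV_ADMIN = 4 };

/* Map a completion code to a message; unrecognized codes fall through to
 * the generic text, which is what 0x80 hit before the macros were fixed. */
const char *set_priv_strerror(uint8_t cc)
{
    switch (cc) {
    case 0x00: return "success";
    case CC_LEVEL_NOT_AVAILABLE_FOR_USER:
    case CC_LEVEL_EXCEEDS_PRIVILEGE_LIMIT:
        return "privilege level cannot be obtained";
    case CC_CANNOT_DISABLE_USER_LEVEL_AUTH:
        return "cannot disable user level authentication";
    default:
        return "bad completion code";
    }
}

/* Hypothetical helper: given the level that was refused, return the next
 * lower level worth retrying (OPERATOR -> USER), or 0 when the failure is
 * not a privilege refusal or nothing lower than USER should be tried. */
int next_privilege_to_try(uint8_t cc, int requested)
{
    if (cc != CC_LEVEL_NOT_AVAILABLE_FOR_USER &&
        cc != CC_LEVEL_EXCEEDS_PRIVILEGE_LIMIT)
        return 0;
    return requested > PRIV_USER ? requested - 1 : 0;
}

int main(void)
{
    uint8_t cc = 0x80; /* constructed sample: the code seen in the dump */
    printf("0x%02x: %s, retry at level %d\n", cc,
           set_priv_strerror(cc), next_privilege_to_try(cc, PRIV_OPERATOR));
    return 0;
}
```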
