Re: [storage-discuss] ACL and microsoft initiator

Tue, 14 Nov 2006 09:12:02 -0800 

Sorry, I completely misread you email message.

Just so that we're clear I'd like to restate the steps to setup an ACL.

(1) Create an initiator object.

    iscsitadm create initiator -n <full_iqn_string> <friendly_name>

    So, in your case it would be something like:
iscsitadm create initiator -n iqn.1991-05.com.microsoft:issrv2 issrv2 

(2) Add the initiator object to each target.

    iscsitadm modify target -l <initiator> <target_name>

    In your case it would be:

    iscsitadm modify target -l issrv2 mydisk
At this point only issrv2 would see the target mydisk when using SendTargets as the discovery method. Now, that doesn't prevent another initiator from logging in to the target if it knows the full target iSCSI name. For that you'll need to add CHAP authentication. 

(3) set up the CHAP name and secret for the target.

    iscsitadm modify admin -H <chap username>
    iscsitadm modify admin -C

    With the -C option you'll be prompted to enter a password twice.
    This string must be between 12 and 16 characters. It also must
    be different from the the initiators CHAP secret.

(4) Add the CHAP information for the initiator object.

    iscsitadm modify initiator -H <chap username> issrv2
    iscsitadm modify initiator -C issrv2
At this point the target will require the unidirectional authentication. You'll need to setup the CHAP secret on the Windows hosts. I'm not sure how that's done so I can't help you there.
All of this doesn't answer you're original question though. As I stated I wanted to clearly outline what is required so that you could look at these steps and verify that you've done everything correctly. In particular, I'm wondering if step #1 was done right. It could have been a cut and paste error, but normally the output of 'iscsitadm list target -v' would display the friendly name for the initiator and not the full iSCSI name as you're original email would so. Could you send me the output of 'iscsitadm list initiator -v'? 

Thanks,
On Nov 14, 2006, at 7:47 AM, Garry Harper wrote:


Hi Rick,

Thanks for the quick response.

I am using ms initiator 2.1 (I think)
I am not seeing any dropouts, it works fine without setting the ACL, but 
obviously I don't want to leave it so anyone can connect to my lun.
I tried setting the acl to the node id of my initiator but it then just doesn't show up on my list of luns for that target in the ms initiator. 

I was wondering if the acl works with an alias and not the initiator
node id.

Regards
Garry
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 14 November 2006 14:40
To: Garry Harper
Cc: [email protected]
Subject: Re: [storage-discuss] ACL and microsoft initiator

I'm currently working this problem. When I did my original testing
with the Windows initiator (version 1.0) I didn't have any problems
and could connect just fine. With the latest initiator it repeatedly
drops the connection after sending a SCSI INQUIRY command with the
VPD bit set and requesting Page 0 information.

I've looked for log files on the Windows host and could not find any
which point out the problem. So, it'll mean looking at network traces
to see if I can determine what's wrong.

On Nov 14, 2006, at 6:01 AM, Garry Harper wrote:


Hi,

i have installed iscsi target on solaris x64 and presented luns to
the ms initiator.

i am now trying to secure the lus son no one else can see them

my initiators node name is iqn.1991-05.com.microsoft:issrv2

i run the comand:

iscsitadmin modify target --acl iqn.1991-05.com.microsoft:issrv2
mydisk
it returns ok

i run the comand:
iscsitadmin list target -v
it returns:
Target:  mydisk
iscsi Name iqn.1986-03.com.sun......etc
ACL List:
initiator:  iqn.1991-05.com.microsoft:issrv2
etc...

when i now try to connect from my windows server it doesnt show the
lun.

does the ACL use the alias rather than the node name?
if so how do i set the alias on the MSD iscsi initiator?

Regards
GArry


This message posted from opensolaris.org
_______________________________________________
storage-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/storage-discuss


----
[EMAIL PROTECTED]

A good friend will come and bail you out of jail...but, a true friend
will be sitting next to you saying, "Damn...that was fun!"





----
[EMAIL PROTECTED]
A good friend will come and bail you out of jail...but, a true friend will be sitting next to you saying, "Damn...that was fun!" 



_______________________________________________
storage-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/storage-discuss

Reply via email to