Hi Daniel,
Well we have some progress. We found this last night, I saw the bug and
I had actually tried your setting in the doc first then I changed the
setting back to what you currently have.
Now here is the other interesting development.
We are using x509 to authenticate across the board and our KCA
credentials work fine using command line and running one commands from
the shell. However, when we attempt to log into sunstone we receive the
following error:
Wed Oct 19 13:11:20 2011 [AuM][I]: Command execution fail: /var/lib/one/remotes/auth/server/authenticate lowe </SUBJECT of the certificate> <HUGE hash string>
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: LOG E 617 login token expired
Wed Oct 19 13:11:20 2011 [AuM][I]: login token expired
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: LOG I 617 ExitCode: 255
Wed Oct 19 13:11:20 2011 [AuM][I]: ExitCode: 255
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: AUTHENTICATE FAILURE 617 login token expired
Wed Oct 19 13:11:20 2011 [AuM][E]: Auth Error: login token expired
Wed Oct 19 13:11:20 2011 [ReM][E]: [UserInfo] User couldn't be authenticated, aborting call.
Wed Oct 19 13:11:20 2011 [ReM][D]: UserPoolInfo method invoked
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: LOG I 618 ExitCode: 0
Now using our x509 DOE certificate we are allowed to get in. Now the
only difference I see is our KCA has a colon in it as opposed to our DOE
which does not. I recall hearing there were issues with colons and
parsing, is that still an issue in the general release? If not, is
there a fix that should be applied to our installation?
On 10/20/11 5:20 AM, Daniel Molina wrote:
On 19 October 2011 18:36, Faarooq Lowe <l...@fnal.gov> wrote:
Ok, I ran it without strace and I didn't notice anything in the
sunstone.log but I did finally see something in oned.log
Here goes.
oned.log
Wed Oct 19 11:28:03 2011 [ReM][D]: UserInfo method invoked
Wed Oct 19 11:28:03 2011 [AuM][D]: Message received: AUTHENTICATE FAILURE 13950 Authentication protocol 'server' not available
Wed Oct 19 11:28:03 2011 [AuM][E]: Auth Error: Authentication protocol 'server' not available
Wed Oct 19 11:28:03 2011 [ReM][E]: [UserInfo] User couldn't be authenticated, aborting call.
Ok, now the error is different. You have to add the server
authentication to the oned.conf AUTH_MAD section and restart opennebula:
AUTH_MAD = [
executable = "one_auth_mad",
arguments = "--authn x509, server"
]
There was a bug in the x509 documentation, I have just fixed it:
http://www.opennebula.org/documentation:rel3.0:x509_auth?&#opennebula_configuration_for_using_x509_with_the_public_cloud_servers_and_sunstone
--
Daniel Molina
Project Engineer
OpenNebula - The Open Source Toolkit for Cloud Computing
www.OpenNebula.org <http://www.OpenNebula.org> | @dmamolina
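
An added example, not part of the original thread and not OpenNebula code: a short Python triage script that correlates the auth-driver messages echoed by `[AuM]` in oned.log by request id, so a driver-configuration failure ("protocol 'server' not available") can be told apart from a token failure ("login token expired"). The sample lines are the ones quoted in this thread with the e-mail line wraps rejoined; the function names are hypothetical.

```python
import re

# Lines from the oned.log excerpts quoted in this thread, e-mail line wraps rejoined.
SAMPLE_LOG = """\
Wed Oct 19 11:28:03 2011 [ReM][D]: UserInfo method invoked
Wed Oct 19 11:28:03 2011 [AuM][D]: Message received: AUTHENTICATE FAILURE 13950 Authentication protocol 'server' not available
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: LOG E 617 login token expired
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: LOG I 617 ExitCode: 255
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: AUTHENTICATE FAILURE 617 login token expired
Wed Oct 19 13:11:20 2011 [AuM][D]: Message received: LOG I 618 ExitCode: 0
"""

# Only the auth manager's debug echo of driver messages is parsed.
LINE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \[AuM\]\[D\]: "
                  r"Message received: (?P<msg>.+)$")
AUTH = re.compile(r"^AUTHENTICATE (?P<result>\w+) (?P<id>\d+)\s*(?P<reason>.*)$")
EXIT = re.compile(r"^LOG \w (?P<id>\d+) ExitCode: (?P<code>\d+)$")


def summarize(log_text):
    """Return {request_id: record} for each auth-driver request in the log."""
    requests = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        auth, exit_ = AUTH.match(m["msg"]), EXIT.match(m["msg"])
        hit = auth or exit_
        if not hit:
            continue  # e.g. "LOG E <id> <text>", repeated in the AUTHENTICATE line
        rec = requests.setdefault(hit["id"], {
            "time": m["ts"], "result": None, "reason": None, "exit_code": None})
        if auth:
            rec["result"], rec["reason"] = auth["result"], auth["reason"] or None
        else:
            rec["exit_code"] = int(exit_["code"])
    return requests


def failures_by_reason(requests):
    """Group failed request ids by the reason the driver reported."""
    grouped = {}
    for rid, rec in requests.items():
        if rec["result"] == "FAILURE":
            grouped.setdefault(rec["reason"], []).append(rid)
    return grouped


if __name__ == "__main__":
    for reason, ids in failures_by_reason(summarize(SAMPLE_LOG)).items():
        print(f"{reason}: requests {', '.join(ids)}")
```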