[Linux-cluster] fence_ipmilan Faiing for 'Administrator' user

Digimer lists at alteeve.ca
Tue Feb 5 04:46:01 UTC 2013 

On 02/04/2013 10:12 PM, Zama Ques wrote:
> 
> 
> ------------------------------------------------------------------------
> *From:* Digimer <lists at alteeve.ca>
> *To:* Zama Ques <queszama at yahoo.in>; linux clustering
> <linux-cluster at redhat.com>
> *Sent:* Monday, 4 February 2013 6:23 PM
> *Subject:* Re: [Linux-cluster] fence_ipmilan Faiing for 'Administrator' user
> 
> On 02/04/2013 05:42 AM, Zama Ques wrote:
>> Hi All ,
>>
>> Need help in configuring IPMI_Lan as fencing device for my cluster . The
>> servers I am using are of make HP ProLiant
>>
>> Since fence_ipmilan internally uses ipmitool , I was trying to
>> understand the use of ipmitool . For that purpose , I initially created
>> a user named 'admin' using ipmitool.
>>
>> =====
>>
>> |# ipmitool user list 2
>> ID  Name            Callin  Link Auth  IPMI Msg  Channel Priv Limit
>> 1  Administrator    true    false      true      ADMINISTRATOR
>> 2  admin            true    false      true      USER
>> 3  (Empty User)    true    false      false      NO ACCESS
>> 4  (Empty User)    true    false      false      NO ACCESS
>> ______________________________
>>
>> ]# ipmitool channel getciphers ipmi 2
>> ID  IANA    Auth Alg        Integrity Alg  Confidentiality Alg
>> 0    N/A    none            none            none         
>> 1    N/A    hmac_sha1      none            none         
>> 2    N/A    hmac_sha1      hmac_sha1_96    none         
>> 3    N/A    hmac_sha1      hmac_sha1_96    aes_cbc_128 
>>
>> =====
>>
>> Using the 'admin' user , I am able to execute IPMI commands successfully.
>>
>> =====
>> ]#  ipmitool -I lanplus -H 192.168.2.153 -U admin -L USER chassis status
>> System Power        : on
>> Power Overload      : false
>> Power Interlock      : inactive
>> Main Power Fault    : false
>> ......
>> ......
>> -----------------------
>> ]# fence_ipmilan -L USER -a 192.168.2.153 -P lanplus  -l admin -p
> xxxxxxx -T 4  -o status -v
>> Getting status of IPMI:192.168.2.153...Spawning: '/usr/bin/ipmitool -I
> lanplus -H '192.168.2.153' -U 'ssdg' -L 'USER' -P '[set]' -v chassis
> power status'...
>> Chassis power = On
>> Done
>> =======
>>
>>
>> But the same above commands fails if I use the 'Administrator' User.
>>
>> =====
>> #  ipmitool -I lanplus -H 192.168.2.153 -U Administrator -L
> ADMINISTRATOR chassis status
>> Password:
>> Error: Unable to establish IPMI v2 / RMCP+
>>  session
>> Error sending Chassis Status command
>>
>> #  ipmitool -I lanplus -H 192.168.2.153 -U Administrator  chassis status
>> Password:
>> Error: Unable to establish IPMI v2 / RMCP+ session
>> Error sending Chassis Status command
>> =======
>>
>> I am using the default password for 'Administrator' user ||which is 
> printed on a little cardboard card attached to the server
>>
>> Kindly guide where I went wrong ?
>>
>> Thanks in Advance
>> Zaman
>> |
> 
>> This appears to be a problem below fence_ipmilan.
> 
>> My first guess would be that something is lower-casing the "A". Can you
>> create a user "administrator" and if so, does that work? Have you tried
>> putting the user name in double-quotes (no idea if that would make a
>> difference)? ie: '... -U "Administrator" ...'?
> 
> Thanks Digimer for the reply.
> 
> Was able to verify that proper alphabet case is being used for
> 'Administrator' user.
> 
> ====
> # fence_ipmilan -L ADMINISTRATOR -a 192.168.2.153 -P lanplus  -l
> Administrator  -p "XXX" -T 4  -o status -v
> Getting status of IPMI:192.168.2.153...Spawning: '/usr/bin/ipmitool -I
> lanplus -H '192.168.2.153' -U 'Administrator' -L 'ADMINISTRATOR' -P
> '[set]' -v chassis power status'...
> Chassis power = Unknown
> Failed
> ====
> 
> Looks like it was not taking the default password for 'Administrator' user.
> 
> ====
> # ipmitool user test 1 20 XXX
> Set User Password command failed (user 1): Unknown (0x80)
> Failure: password incorrect
> # ipmitool user test 1 16 XXX
> Set User Password command failed (user 1): Unknown (0x80)
> Failure: password incorrect
> -----
> # ipmitool user test 2 16 xxxx
> Success
> # ipmitool user test 2 20 xxxx
> Success
> ====
> 
> Changed privilege for 'admin' user to ADMINISTRATOR so that it can
> perform fencing.
> 
> ====
> ]# ipmitool user list 2
> ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
> 1   Administrator    true    false      true       ADMINISTRATOR
> 2   admin             true    false      true       ADMINISTRATOR
> ====
> 
> Digimer , can you please let me know whether for performing fencing ,
> ADMINISTRATOR level privilege is needed or lower privilege levels can
> perform fencing ?
> 
> ===
>    1   Callback level
>    2   User level
>    3   Operator level
>    4   Administrator level
> ===
> Thanks
> Zaman

It probably depends on your hardware and it's implementation. I would
guess not though, given how ... dramatic a fence action is.

-- 
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without
access to education?

More information about the Linux-cluster mailing list