Errors after restore

Tom Cole

Jul 15, 2015, 1:04:59 PM
to priva...@googlegroups.com
Someone deleted my VM yesterday with my PI server, so I recreated it and restored the DB. Now I have 2 "errors":
1) Tokens already in DB fail with "wrong otp pin" even though no pin was used
2) Client IP is always 127.0.0.1

Server info below:

privacyIDEA configuration documentation
=======================================

* System: QTXSNPI01.atl.careerbuilder.com
* Date: 2015-07-15 13:03

PI.cfg
------

PI_HSM: **default**

PI_LOGFILE: **/var/log/privacyidea/privacyidea.log**

PI_AUDIT_KEY_PUBLIC: **/etc/privacyidea/public.pem**

PI_PEPPER: **6bLB1JquhkQTby48RRnyStl7**

PI_ENCFILE: **/etc/privacyidea/enckey**

For security reason we do not display the SQL URI, as it may contain the
database credentials.

PI_AUDIT_MODULE: **privacyidea.lib.auditmodules.sqlaudit**

PI_LOGLEVEL: **20**

PI_AUDIT_KEY_PRIVATE: **/etc/privacyidea/private.pem**

SUPERUSER_REALM: **['super']**

.. note:: The SUPERUSER_REALM is a list of defined realms where the users
   will have administrative rights when logging in to the web UI.

Local Admins
------------
In addition to the SUPERUSER_REALM there are local administrators stored in
the database. The following administrators are defined:

* **admin** <ad...@localhost.com>

System Base Configuration
-------------------------

__timestamp__: **2015-07-14 15:37:35.912288**

IncFailCountOnFalsePin: **True**

Resolver Configuration
----------------------
The following resolvers are defined. Resolvers are connections to user stores.
To learn more about resolvers read [#resolvers]_.

cbatl-ldap
~~~~~~~~~~~~~~~~~~
* Name of the resolver: cbatl-ldap
* Type of the resolver: ldapresolver

Configuration
.............

BINDDN: **cbatl\paldap**

AUTHTYPE: **NTLM**

LDAPFILTER: **(&(sAMAccountName=%s)(objectClass=person))**

LDAPBASE: **CN=Users,DC=atl,DC=careerbuilder,DC=com**

LDAPURI: **ldap://10.240.70.9**

LDAPSEARCHFILTER: **(sAMAccountName=*)(objectClass=person)**

UIDTYPE: **DN**

BINDPW: **Cb4netops!**

USERINFO: **{ "username": "sAMAccountName", "surname" : "sn", "givenname" : "givenName" }**

TIMEOUT: **5**

SIZELIMIT: **500**

NOREFERRALS: **1**

LOGINNAMEATTRIBUTE: **sAMAccountName**

Realm Configuration
-------------------
Several resolvers are grouped into realms.
To learn more about realms read [#realms]_.
The following realms have been defined from the resolvers:

cbatl
~~~~~~~~~~~~~~~
* Name of the realm: cbatl

**This is the default realm!**

Users in the default realm can authenticate without specifying the realm.
Users not in the default realm always need to specify the realm.

The following resolvers are configured in this realm:

* Name: cbatl-ldap
  Priority: None
  Type: ldapresolver

Policy Configuration
--------------------
Policies define the behaviour of privacyIDEA.
To learn more about policies read [#policies]_.

The following policies are defined in your system:

Web_Timeout
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[]**

client: **[]**

time: ****

action: **{u'logout_time': u'300'}**

scope: **webui**

Token_Defaults
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[u'cbatl']**

client: **[]**

time: ****

action: **{u'max_token_per_user': u'1', u'tokenlabel': u'<r>\\<u>'}**

scope: **enrollment**

Self_Service
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[u'cbatl']**

client: **[]**

time: ****

action: **{u'enrollTOTP': True, u'enable': True, u'resync': True, u'delete': True}**

scope: **user**

Machine Configuration
---------------------

**TODO**

Token Configuration
-------------------

**TODO**

CA Configuration
----------------

**TODO**

.. [#resolvers] http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.htm
.. [#realms] http://privacyidea.readthedocs.org/en/latest/configuration/realms.html
.. [#policies] http://privacyidea.readthedocs.org/en/latest/policies/index.h

Tom Cole

Jul 15, 2015, 1:20:23 PM
to priva...@googlegroups.com
Forgot to mention - New tokens work fine

Cornelius Kölbel

Jul 15, 2015, 1:30:16 PM
to priva...@googlegroups.com
If you reinstalled privacyIDEA and you restored the database then old
tokens will not work.

The old tokens in the database will only work with the encryption
key /etc/privacyidea/enckey. This is used

1. to encrypt OTP secrets, which are used to calculate the OTP values
2. to hash or encrypt OTP PINs, which may lead to "wrong pin".
3. to encrypt the LDAP bindpw.

Please reset the OTP PIN of a token and check again.
Resynchronize the token, as the counter in the token might be much bigger
than the counter in the database.

Regarding the Client IP:
Were you using FreeRADIUS, too?

Then the request would originate from localhost.

Kind regards
Cornelius

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Tom Cole

Jul 15, 2015, 1:37:06 PM
to Cornelius Kölbel, priva...@googlegroups.com
well crap - teaches me to not pay attention - thanks for the heads up. I will get the password changed. I will test the other options and see what happens.

Thanks


Tom Cole

Jul 15, 2015, 1:53:25 PM
to Cornelius Kölbel, priva...@googlegroups.com
Ok - since there are no OTP pins how do I reset them? We don't use pins.


Cornelius Kölbel

Jul 15, 2015, 3:48:52 PM
to priva...@googlegroups.com
Hi Tom,

you can either reset the PIN by setting an empty PIN or...

if you are not using PIN or password at all (only OTP value), then you
can define a policy:

scope: authentication
action: otppin=none

http://privacyidea.readthedocs.org/en/latest/policies/authentication.html#otppin

Then users will only authenticate with 123456.

Kind regards
Cornelius

Tom Cole

Jul 15, 2015, 4:14:50 PM
to priva...@googlegroups.com
Ok - that didn't work, but now I get this error:
DataError: (DataError) (1406, "Data too long for column 'info' at row 1") 'INSERT INTO pidea_audit (date, signature, action, success, serial, token_type, user, realm, administrator, action_detail, info, privacyidea_server, client, loglevel, clearance_level) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)' (datetime.datetime(2015, 7, 15, 16, 13, 5, 474569), '', 'POST /validate/check', 0, None, None, u'jomunoz.site', u'cbatl', None, '', u"'ascii' codec can't decode byte 0xdb in position 0: ordinal not in range(128)", '127.0.0.1', '127.0.0.1', None, None)

Tom Cole

Jul 15, 2015, 4:17:37 PM
to priva...@googlegroups.com
and even with the rule I am still getting wrong otp pin

No_OTPPIN
~~~~~~~~~~~~~~~~~

user: **[u'*']**

resolver: **[]**

active: **True**

adminrealm: **[]**

condition: **0**

realm: **[u'cbatl']**

client: **[]**

time: ****

action: **{u'otppin': u'none'}**

scope: **authentication**

Cornelius Kölbel

Jul 15, 2015, 4:20:40 PM
to priva...@googlegroups.com
When do you get the error?
Can you please look into the log file or send the logfile with the
entries leading to the database error?

The system is trying to write something into the info column.
This might be the result of a faulty decryption,
resulting in a non-ASCII character.

Anyway - if you really installed PI anew and just used the old database
without the enckey, then the old OTP data would be lost.

Kind regards
Cornelius

Tom Cole

Jul 15, 2015, 4:22:35 PM
to priva...@googlegroups.com
So my best option is to have everyone do a new token.

Tom Cole

Jul 15, 2015, 4:26:20 PM
to priva...@googlegroups.com
Here is the full error:

[2015-07-15 16:16:35,734][23371][140372868679424][INFO][privacyidea.lib.auditmodules.sqlaudit:130] using the connect string mysql://pi:hGaKJN_1ZgPJ@localhost/pi
[2015-07-15 16:16:35,756][23371][140372868679424][INFO][privacyidea.lib.user:186] user u'jomunoz.site' found in resolver u'cbatl-ldap'
[2015-07-15 16:16:35,756][23371][140372868679424][INFO][privacyidea.lib.user:187] userid resolved to 'CN=Johan Munoz,CN=Users,DC=atl,DC=careerbuilder,DC=com'
[2015-07-15 16:16:35,772][23371][140372868679424][INFO][privacyidea.lib.user:186] user u'jomunoz.site' found in resolver u'cbatl-ldap'
[2015-07-15 16:16:35,772][23371][140372868679424][INFO][privacyidea.lib.user:187] userid resolved to 'CN=Johan Munoz,CN=Users,DC=atl,DC=careerbuilder,DC=com'
[2015-07-15 16:16:35,788][23371][140372868679424][INFO][privacyidea.lib.user:186] user u'jomunoz.site' found in resolver u'cbatl-ldap'
[2015-07-15 16:16:35,788][23371][140372868679424][INFO][privacyidea.lib.user:187] userid resolved to 'CN=Johan Munoz,CN=Users,DC=atl,DC=careerbuilder,DC=com'
[2015-07-15 16:16:35,804][23371][140372868679424][INFO][privacyidea.lib.user:186] user u'jomunoz.site' found in resolver u'cbatl-ldap'
[2015-07-15 16:16:35,804][23371][140372868679424][INFO][privacyidea.lib.user:187] userid resolved to 'CN=Johan Munoz,CN=Users,DC=atl,DC=careerbuilder,DC=com'
[2015-07-15 16:16:35,883][23371][140372868679424][ERROR][privacyidea.app:1423] Exception on /validate/check [POST]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 85, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 87, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 87, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/decorators.py", line 67, in check_user_or_serial_in_request_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 87, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/validate.py", line 179, in check
    result, details = check_user_pass(user, password, options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 77, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 192, in auth_user_passthru
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 77, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 117, in auth_user_has_no_token
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 77, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 152, in auth_user_does_not_exist
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 1690, in check_user_pass
    options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 1747, in check_token_list
    options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokenclass.py", line 357, in authenticate
    otp_counter = self.check_otp(otpval, options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/totptoken.py", line 318, in check_otp
    symetric=True)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/HMAC.py", line 129, in checkOtp
    otpval = self.generate(c)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/HMAC.py", line 104, in generate
    hmac = self.hmac(counter=counter, key=key)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/HMAC.py", line 73, in hmac
    dig = str(self.secretObj.hmac_digest(data_input, self.hashfunc))
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/crypto.py", line 112, in hmac_digest
    self._setupKey_()
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/crypto.py", line 144, in _setupKey_
    akey = decrypt(self.val, self.iv)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/crypto.py", line 341, in decrypt
    ret = hsm.decrypt(input, iv, id)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/security/default.py", line 388, in decrypt
    eof = output.rfind(u"\x01\x02")
UnicodeDecodeError: 'ascii' codec can't decode byte 0xdb in position 0: ordinal not in range(128)
[2015-07-15 16:16:35,884][23371][140372868679424][ERROR][privacyidea.lib.auditmodules.sqlaudit:239] exception DataError('(DataError) (1406, "Data too long for column \'info\' at row 1")',)
[2015-07-15 16:16:35,885][23371][140372868679424][ERROR][privacyidea.lib.auditmodules.sqlaudit:240] DATA: {'info': u"'ascii' codec can't decode byte 0xdb in position 0: ordinal not in range(128)", 'realm': u'cbatl', 'success': False, 'privacyidea_server': '127.0.0.1', 'client_user_agent': None, 'client': '127.0.0.1', 'user': u'jomunoz.site', 'action_detail': '', 'action': 'POST /validate/check'}
[2015-07-15 16:16:35,885][23371][140372868679424][ERROR][privacyidea.lib.auditmodules.sqlaudit:241] Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/auditmodules/sqlaudit.py", line 231, in finalize_log
    self.session.commit()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 721, in commit
    self.transaction.commit()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 354, in commit
    self._prepare_impl()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 334, in _prepare_impl
    self.session.flush()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 1818, in flush
    self._flush(objects)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 1936, in _flush
    transaction.rollback(_capture_exception=True)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/util/langhelpers.py", line 58, in __exit__
    compat.reraise(exc_type, exc_value, exc_tb)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 1900, in _flush
    flush_context.execute()
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/unitofwork.py", line 372, in execute
    rec.execute(self)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/unitofwork.py", line 525, in execute
    uow
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/persistence.py", line 64, in save_obj
    table, insert)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/persistence.py", line 569, in _emit_insert_statements
    execute(statement, params)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 662, in execute
    params)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 761, in _execute_clauseelement
    compiled_sql, distilled_params
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 874, in _execute_context
    context)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1024, in _handle_dbapi_exception
    exc_info
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/util/compat.py", line 196, in raise_from_cause
    reraise(type(exception), exception, tb=exc_tb)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 867, in _execute_context
    context)
  File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/default.py", line 324, in do_execute
    cursor.execute(statement, parameters)
  File "/usr/lib/python2.7/dist-packages/MySQLdb/cursors.py", line 174, in execute
    self.errorhandler(self, exc, value)
  File "/usr/lib/python2.7/dist-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
    raise errorclass, errorvalue
DataError: (DataError) (1406, "Data too long for column 'info' at row 1") 'INSERT INTO pidea_audit (date, signature, action, success, serial, token_type, user, realm, administrator, action_detail, info, privacyidea_server, client, loglevel, clearance_level) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)' (datetime.datetime(2015, 7, 15, 16, 16, 35, 883625), '', 'POST /validate/check', 0, None, None, u'jomunoz.site', u'cbatl', None, '', u"'ascii' codec can't decode byte 0xdb in position 0: ordinal not in range(128)", '127.0.0.1', '127.0.0.1', None, None)

Cornelius Kölbel

Jul 15, 2015, 4:33:43 PM
to priva...@googlegroups.com
Hi Tom,

ahem. Well, the idea is that the database administrator is not able to
steal sensitive data. Or sensitive data can not be read if transmitted
over IP to the database without SSL.
So several pieces of data in the database are encrypted.

The encryption is performed using an encryption key in the simplest way
in the file specified in the pi.cfg with the key PI_ENCFILE.
(see
http://privacyidea.readthedocs.org/en/latest/installation/system/inifile.html)

So if you want to have a complete backup, you should at least backup the
enckey file once and the database every now and then.

Yes. If you just recovered the database, this database is...
...data garbage.

There might be a more elaborate chapter about backup and restore...

If you are running VMs the easiest way is to make a backup of the VM -
somewhere in the start. Later you can create snapshots/backups of the
database...

Kind regards
Cornelius

Cornelius Kölbel

Jul 15, 2015, 4:35:42 PM
to priva...@googlegroups.com
What kind of tokens did you enroll?

Smartphone App, SMS?
Using hardware tokens you could just import the seed file again.

Kind regards
Cornelius

Tom Cole

Jul 15, 2015, 4:38:13 PM
to priva...@googlegroups.com
Darn - and garbage day was Monday. Don't worry, this time I took a snapshot of the VM, just in case.

Cornelius Kölbel

Jul 15, 2015, 4:41:07 PM
to priva...@googlegroups.com
See inline comments
The OTP value is about to be calculated by the server.

  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/HMAC.py", line 129, in checkOtp
    otpval = self.generate(c)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/HMAC.py", line 104, in generate
    hmac = self.hmac(counter=counter, key=key)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/HMAC.py", line 73, in hmac
    dig = str(self.secretObj.hmac_digest(data_input, self.hashfunc))
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/crypto.py", line 112, in hmac_digest
    self._setupKey_()
It reads the encrypted key from the database
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/crypto.py", line 144, in _setupKey_
    akey = decrypt(self.val, self.iv)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 125, in log_wrapper
    f_result = func(*args, **kwds)
and tries to decrypt it, to use it to calculate the HOTP

  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/crypto.py", line 341, in decrypt
    ret = hsm.decrypt(input, iv, id)
...and fails to decrypt, a.k.a. only gets garbage from the decryption
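The inline walk-through above can be reproduced with a small stand-alone script. This is an added example, not privacyIDEA's code and not from the thread: it uses the RFC 4226 test seed, constructed enckey and IV values, and an HMAC-SHA256 keystream as a stdlib-only stand-in (an assumption) for the AES encryption privacyIDEA performs with the enckey file; it also assumes the seed is stored as ASCII hex before encryption, which is why a wrong key surfaces as a UnicodeDecodeError instead of a clean OTP mismatch.

```python
import binascii
import hashlib
import hmac
import struct

# Constructed demo values (not real keys): the enckey the tokens were
# enrolled under, and the different enckey a fresh install generated.
ENCKEY_ORIGINAL = b"original-enckey-from-the-deleted-vm"
ENCKEY_REINSTALLED = b"enckey-generated-by-the-new-install"
IV = b"\x00" * 16                 # privacyIDEA uses a random IV per value; fixed here
SEED = b"12345678901234567890"    # RFC 4226 test seed, hex-encoded before storage


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def keystream(enckey, iv, length):
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in (assumption)
    for the AES encryption privacyIDEA performs with the enckey file."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enckey, iv + struct.pack(">I", block),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def enc_decrypt(data, enckey, iv):
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(enckey, iv, len(data))))


# What the restored database row holds: the hex seed encrypted under the OLD key.
STORED_OTPKEY = enc_decrypt(binascii.hexlify(SEED), ENCKEY_ORIGINAL, IV)


def server_check_otp(stored, iv, enckey, counter, otp):
    """Mirror of /validate/check: decrypt the stored secret with the
    server's current enckey, then compare HOTP values. Returns (ok, why)."""
    recovered = enc_decrypt(stored, enckey, iv)
    try:
        seed = binascii.unhexlify(recovered.decode("ascii"))
    except (UnicodeDecodeError, binascii.Error) as exc:
        # Wrong enckey: decryption yields garbage bytes, not ASCII hex.
        return False, "decrypt garbage: %s" % exc
    if hotp(seed, counter) == otp:
        return True, "ok"
    return False, "wrong otp pin"


def restore_check(enckey, counter=0):
    """Sanity check after a restore: does the server, with the enckey it
    has now, validate a known-good OTP for a token from the old database?"""
    return server_check_otp(STORED_OTPKEY, IV, enckey, counter, hotp(SEED, counter))


if __name__ == "__main__":
    print("original enckey   :", restore_check(ENCKEY_ORIGINAL))
    print("reinstalled enckey:", restore_check(ENCKEY_REINSTALLED))
```

Running `restore_check` against one stored token right after a restore tells you whether the enckey matches the database before any user sees "wrong otp pin".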

Cornelius Kölbel

Jul 15, 2015, 4:47:48 PM
to priva...@googlegroups.com
Hm. But don't let Larry also delete the VM together with the snapshot!