core-iscsi <-> wasabi target, mutual login -> no go!

3 views
Skip to first unread message

Albert Pauw

unread,
Jun 19, 2006, 2:55:16 PM6/19/06
to Core-iSCSI
Core-iscsi seems to work fine, except the mutual login, which still
doesn't work.

Some of the login parts work, but when core-iscsi offers the following
value pairs:

CHAP_N=
CHAP_R=
CHAP_I=
CHAP_C=

(left the values out)

The login reponse from the target is 0x23 (out of resources), status:
Out of resources (0x302).

Albert

William Studenmund

unread,
Jun 19, 2006, 11:00:42 PM6/19/06
to Core-...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sounds like core-iscsi is trying to use mutual auth during no-name
discovery. That won't work, as all of the mutual CHAP info is tied to
specific nodes. Since there's no node, there's no info for mutual auth.

I thought there'd been a fix for core-iscsi for this?

Take care,

Bill
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEl2TgDJT2Egh26K0RAuQPAJ97j6gK8pukj5p7T9Nqy6EDcItChQCfSqIi
vIlEe0Ap92K46TzQZ2IqK5E=
=0TG+
-----END PGP SIGNATURE-----

Nicholas A. Bellinger

unread,
Jun 20, 2006, 2:21:32 AM6/20/06
to Core-...@googlegroups.com
Greetings gents,

Core-iSCSI needs one more element added to auth_conn_t.. A few minor
changes to core-iscsi-tools/src also..

I have a few other minor updates for core-iscsi-tools, let me know if
this works and will kick out v3.4..

Thanks!

--
Nicholas A. Bellinger <n...@kernel.org>

core-iscsi:

Index: iscsi_auth.h
===================================================================
--- iscsi_auth.h (revision 3910)
+++ iscsi_auth.h (working copy)
@@ -37,6 +37,7 @@
unsigned int auth_id;
int role;
int channel_id;
+ int discovery;
unsigned short int tpgt;
char initiatorname[MAX_INITIATORNAME];
void *auth_protocol;

core-iscsi-tools:

Index: core-iscsi/include/iscsi_auth.h
===================================================================
--- core-iscsi/include/iscsi_auth.h (revision 3175)
+++ core-iscsi/include/iscsi_auth.h (working copy)
@@ -37,6 +37,7 @@
unsigned int auth_id;
int role;
int channel_id;
+ int discovery;
unsigned short int tpgt;
char initiatorname[MAX_INITIATORNAME];
void *auth_protocol;
Index: core-iscsi/src/initiator_authd.c
===================================================================
--- core-iscsi/src/initiator_authd.c (revision 3175)
+++ core-iscsi/src/initiator_authd.c (working copy)
@@ -105,7 +105,7 @@
return;
}

-static auth_conn_t *get_auth_conn (unsigned int auth_id, unsigned int
sid, unsigned short cid)
+static auth_conn_t *get_auth_conn (unsigned int auth_id, unsigned int
sid, unsigned short cid, int session_type)
{
int i;

@@ -120,6 +120,7 @@
auth_table[i].auth_id = auth_id;
auth_table[i].sid = sid;
auth_table[i].cid = cid;
+ auth_table[i].discovery = session_type;
return(&auth_table[i]);
}
}
@@ -293,7 +294,7 @@
}

if (!(auth_conn = get_auth_conn(iscsi_auth.auth_id,
- iscsi_auth.sid, iscsi_auth.cid))) {
+ iscsi_auth.sid, iscsi_auth.cid,
iscsi_auth.session_type))) {
iscsi_auth.type[0] = '2';
goto out;
}
Index: core-iscsi/src/initiator_chap.c
===================================================================
--- core-iscsi/src/initiator_chap.c (revision 3175)
+++ core-iscsi/src/initiator_chap.c (working copy)
@@ -327,7 +327,7 @@

PRINT("[client] Sending CHAP_R=0x%s\n", response);

- if (!auth->authenticate_target) {
+ if (!auth->authenticate_target || auth->discovery) {
PRINT("\n");
return(0);

Albert Pauw

unread,
Jun 20, 2006, 3:06:34 AM6/20/06
to Core-iSCSI
Hi Nicholas,

I am at work right now (yeah, someone has to earn a living) but will
try your patch when I am back home.

Let you know what happens then,

thanks

Albert

Albert Pauw

unread,
Jun 20, 2006, 2:18:52 PM6/20/06
to Core-iSCSI
The patch didn't do the trick. I have send the ethereal trace
separately to Nicholas.

Albert

n...@kernel.org

unread,
Jun 20, 2006, 2:58:14 PM6/20/06
to Core-iSCSI
Hi Albert,

I just got a chance to test this myself and the patch is doing the
correct thing by only sending CHAP_N and CHAP_R in the final login
request of the SecurityNegotiation phase w/ T_BIT set during a
discovery session.

After looking at the logs you sent this morning, it appears that the
initiator is still sending the CHAP_I and CHAP_C during discovery. Can
you double check that both patches where applied to core-iscsi and
core-iscsi-tools?

Thanks,

--nab

Albert Pauw

unread,
Jun 20, 2006, 3:35:01 PM6/20/06
to Core-iSCSI
I have rechecked and the patches are in. No authentication works fine,
as well as initiator authentication, but the mutual part fails.

Can you see anything in the ethereal trace I send you?

Albert

Nicholas A. Bellinger

unread,
Jun 20, 2006, 3:44:00 PM6/20/06
to Core-...@googlegroups.com

Yes, I noticed that CHAP_N, CHAP_R, CHAP_I and CHAP_C are still getting
sent. I just tested this with the same patch applied and I am seeing
only CHAP_N and CHAP_R in the response.

Hmm, try adding a printf() in core-iscsi-tools and lets make sure the
discovery bit is getting sent down to initiator-authd:

Index: core-iscsi/src/initiator_chap.c
===================================================================
--- core-iscsi/src/initiator_chap.c (revision 3175)
+++ core-iscsi/src/initiator_chap.c (working copy)

@@ -327,7 +327,8 @@



PRINT("[client] Sending CHAP_R=0x%s\n", response);

- if (!auth->authenticate_target) {

+ printf("auth->discovery: %d\n", auth->discovery);


+ if (!auth->authenticate_target || auth->discovery) {
PRINT("\n");
return(0);
}

Also, feel free to compile initiator-authd in debug mode by enabling
DEBUG_CHAP=1 in core-iscsi-tools/core-iscsi/MCONFIG. You will also need
to modify /etc/init.d/initiator at line 97 to get output from
initiator-authd to goto stdin.

Thanks,

--
Nicholas A. Bellinger <n...@linux-mips.org>

Nicholas A. Bellinger

unread,
Jun 20, 2006, 3:48:15 PM6/20/06
to Core-...@googlegroups.com
A quick correction..

On Tue, 2006-06-20 at 12:44 -0700, Nicholas A. Bellinger wrote:
> On Tue, 2006-06-20 at 12:35 -0700, Albert Pauw wrote:
> > I have rechecked and the patches are in. No authentication works fine,
> > as well as initiator authentication, but the mutual part fails.
> >
> > Can you see anything in the ethereal trace I send you?
> >
>
> Yes, I noticed that CHAP_N, CHAP_R, CHAP_I and CHAP_C are still getting
> sent. I just tested this with the same patch applied and I am seeing
> only CHAP_N and CHAP_R in the response.

The last line should have been:

'I just tested this with the same patch applied and I am seeing only
CHAP_N and CHAP_R in the last request of the security negotiation
phase.'

Thanks!

Albert Pauw

unread,
Jun 20, 2006, 4:10:47 PM6/20/06
to Core-iSCSI
> Hmm, try adding a printf() in core-iscsi-tools and lets make sure the
> discovery bit is getting sent down to initiator-authd:

This is really weird, the printf message is never printed.

Would you mind sending me through e-mail your version of the tools and
core-iscsi, so I know I have exactly the same version.

Albert

Nicholas A. Bellinger

unread,
Jun 20, 2006, 4:11:46 PM6/20/06
to Core-...@googlegroups.com

This is with core-iscsi-v1.6.2.6 and core-iscsi-v3.3 with the previously
mentioned patch. Are you seeing any initiator-authd output when
core-iscsi-tools/core-iscsi/MCONFIG:DEBUG_CHAP = 1 is enabled?

Albert Pauw

unread,
Jun 20, 2006, 4:25:39 PM6/20/06
to Core-iSCSI
Nope,

nothing, sorry. I am using tools v3.3 and core-iscsi 1.6.2.6

Albert

Nicholas A. Bellinger

unread,
Jun 20, 2006, 4:23:02 PM6/20/06
to Core-...@googlegroups.com
On Tue, 2006-06-20 at 13:25 -0700, Albert Pauw wrote:
> Nope,
>
> nothing, sorry. I am using tools v3.3 and core-iscsi 1.6.2.6
>

Is the line in /etc/rc.d/init.d/initiator that dumps output from
initiator-authd to /dev/null disabled? You can also try starting up
stack as usual, killing initiator-authd manually, restarting
with /sbin/initiator-authd. At this point all output should be going to
stdout.

Nicholas A. Bellinger

unread,
Jun 20, 2006, 4:24:36 PM6/20/06
to Core-...@googlegroups.com
One more thing, initiator-authd is not running when 'make install' is
called from the patched core-iscsi-tools directory, yes?

Thanks,

--
Nicholas A. Bellinger <n...@linux-mips.org>

Albert Pauw

unread,
Jun 21, 2006, 1:54:41 AM6/21/06
to Core-iSCSI
No, forgot about that, maybe why I wouldn't see the printf.

My fault, sorry, I hope we can tackle this soon.

Let you know tonight.

Thanks,

Albert

Albert Pauw

unread,
Jun 21, 2006, 6:47:08 AM6/21/06
to Core-iSCSI
What I will do is remove core-iscsi-tools and core-iscsi and start from
scratch, insert the patch and see what happens.

Albert

Albert Pauw

unread,
Jun 21, 2006, 1:22:28 PM6/21/06
to Core-iSCSI
Ok, I managed to get more info, it still doesn't work with a new
install of the tools and initiator, but:

dmesg:

iSCSI: iscsi_can_queue = 128
iSCSI: iscsi_cmd_per_lun = 64
iSCSI: iscsi_sg_tablesize = 32
iSCSI Core Stack[1] - Spawned 4 thread set(s) (8 total threads).
iSCSI Core Stack[1] - Set iSCSI Node/Initiator Name to
iqn.2006-05.net.homeunix.pauw.orange
iCHANNEL[0]: Generated iSID: 0x80 a3 0d 49 00 00
iCHANNEL[0] - Setting max_sectors: 256
scsi1 : Core-iSCSI Initiator Stack v1.6.2.6 on Linux/i686
2.6.16-1.2133_FC5
iCHANNEL[0] - Allocated Linux SCSI Host with ID: 1
Received OK response from Core-iSCSI Authentication Daemon, continuing.
iscsi_handle_authetication:108: ***ERROR*** sock_recvmsg() returned 0
iscsi_initiator_do_authentication:454: ***ERROR*** Received unknown
error from Core-iSCSI Authentication Daemon.
iscsi_initiator_start_negotiation:754: ***ERROR*** iSCSI Login
negotiation failed.
iscsi_handle_authetication:108: ***ERROR*** sock_recvmsg() returned 0
iscsi_handle_authetication:108: ***ERROR*** sock_recvmsg() returned 0
iscsi_initiator_do_authentication:454: ***ERROR*** Received unknown
error from Core-iSCSI Authentication Daemon.
iscsi_initiator_start_negotiation:754: ***ERROR*** iSCSI Login
negotiation failed.
iscsi_handle_authetication:108: ***ERROR*** sock_recvmsg() returned 0
iscsi_handle_authetication:108: ***ERROR*** sock_recvmsg() returned 0
iscsi_initiator_do_authentication:454: ***ERROR*** Received unknown
error from Core-iSCSI Authentication Daemon.
iscsi_initiator_start_negotiation:754: ***ERROR*** iSCSI Login
negotiation failed.
iscsi_handle_authetication:108: ***ERROR*** sock_recvmsg() returned 0

and /var/log/messages:

Jun 21 19:18:55 orange kernel: iSCSI: iscsi_can_queue = 128
Jun 21 19:18:55 orange kernel: iSCSI: iscsi_cmd_per_lun = 64
Jun 21 19:18:55 orange kernel: iSCSI: iscsi_sg_tablesize = 32
Jun 21 19:18:55 orange kernel: iSCSI Core Stack[1] - Spawned 4 thread
set(s) (8 total threads).
Jun 21 19:18:56 orange kernel: iSCSI Core Stack[1] - Set iSCSI
Node/Initiator Name to iqn.2006-05.net.homeunix.pauw.orange
Jun 21 19:18:56 orange kernel: iCHANNEL[0]: Generated iSID: 0x80 a3 0d
49 00 00
Jun 21 19:18:56 orange kernel: iCHANNEL[0] - Setting max_sectors: 256
Jun 21 19:18:56 orange kernel: scsi1 : Core-iSCSI Initiator Stack
v1.6.2.6 on Linux/i686 2.6.16-1.2133_FC5
Jun 21 19:18:56 orange kernel: iCHANNEL[0] - Allocated Linux SCSI Host
with ID: 1
Jun 21 19:18:56 orange kernel: Received OK response from Core-iSCSI
Authentication Daemon, continuing.
Jun 21 19:19:21 orange kernel: iscsi_handle_authetication:108:
***ERROR*** sock_recvmsg() returned 0
Jun 21 19:19:21 orange kernel: iscsi_initiator_do_authentication:454:
***ERROR*** Received unknown error from Core-iSCSI Authentication
Daemon.
Jun 21 19:19:21 orange kernel: iscsi_initiator_start_negotiation:754:
***ERROR*** iSCSI Login negotiation failed.
Jun 21 19:19:21 orange kernel: iscsi_handle_authetication:108:
***ERROR*** sock_recvmsg() returned 0
Jun 21 19:19:48 orange kernel: iscsi_handle_authetication:108:
***ERROR*** sock_recvmsg() returned 0
Jun 21 19:19:48 orange kernel: iscsi_initiator_do_authentication:454:
***ERROR*** Received unknown error from Core-iSCSI Authentication
Daemon.
Jun 21 19:19:48 orange kernel: iscsi_initiator_start_negotiation:754:
***ERROR*** iSCSI Login negotiation failed.
Jun 21 19:19:48 orange kernel: iscsi_handle_authetication:108:
***ERROR*** sock_recvmsg() returned 0
Jun 21 19:20:15 orange kernel: iscsi_handle_authetication:108:
***ERROR*** sock_recvmsg() returned 0
Jun 21 19:20:15 orange kernel: iscsi_initiator_do_authentication:454:
***ERROR*** Received unknown error from Core-iSCSI Authentication
Daemon.
Jun 21 19:20:15 orange kernel: iscsi_initiator_start_negotiation:754:
***ERROR*** iSCSI Login negotiation failed.
Jun 21 19:20:15 orange kernel: iscsi_handle_authetication:108:
***ERROR*** sock_recvmsg() returned 0
Jun 21 19:20:42 orange kernel: iscsi_handle_authetication:108:
***ERROR*** sock_recvmsg() returned 0
Jun 21 19:20:42 orange kernel: iscsi_initiator_do_authentication:454:
***ERROR*** Received unknown error from Core-iSCSI Authentication
Daemon.
Jun 21 19:20:42 orange kernel: iscsi_initiator_start_negotiation:754:
***ERROR*** iSCSI Login negotiation failed.
Jun 21 19:20:42 orange kernel: iscsi_handle_authetication:108:
***ERROR*** sock_recvmsg() returned 0
Jun 21 19:21:09 orange kernel: iscsi_handle_authetication:108:
***ERROR*** sock_recvmsg() returned 0
Jun 21 19:21:09 orange kernel: iscsi_initiator_do_authentication:454:
***ERROR*** Received unknown error from Core-iSCSI Authentication
Daemon.
Jun 21 19:21:09 orange kernel: iscsi_initiator_start_negotiation:754:
***ERROR*** iSCSI Login negotiation failed.
Jun 21 19:21:09 orange kernel: iscsi_handle_authetication:108:
***ERROR*** sock_recvmsg() returned 0
Jun 21 19:21:09 orange kernel: iCHANNEL[0] - **ERROR** - Reached
maximum login attempts 5, aborting iSCSI login to 10.0.0.1:3260

And the relevant bits from the logfile of the target itself:

Jun 21 18:08:12 utarget_fsdisk Unable to perform mutual CHAP to
initiator iqn.2006-05.net.homeunix.pauw.orange for target (null) - no
password available
Jun 21 18:08:12 utarget_fsdisk Unable to perform mutual CHAP to
initiator iqn.2006-05.net.homeunix.pauw.orange for target (null) - no
password available
Jun 21 18:08:14 utarget_fsdisk Unable to perform mutual CHAP to
initiator iqn.2006-05.net.homeunix.pauw.orange for target (null) - no
password available
Jun 21 18:08:14 utarget_fsdisk Unable to perform mutual CHAP to
initiator iqn.2006-05.net.homeunix.pauw.orange for target (null) - no
password available
Jun 21 18:08:16 utarget_fsdisk Unable to perform mutual CHAP to
initiator iqn.2006-05.net.homeunix.pauw.orange for target (null) - no
password available
Jun 21 18:08:16 utarget_fsdisk Unable to perform mutual CHAP to
initiator iqn.2006-05.net.homeunix.pauw.orange for target (null) - no
password available
Jun 21 18:08:16 utarget_fsdisk Login errors generated too quickly on
this portal. Temporarily suspending logging.
Jun 21 18:08:16 utarget_fsdisk Login errors generated too quickly on
this portal. Temporarily suspending logging.

n...@kernel.org

unread,
Jun 22, 2006, 3:19:03 AM6/22/06
to Core-iSCSI
Greetings Albert,

When you have a chance please grab another capture, I will double check
if any other detection logic for mutual authentication discovery
session that need to be updated..

Thanks again for your debugging work!

Albert Pauw

unread,
Jun 22, 2006, 3:50:13 AM6/22/06
to Core-iSCSI
Just for the record, you want an ethereal trace?

Albert

n...@kernel.org

unread,
Jun 22, 2006, 3:55:56 AM6/22/06
to Core-iSCSI
An ethereal trace, as well as the output from initiator-authd if
possible.

--nab

Albert Pauw

unread,
Jun 23, 2006, 12:04:19 AM6/23/06
to Core-iSCSI
Sent the part of /var/log/messages and an ethereal trace to you
yesterday evening.

Hope you can find what's going on.

Albert

Reply all
Reply to author
Forward
0 new messages