Re: [Freeipmi-devel] fiid_obj_get: maximum_privilege_for_cipher_suite_3:
From: Al Chu
Subject: Re: [Freeipmi-devel] fiid_obj_get: maximum_privilege_for_cipher_suite_3: no data set
Date: Mon, 15 Nov 2010 16:10:17 -0800
Hi Peter,
It's as I suspected:
> =====================================================
> Get LAN Configuration Parameters Response
> =====================================================
> [ 2h] = cmd[ 8b]
> [ 0h] = comp_code[ 8b]
> [ 1h] = present_revision[ 4b]
> [ 1h] = oldest_revision_parameter[ 4b]
> [ 4h] = cipher_suite_entry_count[ 4b]
> [ 0h] = reserved[ 4b]
This says there are 4 cipher suites to read.
> =====================================================
> Get LAN Configuration Parameters Response
> =====================================================
> [ 2h] = cmd[ 8b]
> [ 0h] = comp_code[ 8b]
> [ 1h] = present_revision[ 4b]
> [ 1h] = oldest_revision_parameter[ 4b]
> [ 0h] = reserved[ 8b]
> [ 0h] = cipher_suite_id_entry_A[ 8b]
> [ 1h] = cipher_suite_id_entry_B[ 8b]
> [ 2h] = cipher_suite_id_entry_C[ 8b]
> [ 3h] = cipher_suite_id_entry_D[ 8b]
This shows which ones are supported, and it properly shows 4 of them.
> =====================================================
> Get LAN Configuration Parameters Response
> =====================================================
> [ 2h] = cmd[ 8b]
> [ 0h] = comp_code[ 8b]
> [ 1h] = present_revision[ 4b]
> [ 1h] = oldest_revision_parameter[ 4b]
> [ 55h] = reserved[ 8b]
> [ 5h] = maximum_privilege_for_cipher_suite_1[ 4b]
> [ 5h] = maximum_privilege_for_cipher_suite_2[ 4b]
> fiid_obj_get: maximum_privilege_for_cipher_suite_3: no data set
This is supposed to tell us what the maximum privilege levels for those 4
cipher suites are, but the command only returns 2. Uh oh ...
I'll need to think about how to work around this. Maybe if this
happens, I could have bmc-config output "Unknown" or something, and it's
up to the user to force the configuration of something. Let me think
about this and get back to you with a patch ...
Al
On Mon, 2010-11-15 at 16:00 -0800, Peter Selby wrote:
> Thanks for the quick response!
>
> ipmiping doesn't work, either from the host or from a neighbour. I'm
> pretty sure it's not a network issue, but I'll double-check, and try a
> hard-reset.
>
> Here's the output of debug:
>
> bmc-config --checkout --section=Rmcpplus_Conf_Privilege --debug
> =====================================================
> Get Device ID Request
> =====================================================
> [ 1h] = cmd[ 8b]
> =====================================================
> Get Device ID Response
> =====================================================
> [ 1h] = cmd[ 8b]
> [ 0h] = comp_code[ 8b]
> [ 0h] = device_id[ 8b]
> [ 3h] = device_revision.revision[ 4b]
> [ 0h] = device_revision.reserved1[ 3b]
> [ 0h] = device_revision.sdr_support[ 1b]
> [ 1h] = firmware_revision1.major_revision[ 7b]
> [ 0h] = firmware_revision1.device_available[ 1b]
> [ 22h] = firmware_revision2.minor_revision[ 8b]
> [ 2h] = ipmi_version_major[ 4b]
> [ 0h] = ipmi_version_minor[ 4b]
> [ 1h] = additional_device_support.sensor_device[ 1b]
> [ 1h] = additional_device_support.sdr_repository_device[ 1b]
> [ 1h] = additional_device_support.sel_device[ 1b]
> [ 1h] = additional_device_support.fru_inventory_device[ 1b]
> [ 1h] = additional_device_support.ipmb_event_receiver[ 1b]
> [ 0h] = additional_device_support.ipmb_event_generator[ 1b]
> [ 1h] = additional_device_support.bridge[ 1b]
> [ 1h] = additional_device_support.chassis_device[ 1b]
> [ F85h] = manufacturer_id.id[20b]
> [ 0h] = manufacturer_id.reserved1[ 4b]
> [ 0h] = product_id[16b]
> =====================================================
> Get Channel Info Command Request
> =====================================================
> [ 42h] = cmd[ 8b]
> [ 0h] = channel_number[ 4b]
> [ 0h] = reserved[ 4b]
> =====================================================
> Get Channel Info Command Response
> =====================================================
> [ 42h] = cmd[ 8b]
> [ 0h] = comp_code[ 8b]
> [ 0h] = actual_channel_number[ 4b]
> [ 0h] = actual_channel_number.reserved[ 4b]
> [ 1h] = channel_medium_type[ 7b]
> [ 0h] = channel_medium_type.reserved[ 1b]
> [ 1h] = channel_protocol_type[ 5b]
> [ 0h] = channel_protocol_type.reserved[ 3b]
> [ 0h] = active_session_count[ 6b]
> [ 0h] = session_support[ 2b]
> [ 1BF2h] = vendor_id[24b]
> [ FFFFh] = auxiliary_channel_info[16b]
> =====================================================
> Get Channel Info Command Request
> =====================================================
> [ 42h] = cmd[ 8b]
> [ 1h] = channel_number[ 4b]
> [ 0h] = reserved[ 4b]
> =====================================================
> Get Channel Info Command Response
> =====================================================
> [ 42h] = cmd[ 8b]
> [ CCh] = comp_code[ 8b]
> [ 0h] = actual_channel_number[ 4b]
> [ 0h] = actual_channel_number.reserved[ 4b]
> [ 1h] = channel_medium_type[ 7b]
> [ 0h] = channel_medium_type.reserved[ 1b]
> [ 1h] = channel_protocol_type[ 5b]
> [ 0h] = channel_protocol_type.reserved[ 3b]
> [ 0h] = active_session_count[ 6b]
> [ 0h] = session_support[ 2b]
> [ 1BF2h] = vendor_id[24b]
> [ FFFFh] = auxiliary_channel_info[16b]
> =====================================================
> Get Channel Info Command Request
> =====================================================
> [ 42h] = cmd[ 8b]
> [ 2h] = channel_number[ 4b]
> [ 0h] = reserved[ 4b]
> =====================================================
> Get Channel Info Command Response
> =====================================================
> [ 42h] = cmd[ 8b]
> [ 0h] = comp_code[ 8b]
> [ 2h] = actual_channel_number[ 4b]
> [ 0h] = actual_channel_number.reserved[ 4b]
> [ 4h] = channel_medium_type[ 7b]
> [ 0h] = channel_medium_type.reserved[ 1b]
> [ 1h] = channel_protocol_type[ 5b]
> [ 0h] = channel_protocol_type.reserved[ 3b]
> [ 0h] = active_session_count[ 6b]
> [ 2h] = session_support[ 2b]
> [ 1BF2h] = vendor_id[24b]
> [ FFFFh] = auxiliary_channel_info[16b]
> =====================================================
> Get User Access Command Request
> =====================================================
> [ 44h] = cmd[ 8b]
> [ 2h] = channel_number[ 4b]
> [ 0h] = reserved1[ 4b]
> [ 1h] = user_id[ 6b]
> [ 0h] = reserved2[ 2b]
> =====================================================
> Get User Access Command Response
> =====================================================
> [ 44h] = cmd[ 8b]
> [ 0h] = comp_code[ 8b]
> [ 3h] = max_channel_user_ids[ 6b]
> [ 0h] = reserved1[ 2b]
> [ 2h] = current_channel_user_ids[ 6b]
> [ 0h] = user_id_enable_status[ 2b]
> [ 1h] = current_channel_fixed_names[ 6b]
> [ 0h] = reserved2[ 2b]
> [ 2h] = user_privilege_level_limit[ 4b]
> [ 1h] = user_ipmi_messaging[ 1b]
> [ 1h] = user_link_authentication[ 1b]
> [ 0h] = user_restricted_to_callback[ 1b]
> [ 0h] = reserved3[ 1b]
> #
> # Section Rmcpplus_Conf_Privilege Comments
> #
> # If your system supports IPMI 2.0 and Serial-over-LAN (SOL),cipher suite IDs
> # may be configurable below. In the Rmcpplus_Conf_Privilege section, maximum
> # user privilege levels allowed for authentication under IPMI 2.0 (including
> # Serial-over-LAN) are set for each supported cipher suite ID. Each cipher suite
> # ID supports different sets of authentication, integrity, and encryption
> # algorithms for IPMI 2.0. Typically, the highest privilege level any username
> # configured should set for support under a cipher suite ID. This is typically
> # "Administrator".
> #
> Section Rmcpplus_Conf_Privilege
> =====================================================
> Get LAN Configuration Parameters Request
> =====================================================
> [ 2h] = cmd[ 8b]
> [ 2h] = channel_number[ 4b]
> [ 0h] = reserved1[ 3b]
> [ 0h] = get_parameter[ 1b]
> [ 16h] = parameter_selector[ 8b]
> [ 0h] = set_selector[ 8b]
> [ 0h] = block_selector[ 8b]
> =====================================================
> Get LAN Configuration Parameters Response
> =====================================================
> [ 2h] = cmd[ 8b]
> [ 0h] = comp_code[ 8b]
> [ 1h] = present_revision[ 4b]
> [ 1h] = oldest_revision_parameter[ 4b]
> [ 4h] = cipher_suite_entry_count[ 4b]
> [ 0h] = reserved[ 4b]
> =====================================================
> Get LAN Configuration Parameters Request
> =====================================================
> [ 2h] = cmd[ 8b]
> [ 2h] = channel_number[ 4b]
> [ 0h] = reserved1[ 3b]
> [ 0h] = get_parameter[ 1b]
> [ 17h] = parameter_selector[ 8b]
> [ 0h] = set_selector[ 8b]
> [ 0h] = block_selector[ 8b]
> =====================================================
> Get LAN Configuration Parameters Response
> =====================================================
> [ 2h] = cmd[ 8b]
> [ 0h] = comp_code[ 8b]
> [ 1h] = present_revision[ 4b]
> [ 1h] = oldest_revision_parameter[ 4b]
> [ 0h] = reserved[ 8b]
> [ 0h] = cipher_suite_id_entry_A[ 8b]
> [ 1h] = cipher_suite_id_entry_B[ 8b]
> [ 2h] = cipher_suite_id_entry_C[ 8b]
> [ 3h] = cipher_suite_id_entry_D[ 8b]
> =====================================================
> Get LAN Configuration Parameters Request
> =====================================================
> [ 2h] = cmd[ 8b]
> [ 2h] = channel_number[ 4b]
> [ 0h] = reserved1[ 3b]
> [ 0h] = get_parameter[ 1b]
> [ 18h] = parameter_selector[ 8b]
> [ 0h] = set_selector[ 8b]
> [ 0h] = block_selector[ 8b]
> =====================================================
> Get LAN Configuration Parameters Response
> =====================================================
> [ 2h] = cmd[ 8b]
> [ 0h] = comp_code[ 8b]
> [ 1h] = present_revision[ 4b]
> [ 1h] = oldest_revision_parameter[ 4b]
> [ 55h] = reserved[ 8b]
> [ 5h] = maximum_privilege_for_cipher_suite_1[ 4b]
> [ 5h] = maximum_privilege_for_cipher_suite_2[ 4b]
> fiid_obj_get: maximum_privilege_for_cipher_suite_3: no data set
>
> On Mon, Nov 15, 2010 at 3:55 PM, Al Chu <address@hidden> wrote:
> > Hi Peter,
> >
> > Assuming you're using a recent version of FreeIPMI, there's probably
> > some IPMI non-compliance going on on your motherboard. The short guess
> > is that the motherboard isn't properly reporting things to bmc-config
> > correctly, and bmc-config gets confused and gives up. There have been a
> > few IPMI issues for the HP DL145 already reported to me. Let's see if we
> > can figure out what's going on. Can you send me the --debug output?
> > Since the problem appears just in that section, how about running this
> > to shorten the output:
> >
> > bmc-config --checkout --section=Rmcpplus_Conf_Privilege --debug
> >
> >> Any idea what could be wrong, or how to fix it? And could this be the
> >> reason the network won't come up?
> >
> > Although it's always possible, it's unlikely this is the cause of IPMI
> > over LAN not working. Can you get an ipmiping (/usr/sbin/ipmiping) to
> > work? If yes that would point to it being an authentication problem
> > (e.g. username/password/privilege, etc.), if no, possibly a more basic
> > networking issue (subnetting, routing, etc.).
> >
> > I haven't played with this motherboard specifically, but a few recent
> > ones I've encountered require you to hard-reset (e.g. power button push)
> > the motherboard for configuration changes to "stick". It certainly
> > can't hurt to try.
> >
> > Al
> >
> > On Mon, 2010-11-15 at 15:29 -0800, Peter Selby wrote:
> >> Hi guys,
> >>
> >> I'm trying to configure the BMC on an HP ProLiant DL145 G2 using
> >> bmc-config. IPMI over LAN is not working; it should have a fixed IP,
> >> but it won't respond to anything.
> >>
> >> When I try to dump the BMC config, I get:
> >>
> >> $ bmc-config --checkout
> >> ...
> >> Section Rmcpplus_Conf_Privilege
> >> fiid_obj_get: maximum_privilege_for_cipher_suite_3: no data set
> >> $
> >>
> >> Everything prior to that dumps okay. Adding the section (and
> >> subsequent SOL_Conf section) manually, I get two possible results:
> >>
> >> * Empty Rmcpplus_Conf_Privilege: Config commits successfully, but a
> >> checkout results in the same problem
> >> * Rmcpplus_Conf_Privilege filled in based on the bmc-config.conf
> >> manpage (with Maximum_Privilege_Cipher_Suite_Id_0-through-4 or 12): I
> >> get the same error, fiid_obj_get:
> >> maximum_privilege_for_cipher_suite_3: no data set
> >>
> >> Any idea what could be wrong, or how to fix it? And could this be the
> >> reason the network won't come up?
> >>
> >> Thanks,
> >>
> >> Peter
> >>
> >> _______________________________________________
> >> Freeipmi-devel mailing list
> >> address@hidden
> >> http://lists.gnu.org/mailman/listinfo/freeipmi-devel
> >>
> > --
> > Albert Chu
> > address@hidden
> > Computer Scientist
> > High Performance Systems Division
> > Lawrence Livermore National Laboratory
> >
> >
>
--
Albert Chu
address@hidden
Computer Scientist
High Performance Systems Division
Lawrence Livermore National Laboratory
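
The workaround Al sketches above (report "Unknown" for privilege slots the BMC did not return instead of aborting the whole section), as an added example that is not part of the original message and is not FreeIPMI code. The function names, the -1 sentinel and the privilege-name strings are assumptions; the byte layout follows the field order in the debug output for parameter 18h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SUITES   16    /* parameter 18h carries 16 four-bit slots */
#define PRIV_UNKNOWN (-1)  /* hypothetical sentinel: slot not returned */

/* data:  parameter bytes after comp_code and the revision byte, laid out as
 *        in the dump: data[0] = reserved, then one byte per pair of slots,
 *        low nibble first (slot 1 before slot 2).
 * count: cipher_suite_entry_count read from parameter 16h.
 * Returns how many of the first `count` slots the response really held. */
int parse_cipher_privs(const uint8_t *data, size_t len, unsigned count,
                       int levels[MAX_SUITES])
{
    int present = 0;
    if (count > MAX_SUITES)
        count = MAX_SUITES;            /* do not trust the reported count */
    for (unsigned i = 0; i < MAX_SUITES; i++) {
        size_t byte = 1 + i / 2;       /* skip the reserved byte */
        levels[i] = PRIV_UNKNOWN;
        if (data == NULL || byte >= len)
            continue;                  /* short response: stay unknown */
        levels[i] = (i % 2) ? (data[byte] >> 4) : (data[byte] & 0x0F);
        if (i < count)
            present++;
    }
    return present;
}

const char *priv_name(int level)
{
    static const char *names[] = { "Unspecified", "Callback", "User",
                                   "Operator", "Administrator", "OEM" };
    return (level < 0 || level > 5) ? "Unknown" : names[level];
}

int main(void)
{
    /* Constructed from the debug output above: reserved = 55h, then 55h. */
    static const uint8_t data[] = { 0x55, 0x55 };
    int levels[MAX_SUITES];
    int got = parse_cipher_privs(data, sizeof data, 4, levels);
    for (unsigned i = 0; i < 4; i++)
        printf("slot %u: %s\n", i + 1, priv_name(levels[i]));
    printf("%d of 4 slots returned by the BMC\n", got);
    return 0;
}
```

A caller can compare the return value with the count from parameter 16h and flag the BMC as non-compliant when they differ, leaving the unknown slots for the operator to set explicitly.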