Re: [Freeipmi-users] ipmi_ctx_open_outofband_2_0: bad completion code (Supermicro X9DR7-LN4F, firmware 3.40)

[Chu, Al]

Hi Werner,

> PS: he also told me that he is using CentOS 6 with freeipmi-1.2.1-7. Do
> you think that the problem could be also somehow come from this older
> version?

It's hard to say definitively since that was so long ago.  Looking through the 
news file, there doesn't seem to be any major changes in the areas that could 
effect this.

Al

________________________________________
From: Werner Fischer address@hidden
Sent: Wednesday, June 15, 2016 2:41 AM
To: Chu, Al
Cc: address@hidden
Subject: Re: [Freeipmi-users] ipmi_ctx_open_outofband_2_0: bad completion code 
(Supermicro X9DR7-LN4F, firmware 3.40)

Hi Al,

On Mit, 2016-06-08 at 10:22 -0700, Albert Chu wrote:
> Hey Werner,
>
> Thanks for the report, it appears there was a bug in FreeIPMI that would
> have made the bug easier to understand.
> [...] So I'll need to fix that.  I've pushed this into the
> freeipmi-1-5-0-stable branch if you could try it out?  (github mirror
> https://github.com/chu11/freeipmi-mirror).  Unfortunately, my systems
> can't reproduce this error (likely b/c they are not implementing IPMI
> security correctly).
We have not tested this yet. I have tried to reproduce it on my test
system (I have used admin priv. in my previous tests, so I have hoped to
get the error when using user priv.) But still (also with "user" priv.)
I do not get the error on my system with X9SCM-F with the same firmware
(v3.40) The admin who  has the problem on his production systems has a
X9DR7-LN4F, also with fw v3.40)

> But onto your error, so instead of "bad completion code" it should have
> given you a cleaner error message of something like "privilege level
> cannot be obtained".  I bet that the new firmware fixed this security
> flaw, which is now leading to this problem.
>
> It likely means that you are trying to connect to a IPMI user on the
> system that has too low of a privilege level for what ipmi-sel requires.
> ipmi-sel defaults to OPERATOR privilege so I bet the IPMI user has a max
> privilege of USER.  So if you connect to a user with appropriate
> privileges, it should work.
>
> You may be able to get away with setting "--privilege-level=USER" on
> ipmi-sel.  IIRC the OPERATOR privileges are needed for some more
> advanced features, which you may not need/be using.
He has had --privilege-level=USER already. I have now asked him to
create a user with OPERATOR priv., and I'll forward you his feedback as
soon as I get the info.

He also told me that he always configures some settings with bmc-config
every time after he does an firmware upgrade. He will send me this
configuration, maybe the error only arises with some special
bmc-settings. I'll take a look on that, and try if I can then reproduce
the issue.

PS: he also told me that he is using CentOS 6 with freeipmi-1.2.1-7. Do
you think that the problem could be also somehow come from this older
version?

I'll keep you updated,
best regards,
Werner