User couldn't be authenticated, aborting call. GUI says invalid username or password


(Vasanth Kumar S) #1

All “one” commands are failing with “User couldn’t be authenticated, aborting call”.

It was working fine earlier, and suddenly the GUI had no login access.

Tried changing the password for one admin user, auth files and DB; in the process of fixing, the opennebula service failed to start.

FE
CentOS 7.4
Opennebula 5.6.1

No helpful traces in logs…

Thanks in advance.
Vasanth


(Alejandro Huertas) #2

Hi @vasanthsg

Make sure you change the password correctly. In your version passwords are hashed using SHA1, so if you change the user password directly in the database you have to input the correct SHA1 of your password.

Also, your database might be corrupted, so please try to restore a backup (if you have one); if not, try to restore the password.


(Vasanth Kumar S) #3

Hi Alejandro Huertas,
Thanks for the quick response.

I did try changing them correctly. But I used the plain password in DB.

However, when I attempted to hash it, I got more errors

onevm list

[one.vmpool.info] User couldn’t be authenticated, aborting call.

Could you please advise on the steps to change it in all required places?


(Alejandro Huertas) #4

Of course!

First of all, you calculate the SHA1 of your password; you can use http://www.sha1-online.com/

Then you go inside the database: if it’s MySQL you just log in; if it’s SQLite you just run sqlite3 /var/lib/one/one.db.

Inside of the database you execute select body from user_pool where oid=<USER_ID>;, you copy that content to an editor, for example vim. You go to the <PASSWORD> field and change the content of CDATA with the new hash. Finally you copy the result.

So back again to the database you execute: update user_pool set body='<PASTE HERE>' where oid= <USER_ID>;. Now you log out and try again using CLI or Sunstone.
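
Added example, not part of the original posts and not OpenNebula code: the steps from post #4 done locally in the shell, so the password is never pasted into a website. The body XML is a constructed, simplified sample, the function names are hypothetical, and oid 0 is oneadmin as stated later in the thread.

```shell
#!/bin/sh
# Added example (not OpenNebula code): local SHA-1 + PASSWORD CDATA patch.

# Hex SHA-1 of the exact password bytes. printf '%s' adds no trailing
# newline; `echo pw | sha1sum` would hash "pw\n" and never match at login.
one_sha1() {
    printf '%s' "$1" | sha1sum | awk '{print $1}'
}

# Print body XML ($1) with the <PASSWORD> CDATA replaced by hash ($2).
set_password_hash() {
    # Accept only a 40-character lowercase hex digest, so a plain password
    # can never be written into the body by mistake.
    case $2 in
        ''|*[!0-9a-f]*) echo "not a SHA-1 hex digest" >&2; return 1 ;;
    esac
    [ "${#2}" -eq 40 ] || { echo "not a SHA-1 hex digest" >&2; return 1; }
    printf '%s' "$1" |
        sed -E "s#(<PASSWORD><!\[CDATA\[)[^]]*(\]\]></PASSWORD>)#\1${2}\2#"
}

# Print the UPDATE from the post for numeric oid ($1) and new body ($2);
# single quotes in the body are doubled for the SQL string literal.
update_stmt() {
    case $1 in ''|*[!0-9]*) echo "oid must be numeric" >&2; return 1 ;; esac
    printf "update user_pool set body='%s' where oid=%s;\n" \
        "$(printf '%s' "$2" | sed "s/'/''/g")" "$1"
}

# Constructed, simplified sample of a user_pool body (not a real dump).
SAMPLE_BODY='<USER><ID>0</ID><NAME><![CDATA[oneadmin]]></NAME><PASSWORD><![CDATA[plain-text-left-in-db]]></PASSWORD><AUTH_DRIVER><![CDATA[core]]></AUTH_DRIVER></USER>'

new_hash=$(one_sha1 'constructed-example-password')
new_body=$(set_password_hash "$SAMPLE_BODY" "$new_hash")
update_stmt 0 "$new_body"
```
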


(Vasanth Kumar S) #5

Thanks again Alejandro.

I am using MySQL, and I used
GRANT ALL PRIVILEGES ON opennebula.* TO 'oneadmin' IDENTIFIED BY 'StrongPassword';

to set the password. So, should I replace the “StrongPassword” hash within this, or should I use the “select body…”?


(Alejandro Huertas) #6

No, no, don’t change your MySQL password; just execute the queries I told you. This is a change in the OpenNebula database, not in the database server.


(Vasanth Kumar S) #7

MariaDB [opennebula]> select body from user_pool where oid=<oneadmin>;

ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '<oneadmin>' at line 1


(Alejandro Huertas) #8

The oid is the ID of the user, so you have to put 0 because it’s oneadmin, so the query is: select body from user_pool where oid=0;


(Vasanth Kumar S) #9

Great. Yes, got the DB updated with the new hash.

But the onevm list is failing with
Address family not supported by protocol - socket(2)

Maybe another issue somewhere :(


(Alejandro Huertas) #10

Please run oneuser show; does it work?


(Vasanth Kumar S) #11

$oneuser show

Address family not supported by protocol - socket(2)

But oned is not started. When I start it, the oned.log shows:

Error creating oneadmin user: NAME is already taken by USER 0.


(Vasanth Kumar S) #12

Password file /var/lib/one//.one/sunstone_auth already exists but OpenNebula is boostraping the database. Check your database configuration in oned.conf.

one start
oned failed to start
/bin/one: line 117: 18047 Terminated $ONE_SCHEDULER


(Alejandro Huertas) #13

Your OpenNebula is trying to bootstrap the database; maybe there is something wrong. So back up your files in /var/lib/one/.one, remove all the contents inside /var/lib/one/.one except the one_auth, then try again.


(Vasanth Kumar S) #14

Yes, tried that and all *_auth files got created but opennebula.service is in failed state. opennebula.sunstone is running.

$ oneuser show is throwing an error as below

Address family not supported by protocol - socket(2)


(Vasanth Kumar S) #15

Should I drop the database and recreate fresh?


(Alejandro Huertas) #16

I think it is the best option, so save a backup of the database, then drop it, create a new one and start OpenNebula again.


(Vasanth Kumar S) #17

Dropped the DB, recreated it, and $one start started without errors.

But opennebula.service is still failing to start.

The oned.log shows up as follows
Thu Mar 14 17:54:08 2019 [Z0][MAD][E]: MAD did not answer INIT command

Thu Mar 14 17:54:08 2019 [Z0][ONE][E]: Could not load driver

Thu Mar 14 17:54:28 2019 [Z0][AuM][D]: Message received: LOG I 1 Command execution failed (exit code: 255): /var/lib/one/remotes/auth/server_cipher/authenticate

Thu Mar 14 17:54:28 2019 [Z0][AuM][I]: Command execution failed (exit code: 255): /var/lib/one/remotes/auth/server_cipher/authenticate

Thu Mar 14 17:54:28 2019 [Z0][AuM][D]: Message received: LOG E 1 bad decrypt

Thu Mar 14 17:54:28 2019 [Z0][AuM][I]: bad decrypt

Thu Mar 14 17:54:28 2019 [Z0][AuM][D]: Message received: AUTHENTICATE FAILURE 1 bad decrypt

Thu Mar 14 17:54:28 2019 [Z0][AuM][E]: Auth Error: bad decrypt

Thu Mar 14 17:54:28 2019 [Z0][ReM][D]: Req:5120 UID:-1 one.documentpool.info invoked , -2, -1, -1, 100

Thu Mar 14 17:54:28 2019 [Z0][ReM][E]: Req:5120 UID:- one.documentpool.info result FAILURE [one.documentpool.info] User couldn’t be authenticated, aborting call.

Thu Mar 14 17:54:35 2019 [Z0][ReM][D]: Req:5392 UID:0 one.zone.raftstatus invoked

Thu Mar 14 17:54:35 2019 [Z0][ReM][D]: Req:5392 UID:0 one.zone.raftstatus result SUCCESS, “<RAFT><SERVER_ID>-1<…”

Thu Mar 14 17:54:35 2019 [Z0][ReM][D]: Req:9552 UID:0 one.vmpool.info invoked , -2, -1, -1, -1

Thu Mar 14 17:54:35 2019 [Z0][ReM][D]: Req:9552 UID:0 one.vmpool.info result SUCCESS, “<VM_POOL></VM_POOL>”

Thu Mar 14 17:54:35 2019 [Z0][ReM][D]: Req:768 UID:0 one.vmpool.info invoked , -2, -1, -1, -1

Thu Mar 14 17:54:35 2019 [Z0][ReM][D]: Req:768 UID:0 one.vmpool.info result SUCCESS, “<VM_POOL></VM_POOL>”

Thu Mar 14 17:54:37 2019 [Z0][ReM][D]: Req:1616 UID:0 one.zone.raftstatus invoked

Thu Mar 14 17:54:37 2019 [Z0][ReM][D]: Req:1616 UID:0 one.zone.raftstatus result SUCCESS, “<RAFT><SERVER_ID>-1<…”

Thu Mar 14 17:54:37 2019 [Z0][ReM][D]: Req:9552 UID:0 one.vmpool.info invoked , -2, -1, -1, -1

Thu Mar 14 17:54:37 2019 [Z0][ReM][D]: Req:9552 UID:0 one.vmpool.info result SUCCESS, “<VM_POOL></VM_POOL>”

Thu Mar 14 17:54:37 2019 [Z0][ReM][D]: Req:7472 UID:0 one.vmpool.info invoked , -2, -1, -1, -1

Thu Mar 14 17:54:37 2019 [Z0][ReM][D]: Req:7472 UID:0 one.vmpool.info result SUCCESS, “<VM_POOL></VM_POOL>”

But the good news is $oneuser show throws results now


(Alejandro Huertas) #18

That is good news! Can you log in to Sunstone?