[gPXE] Fwd: Re:Re: why?username and password is right , but can't boot?
Marty Connor
mdc at etherboot.org
Wed Mar 17 17:09:09 EDT 2010
Nice debugging, Kevin!
Kevin Tran wrote on 3/17/10 6:08 AM:
> Current code only handles challenge response that is string of hex
> numbers that started with either “0x”. The challenge sent back by
> this target is in base64 format. I think we need to add base64 (per
> RFC 3720) format support in order to solve this problem. The
> description of this format is in RFC 3720:
>
> base64-constant: base64 constant encoded as a string that starts
> with "0b" or "0B" followed by 1 or more digits or letters or plus
> or slash or equal. The encoding is done according to [RFC2045]
> and each character, except equal, represents a base64 digit or a
> 6-bit binary string. Base64-constants are used to encode
> numerical-values or binary strings. When used to encode
> numerical values, the excessive use of leading 0 digits (encoded
> as A) is discouraged. The string following 0B (or 0b) represents
> a base64 number that starts with the most significant base64
> digit, followed by all other digits in decreasing order of
> significance and ending with the least-significant base64 digit;
> the least significant base64 digit may be optionally followed by
> pad digits (encoded as equal) that are not considered as part of
> the number. When used to encode binary strings, base64-constants
> have an implicit
> byte-length that includes six bits for every character of the
> constant, excluding trailing equals (i.e., a base64-constant of n
> base64 characters excluding the trailing equals has a byte-length
> of ((the integer part of) (n*3/4)). Correctly encoded base64
> strings cannot have n values of 1, 5 ... k*4+1.
>
> This support is already in Open-ISCSI Initiator.
>
> static int
> acl_text_to_data(const char *text, unsigned char *data,
>                  unsigned int *data_length)
> {
>     int status;
>     unsigned int text_length;
>
>     status = acl_chk_string(text, 2 + 2 * AUTH_LARGE_BINARY_MAX_LEN + 1,
>                             &text_length);
>     if (status)
>         return status;
>
>     if (text[0] == '0' && (text[1] == 'x' || text[1] == 'X')) {
>         /* skip prefix */
>         text += 2;
>         text_length -= 2;
>         status = acl_hex_to_data(text, text_length, data, data_length);
>     } else if (text[0] == '0' && (text[1] == 'b' || text[1] == 'B')) {
>         /* skip prefix */
>         text += 2;
>         text_length -= 2;
>         status = acl_base64_to_data(text, data, data_length);
>     } else
>         status = 1; /* prefix not recognized. */
>
>     return status;
> }
>
>
> So my initial proposed fix WILL not work. Sorry….
>
> Regards,
>
> Kevin
>
> From: Kevin Tran
> Sent: Wednesday, March 17, 2010 1:59 AM
> To: 'lsq726'
> Cc: 'gpxe at etherboot.org'
> Subject: RE: Re:Re: [gPXE] Fwd: Re:Re: why?username and password is right , but can't boot?
>
> Hi,
> I was looking at the network trace that was captured between the MSFT iSCSI initiator and iSCSI target. That explains why everything worked correctly. :)
>
> LSQ726 sent me another trace (88888..). I looked at the trace and the iSCSI code and I think I know what the problem is.
>
>
> 1. gPXE sent out iSCSI login command with CHAP_A=5.
>
>
>
> 2. iSCSI target sent back iSCSI response with CHAP_A, CHAP_I, and CHAP_C
>
>
>
> 3. CHAP processing code rejected the challenge because it didn’t start with “0x”.
>
> static int iscsi_handle_chap_c_value ( struct iscsi_session *iscsi,
>                                        const char *value ) {
>     char buf[3];
>     char *endp;
>     uint8_t byte;
>     unsigned int i;
>
>     /* Check and strip leading "0x" */
>     if ( ( value[0] != '0' ) || ( value[1] != 'x' ) ) {
>         DBGC ( iscsi, "iSCSI %p saw invalid CHAP challenge \"%s\"\n",
>                iscsi, value );
>         return -EPROTO;
>     }
>     value += 2;
>
> I don’t think there is such a requirement. If it starts with “0x”, then it should skip two bytes. I can double-check the specs tomorrow. For now, can you recompile the code with the following changes:
>
>     /* Check and strip leading "0x" */
>     if ( ( value[0] == '0' ) && ( ( value[1] == 'x' ) || ( value[1] == 'X' ) ) ) {
>         value += 2;
>     }
>
> Regards,
>
> Kevin
>
> From: Kevin Tran
> Sent: Tuesday, March 16, 2010 11:32 PM
> To: 'lsq726'
> Cc: gpxe at etherboot.org
> Subject: RE: Re:Re: [gPXE] Fwd: Re:Re: why?username and password is right , but can't boot?
>
> You need to check your configuration. Based on the network trace, the response to “Read Capacity10” was 1GB.
>
>
>
> From: lsq726 [mailto:lsq726 at 163.com]
> Sent: Tuesday, March 16, 2010 11:25 PM
> To: Kevin Tran
> Subject: Re:Re: [gPXE] Fwd: Re:Re: why?username and password is right , but can't boot?
>
> HI,
> The partition is 10GB
> PLEASE GPXE.RAR
>
>
>
> At 2010-03-17 14:09:01, "Kevin Tran" <ktran at broadcom.com> wrote:
>
> Hi,
>
> I looked at the network trace briefly and I didn't see anything obviously wrong.
>
> 1. gPXE did login to the iSCSI target successfully with CHAP authentication (one-way).
> 2. The partition is only 1Gbyte and the partition is NTFS based on the MBR and Disk Inquiry response.
> 3. There were a lot of READ/WRITE IO’s from the initiator after login.
> 4. The last operations were iSCSI logout and then TCP connection was closed.
>
> In normal Win2k3/Win2K8 or Linux iSCSI boot, gPXE passes iSCSI parameters + CHAP information to the OS initiator via iBFT. OS initiator then does iSCSI login again with the iSCSI target. I didn’t see such operations. In addition, Windows partition is normally 5GB to 15GB which depends on the flavor of the OS and user’s setup.
>
> What are you trying to boot?
>
> Regards!
>
> Kevin
>
>
> -----Original Message-----
> From: gpxe-bounces at etherboot.org [mailto:gpxe-bounces at etherboot.org] On Behalf Of Marty Connor
> Sent: Tuesday, March 16, 2010 9:58 PM
> To: gpxe at etherboot.org
> Subject: [gPXE] Fwd: Re:Re: why?username and password is right , but can't boot?
>
> Forwarding. Perhaps this will be helpful in debugging this issue.
>
> -------- Original Message --------
> Subject: Re:Re: [gPXE] why?username and password is right ,but can't boot?
> Date: Wed, 17 Mar 2010 09:43:12 +0800 (CST)
> From: lsq726 <lsq726 at 163.com>
> To: Marty Connor <mdc at etherboot.org>
>
> SERVER ISCSI STARWIND 'S TWO LOG FILE
>
> 2010-03-17 09:17:06 "Marty Connor" <mdc at etherboot.org>
>> lsq726 wrote on 3/16/10 8:30 PM:
>>> why?username and password is right ,but can't boot?
>>> please see photo
>>
>> I also notice that you are getting a _lot_ of RXE (Receive Errors)
>>
>> It looks a lot like you may have some sort of network configuration error.
>>
>> And could you turn on CONSOLE_SERIAL and paste text instead of sending
>> pictures?
>>
>> If your setup boots when there is no password, then it could easily
>> be some arcane Windows security policy issue.
>>
>> Getting Windows to log in detail what it doesn't like and why it is
>> rejecting the connection will probably help a lot. Perhaps the server
>> is even already logging and you just need to look into it.
>>
>> A quick web search suggests that there is a lot of information out there
>> dealing with Windows iSCSI CHAP authentication on the server side.
>>
>> / Marty /
>
> _______________________________________________
> gPXE mailing list
> gPXE at etherboot.org
> http://etherboot.org/mailman/listinfo/gpxe
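
Added example, not part of the original thread and not gPXE or Open-iSCSI code: a sketch of a CHAP_C decoder that accepts both RFC 3720 encodings discussed above ("0x"/"0X" hex and "0b"/"0B" base64), applies the n = k*4+1 length rule from the quoted RFC text, and bounds every write. The names chap_decode_value and digit_val are hypothetical, and treating an odd number of hex digits as having an implied leading zero nibble is an assumption.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

static const char HEX[] = "0123456789abcdef";
static const char B64[] =   /* RFC 2045 alphabet */
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Index of c in alphabet, or -1 (NUL never counts as a digit). */
static int digit_val(const char *alphabet, char c) {
    const char *p = c ? strchr(alphabet, c) : NULL;
    return p ? (int)(p - alphabet) : -1;
}

/* Decode an RFC 3720 binary value: "0x"/"0X" + hex or "0b"/"0B" + base64.
 * Returns bytes written to out (capacity cap), or -1 if malformed/too long. */
int chap_decode_value(const char *text, uint8_t *out, size_t cap) {
    int is_hex, step, bits = 0, v;
    uint32_t acc = 0;
    size_t n, i, len = 0;
    if (text == NULL || text[0] != '0') return -1;
    if (text[1] == 'x' || text[1] == 'X') is_hex = 1;
    else if (text[1] == 'b' || text[1] == 'B') is_hex = 0;
    else return -1;                 /* prefix not recognised */
    text += 2;
    n = strlen(text);
    step = is_hex ? 4 : 6;          /* bits carried per digit */
    if (!is_hex) {
        /* Up to two trailing '=' are padding, not part of the value. */
        for (i = 0; i < 2 && n > 0 && text[n - 1] == '='; i++) n--;
        if (n % 4 == 1) return -1;  /* n = 1, 5 ... k*4+1 cannot occur */
    } else if (n % 2) {
        bits = 4;                   /* assumption: implied leading zero nibble */
    }
    if (n == 0) return -1;          /* at least one digit is required */
    for (i = 0; i < n; i++) {
        v = is_hex ? digit_val(HEX, (char)tolower((unsigned char)text[i]))
                   : digit_val(B64, text[i]);
        if (v < 0) return -1;       /* stray character, or '=' before the end */
        acc = (acc << step) | (uint32_t)v;
        bits += step;
        if (bits >= 8) {
            if (len >= cap) return -1;  /* never write past the caller's buffer */
            bits -= 8;
            out[len++] = (uint8_t)(acc >> bits);
        }
    }
    return (int)len;                /* base64 leftover bits (< 8) are dropped */
}
```

A caller would size out to the largest challenge it is prepared to accept and treat -1 as a protocol error, as the existing gPXE code does for a missing "0x".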