Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-72-2269066.1
Update Date:2017-06-26
Solution Type: Problem Resolution Sure

Solution 2269066.1: Ipmitool Fails With "Unable to establish IPMI v2 / RMCP+ session" When Using AD Userid


Related Items
  • Exalytics In-Memory Machine X5-4
Related Categories
  • PLA-Support>Eng Systems>Exalytics>Oracle Exalytics>DB: Exalytics_EST

In this Document
Symptoms
Cause
Solution


Created from <SR 3-14907952011>

Applies to:

Exalytics In-Memory Machine X5-4 - Version All Versions to All Versions [Release All Releases]
Information in this document applies to any platform.

Symptoms

When using a local user ID, the GUI, SSH and ipmitool commands all work; however, the error below is reported when an AD user ID is used to access ipmitool:

Invalid user name
Error: Unable to establish LAN session
Failed to open LAN interface
Sun OEM cli command failed

For interface type lanplus:

RAKP 2 message indicates an error : unauthorized name
Error: Unable to establish IPMI v2 / RMCP+ session
Sun OEM cli command failed

Note that SSH and the GUI both work fine with the same AD user ID.

The firmware version is:

  • SP firmware 3.2.6.20.a
  • SP firmware build number: 110631
  • SP firmware date: Sat Jun 11 03:00:40 EDT 2016
  • SP filesystem version: 0.2.10


Cause

The main technical problem is that RMCP/RMCP+ authentication requires the password to be known on both ends of the communication in order to verify the user. For LDAP users this information is not available to the BMC, since it exists only on the LDAP server. Other access methods to the BMC, such as HTTP, telnet or SSH, can ask the user for the password interactively and pass it to the LDAP server for verification before granting access. This is typically performed with a bind operation against the LDAP server.

For instance, in the relatively simple case of RMCP with MD5 authentication, the MD5 hash for every command after Activate Session is built over the user's password, the session ID, the raw IPMI command data, the session sequence number and again the user's password. The BMC performs the same computation to verify the command. While ipmitool has been given the password as a parameter, the BMC has no way of retrieving the plaintext password for a given user from the LDAP server; only local user information is available to the BMC. Also note that in most cases the password itself is not stored in plaintext on the LDAP server, but only in hashed or encrypted form, so even a directory lookup could not supply it.
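The following added example (not code from the Oracle note or from ipmitool) models the two verification paths described above: a client computes the IPMI v1.5 MD5 AuthCode exactly as listed (password, session ID, data, sequence number, password), a BMC that holds the local plaintext password can recompute and compare it, while a directory-backed account that only stores a salted password hash can answer an interactive bind but cannot be verified from the AuthCode. The user names, passwords, session values and the 4-byte little-endian field encoding are constructed assumptions for illustration.

```python
"""Added example: why RMCP MD5 authentication needs the plaintext password on the BMC.
All users, passwords and session values below are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct

PASSWORD_FIELD_LEN = 16  # IPMI v1.5 carries the password as a 16-byte null-padded field


def pad_password(password: bytes) -> bytes:
    """Truncate or null-pad the password to the fixed 16-byte field."""
    return password[:PASSWORD_FIELD_LEN].ljust(PASSWORD_FIELD_LEN, b"\x00")


def md5_authcode(password: bytes, session_id: int, data: bytes, session_seq: int) -> bytes:
    """AuthCode = MD5(password || session_id || data || session_seq || password).

    Assumption: session ID and sequence number are packed as 4-byte little-endian
    values, matching their on-the-wire representation.
    """
    pw = pad_password(password)
    h = hashlib.md5()
    h.update(pw)
    h.update(struct.pack("<I", session_id))
    h.update(data)
    h.update(struct.pack("<I", session_seq))
    h.update(pw)
    return h.digest()


class LocalUserStore:
    """Local BMC accounts: the BMC holds each user's plaintext password."""

    def __init__(self, users: dict):
        self._users = dict(users)

    def plaintext_password(self, user: str):
        return self._users.get(user)

    def bind(self, user: str, password: bytes) -> bool:
        stored = self._users.get(user)
        return stored is not None and hmac.compare_digest(stored, password)


class DirectoryStore:
    """LDAP/AD-style directory: stores only a salted hash and answers bind()."""

    def __init__(self, users: dict):
        self._users = {}
        for user, pw in users.items():
            salt = os.urandom(16)
            self._users[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw, salt, 10_000))

    def bind(self, user: str, password: bytes) -> bool:
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)
        return hmac.compare_digest(digest, candidate)

    def plaintext_password(self, user: str):
        return None  # the directory never hands out the plaintext password


def client_build(user: str, password: bytes, session_id: int, session_seq: int, data: bytes) -> dict:
    """What an ipmitool-like client sends: the command plus its AuthCode, never the password."""
    return {
        "user": user,
        "session_id": session_id,
        "session_seq": session_seq,
        "data": data,
        "authcode": md5_authcode(password, session_id, data, session_seq),
    }


def bmc_verify_rmcp(msg: dict, store) -> bool:
    """RMCP path: the BMC must recompute the AuthCode, which needs the plaintext password."""
    pw = store.plaintext_password(msg["user"])
    if pw is None:
        return False  # nothing to hash with: the "unauthorized name" outcome
    expected = md5_authcode(pw, msg["session_id"], msg["data"], msg["session_seq"])
    return hmac.compare_digest(expected, msg["authcode"])


def bmc_verify_interactive(user: str, password: bytes, store) -> bool:
    """SSH/HTTP path: the BMC received the password interactively and can bind with it."""
    return store.bind(user, password)
```

Run against a `LocalUserStore`, `bmc_verify_rmcp` succeeds for the correct password and fails for a wrong password or tampered command data; against a `DirectoryStore` it fails regardless, while `bmc_verify_interactive` succeeds because the bind carries the plaintext the user typed, which is exactly the asymmetry the note describes.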


Solution

ipmitool does not support Domain/AD/LDAP user names.
As a workaround, plain/password authentication in the RMCP protocol can be used; note that this transmits the (domain) password in plaintext over the wire.
Also note that the RMCP protocol specifies a maximum user name length of only 16 bytes, which puts a hard limit on the combined domain and/or user name.


Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.