From owner-freebsd-stable@FreeBSD.ORG  Wed Jul 13 09:43:57 2011
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B9ADD106566C
	for <freebsd-stable@freebsd.org>; Wed, 13 Jul 2011 09:43:57 +0000 (UTC)
	(envelope-from linuxmail@4lin.net)
Received: from mail.4lin.net (mail.4lin.net [IPv6:2a01:4f8:130:6021::50])
	by mx1.freebsd.org (Postfix) with ESMTP id 00B298FC12
	for <freebsd-stable@freebsd.org>; Wed, 13 Jul 2011 09:43:56 +0000 (UTC)
Received: from localhost (angelica.4lin.net [127.0.0.1])
	by mail.4lin.net (Postfix) with ESMTP id 9DD9633575
	for <freebsd-stable@freebsd.org>; Wed, 13 Jul 2011 11:48:39 +0200 (CEST)
X-Virus-Scanned: amavisd-new at mail.4lin.net
Received: from mail.4lin.net ([127.0.0.1])
	by localhost (mail.4lin.net [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id zh2YgIv3d--j for <freebsd-stable@freebsd.org>;
	Wed, 13 Jul 2011 11:48:31 +0200 (CEST)
Received: from [130.83.160.152] (pcdenny.rbg.informatik.tu-darmstadt.de
	[130.83.160.152])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.4lin.net (Postfix) with ESMTPSA id 92A8933490
	for <freebsd-stable@freebsd.org>; Wed, 13 Jul 2011 11:48:31 +0200 (CEST)
From: Denny Schierz <linuxmail@4lin.net>
To: freebsd-stable <freebsd-stable@freebsd.org>
Content-Type: multipart/signed; micalg="pgp-sha1";
	protocol="application/pgp-signature";
	boundary="=-zg2rQOCgVr+ENqKMXIXl"
Date: Wed, 13 Jul 2011 11:50:10 +0200
Message-ID: <1310550610.13539.12.camel@pcdenny>
Mime-Version: 1.0
X-Mailer: Evolution 2.30.3 
Subject: istgt: getting authentification working with CHAP
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2011 09:43:57 -0000


--=-zg2rQOCgVr+ENqKMXIXl
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

hi,

since a while I try to get authentication working, but something is
missing or wrong:

My HowTo is: http://zewaren.net/site/?q=3Dnode/70

If I try from Windows7 or Ubuntu 10.4 discovery devices, I get nothing
back:

:~ # iscsiadm  -m discovery -t st -p san:3261
:~ #

But, discovery authentication works, I think.

my istgt Config:

auth.conf:
----------

[AuthGroup1]
  Comment "Group for Backup Disks"
  Auth "iqn.2011-07.san:virtual175" "between12and16"

[AuthGroup9999]
  Comment "Group for discovery"
  Auth "iqn.2011-07.san:discoverer"  "discovermenow"

[AuthGroup10000]
  Comment "Group for unit controller"
  Auth "ctluser" "test" "mutualuser" "mutualsecret"


istgtcontrol.conf
-----------------

[Global]
    Comment      "ISTGT control configuration"
    Timeout      60
    AuthMethod   CHAP Mutual
    Auth         "ctluser" "test" "mutualuser" "mutualsecret"
    Host         localhost
    Port         3259
    TargetName   "iqn.2011-07.san:backup01"
    Lun          0
    Flags        "ro"
    Size         "auto"


istgt.conf:
------------------
[Global]
    Comment                  "Global section"
    NodeBase                 "iqn.2011-07.san"
    PidFile                  /var/run/istgt.pid
    AuthFile                 /usr/local/etc/istgt/auth.conf
    MediaDirectory           /var/istgt
    LogFacility              "local7"
    Timeout                  30
    NopInInterval            20

    DiscoveryAuthMethod      CHAP
    DiscoveryAuthGroup AuthGroup9999

    MaxSessions              32
    MaxConnections           8
    MaxBurstLength           1048576
    MaxRecvDataSegmentLength 262144
    MaxR2T                   64
    MaxOutstandingR2T 16
    DefaultTime2Wait 2
    DefaultTime2Retain 60
    MaxBurstLength 1048576

[UnitControl]
    Comment                  "Unit Controller"
    AuthMethod               CHAP Mutual
    AuthGroup                AuthGroup10000
    Portal                   UC1 127.0.0.1:3259
    Netmask                  127.0.0.1

[PortalGroup1]
    Comment                  "Portal Group 1"
    Portal                   DA2 192.168.1.1:3261

[InitiatorGroup1]
    Comment                  "Initiator Group 1"
    InitiatorName            "iqn.2011-07.san:virtual175"
    #InitiatorName            "ALL"
    Netmask                  192.168.1.0/24

[LogicalUnit1]
    Comment                  "Backup01 (iqn.2011-07.san:backup01)"
    TargetName               backup01
    TargetAlias              "Backup01"

    Mapping                  PortalGroup1 InitiatorGroup1
    AuthMethod               CHAP
    AuthGroup                AuthGroup1
    UseDigest                Auto
    UnitType                 Disk
    QueueDepth              32
    LUN0           Storage /failover/lsipool01/backup01  13631488MB


If I change the InitiatorName from "iqn.2011-07.san:virtual175" to
"ALL", then I can login into the device ..., discover works too.

any suggestions ?

--=-zg2rQOCgVr+ENqKMXIXl
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEABECAAYFAk4dak4ACgkQKlzhkqt9P+D6hQCdHMkVnrcPCc0x5s2kIaRW+74e
lG8AoJWEwwHZSZPNS35onrgzsIxEqpzc
=Eplb
-----END PGP SIGNATURE-----

--=-zg2rQOCgVr+ENqKMXIXl--