istgt: getting authentication working with CHAP

Denny Schierz linuxmail at 4lin.net
Wed Jul 13 09:43:57 UTC 2011


Hi,

I have been trying for a while to get authentication working, but something is
missing or wrong:

My HowTo is: http://zewaren.net/site/?q=node/70

If I try to discover devices from Windows 7 or Ubuntu 10.4, I get nothing
back:

:~ # iscsiadm  -m discovery -t st -p san:3261
:~ #

But discovery authentication works, I think.

My istgt config:

auth.conf:
----------

[AuthGroup1]
  Comment "Group for Backup Disks"
  Auth "iqn.2011-07.san:virtual175" "between12and16"

[AuthGroup9999]
  Comment "Group for discovery"
  Auth "iqn.2011-07.san:discoverer"  "discovermenow"

[AuthGroup10000]
  Comment "Group for unit controller"
  Auth "ctluser" "test" "mutualuser" "mutualsecret"


istgtcontrol.conf
-----------------

[Global]
    Comment      "ISTGT control configuration"
    Timeout      60
    AuthMethod   CHAP Mutual
    Auth         "ctluser" "test" "mutualuser" "mutualsecret"
    Host         localhost
    Port         3259
    TargetName   "iqn.2011-07.san:backup01"
    Lun          0
    Flags        "ro"
    Size         "auto"


istgt.conf:
------------------
[Global]
    Comment                  "Global section"
    NodeBase                 "iqn.2011-07.san"
    PidFile                  /var/run/istgt.pid
    AuthFile                 /usr/local/etc/istgt/auth.conf
    MediaDirectory           /var/istgt
    LogFacility              "local7"
    Timeout                  30
    NopInInterval            20

    DiscoveryAuthMethod      CHAP
    DiscoveryAuthGroup AuthGroup9999

    MaxSessions              32
    MaxConnections           8
    MaxBurstLength           1048576
    MaxRecvDataSegmentLength 262144
    MaxR2T                   64
    MaxOutstandingR2T 16
    DefaultTime2Wait 2
    DefaultTime2Retain 60
    MaxBurstLength 1048576

[UnitControl]
    Comment                  "Unit Controller"
    AuthMethod               CHAP Mutual
    AuthGroup                AuthGroup10000
    Portal                   UC1 127.0.0.1:3259
    Netmask                  127.0.0.1

[PortalGroup1]
    Comment                  "Portal Group 1"
    Portal                   DA2 192.168.1.1:3261

[InitiatorGroup1]
    Comment                  "Initiator Group 1"
    InitiatorName            "iqn.2011-07.san:virtual175"
    #InitiatorName            "ALL"
    Netmask                  192.168.1.0/24

[LogicalUnit1]
    Comment                  "Backup01 (iqn.2011-07.san:backup01)"
    TargetName               backup01
    TargetAlias              "Backup01"

    Mapping                  PortalGroup1 InitiatorGroup1
    AuthMethod               CHAP
    AuthGroup                AuthGroup1
    UseDigest                Auto
    UnitType                 Disk
    QueueDepth              32
    LUN0           Storage /failover/lsipool01/backup01  13631488MB


If I change the InitiatorName from "iqn.2011-07.san:virtual175" to
"ALL", then I can log in to the device ..., and discovery works too.

Any suggestions?
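
As an added illustration (not part of the original post and not istgt's own code), this Python example parses the section format shown above and reports, per target, whether a given initiator is admitted by the mapped InitiatorGroup and which CHAP user names the AuthGroup lists. The matching rule in `admits` (exact InitiatorName or "ALL", plus source address inside a Netmask) is an assumption about how these keys are applied; the helper names and the sample initiator values are hypothetical.

```python
import ipaddress, shlex

# Constructed input, trimmed from the configuration quoted in the post.
ISTGT_CONF = """
[InitiatorGroup1]
    InitiatorName "iqn.2011-07.san:virtual175"
    Netmask 192.168.1.0/24
[LogicalUnit1]
    TargetName backup01
    Mapping PortalGroup1 InitiatorGroup1
    AuthGroup AuthGroup1
"""
AUTH_CONF = """
[AuthGroup1]
    Auth "iqn.2011-07.san:virtual175" "between12and16"
"""

def parse(text):
    """Parse '[Section]' / 'Key arg ...' lines into {section: [(key, args)]}."""
    sections, cur = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # drops '#' comments, honours quotes
        if tokens and tokens[0].startswith("["):
            cur = sections.setdefault(tokens[0].strip("[]"), [])
        elif tokens and cur is not None:
            cur.append((tokens[0], tokens[1:]))
    return sections

def values(items, key):
    return [args for k, args in items if k == key]

def admits(group, iqn, addr):
    """Assumed rule: iqn equals an InitiatorName (or "ALL") and addr is in a Netmask."""
    names = [a[0] for a in values(group, "InitiatorName")]
    nets = [a[0] for a in values(group, "Netmask")]
    in_net = any(n == "ALL" or ipaddress.ip_address(addr) in
                 ipaddress.ip_network(n, strict=False) for n in nets)
    return ("ALL" in names or iqn in names) and in_net

def report(conf_text, auth_text, iqn, addr):
    """Per target: (initiator admitted?, CHAP user names accepted)."""
    conf, auth, out = parse(conf_text), parse(auth_text), {}
    for lu in (v for k, v in conf.items() if k.startswith("LogicalUnit")):
        groups = [conf.get(m[1], []) for m in values(lu, "Mapping")]
        users = [a[0] for g in values(lu, "AuthGroup")
                 for a in values(auth.get(g[0], []), "Auth")]
        out[values(lu, "TargetName")[0][0]] = (
            any(admits(g, iqn, addr) for g in groups), users)
    return out
```

Calling `report` with the IQN the initiator actually presents (on open-iscsi, the value in /etc/iscsi/initiatorname.iscsi) and its source address separates the two checks: the InitiatorGroup match on the initiator name, and the CHAP user name from the AuthGroup.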

More information about the freebsd-stable mailing list