[SOLVED] User couldn't be authenticated - Sunstone


I have a problem with Sunstone authentication. When an user try authenticate in Sunstone, occurs this error:

OpenNebula is not running or there was a server exception. Please check the server logs

In oned.log have:
Wed May 8 03:01:58 2019 [Z0][ReM][D]: Req:4560 UID:0 one.user.info invoked , -1
Wed May 8 03:01:58 2019 [Z0][ReM][D]: Req:4560 UID:0 one.user.info result SUCCESS, “0<GID…”
Wed May 8 03:01:58 2019 [Z0][ReM][D]: Req:2112 UID:-1 one.user.info invoked , -1
Wed May 8 03:01:58 2019 [Z0][ReM][E]: Req:2112 UID:- one.user.info result FAILURE
[one.user.info] User couldn’t be authenticated, aborting call.

I’ve already checked it the credential of serveradmin user in files stored in /var/lib/one/.one/ and comparated with database information:

# oneuser show 1
ID              : 1
NAME            : serveradmin
GROUP           : oneadmin
PASSWORD        : xxxxd5b02cb1c3b9d39a2dad7aab5b7f733exxxx
AUTH_DRIVER     : core
ENABLED         : Yes

# cat /var/lib/one/.one/sunstone_auth

# echo -n "<sanitized_pass>" | sha1sum

It was working perfectly, and I suspect that the problem may have occurred after an “oneuser chauth” command.
In command line, one* commands working perfectly.
I’ve already tried restore user_pool table and restart opennebula and opennebula-sunstone services, but the problem persist.

I using Opennebula 5.6.2. Can anyone help-me please??

Hello @gbernardes

Try the following:

  • cat /var/lib/one/.one/sunstone_auth this is serveradmin:password
  • oneuser passwd serveradmin password --sha1
  • Restart opennebula.
  • Restart sunstone.

Hi @ahuertas.

I tried:
# cat /var/lib/one/.one/sunstone_auth
# oneuser passwd serveradmin --password-- --sha1
# systemctl restart opennebula
# systemctl restart opennebula-sunstone

But the same error persists. Do you have any other ideas? Is there any way to get more information (debug level is already in 3)?

Is the PASSWORD field of oneuser show serveradmin the same as the sha1 of the password in the sunstone_auh?


Yes. See:

# oneuser show 1
ID              : 1
NAME            : serveradmin
GROUP           : oneadmin
PASSWORD        : xxxxd5b02cb1c3b9d39a2dad7aab5b7f733exxxx
AUTH_DRIVER     : core
ENABLED         : Yes

# echo -n "=password=" | sha1sum

Hi @ahuertas and others ,
Seeing here, the error is generated by line 272 of the file sunstone_server.rb. So the check that fails is line 270. How to know exactly what failed?
Any have ideas or suggestions?

265: client  = $cloud_auth.client(result, session[:active_zone_endpoint])
266: user_id = OpenNebula::User::SELF
268:  user    = OpenNebula::User.new_with_id(user_id, client)
269:  rc = user.info
270:  if OpenNebula.is_error?(rc)
271:       logger.error { rc.message }
272:       return [500, ""]  <=== This is the return
273:  end

It’s seems that the password is wrong.

Try the following (don’t do it in production environment):

  • Backup your database and /var/lib/one/.one.
  • Remove your database and the content of .one folder.
  • Restart everything again.

Does it work?


I’m using MySQL database. In this case, I should create a empty database for this test?

Yes, drop the current one and create an empty one.

1 Like


Yes, with a empty DB and removed .one files was possbile to login. How do fix the production?

The problem was solved! :grinning:

I did this:

  • Copied the value of field ‘body’ of table user_pool of serveradmin user in test database;
    testDB: mysql> SELECT body FROM user_pool where uid=‘1’
  • Updated in production DB the field ‘body’ of table user_pool of serveradmin;
    productionDB: mysql> UPDATE user_pool set body=’<USER><ID>1…</TEMPLATE>
    </USER>’ WHERE uid=‘1’;
  • Copied file sunstone_auth of test for production.
    # cp /var/lib/one/.one-test/sunstone_auth /var/lib/one/.one/sunstone_auth

@ahuertas Many thanks for your help and cooperation!

That was the solution I was going to give you, nice to hear the problem is solved!

1 Like

I have the same problem but I am making use of SqLite. How do I go about it?

so the summary of this is that the commands don’t really work, correct?
they just don’t properly update the value in the database, and the user is then left alone to edit the xml themselves.

  • so first the ONE UI doesn’t work
  • then there is actually NO WAY at all to fix this using the ONE cli, although all the commands exist. They just don’t work.
  • then we leave the most dangerous task to the user
  • and just to make it really clear we don’t care, the whole thing requires a downtime of the cloud controller where no failed VM could be restarted
  • and, to make it more fun, we have caching that interferes with password changes

And an issue like that is existing since like 7 years, and all we do is write howtos how to squeeze the XML out of the database and then manually fix it (but of course no DTD to even validate, and of course no single howto shows the steps in clear with a password and it’s SHA1 hash.

If I ever find any hope again i’ll just open an issue in the bugtracker because this is so sad.
and then i’d ask you to upvote is so no more people in the future need to waste time just because the commands here do things and then don’t actually do them.

What command or Sunstone dialog is not working?

Extra care needs to be taken at the time of changing the password of oneadmin and serveradmin. If you change the password of oneadmin but do not update the auth file for the CLI, you just locked yourself out of the system (using the CLI at least).

These changes (again, admin credentials, not regular users) have some nuances (explained here: http://docs.opennebula.org/5.10/operation/users_groups_management/manage_users.html#change-credentials-for-oneadmin-or-serveradmin)