Hi Brian,

On Sat, 2017-02-25 at 11:11 -0800, Brian Andrus wrote:
> Hopefully this is the right place to ask.
>
> I am trying to set up an iscsi target that can be connected to by more
> than one client.
>
> I am able to connect from the first client, but the second one shows:
> iscsiadm: initiator reported error (24 - iSCSI login failed due to
> authorization failure)

The authorization failure means the initiator IQN that is connecting
doesn't have any NodeACLs configured for the target IQN, and the target
IQN is not running in demo-mode (eg: generate_node_acls=0 +
cached_dynamic_acls=0).

>
> # cat /etc/iscsi/initiatorname.iscsi
> InitiatorName=InitiatorName=iqn.2017-01.net.firstspot.he:node02
>
> On the target system, I have:
>
> # targetcli ls
> o- / ................................................................. [...]
>   o- backstores ...................................................... [...]
>   | o- block .......................................... [Storage Objects: 1]
>   | | o- ZFS ...................... [/dev/zd0 (2.0TiB) write-thru activated]
>   | o- fileio ......................................... [Storage Objects: 0]
>   | o- pscsi .......................................... [Storage Objects: 0]
>   | o- ramdisk ........................................ [Storage Objects: 0]
>   o- iscsi .................................................... [Targets: 1]
>   | o- iqn.2017-01.net.firstspot.borg01:disk1 .................... [TPGs: 1]
>   |   o- tpg1 ....................................... [no-gen-acls, no-auth]
>   |     o- acls .................................................. [ACLs: 2]
>   |     | o- iqn.2017-01.net.firstspot.he:node01 .......... [Mapped LUNs: 1]
>   |     | | o- mapped_lun0 ........................... [lun0 block/ZFS (rw)]
>   |     | o- iqn.2017-01.net.firstspot.he:node02 .......... [Mapped LUNs: 1]
>   |     |   o- mapped_lun0 ........................... [lun0 block/ZFS (rw)]
>   |     o- luns .................................................. [LUNs: 1]
>   |     | o- lun0 ................................... [block/ZFS (/dev/zd0)]
>   |     o- portals ............................................ [Portals: 1]
>   |       o- 0.0.0.0:3260 ............................................. [OK]
>   o- loopback ................................................. [Targets: 0]
>
> # tail /var/log/messages
> Feb 25 10:46:39 borg01 kernel: iSCSI Initiator Node: initiatorname=iqn.2017-01.net.firstspot.he:node02 is not authorized to access iSCSI target portal group: 1.
> Feb 25 10:46:39 borg01 kernel: iSCSI Login negotiation failed.
>
> My confusion is the initiatorname looks to be appropriate. It matches
> what the client has.
> Is there something more that needs set? This is CentOS 7.3
>

Strange, I see the confusion now.
The targetcli output for the second NodeACL does seem to match the dmesg
error..?

What does your /sys/kernel/config/target/iscsi/$TARGET_IQN/tpgt_1/acls/
look like..?

Does "iqn.2017-01.net.firstspot.he:node02" exist as a directory in the
underlying configfs..?
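
The configfs check asked for above can be scripted. The following is an added example, not part of the original message or of the LIO project: `check_node_acl` and `make_sample_tpg` are hypothetical helper names, and the IQNs and directory tree are constructed stand-ins so the script runs without a real target. On a real target, TPG_DIR would be /sys/kernel/config/target/iscsi/$TARGET_IQN/tpgt_1.

```shell
#!/bin/sh
# check_node_acl TPG_DIR INITIATOR_NAME
# Prints one verdict line; returns 0 when the name passes the ACL check.
check_node_acl() {
    tpg=$1
    name=$2
    [ -n "$name" ] || { echo "usage: check_node_acl TPG_DIR NAME"; return 2; }
    [ -d "$tpg/acls" ] || { echo "no-tpg: $tpg/acls not found"; return 2; }

    # Each NodeACL is a directory named exactly after the initiator.
    if [ -d "$tpg/acls/$name" ]; then
        echo "acl-present: $name"
        return 0
    fi

    # Demo mode admits initiators that have no explicit NodeACL.
    gen=$(cat "$tpg/attrib/generate_node_acls" 2>/dev/null || echo 0)
    if [ "$gen" = "1" ]; then
        echo "demo-mode: generate_node_acls=1, no explicit ACL for $name"
        return 0
    fi

    # Near miss: an ACL equal to the name apart from case or extra text.
    lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    for d in "$tpg"/acls/*/; do
        [ -d "$d" ] || continue
        acl=$(basename "$d")
        lacl=$(printf '%s' "$acl" | tr 'A-Z' 'a-z')
        case $lname in
            *"$lacl"*) echo "near-miss: ACL '$acl' vs '$name'"; return 1 ;;
        esac
    done
    echo "acl-missing: $name"
    return 1
}

# Constructed stand-in for the configfs tree (hypothetical IQNs).
make_sample_tpg() {
    root=$(mktemp -d)
    tpg="$root/target/iscsi/iqn.2017-01.com.example:disk1/tpgt_1"
    mkdir -p "$tpg/attrib" "$tpg/acls/iqn.2017-01.com.example:node01" \
        "$tpg/acls/iqn.2017-01.com.example:node02"
    echo 0 > "$tpg/attrib/generate_node_acls"
    echo "$tpg"
}
```

A near-miss verdict means an ACL exists but the name string handed to the check is not byte-for-byte the ACL directory name.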