On Thu, Apr 22, 2021 at 5:04 PM Cem Zafer <cemzafer(a)gmail.com> wrote:
Hi Ilya,
Yes you are correct, I have set auth_allow_insecure_global_id_reclaim to false.
Host ceph-common package version is 16.2.0 and the cluster ceph -v output is as follows.
root@ceph100:~# ceph -v
ceph version 16.2.1 (afb9061ab4117f798c858c741efa6390e48ccf10) pacific (stable)
Regards.
Right, so because you set auth_allow_insecure_global_id_reclaim to false,
older userspace clients, in this case 16.2.0, are not allowed to connect
because they won't reclaim their global_id in a secure fashion. See
https://docs.ceph.com/en/latest/security/CVE-2021-20288/
for details.
Thanks,
Ilya
>
> On Thu, Apr 22, 2021 at 4:49 PM Ilya Dryomov <idryomov(a)gmail.com> wrote:
>>
>> On Thu, Apr 22, 2021 at 3:24 PM Cem Zafer <cemzafer(a)gmail.com> wrote:
>> >
>> > Hi,
>> > I have recently add a new host to ceph and copied /etc/ceph directory to
>> > the new host. When I execute the simple ceph command as "ceph -s",
get the
>> > following error.
>> >
>> > 021-04-22T14:50:46.226+0300 7ff541141700 -1 monclient(hunting):
>> > handle_auth_bad_method server allowed_methods [2] but i only support [2]
>> > 2021-04-22T14:50:46.226+0300 7ff540940700 -1 monclient(hunting):
>> > handle_auth_bad_method server allowed_methods [2] but i only support [2]
>> > 2021-04-22T14:50:46.226+0300 7ff533fff700 -1 monclient(hunting):
>> > handle_auth_bad_method server allowed_methods [2] but i only support [2]
>> > [errno 13] RADOS permission denied (error connecting to the cluster)
>> >
>> > When I looked at the syslog on the ceph cluster node, I saw that message
>> > too.
>> >
>> > Apr 22 14:51:40 ceph100 bash[27979]: debug 2021-04-22T11:51:40.684+0000
>> > 7fe4d28cb700 0 cephx server client.admin: attempt to reclaim global_id
>> > 264198 without presenting ticket
>> > Apr 22 14:51:40 ceph100 bash[27979]: debug 2021-04-22T11:51:40.684+0000
>> > 7fe4d28cb700 0 cephx server client.admin: could not verify old ticket
>> >
>> > Anyone can help me out or assist to the right direction or link?
>>
>> Hi Cem,
>>
>> I take it that you upgraded to one of 14.2.20, 15.2.11 or 16.2.1
>> releases and then set auth_allow_insecure_global_id_reclaim to false?
>>
>> What version of ceph-common package is installed on that host? What is
>> the output of "ceph -v"?
>>
>> Thanks,
>>
>> Ilya