ProLiant Servers (ML,DL,SL)
1745918 Members
4537 Online
108723 Solutions
New Discussion юеВ

Re: Lan access to IPMI 2.0 on DL145GL2

 
Edouard Bourguignon
Occasional Contributor

Lan access to IPMI 2.0 on DL145GL2

After upgrading the Lights-Out 100i Remote Management firmware to 1.21, the admin user accessing the IPMI via the LAN channel is restricted to USER privilege.

# ipmitool -I lanplus -H 192.168.111.224 -L
Administrator -U admin -P admin session info active
session handle : 2
slot count : 4
active sessions : 1
user id : 3
privilege level : USER
session type : IPMIv2/RMCP+
channel number : 0x02
console ip : 192.168.111.220
console mac : 00:00:00:00:00:00
console port : 32775

How to proceed for enabling admin users to get an Administrator privilege on the IPMI LAN Channel? Is it possible to downgrade??

Thanks
4 REPLIES 4
The Spartan
Trusted Contributor

Re: Lan access to IPMI 2.0 on DL145GL2

Hi,

Did check in hp.com site - there is no previous version of fmware. Seems you shall not be able to downgrade the firmware.

Since you are now able to access as a User, what are the priveleges you are missing.

Raghav
If you are keen to win, you should be willing to lose.
Edouard Bourguignon
Occasional Contributor

Re: Lan access to IPMI 2.0 on DL145GL2

The privilege we are missing is the control of the chassis power. We need to remotely shuting down or powering up our servers and the USER privilege level has not this permission. It's ok since users shouldn't be able to do this, but admin users should have this ability even if they are accessing the IPMI via the LAN channel.
So how can we set an unrestricted access on this channel?

Brian_Murdoch
Honored Contributor

Re: Lan access to IPMI 2.0 on DL145GL2

Hi,

I don't know if LO-100i firmware 1.22 will resolve this but it is available at the DL145 download link. You may also need later system BIOS together with the LO-100i firmware. V2.14 is available here too.
http://h18023.www1.hp.com/support/files/server/us/locate/69_6155.html#8

Regards,

Brian
Brian_Murdoch
Honored Contributor

Re: Lan access to IPMI 2.0 on DL145GL2

Edouard,

I think the problem lies with the local admin account which is set by default to user priviledge. This must have been reset back to default by the firmware update.

If you run ipmitool on the DL145 G2 locally you can list the current settings and change them. I took the following information from a document on this for the DL145 G1.

I hope this helps.

Brian

Configuring accounts locally with ipmitool

After installing ipmitool and OpenIPMI with the ipmi files loaded and the character device file created, ipmitool can be used to configure accounts. The first step is to find out what accounts exist on the interface. This task can be accomplished by issuing the following command:

ipmitool -I open userinfo list 2

where 2 is the channel number that the IPMI interface is set to in the RBSU. This command should list the user accounts currently configured on the interface. By default, it should come up with three: , Operator, and admin. All three accounts have user level access and only the admin account is enabled. TAKE NOTE OF THE USER IDs ASSOCIATED WITH EACH ACCOUNT - THE USER IDs WILL BE NEEDED FOR CONFIGURING THE ACCOUNTS. For the purpose of this article, the null user account it is 1, the Operator user account is id 2 and the admin account is id 3.

To set the admin account with administrator priveleges, issue the following command:

ipmitool -I open channel setaccess 2 3 privilege=4 (assuming the IPMI interface is on channel 2)

To set the operator account with operator privileges, issue the following command:

ipmitool -I open channel setaccess 2 2 privilege=3 (assuming the IPMI interface is on channel 2)

To enable the null user account, issue the following command:

ipmitool -I open user enable 1 2 (assuming the IPMI interface is on channel 2)

To enable the operator account, issue the following command:

ipmitool -I open user enable 2 2 (assuming the IPMI interface is on channel 2)