[Serusers] Registration - 401 Unauthorized

Jan Janak jan at iptel.org
Mon Mar 17 14:05:58 CET 2003


Now I realized that you are using a CVS snapshot. Please download the latest
CVS snapshot and try again. If it still doesn't work, enable debugging in
the config script and send me your ser log. It should contain some
information on the unsuccessful authentication attempt.

Clients are supposed to retry with proper credentials if they receive a
401.

Digest authentication works like this:
1) Phone sends a REGISTER without digest credentials
2) SER replies with 401 and includes digest challenge in the reply
3) Phone asks for username/password (if not preconfigured)
4) Phone sends another REGISTER containing digest credentials
5) SER sends 200 OK if the credentials are correct, otherwise it sends
   401 again

     regards, Jan.

On 17-03 14:02, Anton Yurchenko wrote:
> Jan Janak wrote:
> 
> >Hello,
> >
> >according to your config file, auth_realm1 should be set to phila.dg and
> >not to dg, try to change it.
> > 
> >
> I changed this, as you may see from dump of mysql db, I have a row in
> subscriber table that has user phila1 and realm phila.dg, but this
> produces the same results. I turned on the logging for mysql queries but
> I see no request made to the database. The database is up of course, and
> the logging is functioning properly.
> Is the 401 reply a valid one? Should the phone reply to it in the normal
> circumstances?  And the request to ser from phone does not carry any
> username/passwd info. Is this normal?
> I tried using sipsak for this:
> 
> sipsak -a phila1 -s sip:phila1@phila.dg
> 
> but that produces the same response.
> 
> > Jan.
> >
> >On 14-03 10:28, Anton Yurchenko wrote:
> > 
> >
> >>Jan Janak wrote:
> >>
> >>   
> >>
> >>>Hello,
> >>>
> >>>first check that you have configured your phone with correct username
> >>>and password. Also uncomment all the modparams in the default config
> >>>script that are related to auth module.
> >>>
> >>>If it still doesn't work, make sure that requests coming from your phone
> >>>contain digest credentials. If still doesn't work and you are sure that
> >>>you have configured your phone properly, create message dumps using
> >>>ngrep utility and send them to us along with your configuration script
> >>>and ser log files.
> >>>
> >>>
> >>>     
> >>>
> >>>The SUBSCRIBE is probably an attempt of your phone to subscribe to
> >>>presence of some user, but I cannot say that for sure without seeing the
> >>>whole SUBSCRIBE message.
> >>>
> >>>
> >>>     
> >>>
> >>you are right this is for mailbox :)
> >>
> >>here is my setup:
> >>
> >>
> >>on the phone I have set up:
> >>
> >>user_name1:  phila
> >>
> >>auth_realm1: dg
> >>auth_user1:  phila
> >>auth_pass1:  phila
> >>
> >>
> >>host 172.20.0.50 is running ser. Phone is 172.20.0.199
> >>
> >>also attached is the dump in tcpdump binary format of the registration
> >>process (sorry, I don't have ngrep)
> >>and I don't see anything in ser logfile (it writes to /var/log/messages).
> >>
> >>
> >>-----------------------------------------------------------------------------
> >>ser.cfg
> >>-----------------------------------------------------------------------------
> >>
> >>#
> >># $Id: ser.cfg,v 1.12 2002/10/21 02:40:06 jiri Exp $
> >>#
> >># simple quick-start config script
> >>#
> >>
> >># ----------- global configuration parameters ------------------------
> >>
> >>debug=9          # debug level (cmd line: -dddddddddd)
> >>fork=yes
> >>log_stderror=no	# (cmd line: -E)
> >>check_via=no	# (cmd. line: -v)
> >>dns=no           # (cmd. line: -r)
> >>rev_dns=no      # (cmd. line: -R)
> >>port=5060
> >>children=1
> >>fifo="/tmp/ser_fifo"
> >>sip_warning=yes
> >>
> >># ------------------ module loading ----------------------------------
> >>
> >># Uncomment this if you want to use SQL database
> >>loadmodule "/usr/lib/ser/modules/mysql.so"
> >>
> >>loadmodule "/usr/lib/ser/modules/sl.so"
> >>loadmodule "/usr/lib/ser/modules/tm.so"
> >>loadmodule "/usr/lib/ser/modules/rr.so"
> >>loadmodule "/usr/lib/ser/modules/maxfwd.so"
> >>loadmodule "/usr/lib/ser/modules/usrloc.so"
> >>loadmodule "/usr/lib/ser/modules/registrar.so"
> >>
> >># Uncomment this if you want digest authentication
> >># mysql.so must be loaded !
> >>
> >>loadmodule "/usr/lib/ser/modules/auth.so"
> >>loadmodule "/usr/lib/ser/modules/auth_db.so"
> >>
> >># ----------------- setting module-specific parameters ---------------
> >>
> >># -- usrloc params --
> >>
> >># modparam("usrloc", "db_mode",   0)
> >>
> >># Uncomment this if you want to use SQL database 
> >># for persistent storage and comment the previous line
> >>
> >>modparam("usrloc", "db_mode", 2)
> >>
> >>modparam("usrloc", "db_url", "sql://serro:47serro11@localhost/ser")
> >>
> >># -- auth params --
> >># Uncomment if you are using auth module
> >>#
> >># modparam("auth", "secret", "12036dabde659847dd9e")
> >>modparam("auth_db", "calculate_ha1", true)
> >>#
> >># If you set "calculate_ha1" parameter to yes (which true in this config),
> >># uncomment also the following parameter)
> >>#
> >>modparam("auth_db", "password_column", "password")
> >>
> >>modparam("auth_db", "db_url", "sql://ser:heslo@localhost/ser")
> >>
> >>
> >># -------------------------  request routing logic -------------------
> >>
> >># main routing logic
> >>
> >>alias="dg"
> >>alias="phila.dg"
> >>
> >>
> >>route{
> >>
> >>	# initial sanity checks -- messages with
> >>	# max_forwars==0, or excessively long requests
> >>	if (!mf_process_maxfwd_header("10")) {
> >>		sl_send_reply("483","Too Many Hops");
> >>		break;
> >>	};
> >>	if (len_gt( max_len )) {
> >>		sl_send_reply("513", "Message too big");
> >>		break;
> >>	};
> >>
> >>	# Do strict routing if pre-loaded route headers present
> >>	# rewriteFromRoute();
> >>
> >>	# if the request is for other domain use UsrLoc
> >>	# (in case, it does not work, use the following command
> >>	# with proper names and addresses in it)
> >>	if (uri==myself) {
> >>
> >>		if (method=="REGISTER") {
> >>
> >># Uncomment this if you want to use digest authentication
> >>			if (!www_authorize("phila.dg", "subscriber")) {
> >>				www_challenge("phila.dg", "0");
> >>				break;
> >>			};
> >>
> >>			log("REGISTER");
> >>			save("location");
> >>			sl_send_reply("200", "ok");
> >>			break;
> >>		};
> >>
> >>		# native SIP destinations are handled using our USRLOC DB
> >>		if (!lookup("location")) {
> >>			sl_send_reply("404", "Not Found");
> >>			break;
> >>		};
> >>	};
> >>	if (uri=~"^sip:9[0-9]*@dg") {
> >>	    strip(1);
> >>	    t_relay_to( "172.20.0.50", "5080" );
> >>	    };
> >>	     
> >>	# forward to current uri now
> >>	if (!t_relay()) {
> >>		sl_reply_error();
> >>	};
> >>
> >>}
> >>
> >>
> >>
> >>-----------------------------------------------------------------------------
> >>
> >>
> >>-----------------------------------------------------------------------------
> >>Here is the dump from mysql table subscriber
> >>-----------------------------------------------------------------------------
> >>
> >>+----------------------------------+---------+----------+------------+-----------+-------+-------------------+---------------------+---------------------+------------------------------------------+------+------------------+----------+----------------------------------+-----------+----------------------------------+-------+------------+----------+
> >>| phplib_id                        | USER_ID | PASSWORD | FIRST_NAME | LAST_NAME | PHONE | EMAIL_ADDRESS     | DATETIME_CREATED    | DATETIME_MODIFIED   | confirmation                             | flag | SendNotification | Greeting | HA1                              | REALM     | ha1b                             | perms | allow_find | timezone |
> >>+----------------------------------+---------+----------+------------+-----------+-------+-------------------+---------------------+---------------------+------------------------------------------+------+------------------+----------+----------------------------------+-----------+----------------------------------+-------+------------+----------+
> >>| 65e397cda0aa8e3202ea22cbd350e4e9 | admin   | heslo    | Initial    | Admin     | 123   | root at localhost | 2002-09-04 19:37:45 | 0000-00-00 00:00:00 | 57DaSIPuCm52UNe54LF545750cfdL48OMZfroM53 | o    |                  |          | 0239482f19d262f3953186a725a6f53b | iptel.org | a84e8abaa7e83d1b45c75ab15b90c320 | admin | 0          | NULL     |
> >>| 283c82693efac3f935093920a6516b7a | phila   | phila    |            |           |       | phila at dg       | 2003-03-13 15:36:23 | 0000-00-00 00:00:00 |                                          | o    |                  |          | 283c82693efac3f935093920a6516b7a | dg        | 6019db526487612c357fcfc459556875 | NULL  | 0          | NULL     |
> >>| 9c4c3a3872dad018337a7ab9a71c166b | phila1  | phila1   |            |           |       | phila at phila.dg | 2003-03-13 15:39:17 | 0000-00-00 00:00:00 |                                          | o    |                  |          | 9c4c3a3872dad018337a7ab9a71c166b | phila.dg  | b31cc4b515b1297413463d94f1bd82f4 | NULL  | 0          | NULL     |
> >>+----------------------------------+---------+----------+------------+-----------+-------+-------------------+---------------------+---------------------+------------------------------------------+------+------------------+----------+----------------------------------+-----------+----------------------------------+-------+------------+----------+
> >>
> >>
> >>-----------------------------------------------------------------------------
> >>
> >>
> >>
> >>
> >>
> >>
> >>   
> >>
> >>>Jan.
> >>>
> >>>On 13-03 18:02, Anton Yurchenko wrote:
> >>>
> >>>
> >>>     
> >>>
> >>>>Hello,
> >>>>
> >>>>I've downloaded today's cvs and installed it, now, I am trying to
> >>>>register my SIP phone ( Snom 100 ), with it and authorize it.
> >>>>The phone sends a REGISTER and the ser sends it a 401 Unauthorized.
> >>>>
> >>>>-----------
> >>>>0.000000 172.20.0.199 -> 172.20.0.50  SIP Request: SUBSCRIBE sip:phila@phila.dg
> >>>>0.002626  172.20.0.50 -> 172.20.0.199 SIP Status: 404 Not Found
> >>>>0.038876 172.20.0.199 -> 172.20.0.50  SIP Request: REGISTER sip:phila.dg
> >>>>0.042129  172.20.0.50 -> 172.20.0.199 SIP Status: 401 Unauthorized
> >>>>
> >>>>-------------
> >>>>
> >>>>I've added the user to the mysql database and, am using the
> >>>>configuration included in the example ser.cfg ( I've uncommented the 4
> >>>>lines).
> >>>>---------------------------
> >>>># Uncomment this if you want to use digest authentication
> >>>>			if (!www_authorize("dg", "subscriber")) {
> >>>>				www_challenge("dg", "0");
> >>>>				break;
> >>>>			};
> >>>>---------------------------
> >>>>
> >>>>it seems that the www_challenge sends this message.
> >>>>
> >>>>How to fix this? And what is the SUBSCRIBE request?
> >>>>
> >>>>
> >>>>Thanks a lot,
> >>>>
> >>>>-- 
> >>>>
> >>>>Anton Yurchenko<phila at dg.net.ua>
> >>>>Digital Generation
> >>>>
> >>>>_______________________________________________
> >>>>Serusers mailing list
> >>>>serusers at lists.iptel.org
> >>>>http://lists.iptel.org/mailman/listinfo/seruser
> >>>>
> >>-- 
> >>
> >>Anton Yurchenko<phila at dg.net.ua>
> >>Digital Generation
> >>
> >>   
> >>
> >
> >
> > 
> >
> 
> 
> -- 
> 
> Anton Yurchenko<phila at dg.net.ua>
> Digital Generation
> 
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20030317/a52e954e/attachment.pgp>
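
The five-step digest exchange listed at the top of this message, as an added Python example (not part of the original thread and not SER code). `ToyRegistrar` and `phone_register` are hypothetical names, the subscriber data is constructed, and two things are assumed: the challenge carries no qop, and the phone answers with the realm it was configured with. It shows why credentials set up for realm `dg` keep getting 401 from a server that challenges for `phila.dg`.

```python
import hashlib, hmac, re, secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def fields(header):
    """Parse name="value" pairs out of a Digest header value."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))

def digest_response(user, realm, password, nonce, method, uri):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # the realm is part of HA1
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class ToyRegistrar:
    """Steps 2 and 5. Hypothetical stand-in for the server, not SER code."""
    def __init__(self, realm, subscribers):
        self.realm = realm
        self.subscribers = subscribers   # {(user, realm): password}, constructed
        self.nonces = set()              # nonces issued and not yet used

    def register(self, uri, authorization=None):
        """Return (status, WWW-Authenticate value or None)."""
        f = fields(authorization or "")
        password = self.subscribers.get((f.get("username"), f.get("realm")))
        if password and f["realm"] == self.realm and f.get("nonce") in self.nonces:
            self.nonces.discard(f["nonce"])          # each nonce is single-use
            expected = digest_response(f["username"], self.realm, password,
                                       f["nonce"], "REGISTER", uri)
            if hmac.compare_digest(expected.encode(), f.get("response", "").encode()):
                return 200, None
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return 401, f'Digest realm="{self.realm}", nonce="{nonce}"'

def phone_register(server, uri, user, password, realm):
    """Steps 1 and 4; returns the status codes the phone received."""
    status, challenge = server.register(uri)         # step 1: no credentials
    seen = [status]
    if status == 401:
        nonce = fields(challenge)["nonce"]
        resp = digest_response(user, realm, password, nonce, "REGISTER", uri)
        auth = (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
                f'uri="{uri}", response="{resp}"')
        seen.append(server.register(uri, auth)[0])   # step 4: with credentials
    return seen
```

With matching realm and password the sequence is 401 then 200; with a different realm or a wrong password it is 401 twice, which is the retry loop described in step 5.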

