High Availability Synchronization Fails with "-internaluserlogin disabled" Command
Article ID: CTX214822
Updated On:
Description
When internaluserlogin is disabled on a NetScaler high availability configuration then high availability sync authentication is performed using SSH key. In case SSH keys is not configured then refer to CTX140432 - NetScaler High Availability File Sync Fails When "internaluserlogin" is Disabled to enable internaluserlogin option. If SSH key is configured then continue reading this article.
- The following setting is present in ns.conf: set ns param -internaluserlogin DISABLED
- Potential error messages in ns.log: In start_ldap_auth: For user nsroot, Null password check failed in ldap authentication
- Potential error messages in /var/log/nsfsyncd.log:
rsync error: unexplained error (code 255)
This issue affects all builds/versions of NetScaler.
Resolution
On Both HA nodes, verify the permissions of the following directories (permissions must match EXACTLY)
/flash: drwxr-xr-x
/flash/nsconfig: drwxr-xr-x
/flash/nsconfig/ssh: drwxr-xr-x
On both HA Nodes, verify the permissions and existence of the following files (permissions must match EXACTLY):
/flash/nsconfig/ssh/authorized_keys: -rw-r--r--
/flash/nsconfig/ssh/ns_comm_key: -rw-------
/flash/nsconfig/ssh/ns_comm_key.pub: -rw-r--r--
If any of the above files or permissions are incorrect, resolve them using the following procedure:
Be sure to type these commands exactly. Some of the filenames involved contain and/or begin with a period (.). This is not a typo.
On the HA Primary (from the CLI):
- shell
- cd /root/.ssh
- ssh-keygen -t rsa -f ns_comm_key
- When prompted for a passphrase, press ENTER twice (to indicate a blank passphrase). Passphrases are not supported for this function within Netscaler
- cp ns_comm_key /nsconfig/ssh
- cp ns_comm_key.pub /nsconfig/ssh
- cd /nsconfig/ssh
- cp ns_comm_key.pub authorized_keys
- chmod 755 /flash
- chmod 755 /flash/nsconfig
- chmod 755 /flash/nsconfig/ssh
- chmod 644 /flash/nsconfig/ssh/authorized_keys
- chmod 600 /flash/nsconfig/ssh/ns_comm_key
- chmod 644 /flash/nsconfig/ssh/ns_comm_key.pub
- For the following 3 commands, replace {secondaryNSIP} with the NSIP address of the HA secondary. You will be prompted for the nsroot password after each command.
- scp authorized_keys nsroot@{secondaryNSIP}:/flash/nsconfig/ssh
- scp ns_comm_key nsroot@{secondaryNSIP}:/flash/nsconfig/ssh
- scp ns_comm_key.pub nsroot@{secondaryNSIP}:/flash/nsconfig/ssh
- The following command will restart the sshd daemon (it will NOT reboot the Netscaler), to make the changes take effect. Quotes in this command are actually the single back-quote character (keyboard location varies). Do NOT use regular single quotes (apostrophe) for this command:
On the HA Secondary:
- shell
- chmod 755 /flash
- chmod 755 /flash/nsconfig
- chmod 755 /flash/nsconfig/ssh
- chmod 644 /flash/nsconfig/ssh/authorized_keys
- chmod 600 /flash/nsconfig/ssh/ns_comm_key
- chmod 644 /flash/nsconfig/ssh/ns_comm_key.pub
- The following command will restart the sshd daemon (it will NOT reboot the Netscaler), to make the changes take effect. Quotes in this command are actually the single back-quote character (keyboard location varies). Do NOT use regular single quotes (apostrophe) for this command:
Back on the HA Primary:
- exit (to return back to the cli)
- force HA sync
- Wait about 30 seconds
- show ha node
- Confirm that Synchronization status now shows SUCCESS
Problem Cause
The following configuration setting configures the NetScaler to utilize public/private key authentication for HA synchronization, in lieu of normal RPCNode passwords
set ns param -internaluserlogin DISABLED.
Issue/Introduction
Additional Information
Citrix Documentation - Configuring Synchronization
