<div dir="ltr"><div>I have found some steps to reproduce this easily.<br><br></div><div>Start the engine bound to an AD for authentication<br></div><div>log in to the user portal as an AD user which has been granted a Role (I used PowerUserRole)<br>
</div><div><br></div><div>Result: Login will succeed<br></div><div>Data from engine.log: <br></div><div>2013-08-06 15:54:10,088 INFO [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-10) Running command: LoginUserCommand internal: false.<br>
2013-08-06 15:54:10,139 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-10) Correlation ID: 23c4709, Call Stack: null, Custom Event ID: -1, Message: User ovirttest logged in.<br>
<br></div><div>log out of the user portal<br>Result: log out succeeds<br>Data from engine.log: <br>2013-08-06 15:54:12,448 INFO [org.ovirt.engine.core.bll.LogoutUserCommand] (ajp--127.0.0.1-8702-2) Running command: LogoutUserCommand internal: false.<br>
2013-08-06 15:54:12,474 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: 52a89e7d, Call Stack: null, Custom Event ID: -1, Message: User ovirttest logged out.<br>
<br></div><div>As the same user, log in to the user portal again but this time purposely input the wrong password.<br></div><div>Result: log in will fail<br>Data from engine.log:<br></div><div>2013-08-06 15:54:20,830 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication information was invalid (24)<br>
2013-08-06 15:54:20,832 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the username and password.<br>2013-08-06 15:54:20,843 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-7) Failed ldap search server LDAP://<a href="http://foodc02.foo.test.com:389">foodc02.foo.test.com:389</a> using user <a href="mailto:ovirttest@FOO.TEST.COM">ovirttest@FOO.TEST.COM</a> due to Authentication Failed. Please verify the username and password.. We should not try the next server<br>
2013-08-06 15:54:20,850 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication information was invalid (24)<br>2013-08-06 15:54:20,851 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the username and password.<br>
</div><div>2013-08-06 15:54:20,852 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-7) Failed ldap search server LDAP://<a href="http://foodc01.foo.test.com:389">foodc01.foo.test.com:389</a> using user <a href="mailto:ovirttest@FOO.TEST.COM">ovirttest@FOO.TEST.COM</a> due to Authentication Failed. Please verify the username and password.. We should not try the next server<br>
2013-08-06 15:54:20,853 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-7) Failed authenticating user: ovirttest to domain <a href="http://gso.med.ge.com">gso.med.ge.com</a>. Ldap Query Type is getUserByName<br>
2013-08-06 15:54:20,854 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the username and password.<br>2013-08-06 15:54:20,855 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD : ovirttest<br>
2013-08-06 15:54:20,856 WARN [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD<br><br></div><div>Try again to log in as the same user, this time typing the correct password.<br>
</div><div>Result: Login fails!<br>Data from engine.log:<br>2013-08-06 15:54:25,186 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-7) Failed authenticating user: ovirttest to domain <a href="http://gso.med.ge.com">gso.med.ge.com</a>. Ldap Query Type is getUserByName<br>
2013-08-06 15:54:25,187 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE : ovirttest<br>2013-08-06 15:54:25,187 WARN [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE<br>
<br></div><div>Try again with another AD user.<br></div><div>Result: Login fails!<br>Data from engine.log:<br>2013-08-06 15:54:38,056 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-5) Failed authenticating user: ovirtadmin to domain <a href="http://gso.med.ge.com">gso.med.ge.com</a>. Ldap Query Type is getUserByName<br>
2013-08-06 15:54:38,057 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-5) USER_FAILED_TO_AUTHENTICATE : ovirtadmin<br>2013-08-06 15:54:38,058 WARN [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-5) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE<br>
<br></div><div>Logging into the admin portal as the admin@internal user shows that the engine seems to have forgotten about, and can no longer enumerate, AD users and groups.<br></div><div>The engine stays in this state until it has been restarted.<br>
<br></div><div>I also note the following two errors in the engine log file:<br>2013-08-06 15:53:41,098 ERROR [org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (MSC service thread 1-9) Could not parse option AutoRecoveryAllowedTypes value.<br>
2013-08-06 15:53:41,161 ERROR [org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (MSC service thread 1-9) Failed to decrypt value for property AttestationTruststorePass will be used encrypted value: javax.crypto.BadPaddingException: Data must start with zero<br>
<br></div><div>- DHC<br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Aug 6, 2013 at 1:31 PM, Dead Horse <span dir="ltr"><<a href="mailto:deadhorseconsulting@gmail.com" target="_blank">deadhorseconsulting@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Really attaching logs from other install.<br></div> - DHC<br></div><div class="HOEnZb"><div class="h5">
<div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Aug 6, 2013 at 1:30 PM, Dead Horse <span dir="ltr"><<a href="mailto:deadhorseconsulting@gmail.com" target="_blank">deadhorseconsulting@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Also I note that the login does succeed in the AD server logs, and the engine also acknowledges the same. However, the login ends up in either the user logging in and the dialog sitting in space forever and/or the engine no longer enumerating the AD users/groups.<br>
<br></div>Attached are logs from another install seeing the same thing.<br></div>-DHC<br></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Aug 6, 2013 at 1:20 PM, Dead Horse <span dir="ltr"><<a href="mailto:deadhorseconsulting@gmail.com" target="_blank">deadhorseconsulting@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div><div>Seeing an issue where users are not able to log in. Also, for some reason the engine is seemingly
forgetting about AD users. Removing the AD domain via engine-manage-domains
and re-adding it works for enumerating the users; however, the first
attempt to log in as a user results in the engine no longer enumerating
the users nor allowing logins.<br>
</div>Attached are the pertinent logs.<br><br></div><div>Engine is built and running from current master as of this morning, and was installed/built and upgraded via RPMs yum/engine-upgrade</div><div><br></div> - DHC</div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
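Added here as a defender's example, not the reporter's code nor anything from oVirt: a small parser for the engine.log lines quoted in the thread, plus a check that flags the reported symptom, a wrong-password failure followed by the bare USER_FAILED_TO_AUTHENTICATE reason for several distinct users with no successful login in between. The line-format regex and the two-user alert threshold are my assumptions; the sample lines are copied from the report above.

```python
import re

# Shape of the engine.log lines quoted above: "<ts> <LEVEL> [<class>] (<thread>) <msg>" (regex is mine)
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) \[(?P<cls>[\w.]+)\] "
                     r"\((?P<thread>[^)]+)\) (?P<msg>.*)$")
LOGGED_IN_RE = re.compile(r"User (\S+) logged in\.")
WRONG_PW = "USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD"
GENERIC_FAIL = "USER_FAILED_TO_AUTHENTICATE"

def parse_login_events(lines):
    """Return [(ts, user, outcome)], outcome in {"ok", "wrong_password", "generic"}."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, cls, msg = m.group("ts"), m.group("cls"), m.group("msg")
        if cls.endswith(".AuditLogDirector"):
            li = LOGGED_IN_RE.search(msg)
            if li:
                events.append((ts, li.group(1), "ok"))
        elif cls.endswith(".LoginUserCommand") and m.group("level") == "ERROR":
            code, _, user = msg.partition(" : ")   # message is "<REASON> : <user>"
            if code == WRONG_PW:                   # exact match: GENERIC_FAIL is a prefix of it
                events.append((ts, user.strip(), "wrong_password"))
            elif code == GENERIC_FAIL:
                events.append((ts, user.strip(), "generic"))
    return events

def detect_stuck_directory(events, min_users=2):
    """Users failing with the bare USER_FAILED_TO_AUTHENTICATE after a wrong-password
    failure and before any successful login.  In the report a bad password gives the
    ..._WRONG_USERNAME_OR_PASSWORD reason, while the bare reason then hits every user,
    so several distinct users on the bare reason is the signal to alert an operator."""
    tripped, users = False, set()
    for _ts, user, outcome in events:
        if outcome == "ok":
            tripped, users = False, set()
        elif outcome == "wrong_password":
            tripped = True
        elif outcome == "generic" and tripped:
            users.add(user)
    return users if len(users) >= min_users else set()

# Sample input: the AuditLogDirector / LoginUserCommand lines quoted in the report.
SAMPLE_LOG = """\
2013-08-06 15:54:10,139 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-10) Correlation ID: 23c4709, Call Stack: null, Custom Event ID: -1, Message: User ovirttest logged in.
2013-08-06 15:54:20,855 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD : ovirttest
2013-08-06 15:54:25,187 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE : ovirttest
2013-08-06 15:54:38,057 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-5) USER_FAILED_TO_AUTHENTICATE : ovirtadmin
""".splitlines()
```

Running `detect_stuck_directory(parse_login_events(SAMPLE_LOG))` over the quoted lines returns both ovirttest and ovirtadmin, i.e. the state the reporter had to clear by restarting the engine; a lone wrong-password failure returns an empty set.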