<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Hi,</p>
<p><br>
</p>
<p>I have two FreeIPA directories set up in multi-master replication. Both are running on CentOS 7.2 with the latest software installed. Replication between both IPAs is set up correctly and I am able to authenticate against each of the two manually.</p>
<p><br>
</p>
<p>However, if I shut down IPA1 and try to authenticate from oVirt 3.5.6.2 against IPA2, I can't log in. Login only works if IPA1 is running (keep in mind that manual authentication against IPA2 is working).</p>
<p><br>
</p>
<p>Nothing is logged in the dirsrv error log; however, I can see the authentication in the access log from IPA2:</p>
<p><br>
</p>
<p><br>
</p>
<p>###</p>
<p><br>
</p>
<p>filter=&quot;(&amp;(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)))&quot; attrs=&quot;krbPrincipalName
 krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
 krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass&quot;</p>
<p>[03/Jun/2016:17:18:39 &#43;0200] conn=5 op=758 RESULT err=0 tag=101 nentries=1 etime=0</p>
<p>[03/Jun/2016:17:18:39 &#43;0200] conn=5 op=759 SRCH base=&quot;cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu&quot; scope=0 filter=&quot;(objectClass=*)&quot; attrs=&quot;krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength
 krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration&quot;</p>
<p>[03/Jun/2016:17:18:39 &#43;0200] conn=5 op=759 RESULT err=0 tag=101 nentries=1 etime=0</p>
<p>[03/Jun/2016:17:18:39 &#43;0200] conn=5 op=760 SRCH base=&quot;uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu&quot; scope=0 filter=&quot;(objectClass=*)&quot; attrs=&quot;objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration
 krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory
 ipaNTHomeDirectoryDrive&quot;</p>
<p>[03/Jun/2016:17:18:39 &#43;0200] conn=5 op=760 RESULT err=0 tag=101 nentries=1 etime=0</p>
<p>[03/Jun/2016:17:18:39 &#43;0200] conn=5 op=761 MOD dn=&quot;uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu&quot;</p>
<p>[03/Jun/2016:17:18:39 &#43;0200] conn=5 op=761 RESULT err=0 tag=103 nentries=0 etime=0 csn=5751a1820001000d0000</p>
<p>[03/Jun/2016:17:18:39 &#43;0200] conn=95 fd=109 slot=109 connection from 192.168.210.45 to 192.168.210.181</p>
<p>[03/Jun/2016:17:18:39 &#43;0200] conn=6 op=937 SRCH base=&quot;dc=intern,dc=customer-virt,dc=eu&quot; scope=2 filter=&quot;(&amp;(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)))&quot;
 attrs=&quot;krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth
 krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass&quot;</p>
<p>[03/Jun/2016:17:18:39 &#43;0200] conn=6 op=937 RESULT err=0 tag=101 nentries=1 etime=0</p>
<p>[03/Jun/2016:17:18:39 &#43;0200] conn=6 op=938 SRCH base=&quot;dc=intern,dc=customer-virt,dc=eu&quot; scope=2 filter=&quot;(&amp;(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=ldap/auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU)))&quot;
 attrs=&quot;krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth
 krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass&quot;</p>
<p>[03/Jun/2016:17:18:39 &#43;0200] conn=6 op=938 RESULT err=0 tag=101 nentries=1 etime=0</p>
<p>[03/Jun/2016:17:18:39 &#43;0200] conn=6 op=939 SRCH base=&quot;cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu&quot; scope=0 filter=&quot;(objectClass=krbticketpolicyaux)&quot; attrs=&quot;krbMaxTicketLife krbMaxRenewableAge krbTicketFlags&quot;</p>
<p>[03/Jun/2016:17:18:39 &#43;0200] conn=6 op=939 RESULT err=0 tag=101 nentries=1 etime=0</p>
<p>[03/Jun/2016:17:18:39 &#43;0200] conn=6 op=940 SRCH base=&quot;dc=intern,dc=customer-virt,dc=eu&quot; scope=2 filter=&quot;(&amp;(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kries@INTERN.CUSTOMER-VIRT.EU))&quot; attrs=&quot;krbPrincipalName krbCanonicalName
 ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
 krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass&quot;</p>
<p>[03/Jun/2016:17:18:39 &#43;0200] conn=6 op=940 RESULT err=0 tag=101 nentries=1 etime=0</p>
<p>[03/Jun/2016:17:18:39 &#43;0200] conn=6 op=941 SRCH base=&quot;cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu&quot; scope=0 filter=&quot;(objectClass=krbticketpolicyaux)&quot; attrs=&quot;krbMaxTicketLife krbMaxRenewableAge krbTicketFlags&quot;</p>
<p>[03/Jun/2016:17:18:39 &#43;0200] conn=6 op=941 RESULT err=0 tag=101 nentries=1 etime=0</p>
<p><br>
</p>
<p>###</p>
<p><br>
</p>
<p><br>
</p>
<p>In the oVirt Engine log I can see the following:</p>
<p><br>
</p>
<p>###</p>
<p><br>
</p>
<p>2016-06-03 17:18:40,402 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Error in communicating with LDAP server auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is
 javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu]</p>
<p>2016-06-03 17:18:40,416 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using user kries@INTERN.CUSTOMER-VIRT.EU
 due to auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu].
 We should try the next server</p>
<p>2016-06-03 17:18:41,675 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter is (&amp;(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=kries)). Exception
 message is: null</p>
<p>2016-06-03 17:18:41,681 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that the login name , password and path are correct.&nbsp;</p>
<p>2016-06-03 17:18:41,690 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu:389 using user kries@INTERN.CUSTOMER-VIRT.EU due to Kerberos error.
 Please check log for further details.. We should not try the next server</p>
<p>2016-06-03 17:18:41,698 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain intern.customer-virt.eu. Ldap Query Type is getUserByName</p>
<p>2016-06-03 17:18:41,703 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further details.</p>
<p>2016-06-03 17:18:41,706 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-3) Failed to run command LdapAuthenticateUserCommand. Domain is intern.customer-virt.eu. User is kries.</p>
<p>2016-06-03 17:18:41,712 INFO &nbsp;[org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-3) Cant login user &quot;kries&quot; with authentication profile &quot;intern.customer-virt.eu&quot; because the authentication failed.</p>
<p>2016-06-03 17:18:41,719 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User kries@intern.customer-virt.eu failed to log in.</p>
<p>2016-06-03 17:18:41,723 WARN &nbsp;[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user kries@intern.customer-virt.eu. Reasons: USER_FAILED_TO_AUTHENTICATE</p>
<p><br>
</p>
<p>###</p>
<p><br>
</p>
<p>Any thoughts on why I can't authenticate via oVirt against IPA2?</p>
<p><br>
</p>
<p>Thanks</p>
<p>Greets</p>
<p>Kilian</p>
<p><br>
</p>
<p><br>
</p>
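<p>As an added example (not part of Kilian's mail, and not code from the FreeIPA or oVirt projects), the following Python parses the two log formats quoted above: it pairs each 389-ds access-log request with its RESULT by (conn, op), lists which Kerberos principals the KDC fetched from the directory and which operations returned a non-zero result code, and flags engine-log hosts that failed DNS resolution because the domain suffix was appended twice, as in the auth02.intern.customer-virt.eu.intern.customer-virt.eu name inside the UnknownHostException. The sample lines are constructed and trimmed from the logs above; the err=32 entry is invented so the failure path has something to report.</p>

```python
import re

# Constructed sample, trimmed from the access log above; the err=32 entry is invented.
ACCESS_LOG = """\
[03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(|(ipaKrbPrincipalAlias=ldap/auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=ldap/auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU)))" attrs="krbPrincipalName objectClass"
[03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=940 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kries@INTERN.CUSTOMER-VIRT.EU))" attrs="krbPrincipalName objectClass"
[03/Jun/2016:17:18:39 +0200] conn=6 op=940 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=942 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(uid=nobody)" attrs="uid"
[03/Jun/2016:17:18:39 +0200] conn=6 op=942 RESULT err=32 tag=101 nentries=0 etime=0
"""
# Constructed sample, trimmed from the oVirt engine log above.
ENGINE_LOG = """\
2016-06-03 17:18:40,402 ERROR [LdapSearchExceptionHandler] Error in communicating with LDAP server auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu]
"""
OP_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>\w+)(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
PRINCIPAL_RE = re.compile(r'krbPrincipalName=([^)]+)\)')
UNKNOWN_HOST_RE = re.compile(r'UnknownHostException: ([\w.-]+)')

def parse_access_log(text):
    """Pair each request (SRCH, MOD, ...) with its RESULT, keyed by (conn, op)."""
    ops = {}
    for line in text.splitlines():
        m = OP_RE.match(line)
        if not m:                      # e.g. 'connection from ...' lines carry no op=
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m['rest'])}
        rec = ops.setdefault((int(m['conn']), int(m['op'])), {})
        if m['kind'] == 'RESULT':
            rec['err'] = int(fields.get('err', -1))
            rec['nentries'] = int(fields.get('nentries', 0))
        else:
            rec['kind'] = m['kind']
            rec['filter'] = fields.get('filter', '')
    return ops

def principals_looked_up(ops):
    """Kerberos principals the KDC asked the directory for, in log order."""
    hits = (PRINCIPAL_RE.search(r.get('filter', '')) for r in ops.values())
    return [h.group(1) for h in hits if h]

def failed_ops(ops):
    """(conn, op) pairs whose RESULT carried a non-zero LDAP result code."""
    return [(key, r['err']) for key, r in ops.items() if r.get('err', 0) != 0]

def doubled_suffix_hosts(text, domain):
    """Hosts that failed DNS resolution because the domain got appended twice."""
    twice = '.' + domain + '.' + domain
    return sorted({h for h in UNKNOWN_HOST_RE.findall(text) if h.endswith(twice)})
```

Run against the full access log of the server that should have answered, an empty failed_ops list alongside a principal list containing the user and the ldap/ service principal shows the directory side completed, which narrows the problem to the client's server naming.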
</div>
</body>
</html>