<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Hi,</p>
<p><br>
</p>
<p>i have two free-IPA directories setup in multi-master replication. Both are running on CentOS 7.2 with latest Software installed. Replication between both IPAs is setup correctly and i am able to authenticate against each of the two manually.</p>
<p><br>
</p>
<p>However, if i shutdown IPA1 and try to authenticate from oVirt 3.5.6.2 against IPA2 i can't login. Login is only working if IPA1 is running (keep in mind that manual authentication against IPA2 is working).</p>
<p><br>
</p>
<p>In the dirSRV Error-Logfile nothing is logged, however i can see the authentication in the access log from IPA2:</p>
<p><br>
</p>
<p><br>
</p>
<p>###</p>
<p><br>
</p>
<p>filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)))" attrs="krbPrincipalName
krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"</p>
<p>[03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101 nentries=1 etime=0</p>
<p>[03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH base="cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength
krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"</p>
<p>[03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101 nentries=1 etime=0</p>
<p>[03/Jun/2016:17:18:39 +0200] conn=5 op=760 SRCH base="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory
ipaNTHomeDirectoryDrive"</p>
<p>[03/Jun/2016:17:18:39 +0200] conn=5 op=760 RESULT err=0 tag=101 nentries=1 etime=0</p>
<p>[03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD dn="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"</p>
<p>[03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103 nentries=0 etime=0 csn=5751a1820001000d0000</p>
<p>[03/Jun/2016:17:18:39 +0200] conn=95 fd=109 slot=109 connection from 192.168.210.45 to 192.168.210.181</p>
<p>[03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth
krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"</p>
<p>[03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101 nentries=1 etime=0</p>
<p>[03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=ldap/auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU)))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth
krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"</p>
<p>[03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101 nentries=1 etime=0</p>
<p>[03/Jun/2016:17:18:39 +0200] conn=6 op=939 SRCH base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"</p>
<p>[03/Jun/2016:17:18:39 +0200] conn=6 op=939 RESULT err=0 tag=101 nentries=1 etime=0</p>
<p>[03/Jun/2016:17:18:39 +0200] conn=6 op=940 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kries@INTERN.CUSTOMER-VIRT.EU))" attrs="krbPrincipalName krbCanonicalName
ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"</p>
<p>[03/Jun/2016:17:18:39 +0200] conn=6 op=940 RESULT err=0 tag=101 nentries=1 etime=0</p>
<p>[03/Jun/2016:17:18:39 +0200] conn=6 op=941 SRCH base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"</p>
<p>[03/Jun/2016:17:18:39 +0200] conn=6 op=941 RESULT err=0 tag=101 nentries=1 etime=0</p>
<p><br>
</p>
<p>###</p>
<p><br>
</p>
<p><br>
</p>
<p>In the oVirt Engine log i can see the following:</p>
<p><br>
</p>
<p>###</p>
<p><br>
</p>
<p>2016-06-03 17:18:40,402 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Error in communicating with LDAP server auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is
javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu]</p>
<p>2016-06-03 17:18:40,416 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using user kries@INTERN.CUSTOMER-VIRT.EU
due to auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu].
We should try the next server</p>
<p>2016-06-03 17:18:41,675 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter is (&(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=kries)). Exception
message is: null</p>
<p>2016-06-03 17:18:41,681 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that the login name , password and path are correct. </p>
<p>2016-06-03 17:18:41,690 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu:389 using user kries@INTERN.CUSTOMER-VIRT.EU due to Kerberos error.
Please check log for further details.. We should not try the next server</p>
<p>2016-06-03 17:18:41,698 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain intern.customer-virt.eu. Ldap Query Type is getUserByName</p>
<p>2016-06-03 17:18:41,703 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further details.</p>
<p>2016-06-03 17:18:41,706 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-3) Failed to run command LdapAuthenticateUserCommand. Domain is intern.customer-virt.eu. User is kries.</p>
<p>2016-06-03 17:18:41,712 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication profile "intern.customer-virt.eu" because the authentication failed.</p>
<p>2016-06-03 17:18:41,719 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User kries@intern.customer-virt.eu failed to log in.</p>
<p>2016-06-03 17:18:41,723 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user kries@intern.customer-virt.eu. Reasons: USER_FAILED_TO_AUTHENTICATE</p>
<p><br>
</p>
<p>###</p>
<p><br>
</p>
<p>Any thoughts why i can't authenticate via oVirt against IPA2?</p>
<p><br>
</p>
<p>Thanks</p>
<p>Greets</p>
<p>Kilian</p>
<p><br>
</p>
<p><br>
</p>
</div>
</body>
</html>