<div dir="ltr"><div><div><div>How did you setup the authentication. DId you use AAA or engine-manage-domains ?<br><br></div>Do you *have* to use kerberos, or can you just use ldap?<br><br></div>If you have no requirement to use kerberos, then I would just use simple AAA ldap. <br><br></div>How are you load balancing the IPA servers? Does fail over work for other things? IE client machines connected to the IPA realm?<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 7, 2016 at 9:49 AM, Kilian Ries <span dir="ltr"><<a href="mailto:mail@kilian-ries.de" target="_blank">mail@kilian-ries.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Indeed there was a faulty record for the IPA2 - i corrected that. Now the engine-log shows the correct ldap-address:<br>
<br>
###<br>
<br>
2016-06-07 15:20:43,940 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that the login name , password and path are correct.<br>
2016-06-07 15:20:43,946 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://<a href="http://auth02.intern.eu:389" rel="noreferrer" target="_blank">auth02.intern.eu:389</a> using user <a href="mailto:kries@INTERN.EU">kries@INTERN.EU</a> due to Kerberos error. Please check log for further details.. We should not try the next server<br>
2016-06-07 15:20:43,951 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain <a href="http://intern.eu" rel="noreferrer" target="_blank">intern.eu</a>. Ldap Query Type is getUserByName<br>
2016-06-07 15:20:43,954 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further details.<br>
2016-06-07 15:20:43,957 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-3) Failed to run command LdapAuthenticateUserCommand. Domain is <a href="http://intern.eu" rel="noreferrer" target="_blank">intern.eu</a>. User is kries.<br>
2016-06-07 15:20:43,961 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication profile "<a href="http://intern.eu" rel="noreferrer" target="_blank">intern.eu</a>" because the authentication failed.<br>
2016-06-07 15:20:43,968 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User <a href="mailto:kries@intern.eu">kries@intern.eu</a> failed to log in.<br>
2016-06-07 15:20:43,971 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user <a href="mailto:kries@intern.eu">kries@intern.eu</a>. Reasons: USER_FAILED_TO_AUTHENTICATE<br>
<br>
###<br>
<br>
I'm still not able to login to oVirt via IPA2<br>
<br>
krb5kdc and dirsrv-acces Log don't show anything new.<br>
<span class=""><br>
________________________________________<br>
Von: Ondra Machacek <<a href="mailto:omachace@redhat.com">omachace@redhat.com</a>><br>
</span>Gesendet: Montag, 6. Juni 2016 14:31<br>
An: Kilian Ries; <a href="mailto:users@ovirt.org">users@ovirt.org</a><br>
Betreff: Re: AW: [ovirt-users] free-IPA Multi-Master Authentication Problem<br>
<div class="HOEnZb"><div class="h5"><br>
It looks fine, thanks.<br>
Looking at the oVirt log I see IPA server FQDN:<br>
<br>
<a href="http://auth02.intern.customer-virt.eu.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu.intern.customer-virt.eu</a><br>
<br>
Looking at krb realm, I guess this should be -<br>
<a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a><br>
<br>
Do you use SRV records or did you pass --ldap-servers to manage-domains?<br>
If SRV, then you maybe misconfigured DNS, if --ldap-servers, you should<br>
edit configuration with proper FQDN.<br>
<br>
On 06/06/2016 11:00 AM, Kilian Ries wrote:<br>
> Hello,<br>
><br>
> here is the krb5kdc log from IPA2:<br>
><br>
><br>
> ###<br>
> Jun 03 17:18:22 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): AS_REQ (1 etypes {23}) <a href="http://192.168.210.45" rel="noreferrer" target="_blank">192.168.210.45</a>: NEEDED_PREAUTH: <a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a> for krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a>, Additional pre-authentication required<br>
> Jun 03 17:18:22 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): closing down fd 12<br>
> Jun 03 17:18:22 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): AS_REQ (1 etypes {23}) <a href="http://192.168.210.45" rel="noreferrer" target="_blank">192.168.210.45</a>: ISSUE: authtime 1464967102, etypes {rep=23 tkt=18 ses=23}, <a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a> for krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a><br>
> Jun 03 17:18:22 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): closing down fd 12<br>
> Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): AS_REQ (1 etypes {23}) <a href="http://192.168.210.45" rel="noreferrer" target="_blank">192.168.210.45</a>: NEEDED_PREAUTH: <a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a> for krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a>, Additional pre-authentication required<br>
> Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): closing down fd 12<br>
> Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1284](info): AS_REQ (1 etypes {23}) <a href="http://192.168.210.45" rel="noreferrer" target="_blank">192.168.210.45</a>: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23}, <a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a> for krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a><br>
> Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1284](info): closing down fd 12<br>
> Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): AS_REQ (1 etypes {23}) <a href="http://192.168.210.45" rel="noreferrer" target="_blank">192.168.210.45</a>: NEEDED_PREAUTH: <a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a> for krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a>, Additional pre-authentication required<br>
> Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): closing down fd 12<br>
> Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1284](info): AS_REQ (1 etypes {23}) <a href="http://192.168.210.45" rel="noreferrer" target="_blank">192.168.210.45</a>: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23}, <a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a> for krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a><br>
> Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1284](info): closing down fd 12<br>
> Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) <a href="http://192.168.210.45" rel="noreferrer" target="_blank">192.168.210.45</a>: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=18}, <a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a> for ldap/<a href="mailto:auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU">auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU</a><br>
> Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): closing down fd 12<br>
> ###<br>
><br>
> Thanks for the hint with the LDAP-Provider, i'm trying to migrate as soon as possible.<br>
><br>
> Greets<br>
> Kilian<br>
><br>
> ________________________________________<br>
> Von: Ondra Machacek <<a href="mailto:omachace@redhat.com">omachace@redhat.com</a>><br>
> Gesendet: Montag, 6. Juni 2016 09:48<br>
> An: Kilian Ries; <a href="mailto:users@ovirt.org">users@ovirt.org</a><br>
> Betreff: Re: [ovirt-users] free-IPA Multi-Master Authentication Problem<br>
><br>
> On 06/03/2016 05:44 PM, Kilian Ries wrote:<br>
>> Hi,<br>
>><br>
>><br>
>> i have two free-IPA directories setup in multi-master replication. Both<br>
>> are running on CentOS 7.2 with latest Software installed. Replication<br>
>> between both IPAs is setup correctly and i am able to authenticate<br>
>> against each of the two manually.<br>
>><br>
>><br>
>> However, if i shutdown IPA1 and try to authenticate from oVirt 3.5.6.2<br>
>> against IPA2 i can't login. Login is only working if IPA1 is<br>
>> running (keep in mind that manual authentication against IPA2 is working).<br>
>><br>
>><br>
>> In the dirSRV Error-Logfile nothing is logged, however i can see the<br>
>> authentication in the access log from IPA2:<br>
>><br>
>><br>
>><br>
>> ###<br>
>><br>
>><br>
>> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a>)(krbPrincipalName=krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a>)))"<br>
>> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias<br>
>> krbUPEnabled krbPrincipalKey krbTicketPolicyReference<br>
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference<br>
>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases<br>
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData<br>
>> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife<br>
>> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData<br>
>> ipaUserAuthType ipatokenRadiusConfigLink objectClass"<br>
>><br>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101<br>
>> nentries=1 etime=0<br>
>><br>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH<br>
>> base="cn=global_policy,cn=<a href="http://INTERN.CUSTOMER-VIRT.EU" rel="noreferrer" target="_blank">INTERN.CUSTOMER-VIRT.EU</a>,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"<br>
>> scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife<br>
>> krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure<br>
>> krbPwdFailureCountInterval krbPwdLockoutDuration"<br>
>><br>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101<br>
>> nentries=1 etime=0<br>
>><br>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=760 SRCH<br>
>> base="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"<br>
>> scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn<br>
>> gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference<br>
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference<br>
>> krbPrincipalType krbLastPwdChange krbPrincipalAliases<br>
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount<br>
>> krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier<br>
>> ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory<br>
>> ipaNTHomeDirectoryDrive"<br>
>><br>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=760 RESULT err=0 tag=101<br>
>> nentries=1 etime=0<br>
>><br>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD<br>
>> dn="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"<br>
>><br>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103<br>
>> nentries=0 etime=0 csn=5751a1820001000d0000<br>
>><br>
>> [03/Jun/2016:17:18:39 +0200] conn=95 fd=109 slot=109 connection from<br>
>> 192.168.210.45 to 192.168.210.181<br>
>><br>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH<br>
>> base="dc=intern,dc=customer-virt,dc=eu" scope=2<br>
>> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a>)(krbPrincipalName=krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a>)))"<br>
>> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias<br>
>> krbUPEnabled krbPrincipalKey krbTicketPolicyReference<br>
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference<br>
>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases<br>
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData<br>
>> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife<br>
>> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData<br>
>> ipaUserAuthType ipatokenRadiusConfigLink objectClass"<br>
>><br>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101<br>
>> nentries=1 etime=0<br>
>><br>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH<br>
>> base="dc=intern,dc=customer-virt,dc=eu" scope=2<br>
>> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/<a href="mailto:auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU">auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU</a>)(krbPrincipalName=ldap/<a href="mailto:auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU">auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU</a>)))"<br>
>> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias<br>
>> krbUPEnabled krbPrincipalKey krbTicketPolicyReference<br>
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference<br>
>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases<br>
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData<br>
>> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife<br>
>> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData<br>
>> ipaUserAuthType ipatokenRadiusConfigLink objectClass"<br>
>><br>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101<br>
>> nentries=1 etime=0<br>
>><br>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=939 SRCH<br>
>> base="cn=<a href="http://INTERN.CUSTOMER-VIRT.EU" rel="noreferrer" target="_blank">INTERN.CUSTOMER-VIRT.EU</a>,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"<br>
>> scope=0 filter="(objectClass=krbticketpolicyaux)"<br>
>> attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"<br>
>><br>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=939 RESULT err=0 tag=101<br>
>> nentries=1 etime=0<br>
>><br>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=940 SRCH<br>
>> base="dc=intern,dc=customer-virt,dc=eu" scope=2<br>
>> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=<a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a>))"<br>
>> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias<br>
>> krbUPEnabled krbPrincipalKey krbTicketPolicyReference<br>
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference<br>
>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases<br>
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData<br>
>> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife<br>
>> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData<br>
>> ipaUserAuthType ipatokenRadiusConfigLink objectClass"<br>
>><br>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=940 RESULT err=0 tag=101<br>
>> nentries=1 etime=0<br>
>><br>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=941 SRCH<br>
>> base="cn=<a href="http://INTERN.CUSTOMER-VIRT.EU" rel="noreferrer" target="_blank">INTERN.CUSTOMER-VIRT.EU</a>,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"<br>
>> scope=0 filter="(objectClass=krbticketpolicyaux)"<br>
>> attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"<br>
>><br>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=941 RESULT err=0 tag=101<br>
>> nentries=1 etime=0<br>
>><br>
>><br>
>> ###<br>
>><br>
>><br>
>><br>
>> In the oVirt Engine log i can see the following:<br>
>><br>
>><br>
>> ###<br>
>><br>
>><br>
>> 2016-06-03 17:18:40,402 ERROR<br>
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]<br>
>> (ajp--127.0.0.1-8702-3) Error in communicating with LDAP server<br>
>> <a href="http://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu.intern.customer-virt.eu:389</a>; nested<br>
>> exception is javax.naming.CommunicationException:<br>
>> <a href="http://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu.intern.customer-virt.eu:389</a> [Root<br>
>> exception is java.net.UnknownHostException:<br>
>> <a href="http://auth02.intern.customer-virt.eu.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu.intern.customer-virt.eu</a>]<br>
>><br>
>> 2016-06-03 17:18:40,416 ERROR<br>
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]<br>
>> (ajp--127.0.0.1-8702-3) Failed ldap search server<br>
>> ldap://<a href="http://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu.intern.customer-virt.eu:389</a> using<br>
>> user <a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a> due to<br>
>> <a href="http://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu.intern.customer-virt.eu:389</a>; nested<br>
>> exception is javax.naming.CommunicationException:<br>
>> <a href="http://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu.intern.customer-virt.eu:389</a> [Root<br>
>> exception is java.net.UnknownHostException:<br>
>> <a href="http://auth02.intern.customer-virt.eu.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu.intern.customer-virt.eu</a>]. We should try<br>
>> the next server<br>
>><br>
>> 2016-06-03 17:18:41,675 ERROR<br>
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LDAPTemplateWrapper]<br>
>> (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter<br>
>> is<br>
>> (&(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=kries)).<br>
>> Exception message is: null<br>
>><br>
>> 2016-06-03 17:18:41,681 ERROR<br>
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]<br>
>> (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that<br>
>> the login name , password and path are correct.<br>
>><br>
>> 2016-06-03 17:18:41,690 ERROR<br>
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]<br>
>> (ajp--127.0.0.1-8702-3) Failed ldap search server<br>
>> ldap://<a href="http://auth02.intern.customer-virt.eu:389" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu:389</a> using user<br>
>> <a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a> due to Kerberos error. Please check log<br>
>> for further details.. We should not try the next server<br>
>><br>
>> 2016-06-03 17:18:41,698 ERROR<br>
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]<br>
>> (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain<br>
>> <a href="http://intern.customer-virt.eu" rel="noreferrer" target="_blank">intern.customer-virt.eu</a>. Ldap Query Type is getUserByName<br>
>><br>
>> 2016-06-03 17:18:41,703 ERROR<br>
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]<br>
>> (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further<br>
>> details.<br>
>><br>
>> 2016-06-03 17:18:41,706 ERROR<br>
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]<br>
>> (ajp--127.0.0.1-8702-3) Failed to run command<br>
>> LdapAuthenticateUserCommand. Domain is <a href="http://intern.customer-virt.eu" rel="noreferrer" target="_blank">intern.customer-virt.eu</a>. User is<br>
>> kries.<br>
>><br>
>> 2016-06-03 17:18:41,712 INFO<br>
>> [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]<br>
>> (ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication<br>
>> profile "<a href="http://intern.customer-virt.eu" rel="noreferrer" target="_blank">intern.customer-virt.eu</a>" because the authentication failed.<br>
>><br>
>> 2016-06-03 17:18:41,719 ERROR<br>
>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]<br>
>> (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom<br>
>> Event ID: -1, Message: User <a href="mailto:kries@intern.customer-virt.eu">kries@intern.customer-virt.eu</a> failed to log in.<br>
>><br>
>> 2016-06-03 17:18:41,723 WARN<br>
>> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]<br>
>> (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for<br>
>> user <a href="mailto:kries@intern.customer-virt.eu">kries@intern.customer-virt.eu</a>. Reasons: USER_FAILED_TO_AUTHENTICATE<br>
>><br>
>><br>
>> ###<br>
>><br>
>><br>
>> Any thoughts why i can't authenticate via oVirt against IPA2?<br>
><br>
> Can you please also share if there is some error in /var/log/krb5kdc.log<br>
> in IPA2?<br>
><br>
> Anyway, please migrate to new ovirt-engine-extensions-aaa-ldap, read<br>
> this[1] for more information.<br>
><br>
> [1] <a href="http://lists.ovirt.org/pipermail/users/2015-August/034008.html" rel="noreferrer" target="_blank">http://lists.ovirt.org/pipermail/users/2015-August/034008.html</a><br>
><br>
>><br>
>><br>
>> Thanks<br>
>><br>
>> Greets<br>
>><br>
>> Kilian<br>
>><br>
>><br>
>><br>
>><br>
>><br>
>> _______________________________________________<br>
>> Users mailing list<br>
>> <a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
>> <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
>><br>
><br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
</div></div></blockquote></div><br></div>