<div dir="ltr"><div><div><div>How did you set up the authentication? Did you use AAA or engine-manage-domains?<br><br></div>Do you *have* to use Kerberos, or can you just use LDAP?<br><br></div>If you have no requirement to use Kerberos, then I would just use simple AAA LDAP.<br><br></div>How are you load balancing the IPA servers? Does failover work for other things, i.e. client machines connected to the IPA realm?<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 7, 2016 at 9:49 AM, Kilian Ries <span dir="ltr">&lt;<a href="mailto:mail@kilian-ries.de" target="_blank">mail@kilian-ries.de</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Indeed there was a faulty record for IPA2; I corrected that. Now the engine log shows the correct LDAP address:<br>
<br>
###<br>
<br>
2016-06-07 15:20:43,940 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that the login name , password and path are correct.<br>
2016-06-07 15:20:43,946 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://<a href="http://auth02.intern.eu:389" rel="noreferrer" target="_blank">auth02.intern.eu:389</a> using user <a href="mailto:kries@INTERN.EU">kries@INTERN.EU</a> due to Kerberos error. Please check log for further details.. We should not try the next server<br>
2016-06-07 15:20:43,951 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain <a href="http://intern.eu" rel="noreferrer" target="_blank">intern.eu</a>. Ldap Query Type is getUserByName<br>
2016-06-07 15:20:43,954 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further details.<br>
2016-06-07 15:20:43,957 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-3) Failed to run command LdapAuthenticateUserCommand. Domain is <a href="http://intern.eu" rel="noreferrer" target="_blank">intern.eu</a>. User is kries.<br>
2016-06-07 15:20:43,961 INFO  [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-3) Cant login user &quot;kries&quot; with authentication profile &quot;<a href="http://intern.eu" rel="noreferrer" target="_blank">intern.eu</a>&quot; because the authentication failed.<br>
2016-06-07 15:20:43,968 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User <a href="mailto:kries@intern.eu">kries@intern.eu</a> failed to log in.<br>
2016-06-07 15:20:43,971 WARN  [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user <a href="mailto:kries@intern.eu">kries@intern.eu</a>. Reasons: USER_FAILED_TO_AUTHENTICATE<br>
<br>
###<br>
<br>
I&#39;m still not able to log in to oVirt via IPA2.<br>
<br>
The krb5kdc and dirsrv access logs don&#39;t show anything new.<br>
<span class=""><br>
________________________________________<br>
From: Ondra Machacek &lt;<a href="mailto:omachace@redhat.com">omachace@redhat.com</a>&gt;<br>
</span>Sent: Monday, 6 June 2016 14:31<br>
To: Kilian Ries; <a href="mailto:users@ovirt.org">users@ovirt.org</a><br>
Subject: Re: AW: [ovirt-users] free-IPA Multi-Master Authentication Problem<br>
<div class="HOEnZb"><div class="h5"><br>
It looks fine, thanks.<br>
Looking at the oVirt log I see the IPA server FQDN:<br>
<br>
  <a href="http://auth02.intern.customer-virt.eu.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu.intern.customer-virt.eu</a><br>
<br>
Looking at the krb realm, I guess this should be:<br>
<a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a><br>
<br>
Do you use SRV records or did you pass --ldap-servers to manage-domains?<br>
If SRV, then you may have misconfigured DNS; if --ldap-servers, you should<br>
edit the configuration with the proper FQDN.<br>
<br>
On 06/06/2016 11:00 AM, Kilian Ries wrote:<br>
&gt; Hello,<br>
&gt;<br>
&gt; here is the krb5kdc log from IPA2:<br>
&gt;<br>
&gt;<br>
&gt; ###<br>
&gt; Jun 03 17:18:22 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): AS_REQ (1 etypes {23}) <a href="http://192.168.210.45" rel="noreferrer" target="_blank">192.168.210.45</a>: NEEDED_PREAUTH: <a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a> for krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a>, Additional pre-authentication required<br>
&gt; Jun 03 17:18:22 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): closing down fd 12<br>
&gt; Jun 03 17:18:22 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): AS_REQ (1 etypes {23}) <a href="http://192.168.210.45" rel="noreferrer" target="_blank">192.168.210.45</a>: ISSUE: authtime 1464967102, etypes {rep=23 tkt=18 ses=23}, <a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a> for krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a><br>
&gt; Jun 03 17:18:22 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): closing down fd 12<br>
&gt; Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): AS_REQ (1 etypes {23}) <a href="http://192.168.210.45" rel="noreferrer" target="_blank">192.168.210.45</a>: NEEDED_PREAUTH: <a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a> for krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a>, Additional pre-authentication required<br>
&gt; Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): closing down fd 12<br>
&gt; Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1284](info): AS_REQ (1 etypes {23}) <a href="http://192.168.210.45" rel="noreferrer" target="_blank">192.168.210.45</a>: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23}, <a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a> for krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a><br>
&gt; Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1284](info): closing down fd 12<br>
&gt; Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): AS_REQ (1 etypes {23}) <a href="http://192.168.210.45" rel="noreferrer" target="_blank">192.168.210.45</a>: NEEDED_PREAUTH: <a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a> for krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a>, Additional pre-authentication required<br>
&gt; Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): closing down fd 12<br>
&gt; Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1284](info): AS_REQ (1 etypes {23}) <a href="http://192.168.210.45" rel="noreferrer" target="_blank">192.168.210.45</a>: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23}, <a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a> for krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a><br>
&gt; Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1284](info): closing down fd 12<br>
&gt; Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) <a href="http://192.168.210.45" rel="noreferrer" target="_blank">192.168.210.45</a>: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=18}, <a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a> for ldap/<a href="mailto:auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU">auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU</a><br>
&gt; Jun 03 17:18:40 <a href="http://auth02.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu</a> krb5kdc[1283](info): closing down fd 12<br>
&gt; ###<br>
&gt;<br>
&gt; Thanks for the hint about the LDAP provider; I&#39;m trying to migrate as soon as possible.<br>
&gt;<br>
&gt; Greets<br>
&gt; Kilian<br>
&gt;<br>
&gt; ________________________________________<br>
&gt; From: Ondra Machacek &lt;<a href="mailto:omachace@redhat.com">omachace@redhat.com</a>&gt;<br>
&gt; Sent: Monday, 6 June 2016 09:48<br>
&gt; To: Kilian Ries; <a href="mailto:users@ovirt.org">users@ovirt.org</a><br>
&gt; Subject: Re: [ovirt-users] free-IPA Multi-Master Authentication Problem<br>
&gt;<br>
&gt; On 06/03/2016 05:44 PM, Kilian Ries wrote:<br>
&gt;&gt; Hi,<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; I have two FreeIPA directories set up in multi-master replication. Both<br>
&gt;&gt; are running on CentOS 7.2 with the latest software installed. Replication<br>
&gt;&gt; between both IPAs is set up correctly and I am able to authenticate<br>
&gt;&gt; against each of the two manually.<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; However, if I shut down IPA1 and try to authenticate from oVirt 3.5.6.2<br>
&gt;&gt; against IPA2 I can&#39;t log in. Login only works if IPA1 is<br>
&gt;&gt; running (keep in mind that manual authentication against IPA2 is working).<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; Nothing is logged in the dirsrv error log; however, I can see the<br>
&gt;&gt; authentication in the access log from IPA2:<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; ###<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; filter=&quot;(&amp;(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a>)(krbPrincipalName=krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a>)))&quot;<br>
&gt;&gt; attrs=&quot;krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias<br>
&gt;&gt; krbUPEnabled krbPrincipalKey krbTicketPolicyReference<br>
&gt;&gt; krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference<br>
&gt;&gt; krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases<br>
&gt;&gt; krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData<br>
&gt;&gt; krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife<br>
&gt;&gt; krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData<br>
&gt;&gt; ipaUserAuthType ipatokenRadiusConfigLink objectClass&quot;<br>
&gt;&gt;<br>
&gt;&gt; [03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101<br>
&gt;&gt; nentries=1 etime=0<br>
&gt;&gt;<br>
&gt;&gt; [03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH<br>
&gt;&gt; base=&quot;cn=global_policy,cn=<a href="http://INTERN.CUSTOMER-VIRT.EU" rel="noreferrer" target="_blank">INTERN.CUSTOMER-VIRT.EU</a>,cn=kerberos,dc=intern,dc=customer-virt,dc=eu&quot;<br>
&gt;&gt; scope=0 filter=&quot;(objectClass=*)&quot; attrs=&quot;krbMaxPwdLife krbMinPwdLife<br>
&gt;&gt; krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure<br>
&gt;&gt; krbPwdFailureCountInterval krbPwdLockoutDuration&quot;<br>
&gt;&gt;<br>
&gt;&gt; [03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101<br>
&gt;&gt; nentries=1 etime=0<br>
&gt;&gt;<br>
&gt;&gt; [03/Jun/2016:17:18:39 +0200] conn=5 op=760 SRCH<br>
&gt;&gt; base=&quot;uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu&quot;<br>
&gt;&gt; scope=0 filter=&quot;(objectClass=*)&quot; attrs=&quot;objectClass uid cn fqdn<br>
&gt;&gt; gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference<br>
&gt;&gt; krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference<br>
&gt;&gt; krbPrincipalType krbLastPwdChange krbPrincipalAliases<br>
&gt;&gt; krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount<br>
&gt;&gt; krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier<br>
&gt;&gt; ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory<br>
&gt;&gt; ipaNTHomeDirectoryDrive&quot;<br>
&gt;&gt;<br>
&gt;&gt; [03/Jun/2016:17:18:39 +0200] conn=5 op=760 RESULT err=0 tag=101<br>
&gt;&gt; nentries=1 etime=0<br>
&gt;&gt;<br>
&gt;&gt; [03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD<br>
&gt;&gt; dn=&quot;uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu&quot;<br>
&gt;&gt;<br>
&gt;&gt; [03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103<br>
&gt;&gt; nentries=0 etime=0 csn=5751a1820001000d0000<br>
&gt;&gt;<br>
&gt;&gt; [03/Jun/2016:17:18:39 +0200] conn=95 fd=109 slot=109 connection from<br>
&gt;&gt; 192.168.210.45 to 192.168.210.181<br>
&gt;&gt;<br>
&gt;&gt; [03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH<br>
&gt;&gt; base=&quot;dc=intern,dc=customer-virt,dc=eu&quot; scope=2<br>
&gt;&gt; filter=&quot;(&amp;(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a>)(krbPrincipalName=krbtgt/<a href="mailto:INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU">INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU</a>)))&quot;<br>
&gt;&gt; attrs=&quot;krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias<br>
&gt;&gt; krbUPEnabled krbPrincipalKey krbTicketPolicyReference<br>
&gt;&gt; krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference<br>
&gt;&gt; krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases<br>
&gt;&gt; krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData<br>
&gt;&gt; krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife<br>
&gt;&gt; krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData<br>
&gt;&gt; ipaUserAuthType ipatokenRadiusConfigLink objectClass&quot;<br>
&gt;&gt;<br>
&gt;&gt; [03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101<br>
&gt;&gt; nentries=1 etime=0<br>
&gt;&gt;<br>
&gt;&gt; [03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH<br>
&gt;&gt; base=&quot;dc=intern,dc=customer-virt,dc=eu&quot; scope=2<br>
&gt;&gt; filter=&quot;(&amp;(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/<a href="mailto:auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU">auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU</a>)(krbPrincipalName=ldap/<a href="mailto:auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU">auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU</a>)))&quot;<br>
&gt;&gt; attrs=&quot;krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias<br>
&gt;&gt; krbUPEnabled krbPrincipalKey krbTicketPolicyReference<br>
&gt;&gt; krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference<br>
&gt;&gt; krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases<br>
&gt;&gt; krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData<br>
&gt;&gt; krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife<br>
&gt;&gt; krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData<br>
&gt;&gt; ipaUserAuthType ipatokenRadiusConfigLink objectClass&quot;<br>
&gt;&gt;<br>
&gt;&gt; [03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101<br>
&gt;&gt; nentries=1 etime=0<br>
&gt;&gt;<br>
&gt;&gt; [03/Jun/2016:17:18:39 +0200] conn=6 op=939 SRCH<br>
&gt;&gt; base=&quot;cn=<a href="http://INTERN.CUSTOMER-VIRT.EU" rel="noreferrer" target="_blank">INTERN.CUSTOMER-VIRT.EU</a>,cn=kerberos,dc=intern,dc=customer-virt,dc=eu&quot;<br>
&gt;&gt; scope=0 filter=&quot;(objectClass=krbticketpolicyaux)&quot;<br>
&gt;&gt; attrs=&quot;krbMaxTicketLife krbMaxRenewableAge krbTicketFlags&quot;<br>
&gt;&gt;<br>
&gt;&gt; [03/Jun/2016:17:18:39 +0200] conn=6 op=939 RESULT err=0 tag=101<br>
&gt;&gt; nentries=1 etime=0<br>
&gt;&gt;<br>
&gt;&gt; [03/Jun/2016:17:18:39 +0200] conn=6 op=940 SRCH<br>
&gt;&gt; base=&quot;dc=intern,dc=customer-virt,dc=eu&quot; scope=2<br>
&gt;&gt; filter=&quot;(&amp;(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=<a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a>))&quot;<br>
&gt;&gt; attrs=&quot;krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias<br>
&gt;&gt; krbUPEnabled krbPrincipalKey krbTicketPolicyReference<br>
&gt;&gt; krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference<br>
&gt;&gt; krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases<br>
&gt;&gt; krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData<br>
&gt;&gt; krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife<br>
&gt;&gt; krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData<br>
&gt;&gt; ipaUserAuthType ipatokenRadiusConfigLink objectClass&quot;<br>
&gt;&gt;<br>
&gt;&gt; [03/Jun/2016:17:18:39 +0200] conn=6 op=940 RESULT err=0 tag=101<br>
&gt;&gt; nentries=1 etime=0<br>
&gt;&gt;<br>
&gt;&gt; [03/Jun/2016:17:18:39 +0200] conn=6 op=941 SRCH<br>
&gt;&gt; base=&quot;cn=<a href="http://INTERN.CUSTOMER-VIRT.EU" rel="noreferrer" target="_blank">INTERN.CUSTOMER-VIRT.EU</a>,cn=kerberos,dc=intern,dc=customer-virt,dc=eu&quot;<br>
&gt;&gt; scope=0 filter=&quot;(objectClass=krbticketpolicyaux)&quot;<br>
&gt;&gt; attrs=&quot;krbMaxTicketLife krbMaxRenewableAge krbTicketFlags&quot;<br>
&gt;&gt;<br>
&gt;&gt; [03/Jun/2016:17:18:39 +0200] conn=6 op=941 RESULT err=0 tag=101<br>
&gt;&gt; nentries=1 etime=0<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; ###<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; In the oVirt Engine log I can see the following:<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; ###<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; 2016-06-03 17:18:40,402 ERROR<br>
&gt;&gt; [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]<br>
&gt;&gt; (ajp--127.0.0.1-8702-3) Error in communicating with LDAP server<br>
&gt;&gt; <a href="http://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu.intern.customer-virt.eu:389</a>; nested<br>
&gt;&gt; exception is javax.naming.CommunicationException:<br>
&gt;&gt; <a href="http://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu.intern.customer-virt.eu:389</a> [Root<br>
&gt;&gt; exception is java.net.UnknownHostException:<br>
&gt;&gt; <a href="http://auth02.intern.customer-virt.eu.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu.intern.customer-virt.eu</a>]<br>
&gt;&gt;<br>
&gt;&gt; 2016-06-03 17:18:40,416 ERROR<br>
&gt;&gt; [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]<br>
&gt;&gt; (ajp--127.0.0.1-8702-3) Failed ldap search server<br>
&gt;&gt; ldap://<a href="http://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu.intern.customer-virt.eu:389</a> using<br>
&gt;&gt; user <a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a> due to<br>
&gt;&gt; <a href="http://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu.intern.customer-virt.eu:389</a>; nested<br>
&gt;&gt; exception is javax.naming.CommunicationException:<br>
&gt;&gt; <a href="http://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu.intern.customer-virt.eu:389</a> [Root<br>
&gt;&gt; exception is java.net.UnknownHostException:<br>
&gt;&gt; <a href="http://auth02.intern.customer-virt.eu.intern.customer-virt.eu" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu.intern.customer-virt.eu</a>]. We should try<br>
&gt;&gt; the next server<br>
&gt;&gt;<br>
&gt;&gt; 2016-06-03 17:18:41,675 ERROR<br>
&gt;&gt; [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LDAPTemplateWrapper]<br>
&gt;&gt; (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter<br>
&gt;&gt; is<br>
&gt;&gt; (&amp;(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=kries)).<br>
&gt;&gt; Exception message is: null<br>
&gt;&gt;<br>
&gt;&gt; 2016-06-03 17:18:41,681 ERROR<br>
&gt;&gt; [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]<br>
&gt;&gt; (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that<br>
&gt;&gt; the login name , password and path are correct.<br>
&gt;&gt;<br>
&gt;&gt; 2016-06-03 17:18:41,690 ERROR<br>
&gt;&gt; [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]<br>
&gt;&gt; (ajp--127.0.0.1-8702-3) Failed ldap search server<br>
&gt;&gt; ldap://<a href="http://auth02.intern.customer-virt.eu:389" rel="noreferrer" target="_blank">auth02.intern.customer-virt.eu:389</a> using user<br>
&gt;&gt; <a href="mailto:kries@INTERN.CUSTOMER-VIRT.EU">kries@INTERN.CUSTOMER-VIRT.EU</a> due to Kerberos error. Please check log<br>
&gt;&gt; for further details.. We should not try the next server<br>
&gt;&gt;<br>
&gt;&gt; 2016-06-03 17:18:41,698 ERROR<br>
&gt;&gt; [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]<br>
&gt;&gt; (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain<br>
&gt;&gt; <a href="http://intern.customer-virt.eu" rel="noreferrer" target="_blank">intern.customer-virt.eu</a>. Ldap Query Type is getUserByName<br>
&gt;&gt;<br>
&gt;&gt; 2016-06-03 17:18:41,703 ERROR<br>
&gt;&gt; [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]<br>
&gt;&gt; (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further<br>
&gt;&gt; details.<br>
&gt;&gt;<br>
&gt;&gt; 2016-06-03 17:18:41,706 ERROR<br>
&gt;&gt; [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]<br>
&gt;&gt; (ajp--127.0.0.1-8702-3) Failed to run command<br>
&gt;&gt; LdapAuthenticateUserCommand. Domain is <a href="http://intern.customer-virt.eu" rel="noreferrer" target="_blank">intern.customer-virt.eu</a>. User is<br>
&gt;&gt; kries.<br>
&gt;&gt;<br>
&gt;&gt; 2016-06-03 17:18:41,712 INFO<br>
&gt;&gt;  [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]<br>
&gt;&gt; (ajp--127.0.0.1-8702-3) Cant login user &quot;kries&quot; with authentication<br>
&gt;&gt; profile &quot;<a href="http://intern.customer-virt.eu" rel="noreferrer" target="_blank">intern.customer-virt.eu</a>&quot; because the authentication failed.<br>
&gt;&gt;<br>
&gt;&gt; 2016-06-03 17:18:41,719 ERROR<br>
&gt;&gt; [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]<br>
&gt;&gt; (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom<br>
&gt;&gt; Event ID: -1, Message: User <a href="mailto:kries@intern.customer-virt.eu">kries@intern.customer-virt.eu</a> failed to log in.<br>
&gt;&gt;<br>
&gt;&gt; 2016-06-03 17:18:41,723 WARN<br>
&gt;&gt;  [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]<br>
&gt;&gt; (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for<br>
&gt;&gt; user <a href="mailto:kries@intern.customer-virt.eu">kries@intern.customer-virt.eu</a>. Reasons: USER_FAILED_TO_AUTHENTICATE<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; ###<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; Any thoughts on why I can&#39;t authenticate via oVirt against IPA2?<br>
&gt;<br>
&gt; Can you please also share if there is some error in /var/log/krb5kdc.log<br>
&gt; in IPA2?<br>
&gt;<br>
&gt; Anyway, please migrate to the new ovirt-engine-extensions-aaa-ldap; read<br>
&gt; this [1] for more information.<br>
&gt;<br>
&gt; [1] <a href="http://lists.ovirt.org/pipermail/users/2015-August/034008.html" rel="noreferrer" target="_blank">http://lists.ovirt.org/pipermail/users/2015-August/034008.html</a><br>
&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; Thanks<br>
&gt;&gt;<br>
&gt;&gt; Greets<br>
&gt;&gt;<br>
&gt;&gt; Kilian<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; _______________________________________________<br>
&gt;&gt; Users mailing list<br>
&gt;&gt; <a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
&gt;&gt; <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
&gt;&gt;<br>
&gt;<br>
</div></div></blockquote></div><br></div>
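Ondra's diagnosis in the thread turns on two observable facts in engine.log: the LDAP server FQDN carried its DNS suffix twice (auth02.intern.customer-virt.eu.intern.customer-virt.eu, the usual result of a search domain being appended to an already fully qualified name), and once the record was fixed the failure reason moved from an unresolvable host to a Kerberos error. The script below is an added example, not code from the thread or from the oVirt project: it parses DirectorySearcher lines of the shape quoted above, flags hostnames with a doubled suffix, and classifies each failure so you know whether to look at DNS and the --ldap-servers value or at the KDC. The sample lines are the thread's own two DirectorySearcher messages, joined back onto one line each; the function names and the `domain` parameter are assumptions of this example.

```python
"""Triage oVirt engine.log LDAP/Kerberos login failures.

Added example (not from the ovirt-users thread or the oVirt project).
It handles the two things the thread turned on:
  * an LDAP server FQDN whose DNS suffix is doubled, the usual sign of a
    hostname that had the search domain appended on top of an already
    fully qualified name;
  * the failure class behind "Failed ldap search server ...", i.e. an
    unresolvable host (look at DNS / --ldap-servers) versus a Kerberos
    error (the host resolved; look at the KDC side).
"""
import re

# Constructed sample: the thread's two DirectorySearcher lines, joined back
# onto one line each. The first is from before the DNS fix, the second after.
SAMPLE_LOG = """\
2016-06-03 17:18:40,416 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using user kries@INTERN.CUSTOMER-VIRT.EU due to auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu]. We should try the next server
2016-06-03 17:18:41,690 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu:389 using user kries@INTERN.CUSTOMER-VIRT.EU due to Kerberos error. Please check log for further details.. We should not try the next server
"""

# Shape of the DirectorySearcher message as quoted in the thread.
SEARCH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>\w+)\s+"
    r"\[(?P<logger>[^\]]+)\] \(\S+\) "
    r"Failed ldap search server ldap://(?P<host>[^:/\s]+):(?P<port>\d+) "
    r"using user (?P<user>\S+) due to (?P<reason>.*)$"
)


def doubled_suffix(host: str, domain: str) -> bool:
    """True if `host` ends with `domain` twice in a row, e.g.
    auth02.intern.example.eu.intern.example.eu for domain intern.example.eu."""
    labels = host.lower().rstrip(".").split(".")
    dom = domain.lower().rstrip(".").split(".")
    n = len(dom)
    return (len(labels) >= 2 * n + 1
            and labels[-n:] == dom
            and labels[-2 * n:-n] == dom)


def classify_reason(reason: str) -> str:
    """Map the free-text reason to the subsystem to inspect next."""
    if "UnknownHostException" in reason:
        return "dns"          # name did not resolve: DNS / --ldap-servers value
    if "Kerberos error" in reason:
        return "kerberos"     # host was reached, the Kerberos bind failed
    return "other"


def triage(log_text: str, domain: str) -> list:
    """Return one finding dict per DirectorySearcher failure line."""
    findings = []
    for line in log_text.splitlines():
        m = SEARCH_FAIL_RE.match(line)
        if not m:
            continue
        host = m.group("host")
        reason = m.group("reason")
        findings.append({
            "time": m.group("ts"),
            "host": host,
            "user": m.group("user"),
            "failure": classify_reason(reason),
            "doubled_suffix": doubled_suffix(host, domain),
            # the message itself states whether oVirt falls through to the next server
            "will_try_next": reason.endswith("We should try the next server"),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "intern.customer-virt.eu"):
        print(finding)
```

Run it against a real engine.log with the realm's DNS domain as `domain`. A `dns` finding with `doubled_suffix` true points at the --ldap-servers value or the SRV record for that host; a `kerberos` finding means the name resolved and the connection was made, so the next place to look is the KDC and directory server logs on that IPA replica.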