<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 12, 2018 at 1:04 PM, Martin Perina <span dir="ltr"><<a href="mailto:mperina@redhat.com" target="_blank">mperina@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 12, 2018 at 12:44 PM, Eitan Raviv <span dir="ltr"><<a href="mailto:eraviv@redhat.com" target="_blank">eraviv@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>The recurring denied access for every SyncNetworkProvider might be because you changed the admin password on the engine but not on the provider.<br><br>Dominik, will updating to the same password on the provider solve the denied access?<br></div><div>Martin, does the engine lock out the admin user for failed retries?<br></div></div></blockquote><div><br><div>Of course, after 5 incorrect logins the account is locked. But I looked at logs and I can't see any login errors, so currently trying to reproduce to find out what's going on ...<br></div></div></div></div></div></blockquote><div><br><div style="font-family:arial,helvetica,sans-serif;display:inline" class="gmail_default">OK, so confirmed. If you change the password for admin@internal using aaa-jdbc-tool and you don't change it immediately for the OVN provider, then the admin@internal account is locked.<br><br></div><div style="font-family:arial,helvetica,sans-serif;display:inline" class="gmail_default">We should probably change the logic in the OVN provider to shut down the OVN provider service if an authentication failure to the engine is raised. 
Using this we will break OVN provider, but<br></div><div style="font-family:arial,helvetica,sans-serif;display:inline" class="gmail_default">it seems to me much less severe than locking admin@internal account. Dominik, what do you think?<br></div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><div></div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br><br></div>HTH<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 12, 2018 at 12:29 PM, Käfer Marcel <span dir="ltr"><<a href="mailto:marcel.kaefer@putzbrunn.de" target="_blank">marcel.kaefer@putzbrunn.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="DE">
<div class="m_8431112185659963320m_5237658339845808930m_93154007004167478WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Here are the logfiles…<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thanks<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Eitan Raviv [mailto:<a href="mailto:eraviv@redhat.com" target="_blank">eraviv@redhat.com</a>]
<br>
<b>Sent:</b> Thursday, 12 April 2018 11:12<br>
<b>To:</b> Käfer Marcel<br>
<b>Cc:</b> <a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a>; Martin Perina<br>
<b>Subject:</b> Re: [ovirt-users] admin account constantly gets locked<u></u><u></u></span></p><div><div class="m_8431112185659963320m_5237658339845808930h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal">The sync network command is probably unrelated. <u></u><u></u></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Can you attach the full engine and the setup logs?<u></u><u></u></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Martin, this looks a bit like [1]. Any idea?<u></u><u></u></p>
</div>
<p class="MsoNormal">Thanks<u></u><u></u></p>
<div>
<p class="MsoNormal"><br>
<br>
[1] <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1410955" target="_blank">https://bugzilla.redhat.com/sh<wbr>ow_bug.cgi?id=1410955</a>
<u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Thu, Apr 12, 2018 at 10:22 AM, Käfer Marcel <<a href="mailto:marcel.kaefer@putzbrunn.de" target="_blank">marcel.kaefer@putzbrunn.de</a>> wrote:<u></u><u></u></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Hello,<br>
<br>
a few days ago I installed an ovirt-engine 4.2.2.6 following the steps of the documentation. After the installation I logged in to the admin page, configured a datadomain and changed the admin password. After a few hours I tried to log in again, using the new
password and got "Unable to log in because the user account is disabled or locked. Contact the system administrator." So I unlocked the admin account from the shell using "ovirt-aaa-jdbc-tool user unlock admin" which worked fine and I was able to continue
working till the next login.<br>
<br>
I traced the /var/log/ovirt-engine/engine.log and found this after unlocking the admin account again.<br>
<br>
2018-04-12 09:06:19,984+02 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42] Lock Acquired to object 'EngineLock:{exclusiveLocks='[e37c0b9e-09bc-4893-9b0c-c70f56d6ecfc=PROVIDER]', sharedLocks=''}'<br>
2018-04-12 09:06:19,991+02 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42] Running command: SyncNetworkProviderCommand internal: true.<br>
2018-04-12 09:06:20,102+02 INFO [org.ovirt.engine.extension.aaa.jdbc.core.Authentication] (default task-239) [] locking user: admin due to interval failures<br>
2018-04-12 09:06:25,046+02 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-239) [] OAuthException access_denied: Cannot authenticate user 'admin@internal': The username or password is incorrect..<br>
2018-04-12 09:06:25,049+02 ERROR [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42] Command 'org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand' failed: EngineException: (Failed with error Unauthorized and code 5050)<br>
2018-04-12 09:06:25,050+02 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42] Lock freed to object 'EngineLock:{exclusiveLocks='[e37c0b9e-09bc-4893-9b0c-c70f56d6ecfc=PROVIDER]', sharedLocks=''}'<br>
<br>
It seems like the SyncNetworkProviderCommand is somehow locking the admin account. I already restarted the whole machine but it didn't help.<br>
<br>
Can someone please point me in the right direction, where to find the error?<br>
<br>
Thanks in advance<u></u><u></u></span></p>
</div>
</div>
</div>
<p class="MsoNormal"><br>
<br clear="all"><span class="m_8431112185659963320HOEnZb"><font color="#888888">
<br>
-- <u></u><u></u></font></span></p><span class="m_8431112185659963320HOEnZb"><font color="#888888">
<div>
<div>
<div>
<div>
<p class="MsoNormal">Eitan Raviv<br>
IRC: erav (#ovirt #vdsm #devel #rhev-dev)<u></u><u></u></p>
</div>
</div>
</div>
</div>
</font></span></div><span class="m_8431112185659963320HOEnZb"><font color="#888888">
</font></span></div></div></div><span class="m_8431112185659963320HOEnZb"><font color="#888888">
</font></span></div><span class="m_8431112185659963320HOEnZb"><font color="#888888">
</font></span></blockquote></div><span class="m_8431112185659963320HOEnZb"><font color="#888888"><br><br clear="all"><span class="HOEnZb"><font color="#888888"><br>-- <br><div class="m_8431112185659963320m_5237658339845808930gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr">Eitan Raviv<br>IRC: erav (#ovirt #vdsm #devel #rhev-dev)<br></div></div></div></div>
</font></span></font></span></div><span class="HOEnZb"><font color="#888888">
</font></span></blockquote></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><br>-- <br><div class="m_8431112185659963320gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><font size="1">Martin Perina<br>Associate Manager, Software Engineering<br>Red Hat Czech s.r.o.<br></font></div></div>
</font></span></div></div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><font size="1">Martin Perina<br>Associate Manager, Software Engineering<br>Red Hat Czech s.r.o.<br></font></div></div>
</div></div>
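<p>Added example, not part of the original thread and not oVirt code: a log triage sketch that pairs each "locking user" entry in engine.log with internal scheduled commands that started just before it and then failed as Unauthorized under the same correlation id, which is the pattern the quoted log shows. The function names, the 10-second window and the field layout inferred from the quoted lines are assumptions of this example; the match is a timing heuristic, not proof of cause.</p>

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the engine.log entries quoted in the thread, with the
# mail client's link and line-break markup removed.
SAMPLE_LOG = """\
2018-04-12 09:06:19,991+02 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42] Running command: SyncNetworkProviderCommand internal: true.
2018-04-12 09:06:20,102+02 INFO [org.ovirt.engine.extension.aaa.jdbc.core.Authentication] (default task-239) [] locking user: admin due to interval failures
2018-04-12 09:06:25,046+02 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-239) [] OAuthException access_denied: Cannot authenticate user 'admin@internal': The username or password is incorrect..
2018-04-12 09:06:25,049+02 ERROR [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-87) [2ed5aa42] Command 'org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand' failed: EngineException: (Failed with error Unauthorized and code 5050)
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\S*\s+(?P<level>\w+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+\[(?P<corr>[^\]]*)\]\s+(?P<msg>.*)$"
)

def parse(log_text):
    """Yield one dict per well-formed line; continuation lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            ev = m.groupdict()
            # The UTC offset is dropped: all lines come from one host's log.
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S,%f")
            yield ev

def lockout_suspects(log_text, window=timedelta(seconds=10)):
    """Pair each account lockout with internal commands that started shortly
    before it and then failed as Unauthorized under the same correlation id."""
    events = list(parse(log_text))
    started, failed = {}, {}
    for ev in events:
        run = re.match(r"Running command: (\w+) internal: true", ev["msg"])
        if run and ev["corr"]:
            started[ev["corr"]] = (ev["ts"], run.group(1))
        elif ev["corr"] and "failed" in ev["msg"] and "Unauthorized" in ev["msg"]:
            failed[ev["corr"]] = ev["ts"]
    suspects = []
    for ev in events:
        lock = re.match(r"locking user: (\S+)", ev["msg"])
        if not (lock and ev["logger"].endswith("aaa.jdbc.core.Authentication")):
            continue
        for corr, (t0, command) in started.items():
            t1 = failed.get(corr)
            if t1 and ev["ts"] - window <= t0 <= ev["ts"] <= t1 <= ev["ts"] + window:
                suspects.append((lock.group(1), command, corr))
    return suspects
```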