Re: [Engine-devel] users cannot log into userportal

----- Original Message ----- From: "Alexander Wels" <awels(a)redhat.com&gt; Sent: Friday, August 9, 2013 10:11:07 AM On Friday, August 09, 2013 08:28:15 AM Einav Cohen wrote: > > ----- Original Message ----- > > From: "Alexander Wels" <awels(a)redhat.com&gt; > > Sent: Friday, August 9, 2013 8:19:34 AM > > > > On Thursday, August 08, 2013 09:10:33 PM Einav Cohen wrote: > > > > ----- Original Message ----- > > > > From: "Dead Horse" <deadhorseconsulting(a)gmail.com&gt; > > > > Sent: Thursday, August 8, 2013 7:51:03 PM > > > > > > > > I verified the fix against current master with multiple installs and > > > > browsers. Thanks guys! > > > > > > > > Fix verified to work with: > > > > Firefox Version 22.0-1 > > > > Google Chrome Version 28.0.1500.95 > > > > > > > > I still noted an odd issue with Firefox Version 17.0.8-1 (Current > > > > Firefox > > > > EL6 Version). > > > > The login into the user portal succeeds and a successful login is > > > > logged, > > > > however the login remains hung at the login dialog indefinitely. > > > > Reloading the page and closing the browser does not change things. > > > > Also removing ~/<username>/.mozilla and starting fresh results in the > > > > same. > > > > Can someone else check and verify similar oddness with EL6 Firefox. > > > > > > similar oddness was indeed encountered lately. Alexander (added) is > > > currently investigating. > > > @Alexander - can you please update on the investigation progress in > > > this > > > thread? > > > > As noted this seems to only happen with FF 17 ESR, which is the current > > EL6 > > version. If I use firebug or attach a GWT debugger, the problem goes > > away. > > Heck > > if I compile GWT in draft mode the problem goes away. I did however make > > some > > progress yesterday in determining the cause. It seems to me that for some > > reason revealDefaultPlace in the user portal is called multiple times and > > in certain cases the second time the method is called it never finishes > > which causes the behavior we are seeing. > > > > Still no solution, but this is my top priority to get working. > > many thanks for the update, Alexander. > this is a long shot, but it just occurred to me that recently the Message > of > the day feature has been introduced to the user portal login page [1]. > @Alexander - maybe worth investigating in that direction (i.e. if this > patch is reverted, does the problem go away?) > > [1] http://gerrit.ovirt.org/#/c/17545/ > I reversed that patch, but it had no effect on the problem. It did make the weird looking box underneath the login box go away, so at least I know where that came from.

> > Alexander > > > > > > - DHC > > > > > > > > > > > > On Wed, Aug 7, 2013 at 1:50 PM, Dead Horse < > > > > deadhorseconsulting(a)gmail.com > > > > > > > > > wrote: > > > > I see the fix in Gerrit/GIT. Thanks guys! I will test and update > > > > results > > > > tomorrow morning. > > > > - DHC > > > > > > > > > > > > On Wed, Aug 7, 2013 at 1:01 PM, Yair Zaslavsky < yzaslavs(a)redhat.com > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > > > > From: "Yair Zaslavsky" < yzaslavs(a)redhat.com > > > > > > To: "Dead Horse" < deadhorseconsulting(a)gmail.com > > > > > > Cc: "engine-devel" < engine-devel(a)ovirt.org > > > > > > Sent: Wednesday, August 7, 2013 9:00:34 PM > > > > > Subject: Re: [Engine-devel] users cannot log into userportal > > > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > > > > > > From: "Dead Horse" < deadhorseconsulting(a)gmail.com > > > > > > > To: "Itamar Heim" < iheim(a)redhat.com > > > > > > > Cc: "engine-devel" < engine-devel(a)ovirt.org >, "Yair Zaslavsky" > > > > > > < yzaslavs(a)redhat.com > > > > > > > Sent: Wednesday, August 7, 2013 6:14:02 PM > > > > > > Subject: Re: [Engine-devel] users cannot log into userportal > > > > > > > > > > > > BZ994604 ( https://bugzilla.redhat.com/show_bug.cgi?id=994604 ) > > > > > > has > > > > > > been > > > > > > opened. > > > > > > - DHC > > > > > > > > > > Thanks for your help DHC, > > > > > This was already fixed by rnori. > > > > > > > > Of course "already fixed" comparing with current time. This was > > > > indeed > > > > a > > > > real issue. > > > > > > > > > > On Wed, Aug 7, 2013 at 5:35 AM, Itamar Heim < iheim(a)redhat.com > > > > > wrote: > > > > > > > On 08/07/2013 12:10 AM, Dead Horse wrote: > > > > > > >> I have found some steps to reproduce this easily. > > > > > > >> > > > > > > >> Start the engine bound to an AD for authentication > > > > > > >> log in to the user portal as an AD user which has been granted > > > > > > >> a > > > > > > >> Role > > > > > > >> (I > > > > > > >> used PowerUserRole) > > > > > > >> > > > > > > >> Result: Login will succeed > > > > > > >> Data from engine.log: > > > > > > >> 2013-08-06 15:54:10,088 INFO > > > > > > >> [org.ovirt.engine.core.bll.**LoginUserCommand] > > > > > > >> (ajp--127.0.0.1-8702-10) > > > > > > >> Running command: LoginUserCommand internal: false. > > > > > > >> 2013-08-06 15:54:10,139 INFO > > > > > > >> [org.ovirt.engine.core.dal.**dbbroker.auditloghandling.** > > > > > > >> AuditLogDirector] > > > > > > >> (ajp--127.0.0.1-8702-10) Correlation ID: 23c4709, Call Stack: > > > > > > >> null, > > > > > > >> Custom Event ID: -1, Message: User ovirttest logged in. > > > > > > >> > > > > > > >> log out of the user portal > > > > > > >> Result: log out succeeds > > > > > > >> Data from engine.log: > > > > > > >> 2013-08-06 15:54:12,448 INFO > > > > > > >> [org.ovirt.engine.core.bll.**LogoutUserCommand] > > > > > > >> (ajp--127.0.0.1-8702-2) > > > > > > >> Running command: LogoutUserCommand internal: false. > > > > > > >> 2013-08-06 15:54:12,474 INFO > > > > > > >> [org.ovirt.engine.core.dal.**dbbroker.auditloghandling.** > > > > > > >> AuditLogDirector] > > > > > > >> (ajp--127.0.0.1-8702-2) Correlation ID: 52a89e7d, Call Stack: > > > > > > >> null, > > > > > > >> Custom Event ID: -1, Message: User ovirttest logged out. > > > > > > >> > > > > > > >> As the same user log in to the user portal again but this > > > > > > >> purposely > > > > > > >> input the wrong password. > > > > > > >> Result: log in will fail > > > > > > >> Data from engine.log: > > > > > > >> 2013-08-06 15:54:20,830 ERROR > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.**GSSAPIDirContextAuthent > > > > > > >> icat > > > > > > >> ion** > > > > > > >> Strategy] > > > > > > >> (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication > > > > > > >> information > > > > > > >> was invalid (24) > > > > > > >> 2013-08-06 15:54:20,832 ERROR > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.**GSSAPIDirContextAuthent > > > > > > >> icat > > > > > > >> ion** > > > > > > >> Strategy] > > > > > > >> (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify > > > > > > >> the > > > > > > >> username and password. > > > > > > >> 2013-08-06 15:54:20,843 ERROR > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.DirectorySearcher] > > > > > > >> (ajp--127.0.0.1-8702-7) Failed ldap search server > > > > > > >> LDAP://foodc02.foo.test.com:**389 < > > > > > > >> http://foodc02.foo.test.com:389 > > > > > > >> > > > > > > >> < > > > > > > >> http://foodc02.foo.test.com:**389 < > > > > > > >> http://foodc02.foo.test.com:389 > > > > > > >> > > > > > > >> using > > > > > > >> user ovirttest(a)FOO.TEST.COM <mailto: ovirttest(a)FOO.TEST.COM > > > > > > >> **> > > > > > > >> due > > > > > > >> to > > > > > > >> > > > > > > >> Authentication Failed. Please verify the username and > > > > > > >> password.. > > > > > > >> We > > > > > > >> should not try the next server > > > > > > >> 2013-08-06 15:54:20,850 ERROR > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.**GSSAPIDirContextAuthent > > > > > > >> icat > > > > > > >> ion** > > > > > > >> Strategy] > > > > > > >> (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication > > > > > > >> information > > > > > > >> was invalid (24) > > > > > > >> 2013-08-06 15:54:20,851 ERROR > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.**GSSAPIDirContextAuthent > > > > > > >> icat > > > > > > >> ion** > > > > > > >> Strategy] > > > > > > >> (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify > > > > > > >> the > > > > > > >> username and password. > > > > > > >> 2013-08-06 15:54:20,852 ERROR > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.DirectorySearcher] > > > > > > >> (ajp--127.0.0.1-8702-7) Failed ldap search server > > > > > > >> LDAP://foodc01.foo.test.com:**389 < > > > > > > >> http://foodc01.foo.test.com:389 > > > > > > >> > > > > > > >> < > > > > > > >> http://foodc01.foo.test.com:**389 < > > > > > > >> http://foodc01.foo.test.com:389 > > > > > > >> > > > > > > >> using > > > > > > >> user ovirttest(a)FOO.TEST.COM <mailto: ovirttest(a)FOO.TEST.COM > > > > > > >> **> > > > > > > >> due > > > > > > >> to > > > > > > >> > > > > > > >> Authentication Failed. Please verify the username and > > > > > > >> password.. > > > > > > >> We > > > > > > >> should not try the next server > > > > > > >> 2013-08-06 15:54:20,853 ERROR > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.**LdapAuthenticateUserCom > > > > > > >> mand > > > > > > >> ] > > > > > > >> (ajp--127.0.0.1-8702-7) Failed authenticating user: ovirttest > > > > > > >> to > > > > > > >> domain > > > > > > >> gso.med.ge.com < http://gso.med.ge.com >. Ldap Query Type is > > > > > > >> getUserByName > > > > > > >> > > > > > > >> 2013-08-06 15:54:20,854 ERROR > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.**LdapAuthenticateUserCom > > > > > > >> mand > > > > > > >> ] > > > > > > >> (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify > > > > > > >> the > > > > > > >> username and password. > > > > > > >> 2013-08-06 15:54:20,855 ERROR > > > > > > >> [org.ovirt.engine.core.bll.**LoginUserCommand] > > > > > > >> (ajp--127.0.0.1-8702-7) > > > > > > >> USER_FAILED_TO_AUTHENTICATE_**WRONG_USERNAME_OR_PASSWORD : > > > > > > >> ovirttest > > > > > > >> 2013-08-06 15:54:20,856 WARN > > > > > > >> [org.ovirt.engine.core.bll.**LoginUserCommand] > > > > > > >> (ajp--127.0.0.1-8702-7) > > > > > > >> CanDoAction of action LoginUser failed. > > > > > > >> Reasons:USER_FAILED_TO_**AUTHENTICATE_WRONG_USERNAME_**OR_PASSW > > > > > > >> ORD > > > > > > >> > > > > > > >> Try again to log in as the same user this time typing the > > > > > > >> correct > > > > > > >> password. > > > > > > >> Result: Login fails! > > > > > > >> Data from engine.log: > > > > > > >> 2013-08-06 15:54:25,186 ERROR > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.**LdapAuthenticateUserCom > > > > > > >> mand > > > > > > >> ] > > > > > > >> (ajp--127.0.0.1-8702-7) Failed authenticating user: ovirttest > > > > > > >> to > > > > > > >> domain > > > > > > >> gso.med.ge.com < http://gso.med.ge.com >. Ldap Query Type is > > > > > > >> getUserByName > > > > > > >> > > > > > > >> 2013-08-06 15:54:25,187 ERROR > > > > > > >> [org.ovirt.engine.core.bll.**LoginUserCommand] > > > > > > >> (ajp--127.0.0.1-8702-7) > > > > > > >> USER_FAILED_TO_AUTHENTICATE : ovirttest > > > > > > >> 2013-08-06 15:54:25,187 WARN > > > > > > >> [org.ovirt.engine.core.bll.**LoginUserCommand] > > > > > > >> (ajp--127.0.0.1-8702-7) > > > > > > >> CanDoAction of action LoginUser failed. > > > > > > >> Reasons:USER_FAILED_TO_** > > > > > > >> AUTHENTICATE > > > > > > >> > > > > > > >> Try again with another AD user. > > > > > > >> Result: Login fails! > > > > > > >> Data from engine.log: > > > > > > >> 2013-08-06 15:54:38,056 ERROR > > > > > > >> [org.ovirt.engine.core.bll.**adbroker.**LdapAuthenticateUserCom > > > > > > >> mand > > > > > > >> ] > > > > > > >> (ajp--127.0.0.1-8702-5) Failed authenticating user: ovirtadmin > > > > > > >> to > > > > > > >> domain > > > > > > >> gso.med.ge.com < http://gso.med.ge.com >. Ldap Query Type is > > > > > > >> getUserByName > > > > > > >> > > > > > > >> 2013-08-06 15:54:38,057 ERROR > > > > > > >> [org.ovirt.engine.core.bll.**LoginUserCommand] > > > > > > >> (ajp--127.0.0.1-8702-5) > > > > > > >> USER_FAILED_TO_AUTHENTICATE : ovirtadmin > > > > > > >> 2013-08-06 15:54:38,058 WARN > > > > > > >> [org.ovirt.engine.core.bll.**LoginUserCommand] > > > > > > >> (ajp--127.0.0.1-8702-5) > > > > > > >> CanDoAction of action LoginUser failed. > > > > > > >> Reasons:USER_FAILED_TO_** > > > > > > >> AUTHENTICATE > > > > > > >> > > > > > > >> Logging into the admin portal as the admin@internal user will > > > > > > >> yield > > > > > > >> that > > > > > > >> engine seems to have forgotten about and can no longer > > > > > > >> enumerate > > > > > > >> AD > > > > > > >> users and groups. > > > > > > >> engine stays in this state until it has been restarted. > > > > > > >> > > > > > > >> I also note the two following errors in the engine log file as > > > > > > >> well: > > > > > > >> 2013-08-06 15:53:41,098 ERROR > > > > > > >> [org.ovirt.engine.core.dal.**dbbroker.generic.**DBConfigUtils] > > > > > > >> (MSC > > > > > > >> service > > > > > > >> thread 1-9) Could not parse option AutoRecoveryAllowedTypes > > > > > > >> value. > > > > > > >> 2013-08-06 15:53:41,161 ERROR > > > > > > >> [org.ovirt.engine.core.dal.**dbbroker.generic.**DBConfigUtils] > > > > > > >> (MSC > > > > > > >> service > > > > > > >> thread 1-9) Failed to decrypt value for property > > > > > > >> AttestationTruststorePass will be used encrypted value: > > > > > > >> javax.crypto.**BadPaddingException: Data must start with zero > > > > > > >> > > > > > > >> - DHC > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > >> On Tue, Aug 6, 2013 at 1:31 PM, Dead Horse > > > > > > >> < deadhorseconsulting(a)gmail.com > > > > > > >> <mailto: deadhorseconsulting@ ** gmail.com < > > > > > > >> deadhorseconsulting(a)gmail.com > > > > > > > >> > > > > > > >> > > > > > > >> wrote: > > > > > > >> > > > > > > >> Really attaching logs from other install. > > > > > > >> - DHC > > > > > > >> > > > > > > >> > > > > > > >> On Tue, Aug 6, 2013 at 1:30 PM, Dead Horse > > > > > > >> < deadhorseconsulting(a)gmail.com > > > > > > >> <mailto: deadhorseconsulting@ ** gmail.com < > > > > > > >> deadhorseconsulting(a)gmail.com >>> > > > > > > >> wrote: > > > > > > >> > > > > > > >> Also I note that he login does succeed in the AD servers logs > > > > > > >> as > > > > > > >> well as the engine also acknowledges the same. However the > > > > > > >> login > > > > > > >> ends up in either the user logging in and the dialog sitting > > > > > > >> in > > > > > > >> space forever and/or the engine no longer enumerating the AD > > > > > > >> users/groups. > > > > > > >> > > > > > > >> Attached are logs from another install seeing the same thing. > > > > > > >> -DHC > > > > > > >> > > > > > > >> > > > > > > >> On Tue, Aug 6, 2013 at 1:20 PM, Dead Horse > > > > > > >> < deadhorseconsulting(a)gmail.com > > > > > > >> <mailto: deadhorseconsulting@ ** gmail.com < > > > > > > >> deadhorseconsulting(a)gmail.com >>> > > > > > > >> wrote: > > > > > > >> > > > > > > >> > > > > > > >> Seeing and issue where users are not able to log in. Also > > > > > > >> for some reason the engine is seemingly forgeting about AD > > > > > > >> users. Removing the AD domain via engine-manage-domains and > > > > > > >> re-adding it works for enumerating the users, however the > > > > > > >> first attempt to login as a user results in the engine no > > > > > > >> longer enumerating the users nor allowing logins. > > > > > > >> Attached are the pertinent logs. > > > > > > >> > > > > > > >> Engine is built and running from current master as of this > > > > > > >> morning, and was installed/built and upgraded via RPMs > > > > > > >> yum/engine-upgrade > > > > > > >> > > > > > > >> - DHC > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > >> ______________________________**_________________ > > > > > > >> Engine-devel mailing list > > > > > > >> Engine-devel(a)ovirt.org > > > > > > >> http://lists.ovirt.org/**mailman/listinfo/engine-devel < > > > > > > >> http://lists.ovirt.org/mailman/listinfo/engine-devel > > > > > > > > > > > > > > > thanks for reproducing with such clear steps. can you please > > > > > > > open a > > > > > > > bug? > > > > > > > yair - can you try and reproduce as well (I tried on an older > > > > > > > rhev > > > > > > > 3.2 > > > > > > > i > > > > > > > have and couldn't with the IPA provider) > > > > > > > > > > _______________________________________________ > > > > > Engine-devel mailing list > > > > > Engine-devel(a)ovirt.org > > > > > http://lists.ovirt.org/mailman/listinfo/engine-devel > > > > > > > > _______________________________________________ > > > > Engine-devel mailing list > > > > Engine-devel(a)ovirt.org > > > > http://lists.ovirt.org/mailman/listinfo/engine-devel