From: "Dead Horse" <deadhorseconsulting(a)gmail.com>
To: "Itamar Heim" <iheim(a)redhat.com>
Cc: "engine-devel" <engine-devel(a)ovirt.org>, "Yair Zaslavsky"
<yzaslavs(a)redhat.com>
Sent: Wednesday, August 7, 2013 6:14:02 PM
Subject: Re: [Engine-devel] users cannot log into userportal
BZ994604 (https://bugzilla.redhat.com/show_bug.cgi?id=994604) has been
opened.
- DHC
On Wed, Aug 7, 2013 at 5:35 AM, Itamar Heim <iheim(a)redhat.com> wrote:
> On 08/07/2013 12:10 AM, Dead Horse wrote:
>
>> I have found some steps to reproduce this easily.
>>
>> Start the engine bound to an AD for authentication
>> log in to the user portal as an AD user which has been granted a Role (I
>> used PowerUserRole)
>>
>> Result: Login will succeed
>> Data from engine.log:
>> 2013-08-06 15:54:10,088 INFO
>> [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-10)
>> Running command: LoginUserCommand internal: false.
>> 2013-08-06 15:54:10,139 INFO
>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> (ajp--127.0.0.1-8702-10) Correlation ID: 23c4709, Call Stack: null,
>> Custom Event ID: -1, Message: User ovirttest logged in.
>>
>> log out of the user portal
>> Result: log out succeeds
>> Data from engine.log:
>> 2013-08-06 15:54:12,448 INFO
>> [org.ovirt.engine.core.bll.LogoutUserCommand] (ajp--127.0.0.1-8702-2)
>> Running command: LogoutUserCommand internal: false.
>> 2013-08-06 15:54:12,474 INFO
>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> (ajp--127.0.0.1-8702-2) Correlation ID: 52a89e7d, Call Stack: null,
>> Custom Event ID: -1, Message: User ovirttest logged out.
>>
>> As the same user, log in to the user portal again, but this time purposely
>> input the wrong password.
>> Result: log in will fail
>> Data from engine.log:
>> 2013-08-06 15:54:20,830 ERROR
>> [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
>> (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication information
>> was invalid (24)
>> 2013-08-06 15:54:20,832 ERROR
>> [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
>> (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the
>> username and password.
>> 2013-08-06 15:54:20,843 ERROR
>> [org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
>> (ajp--127.0.0.1-8702-7) Failed ldap search server
>> LDAP://foodc02.foo.test.com:389 using user ovirttest(a)FOO.TEST.COM due to
>> Authentication Failed. Please verify the username and password.. We
>> should not try the next server
>> 2013-08-06 15:54:20,850 ERROR
>> [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
>> (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication information
>> was invalid (24)
>> 2013-08-06 15:54:20,851 ERROR
>> [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
>> (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the
>> username and password.
>> 2013-08-06 15:54:20,852 ERROR
>> [org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
>> (ajp--127.0.0.1-8702-7) Failed ldap search server
>> LDAP://foodc01.foo.test.com:389 using user ovirttest(a)FOO.TEST.COM due to
>> Authentication Failed. Please verify the username and password.. We
>> should not try the next server
>> 2013-08-06 15:54:20,853 ERROR
>> [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand]
>> (ajp--127.0.0.1-8702-7) Failed authenticating user: ovirttest to domain
>> gso.med.ge.com. Ldap Query Type is getUserByName
>> 2013-08-06 15:54:20,854 ERROR
>> [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand]
>> (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the
>> username and password.
>> 2013-08-06 15:54:20,855 ERROR
>> [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7)
>> USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD : ovirttest
>> 2013-08-06 15:54:20,856 WARN
>> [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7)
>> CanDoAction of action LoginUser failed.
>> Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
>>
>> Try again to log in as the same user this time typing the correct
>> password.
>> Result: Login fails!
>> Data from engine.log:
>> 2013-08-06 15:54:25,186 ERROR
>> [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand]
>> (ajp--127.0.0.1-8702-7) Failed authenticating user: ovirttest to domain
>> gso.med.ge.com. Ldap Query Type is getUserByName
>> 2013-08-06 15:54:25,187 ERROR
>> [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7)
>> USER_FAILED_TO_AUTHENTICATE : ovirttest
>> 2013-08-06 15:54:25,187 WARN
>> [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7)
>> CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE
>>
>> Try again with another AD user.
>> Result: Login fails!
>> Data from engine.log:
>> 2013-08-06 15:54:38,056 ERROR
>> [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand]
>> (ajp--127.0.0.1-8702-5) Failed authenticating user: ovirtadmin to domain
>> gso.med.ge.com. Ldap Query Type is getUserByName
>> 2013-08-06 15:54:38,057 ERROR
>> [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-5)
>> USER_FAILED_TO_AUTHENTICATE : ovirtadmin
>> 2013-08-06 15:54:38,058 WARN
>> [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-5)
>> CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE
>>
>> Logging into the admin portal as the admin@internal user will yield that
>> engine seems to have forgotten about and can no longer enumerate AD
>> users and groups.
>> engine stays in this state until it has been restarted.
>>
>> I also note the two following errors in the engine log file as well:
>> 2013-08-06 15:53:41,098 ERROR
>> [org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (MSC service
>> thread 1-9) Could not parse option AutoRecoveryAllowedTypes value.
>> 2013-08-06 15:53:41,161 ERROR
>> [org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (MSC service
>> thread 1-9) Failed to decrypt value for property
>> AttestationTruststorePass will be used encrypted value:
>> javax.crypto.BadPaddingException: Data must start with zero
>>
>> - DHC
>>
>>
>>
>> On Tue, Aug 6, 2013 at 1:31 PM, Dead Horse
>> <deadhorseconsulting(a)gmail.com> wrote:
>>
>> Really attaching logs from other install.
>> - DHC
>>
>>
>> On Tue, Aug 6, 2013 at 1:30 PM, Dead Horse
>> <deadhorseconsulting(a)gmail.com> wrote:
>>
>> Also I note that the login does succeed in the AD servers' logs as
>> well as the engine also acknowledges the same. However the login
>> ends up in either the user logging in and the dialog sitting in
>> space forever and/or the engine no longer enumerating the AD
>> users/groups.
>>
>> Attached are logs from another install seeing the same thing.
>> -DHC
>>
>>
>> On Tue, Aug 6, 2013 at 1:20 PM, Dead Horse
>> <deadhorseconsulting(a)gmail.com> wrote:
>>
>>
>> Seeing an issue where users are not able to log in. Also
>> for some reason the engine is seemingly forgetting about AD
>> users. Removing the AD domain via engine-manage-domains and
>> re-adding it works for enumerating the users, however the
>> first attempt to login as a user results in the engine no
>> longer enumerating the users nor allowing logins.
>> Attached are the pertinent logs.
>>
>> Engine is built and running from current master as of this
>> morning, and was installed/built and upgraded via RPMs
>> yum/engine-upgrade
>>
>> - DHC
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Engine-devel mailing list
>> Engine-devel(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/engine-devel
>>
>>
> thanks for reproducing with such clear steps. can you please open a bug?
> yair - can you try and reproduce as well (I tried on an older rhev 3.2 i
> have and couldn't with the IPA provider)
>
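The reproduction steps quoted in this thread describe a distinctive engine.log signature: one login rejected by AD (a Kerberos pre-authentication error followed by USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD), after which every later login, even for a different user, fails with the bare USER_FAILED_TO_AUTHENTICATE reason and no directory error at all, i.e. the engine never asks AD again. The script below is an added example, not code from the thread or from oVirt, that scans engine.log for that pattern so an operator can tell "engine is stuck and needs a restart" apart from ordinary bad passwords; the condensed sample log is constructed from the excerpts above, and the logger-name and message matching is an assumption about the log format shown.

```python
import re

# engine.log entry shape as quoted in the thread: timestamp, level, [logger], (thread), message
LINE = re.compile(r"^(\S+ \S+) (INFO|WARN|ERROR) \[(\S+)\] \((\S+)\) (.*)$")

# Constructed sample: the thread's excerpts condensed to one entry per line
# (the mail client had wrapped them); entries not needed for the check are omitted.
SAMPLE_LOG = """\
2013-08-06 15:54:10,139 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-10) Correlation ID: 23c4709, Call Stack: null, Custom Event ID: -1, Message: User ovirttest logged in.
2013-08-06 15:54:20,830 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication information was invalid (24)
2013-08-06 15:54:20,855 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD : ovirttest
2013-08-06 15:54:25,187 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE : ovirttest
2013-08-06 15:54:38,057 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-5) USER_FAILED_TO_AUTHENTICATE : ovirtadmin
"""


def find_stuck_state(log_text, min_users=2):
    """Return {"since": ts, "users": [...]} when, after a Kerberos-rejected login,
    at least `min_users` distinct users fail with the bare reason and no
    directory error was logged for their attempt (the engine never re-asked AD).
    Returns None if the pattern is absent or a later login succeeded."""
    trigger = None             # timestamp of the WRONG_USERNAME_OR_PASSWORD failure
    bare_users = []            # users rejected without any directory round-trip
    directory_consulted = False
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped continuation or unrelated line
        ts, _level, logger, _thread, msg = m.groups()
        if logger.endswith(".GSSAPIDirContextAuthenticationStrategy") and "Kerberos error" in msg:
            directory_consulted = True       # AD actually answered this attempt
        elif logger.endswith(".AuditLogDirector") and msg.endswith("logged in."):
            trigger, bare_users = None, []   # a real login worked: not stuck
        elif logger.endswith(".LoginUserCommand"):
            if msg.startswith("USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD"):
                trigger, bare_users, directory_consulted = ts, [], False
            elif msg.startswith("USER_FAILED_TO_AUTHENTICATE :"):
                user = msg.split(":", 1)[1].strip()
                if trigger and not directory_consulted and user not in bare_users:
                    bare_users.append(user)
                directory_consulted = False  # next attempt must show its own AD error
    if trigger and len(bare_users) >= min_users:
        return {"since": trigger, "users": bare_users}
    return None


if __name__ == "__main__":
    print(find_stuck_state(SAMPLE_LOG))
```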