BZ994604 (https://bugzilla.redhat.com/show_bug.cgi?id=994604) has been opened.
- DHC


On Wed, Aug 7, 2013 at 5:35 AM, Itamar Heim <iheim@redhat.com> wrote:
On 08/07/2013 12:10 AM, Dead Horse wrote:
I have found some steps to reproduce this easily.

Start the engine bound to an AD for authentication
log in to the user portal as an AD user which has been granted a Role (I
used PowerUserRole)

Result: Login will succeed
Data from engine.log:
2013-08-06 15:54:10,088 INFO
[org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-10)
Running command: LoginUserCommand internal: false.
2013-08-06 15:54:10,139 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-10) Correlation ID: 23c4709, Call Stack: null,
Custom Event ID: -1, Message: User ovirttest logged in.

log out of the user portal
Result: log out succeeds
Data from engine.log:
2013-08-06 15:54:12,448 INFO
[org.ovirt.engine.core.bll.LogoutUserCommand] (ajp--127.0.0.1-8702-2)
Running command: LogoutUserCommand internal: false.
2013-08-06 15:54:12,474 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-2) Correlation ID: 52a89e7d, Call Stack: null,
Custom Event ID: -1, Message: User ovirttest logged out.

As the same user, log in to the user portal again but this time purposely
input the wrong password.
Result: log in will fail
Data from engine.log:
2013-08-06 15:54:20,830 ERROR
[org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
(ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication information
was invalid (24)
2013-08-06 15:54:20,832 ERROR
[org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
(ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the
username and password.
2013-08-06 15:54:20,843 ERROR
[org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
(ajp--127.0.0.1-8702-7) Failed ldap search server
LDAP://foodc02.foo.test.com:389 using user ovirttest@FOO.TEST.COM due to
Authentication Failed. Please verify the username and password.. We
should not try the next server
2013-08-06 15:54:20,850 ERROR
[org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
(ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication information
was invalid (24)
2013-08-06 15:54:20,851 ERROR
[org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
(ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the
username and password.
2013-08-06 15:54:20,852 ERROR
[org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
(ajp--127.0.0.1-8702-7) Failed ldap search server
LDAP://foodc01.foo.test.com:389 using user ovirttest@FOO.TEST.COM due to
Authentication Failed. Please verify the username and password.. We
should not try the next server
2013-08-06 15:54:20,853 ERROR
[org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand]
(ajp--127.0.0.1-8702-7) Failed authenticating user: ovirttest to domain
gso.med.ge.com. Ldap Query Type is getUserByName

2013-08-06 15:54:20,854 ERROR
[org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand]
(ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the
username and password.
2013-08-06 15:54:20,855 ERROR
[org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7)
USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD : ovirttest
2013-08-06 15:54:20,856 WARN
[org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7)
CanDoAction of action LoginUser failed.
Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD

Try again to log in as the same user this time typing the correct password.
Result: Login fails!
Data from engine.log:
2013-08-06 15:54:25,186 ERROR
[org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand]
(ajp--127.0.0.1-8702-7) Failed authenticating user: ovirttest to domain
gso.med.ge.com. Ldap Query Type is getUserByName

2013-08-06 15:54:25,187 ERROR
[org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7)
USER_FAILED_TO_AUTHENTICATE : ovirttest
2013-08-06 15:54:25,187 WARN
[org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7)
CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE

Try again with another AD user.
Result: Login fails!
Data from engine.log:
2013-08-06 15:54:38,056 ERROR
[org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand]
(ajp--127.0.0.1-8702-5) Failed authenticating user: ovirtadmin to domain
gso.med.ge.com. Ldap Query Type is getUserByName

2013-08-06 15:54:38,057 ERROR
[org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-5)
USER_FAILED_TO_AUTHENTICATE : ovirtadmin
2013-08-06 15:54:38,058 WARN
[org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-5)
CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE

Logging into the admin portal as the admin@internal user will show that
the engine seems to have forgotten about and can no longer enumerate AD
users and groups.
The engine stays in this state until it has been restarted.

I also note the two following errors in the engine log file as well:
2013-08-06 15:53:41,098 ERROR
[org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (MSC service
thread 1-9) Could not parse option AutoRecoveryAllowedTypes value.
2013-08-06 15:53:41,161 ERROR
[org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (MSC service
thread 1-9) Failed to decrypt value for property
AttestationTruststorePass will be used encrypted value:
javax.crypto.BadPaddingException: Data must start with zero

- DHC
On Tue, Aug 6, 2013 at 1:31 PM, Dead Horse
<deadhorseconsulting@gmail.com> wrote:

    Really attaching logs from other install.
      - DHC


    On Tue, Aug 6, 2013 at 1:30 PM, Dead Horse
    <deadhorseconsulting@gmail.com> wrote:

        Also I note that the login does succeed in the AD servers' logs as
        well as the engine also acknowledges the same. However the login
        ends up in either the user logging in and the dialog sitting in
        space forever and/or the engine no longer enumerating the AD
        users/groups.

        Attached are logs from another install seeing the same thing.
        -DHC


        On Tue, Aug 6, 2013 at 1:20 PM, Dead Horse
        <deadhorseconsulting@gmail.com> wrote:


            Seeing an issue where users are not able to log in. Also
            for some reason the engine is seemingly forgetting about AD
            users. Removing the AD domain via engine-manage-domains and
            re-adding it works for enumerating the users, however the
            first attempt to login as a user results in the engine no
            longer enumerating the users nor allowing logins.
            Attached are the pertinent logs.

            Engine is built and running from current master as of this
            morning, and was installed/built and upgraded via RPMs
            yum/engine-upgrade

              - DHC
_______________________________________________
Engine-devel mailing list
Engine-devel@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-devel


Thanks for reproducing with such clear steps. Can you please open a bug?
Yair - can you try and reproduce as well (I tried on an older RHEV 3.2 I have and couldn't with the IPA provider)
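The reproduction above has a useful signal in it: the attempt with the wrong password reaches the KDC and is logged as USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD (Kerberos pre-authentication error 24), while every attempt after it, correct password or not, fails with the generic USER_FAILED_TO_AUTHENTICATE and no Kerberos error at all, because the engine never gets as far as the directory. The following is an added example, not code from this thread or from the oVirt project, that checks engine.log for exactly that transition. The log lines embedded in it are the LoginUserCommand and AuditLogDirector lines quoted in the report, re-joined where the mail client wrapped them; the five-minute correlation window and the choice to reset on a successful login are my assumptions, not anything the engine defines.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the engine.log lines quoted in the report above,
# with mail-client line wrapping removed. Only LoginUserCommand and
# AuditLogDirector lines are kept; the adbroker lines are not needed
# for this check.
SAMPLE_LOG = """\
2013-08-06 15:54:10,088 INFO [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-10) Running command: LoginUserCommand internal: false.
2013-08-06 15:54:10,139 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-10) Correlation ID: 23c4709, Call Stack: null, Custom Event ID: -1, Message: User ovirttest logged in.
2013-08-06 15:54:12,474 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: 52a89e7d, Call Stack: null, Custom Event ID: -1, Message: User ovirttest logged out.
2013-08-06 15:54:20,855 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD : ovirttest
2013-08-06 15:54:25,187 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE : ovirttest
2013-08-06 15:54:38,057 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-5) USER_FAILED_TO_AUTHENTICATE : ovirtadmin
"""

# Layout of an engine.log line: timestamp, level, [logger], (thread), message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} "
    r"(?P<level>\w+) \[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
WRONG_CREDS = "USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD : "
GENERIC_FAIL = "USER_FAILED_TO_AUTHENTICATE : "
LOGGED_IN = re.compile(r"Message: User (\S+) logged in\.")


def parse(text):
    """Reduce engine.log text to (timestamp, kind, user) auth events.

    kind is one of 'login_ok', 'wrong_creds' (the KDC rejected the
    password, so the directory was reachable) or 'generic_fail' (the
    engine gave up before any credential check)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        msg = m["msg"]
        if msg.startswith(WRONG_CREDS):
            events.append((ts, "wrong_creds", msg[len(WRONG_CREDS):].strip()))
        elif msg.startswith(GENERIC_FAIL):
            events.append((ts, "generic_fail", msg[len(GENERIC_FAIL):].strip()))
        else:
            hit = LOGGED_IN.search(msg)
            if hit:
                events.append((ts, "login_ok", hit.group(1)))
    return events


def detect_stuck_directory(events, window=timedelta(minutes=5)):
    """Return [(user, timestamp)] for generic auth failures that follow a
    wrong-password failure within `window` with no successful login in
    between. That sequence is what the report shows once the engine has
    stopped talking to AD: the first failure proves the directory was
    reachable, the later ones never reach it. The window length and the
    reset on a successful login are assumptions of this example."""
    findings = []
    last_wrong = None
    for ts, kind, user in sorted(events):
        if kind == "wrong_creds":
            last_wrong = ts
        elif kind == "login_ok":
            last_wrong = None  # directory demonstrably working again
        elif kind == "generic_fail" and last_wrong is not None \
                and ts - last_wrong <= window:
            findings.append((user, ts))
    return findings


if __name__ == "__main__":
    for user, ts in detect_stuck_directory(parse(SAMPLE_LOG)):
        print(f"{ts} generic auth failure for {user} after a rejected "
              f"password; directory connection may be stuck")
```

Run against the quoted lines it flags both the second ovirttest attempt and the ovirtadmin attempt, which matches the report: the engine only recovers after a restart, so in practice the check would be followed by confirming that AD user enumeration in the admin portal is also broken before restarting the engine.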