free-IPA Multi-Master Authentication Problem

Hi,

I have two free-IPA directories set up in multi-master replication. Both are running on CentOS 7.2 with the latest software installed. Replication between both IPAs is set up correctly and I am able to authenticate against each of the two manually.

However, if I shut down IPA1 and try to authenticate from oVirt 3.5.6.2 against IPA2 I can't log in. Login is only working if IPA1 is running (keep in mind that manual authentication against IPA2 is working).

In the dirsrv error logfile nothing is logged, however I can see the authentication in the access log from IPA2:

###
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH base="cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=5 op=760 SRCH base="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[03/Jun/2016:17:18:39 +0200] conn=5 op=760 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD dn="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
[03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103 nentries=0 etime=0 csn=5751a1820001000d0000
[03/Jun/2016:17:18:39 +0200] conn=95 fd=109 slot=109 connection from 192.168.210.45 to 192.168.210.181
[03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=ldap/auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=939 SRCH base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[03/Jun/2016:17:18:39 +0200] conn=6 op=939 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=940 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kries@INTERN.CUSTOMER-VIRT.EU))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=6 op=940 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=941 SRCH base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[03/Jun/2016:17:18:39 +0200] conn=6 op=941 RESULT err=0 tag=101 nentries=1 etime=0
###

In the oVirt Engine log I can see the following:

###
2016-06-03 17:18:40,402 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Error in communicating with LDAP server auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu]
2016-06-03 17:18:40,416 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using user kries@INTERN.CUSTOMER-VIRT.EU due to auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu]. We should try the next server
2016-06-03 17:18:41,675 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter is (&(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=kries)). Exception message is: null
2016-06-03 17:18:41,681 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that the login name , password and path are correct.
2016-06-03 17:18:41,690 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu:389 using user kries@INTERN.CUSTOMER-VIRT.EU due to Kerberos error. Please check log for further details.. We should not try the next server
2016-06-03 17:18:41,698 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain intern.customer-virt.eu. Ldap Query Type is getUserByName
2016-06-03 17:18:41,703 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further details.
2016-06-03 17:18:41,706 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-3) Failed to run command LdapAuthenticateUserCommand. Domain is intern.customer-virt.eu. User is kries.
2016-06-03 17:18:41,712 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication profile "intern.customer-virt.eu" because the authentication failed.
2016-06-03 17:18:41,719 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User kries@intern.customer-virt.eu failed to log in.
2016-06-03 17:18:41,723 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user kries@intern.customer-virt.eu. Reasons: USER_FAILED_TO_AUTHENTICATE
###

Any thoughts why I can't authenticate via oVirt against IPA2?

Thanks
Greets
Kilian

On 06/03/2016 05:44 PM, Kilian Ries wrote:
Can you please also share if there is some error in /var/log/krb5kdc.log in IPA2?

Anyway, please migrate to the new ovirt-engine-extensions-aaa-ldap, read this[1] for more information.

[1] http://lists.ovirt.org/pipermail/users/2015-August/034008.html

Hello,

here is the krb5kdc log from IPA2:

###
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kries@INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU, Additional pre-authentication required
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967102, etypes {rep=23 tkt=18 ses=23}, kries@INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kries@INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU, Additional pre-authentication required
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23}, kries@INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kries@INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU, Additional pre-authentication required
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23}, kries@INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=18}, kries@INTERN.CUSTOMER-VIRT.EU for ldap/auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
###

Thanks for the hint with the LDAP provider, I'm trying to migrate as soon as possible.

Greets
Kilian

From: Ondra Machacek <omachace@redhat.com>
Sent: Monday, 6 June 2016 09:48
To: Kilian Ries; users@ovirt.org
Subject: Re: [ovirt-users] free-IPA Multi-Master Authentication Problem

It looks fine, thanks.

Looking at the oVirt log I see IPA server FQDN:

auth02.intern.customer-virt.eu.intern.customer-virt.eu

Looking at krb realm, I guess this should be:

auth02.intern.customer-virt.eu

Do you use SRV records or did you pass --ldap-servers to manage-domains? If SRV, then you may have misconfigured DNS; if --ldap-servers, you should edit the configuration with the proper FQDN.

On 06/06/2016 11:00 AM, Kilian Ries wrote:
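The check behind Ondra's diagnosis, written as an added example for this thread (not code from oVirt or FreeIPA): it parses the DirectorySearcher failover lines quoted above, classifies each failed attempt as a name-resolution or a Kerberos failure, and flags a server name whose domain suffix appears twice, the shape a DNS record target without a trailing dot takes once the zone origin is appended. The domain name and the two sample log lines are taken from the thread; the `analyse`/`findings` helpers are assumed names.

```python
"""Check which LDAP servers an oVirt engine tried for a FreeIPA domain.

Parses the DirectorySearcher "Failed ldap search server ..." lines from
engine.log, classifies each failed attempt (name resolution vs. Kerberos)
and flags a host name whose domain suffix appears twice, which is what a
relative SRV or A record target (missing trailing dot) turns into once the
zone origin is appended.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the two DirectorySearcher lines quoted in the thread.
SAMPLE_ENGINE_LOG = """\
2016-06-03 17:18:40,416 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using user kries@INTERN.CUSTOMER-VIRT.EU due to auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu]. We should try the next server
2016-06-03 17:18:41,690 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu:389 using user kries@INTERN.CUSTOMER-VIRT.EU due to Kerberos error. Please check log for further details.. We should not try the next server
"""

SEARCH_RE = re.compile(
    r"Failed ldap search server ldap://(?P<host>[^:/\s]+):(?P<port>\d+) "
    r"using user (?P<user>\S+) due to (?P<reason>.*?)\. We should "
    r"(?P<next>try|not try) the next server"
)


@dataclass
class Attempt:
    host: str
    port: int
    user: str
    failure: str          # "dns", "kerberos" or "other"
    tried_next: bool      # engine moved on to the next configured server
    suffix_doubled: bool  # host ends with the domain twice


def doubled_suffix(host: str, domain: str) -> bool:
    """True when host ends with domain twice, e.g.
    auth02.intern.customer-virt.eu.intern.customer-virt.eu"""
    labels = host.lower().rstrip(".").split(".")
    d = domain.lower().rstrip(".").split(".")
    n = len(d)
    return len(labels) > 2 * n and labels[-n:] == d and labels[-2 * n:-n] == d


def canonical_host(host: str, domain: str) -> str:
    """Drop one redundant copy of the domain suffix, if present."""
    if doubled_suffix(host, domain):
        return host[: -(len(domain.rstrip(".")) + 1)]
    return host


def classify(reason: str) -> str:
    if "UnknownHostException" in reason:
        return "dns"        # the name never resolved: DNS/SRV problem
    if "Kerberos error" in reason:
        return "kerberos"   # name resolved, the GSSAPI bind failed
    return "other"


def analyse(log_text: str, domain: str) -> List[Attempt]:
    attempts = []
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if not m:
            continue
        attempts.append(Attempt(
            host=m["host"], port=int(m["port"]), user=m["user"],
            failure=classify(m["reason"]),
            tried_next=(m["next"] == "try"),
            suffix_doubled=doubled_suffix(m["host"], domain),
        ))
    return attempts


def findings(attempts: List[Attempt], domain: str) -> List[str]:
    out = []
    for a in attempts:
        if a.suffix_doubled:
            out.append(f"{a.host}: domain suffix repeated, expected "
                       f"{canonical_host(a.host, domain)}; check the SRV/A "
                       "record for a missing trailing dot or the --ldap-servers value")
        elif a.failure == "kerberos":
            out.append(f"{a.host}: name resolved but the Kerberos bind failed; "
                       "check /var/log/krb5kdc.log on that server")
    return out


if __name__ == "__main__":
    domain = "intern.customer-virt.eu"
    for f in findings(analyse(SAMPLE_ENGINE_LOG, domain), domain):
        print(f)
```

Run against a real engine.log, the first finding tells you the name the engine was actually given, so you know whether to fix the zone or the manage-domains configuration.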

Indeed there was a faulty record for IPA2 - I corrected that. Now the engine log shows the correct LDAP address:

###
2016-06-07 15:20:43,940 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that the login name , password and path are correct.
2016-06-07 15:20:43,946 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.eu:389 using user kries@INTERN.EU due to Kerberos error. Please check log for further details.. We should not try the next server
2016-06-07 15:20:43,951 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain intern.eu. Ldap Query Type is getUserByName
2016-06-07 15:20:43,954 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further details.
2016-06-07 15:20:43,957 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-3) Failed to run command LdapAuthenticateUserCommand. Domain is intern.eu. User is kries.
2016-06-07 15:20:43,961 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication profile "intern.eu" because the authentication failed.
2016-06-07 15:20:43,968 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User kries@intern.eu failed to log in.
2016-06-07 15:20:43,971 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user kries@intern.eu. Reasons: USER_FAILED_TO_AUTHENTICATE
###

I'm still not able to log in to oVirt via IPA2. The krb5kdc and dirsrv access logs don't show anything new.

From: Ondra Machacek <omachace@redhat.com>
Sent: Monday, 6 June 2016 14:31
To: Kilian Ries; users@ovirt.org
Subject: Re: AW: [ovirt-users] free-IPA Multi-Master Authentication Problem

How did you set up the authentication? Did you use AAA or engine-manage-domains?

Do you *have* to use kerberos, or can you just use ldap? If you have no requirement to use kerberos, then I would just use simple AAA ldap.

How are you load balancing the IPA servers? Does fail over work for other things, i.e. client machines connected to the IPA realm?

On Tue, Jun 7, 2016 at 9:49 AM, Kilian Ries <mail@kilian-ries.de> wrote:
participants (3)
- Donny Davis
- Kilian Ries
- Ondra Machacek