That's very strange, can you please share the upgrade log if you still
have it?

Also can you please share the output of:

$ select * from users;

and

$ select * from permissions;

and also please share content of:

/etc/ovirt-engine/extensions.d/internal-authn.properties
/etc/ovirt-engine/extensions.d/internal-auth.properties
/etc/ovirt-engine/aaa/internal.properties

On 05/30/2018 06:12 PM, Michael Watters wrote:
> It looks like the issue was caused by a new admin account being created
> in the internal-authz domain. Here is what the engine logs show.
>
> 2018-05-30 11:15:21,893-04 INFO
> [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-9)
> [] User admin@internal successfully logged in with scopes:
> ovirt-app-admin ovirt-app-api ovirt-app-portal
> ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all
> ovirt-ext=token-info:authz-search
> ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate
> ovirt-ext=token:password-access
>
> 2018-05-30 11:15:22,175-04 INFO
> [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default
> task-11) [77362b19] Running command: CreateUserSessionCommand internal:
> false.
>
> 2018-05-30 11:15:22,252-04 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-11) [77362b19] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User
> admin@internal-authz connecting from '10.209.44.27' failed to log
> in<UNKNOWN>.
>
> 2018-05-30 11:15:22,253-04 ERROR
> [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default
> task-11) [] The user admin@internal is not authorized to perform login
>
> I was able to login after updating the permissions table to use the new
> user ID as follows.
>
> update permissions set ad_element_id = (select user_id from users where
> domain = 'internal-authz' and username = 'admin') where ad_element_id =
> (select user_id from users where domain = 'internal' and username =
> 'admin') ;
>
> Despite this the ovirt-aaa-jdbc-tool still shows the wrong user ID when
> querying the admin account. For example:
>
> [root@mdct-ovirt-engine-dev ~]# ovirt-aaa-jdbc-tool user show admin
> -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
> Namespace: *
> Name: admin
> ID: fdfc627c-d875-11e0-90f0-83df133b58cc
> Display Name:
> Email:
> First Name: admin
> Last Name:
> Department:
> Title:
> Description:
> Account Disabled: false
> Account Locked: false
> Account Unlocked At: 1970-01-01 00:00:00Z
> Account Valid From: 2016-11-16 15:27:01Z
> Account Valid To: 2216-11-16 15:27:01Z
> Account Without Password: false
> Last successful Login At: 2018-05-30 16:02:46Z
> Last unsuccessful Login At: 2018-05-29 19:25:28Z
> Password Valid To: 2216-09-29 15:27:01Z
>
> Is there a way to resolve this conflict? Where does the
> admin@internal-authz account come from? I tried renaming the account
> but it is recreated every time that the engine is restarted.
>
>
> On 05/29/2018 04:31 PM, Alex K wrote:
>> Are you using engine IP to login? Perhaps the sso default file was
>> overwritten?
>>
>> Alex
>>
>> On Tue, May 29, 2018, 20:32 Michael Watters <wattersm(a)watters.ws> wrote:
>>
>> I recently upgraded one of our ovirt engines from 4.1 to the 4.2.3
>> release and the admin account is no longer able to login. After
>> entering the user name and password I receive a message that
>> states "The user admin@internal is not authorized to perform login".
>>
>> Is there a way to resolve this? Resetting the password did not work.
>> _______________________________________________
>> Users mailing list -- users(a)ovirt.org
>> To unsubscribe send an email to users-leave(a)ovirt.org
>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
>> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/FT3NKC36NMN...