On 11/13/18 10:09 PM, Will Hegedus wrote:
So, it turns out that one of the domain controllers had a different certificate chain (outside of my team's control) which was inexplicably causing the whole thing to fail.
I would run "ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa login-user --user-name=preader@liberty.edu --profile=liberty.edu" and everything would look fine up until the point that it needed to "doFetchPrincipalRecord", at which point it would fail to get the principal record for the account. The bind would succeed, but because "Creating LDAPConnectionPool" would fail on *just one* of the domain controllers, it for some reason seemed to invalidate all of the entries in that pool, thereby causing the fetching of principal records to fail even though the bind succeeded on one of the OK domain controllers.
Is this behavior intended? I really think this should be classified as a bug.
For what it's worth, this was resolved by getting the certificate chain from the problem DC and then adding it to the Java Keystore with the other certificate chain that all the other domain controllers use.
Please open a bug will detail information of the AD infrastructure, like what's the forest what's the domains, and which DC are in domain, and I will try to take a look. Thanks a lot!
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZCQPBSP4HW35JN...