
Hi,

I have two FreeIPA directories set up in multi-master replication. Both are running on CentOS 7.2 with the latest software installed. Replication between both IPAs is set up correctly and I am able to authenticate against each of the two manually.

However, if I shut down IPA1 and try to authenticate from oVirt 3.5.6.2 against IPA2, I can't log in. Login is only working if IPA1 is running (keep in mind that manual authentication against IPA2 is working).

In the dirSRV Error-Logfile nothing is logged, however I can see the authentication in the access log from IPA2:

###

filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH base="cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=5 op=760 SRCH base="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[03/Jun/2016:17:18:39 +0200] conn=5 op=760 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD dn="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
[03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103 nentries=0 etime=0 csn=5751a1820001000d0000
[03/Jun/2016:17:18:39 +0200] conn=95 fd=109 slot=109 connection from 192.168.210.45 to 192.168.210.181
[03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=ldap/auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=939 SRCH base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[03/Jun/2016:17:18:39 +0200] conn=6 op=939 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=940 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kries@INTERN.CUSTOMER-VIRT.EU))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=6 op=940 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=941 SRCH base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[03/Jun/2016:17:18:39 +0200] conn=6 op=941 RESULT err=0 tag=101 nentries=1 etime=0

###

In the oVirt Engine log I can see the following:

###

2016-06-03 17:18:40,402 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Error in communicating with LDAP server auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu]
2016-06-03 17:18:40,416 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using user kries@INTERN.CUSTOMER-VIRT.EU due to auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu]. We should try the next server
2016-06-03 17:18:41,675 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter is (&(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=kries)). Exception message is: null
2016-06-03 17:18:41,681 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that the login name , password and path are correct.
2016-06-03 17:18:41,690 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu:389 using user kries@INTERN.CUSTOMER-VIRT.EU due to Kerberos error. Please check log for further details.. We should not try the next server
2016-06-03 17:18:41,698 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain intern.customer-virt.eu. Ldap Query Type is getUserByName
2016-06-03 17:18:41,703 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further details.
2016-06-03 17:18:41,706 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-3) Failed to run command LdapAuthenticateUserCommand. Domain is intern.customer-virt.eu. User is kries.
2016-06-03 17:18:41,712 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication profile "intern.customer-virt.eu" because the authentication failed.
2016-06-03 17:18:41,719 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User kries@intern.customer-virt.eu failed to log in.
2016-06-03 17:18:41,723 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user kries@intern.customer-virt.eu. Reasons: USER_FAILED_TO_AUTHENTICATE

###

Any thoughts why I can't authenticate via oVirt against IPA2?

Thanks

Greets

Kilian