Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

14 Nov 2014

      --=-7FGTMvtERpsX2N9uBb42
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hello,

I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA.
Starting up ovrit-engine the extension manager fails to properly load
the service that handles Kerberos/LDAP.

engine.log:
...
2014-11-10 11:29:25,106 INFO
[org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (MSC service
thread 1-10) Start initializing ExecutionMessageDirector
2014-11-10 11:29:25,108 INFO
[org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (MSC service
thread 1-10) Finished initializing ExecutionMessageDirector
2014-11-10 11:29:25,145 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Loading extension 'builtin-authn-internal'
2014-11-10 11:29:25,146 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Extension 'builtin-authn-internal' loaded
2014-11-10 11:29:25,148 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Loading extension 'internal'
2014-11-10 11:29:25,150 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Extension 'internal' loaded
2014-11-10 11:29:25,154 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Loading extension 'builtin-authn-EXAMPLE.ORG'
2014-11-10 11:29:25,215 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Extension 'builtin-authn-EXAMPLE.ORG' loaded
2014-11-10 11:29:25,218 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Loading extension 'EXAMPLE.ORG'
2014-11-10 11:29:25,264 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Extension 'EXAMPLE.ORG' loaded
2014-11-10 11:29:25,265 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Initializing extension 'EXAMPLE.ORG'
2014-11-10 11:29:25,265 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Extension 'EXAMPLE.ORG' initialized
2014-11-10 11:29:25,266 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Initializing extension 'builtin-authn-internal'
2014-11-10 11:29:25,266 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Extension 'builtin-authn-internal' initialized
2014-11-10 11:29:25,267 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Initializing extension 'builtin-authn-EXAMPLE.ORG'
2014-11-10 11:29:25,267 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Extension 'builtin-authn-EXAMPLE.ORG' initialized
2014-11-10 11:29:25,268 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Initializing extension 'internal'
2014-11-10 11:29:25,268 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Extension 'internal' initialized
2014-11-10 11:29:25,268 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Start of enabled extensions list
2014-11-10 11:29:25,269 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Instance name: 'EXAMPLE.ORG', Extension name:
'Kerberos/Ldap Authz (Built-in)', Version: 'N/A', Notes: '', License:
'ASL 2.0',
 Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build
interface Version: '0',  File: 'N/A', Initialized: 'true'
2014-11-10 11:29:25,270 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Instance name: 'builtin-authn-internal', Extension name:
'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'AS
L 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build
interface Version: '0',  File: 'N/A', Initialized: 'true'
2014-11-10 11:29:25,270 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Instance name: 'builtin-authn-EXAMPLE.ORG', Extension name:
'Kerberos/Ldap Authn (Built-in)', Version: 'N/A', Notes: '', Licen
se: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project',
Build interface Version: '0',  File: 'N/A', Initialized: 'true'
2014-11-10 11:29:25,271 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) Instance name: 'internal', Extension name: 'Internal Authz
(Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home:
'http://www.ovirt.org', Author 'The oVirt Project', Build interface
Version: '0',  File: 'N/A', Initialized: 'true'
2014-11-10 11:29:25,272 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
thread 1-10) End of enabled extensions list
2014-11-10 11:29:25,404 INFO
[org.ovirt.engine.core.bll.aaa.DbUserCacheManager] (MSC service thread
1-10) Start initializing DbUserCacheManager
2014-11-10 11:29:25,405 INFO
[org.ovirt.engine.core.bll.aaa.DbUserCacheManager] (MSC service thread
1-10) Finished initializing DbUserCacheManager
2014-11-10 11:29:25,414 INFO
[org.ovirt.engine.core.bll.tasks.AsyncTaskManager] (MSC service thread
1-10) Initialization of AsyncTaskManager completed successfully.
2014-11-10 11:29:25,416 INFO
[org.ovirt.engine.core.vdsbroker.ResourceManager] (MSC service thread
1-10) Start initializing ResourceManager
2014-11-10 11:29:25,458 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase=
] (DefaultQuartzScheduler_Worker-1) Failed to run command LdapSearchUserByQ=
ueryCommand. Domain is EXAMPLE.ORG. User is user1@EXAMPLE.ORG.
2014-11-10 11:29:25,459 ERROR [org.ovirt.engine.core.bll.aaa.SyncUsers]
(DefaultQuartzScheduler_Worker-1) Error during user synchronization of
extension EXAMPLE.ORG. Exception message is No enum constant
org.ovirt.engine.extensions.aaa.bui
ltin.kerberosldap.LDAPSecurityAuthentication.

Trying to authenticate with user2 from IPA produces this error:

engine.log:
2014-11-10 11:30:08,777 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase=
] (ajp--127.0.0.1-8702-2) Failed to run command LdapAuthenticateUserCommand=
. Domain is EXAMPLE.ORG. User is user2.
2014-11-10 11:30:08,779 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-2) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:=20
{Extkey[name=3DAAA_AUTHN_CREDENTIALS;type=3Dclass
java.lang.String;uuid=3DAAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5=
c909706];]=3D***, Extkey[name=3DEXTENSION_INVOKE_CONTEXT;type=3Dclass org.o=
virt.engine.api.extensions.ExtMap;uuid=3DEXTENSION_INVOKE_CONTEXT[886d2ebb-=
312a-49ae-9cc3-e1f849834b7d];]=3D{Extkey[name=3DEXTENSION_INTERFACE_VERSION=
_MAX;type=3Dclass java.lang.Integer;uuid=3DEXTENSION_INTERFACE_VERSION_MAX[=
f4cff49f-2717-4901-8ee9-df362446e3e7];]=3D0, Extkey[name=3DEXTENSION_LICENS=
E;type=3Dclass java.lang.String;uuid=3DEXTENSION_LICENSE[8a61ad65-054c-4e31=
-9c6d-1ca4d60a4c18];]=3DASL 2.0, Extkey[name=3DEXTENSION_HOME_URL;type=3Dcl=
ass java.lang.String;uuid=3DEXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d1=
92e18304];]=3Dhttp://www.ovirt.org, Extkey[name=3DEXTENSION_LOCALE;type=3Dc=
lass java.lang.String;uuid=3DEXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d=
778bb29];]=3Den_US, Extkey[name=3DEXTENSION_NAME;type=3Dclass java.lang.Str=
ing;uuid=3DEXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=3DKerbero=
s/Ldap Authn (Built-in), Extkey[name=3DEXTENSION_INTERFACE_VERSION_MIN;type=
=3Dclass java.lang.Integer;uuid=3DEXTENSION_INTERFACE_VERSION_MIN[2b84fc91-=
305b-497b-a1d7-d961b9d2ce0b];]=3D0, Extkey[name=3DEXTENSION_CONFIGURATION;t=
ype=3Dclass java.util.Properties;uuid=3DEXTENSION_CONFIGURATION[2d48ab72-f0=
a1-4312-b4ae-5068a226b0fc];]=3D***, Extkey[name=3DEXTENSION_AUTHOR;type=3Dc=
lass java.lang.String;uuid=3DEXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e0701=
8b7fbcc];]=3DThe oVirt Project, Extkey[name=3DEXTENSION_INSTANCE_NAME;type=
=3Dclass java.lang.String;uuid=3DEXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5=
-a245-8674327f011b];]=3Dbuiltin-authn-EXAMPLE.ORG, Extkey[name=3DEXTENSION_=
BUILD_INTERFACE_VERSION;type=3Dclass java.lang.Integer;uuid=3DEXTENSION_BUI=
LD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=3D0, Extkey[na=
me=3DEXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=3Dinterface java.util.Coll=
ection;uuid=3DEXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9=
b-ebff01e35263];]=3D[, config.authn.user.password], Extkey[name=3DAAA_AUTHN=
_CAPABILITIES;type=3Dclass java.lang.Long;uuid=3DAAA_AUTHN_CAPABILITIES[9d1=
6bee3-10fd-46f2-83f9-3d3c54cf258d];]=3D12, Extkey[name=3DEXTENSION_GLOBAL_C=
ONTEXT;type=3Dclass org.ovirt.engine.api.extensions.ExtMap;uuid=3DEXTENSION=
_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=3D*skip*, Extkey[na=
me=3DEXTENSION_VERSION;type=3Dclass java.lang.String;uuid=3DEXTENSION_VERSI=
ON[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=3DN/A, Extkey[name=3DEXTENSION_M=
ANAGER_TRACE_LOG;type=3Dinterface org.slf4j.Logger;uuid=3DEXTENSION_MANAGER=
_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=3Dorg.slf4j.impl.Slf4jLo=
gger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.Kerberos/=
Ldap Authn (Built-in).builtin-authn-EXAMPLE.ORG), Extkey[name=3DEXTENSION_P=
ROVIDES;type=3Dinterface java.util.Collection;uuid=3DEXTENSION_PROVIDES[8cf=
373a6-65b5-4594-b828-0e275087de91];]=3D[org.ovirt.engine.api.extensions.aaa=
.Authn]}, Extkey[name=3DAAA_AUTHN_USER;type=3Dclass java.lang.String;uuid=
=3DAAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=3Duser2, Extkey[n=
ame=3DEXTENSION_INVOKE_COMMAND;type=3Dclass org.ovirt.engine.api.extensions=
.ExtUUID;uuid=3DEXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f2=
8d];]=3DAAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80=
244c]}
Output:
{Extkey[name=3DEXTENSION_INVOKE_RESULT;type=3Dclass
java.lang.Integer;uuid=3DEXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-09=
9c772ddd4e];]=3D2, Extkey[name=3DEXTENSION_INVOKE_MESSAGE;type=3Dclass java=
.lang.String;uuid=3DEXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb7=
2f5893];]=3DNo enum constant org.ovirt.engine.extensions.aaa.builtin.kerber=
osldap.LDAPSecurityAuthentication.}

engine-manage-domains shows the IPA domain but I cannot delete the
domain or edit it.

# engine-manage-domains list
Domain: EXAMPLE.ORG
        User name: null
Manage Domains completed successfully

# engine-manage-domains delete --domain=3DEXAMPLE.ORG
Domain example.org doesn't exist in the configuration.

Any ideas on fixing?

Regards,
Cameron

--=-7FGTMvtERpsX2N9uBb42
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAABAgAGBQJUZiJKAAoJEM1PCzopIAOtj+4IAKqqzUwJopm2lptCLicVzS3O
2rdWqgA6XGTr7b0NOHRNyFk6dxgcw0Au9Nf5RMykpiw3GKxDAQ64BKvNmxncGSL2
HudZ/+iTtwFsgxU87jGOYD/l9Gq9uaxheH8VdkwY6R4sCCUGLmM9oDo33TYz2k/a
my+m7CsBYdfzJFRrcNdHcaRWFtJ9GKxiuUyCPhAPYRHW1Z86EZk1BbVb6gr/hyTG
56NZAgPa5nCBXchdETm+60JVwc3G/PY/Txo0oUxpd9CrBPLpxe45jojWSZuFAtk4
FX2gw0sNMo1CCaKOXumnJONF5pVpmcPH6VVZDtnPhs7Jbk5ntNpg2urqkejOR+M=
=SDGw
-----END PGP SIGNATURE-----

--=-7FGTMvtERpsX2N9uBb42--

Cameron Christensen

Marcelo Donato

Alon Bar-Lev

Cameron Christensen

Alon Bar-Lev

Cameron Christensen

Yair Zaslavsky

Yair Zaslavsky

tags

participants (4)