6:44 p.m.
--_000_ef9bab9b95a64bbfbda0fcdfb57bcf55kilianriesde_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Hi,
i have two free-IPA directories setup in multi-master replication. Both are=
running on CentOS 7.2 with latest Software installed. Replication between =
both IPAs is setup correctly and i am able to authenticate against each of =
the two manually.
However, if i shutdown IPA1 and try to authenticate from oVirt 3.5.6.2 agai=
nst IPA2 i can't login. Login is only working if IPA1 is running (keep in m=
ind that manual authentication against IPA2 is working).
In the dirSRV Error-Logfile nothing is logged, however i can see the authen=
tication in the access log from IPA2:
###
filter=3D"(&(|(objectClass=3Dkrbprincipalaux)(objectClass=3Dkrbprincipal)(o=
bjectClass=3Dipakrbprincipal))(|(ipaKrbPrincipalAlias=3Dkrbtgt/INTERN.CUSTO=
MER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=3Dkrbtgt/INTERN.CUSTO=
MER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU)))" attrs=3D"krbPrincipalName krbCanoni=
calName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyRe=
ference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference =
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLast=
SuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAd=
minUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewab=
leAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatoke=
nRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=3D5 op=3D758 RESULT err=3D0 tag=3D101 nen=
tries=3D1 etime=3D0
[03/Jun/2016:17:18:39 +0200] conn=3D5 op=3D759 SRCH base=3D"cn=3Dglobal_pol=
icy,cn=3DINTERN.CUSTOMER-VIRT.EU,cn=3Dkerberos,dc=3Dintern,dc=3Dcustomer-vi=
rt,dc=3Deu" scope=3D0 filter=3D"(objectClass=3D*)"
attrs=3D"krbMaxPwdLife k=
rbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdM=
axFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[03/Jun/2016:17:18:39 +0200] conn=3D5 op=3D759 RESULT err=3D0 tag=3D101 nen=
tries=3D1 etime=3D0
[03/Jun/2016:17:18:39 +0200] conn=3D5 op=3D760 SRCH base=3D"uid=3Dkries,cn=
=3Dusers,cn=3Daccounts,dc=3Dintern,dc=3Dcustomer-virt,dc=3Deu" scope=3D0 fi=
lter=3D"(objectClass=3D*)" attrs=3D"objectClass uid cn fqdn gidNumber
krbPr=
incipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiratio=
n krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdCh=
ange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFa=
iledCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLo=
gonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[03/Jun/2016:17:18:39 +0200] conn=3D5 op=3D760 RESULT err=3D0 tag=3D101 nen=
tries=3D1 etime=3D0
[03/Jun/2016:17:18:39 +0200] conn=3D5 op=3D761 MOD dn=3D"uid=3Dkries,cn=3Du=
sers,cn=3Daccounts,dc=3Dintern,dc=3Dcustomer-virt,dc=3Deu"
[03/Jun/2016:17:18:39 +0200] conn=3D5 op=3D761 RESULT err=3D0 tag=3D103 nen=
tries=3D0 etime=3D0 csn=3D5751a1820001000d0000
[03/Jun/2016:17:18:39 +0200] conn=3D95 fd=3D109 slot=3D109 connection from =
192.168.210.45 to 192.168.210.181
[03/Jun/2016:17:18:39 +0200] conn=3D6 op=3D937 SRCH base=3D"dc=3Dintern,dc=
=3Dcustomer-virt,dc=3Deu" scope=3D2
filter=3D"(&(|(objectClass=3Dkrbprincip=
alaux)(objectClass=3Dkrbprincipal)(objectClass=3Dipakrbprincipal))(|(ipaKrb=
PrincipalAlias=3Dkrbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU)(kr=
bPrincipalName=3Dkrbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU)))"=
attrs=3D"krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabl=
ed krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPassw=
ordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastP=
wdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLog=
inFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicket=
Flags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipa=
KrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=3D6 op=3D937 RESULT err=3D0 tag=3D101 nen=
tries=3D1 etime=3D0
[03/Jun/2016:17:18:39 +0200] conn=3D6 op=3D938 SRCH base=3D"dc=3Dintern,dc=
=3Dcustomer-virt,dc=3Deu" scope=3D2
filter=3D"(&(|(objectClass=3Dkrbprincip=
alaux)(objectClass=3Dkrbprincipal)(objectClass=3Dipakrbprincipal))(|(ipaKrb=
PrincipalAlias=3Dldap/auth02.intern.customer-virt.eu(a)INTERN.CUSTOMER-VIRT.E=
U)(krbPrincipalName=3Dldap/auth02.intern.customer-virt.eu(a)INTERN.CUSTOMER-V=
IRT.EU)))" attrs=3D"krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias =
krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiratio=
n krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistor=
y krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedA=
uth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences=
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordH=
istory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass=
"
[03/Jun/2016:17:18:39 +0200] conn=3D6 op=3D938 RESULT err=3D0 tag=3D101 nen=
tries=3D1 etime=3D0
[03/Jun/2016:17:18:39 +0200] conn=3D6 op=3D939 SRCH base=3D"cn=3DINTERN.CUS=
TOMER-VIRT.EU,cn=3Dkerberos,dc=3Dintern,dc=3Dcustomer-virt,dc=3Deu" scope=
=3D0 filter=3D"(objectClass=3Dkrbticketpolicyaux)"
attrs=3D"krbMaxTicketLif=
e krbMaxRenewableAge krbTicketFlags"
[03/Jun/2016:17:18:39 +0200] conn=3D6 op=3D939 RESULT err=3D0 tag=3D101 nen=
tries=3D1 etime=3D0
[03/Jun/2016:17:18:39 +0200] conn=3D6 op=3D940 SRCH base=3D"dc=3Dintern,dc=
=3Dcustomer-virt,dc=3Deu" scope=3D2
filter=3D"(&(|(objectClass=3Dkrbprincip=
alaux)(objectClass=3Dkrbprincipal))(krbPrincipalName=3Dkries(a)INTERN.CUSTOME=
R-VIRT.EU))" attrs=3D"krbPrincipalName krbCanonicalName ipaKrbPrincipalAlia=
s krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpirat=
ion krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHist=
ory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFaile=
dAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferenc=
es krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwor=
dHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectCla=
ss"
[03/Jun/2016:17:18:39 +0200] conn=3D6 op=3D940 RESULT err=3D0 tag=3D101 nen=
tries=3D1 etime=3D0
[03/Jun/2016:17:18:39 +0200] conn=3D6 op=3D941 SRCH base=3D"cn=3DINTERN.CUS=
TOMER-VIRT.EU,cn=3Dkerberos,dc=3Dintern,dc=3Dcustomer-virt,dc=3Deu" scope=
=3D0 filter=3D"(objectClass=3Dkrbticketpolicyaux)"
attrs=3D"krbMaxTicketLif=
e krbMaxRenewableAge krbTicketFlags"
[03/Jun/2016:17:18:39 +0200] conn=3D6 op=3D941 RESULT err=3D0 tag=3D101 nen=
tries=3D1 etime=3D0
###
In the oVirt Engine log i can see the following:
###
2016-06-03 17:18:40,402 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerb=
erosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Error in commu=
nicating with LDAP server auth02.intern.customer-virt.eu.intern.customer-vi=
rt.eu:389; nested exception is javax.naming.CommunicationException: auth02.=
intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java=
.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-v=
irt.eu]
2016-06-03 17:18:40,416 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerb=
erosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search serv=
er ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using =
user kries(a)INTERN.CUSTOMER-VIRT.EU due to auth02.intern.customer-virt.eu.in=
tern.customer-virt.eu:389; nested exception is javax.naming.CommunicationEx=
ception: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root e=
xception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.i=
ntern.customer-virt.eu]. We should try the next server
2016-06-03 17:18:41,675 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerb=
erosldap.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running LDAP=
query. BaseDN is , filter is (&(objectClass=3DposixAccount)(objectClass=3D=
krbPrincipalAux)(uid=3Dkries)). Exception message is: null
2016-06-03 17:18:41,681 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerb=
erosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Ldap authentic=
ation failed. Please check that the login name , password and path are corr=
ect.
2016-06-03 17:18:41,690 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerb=
erosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search serv=
er ldap://auth02.intern.customer-virt.eu:389 using user kries(a)INTERN.CUSTOM=
ER-VIRT.EU due to Kerberos error. Please check log for further details.. We=
should not try the next server
2016-06-03 17:18:41,698 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerb=
erosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Failed authen=
ticating user: kries to domain intern.customer-virt.eu. Ldap Query Type is =
getUserByName
2016-06-03 17:18:41,703 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerb=
erosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Kerberos erro=
r. Please check log for further details.
2016-06-03 17:18:41,706 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerb=
erosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-3) Failed to run comma=
nd LdapAuthenticateUserCommand. Domain is intern.customer-virt.eu. User is =
kries.
2016-06-03 17:18:41,712 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseComma=
nd] (ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication pro=
file "intern.customer-virt.eu" because the authentication failed.
2016-06-03 17:18:41,719 ERROR [org.ovirt.engine.core.dal.dbbroker.auditlogh=
andling.AuditLogDirector] (ajp--127.0.0.1-8702-3) Correlation ID: null, Cal=
l Stack: null, Custom Event ID: -1, Message: User kries(a)intern.customer-vir=
t.eu failed to log in.
2016-06-03 17:18:41,723 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUser=
Command] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser faile=
d for user kries(a)intern.customer-virt.eu. Reasons: USER_FAILED_TO_AUTHENTIC=
ATE
###
Any thoughts why i can't authenticate via oVirt against IPA2?
Thanks
Greets
Kilian
--_000_ef9bab9b95a64bbfbda0fcdfb57bcf55kilianriesde_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html <head <meta http-equiv=3D"Content-Type"
content=3D"text/html; charset=3Diso-8859-=
1" <style type=3D"text/css"
style=3D"display:none;"><!-- P {margin-top:0;margi=
n-bottom:0;} --></style </head <body dir=3D"ltr" <div
id=3D"divtagdefaultwrapper" style=3D"font-size:12pt;color:#000000;back=
ground-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;" <p>Hi,</p
<p><br </p
<p>i have two free-IPA directories setup in multi-master replication. Both =
are running on CentOS 7.2 with latest Software installed. Replication betwe=
en both IPAs is setup correctly and i am able to authenticate against each =
of the two manually.</p <p><br </p <p>However, if i shutdown IPA1
and try to authenticate from oVirt 3.5.6.2 a=
gainst IPA2 i can't login. Login is only working if IPA1 is running (k=
eep in mind that manual authentication against IPA2 is working).</p <p><br
</p <p>In the dirSRV Error-Logfile
nothing is logged, however i can see the aut=
hentication in the access log from IPA2:</p
<p><br </p
<p><br </p
<p>###</p <p><br </p
<p>filter=3D"(&(|(objectClass=3Dkrbprincipalaux)(objectClass=3Dkrb=
principal)(objectClass=3Dipakrbprincipal))(|(ipaKrbPrincipalAlias=3Dkrbtgt/=
INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=3Dkrbtgt/=
INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU)))&quot; attrs=3D"krbP=
rincipalName
krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTick=
etPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicy=
Reference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAlias=
es krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences kr=
bTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHist=
ory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass&qu=
ot;</p <p>[03/Jun/2016:17:18:39
+0200] conn=3D5 op=3D758 RESULT err=3D0 tag=3D=
101 nentries=3D1 etime=3D0</p <p>[03/Jun/2016:17:18:39
+0200] conn=3D5 op=3D759 SRCH base=3D"cn=
=3Dglobal_policy,cn=3DINTERN.CUSTOMER-VIRT.EU,cn=3Dkerberos,dc=3Dintern,dc=
=3Dcustomer-virt,dc=3Deu" scope=3D0 filter=3D"(objectClass=3D*)&q=
uot; attrs=3D"krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMin=
Length krbPwdHistoryLength
krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"</p=
<p>[03/Jun/2016:17:18:39 +0200] conn=3D5 op=3D759
RESULT err=3D0 tag=3D=
101 nentries=3D1 etime=3D0</p <p>[03/Jun/2016:17:18:39
+0200] conn=3D5 op=3D760 SRCH base=3D"uid=
=3Dkries,cn=3Dusers,cn=3Daccounts,dc=3Dintern,dc=3Dcustomer-virt,dc=3Deu&qu=
ot; scope=3D0 filter=3D"(objectClass=3D*)" attrs=3D"objectCl=
ass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicy=
Reference krbPrincipalExpiration
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdCha=
nge krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFai=
ledCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLog=
onScript ipaNTProfilePath ipaNTHomeDirectory
ipaNTHomeDirectoryDrive"</p
<p>[03/Jun/2016:17:18:39 +0200] conn=3D5 op=3D760 RESULT err=3D0
tag=3D=
101 nentries=3D1 etime=3D0</p <p>[03/Jun/2016:17:18:39
+0200] conn=3D5 op=3D761 MOD dn=3D"uid=3D=
kries,cn=3Dusers,cn=3Daccounts,dc=3Dintern,dc=3Dcustomer-virt,dc=3Deu"=
</p <p>[03/Jun/2016:17:18:39 +0200] conn=3D5 op=3D761
RESULT err=3D0 tag=3D=
103 nentries=3D0 etime=3D0 csn=3D5751a1820001000d0000</p
<p>[03/Jun/2016:17:18:39 +0200] conn=3D95 fd=3D109 slot=3D109
connectio=
n from 192.168.210.45 to 192.168.210.181</p
<p>[03/Jun/2016:17:18:39 +0200] conn=3D6 op=3D937 SRCH
base=3D"dc=
=3Dintern,dc=3Dcustomer-virt,dc=3Deu" scope=3D2 filter=3D"(&(=
|(objectClass=3Dkrbprincipalaux)(objectClass=3Dkrbprincipal)(objectClass=3D=
ipakrbprincipal))(|(ipaKrbPrincipalAlias=3Dkrbtgt/INTERN.CUSTOMER-VIRT.EU@I=
NTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=3Dkrbtgt/INTERN.CUSTOMER-VIRT.EU@I=
NTERN.CUSTOMER-VIRT.EU)))"
attrs=3D"krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUP=
Enabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krb=
PasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krb=
LastPwdChange krbPrincipalAliases krbLastSuccessfulAuth
krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbO=
bjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccoun=
tLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigL=
ink objectClass"</p <p>[03/Jun/2016:17:18:39
+0200] conn=3D6 op=3D937 RESULT err=3D0 tag=3D=
101 nentries=3D1 etime=3D0</p <p>[03/Jun/2016:17:18:39
+0200] conn=3D6 op=3D938 SRCH base=3D"dc=
=3Dintern,dc=3Dcustomer-virt,dc=3Deu" scope=3D2 filter=3D"(&(=
|(objectClass=3Dkrbprincipalaux)(objectClass=3Dkrbprincipal)(objectClass=3D=
ipakrbprincipal))(|(ipaKrbPrincipalAlias=3Dldap/auth02.intern.customer-virt=
.eu(a)INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=3Dldap/auth02.intern.customer=
-virt.eu(a)INTERN.CUSTOMER-VIRT.EU)))&quot;
attrs=3D"krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUP=
Enabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krb=
PasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krb=
LastPwdChange krbPrincipalAliases krbLastSuccessfulAuth
krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbO=
bjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccoun=
tLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigL=
ink objectClass"</p <p>[03/Jun/2016:17:18:39
+0200] conn=3D6 op=3D938 RESULT err=3D0 tag=3D=
101 nentries=3D1 etime=3D0</p <p>[03/Jun/2016:17:18:39
+0200] conn=3D6 op=3D939 SRCH base=3D"cn=
=3DINTERN.CUSTOMER-VIRT.EU,cn=3Dkerberos,dc=3Dintern,dc=3Dcustomer-virt,dc=
=3Deu" scope=3D0 filter=3D"(objectClass=3Dkrbticketpolicyaux)&quo=
t; attrs=3D"krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"</=
p <p>[03/Jun/2016:17:18:39 +0200] conn=3D6 op=3D939
RESULT err=3D0 tag=3D=
101 nentries=3D1 etime=3D0</p <p>[03/Jun/2016:17:18:39
+0200] conn=3D6 op=3D940 SRCH base=3D"dc=
=3Dintern,dc=3Dcustomer-virt,dc=3Deu" scope=3D2 filter=3D"(&(=
|(objectClass=3Dkrbprincipalaux)(objectClass=3Dkrbprincipal))(krbPrincipalN=
ame=3Dkries(a)INTERN.CUSTOMER-VIRT.EU))&quot; attrs=3D"krbPrincipalName =
krbCanonicalName
ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference=
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrin=
cipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccess=
fulAuth krbLastFailedAuth krbLoginFailedCount
krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxT=
icketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData =
ipaUserAuthType ipatokenRadiusConfigLink objectClass"</p <p>[03/Jun/2016:17:18:39 +0200] conn=3D6 op=3D940
RESULT err=3D0 tag=3D=
101 nentries=3D1 etime=3D0</p <p>[03/Jun/2016:17:18:39
+0200] conn=3D6 op=3D941 SRCH base=3D"cn=
=3DINTERN.CUSTOMER-VIRT.EU,cn=3Dkerberos,dc=3Dintern,dc=3Dcustomer-virt,dc=
=3Deu" scope=3D0 filter=3D"(objectClass=3Dkrbticketpolicyaux)&quo=
t; attrs=3D"krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"</=
p <p>[03/Jun/2016:17:18:39 +0200] conn=3D6 op=3D941
RESULT err=3D0 tag=3D=
101 nentries=3D1 etime=3D0</p <p><br </p <p>###</p <p><br
</p <p><br </p <p>In the oVirt Engine log i
can see the following:</p <p><br </p <p>###</p <p><br
</p <p>2016-06-03 17:18:40,402
ERROR [org.ovirt.engine.extensions.aaa.builtin.k=
erberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Error in co=
mmunicating with LDAP server auth02.intern.customer-virt.eu.intern.customer=
-virt.eu:389; nested exception is
javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern=
.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: aut=
h02.intern.customer-virt.eu.intern.customer-virt.eu]</p
<p>2016-06-03 17:18:40,416 ERROR [org.ovirt.engine.extensions.aaa.builtin.k=
erberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search s=
erver ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 usi=
ng user kries(a)INTERN.CUSTOMER-VIRT.EU
due to auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested =
exception is javax.naming.CommunicationException: auth02.intern.customer-vi=
rt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostEx=
ception: auth02.intern.customer-virt.eu.intern.customer-virt.eu].
We should try the next server</p
<p>2016-06-03 17:18:41,675 ERROR [org.ovirt.engine.extensions.aaa.builtin.k=
erberosldap.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running L=
DAP query. BaseDN is , filter is (&(objectClass=3DposixAccount)(objectC=
lass=3DkrbPrincipalAux)(uid=3Dkries)). Exception
message is: null</p <p>2016-06-03 17:18:41,681
ERROR [org.ovirt.engine.extensions.aaa.builtin.k=
erberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Ldap authen=
tication failed. Please check that the login name , password and path are c=
orrect. </p <p>2016-06-03 17:18:41,690
ERROR [org.ovirt.engine.extensions.aaa.builtin.k=
erberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search s=
erver ldap://auth02.intern.customer-virt.eu:389 using user kries(a)INTERN.CUS=
TOMER-VIRT.EU due to Kerberos error.
Please check log for further details.. We should not try the next server</=
p <p>2016-06-03 17:18:41,698 ERROR
[org.ovirt.engine.extensions.aaa.builtin.k=
erberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Failed aut=
henticating user: kries to domain intern.customer-virt.eu. Ldap Query Type =
is getUserByName</p <p>2016-06-03 17:18:41,703
ERROR [org.ovirt.engine.extensions.aaa.builtin.k=
erberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Kerberos e=
rror. Please check log for further details.</p
<p>2016-06-03 17:18:41,706 ERROR [org.ovirt.engine.extensions.aaa.builtin.k=
erberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-3) Failed to run co=
mmand LdapAuthenticateUserCommand. Domain is intern.customer-virt.eu. User =
is kries.</p <p>2016-06-03 17:18:41,712
INFO [org.ovirt.engine.core.bll.aaa.LoginB=
aseCommand] (ajp--127.0.0.1-8702-3) Cant login user "kries" with =
authentication profile "intern.customer-virt.eu" because the auth=
entication failed.</p <p>2016-06-03 17:18:41,719
ERROR [org.ovirt.engine.core.dal.dbbroker.auditl=
oghandling.AuditLogDirector] (ajp--127.0.0.1-8702-3) Correlation ID: null, =
Call Stack: null, Custom Event ID: -1, Message: User kries(a)intern.customer-=
virt.eu failed to log in.</p <p>2016-06-03 17:18:41,723
WARN [org.ovirt.engine.core.bll.aaa.LoginA=
dminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUs=
er failed for user kries(a)intern.customer-virt.eu. Reasons: USER_FAILED_TO_A=
UTHENTICATE</p <p><br </p <p>###</p <p><br
</p <p>Any thoughts why i
can't authenticate via oVirt against IPA2?</p
<p><br </p
<p>Thanks</p <p>Greets</p <p>Kilian</p
<p><br </p
<p><br </p
</div </body </html
--_000_ef9bab9b95a64bbfbda0fcdfb57bcf55kilianriesde_--
10:48 a.m.
On 06/03/2016 05:44 PM, Kilian Ries wrote:
Hi,
i have two free-IPA directories setup in multi-master replication. Both
are running on CentOS 7.2 with latest Software installed. Replication
between both IPAs is setup correctly and i am able to authenticate
against each of the two manually.
However, if i shutdown IPA1 and try to authenticate from oVirt 3.5.6.2
against IPA2 i can't login. Login is only working if IPA1 is
running (keep in mind that manual authentication against IPA2 is working).
In the dirSRV Error-Logfile nothing is logged, however i can see the
authentication in the access log from IPA2:
###
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU)))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101
nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH
base="cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife
krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure
krbPwdFailureCountInterval krbPwdLockoutDuration"
[03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101
nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=5 op=760 SRCH
base="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn
gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier
ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory
ipaNTHomeDirectoryDrive"
[03/Jun/2016:17:18:39 +0200] conn=5 op=760 RESULT err=0 tag=101
nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD
dn="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
[03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103
nentries=0 etime=0 csn=5751a1820001000d0000
[03/Jun/2016:17:18:39 +0200] conn=95 fd=109 slot=109 connection from
192.168.210.45 to 192.168.210.181
[03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH
base="dc=intern,dc=customer-virt,dc=eu" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU)))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101
nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH
base="dc=intern,dc=customer-virt,dc=eu" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=ldap/auth02.intern.customer-virt.eu(a)INTERN.CUSTOMER-VIRT.EU)))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101
nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=939 SRCH
base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
scope=0 filter="(objectClass=krbticketpolicyaux)"
attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[03/Jun/2016:17:18:39 +0200] conn=6 op=939 RESULT err=0 tag=101
nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=940 SRCH
base="dc=intern,dc=customer-virt,dc=eu" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kries(a)INTERN.CUSTOMER-VIRT.EU))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=6 op=940 RESULT err=0 tag=101
nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=941 SRCH
base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
scope=0 filter="(objectClass=krbticketpolicyaux)"
attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[03/Jun/2016:17:18:39 +0200] conn=6 op=941 RESULT err=0 tag=101
nentries=1 etime=0
###
In the oVirt Engine log i can see the following:
###
2016-06-03 17:18:40,402 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
(ajp--127.0.0.1-8702-3) Error in communicating with LDAP server
auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested
exception is javax.naming.CommunicationException:
auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root
exception is java.net.UnknownHostException:
auth02.intern.customer-virt.eu.intern.customer-virt.eu]
2016-06-03 17:18:40,416 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
(ajp--127.0.0.1-8702-3) Failed ldap search server
ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using
user kries(a)INTERN.CUSTOMER-VIRT.EU due to
auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested
exception is javax.naming.CommunicationException:
auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root
exception is java.net.UnknownHostException:
auth02.intern.customer-virt.eu.intern.customer-virt.eu]. We should try
the next server
2016-06-03 17:18:41,675 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LDAPTemplateWrapper]
(ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter
is
(&(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=kries)).
Exception message is: null
2016-06-03 17:18:41,681 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
(ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that
the login name , password and path are correct.
2016-06-03 17:18:41,690 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
(ajp--127.0.0.1-8702-3) Failed ldap search server
ldap://auth02.intern.customer-virt.eu:389 using user
kries(a)INTERN.CUSTOMER-VIRT.EU due to Kerberos error. Please check log
for further details.. We should not try the next server
2016-06-03 17:18:41,698 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
(ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain
intern.customer-virt.eu. Ldap Query Type is getUserByName
2016-06-03 17:18:41,703 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
(ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further
details.
2016-06-03 17:18:41,706 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
(ajp--127.0.0.1-8702-3) Failed to run command
LdapAuthenticateUserCommand. Domain is intern.customer-virt.eu. User is
kries.
2016-06-03 17:18:41,712 INFO
[org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
(ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication
profile "intern.customer-virt.eu" because the authentication failed.
2016-06-03 17:18:41,719 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom
Event ID: -1, Message: User kries(a)intern.customer-virt.eu failed to log in.
2016-06-03 17:18:41,723 WARN
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for
user kries(a)intern.customer-virt.eu. Reasons: USER_FAILED_TO_AUTHENTICATE
###
Any thoughts why i can't authenticate via oVirt against IPA2?
Can you please also share if there is some error in /var/log/krb5kdc.log
in IPA2?
Anyway, please migrate to new ovirt-engine-extensions-aaa-ldap, read
this[1] for more information.
[1] http://lists.ovirt.org/pipermail/users/2015-August/034008.html
Thanks
Greets
Kilian
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
noon
Hello,
here is the krb5kdc log from IPA2:
###
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23})
192.168.210.45: NEEDED_PREAUTH: kries(a)INTERN.CUSTOMER-VIRT.EU for
krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU, Additional pre-authentication
required
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23})
192.168.210.45: ISSUE: authtime 1464967102, etypes {rep=23 tkt=18 ses=23},
kries(a)INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23})
192.168.210.45: NEEDED_PREAUTH: kries(a)INTERN.CUSTOMER-VIRT.EU for
krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU, Additional pre-authentication
required
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 etypes {23})
192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23},
kries(a)INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23})
192.168.210.45: NEEDED_PREAUTH: kries(a)INTERN.CUSTOMER-VIRT.EU for
krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU, Additional pre-authentication
required
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 etypes {23})
192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23},
kries(a)INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): TGS_REQ (6 etypes {18
17 16 23 1 3}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=18},
kries(a)INTERN.CUSTOMER-VIRT.EU for
ldap/auth02.intern.customer-virt.eu(a)INTERN.CUSTOMER-VIRT.EU
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
###
Thanks for the hint with the LDAP-Provider, i'm trying to migrate as soon as
possible.
Greets
Kilian
________________________________________
Von: Ondra Machacek <omachace(a)redhat.com>
Gesendet: Montag, 6. Juni 2016 09:48
An: Kilian Ries; users(a)ovirt.org
Betreff: Re: [ovirt-users] free-IPA Multi-Master Authentication Problem
On 06/03/2016 05:44 PM, Kilian Ries wrote:
Hi,
i have two free-IPA directories setup in multi-master replication. Both
are running on CentOS 7.2 with latest Software installed. Replication
between both IPAs is setup correctly and i am able to authenticate
against each of the two manually.
However, if i shutdown IPA1 and try to authenticate from oVirt 3.5.6.2
against IPA2 i can't login. Login is only working if IPA1 is
running (keep in mind that manual authentication against IPA2 is working).
In the dirSRV Error-Logfile nothing is logged, however i can see the
authentication in the access log from IPA2:
###
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU)))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101
nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH
base="cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife
krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure
krbPwdFailureCountInterval krbPwdLockoutDuration"
[03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101
nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=5 op=760 SRCH
base="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn
gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier
ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory
ipaNTHomeDirectoryDrive"
[03/Jun/2016:17:18:39 +0200] conn=5 op=760 RESULT err=0 tag=101
nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD
dn="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
[03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103
nentries=0 etime=0 csn=5751a1820001000d0000
[03/Jun/2016:17:18:39 +0200] conn=95 fd=109 slot=109 connection from
192.168.210.45 to 192.168.210.181
[03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH
base="dc=intern,dc=customer-virt,dc=eu" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU)))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101
nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH
base="dc=intern,dc=customer-virt,dc=eu" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=ldap/auth02.intern.customer-virt.eu(a)INTERN.CUSTOMER-VIRT.EU)))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101
nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=939 SRCH
base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
scope=0 filter="(objectClass=krbticketpolicyaux)"
attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[03/Jun/2016:17:18:39 +0200] conn=6 op=939 RESULT err=0 tag=101
nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=940 SRCH
base="dc=intern,dc=customer-virt,dc=eu" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kries(a)INTERN.CUSTOMER-VIRT.EU))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=6 op=940 RESULT err=0 tag=101
nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=941 SRCH
base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
scope=0 filter="(objectClass=krbticketpolicyaux)"
attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[03/Jun/2016:17:18:39 +0200] conn=6 op=941 RESULT err=0 tag=101
nentries=1 etime=0
###
In the oVirt Engine log i can see the following:
###
2016-06-03 17:18:40,402 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
(ajp--127.0.0.1-8702-3) Error in communicating with LDAP server
auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested
exception is javax.naming.CommunicationException:
auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root
exception is java.net.UnknownHostException:
auth02.intern.customer-virt.eu.intern.customer-virt.eu]
2016-06-03 17:18:40,416 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
(ajp--127.0.0.1-8702-3) Failed ldap search server
ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using
user kries(a)INTERN.CUSTOMER-VIRT.EU due to
auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested
exception is javax.naming.CommunicationException:
auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root
exception is java.net.UnknownHostException:
auth02.intern.customer-virt.eu.intern.customer-virt.eu]. We should try
the next server
2016-06-03 17:18:41,675 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LDAPTemplateWrapper]
(ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter
is
(&(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=kries)).
Exception message is: null
2016-06-03 17:18:41,681 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
(ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that
the login name , password and path are correct.
2016-06-03 17:18:41,690 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
(ajp--127.0.0.1-8702-3) Failed ldap search server
ldap://auth02.intern.customer-virt.eu:389 using user
kries(a)INTERN.CUSTOMER-VIRT.EU due to Kerberos error. Please check log
for further details.. We should not try the next server
2016-06-03 17:18:41,698 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
(ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain
intern.customer-virt.eu. Ldap Query Type is getUserByName
2016-06-03 17:18:41,703 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
(ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further
details.
2016-06-03 17:18:41,706 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
(ajp--127.0.0.1-8702-3) Failed to run command
LdapAuthenticateUserCommand. Domain is intern.customer-virt.eu. User is
kries.
2016-06-03 17:18:41,712 INFO
[org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
(ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication
profile "intern.customer-virt.eu" because the authentication failed.
2016-06-03 17:18:41,719 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom
Event ID: -1, Message: User kries(a)intern.customer-virt.eu failed to log in.
2016-06-03 17:18:41,723 WARN
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for
user kries(a)intern.customer-virt.eu. Reasons: USER_FAILED_TO_AUTHENTICATE
###
Any thoughts why i can't authenticate via oVirt against IPA2?
Can you please also share if there is some error in /var/log/krb5kdc.log
in IPA2?
Anyway, please migrate to new ovirt-engine-extensions-aaa-ldap, read
this[1] for more information.
[1] http://lists.ovirt.org/pipermail/users/2015-August/034008.html
>
>
> Thanks
>
> Greets
>
> Kilian
>
>
>
>
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
3:31 p.m.
It looks fine, thanks.
Looking at the oVirt log I see IPA server FQDN:
auth02.intern.customer-virt.eu.intern.customer-virt.eu
Looking at krb realm, I guess this should be -
auth02.intern.customer-virt.eu
Do you use SRV records or did you pass --ldap-servers to manage-domains?
If SRV, then you maybe misconfigured DNS, if --ldap-servers, you should
edit configuration with proper FQDN.
On 06/06/2016 11:00 AM, Kilian Ries wrote:
Hello,
here is the krb5kdc log from IPA2:
###
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes
{23}) 192.168.210.45: NEEDED_PREAUTH: kries(a)INTERN.CUSTOMER-VIRT.EU for
krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU, Additional pre-authentication
required
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes
{23}) 192.168.210.45: ISSUE: authtime 1464967102, etypes {rep=23 tkt=18 ses=23},
kries(a)INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes
{23}) 192.168.210.45: NEEDED_PREAUTH: kries(a)INTERN.CUSTOMER-VIRT.EU for
krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU, Additional pre-authentication
required
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 etypes
{23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23},
kries(a)INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes
{23}) 192.168.210.45: NEEDED_PREAUTH: kries(a)INTERN.CUSTOMER-VIRT.EU for
krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU, Additional pre-authentication
required
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 etypes
{23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23},
kries(a)INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): TGS_REQ (6 etypes {18
17 16 23 1 3}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=18},
kries(a)INTERN.CUSTOMER-VIRT.EU for
ldap/auth02.intern.customer-virt.eu(a)INTERN.CUSTOMER-VIRT.EU
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
###
Thanks for the hint with the LDAP-Provider, i'm trying to migrate as soon as
possible.
Greets
Kilian
________________________________________
Von: Ondra Machacek <omachace(a)redhat.com>
Gesendet: Montag, 6. Juni 2016 09:48
An: Kilian Ries; users(a)ovirt.org
Betreff: Re: [ovirt-users] free-IPA Multi-Master Authentication Problem
On 06/03/2016 05:44 PM, Kilian Ries wrote:
> Hi,
>
>
> i have two free-IPA directories setup in multi-master replication. Both
> are running on CentOS 7.2 with latest Software installed. Replication
> between both IPAs is setup correctly and i am able to authenticate
> against each of the two manually.
>
>
> However, if i shutdown IPA1 and try to authenticate from oVirt 3.5.6.2
> against IPA2 i can't login. Login is only working if IPA1 is
> running (keep in mind that manual authentication against IPA2 is working).
>
>
> In the dirSRV Error-Logfile nothing is logged, however i can see the
> authentication in the access log from IPA2:
>
>
>
> ###
>
>
>
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU)))"
> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101
> nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH
>
base="cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
> scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife
> krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure
> krbPwdFailureCountInterval krbPwdLockoutDuration"
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101
> nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=760 SRCH
> base="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
> scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn
> gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
> krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier
> ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory
> ipaNTHomeDirectoryDrive"
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=760 RESULT err=0 tag=101
> nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD
> dn="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103
> nentries=0 etime=0 csn=5751a1820001000d0000
>
> [03/Jun/2016:17:18:39 +0200] conn=95 fd=109 slot=109 connection from
> 192.168.210.45 to 192.168.210.181
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH
> base="dc=intern,dc=customer-virt,dc=eu" scope=2
>
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU)))"
> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101
> nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH
> base="dc=intern,dc=customer-virt,dc=eu" scope=2
>
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=ldap/auth02.intern.customer-virt.eu(a)INTERN.CUSTOMER-VIRT.EU)))"
> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101
> nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=939 SRCH
>
base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
> scope=0 filter="(objectClass=krbticketpolicyaux)"
> attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=939 RESULT err=0 tag=101
> nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=940 SRCH
> base="dc=intern,dc=customer-virt,dc=eu" scope=2
>
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kries(a)INTERN.CUSTOMER-VIRT.EU))"
> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=940 RESULT err=0 tag=101
> nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=941 SRCH
>
base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
> scope=0 filter="(objectClass=krbticketpolicyaux)"
> attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=941 RESULT err=0 tag=101
> nentries=1 etime=0
>
>
> ###
>
>
>
> In the oVirt Engine log i can see the following:
>
>
> ###
>
>
> 2016-06-03 17:18:40,402 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
> (ajp--127.0.0.1-8702-3) Error in communicating with LDAP server
> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested
> exception is javax.naming.CommunicationException:
> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root
> exception is java.net.UnknownHostException:
> auth02.intern.customer-virt.eu.intern.customer-virt.eu]
>
> 2016-06-03 17:18:40,416 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> (ajp--127.0.0.1-8702-3) Failed ldap search server
> ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using
> user kries(a)INTERN.CUSTOMER-VIRT.EU due to
> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested
> exception is javax.naming.CommunicationException:
> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root
> exception is java.net.UnknownHostException:
> auth02.intern.customer-virt.eu.intern.customer-virt.eu]. We should try
> the next server
>
> 2016-06-03 17:18:41,675 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LDAPTemplateWrapper]
> (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter
> is
> (&(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=kries)).
> Exception message is: null
>
> 2016-06-03 17:18:41,681 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
> (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that
> the login name , password and path are correct.
>
> 2016-06-03 17:18:41,690 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> (ajp--127.0.0.1-8702-3) Failed ldap search server
> ldap://auth02.intern.customer-virt.eu:389 using user
> kries(a)INTERN.CUSTOMER-VIRT.EU due to Kerberos error. Please check log
> for further details.. We should not try the next server
>
> 2016-06-03 17:18:41,698 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
> (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain
> intern.customer-virt.eu. Ldap Query Type is getUserByName
>
> 2016-06-03 17:18:41,703 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
> (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further
> details.
>
> 2016-06-03 17:18:41,706 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
> (ajp--127.0.0.1-8702-3) Failed to run command
> LdapAuthenticateUserCommand. Domain is intern.customer-virt.eu. User is
> kries.
>
> 2016-06-03 17:18:41,712 INFO
> [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
> (ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication
> profile "intern.customer-virt.eu" because the authentication failed.
>
> 2016-06-03 17:18:41,719 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom
> Event ID: -1, Message: User kries(a)intern.customer-virt.eu failed to log in.
>
> 2016-06-03 17:18:41,723 WARN
> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
> (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for
> user kries(a)intern.customer-virt.eu. Reasons: USER_FAILED_TO_AUTHENTICATE
>
>
> ###
>
>
> Any thoughts why i can't authenticate via oVirt against IPA2?
Can you please also share if there is some error in /var/log/krb5kdc.log
in IPA2?
Anyway, please migrate to new ovirt-engine-extensions-aaa-ldap, read
this[1] for more information.
[1] http://lists.ovirt.org/pipermail/users/2015-August/034008.html
>
>
> Thanks
>
> Greets
>
> Kilian
>
>
>
>
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
4:49 p.m.
Indeed there was a faulty record for the IPA2 - i corrected that. Now the engine-log shows
the correct ldap-address:
###
2016-06-07 15:20:43,940 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
(ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that the login name ,
password and path are correct.
2016-06-07 15:20:43,946 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
(ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.eu:389 using user
kries(a)INTERN.EU due to Kerberos error. Please check log for further details.. We should
not try the next server
2016-06-07 15:20:43,951 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
(ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain intern.eu. Ldap Query
Type is getUserByName
2016-06-07 15:20:43,954 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
(ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further details.
2016-06-07 15:20:43,957 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
(ajp--127.0.0.1-8702-3) Failed to run command LdapAuthenticateUserCommand. Domain is
intern.eu. User is kries.
2016-06-07 15:20:43,961 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
(ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication profile
"intern.eu" because the authentication failed.
2016-06-07 15:20:43,968 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom Event ID: -1,
Message: User kries(a)intern.eu failed to log in.
2016-06-07 15:20:43,971 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user
kries(a)intern.eu. Reasons: USER_FAILED_TO_AUTHENTICATE
###
I'm still not able to login to oVirt via IPA2
krb5kdc and dirsrv-acces Log don't show anything new.
________________________________________
Von: Ondra Machacek <omachace(a)redhat.com>
Gesendet: Montag, 6. Juni 2016 14:31
An: Kilian Ries; users(a)ovirt.org
Betreff: Re: AW: [ovirt-users] free-IPA Multi-Master Authentication Problem
It looks fine, thanks.
Looking at the oVirt log I see IPA server FQDN:
auth02.intern.customer-virt.eu.intern.customer-virt.eu
Looking at krb realm, I guess this should be -
auth02.intern.customer-virt.eu
Do you use SRV records or did you pass --ldap-servers to manage-domains?
If SRV, then you maybe misconfigured DNS, if --ldap-servers, you should
edit configuration with proper FQDN.
On 06/06/2016 11:00 AM, Kilian Ries wrote:
> Hello,
>
> here is the krb5kdc log from IPA2:
>
>
> ###
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes
{23}) 192.168.210.45: NEEDED_PREAUTH: kries(a)INTERN.CUSTOMER-VIRT.EU for
krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU, Additional pre-authentication
required
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd
12
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes
{23}) 192.168.210.45: ISSUE: authtime 1464967102, etypes {rep=23 tkt=18 ses=23},
kries(a)INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd
12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes
{23}) 192.168.210.45: NEEDED_PREAUTH: kries(a)INTERN.CUSTOMER-VIRT.EU for
krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU, Additional pre-authentication
required
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd
12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 etypes
{23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23},
kries(a)INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing down fd
12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes
{23}) 192.168.210.45: NEEDED_PREAUTH: kries(a)INTERN.CUSTOMER-VIRT.EU for
krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU, Additional pre-authentication
required
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd
12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 etypes
{23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23},
kries(a)INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing down fd
12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): TGS_REQ (6 etypes
{18 17 16 23 1 3}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18
ses=18}, kries(a)INTERN.CUSTOMER-VIRT.EU for
ldap/auth02.intern.customer-virt.eu(a)INTERN.CUSTOMER-VIRT.EU
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd
12
> ###
>
> Thanks for the hint with the LDAP-Provider, i'm trying to migrate as soon as
possible.
>
> Greets
> Kilian
>
> ________________________________________
> Von: Ondra Machacek <omachace(a)redhat.com>
> Gesendet: Montag, 6. Juni 2016 09:48
> An: Kilian Ries; users(a)ovirt.org
> Betreff: Re: [ovirt-users] free-IPA Multi-Master Authentication Problem
>
> On 06/03/2016 05:44 PM, Kilian Ries wrote:
>> Hi,
>>
>>
>> i have two free-IPA directories setup in multi-master replication. Both
>> are running on CentOS 7.2 with latest Software installed. Replication
>> between both IPAs is setup correctly and i am able to authenticate
>> against each of the two manually.
>>
>>
>> However, if i shutdown IPA1 and try to authenticate from oVirt 3.5.6.2
>> against IPA2 i can't login. Login is only working if IPA1 is
>> running (keep in mind that manual authentication against IPA2 is working).
>>
>>
>> In the dirSRV Error-Logfile nothing is logged, however i can see the
>> authentication in the access log from IPA2:
>>
>>
>>
>> ###
>>
>>
>>
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU)))"
>> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
>> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
>> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
>> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH
>>
base="cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
>> scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife
krbMinPwdLife
>> krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure
>> krbPwdFailureCountInterval krbPwdLockoutDuration"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=760 SRCH
>> base="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
>> scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn
>> gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>> krbPrincipalType krbLastPwdChange krbPrincipalAliases
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
>> krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier
>> ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory
>> ipaNTHomeDirectoryDrive"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=760 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD
>> dn="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103
>> nentries=0 etime=0 csn=5751a1820001000d0000
>>
>> [03/Jun/2016:17:18:39 +0200] conn=95 fd=109 slot=109 connection from
>> 192.168.210.45 to 192.168.210.181
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH
>> base="dc=intern,dc=customer-virt,dc=eu" scope=2
>>
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU)))"
>> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
>> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
>> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
>> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH
>> base="dc=intern,dc=customer-virt,dc=eu" scope=2
>>
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=ldap/auth02.intern.customer-virt.eu(a)INTERN.CUSTOMER-VIRT.EU)))"
>> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
>> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
>> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
>> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=939 SRCH
>>
base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
>> scope=0 filter="(objectClass=krbticketpolicyaux)"
>> attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=939 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=940 SRCH
>> base="dc=intern,dc=customer-virt,dc=eu" scope=2
>>
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kries(a)INTERN.CUSTOMER-VIRT.EU))"
>> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
>> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
>> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
>> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=940 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=941 SRCH
>>
base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
>> scope=0 filter="(objectClass=krbticketpolicyaux)"
>> attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=941 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>>
>> ###
>>
>>
>>
>> In the oVirt Engine log i can see the following:
>>
>>
>> ###
>>
>>
>> 2016-06-03 17:18:40,402 ERROR
>>
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
>> (ajp--127.0.0.1-8702-3) Error in communicating with LDAP server
>> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested
>> exception is javax.naming.CommunicationException:
>> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root
>> exception is java.net.UnknownHostException:
>> auth02.intern.customer-virt.eu.intern.customer-virt.eu]
>>
>> 2016-06-03 17:18:40,416 ERROR
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
>> (ajp--127.0.0.1-8702-3) Failed ldap search server
>> ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using
>> user kries(a)INTERN.CUSTOMER-VIRT.EU due to
>> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested
>> exception is javax.naming.CommunicationException:
>> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root
>> exception is java.net.UnknownHostException:
>> auth02.intern.customer-virt.eu.intern.customer-virt.eu]. We should try
>> the next server
>>
>> 2016-06-03 17:18:41,675 ERROR
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LDAPTemplateWrapper]
>> (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter
>> is
>> (&(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=kries)).
>> Exception message is: null
>>
>> 2016-06-03 17:18:41,681 ERROR
>>
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
>> (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that
>> the login name , password and path are correct.
>>
>> 2016-06-03 17:18:41,690 ERROR
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
>> (ajp--127.0.0.1-8702-3) Failed ldap search server
>> ldap://auth02.intern.customer-virt.eu:389 using user
>> kries(a)INTERN.CUSTOMER-VIRT.EU due to Kerberos error. Please check log
>> for further details.. We should not try the next server
>>
>> 2016-06-03 17:18:41,698 ERROR
>>
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
>> (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain
>> intern.customer-virt.eu. Ldap Query Type is getUserByName
>>
>> 2016-06-03 17:18:41,703 ERROR
>>
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
>> (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further
>> details.
>>
>> 2016-06-03 17:18:41,706 ERROR
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
>> (ajp--127.0.0.1-8702-3) Failed to run command
>> LdapAuthenticateUserCommand. Domain is intern.customer-virt.eu. User is
>> kries.
>>
>> 2016-06-03 17:18:41,712 INFO
>> [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
>> (ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication
>> profile "intern.customer-virt.eu" because the authentication failed.
>>
>> 2016-06-03 17:18:41,719 ERROR
>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom
>> Event ID: -1, Message: User kries(a)intern.customer-virt.eu failed to log in.
>>
>> 2016-06-03 17:18:41,723 WARN
>> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
>> (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for
>> user kries(a)intern.customer-virt.eu. Reasons: USER_FAILED_TO_AUTHENTICATE
>>
>>
>> ###
>>
>>
>> Any thoughts why i can't authenticate via oVirt against IPA2?
>
> Can you please also share if there is some error in /var/log/krb5kdc.log
> in IPA2?
>
> Anyway, please migrate to new ovirt-engine-extensions-aaa-ldap, read
> this[1] for more information.
>
> [1] http://lists.ovirt.org/pipermail/users/2015-August/034008.html
>
>>
>>
>> Thanks
>>
>> Greets
>>
>> Kilian
>>
>>
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>
1:28 p.m.
How did you setup the authentication. DId you use AAA or
engine-manage-domains ?
Do you *have* to use kerberos, or can you just use ldap?
If you have no requirement to use kerberos, then I would just use simple
AAA ldap.
How are you load balancing the IPA servers? Does fail over work for other
things? IE client machines connected to the IPA realm?
On Tue, Jun 7, 2016 at 9:49 AM, Kilian Ries <mail(a)kilian-ries.de> wrote:
Indeed there was a faulty record for the IPA2 - i corrected that. Now
the
engine-log shows the correct ldap-address:
###
2016-06-07 15:20:43,940 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
(ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that the
login name , password and path are correct.
2016-06-07 15:20:43,946 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
(ajp--127.0.0.1-8702-3) Failed ldap search server ldap://
auth02.intern.eu:389 using user kries(a)INTERN.EU due to Kerberos error.
Please check log for further details.. We should not try the next server
2016-06-07 15:20:43,951 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
(ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain
intern.eu. Ldap Query Type is getUserByName
2016-06-07 15:20:43,954 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
(ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further
details.
2016-06-07 15:20:43,957 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
(ajp--127.0.0.1-8702-3) Failed to run command LdapAuthenticateUserCommand.
Domain is intern.eu. User is kries.
2016-06-07 15:20:43,961 INFO
[org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-3)
Cant login user "kries" with authentication profile "intern.eu"
because
the authentication failed.
2016-06-07 15:20:43,968 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom
Event ID: -1, Message: User kries(a)intern.eu failed to log in.
2016-06-07 15:20:43,971 WARN
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for
user kries(a)intern.eu. Reasons: USER_FAILED_TO_AUTHENTICATE
###
I'm still not able to login to oVirt via IPA2
krb5kdc and dirsrv-acces Log don't show anything new.
________________________________________
Von: Ondra Machacek <omachace(a)redhat.com>
Gesendet: Montag, 6. Juni 2016 14:31
An: Kilian Ries; users(a)ovirt.org
Betreff: Re: AW: [ovirt-users] free-IPA Multi-Master Authentication Problem
It looks fine, thanks.
Looking at the oVirt log I see IPA server FQDN:
auth02.intern.customer-virt.eu.intern.customer-virt.eu
Looking at krb realm, I guess this should be -
auth02.intern.customer-virt.eu
Do you use SRV records or did you pass --ldap-servers to manage-domains?
If SRV, then you maybe misconfigured DNS, if --ldap-servers, you should
edit configuration with proper FQDN.
On 06/06/2016 11:00 AM, Kilian Ries wrote:
> Hello,
>
> here is the krb5kdc log from IPA2:
>
>
> ###
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info):
AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH:
kries(a)INTERN.CUSTOMER-VIRT.EU for krbtgt/
INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU, Additional
pre-authentication required
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info):
closing down fd 12
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info):
AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967102, etypes
{rep=23 tkt=18 ses=23}, kries(a)INTERN.CUSTOMER-VIRT.EU for krbtgt/
INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info):
closing down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info):
AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH:
kries(a)INTERN.CUSTOMER-VIRT.EU for krbtgt/
INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU, Additional
pre-authentication required
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info):
closing down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info):
AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes
{rep=23 tkt=18 ses=23}, kries(a)INTERN.CUSTOMER-VIRT.EU for krbtgt/
INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info):
closing down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info):
AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH:
kries(a)INTERN.CUSTOMER-VIRT.EU for krbtgt/
INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU, Additional
pre-authentication required
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info):
closing down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info):
AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes
{rep=23 tkt=18 ses=23}, kries(a)INTERN.CUSTOMER-VIRT.EU for krbtgt/
INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info):
closing down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info):
TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.210.45: ISSUE: authtime
1464967120, etypes {rep=23 tkt=18 ses=18}, kries(a)INTERN.CUSTOMER-VIRT.EU
for ldap/auth02.intern.customer-virt.eu(a)INTERN.CUSTOMER-VIRT.EU
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info):
closing down fd 12
> ###
>
> Thanks for the hint with the LDAP-Provider, i'm trying to migrate as
soon as possible.
>
> Greets
> Kilian
>
> ________________________________________
> Von: Ondra Machacek <omachace(a)redhat.com>
> Gesendet: Montag, 6. Juni 2016 09:48
> An: Kilian Ries; users(a)ovirt.org
> Betreff: Re: [ovirt-users] free-IPA Multi-Master Authentication Problem
>
> On 06/03/2016 05:44 PM, Kilian Ries wrote:
>> Hi,
>>
>>
>> i have two free-IPA directories setup in multi-master replication. Both
>> are running on CentOS 7.2 with latest Software installed. Replication
>> between both IPAs is setup correctly and i am able to authenticate
>> against each of the two manually.
>>
>>
>> However, if i shutdown IPA1 and try to authenticate from oVirt 3.5.6.2
>> against IPA2 i can't login. Login is only working if IPA1 is
>> running (keep in mind that manual authentication against IPA2 is
working).
>>
>>
>> In the dirSRV Error-Logfile nothing is logged, however i can see the
>> authentication in the access log from IPA2:
>>
>>
>>
>> ###
>>
>>
>>
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/
INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/
INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU)))"
>> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
>> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
>> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
>> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH
>> base="cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU
,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
>> scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife
krbMinPwdLife
>> krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure
>> krbPwdFailureCountInterval krbPwdLockoutDuration"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=760 SRCH
>>
base="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
>> scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn
>> gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>> krbPrincipalType krbLastPwdChange krbPrincipalAliases
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
>> krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier
>> ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory
>> ipaNTHomeDirectoryDrive"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=760 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD
>> dn="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103
>> nentries=0 etime=0 csn=5751a1820001000d0000
>>
>> [03/Jun/2016:17:18:39 +0200] conn=95 fd=109 slot=109 connection from
>> 192.168.210.45 to 192.168.210.181
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH
>> base="dc=intern,dc=customer-virt,dc=eu" scope=2
>>
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/
INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/
INTERN.CUSTOMER-VIRT.EU(a)INTERN.CUSTOMER-VIRT.EU)))"
>> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
>> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
>> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
>> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH
>> base="dc=intern,dc=customer-virt,dc=eu" scope=2
>>
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/
auth02.intern.customer-virt.eu(a)INTERN.CUSTOMER-VIRT.EU
)(krbPrincipalName=ldap/
auth02.intern.customer-virt.eu(a)INTERN.CUSTOMER-VIRT.EU)))"
>> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
>> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
>> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
>> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=939 SRCH
>> base="cn=INTERN.CUSTOMER-VIRT.EU
,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
>> scope=0 filter="(objectClass=krbticketpolicyaux)"
>> attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=939 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=940 SRCH
>> base="dc=intern,dc=customer-virt,dc=eu" scope=2
>>
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=
kries(a)INTERN.CUSTOMER-VIRT.EU))"
>> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
>> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
>> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
>> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=940 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=941 SRCH
>> base="cn=INTERN.CUSTOMER-VIRT.EU
,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
>> scope=0 filter="(objectClass=krbticketpolicyaux)"
>> attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=941 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>>
>> ###
>>
>>
>>
>> In the oVirt Engine log i can see the following:
>>
>>
>> ###
>>
>>
>> 2016-06-03 17:18:40,402 ERROR
>>
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
>> (ajp--127.0.0.1-8702-3) Error in communicating with LDAP server
>> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested
>> exception is javax.naming.CommunicationException:
>> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root
>> exception is java.net.UnknownHostException:
>> auth02.intern.customer-virt.eu.intern.customer-virt.eu]
>>
>> 2016-06-03 17:18:40,416 ERROR
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
>> (ajp--127.0.0.1-8702-3) Failed ldap search server
>> ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using
>> user kries(a)INTERN.CUSTOMER-VIRT.EU due to
>> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested
>> exception is javax.naming.CommunicationException:
>> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root
>> exception is java.net.UnknownHostException:
>> auth02.intern.customer-virt.eu.intern.customer-virt.eu]. We should try
>> the next server
>>
>> 2016-06-03 17:18:41,675 ERROR
>>
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LDAPTemplateWrapper]
>> (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter
>> is
>> (&(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=kries)).
>> Exception message is: null
>>
>> 2016-06-03 17:18:41,681 ERROR
>>
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
>> (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that
>> the login name , password and path are correct.
>>
>> 2016-06-03 17:18:41,690 ERROR
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
>> (ajp--127.0.0.1-8702-3) Failed ldap search server
>> ldap://auth02.intern.customer-virt.eu:389 using user
>> kries(a)INTERN.CUSTOMER-VIRT.EU due to Kerberos error. Please check log
>> for further details.. We should not try the next server
>>
>> 2016-06-03 17:18:41,698 ERROR
>>
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
>> (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain
>> intern.customer-virt.eu. Ldap Query Type is getUserByName
>>
>> 2016-06-03 17:18:41,703 ERROR
>>
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
>> (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further
>> details.
>>
>> 2016-06-03 17:18:41,706 ERROR
>>
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
>> (ajp--127.0.0.1-8702-3) Failed to run command
>> LdapAuthenticateUserCommand. Domain is intern.customer-virt.eu. User is
>> kries.
>>
>> 2016-06-03 17:18:41,712 INFO
>> [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
>> (ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication
>> profile "intern.customer-virt.eu" because the authentication failed.
>>
>> 2016-06-03 17:18:41,719 ERROR
>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom
>> Event ID: -1, Message: User kries(a)intern.customer-virt.eu failed to
log in.
>>
>> 2016-06-03 17:18:41,723 WARN
>> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
>> (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for
>> user kries(a)intern.customer-virt.eu. Reasons:
USER_FAILED_TO_AUTHENTICATE
>>
>>
>> ###
>>
>>
>> Any thoughts why i can't authenticate via oVirt against IPA2?
>
> Can you please also share if there is some error in /var/log/krb5kdc.log
> in IPA2?
>
> Anyway, please migrate to new ovirt-engine-extensions-aaa-ldap, read
> this[1] for more information.
>
> [1] http://lists.ovirt.org/pipermail/users/2015-August/034008.html
>
>>
>>
>> Thanks
>>
>> Greets
>>
>> Kilian
>>
>>
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
3083
days inactive
3095
days old
5 comments
3 participants
participants (3)
-
Donny Davis -
Kilian Ries -
Ondra Machacek