[Engine-devel] users cannot log into userportal
Dead Horse
deadhorseconsulting at gmail.com
Thu Aug 8 23:51:03 UTC 2013
I verified the fix against current master with multiple installs and
browsers. Thanks guys!
Fix verified to work with:
Firefox Version 22.0-1
Google Chrome Version 28.0.1500.95
I still noted an odd issue with Firefox Version 17.0.8-1 (Current
Firefox EL6 Version).
The login into the user portal succeeds and a successful login is
logged, however the login remains hung at the login dialog
indefinitely.
Reloading the page and closing the browser does not change things.
Also removing ~/<username>/.mozilla and starting fresh results in the same.
Can someone else check and verify similar oddness with EL6 Firefox.
- DHC
On Wed, Aug 7, 2013 at 1:50 PM, Dead Horse <deadhorseconsulting at gmail.com>wrote:
> I see the fix in Gerrit/GIT. Thanks guys! I will test and update results
> tomorrow morning.
> - DHC
>
>
> On Wed, Aug 7, 2013 at 1:01 PM, Yair Zaslavsky <yzaslavs at redhat.com>wrote:
>
>>
>>
>> ----- Original Message -----
>> > From: "Yair Zaslavsky" <yzaslavs at redhat.com>
>> > To: "Dead Horse" <deadhorseconsulting at gmail.com>
>> > Cc: "engine-devel" <engine-devel at ovirt.org>
>> > Sent: Wednesday, August 7, 2013 9:00:34 PM
>> > Subject: Re: [Engine-devel] users cannot log into userportal
>> >
>> >
>> >
>> > ----- Original Message -----
>> > > From: "Dead Horse" <deadhorseconsulting at gmail.com>
>> > > To: "Itamar Heim" <iheim at redhat.com>
>> > > Cc: "engine-devel" <engine-devel at ovirt.org>, "Yair Zaslavsky"
>> > > <yzaslavs at redhat.com>
>> > > Sent: Wednesday, August 7, 2013 6:14:02 PM
>> > > Subject: Re: [Engine-devel] users cannot log into userportal
>> > >
>> > > BZ994604 (https://bugzilla.redhat.com/show_bug.cgi?id=994604) has
>> been
>> > > opened.
>> > > - DHC
>> >
>> > Thanks for your help DHC,
>> > This was already fixed by rnori.
>>
>> Of course "already fixed" comparing with current time. This was indeed a
>> real issue.
>>
>> >
>> > >
>> > >
>> > > On Wed, Aug 7, 2013 at 5:35 AM, Itamar Heim <iheim at redhat.com> wrote:
>> > >
>> > > > On 08/07/2013 12:10 AM, Dead Horse wrote:
>> > > >
>> > > >> I have found some steps to reproduce this easily.
>> > > >>
>> > > >> Start the engine bound to an AD for authentication
>> > > >> log in to the user portal as an AD user which has been granted a
>> Role (I
>> > > >> used PowerUserRole)
>> > > >>
>> > > >> Result: Login will succeed
>> > > >> Data from engine.log:
>> > > >> 2013-08-06 15:54:10,088 INFO
>> > > >> [org.ovirt.engine.core.bll.**LoginUserCommand]
>> (ajp--127.0.0.1-8702-10)
>> > > >> Running command: LoginUserCommand internal: false.
>> > > >> 2013-08-06 15:54:10,139 INFO
>> > > >> [org.ovirt.engine.core.dal.**dbbroker.auditloghandling.**
>> > > >> AuditLogDirector]
>> > > >> (ajp--127.0.0.1-8702-10) Correlation ID: 23c4709, Call Stack: null,
>> > > >> Custom Event ID: -1, Message: User ovirttest logged in.
>> > > >>
>> > > >> log out of the user portal
>> > > >> Result: log out succeeds
>> > > >> Data from engine.log:
>> > > >> 2013-08-06 15:54:12,448 INFO
>> > > >> [org.ovirt.engine.core.bll.**LogoutUserCommand]
>> (ajp--127.0.0.1-8702-2)
>> > > >> Running command: LogoutUserCommand internal: false.
>> > > >> 2013-08-06 15:54:12,474 INFO
>> > > >> [org.ovirt.engine.core.dal.**dbbroker.auditloghandling.**
>> > > >> AuditLogDirector]
>> > > >> (ajp--127.0.0.1-8702-2) Correlation ID: 52a89e7d, Call Stack: null,
>> > > >> Custom Event ID: -1, Message: User ovirttest logged out.
>> > > >>
>> > > >> As the same user log in to the user portal again but this purposely
>> > > >> input the wrong password.
>> > > >> Result: log in will fail
>> > > >> Data from engine.log:
>> > > >> 2013-08-06 15:54:20,830 ERROR
>> > > >>
>> [org.ovirt.engine.core.bll.**adbroker.**GSSAPIDirContextAuthentication**
>> > > >> Strategy]
>> > > >> (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication
>> information
>> > > >> was invalid (24)
>> > > >> 2013-08-06 15:54:20,832 ERROR
>> > > >>
>> [org.ovirt.engine.core.bll.**adbroker.**GSSAPIDirContextAuthentication**
>> > > >> Strategy]
>> > > >> (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the
>> > > >> username and password.
>> > > >> 2013-08-06 15:54:20,843 ERROR
>> > > >> [org.ovirt.engine.core.bll.**adbroker.DirectorySearcher]
>> > > >> (ajp--127.0.0.1-8702-7) Failed ldap search server
>> > > >> LDAP://foodc02.foo.test.com:**389 <http://foodc02.foo.test.com:389>
>> <
>> > > >> http://foodc02.foo.test.com:**389 <http://foodc02.foo.test.com:389
>> >>
>> > > >> using
>> > > >> user ovirttest at FOO.TEST.COM <mailto:ovirttest at FOO.TEST.COM**> due
>> to
>> > > >>
>> > > >> Authentication Failed. Please verify the username and password.. We
>> > > >> should not try the next server
>> > > >> 2013-08-06 15:54:20,850 ERROR
>> > > >>
>> [org.ovirt.engine.core.bll.**adbroker.**GSSAPIDirContextAuthentication**
>> > > >> Strategy]
>> > > >> (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication
>> information
>> > > >> was invalid (24)
>> > > >> 2013-08-06 15:54:20,851 ERROR
>> > > >>
>> [org.ovirt.engine.core.bll.**adbroker.**GSSAPIDirContextAuthentication**
>> > > >> Strategy]
>> > > >> (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the
>> > > >> username and password.
>> > > >> 2013-08-06 15:54:20,852 ERROR
>> > > >> [org.ovirt.engine.core.bll.**adbroker.DirectorySearcher]
>> > > >> (ajp--127.0.0.1-8702-7) Failed ldap search server
>> > > >> LDAP://foodc01.foo.test.com:**389 <http://foodc01.foo.test.com:389>
>> <
>> > > >> http://foodc01.foo.test.com:**389 <http://foodc01.foo.test.com:389
>> >>
>> > > >> using
>> > > >> user ovirttest at FOO.TEST.COM <mailto:ovirttest at FOO.TEST.COM**> due
>> to
>> > > >>
>> > > >> Authentication Failed. Please verify the username and password.. We
>> > > >> should not try the next server
>> > > >> 2013-08-06 15:54:20,853 ERROR
>> > > >>
>> [org.ovirt.engine.core.bll.**adbroker.**LdapAuthenticateUserCommand]
>> > > >> (ajp--127.0.0.1-8702-7) Failed authenticating user: ovirttest to
>> domain
>> > > >> gso.med.ge.com <http://gso.med.ge.com>. Ldap Query Type is
>> getUserByName
>> > > >>
>> > > >> 2013-08-06 15:54:20,854 ERROR
>> > > >>
>> [org.ovirt.engine.core.bll.**adbroker.**LdapAuthenticateUserCommand]
>> > > >> (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the
>> > > >> username and password.
>> > > >> 2013-08-06 15:54:20,855 ERROR
>> > > >> [org.ovirt.engine.core.bll.**LoginUserCommand]
>> (ajp--127.0.0.1-8702-7)
>> > > >> USER_FAILED_TO_AUTHENTICATE_**WRONG_USERNAME_OR_PASSWORD :
>> ovirttest
>> > > >> 2013-08-06 15:54:20,856 WARN
>> > > >> [org.ovirt.engine.core.bll.**LoginUserCommand]
>> (ajp--127.0.0.1-8702-7)
>> > > >> CanDoAction of action LoginUser failed.
>> > > >> Reasons:USER_FAILED_TO_**AUTHENTICATE_WRONG_USERNAME_**OR_PASSWORD
>> > > >>
>> > > >> Try again to log in as the same user this time typing the correct
>> > > >> password.
>> > > >> Result: Login fails!
>> > > >> Data from engine.log:
>> > > >> 2013-08-06 15:54:25,186 ERROR
>> > > >>
>> [org.ovirt.engine.core.bll.**adbroker.**LdapAuthenticateUserCommand]
>> > > >> (ajp--127.0.0.1-8702-7) Failed authenticating user: ovirttest to
>> domain
>> > > >> gso.med.ge.com <http://gso.med.ge.com>. Ldap Query Type is
>> getUserByName
>> > > >>
>> > > >> 2013-08-06 15:54:25,187 ERROR
>> > > >> [org.ovirt.engine.core.bll.**LoginUserCommand]
>> (ajp--127.0.0.1-8702-7)
>> > > >> USER_FAILED_TO_AUTHENTICATE : ovirttest
>> > > >> 2013-08-06 15:54:25,187 WARN
>> > > >> [org.ovirt.engine.core.bll.**LoginUserCommand]
>> (ajp--127.0.0.1-8702-7)
>> > > >> CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_**
>> > > >> AUTHENTICATE
>> > > >>
>> > > >> Try again with another AD user.
>> > > >> Result: Login fails!
>> > > >> Data from engine.log:
>> > > >> 2013-08-06 15:54:38,056 ERROR
>> > > >>
>> [org.ovirt.engine.core.bll.**adbroker.**LdapAuthenticateUserCommand]
>> > > >> (ajp--127.0.0.1-8702-5) Failed authenticating user: ovirtadmin to
>> domain
>> > > >> gso.med.ge.com <http://gso.med.ge.com>. Ldap Query Type is
>> getUserByName
>> > > >>
>> > > >> 2013-08-06 15:54:38,057 ERROR
>> > > >> [org.ovirt.engine.core.bll.**LoginUserCommand]
>> (ajp--127.0.0.1-8702-5)
>> > > >> USER_FAILED_TO_AUTHENTICATE : ovirtadmin
>> > > >> 2013-08-06 15:54:38,058 WARN
>> > > >> [org.ovirt.engine.core.bll.**LoginUserCommand]
>> (ajp--127.0.0.1-8702-5)
>> > > >> CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_**
>> > > >> AUTHENTICATE
>> > > >>
>> > > >> Logging into the admin portal as the admin at internal user will
>> yield that
>> > > >> engine seems to have forgotten about and can no longer enumerate AD
>> > > >> users and groups.
>> > > >> engine stays in this state until it has been restarted.
>> > > >>
>> > > >> I also note the two following errors in the engine log file as
>> well:
>> > > >> 2013-08-06 15:53:41,098 ERROR
>> > > >> [org.ovirt.engine.core.dal.**dbbroker.generic.**DBConfigUtils] (MSC
>> > > >> service
>> > > >> thread 1-9) Could not parse option AutoRecoveryAllowedTypes value.
>> > > >> 2013-08-06 15:53:41,161 ERROR
>> > > >> [org.ovirt.engine.core.dal.**dbbroker.generic.**DBConfigUtils] (MSC
>> > > >> service
>> > > >> thread 1-9) Failed to decrypt value for property
>> > > >> AttestationTruststorePass will be used encrypted value:
>> > > >> javax.crypto.**BadPaddingException: Data must start with zero
>> > > >>
>> > > >> - DHC
>> > > >>
>> > > >>
>> > > >>
>> > > >> On Tue, Aug 6, 2013 at 1:31 PM, Dead Horse
>> > > >> <deadhorseconsulting at gmail.com
>> > > >> <mailto:deadhorseconsulting@**gmail.com<
>> deadhorseconsulting at gmail.com>
>> > > >> >>
>> > > >>
>> > > >> wrote:
>> > > >>
>> > > >> Really attaching logs from other install.
>> > > >> - DHC
>> > > >>
>> > > >>
>> > > >> On Tue, Aug 6, 2013 at 1:30 PM, Dead Horse
>> > > >> <deadhorseconsulting at gmail.com
>> > > >> <mailto:deadhorseconsulting@**gmail.com<
>> deadhorseconsulting at gmail.com>>>
>> > > >> wrote:
>> > > >>
>> > > >> Also I note that he login does succeed in the AD servers
>> logs as
>> > > >> well as the engine also acknowledges the same. However the
>> login
>> > > >> ends up in either the user logging in and the dialog
>> sitting in
>> > > >> space forever and/or the engine no longer enumerating the
>> AD
>> > > >> users/groups.
>> > > >>
>> > > >> Attached are logs from another install seeing the same
>> thing.
>> > > >> -DHC
>> > > >>
>> > > >>
>> > > >> On Tue, Aug 6, 2013 at 1:20 PM, Dead Horse
>> > > >> <deadhorseconsulting at gmail.com
>> > > >> <mailto:deadhorseconsulting@**gmail.com<
>> deadhorseconsulting at gmail.com>>>
>> > > >> wrote:
>> > > >>
>> > > >>
>> > > >> Seeing and issue where users are not able to log in.
>> Also
>> > > >> for some reason the engine is seemingly forgeting
>> about AD
>> > > >> users. Removing the AD domain via
>> engine-manage-domains and
>> > > >> re-adding it works for enumerating the users, however
>> the
>> > > >> first attempt to login as a user results in the engine
>> no
>> > > >> longer enumerating the users nor allowing logins.
>> > > >> Attached are the pertinent logs.
>> > > >>
>> > > >> Engine is built and running from current master as of
>> this
>> > > >> morning, and was installed/built and upgraded via RPMs
>> > > >> yum/engine-upgrade
>> > > >>
>> > > >> - DHC
>> > > >>
>> > > >>
>> > > >>
>> > > >>
>> > > >>
>> > > >>
>> > > >> ______________________________**_________________
>> > > >> Engine-devel mailing list
>> > > >> Engine-devel at ovirt.org
>> > > >> http://lists.ovirt.org/**mailman/listinfo/engine-devel<
>> http://lists.ovirt.org/mailman/listinfo/engine-devel>
>> > > >>
>> > > >>
>> > > > thanks for reproducing with such clear steps. can you please open a
>> bug?
>> > > > yair - can you try and reproduce as well (I tried on an older rhev
>> 3.2 i
>> > > > have and couldn't with the IPA provider)
>> > > >
>> > >
>> > _______________________________________________
>> > Engine-devel mailing list
>> > Engine-devel at ovirt.org
>> > http://lists.ovirt.org/mailman/listinfo/engine-devel
>> >
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/engine-devel/attachments/20130808/57a046b1/attachment.html>
More information about the Engine-devel
mailing list