[ovirt-users] free-IPA Multi-Master Authentication Problem

Ondra Machacek omachace at redhat.com
Mon Jun 6 03:48:00 EDT 2016


On 06/03/2016 05:44 PM, Kilian Ries wrote:
> Hi,
>
>
> I have two FreeIPA directories set up in multi-master replication. Both
> are running on CentOS 7.2 with the latest software installed. Replication
> between both IPAs is set up correctly and I am able to authenticate
> against each of the two manually.
>
>
> However, if I shut down IPA1 and try to authenticate from oVirt 3.5.6.2
> against IPA2 I can't log in. Login only works if IPA1 is
> running (keep in mind that manual authentication against IPA2 is working).
>
>
> Nothing is logged in the dirsrv error log; however, I can see the
> authentication in the access log of IPA2:
>
>
>
> ###
>
>
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU)))"
> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101
> nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH
> base="cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
> scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife
> krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure
> krbPwdFailureCountInterval krbPwdLockoutDuration"
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101
> nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=760 SRCH
> base="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
> scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn
> gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
> krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier
> ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory
> ipaNTHomeDirectoryDrive"
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=760 RESULT err=0 tag=101
> nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD
> dn="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103
> nentries=0 etime=0 csn=5751a1820001000d0000
>
> [03/Jun/2016:17:18:39 +0200] conn=95 fd=109 slot=109 connection from
> 192.168.210.45 to 192.168.210.181
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH
> base="dc=intern,dc=customer-virt,dc=eu" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU)))"
> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101
> nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH
> base="dc=intern,dc=customer-virt,dc=eu" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/auth02.intern.customer-virt.eu at INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=ldap/auth02.intern.customer-virt.eu at INTERN.CUSTOMER-VIRT.EU)))"
> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101
> nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=939 SRCH
> base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
> scope=0 filter="(objectClass=krbticketpolicyaux)"
> attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=939 RESULT err=0 tag=101
> nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=940 SRCH
> base="dc=intern,dc=customer-virt,dc=eu" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kries at INTERN.CUSTOMER-VIRT.EU))"
> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=940 RESULT err=0 tag=101
> nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=941 SRCH
> base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
> scope=0 filter="(objectClass=krbticketpolicyaux)"
> attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=941 RESULT err=0 tag=101
> nentries=1 etime=0
>
>
> ###
>
>
>
> In the oVirt Engine log I can see the following:
>
>
> ###
>
>
> 2016-06-03 17:18:40,402 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
> (ajp--127.0.0.1-8702-3) Error in communicating with LDAP server
> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested
> exception is javax.naming.CommunicationException:
> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root
> exception is java.net.UnknownHostException:
> auth02.intern.customer-virt.eu.intern.customer-virt.eu]
>
> 2016-06-03 17:18:40,416 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> (ajp--127.0.0.1-8702-3) Failed ldap search server
> ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using
> user kries at INTERN.CUSTOMER-VIRT.EU due to
> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested
> exception is javax.naming.CommunicationException:
> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root
> exception is java.net.UnknownHostException:
> auth02.intern.customer-virt.eu.intern.customer-virt.eu]. We should try
> the next server
>
> 2016-06-03 17:18:41,675 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LDAPTemplateWrapper]
> (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter
> is
> (&(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=kries)).
> Exception message is: null
>
> 2016-06-03 17:18:41,681 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
> (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that
> the login name , password and path are correct.
>
> 2016-06-03 17:18:41,690 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> (ajp--127.0.0.1-8702-3) Failed ldap search server
> ldap://auth02.intern.customer-virt.eu:389 using user
> kries at INTERN.CUSTOMER-VIRT.EU due to Kerberos error. Please check log
> for further details.. We should not try the next server
>
> 2016-06-03 17:18:41,698 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
> (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain
> intern.customer-virt.eu. Ldap Query Type is getUserByName
>
> 2016-06-03 17:18:41,703 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
> (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further
> details.
>
> 2016-06-03 17:18:41,706 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
> (ajp--127.0.0.1-8702-3) Failed to run command
> LdapAuthenticateUserCommand. Domain is intern.customer-virt.eu. User is
> kries.
>
> 2016-06-03 17:18:41,712 INFO
>  [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
> (ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication
> profile "intern.customer-virt.eu" because the authentication failed.
>
> 2016-06-03 17:18:41,719 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom
> Event ID: -1, Message: User kries at intern.customer-virt.eu failed to log in.
>
> 2016-06-03 17:18:41,723 WARN
>  [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
> (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for
> user kries at intern.customer-virt.eu. Reasons: USER_FAILED_TO_AUTHENTICATE
>
>
> ###
>
>
> Any thoughts on why I can't authenticate via oVirt against IPA2?

Can you please also share if there is some error in /var/log/krb5kdc.log 
on IPA2?

Anyway, please migrate to the new ovirt-engine-extensions-aaa-ldap; read 
this [1] for more information.

[1] http://lists.ovirt.org/pipermail/users/2015-August/034008.html

>
>
> Thanks
>
> Greets
>
> Kilian
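Added example, not code from the thread or from oVirt: a small Python triage script that parses DirectorySearcher "Failed ldap search server" lines like the ones quoted above and separates the two failure modes visible there, a host name that got the domain suffix appended twice (never resolves, so the provider moves to the next server) and a Kerberos error against the real auth02 host (where the provider stops, which is the point at which the KDC log Ondra asks for becomes relevant). The regex, the function names and the condensed two-line sample log (with the mailing-list "at" restored to "@") are my own assumptions.

```python
import re
# Constructed sample: two DirectorySearcher lines condensed from the engine
# log quoted above (each on one line, as the engine writes them).
SAMPLE_LOG = """\
2016-06-03 17:18:40,416 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using user kries@INTERN.CUSTOMER-VIRT.EU due to auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu]. We should try the next server
2016-06-03 17:18:41,690 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu:389 using user kries@INTERN.CUSTOMER-VIRT.EU due to Kerberos error. Please check log for further details.. We should not try the next server
"""

# Hypothetical pattern for the "Failed ldap search server" message; the
# trailing "We should (not) try the next server" tells us whether failover went on.
ATTEMPT_RE = re.compile(
    r"Failed ldap search server ldap://(?P<host>[^:/\s]+):(?P<port>\d+) "
    r"using user (?P<user>\S+) due to (?P<reason>.*?)\. "
    r"We should (?P<stop>not )?try the next server"
)

def has_doubled_suffix(host: str, domain: str) -> bool:
    """True when a fully-qualified name was qualified again: auth02.<domain>.<domain>."""
    suffix = "." + domain.lower()
    return host.lower().endswith(suffix + suffix)

def canonical_host(host: str, domain: str) -> str:
    """Collapse a doubled domain suffix back to the real host name."""
    suffix = "." + domain.lower()
    h = host.lower()
    return h[:-len(suffix)] if h.endswith(suffix + suffix) else h

def classify(reason: str, host: str, domain: str) -> str:
    if has_doubled_suffix(host, domain):
        return "doubled-domain-suffix"   # DNS side: that name never resolves
    if "UnknownHostException" in reason:
        return "unresolvable-host"
    if "Kerberos error" in reason:
        return "kerberos-error"          # LDAP host reached; look at the KDC log
    return "other"

def analyse(log_text: str, domain: str) -> list:
    """One finding per failed attempt, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = ATTEMPT_RE.search(line)
        if not m:
            continue
        findings.append({"host": m["host"], "port": int(m["port"]),
                         "kind": classify(m["reason"], m["host"], domain),
                         "stopped_failover": m["stop"] is not None,
                         "intended_host": canonical_host(m["host"], domain)})
    return findings
```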

