[ovirt-users] free-IPA Multi-Master Authentication Problem
Donny Davis
donny at fortnebula.com
Wed Jun 15 06:28:31 EDT 2016
How did you setup the authentication. DId you use AAA or
engine-manage-domains ?
Do you *have* to use kerberos, or can you just use ldap?
If you have no requirement to use kerberos, then I would just use simple
AAA ldap.
How are you load balancing the IPA servers? Does fail over work for other
things? IE client machines connected to the IPA realm?
On Tue, Jun 7, 2016 at 9:49 AM, Kilian Ries <mail at kilian-ries.de> wrote:
> Indeed there was a faulty record for the IPA2 - i corrected that. Now the
> engine-log shows the correct ldap-address:
>
> ###
>
> 2016-06-07 15:20:43,940 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
> (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that the
> login name , password and path are correct.
> 2016-06-07 15:20:43,946 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://
> auth02.intern.eu:389 using user kries at INTERN.EU due to Kerberos error.
> Please check log for further details.. We should not try the next server
> 2016-06-07 15:20:43,951 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
> (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain
> intern.eu. Ldap Query Type is getUserByName
> 2016-06-07 15:20:43,954 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
> (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further
> details.
> 2016-06-07 15:20:43,957 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
> (ajp--127.0.0.1-8702-3) Failed to run command LdapAuthenticateUserCommand.
> Domain is intern.eu. User is kries.
> 2016-06-07 15:20:43,961 INFO
> [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-3)
> Cant login user "kries" with authentication profile "intern.eu" because
> the authentication failed.
> 2016-06-07 15:20:43,968 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom
> Event ID: -1, Message: User kries at intern.eu failed to log in.
> 2016-06-07 15:20:43,971 WARN
> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
> (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for
> user kries at intern.eu. Reasons: USER_FAILED_TO_AUTHENTICATE
>
> ###
>
> I'm still not able to login to oVirt via IPA2
>
> krb5kdc and dirsrv-acces Log don't show anything new.
>
> ________________________________________
> Von: Ondra Machacek <omachace at redhat.com>
> Gesendet: Montag, 6. Juni 2016 14:31
> An: Kilian Ries; users at ovirt.org
> Betreff: Re: AW: [ovirt-users] free-IPA Multi-Master Authentication Problem
>
> It looks fine, thanks.
> Looking at the oVirt log I see IPA server FQDN:
>
> auth02.intern.customer-virt.eu.intern.customer-virt.eu
>
> Looking at krb realm, I guess this should be -
> auth02.intern.customer-virt.eu
>
> Do you use SRV records or did you pass --ldap-servers to manage-domains?
> If SRV, then you maybe misconfigured DNS, if --ldap-servers, you should
> edit configuration with proper FQDN.
>
> On 06/06/2016 11:00 AM, Kilian Ries wrote:
> > Hello,
> >
> > here is the krb5kdc log from IPA2:
> >
> >
> > ###
> > Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info):
> AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH:
> kries at INTERN.CUSTOMER-VIRT.EU for krbtgt/
> INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU, Additional
> pre-authentication required
> > Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info):
> closing down fd 12
> > Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info):
> AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967102, etypes
> {rep=23 tkt=18 ses=23}, kries at INTERN.CUSTOMER-VIRT.EU for krbtgt/
> INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU
> > Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info):
> closing down fd 12
> > Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info):
> AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH:
> kries at INTERN.CUSTOMER-VIRT.EU for krbtgt/
> INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU, Additional
> pre-authentication required
> > Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info):
> closing down fd 12
> > Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info):
> AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes
> {rep=23 tkt=18 ses=23}, kries at INTERN.CUSTOMER-VIRT.EU for krbtgt/
> INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU
> > Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info):
> closing down fd 12
> > Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info):
> AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH:
> kries at INTERN.CUSTOMER-VIRT.EU for krbtgt/
> INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU, Additional
> pre-authentication required
> > Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info):
> closing down fd 12
> > Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info):
> AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes
> {rep=23 tkt=18 ses=23}, kries at INTERN.CUSTOMER-VIRT.EU for krbtgt/
> INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU
> > Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info):
> closing down fd 12
> > Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info):
> TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.210.45: ISSUE: authtime
> 1464967120, etypes {rep=23 tkt=18 ses=18}, kries at INTERN.CUSTOMER-VIRT.EU
> for ldap/auth02.intern.customer-virt.eu at INTERN.CUSTOMER-VIRT.EU
> > Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info):
> closing down fd 12
> > ###
> >
> > Thanks for the hint with the LDAP-Provider, i'm trying to migrate as
> soon as possible.
> >
> > Greets
> > Kilian
> >
> > ________________________________________
> > Von: Ondra Machacek <omachace at redhat.com>
> > Gesendet: Montag, 6. Juni 2016 09:48
> > An: Kilian Ries; users at ovirt.org
> > Betreff: Re: [ovirt-users] free-IPA Multi-Master Authentication Problem
> >
> > On 06/03/2016 05:44 PM, Kilian Ries wrote:
> >> Hi,
> >>
> >>
> >> i have two free-IPA directories setup in multi-master replication. Both
> >> are running on CentOS 7.2 with latest Software installed. Replication
> >> between both IPAs is setup correctly and i am able to authenticate
> >> against each of the two manually.
> >>
> >>
> >> However, if i shutdown IPA1 and try to authenticate from oVirt 3.5.6.2
> >> against IPA2 i can't login. Login is only working if IPA1 is
> >> running (keep in mind that manual authentication against IPA2 is
> working).
> >>
> >>
> >> In the dirSRV Error-Logfile nothing is logged, however i can see the
> >> authentication in the access log from IPA2:
> >>
> >>
> >>
> >> ###
> >>
> >>
> >>
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/
> INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/
> INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU)))"
> >> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
> >> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> >> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> >> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> >> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
> >> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
> >> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
> >> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
> >>
> >> [03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101
> >> nentries=1 etime=0
> >>
> >> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH
> >> base="cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU
> ,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
> >> scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife
> >> krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure
> >> krbPwdFailureCountInterval krbPwdLockoutDuration"
> >>
> >> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101
> >> nentries=1 etime=0
> >>
> >> [03/Jun/2016:17:18:39 +0200] conn=5 op=760 SRCH
> >> base="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
> >> scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn
> >> gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference
> >> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> >> krbPrincipalType krbLastPwdChange krbPrincipalAliases
> >> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
> >> krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier
> >> ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory
> >> ipaNTHomeDirectoryDrive"
> >>
> >> [03/Jun/2016:17:18:39 +0200] conn=5 op=760 RESULT err=0 tag=101
> >> nentries=1 etime=0
> >>
> >> [03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD
> >> dn="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
> >>
> >> [03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103
> >> nentries=0 etime=0 csn=5751a1820001000d0000
> >>
> >> [03/Jun/2016:17:18:39 +0200] conn=95 fd=109 slot=109 connection from
> >> 192.168.210.45 to 192.168.210.181
> >>
> >> [03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH
> >> base="dc=intern,dc=customer-virt,dc=eu" scope=2
> >>
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/
> INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/
> INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU)))"
> >> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
> >> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> >> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> >> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> >> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
> >> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
> >> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
> >> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
> >>
> >> [03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101
> >> nentries=1 etime=0
> >>
> >> [03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH
> >> base="dc=intern,dc=customer-virt,dc=eu" scope=2
> >>
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/
> auth02.intern.customer-virt.eu at INTERN.CUSTOMER-VIRT.EU
> )(krbPrincipalName=ldap/
> auth02.intern.customer-virt.eu at INTERN.CUSTOMER-VIRT.EU)))"
> >> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
> >> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> >> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> >> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> >> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
> >> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
> >> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
> >> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
> >>
> >> [03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101
> >> nentries=1 etime=0
> >>
> >> [03/Jun/2016:17:18:39 +0200] conn=6 op=939 SRCH
> >> base="cn=INTERN.CUSTOMER-VIRT.EU
> ,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
> >> scope=0 filter="(objectClass=krbticketpolicyaux)"
> >> attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
> >>
> >> [03/Jun/2016:17:18:39 +0200] conn=6 op=939 RESULT err=0 tag=101
> >> nentries=1 etime=0
> >>
> >> [03/Jun/2016:17:18:39 +0200] conn=6 op=940 SRCH
> >> base="dc=intern,dc=customer-virt,dc=eu" scope=2
> >>
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=
> kries at INTERN.CUSTOMER-VIRT.EU))"
> >> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
> >> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> >> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> >> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> >> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
> >> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
> >> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
> >> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
> >>
> >> [03/Jun/2016:17:18:39 +0200] conn=6 op=940 RESULT err=0 tag=101
> >> nentries=1 etime=0
> >>
> >> [03/Jun/2016:17:18:39 +0200] conn=6 op=941 SRCH
> >> base="cn=INTERN.CUSTOMER-VIRT.EU
> ,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
> >> scope=0 filter="(objectClass=krbticketpolicyaux)"
> >> attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
> >>
> >> [03/Jun/2016:17:18:39 +0200] conn=6 op=941 RESULT err=0 tag=101
> >> nentries=1 etime=0
> >>
> >>
> >> ###
> >>
> >>
> >>
> >> In the oVirt Engine log i can see the following:
> >>
> >>
> >> ###
> >>
> >>
> >> 2016-06-03 17:18:40,402 ERROR
> >>
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
> >> (ajp--127.0.0.1-8702-3) Error in communicating with LDAP server
> >> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested
> >> exception is javax.naming.CommunicationException:
> >> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root
> >> exception is java.net.UnknownHostException:
> >> auth02.intern.customer-virt.eu.intern.customer-virt.eu]
> >>
> >> 2016-06-03 17:18:40,416 ERROR
> >> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> >> (ajp--127.0.0.1-8702-3) Failed ldap search server
> >> ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using
> >> user kries at INTERN.CUSTOMER-VIRT.EU due to
> >> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested
> >> exception is javax.naming.CommunicationException:
> >> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root
> >> exception is java.net.UnknownHostException:
> >> auth02.intern.customer-virt.eu.intern.customer-virt.eu]. We should try
> >> the next server
> >>
> >> 2016-06-03 17:18:41,675 ERROR
> >>
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LDAPTemplateWrapper]
> >> (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter
> >> is
> >> (&(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=kries)).
> >> Exception message is: null
> >>
> >> 2016-06-03 17:18:41,681 ERROR
> >>
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
> >> (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that
> >> the login name , password and path are correct.
> >>
> >> 2016-06-03 17:18:41,690 ERROR
> >> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> >> (ajp--127.0.0.1-8702-3) Failed ldap search server
> >> ldap://auth02.intern.customer-virt.eu:389 using user
> >> kries at INTERN.CUSTOMER-VIRT.EU due to Kerberos error. Please check log
> >> for further details.. We should not try the next server
> >>
> >> 2016-06-03 17:18:41,698 ERROR
> >>
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
> >> (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain
> >> intern.customer-virt.eu. Ldap Query Type is getUserByName
> >>
> >> 2016-06-03 17:18:41,703 ERROR
> >>
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
> >> (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further
> >> details.
> >>
> >> 2016-06-03 17:18:41,706 ERROR
> >>
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
> >> (ajp--127.0.0.1-8702-3) Failed to run command
> >> LdapAuthenticateUserCommand. Domain is intern.customer-virt.eu. User is
> >> kries.
> >>
> >> 2016-06-03 17:18:41,712 INFO
> >> [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
> >> (ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication
> >> profile "intern.customer-virt.eu" because the authentication failed.
> >>
> >> 2016-06-03 17:18:41,719 ERROR
> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> >> (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom
> >> Event ID: -1, Message: User kries at intern.customer-virt.eu failed to
> log in.
> >>
> >> 2016-06-03 17:18:41,723 WARN
> >> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
> >> (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for
> >> user kries at intern.customer-virt.eu. Reasons:
> USER_FAILED_TO_AUTHENTICATE
> >>
> >>
> >> ###
> >>
> >>
> >> Any thoughts why i can't authenticate via oVirt against IPA2?
> >
> > Can you please also share if there is some error in /var/log/krb5kdc.log
> > in IPA2?
> >
> > Anyway, please migrate to new ovirt-engine-extensions-aaa-ldap, read
> > this[1] for more information.
> >
> > [1] http://lists.ovirt.org/pipermail/users/2015-August/034008.html
> >
> >>
> >>
> >> Thanks
> >>
> >> Greets
> >>
> >> Kilian
> >>
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users at ovirt.org
> >> http://lists.ovirt.org/mailman/listinfo/users
> >>
> >
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20160615/12b95d16/attachment-0001.html>
More information about the Users
mailing list