[ovirt-users] free-IPA Multi-Master Authentication Problem

Ondra Machacek omachace at redhat.com
Mon Jun 6 12:31:51 UTC 2016


It looks fine, thanks.
Looking at the oVirt log I see IPA server FQDN:

  auth02.intern.customer-virt.eu.intern.customer-virt.eu

Looking at the krb realm, I guess this should be:
auth02.intern.customer-virt.eu

Do you use SRV records or did you pass --ldap-servers to manage-domains?
If SRV, then you may have misconfigured DNS; if --ldap-servers, you should
edit the configuration with the proper FQDN.

On 06/06/2016 11:00 AM, Kilian Ries wrote:
> Hello,
>
> here is the krb5kdc log from IPA2:
>
>
> ###
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kries at INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU, Additional pre-authentication required
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967102, etypes {rep=23 tkt=18 ses=23}, kries at INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kries at INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU, Additional pre-authentication required
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23}, kries at INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kries at INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU, Additional pre-authentication required
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23}, kries at INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=18}, kries at INTERN.CUSTOMER-VIRT.EU for ldap/auth02.intern.customer-virt.eu at INTERN.CUSTOMER-VIRT.EU
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
> ###
>
> Thanks for the hint with the LDAP provider, I'm trying to migrate as soon as possible.
>
> Greets
> Kilian
>
> ________________________________________
> From: Ondra Machacek <omachace at redhat.com>
> Sent: Monday, 6 June 2016 09:48
> To: Kilian Ries; users at ovirt.org
> Subject: Re: [ovirt-users] free-IPA Multi-Master Authentication Problem
>
> On 06/03/2016 05:44 PM, Kilian Ries wrote:
>> Hi,
>>
>>
>> I have two free-IPA directories set up in multi-master replication. Both
>> are running on CentOS 7.2 with the latest software installed. Replication
>> between both IPAs is set up correctly and I am able to authenticate
>> against each of the two manually.
>>
>>
>> However, if I shut down IPA1 and try to authenticate from oVirt 3.5.6.2
>> against IPA2 I can't log in. Login only works if IPA1 is
>> running (keep in mind that manual authentication against IPA2 is working).
>>
>>
>> In the dirSRV error logfile nothing is logged, however I can see the
>> authentication in the access log from IPA2:
>>
>>
>>
>> ###
>>
>>
>> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU)))"
>> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
>> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
>> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
>> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH
>> base="cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
>> scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife
>> krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure
>> krbPwdFailureCountInterval krbPwdLockoutDuration"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=760 SRCH
>> base="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
>> scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn
>> gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>> krbPrincipalType krbLastPwdChange krbPrincipalAliases
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
>> krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier
>> ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory
>> ipaNTHomeDirectoryDrive"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=760 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD
>> dn="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103
>> nentries=0 etime=0 csn=5751a1820001000d0000
>>
>> [03/Jun/2016:17:18:39 +0200] conn=95 fd=109 slot=109 connection from
>> 192.168.210.45 to 192.168.210.181
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH
>> base="dc=intern,dc=customer-virt,dc=eu" scope=2
>> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=krbtgt/INTERN.CUSTOMER-VIRT.EU at INTERN.CUSTOMER-VIRT.EU)))"
>> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
>> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
>> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
>> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH
>> base="dc=intern,dc=customer-virt,dc=eu" scope=2
>> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/auth02.intern.customer-virt.eu at INTERN.CUSTOMER-VIRT.EU)(krbPrincipalName=ldap/auth02.intern.customer-virt.eu at INTERN.CUSTOMER-VIRT.EU)))"
>> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
>> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
>> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
>> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=939 SRCH
>> base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
>> scope=0 filter="(objectClass=krbticketpolicyaux)"
>> attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=939 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=940 SRCH
>> base="dc=intern,dc=customer-virt,dc=eu" scope=2
>> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kries at INTERN.CUSTOMER-VIRT.EU))"
>> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
>> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
>> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
>> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=940 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=941 SRCH
>> base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
>> scope=0 filter="(objectClass=krbticketpolicyaux)"
>> attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>>
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=941 RESULT err=0 tag=101
>> nentries=1 etime=0
>>
>>
>> ###
>>
>>
>>
>> In the oVirt Engine log I can see the following:
>>
>>
>> ###
>>
>>
>> 2016-06-03 17:18:40,402 ERROR
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
>> (ajp--127.0.0.1-8702-3) Error in communicating with LDAP server
>> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested
>> exception is javax.naming.CommunicationException:
>> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root
>> exception is java.net.UnknownHostException:
>> auth02.intern.customer-virt.eu.intern.customer-virt.eu]
>>
>> 2016-06-03 17:18:40,416 ERROR
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
>> (ajp--127.0.0.1-8702-3) Failed ldap search server
>> ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using
>> user kries at INTERN.CUSTOMER-VIRT.EU due to
>> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested
>> exception is javax.naming.CommunicationException:
>> auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root
>> exception is java.net.UnknownHostException:
>> auth02.intern.customer-virt.eu.intern.customer-virt.eu]. We should try
>> the next server
>>
>> 2016-06-03 17:18:41,675 ERROR
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LDAPTemplateWrapper]
>> (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter
>> is
>> (&(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=kries)).
>> Exception message is: null
>>
>> 2016-06-03 17:18:41,681 ERROR
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
>> (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that
>> the login name , password and path are correct.
>>
>> 2016-06-03 17:18:41,690 ERROR
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
>> (ajp--127.0.0.1-8702-3) Failed ldap search server
>> ldap://auth02.intern.customer-virt.eu:389 using user
>> kries at INTERN.CUSTOMER-VIRT.EU due to Kerberos error. Please check log
>> for further details.. We should not try the next server
>>
>> 2016-06-03 17:18:41,698 ERROR
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
>> (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain
>> intern.customer-virt.eu. Ldap Query Type is getUserByName
>>
>> 2016-06-03 17:18:41,703 ERROR
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
>> (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further
>> details.
>>
>> 2016-06-03 17:18:41,706 ERROR
>> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
>> (ajp--127.0.0.1-8702-3) Failed to run command
>> LdapAuthenticateUserCommand. Domain is intern.customer-virt.eu. User is
>> kries.
>>
>> 2016-06-03 17:18:41,712 INFO
>>  [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
>> (ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication
>> profile "intern.customer-virt.eu" because the authentication failed.
>>
>> 2016-06-03 17:18:41,719 ERROR
>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom
>> Event ID: -1, Message: User kries at intern.customer-virt.eu failed to log in.
>>
>> 2016-06-03 17:18:41,723 WARN
>>  [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
>> (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for
>> user kries at intern.customer-virt.eu. Reasons: USER_FAILED_TO_AUTHENTICATE
>>
>>
>> ###
>>
>>
>> Any thoughts why I can't authenticate via oVirt against IPA2?
>
> Can you please also share if there is some error in /var/log/krb5kdc.log
> in IPA2?
>
> Anyway, please migrate to new ovirt-engine-extensions-aaa-ldap, read
> this[1] for more information.
>
> [1] http://lists.ovirt.org/pipermail/users/2015-August/034008.html
>
>>
>>
>> Thanks
>>
>> Greets
>>
>> Kilian
>
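The diagnosis at the top of this thread (the engine trying to reach `auth02.intern.customer-virt.eu.intern.customer-virt.eu`, a hostname with the DNS domain appended twice, while the KDC on auth02 issued the `ldap/auth02...` service ticket without complaint) can be checked mechanically rather than by eye. The following Python is an added example, not code from the thread, from oVirt or from FreeIPA: it scans engine.log lines for `UnknownHostException` hosts and proposes the de-duplicated FQDN, validates an explicit server list (the `--ldap-servers` case) against the realm's DNS domain, and confirms from krb5kdc.log which principals the KDC actually issued. The realm and domain are taken from the thread; the sample log lines are constructed from the quoted excerpts, and all function names are assumptions.

```python
import re

# Values taken from the thread; everything else below is an assumption for illustration.
REALM = "INTERN.CUSTOMER-VIRT.EU"
DOMAIN = REALM.lower()  # DNS domain that Kerberos hosts in this realm live under

# Constructed sample lines modelled on the engine.log excerpt quoted in the thread
# (mailing-list "at" obfuscation undone, one record per line).
ENGINE_LOG = """\
2016-06-03 17:18:40,402 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Error in communicating with LDAP server auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu]
2016-06-03 17:18:41,690 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu:389 using user kries@INTERN.CUSTOMER-VIRT.EU due to Kerberos error. Please check log for further details.. We should not try the next server
"""

# Constructed sample lines modelled on the krb5kdc.log excerpt quoted in the thread.
KDC_LOG = """\
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kries@INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU, Additional pre-authentication required
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23}, kries@INTERN.CUSTOMER-VIRT.EU for krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=18}, kries@INTERN.CUSTOMER-VIRT.EU for ldap/auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU
"""

UNKNOWN_HOST = re.compile(r"java\.net\.UnknownHostException: ([A-Za-z0-9.-]+)")
KDC_ISSUE = re.compile(r"(AS_REQ|TGS_REQ) .*?: ISSUE: .* for (\S+)\s*$")


def strip_doubled_domain(host, domain=DOMAIN):
    """Return host with one trailing copy of the domain removed if it appears twice
    (a.d.tld.d.tld -> a.d.tld); otherwise return host unchanged."""
    doubled = "." + domain + "." + domain
    if host.lower().endswith(doubled):
        return host[: -len("." + domain)]
    return host


def unresolvable_hosts(log_text):
    """Map every host named in an UnknownHostException to the FQDN it most likely should be."""
    findings = {}
    for line in log_text.splitlines():
        m = UNKNOWN_HOST.search(line)
        if m:
            findings[m.group(1)] = strip_doubled_domain(m.group(1))
    return findings


def check_server_list(servers, domain=DOMAIN):
    """Validate explicit LDAP server entries (the --ldap-servers case): each should be
    exactly one FQDN under the realm's DNS domain. Returns (entry, problem) pairs."""
    problems = []
    for s in servers:
        fixed = strip_doubled_domain(s, domain)
        if fixed != s:
            problems.append((s, "domain appended twice; use " + fixed))
        elif not s.lower().endswith("." + domain):
            problems.append((s, "not a FQDN under " + domain))
    return problems


def kdc_issued(log_text):
    """Collect the principals for which the KDC logged an ISSUE, keyed by request type.
    A TGS_REQ ISSUE for ldap/<host> shows the Kerberos side succeeded for that host,
    so a later failure against that host is on the LDAP/DNS side, not the KDC."""
    issued = {"AS_REQ": set(), "TGS_REQ": set()}
    for line in log_text.splitlines():
        m = KDC_ISSUE.search(line)
        if m:
            issued[m.group(1)].add(m.group(2))
    return issued


if __name__ == "__main__":
    for bad, good in unresolvable_hosts(ENGINE_LOG).items():
        print("engine could not resolve %s -> probably meant %s" % (bad, good))
    for entry, why in check_server_list(["auth01.intern.customer-virt.eu",
                                         "auth02.intern.customer-virt.eu.intern.customer-virt.eu"]):
        print("bad server entry %s: %s" % (entry, why))
    print("KDC issued service tickets for:", sorted(kdc_issued(KDC_LOG)["TGS_REQ"]))
```

For the SRV-record case Ondra mentions, the equivalent manual check from the engine host is `dig SRV _ldap._tcp.intern.customer-virt.eu`, which should list both IPA masters with names that resolve as written; if the engine configuration instead carries explicit server entries, run `check_server_list` over them and fix any entry it flags.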