Re: [ovirt-users] free-IPA Multi-Master Authentication Problem

2016-06-15 Thread Donny Davis
How did you set up the authentication? Did you use AAA or
engine-manage-domains?

Do you *have* to use kerberos, or can you just use ldap?

If you have no requirement to use kerberos, then I would just use simple
AAA ldap.

How are you load balancing the IPA servers?  Does failover work for other
things, i.e. client machines connected to the IPA realm?

On Tue, Jun 7, 2016 at 9:49 AM, Kilian Ries  wrote:

> Indeed there was a faulty record for IPA2 - I corrected that. Now the
> engine log shows the correct LDAP address:
>
> ###
>
> 2016-06-07 15:20:43,940 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
> (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that the
> login name , password and path are correct.
> 2016-06-07 15:20:43,946 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://
> auth02.intern.eu:389 using user kr...@intern.eu due to Kerberos error.
> Please check log for further details.. We should not try the next server
> 2016-06-07 15:20:43,951 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
> (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain
> intern.eu. Ldap Query Type is getUserByName
> 2016-06-07 15:20:43,954 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
> (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further
> details.
> 2016-06-07 15:20:43,957 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
> (ajp--127.0.0.1-8702-3) Failed to run command LdapAuthenticateUserCommand.
> Domain is intern.eu. User is kries.
> 2016-06-07 15:20:43,961 INFO
> [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-3)
> Cant login user "kries" with authentication profile "intern.eu" because
> the authentication failed.
> 2016-06-07 15:20:43,968 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom
> Event ID: -1, Message: User kr...@intern.eu failed to log in.
> 2016-06-07 15:20:43,971 WARN
> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
> (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for
> user kr...@intern.eu. Reasons: USER_FAILED_TO_AUTHENTICATE
>
> ###
>
> I'm still not able to login to oVirt via IPA2
>
> krb5kdc and dirsrv-access logs don't show anything new.
>
> ________________
> From: Ondra Machacek 
> Sent: Monday, 6 June 2016 14:31
> To: Kilian Ries; users@ovirt.org
> Subject: Re: AW: [ovirt-users] free-IPA Multi-Master Authentication Problem
>
> It looks fine, thanks.
> Looking at the oVirt log I see IPA server FQDN:
>
>   auth02.intern.customer-virt.eu.intern.customer-virt.eu
>
> Looking at krb realm, I guess this should be -
> auth02.intern.customer-virt.eu
>
> Do you use SRV records or did you pass --ldap-servers to manage-domains?
> If SRV, then maybe you misconfigured DNS; if --ldap-servers, you should
> edit the configuration with the proper FQDN.
>
> On 06/06/2016 11:00 AM, Kilian Ries wrote:
> > Hello,
> >
> > here is the krb5kdc log from IPA2:
> >
> >
> > ###
> > Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info):
> AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH:
> kr...@intern.customer-virt.eu for krbtgt/
> intern.customer-virt...@intern.customer-virt.eu, Additional
> pre-authentication required
> > Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info):
> closing down fd 12
> > Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info):
> AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967102, etypes
> {rep=23 tkt=18 ses=23}, kr...@intern.customer-virt.eu for krbtgt/
> intern.customer-virt...@intern.customer-virt.eu
> > Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info):
> closing down fd 12
> > Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info):
> AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH:
> kr...@intern.customer-virt.eu for krbtgt/
> intern.customer-virt...@intern.customer-virt.eu, Additional
> pre-authentication required
> > Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info):
> closing down fd 12
> > Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info):
> AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes
> {rep=23 tkt=18 ses=23}, kr...@intern.customer-virt.eu for krbtgt/
> intern.customer-virt...@intern.customer-virt.eu
> > Jun 03 
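
Donny's question above ("Does fail over work?") can be answered from the engine log Kilian posted: the DirectorySearcher line names the one server that was contacted, the failure class, and the sentence "We should not try the next server", which records that the engine stopped rather than moving on to a second IPA server. The following is an added example, not code from the thread or from oVirt, that parses engine.log lines of that shape and produces a per-request summary. The sample lines are constructed, modelled on the excerpt in the thread, with a made-up user `user01@intern.eu`; the log-line layout, the regular expressions and the `diagnose`/`verdict` helpers are my assumptions.

```python
"""Summarise an oVirt engine.log login attempt: servers tried, reason per
server, whether failover was suppressed, and the final result code.

Constructed sample lines, modelled on the engine.log excerpt in the thread
(user name replaced by a placeholder).
"""
import re
from collections import defaultdict

SAMPLE_ENGINE_LOG = """\
2016-06-07 15:20:43,940 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that the login name , password and path are correct.
2016-06-07 15:20:43,946 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.eu:389 using user user01@intern.eu due to Kerberos error. Please check log for further details.. We should not try the next server
2016-06-07 15:20:43,951 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Failed authenticating user: user01 to domain intern.eu. Ldap Query Type is getUserByName
2016-06-07 15:20:43,971 WARN  [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user user01@intern.eu. Reasons: USER_FAILED_TO_AUTHENTICATE
"""

# "<timestamp> <LEVEL> [<logger>] (<thread>) <message>" -- assumed layout
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
# DirectorySearcher failure line: which server, which user, which error class
SEARCH_FAIL_RE = re.compile(
    r"Failed ldap search server (?P<url>ldap://\S+) using user (?P<user>\S+) "
    r"due to (?P<reason>.+?)\. Please check log"
)
NO_FAILOVER = "We should not try the next server"
RESULT_RE = re.compile(r"Reasons: (?P<codes>[A-Z_,]+)")


def parse(lines):
    """Yield one dict per well-formed engine.log line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def diagnose(lines):
    """Group lines by request thread and collect, per thread, the servers
    tried with their failure reason, whether the engine refused to fail
    over, and the final login result code."""
    per_thread = defaultdict(
        lambda: {"servers": [], "failover_suppressed": False, "result": None}
    )
    for rec in parse(lines):
        entry = per_thread[rec["thread"]]
        m = SEARCH_FAIL_RE.search(rec["msg"])
        if m:
            entry["servers"].append(
                {"url": m["url"], "user": m["user"],
                 "reason": m["reason"], "at": rec["ts"]}
            )
            if NO_FAILOVER in rec["msg"]:
                entry["failover_suppressed"] = True
        m = RESULT_RE.search(rec["msg"])
        if m:
            entry["result"] = m["codes"]
    return dict(per_thread)


def verdict(summary):
    """Turn one thread's summary into a short statement a responder can act on."""
    if not summary["servers"]:
        return "no LDAP server contact logged"
    tried = ", ".join(s["url"] for s in summary["servers"])
    if summary["failover_suppressed"] and len(summary["servers"]) == 1:
        reason = summary["servers"][0]["reason"]
        return (f"only {tried} was tried; the engine treated '{reason}' as "
                "terminal and did not move to the next server")
    return f"tried {tried}; failover continued"


if __name__ == "__main__":
    for thread, summary in diagnose(SAMPLE_ENGINE_LOG.splitlines()).items():
        print(thread, "->", verdict(summary), "| result:", summary["result"])
```

On the posted excerpt this yields "only ldap://auth02.intern.eu:389 was tried; the engine treated 'Kerberos error' as terminal". That is the useful distinction for the failover question: a Kerberos-level error on the server that was reached is not the same as the server being unreachable, so adding or balancing servers does not help until Kerberos against that one server succeeds.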

Re: [ovirt-users] free-IPA Multi-Master Authentication Problem

2016-06-07 Thread Kilian Ries
Indeed there was a faulty record for IPA2 - I corrected that. Now the 
engine log shows the correct LDAP address:

###

2016-06-07 15:20:43,940 ERROR 
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler]
 (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that the 
login name , password and path are correct. 
2016-06-07 15:20:43,946 ERROR 
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] 
(ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.eu:389 
using user kr...@intern.eu due to Kerberos error. Please check log for further 
details.. We should not try the next server
2016-06-07 15:20:43,951 ERROR 
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
 (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain intern.eu. 
Ldap Query Type is getUserByName
2016-06-07 15:20:43,954 ERROR 
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand]
 (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further details.
2016-06-07 15:20:43,957 ERROR 
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] 
(ajp--127.0.0.1-8702-3) Failed to run command LdapAuthenticateUserCommand. 
Domain is intern.eu. User is kries.
2016-06-07 15:20:43,961 INFO  [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] 
(ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication profile 
"intern.eu" because the authentication failed.
2016-06-07 15:20:43,968 ERROR 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] 
(ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom Event 
ID: -1, Message: User kr...@intern.eu failed to log in.
2016-06-07 15:20:43,971 WARN  
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) 
CanDoAction of action LoginAdminUser failed for user kr...@intern.eu. Reasons: 
USER_FAILED_TO_AUTHENTICATE

###

I'm still not able to login to oVirt via IPA2

krb5kdc and dirsrv-access logs don't show anything new.


From: Ondra Machacek 
Sent: Monday, 6 June 2016 14:31
To: Kilian Ries; users@ovirt.org
Subject: Re: AW: [ovirt-users] free-IPA Multi-Master Authentication Problem

It looks fine, thanks.
Looking at the oVirt log I see IPA server FQDN:

  auth02.intern.customer-virt.eu.intern.customer-virt.eu

Looking at krb realm, I guess this should be -
auth02.intern.customer-virt.eu

Do you use SRV records or did you pass --ldap-servers to manage-domains?
If SRV, then maybe you misconfigured DNS; if --ldap-servers, you should
edit the configuration with the proper FQDN.

On 06/06/2016 11:00 AM, Kilian Ries wrote:
> Hello,
>
> here is the krb5kdc log from IPA2:
>
>
> ###
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 
> etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kr...@intern.customer-virt.eu 
> for krbtgt/intern.customer-virt...@intern.customer-virt.eu, Additional 
> pre-authentication required
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing 
> down fd 12
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 
> etypes {23}) 192.168.210.45: ISSUE: authtime 1464967102, etypes {rep=23 
> tkt=18 ses=23}, kr...@intern.customer-virt.eu for 
> krbtgt/intern.customer-virt...@intern.customer-virt.eu
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing 
> down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 
> etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kr...@intern.customer-virt.eu 
> for krbtgt/intern.customer-virt...@intern.customer-virt.eu, Additional 
> pre-authentication required
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing 
> down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 
> etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 
> tkt=18 ses=23}, kr...@intern.customer-virt.eu for 
> krbtgt/intern.customer-virt...@intern.customer-virt.eu
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing 
> down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 
> etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kr...@intern.customer-virt.eu 
> for krbtgt/intern.customer-virt...@intern.customer-virt.eu, Additional 
> pre-authentication required
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing 
> down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 
> etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 
> tkt=18 ses=23}, kr...@intern.customer-virt.eu for 
> krbtgt/intern.customer-virt...@intern.customer-virt.eu
> Jun 03 17:18:4

Re: [ovirt-users] free-IPA Multi-Master Authentication Problem

2016-06-06 Thread Ondra Machacek

It looks fine, thanks.
Looking at the oVirt log I see IPA server FQDN:

 auth02.intern.customer-virt.eu.intern.customer-virt.eu

Looking at krb realm, I guess this should be - 
auth02.intern.customer-virt.eu


Do you use SRV records or did you pass --ldap-servers to manage-domains?
If SRV, then maybe you misconfigured DNS; if --ldap-servers, you should 
edit the configuration with the proper FQDN.


On 06/06/2016 11:00 AM, Kilian Ries wrote:

Hello,

here is the krb5kdc log from IPA2:


###
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 
etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kr...@intern.customer-virt.eu for 
krbtgt/intern.customer-virt...@intern.customer-virt.eu, Additional 
pre-authentication required
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing 
down fd 12
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 
etypes {23}) 192.168.210.45: ISSUE: authtime 1464967102, etypes {rep=23 tkt=18 
ses=23}, kr...@intern.customer-virt.eu for 
krbtgt/intern.customer-virt...@intern.customer-virt.eu
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing 
down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 
etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kr...@intern.customer-virt.eu for 
krbtgt/intern.customer-virt...@intern.customer-virt.eu, Additional 
pre-authentication required
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing 
down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 
etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 
ses=23}, kr...@intern.customer-virt.eu for 
krbtgt/intern.customer-virt...@intern.customer-virt.eu
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing 
down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 
etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kr...@intern.customer-virt.eu for 
krbtgt/intern.customer-virt...@intern.customer-virt.eu, Additional 
pre-authentication required
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing 
down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 
etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 
ses=23}, kr...@intern.customer-virt.eu for 
krbtgt/intern.customer-virt...@intern.customer-virt.eu
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing 
down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): TGS_REQ (6 
etypes {18 17 16 23 1 3}) 192.168.210.45: ISSUE: authtime 1464967120, etypes 
{rep=23 tkt=18 ses=18}, kr...@intern.customer-virt.eu for 
ldap/auth02.intern.customer-virt...@intern.customer-virt.eu
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing 
down fd 12
###

Thanks for the hint with the LDAP provider, I'm trying to migrate as soon as 
possible.

Greets
Kilian


From: Ondra Machacek 
Sent: Monday, 6 June 2016 09:48
To: Kilian Ries; users@ovirt.org
Subject: Re: [ovirt-users] free-IPA Multi-Master Authentication Problem

On 06/03/2016 05:44 PM, Kilian Ries wrote:

Hi,


I have two free-IPA directories set up in multi-master replication. Both
are running on CentOS 7.2 with the latest software installed. Replication
between both IPAs is set up correctly and I am able to authenticate
against each of the two manually.


However, if I shut down IPA1 and try to authenticate from oVirt 3.5.6.2
against IPA2 I can't log in. Login is only working if IPA1 is
running (keep in mind that manual authentication against IPA2 is working).


In the dirsrv error logfile nothing is logged; however, I can see the
authentication in the access log from IPA2:



###


filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/intern.customer-virt...@intern.customer-virt.eu)(krbPrincipalName=krbtgt/intern.customer-virt...@intern.customer-virt.eu)))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"

[03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101
nentries=1 etime=0

[03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH
base="cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife
krbPwdMinDif
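
Ondra's point above is that the engine log names the server as `auth02.intern.customer-virt.eu.intern.customer-virt.eu`, the domain suffix appended twice, and asks whether the server list comes from SRV records or from `--ldap-servers`. One common way such a doubled name arises on the SRV path is a zone-file target written without its trailing dot, which zone-file semantics treat as relative to `$ORIGIN`. Kilian later reports having fixed "a faulty record", which is consistent with that but does not say which kind of record it was, so treat the cause as a hypothesis. The following is an added example, not code from the thread or from FreeIPA/oVirt, that applies zone-file qualification to constructed SRV lines and flags targets that end up with the suffix doubled; the same suffix check applies to a name passed via `--ldap-servers`. The zone lines, the origin and the helper names are my assumptions.

```python
"""Flag SRV targets (and configured server names) that carry the domain
suffix twice, as in auth02.intern.customer-virt.eu.intern.customer-virt.eu.

Constructed sample zone lines, modelled on a FreeIPA DNS zone: the auth01
targets are absolute (trailing dot), the auth02 targets are relative.
"""
import re

ZONE_ORIGIN = "intern.customer-virt.eu."   # assumed $ORIGIN of the zone

SAMPLE_ZONE = """\
_ldap._tcp      IN SRV 0 100 389 auth01.intern.customer-virt.eu.
_ldap._tcp      IN SRV 0 100 389 auth02.intern.customer-virt.eu
_kerberos._tcp  IN SRV 0 100 88  auth01.intern.customer-virt.eu.
_kerberos._tcp  IN SRV 0 100 88  auth02.intern.customer-virt.eu
"""

# owner [ttl] [IN] SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


def qualify(name, origin):
    """Zone-file rule: a name without a trailing dot is relative to $ORIGIN,
    so the origin is appended; an absolute name is returned unchanged."""
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def has_doubled_suffix(fqdn, domain):
    """True if the last labels of fqdn are the domain repeated twice."""
    labels = fqdn.rstrip(".").lower().split(".")
    dom = domain.rstrip(".").lower().split(".")
    n = len(dom)
    return (len(labels) >= 2 * n
            and labels[-n:] == dom
            and labels[-2 * n:-n] == dom)


def check_zone(zone_text, origin):
    """Parse SRV records, fully qualify owner and target, and report per
    record whether the qualified target carries the zone suffix twice."""
    findings = []
    for line in zone_text.splitlines():
        m = SRV_RE.match(line)
        if not m:
            continue
        target = qualify(m["target"], origin)
        findings.append({
            "owner": qualify(m["owner"], origin),
            "port": int(m["port"]),
            "target": target,
            "doubled": has_doubled_suffix(target, origin),
        })
    return findings


def bad_targets(zone_text, origin):
    """Just the offending qualified targets, for a quick report."""
    return [f["target"] for f in check_zone(zone_text, origin) if f["doubled"]]


if __name__ == "__main__":
    for f in check_zone(SAMPLE_ZONE, ZONE_ORIGIN):
        flag = "DOUBLED SUFFIX" if f["doubled"] else "ok"
        print(f"{f['owner']:35} port {f['port']:<4} -> {f['target']}  [{flag}]")
```

Run against the sample zone, the two auth02 records come back as `auth02.intern.customer-virt.eu.intern.customer-virt.eu.`, the exact shape Ondra spotted in the engine log, while the auth01 records pass. Checking the qualified names rather than the raw text is the point: the record looks right when read, and only the resolver's view reveals the defect.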

Re: [ovirt-users] free-IPA Multi-Master Authentication Problem

2016-06-06 Thread Kilian Ries
Hello,

here is the krb5kdc log from IPA2:


###
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 
etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kr...@intern.customer-virt.eu for 
krbtgt/intern.customer-virt...@intern.customer-virt.eu, Additional 
pre-authentication required
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing 
down fd 12
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 
etypes {23}) 192.168.210.45: ISSUE: authtime 1464967102, etypes {rep=23 tkt=18 
ses=23}, kr...@intern.customer-virt.eu for 
krbtgt/intern.customer-virt...@intern.customer-virt.eu
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing 
down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 
etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kr...@intern.customer-virt.eu for 
krbtgt/intern.customer-virt...@intern.customer-virt.eu, Additional 
pre-authentication required
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing 
down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 
etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 
ses=23}, kr...@intern.customer-virt.eu for 
krbtgt/intern.customer-virt...@intern.customer-virt.eu
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing 
down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 
etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kr...@intern.customer-virt.eu for 
krbtgt/intern.customer-virt...@intern.customer-virt.eu, Additional 
pre-authentication required
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing 
down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 
etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 
ses=23}, kr...@intern.customer-virt.eu for 
krbtgt/intern.customer-virt...@intern.customer-virt.eu
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing 
down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): TGS_REQ (6 
etypes {18 17 16 23 1 3}) 192.168.210.45: ISSUE: authtime 1464967120, etypes 
{rep=23 tkt=18 ses=18}, kr...@intern.customer-virt.eu for 
ldap/auth02.intern.customer-virt...@intern.customer-virt.eu
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing 
down fd 12
###

Thanks for the hint with the LDAP provider, I'm trying to migrate as soon as 
possible.

Greets
Kilian


From: Ondra Machacek 
Sent: Monday, 6 June 2016 09:48
To: Kilian Ries; users@ovirt.org
Subject: Re: [ovirt-users] free-IPA Multi-Master Authentication Problem

On 06/03/2016 05:44 PM, Kilian Ries wrote:
> Hi,
>
>
> I have two free-IPA directories set up in multi-master replication. Both
> are running on CentOS 7.2 with the latest software installed. Replication
> between both IPAs is set up correctly and I am able to authenticate
> against each of the two manually.
>
>
> However, if I shut down IPA1 and try to authenticate from oVirt 3.5.6.2
> against IPA2 I can't log in. Login is only working if IPA1 is
> running (keep in mind that manual authentication against IPA2 is working).
>
>
> In the dirsrv error logfile nothing is logged; however, I can see the
> authentication in the access log from IPA2:
>
>
>
> ###
>
>
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/intern.customer-virt...@intern.customer-virt.eu)(krbPrincipalName=krbtgt/intern.customer-virt...@intern.customer-virt.eu)))"
> attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101
> nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH
> base="cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
> scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife
> krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure
> krbPwdFailureCountInterval krbPwdLockoutDuration"
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101
> nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn

Re: [ovirt-users] free-IPA Multi-Master Authentication Problem

2016-06-06 Thread Ondra Machacek

On 06/03/2016 05:44 PM, Kilian Ries wrote:

Hi,


I have two free-IPA directories set up in multi-master replication. Both
are running on CentOS 7.2 with the latest software installed. Replication
between both IPAs is set up correctly and I am able to authenticate
against each of the two manually.


However, if I shut down IPA1 and try to authenticate from oVirt 3.5.6.2
against IPA2 I can't log in. Login is only working if IPA1 is
running (keep in mind that manual authentication against IPA2 is working).


In the dirsrv error logfile nothing is logged; however, I can see the
authentication in the access log from IPA2:



###


filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/intern.customer-virt...@intern.customer-virt.eu)(krbPrincipalName=krbtgt/intern.customer-virt...@intern.customer-virt.eu)))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"

[03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101
nentries=1 etime=0

[03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH
base="cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife
krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure
krbPwdFailureCountInterval krbPwdLockoutDuration"

[03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101
nentries=1 etime=0

[03/Jun/2016:17:18:39 +0200] conn=5 op=760 SRCH
base="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn
gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier
ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory
ipaNTHomeDirectoryDrive"

[03/Jun/2016:17:18:39 +0200] conn=5 op=760 RESULT err=0 tag=101
nentries=1 etime=0

[03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD
dn="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"

[03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103
nentries=0 etime=0 csn=5751a1820001000d

[03/Jun/2016:17:18:39 +0200] conn=95 fd=109 slot=109 connection from
192.168.210.45 to 192.168.210.181

[03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH
base="dc=intern,dc=customer-virt,dc=eu" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/intern.customer-virt...@intern.customer-virt.eu)(krbPrincipalName=krbtgt/intern.customer-virt...@intern.customer-virt.eu)))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"

[03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101
nentries=1 etime=0

[03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH
base="dc=intern,dc=customer-virt,dc=eu" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/auth02.intern.customer-virt...@intern.customer-virt.eu)(krbPrincipalName=ldap/auth02.intern.customer-virt...@intern.customer-virt.eu)))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias
krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"

[03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101
nentries=1 etime=0

[03/Jun/2016:17:18:39 +0200] conn=6 op=939 SRCH
base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
scope=0 filter="(objectClass=krbticketpolicyaux)"
attrs="krbMaxTicketLife krbMaxRene

[ovirt-users] free-IPA Multi-Master Authentication Problem

2016-06-03 Thread Kilian Ries
Hi,


I have two free-IPA directories set up in multi-master replication. Both are 
running on CentOS 7.2 with the latest software installed. Replication between both 
IPAs is set up correctly and I am able to authenticate against each of the two 
manually.


However, if I shut down IPA1 and try to authenticate from oVirt 3.5.6.2 against 
IPA2 I can't log in. Login is only working if IPA1 is running (keep in mind that 
manual authentication against IPA2 is working).


In the dirsrv error logfile nothing is logged; however, I can see the 
authentication in the access log from IPA2:



###


filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/intern.customer-virt...@intern.customer-virt.eu)(krbPrincipalName=krbtgt/intern.customer-virt...@intern.customer-virt.eu)))"
 attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled 
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"

[03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101 nentries=1 
etime=0

[03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH 
base="cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu"
 scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife 
krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure 
krbPwdFailureCountInterval krbPwdLockoutDuration"

[03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101 nentries=1 
etime=0

[03/Jun/2016:17:18:39 +0200] conn=5 op=760 SRCH 
base="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu" scope=0 
filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber 
krbPrincipalName krbCanonicalName krbTicketPolicyReference 
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference 
krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth 
krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags 
ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory 
ipaNTHomeDirectoryDrive"

[03/Jun/2016:17:18:39 +0200] conn=5 op=760 RESULT err=0 tag=101 nentries=1 
etime=0

[03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD 
dn="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"

[03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103 nentries=0 
etime=0 csn=5751a1820001000d

[03/Jun/2016:17:18:39 +0200] conn=95 fd=109 slot=109 connection from 
192.168.210.45 to 192.168.210.181

[03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH 
base="dc=intern,dc=customer-virt,dc=eu" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/intern.customer-virt...@intern.customer-virt.eu)(krbPrincipalName=krbtgt/intern.customer-virt...@intern.customer-virt.eu)))"
 attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled 
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"

[03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101 nentries=1 
etime=0

[03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH 
base="dc=intern,dc=customer-virt,dc=eu" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/auth02.intern.customer-virt...@intern.customer-virt.eu)(krbPrincipalName=ldap/auth02.intern.customer-virt...@intern.customer-virt.eu)))"
 attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled 
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"

[03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101 nentries=1 
etime=0

[03/Jun/2016:17:18:39 +0200] conn=6 op=939 SRCH 
base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" 
scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife