Hi,

I have two FreeIPA directories set up in multi-master replication. Both are 
running on CentOS 7.2 with the latest software installed. Replication between both 
IPAs is set up correctly and I am able to authenticate against each of the two 
manually.


However, if I shut down IPA1 and try to authenticate from oVirt 3.5.6.2 against 
IPA2, I can't log in. Login only works if IPA1 is running (keep in mind that 
manual authentication against IPA2 is working).


Nothing is logged in the dirsrv error log; however, I can see the 
authentication in the access log of IPA2:



###

filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/[email protected])(krbPrincipalName=krbtgt/[email protected])))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH base="cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=5 op=760 SRCH base="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[03/Jun/2016:17:18:39 +0200] conn=5 op=760 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD dn="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
[03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103 nentries=0 etime=0 csn=5751a1820001000d0000
[03/Jun/2016:17:18:39 +0200] conn=95 fd=109 slot=109 connection from 192.168.210.45 to 192.168.210.181
[03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/[email protected])(krbPrincipalName=krbtgt/[email protected])))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/[email protected])(krbPrincipalName=ldap/[email protected])))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=939 SRCH base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[03/Jun/2016:17:18:39 +0200] conn=6 op=939 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=940 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))([email protected]))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[03/Jun/2016:17:18:39 +0200] conn=6 op=940 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=941 SRCH base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[03/Jun/2016:17:18:39 +0200] conn=6 op=941 RESULT err=0 tag=101 nentries=1 etime=0

###



In the oVirt Engine log i can see the following:


###

2016-06-03 17:18:40,402 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Error in communicating with LDAP server auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu]
2016-06-03 17:18:40,416 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using user [email protected] due to auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu]. We should try the next server
2016-06-03 17:18:41,675 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter is (&(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=kries)). Exception message is: null
2016-06-03 17:18:41,681 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that the login name , password and path are correct.
2016-06-03 17:18:41,690 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu:389 using user [email protected] due to Kerberos error. Please check log for further details.. We should not try the next server
2016-06-03 17:18:41,698 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain intern.customer-virt.eu. Ldap Query Type is getUserByName
2016-06-03 17:18:41,703 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further details.
2016-06-03 17:18:41,706 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-3) Failed to run command LdapAuthenticateUserCommand. Domain is intern.customer-virt.eu. User is kries.
2016-06-03 17:18:41,712 INFO  [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication profile "intern.customer-virt.eu" because the authentication failed.
2016-06-03 17:18:41,719 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User [email protected] failed to log in.
2016-06-03 17:18:41,723 WARN  [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user [email protected]. Reasons: USER_FAILED_TO_AUTHENTICATE

###


Any thoughts on why I can't authenticate via oVirt against IPA2?


Thanks

Greets

Kilian


_______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users
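Added example (not part of Kilian's post, and not oVirt or FreeIPA code): a small script that puts the two logs quoted above side by side. It pairs every 389-ds access-log operation with its RESULT so you can see whether the directory itself returned an error, and it extracts each "Failed ldap search server" attempt from the oVirt engine.log with its cause. The engine excerpt above shows two attempts on the same thread: the first against a name whose domain suffix appears twice (auth02.intern.customer-virt.eu.intern.customer-virt.eu, which fails with UnknownHostException and makes the engine move to the next server), the second against the plain name, which fails with a Kerberos error and stops the search. The script flags exactly that doubled-suffix pattern. The line formats follow the two logs as quoted; all sample lines, the realm INTERN.EXAMPLE.EU, the host names and the user jdoe are constructed for the example.

```python
"""Correlate a 389-ds access log with an oVirt engine.log for one login attempt.

Added example, not oVirt or FreeIPA code. Sample lines and names are constructed.
"""
import re
from typing import Dict, List, Optional

# 389-ds access log: one line per operation; the RESULT line carries the outcome.
DS_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) "
                     r"(?P<kind>SRCH|MOD|BIND|RESULT)(?P<rest>.*)$")
DS_RESULT = re.compile(r"err=(?P<err>\d+) tag=\d+ nentries=(?P<n>\d+)")
DS_DN = re.compile(r'(?:base|dn)="(?P<dn>[^"]*)"')
DS_FILTER = re.compile(r'filter="(?P<f>[^"]*)"')
PRINCIPAL = re.compile(r"krbPrincipalName=([^)]+)\)")

# oVirt engine.log: DirectorySearcher reports every LDAP server it tried.
ENGINE_LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\] "
                         r"\((?P<thread>[^)]+)\) (?P<msg>.*)$")
ATTEMPT = re.compile(r"Failed ldap search server ldap://(?P<host>[^:/]+):(?P<port>\d+) "
                     r"using user (?P<user>\S+) due to (?P<reason>.*?) "
                     r"We should (?P<next>not try|try) the next server")
UNKNOWN_HOST = re.compile(r"UnknownHostException: (?P<host>[^\]\s]+)")

# Constructed sample lines (hypothetical realm INTERN.EXAMPLE.EU, user jdoe).
SAMPLE_DS_ACCESS = """\
[03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD dn="uid=jdoe,cn=users,cn=accounts,dc=intern,dc=example,dc=eu"
[03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103 nentries=0 etime=0 csn=5751a1820001000d0000
[03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH base="dc=intern,dc=example,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/INTERN.EXAMPLE.EU@INTERN.EXAMPLE.EU)(krbPrincipalName=krbtgt/INTERN.EXAMPLE.EU@INTERN.EXAMPLE.EU)))" attrs="krbPrincipalName krbPrincipalKey"
[03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH base="dc=intern,dc=example,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(|(ipaKrbPrincipalAlias=ldap/auth02.intern.example.eu@INTERN.EXAMPLE.EU)(krbPrincipalName=ldap/auth02.intern.example.eu@INTERN.EXAMPLE.EU)))" attrs="krbPrincipalName krbPrincipalKey"
[03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101 nentries=1 etime=0
"""
SAMPLE_ENGINE_LOG = """\
2016-06-03 17:18:40,416 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.example.eu.intern.example.eu:389 using user jdoe@INTERN.EXAMPLE.EU due to auth02.intern.example.eu.intern.example.eu:389; nested exception is javax.naming.CommunicationException: auth02.intern.example.eu.intern.example.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.example.eu.intern.example.eu]. We should try the next server
2016-06-03 17:18:41,675 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter is (&(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=jdoe)). Exception message is: null
2016-06-03 17:18:41,690 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.example.eu:389 using user jdoe@INTERN.EXAMPLE.EU due to Kerberos error. Please check log for further details.. We should not try the next server
"""


def parse_ds_access(text: str) -> List[Dict[str, object]]:
    """Pair every SRCH/MOD/BIND with the RESULT of the same conn/op."""
    ops: Dict[tuple, Dict[str, object]] = {}
    order: List[tuple] = []
    for line in text.splitlines():
        m = DS_LINE.match(line.strip())
        if not m:
            continue  # connection/fd lines and anything else are skipped
        key = (int(m["conn"]), int(m["op"]))
        if m["kind"] == "RESULT":
            r = DS_RESULT.search(m["rest"])
            if key in ops and r:
                ops[key].update(err=int(r["err"]), nentries=int(r["n"]))
            continue
        dn, flt = DS_DN.search(m["rest"]), DS_FILTER.search(m["rest"])
        ops[key] = {"conn": key[0], "op": key[1], "kind": m["kind"],
                    "dn": dn["dn"] if dn else None,
                    "filter": flt["f"] if flt else None,
                    "err": None, "nentries": None}
        order.append(key)
    return [ops[k] for k in order]


def doubled_suffix(host: str) -> Optional[str]:
    """Return the DNS suffix that is repeated at the end of host, else None.

    'auth02.intern.example.eu.intern.example.eu' -> 'intern.example.eu'.
    Such a name usually means a domain was appended to a name that already
    carried it (an assumption about the cause, not a finding from the post).
    """
    labels = host.rstrip(".").lower().split(".")
    for k in range(len(labels) // 2, 0, -1):
        if labels[-k:] == labels[-2 * k:-k]:
            return ".".join(labels[-k:])
    return None


def parse_engine_attempts(text: str) -> List[Dict[str, object]]:
    """Extract each 'Failed ldap search server' attempt together with its cause."""
    out: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ENGINE_LINE.match(line.strip())
        a = ATTEMPT.search(m["msg"]) if m else None
        if not a:
            continue
        if UNKNOWN_HOST.search(a["reason"]):
            cause = "dns"        # the name could not be resolved at all
        elif "Kerberos error" in a["reason"]:
            cause = "kerberos"   # engine reports a Kerberos error, not a connectivity one
        else:
            cause = "other"
        out.append({"thread": m["thread"], "host": a["host"], "port": int(a["port"]),
                    "user": a["user"], "cause": cause,
                    "doubled_suffix": doubled_suffix(a["host"]),
                    "tried_next": a["next"] == "try"})
    return out


def summarize(ds_text: str, engine_text: str) -> Dict[str, object]:
    """Put the directory side and the engine side of one login next to each other."""
    ds_ops = parse_ds_access(ds_text)
    attempts = parse_engine_attempts(engine_text)
    principals = {p for o in ds_ops if o["filter"] for p in PRINCIPAL.findall(str(o["filter"]))}
    return {
        "ds_failed_ops": [o for o in ds_ops if o["err"] not in (None, 0)],
        "ds_principals_looked_up": sorted(principals),
        "unresolvable_hosts": [a["host"] for a in attempts if a["cause"] == "dns"],
        "doubled_suffixes": sorted({str(a["doubled_suffix"]) for a in attempts if a["doubled_suffix"]}),
        "final_cause": attempts[-1]["cause"] if attempts else None,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_DS_ACCESS, SAMPLE_ENGINE_LOG), indent=2))
```

Run it against a real pair of logs by reading the files into `summarize()`. An empty `ds_failed_ops` list next to a non-empty `unresolvable_hosts` list tells you the directory answered every operation and the failure is on the engine's side of the conversation (name resolution or Kerberos), which is where to look next.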
