Hello, here is the krb5kdc log from IPA2:

###
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kr...@intern.customer-virt.eu for krbtgt/intern.customer-virt...@intern.customer-virt.eu, Additional pre-authentication required
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967102, etypes {rep=23 tkt=18 ses=23}, kr...@intern.customer-virt.eu for krbtgt/intern.customer-virt...@intern.customer-virt.eu
Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kr...@intern.customer-virt.eu for krbtgt/intern.customer-virt...@intern.customer-virt.eu, Additional pre-authentication required
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23}, kr...@intern.customer-virt.eu for krbtgt/intern.customer-virt...@intern.customer-virt.eu
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH: kr...@intern.customer-virt.eu for krbtgt/intern.customer-virt...@intern.customer-virt.eu, Additional pre-authentication required
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23}, kr...@intern.customer-virt.eu for krbtgt/intern.customer-virt...@intern.customer-virt.eu
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing down fd 12
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=18}, kr...@intern.customer-virt.eu for ldap/auth02.intern.customer-virt...@intern.customer-virt.eu
Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
###

Thanks for the hint with the LDAP provider, I'm trying to migrate as soon as possible.

Greets
Kilian

________________________________________
From: Ondra Machacek <omach...@redhat.com>
Sent: Monday, 6 June 2016 09:48
To: Kilian Ries; users@ovirt.org
Subject: Re: [ovirt-users] free-IPA Multi-Master Authentication Problem

On 06/03/2016 05:44 PM, Kilian Ries wrote:
> Hi,
>
> I have two free-IPA directories set up in multi-master replication. Both
> are running on CentOS 7.2 with the latest software installed. Replication
> between both IPAs is set up correctly and I am able to authenticate
> against each of the two manually.
>
> However, if I shut down IPA1 and try to authenticate from oVirt 3.5.6.2
> against IPA2 I can't log in. Login is only working if IPA1 is
> running (keep in mind that manual authentication against IPA2 is working).
>
> In the dirSRV error logfile nothing is logged; however, I can see the
> authentication in the access log from IPA2:
>
> ###
>
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/intern.customer-virt...@intern.customer-virt.eu)(krbPrincipalName=krbtgt/intern.customer-virt...@intern.customer-virt.eu)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101 nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH base="cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101 nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=760 SRCH base="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=760 RESULT err=0 tag=101 nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD dn="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
>
> [03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103 nentries=0 etime=0 csn=5751a1820001000d0000
>
> [03/Jun/2016:17:18:39 +0200] conn=95 fd=109 slot=109 connection from 192.168.210.45 to 192.168.210.181
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/intern.customer-virt...@intern.customer-virt.eu)(krbPrincipalName=krbtgt/intern.customer-virt...@intern.customer-virt.eu)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101 nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/auth02.intern.customer-virt...@intern.customer-virt.eu)(krbPrincipalName=ldap/auth02.intern.customer-virt...@intern.customer-virt.eu)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101 nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=939 SRCH base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=939 RESULT err=0 tag=101 nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=940 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=kr...@intern.customer-virt.eu))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=940 RESULT err=0 tag=101 nentries=1 etime=0
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=941 SRCH base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>
> [03/Jun/2016:17:18:39 +0200] conn=6 op=941 RESULT err=0 tag=101 nentries=1 etime=0
>
> ###
>
> In the oVirt Engine log I can see the following:
>
> ###
>
> 2016-06-03 17:18:40,402 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Error in communicating with LDAP server auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu]
>
> 2016-06-03 17:18:40,416 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using user kr...@intern.customer-virt.eu due to auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu]. We should try the next server
>
> 2016-06-03 17:18:41,675 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter is (&(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=kries)). Exception message is: null
>
> 2016-06-03 17:18:41,681 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that the login name , password and path are correct.
>
> 2016-06-03 17:18:41,690 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu:389 using user kr...@intern.customer-virt.eu due to Kerberos error. Please check log for further details.. We should not try the next server
>
> 2016-06-03 17:18:41,698 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain intern.customer-virt.eu. Ldap Query Type is getUserByName
>
> 2016-06-03 17:18:41,703 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further details.
>
> 2016-06-03 17:18:41,706 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-3) Failed to run command LdapAuthenticateUserCommand. Domain is intern.customer-virt.eu. User is kries.
>
> 2016-06-03 17:18:41,712 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication profile "intern.customer-virt.eu" because the authentication failed.
>
> 2016-06-03 17:18:41,719 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User kr...@intern.customer-virt.eu failed to log in.
>
> 2016-06-03 17:18:41,723 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user kr...@intern.customer-virt.eu. Reasons: USER_FAILED_TO_AUTHENTICATE
>
> ###
>
> Any thoughts on why I can't authenticate via oVirt against IPA2?

Can you please also share if there is some error in /var/log/krb5kdc.log on IPA2?

Anyway, please migrate to the new ovirt-engine-extensions-aaa-ldap; read this [1] for more information.

[1] http://lists.ovirt.org/pipermail/users/2015-August/034008.html

> Thanks
>
> Greets
>
> Kilian
>
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
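To read the three logs in this thread together, here is a small added parser (my own example, not code from the thread, from oVirt or from FreeIPA). It correlates the KDC's view (did IPA2 issue the TGT and the ldap/ service ticket, and with which encryption types?) with the engine's view (which LDAP server names failed to resolve, and whether any of them carries the domain suffix twice, as auth02.intern.customer-virt.eu.intern.customer-virt.eu does in the engine log above). The sample lines are constructed with a made-up realm EXAMPLE.TEST, KDC ipa2.example.test, client 192.0.2.10 and user user1 in place of the redacted values; the message formats follow the krb5kdc.log and engine.log excerpts quoted above.

```python
import re

# Kerberos encryption-type numbers (RFC 3961 / RFC 4757 registry values).
ETYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
# Deprecated by RFC 6649 (DES) and RFC 8429 (3DES, RC4); a client offering only these is worth a look.
LEGACY = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac"}

KDC_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
ISSUE_RE = re.compile(
    r"authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)$"
)
OTHER_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^,\s]+)")
ENGINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+) "
    r"\[(?P<logger>[^\]]+)\] \([^)]*\) (?P<msg>.*)$"
)
# Host names the engine actually tried to contact: "LDAP server host:port" or "ldap://host:port".
HOST_RE = re.compile(r"(?:ldap://|LDAP server )(?P<host>[A-Za-z0-9.-]+):\d+")

def etype_name(num):
    return ETYPES.get(int(num), f"etype-{num}")

def parse_kdc_line(line):
    """One krb5kdc.log request line -> dict, or None for lines like 'closing down fd 12'."""
    m = KDC_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["offered"] = [etype_name(n) for n in ev["offered"].split()]
    detail = (ISSUE_RE if ev["status"] == "ISSUE" else OTHER_RE).search(ev["rest"])
    if detail:
        ev.update(detail.groupdict())
        for key in ("rep", "tkt", "ses"):  # only present on ISSUE lines
            if key in ev:
                ev[key] = etype_name(ev[key])
    return ev

def parse_engine_line(line):
    """One engine.log line -> dict with the LDAP host names it mentions, or None."""
    m = ENGINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["logger"] = ev["logger"].rsplit(".", 1)[-1]
    ev["hosts"] = sorted(set(HOST_RE.findall(ev["msg"])))
    ev["unknown_host"] = "UnknownHostException" in ev["msg"]
    return ev

def has_doubled_domain(host, domain):
    """True when the host name ends in the domain twice, e.g. ipa2.example.test.example.test."""
    labels = host.lower().rstrip(".").split(".")
    d = domain.lower().strip(".").split(".")
    n = len(d)
    return len(labels) >= 2 * n and labels[-n:] == d and labels[-2 * n:-n] == d

def summarize(kdc_text, engine_text, domain):
    """Correlate the KDC view (which tickets were issued) with the engine view (what failed)."""
    kdc = [e for e in map(parse_kdc_line, kdc_text.splitlines()) if e]
    eng = [e for e in map(parse_engine_line, engine_text.splitlines()) if e]
    issued = [e for e in kdc if e["status"] == "ISSUE"]
    return {
        "kdc_requests": len(kdc),
        "tgt_issued": any(e["kind"] == "AS_REQ" for e in issued),
        "service_tickets": sorted({e["server"] for e in issued if e["kind"] == "TGS_REQ"}),
        "session_keys": sorted({e["ses"] for e in issued}),
        "legacy_only_requests": sum(1 for e in kdc if set(e["offered"]) <= LEGACY),
        "engine_errors": sum(1 for e in eng if e["level"] == "ERROR"),
        "unresolvable_hosts": sorted({h for e in eng if e["unknown_host"] for h in e["hosts"]}),
        "doubled_domain_hosts": sorted({h for e in eng for h in e["hosts"] if has_doubled_domain(h, domain)}),
    }

# Constructed sample lines (made-up realm EXAMPLE.TEST, KDC ipa2.example.test, client 192.0.2.10).
KDC_LOG = """\
Jun 03 17:18:40 ipa2.example.test krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.0.2.10: NEEDED_PREAUTH: user1@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jun 03 17:18:40 ipa2.example.test krb5kdc[1283](info): closing down fd 12
Jun 03 17:18:40 ipa2.example.test krb5kdc[1284](info): AS_REQ (1 etypes {23}) 192.0.2.10: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23}, user1@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Jun 03 17:18:40 ipa2.example.test krb5kdc[1283](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.0.2.10: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=18}, user1@EXAMPLE.TEST for ldap/ipa2.example.test@EXAMPLE.TEST
"""
ENGINE_LOG = """\
2016-06-03 17:18:40,402 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Error in communicating with LDAP server ipa2.example.test.example.test:389; nested exception is javax.naming.CommunicationException: ipa2.example.test.example.test:389 [Root exception is java.net.UnknownHostException: ipa2.example.test.example.test]
2016-06-03 17:18:40,416 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://ipa2.example.test.example.test:389 using user user1@EXAMPLE.TEST due to java.net.UnknownHostException: ipa2.example.test.example.test. We should try the next server
2016-06-03 17:18:41,690 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://ipa2.example.test:389 using user user1@EXAMPLE.TEST due to Kerberos error. Please check log for further details.. We should not try the next server
2016-06-03 17:18:41,712 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-3) Cant login user "user1" with authentication profile "example.test" because the authentication failed.
"""

if __name__ == "__main__":
    for key, value in summarize(KDC_LOG, ENGINE_LOG, "example.test").items():
        print(f"{key}: {value}")
```

On the sample data the summary reports that the KDC issued both the TGT and the ldap/ipa2.example.test service ticket, that the AS_REQ offered only rc4-hmac, and that the one host name the engine could not resolve is the one with the doubled domain suffix; the same split between "Kerberos succeeded on the KDC" and "the engine's first LDAP target did not resolve" is what the logs quoted above show for auth02.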