Indeed there was a faulty record for the IPA2 - I corrected that. Now the engine log shows the correct LDAP address:

###
2016-06-07 15:20:43,940 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that the login name , password and path are correct.
2016-06-07 15:20:43,946 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.eu:389 using user [email protected] due to Kerberos error. Please check log for further details.. We should not try the next server
2016-06-07 15:20:43,951 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain intern.eu. Ldap Query Type is getUserByName
2016-06-07 15:20:43,954 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further details.
2016-06-07 15:20:43,957 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-3) Failed to run command LdapAuthenticateUserCommand. Domain is intern.eu. User is kries.
2016-06-07 15:20:43,961 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication profile "intern.eu" because the authentication failed.
2016-06-07 15:20:43,968 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User [email protected] failed to log in.
2016-06-07 15:20:43,971 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user [email protected]. Reasons: USER_FAILED_TO_AUTHENTICATE
###

I'm still not able to log in to oVirt via IPA2. The krb5kdc and dirsrv access logs don't show anything new.
________________________________________
From: Ondra Machacek <[email protected]>
Sent: Monday, 6 June 2016 14:31
To: Kilian Ries; [email protected]
Subject: Re: AW: [ovirt-users] free-IPA Multi-Master Authentication Problem

It looks fine, thanks.

Looking at the oVirt log I see IPA server FQDN:
auth02.intern.customer-virt.eu.intern.customer-virt.eu

Looking at the krb realm, I guess this should be:
auth02.intern.customer-virt.eu

Do you use SRV records or did you pass --ldap-servers to manage-domains?
If SRV, then you maybe misconfigured DNS; if --ldap-servers, you should edit the configuration with the proper FQDN.

On 06/06/2016 11:00 AM, Kilian Ries wrote:
> Hello,
>
> here is the krb5kdc log from IPA2:
>
> ###
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967102, etypes {rep=23 tkt=18 ses=23}, [email protected] for krbtgt/[email protected]
> Jun 03 17:18:22 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23}, [email protected] for krbtgt/[email protected]
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.168.210.45: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=23}, [email protected] for krbtgt/[email protected]
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): closing down fd 12
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.210.45: ISSUE: authtime 1464967120, etypes {rep=23 tkt=18 ses=18}, [email protected] for ldap/[email protected]
> Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): closing down fd 12
> ###
>
> Thanks for the hint with the LDAP provider, I'm trying to migrate as soon as possible.
>
> Greets
> Kilian
>
> ________________________________________
> From: Ondra Machacek <[email protected]>
> Sent: Monday, 6 June 2016 09:48
> To: Kilian Ries; [email protected]
> Subject: Re: [ovirt-users] free-IPA Multi-Master Authentication Problem
>
> On 06/03/2016 05:44 PM, Kilian Ries wrote:
>> Hi,
>>
>> I have two free-IPA directories set up in multi-master replication. Both are running on CentOS 7.2 with the latest software installed. Replication between both IPAs is set up correctly and I am able to authenticate against each of the two manually.
>>
>> However, if I shut down IPA1 and try to authenticate from oVirt 3.5.6.2 against IPA2 I can't log in. Login is only working if IPA1 is running (keep in mind that manual authentication against IPA2 is working).
>>
>> In the dirsrv error log nothing is logged, however I can see the authentication in the access log from IPA2:
>>
>> ###
>> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/[email protected])(krbPrincipalName=krbtgt/[email protected])))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=758 RESULT err=0 tag=101 nentries=1 etime=0
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 SRCH base="cn=global_policy,cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=759 RESULT err=0 tag=101 nentries=1 etime=0
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=760 SRCH base="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=760 RESULT err=0 tag=101 nentries=1 etime=0
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=761 MOD dn="uid=kries,cn=users,cn=accounts,dc=intern,dc=customer-virt,dc=eu"
>> [03/Jun/2016:17:18:39 +0200] conn=5 op=761 RESULT err=0 tag=103 nentries=0 etime=0 csn=5751a1820001000d0000
>> [03/Jun/2016:17:18:39 +0200] conn=95 fd=109 slot=109 connection from 192.168.210.45 to 192.168.210.181
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=937 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/[email protected])(krbPrincipalName=krbtgt/[email protected])))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=937 RESULT err=0 tag=101 nentries=1 etime=0
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=938 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/[email protected])(krbPrincipalName=ldap/[email protected])))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=938 RESULT err=0 tag=101 nentries=1 etime=0
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=939 SRCH base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=939 RESULT err=0 tag=101 nentries=1 etime=0
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=940 SRCH base="dc=intern,dc=customer-virt,dc=eu" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))([email protected]))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=940 RESULT err=0 tag=101 nentries=1 etime=0
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=941 SRCH base="cn=INTERN.CUSTOMER-VIRT.EU,cn=kerberos,dc=intern,dc=customer-virt,dc=eu" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
>> [03/Jun/2016:17:18:39 +0200] conn=6 op=941 RESULT err=0 tag=101 nentries=1 etime=0
>> ###
>>
>> In the oVirt engine log I can see the following:
>>
>> ###
>> 2016-06-03 17:18:40,402 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Error in communicating with LDAP server auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu]
>> 2016-06-03 17:18:40,416 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 using user [email protected] due to auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu]. We should try the next server
>> 2016-06-03 17:18:41,675 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LDAPTemplateWrapper] (ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is , filter is (&(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=kries)). Exception message is: null
>> 2016-06-03 17:18:41,681 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapSearchExceptionHandler] (ajp--127.0.0.1-8702-3) Ldap authentication failed. Please check that the login name , password and path are correct.
>> 2016-06-03 17:18:41,690 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu:389 using user [email protected] due to Kerberos error. Please check log for further details.. We should not try the next server
>> 2016-06-03 17:18:41,698 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Failed authenticating user: kries to domain intern.customer-virt.eu. Ldap Query Type is getUserByName
>> 2016-06-03 17:18:41,703 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-3) Kerberos error. Please check log for further details.
>> 2016-06-03 17:18:41,706 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-3) Failed to run command LdapAuthenticateUserCommand. Domain is intern.customer-virt.eu. User is kries.
>> 2016-06-03 17:18:41,712 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-3) Cant login user "kries" with authentication profile "intern.customer-virt.eu" because the authentication failed.
>> 2016-06-03 17:18:41,719 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-3) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User [email protected] failed to log in.
>> 2016-06-03 17:18:41,723 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user [email protected]. Reasons: USER_FAILED_TO_AUTHENTICATE
>> ###
>>
>> Any thoughts why I can't authenticate via oVirt against IPA2?
>
> Can you please also share if there is some error in /var/log/krb5kdc.log in IPA2?
>
> Anyway, please migrate to the new ovirt-engine-extensions-aaa-ldap, read this[1] for more information.
>
> [1] http://lists.ovirt.org/pipermail/users/2015-August/034008.html
>
>> Thanks
>>
>> Greets
>>
>> Kilian
>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> http://lists.ovirt.org/mailman/listinfo/users
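The triage the thread does by hand, as an added example that is not part of this thread or of oVirt: a Python script that parses the two log shapes quoted above (the engine's kerberosldap "Failed ldap search server ..." lines and the KDC's AS_REQ/TGS_REQ lines), flags an LDAP server name with a doubled domain suffix like the one Ondra spotted, and checks whether the KDC actually issued a TGT and an ldap/<host> service ticket for the login principal. The sample log lines are constructed from the thread with the obfuscated principals replaced by the assumed names kries@INTERN.CUSTOMER-VIRT.EU and ldap/auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU; what the engine does on failure is taken only from the wording of its own log lines.

```python
"""Triage for oVirt 3.x kerberosldap failover problems (added example; not
from the thread or from oVirt). Parses the engine.log and krb5kdc.log line
shapes quoted in the thread and reports, per LDAP server the engine tried,
what failed and whether the KDC issued a TGT and an ldap/<host> ticket for
the login user. Sample lines are constructed; principal names are assumed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# engine.log: ... Failed ldap search server ldap://HOST:PORT using user USER
#             due to REASON. We should [not] try the next server
ENGINE_FAIL_RE = re.compile(
    r"Failed ldap search server ldap://(?P<host>[^:/\s]+):(?P<port>\d+) using user "
    r"(?P<user>\S+) due to (?P<reason>.*?)\.? We should (?P<stop>not )?try the next server"
)
# krb5kdc.log: ... krb5kdc[PID](info): AS_REQ (N etypes {..}) IP: STATUS:
#              [authtime T, etypes {..}, ]CLIENT for SERVER[, text]
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>[^\s,]+)"
)

ASSUMED_USER = "kries@INTERN.CUSTOMER-VIRT.EU"  # assumed principal behind the obfuscated log
SAMPLE_ENGINE_LOG = [  # constructed from the 2016-06-03 engine.log excerpt
    "2016-06-03 17:18:40,416 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] "
    "(ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 "
    f"using user {ASSUMED_USER} due to auth02.intern.customer-virt.eu.intern.customer-virt.eu:389; nested exception is "
    "javax.naming.CommunicationException: auth02.intern.customer-virt.eu.intern.customer-virt.eu:389 [Root exception is "
    "java.net.UnknownHostException: auth02.intern.customer-virt.eu.intern.customer-virt.eu]. We should try the next server",
    "2016-06-03 17:18:41,690 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] "
    f"(ajp--127.0.0.1-8702-3) Failed ldap search server ldap://auth02.intern.customer-virt.eu:389 using user {ASSUMED_USER} "
    "due to Kerberos error. Please check log for further details.. We should not try the next server",
]
SAMPLE_KDC_LOG = [  # constructed from the krb5kdc.log excerpt on IPA2
    "Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): AS_REQ (1 etypes {23}) 192.168.210.45: "
    f"NEEDED_PREAUTH: {ASSUMED_USER} for krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU, Additional pre-authentication required",
    "Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1284](info): AS_REQ (1 etypes {23}) 192.168.210.45: ISSUE: "
    f"authtime 1464967120, etypes {{rep=23 tkt=18 ses=23}}, {ASSUMED_USER} for krbtgt/INTERN.CUSTOMER-VIRT.EU@INTERN.CUSTOMER-VIRT.EU",
    "Jun 03 17:18:40 auth02.intern.customer-virt.eu krb5kdc[1283](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.210.45: ISSUE: "
    f"authtime 1464967120, etypes {{rep=23 tkt=18 ses=18}}, {ASSUMED_USER} for ldap/auth02.intern.customer-virt.eu@INTERN.CUSTOMER-VIRT.EU",
]


@dataclass
class ServerAttempt:
    host: str
    port: int
    user: str
    category: str                  # "dns", "kerberos" or "other"
    failover: bool                 # engine said it would try the next server
    doubled_suffix: Optional[str]  # e.g. "intern.customer-virt.eu" when appended twice


def has_doubled_suffix(host: str) -> Optional[str]:
    """Domain suffix repeated twice at the end of host (the --ldap-servers /
    search-domain slip seen in the thread), or None when the name is clean."""
    labels = host.rstrip(".").lower().split(".")
    for k in range(1, len(labels) // 2 + 1):
        if labels[-k:] == labels[-2 * k:-k]:
            return ".".join(labels[-k:])
    return None


def classify(reason: str) -> str:
    if "UnknownHostException" in reason:
        return "dns"          # name resolution / configuration, before any auth
    if "Kerberos error" in reason:
        return "kerberos"     # the GSSAPI path to this server failed
    return "other"


def parse_engine_attempts(lines) -> List[ServerAttempt]:
    return [ServerAttempt(m["host"], int(m["port"]), m["user"], classify(m["reason"]),
                          m["stop"] is None, has_doubled_suffix(m["host"]))
            for m in filter(None, map(ENGINE_FAIL_RE.search, lines))]


def parse_kdc_issues(lines) -> Dict[str, Set[str]]:
    """client principal -> service principals the KDC actually ISSUEd (preauth
    challenges and errors are ignored, so only real tickets count)."""
    issued: Dict[str, Set[str]] = {}
    for m in filter(None, map(KDC_RE.search, lines)):
        if m["status"] == "ISSUE":
            issued.setdefault(m["client"], set()).add(m["server"])
    return issued


def diagnose(engine_lines, kdc_lines, login_principal: str) -> List[str]:
    realm = login_principal.rsplit("@", 1)[-1]
    issued = parse_kdc_issues(kdc_lines).get(login_principal, set())
    got_tgt = any(s.startswith("krbtgt/") for s in issued)
    findings = []
    for a in parse_engine_attempts(engine_lines):
        where = f"{a.host}:{a.port}"
        if a.category == "dns":
            msg = f"{where}: hostname does not resolve"
            if a.doubled_suffix:
                msg += f" (domain '{a.doubled_suffix}' appended twice; fix --ldap-servers or the SRV record)"
            findings.append(msg + ("; engine moved on to the next server" if a.failover else ""))
        elif a.category == "kerberos":
            svc = f"ldap/{a.host}@{realm}"
            if got_tgt and svc in issued:
                findings.append(f"{where}: engine reports a Kerberos error but the KDC issued a TGT and {svc}; "
                                "the failure is in the GSSAPI/LDAP bind, not in ticket acquisition")
            elif got_tgt:
                findings.append(f"{where}: TGT issued but no ticket for {svc}; check the server's ldap/ principal")
            else:
                findings.append(f"{where}: KDC issued no TGT for {login_principal}; check preauth/password")
            if not a.failover:
                findings[-1] += " (engine did not fail over)"
        else:
            findings.append(f"{where}: unclassified failure")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_ENGINE_LOG, SAMPLE_KDC_LOG, ASSUMED_USER):
        print(line)
```

To use it on a real incident, replace the two sample lists with the contents of engine.log and the KDC's krb5kdc.log for the same time window. The log lines quoted in the thread show the engine moving on to the next server after the UnknownHost failure but not after the Kerberos error, so with the legacy kerberosldap provider a second master is only tried after a connection-level failure. When the engine reports a Kerberos error for a server whose KDC shows both the TGT and the ldap/ ticket issued (the 2016-06-07 situation above), the step that failed is the GSSAPI bind to that server's LDAP, so the things to compare next are the name the engine resolves for the server and the ldap/ principal that server actually holds, not the KDC.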

