Cannot list IPA users from RHEVM v3 console


Hi,

Suddenly I see that I cannot list/find IPA users within the RHEVM web console.

Although I can list users via the command line, either from the IPA server or from RHEVM:

 

# ipa user-find helpdesk
--------------
1 user matched
--------------
  User login: helpdesk
  First name: IT
  Last name: Helpdesk
  Home directory: /home/helpdesk
  Login shell: /bin/sh
  Account disabled: False
  Member of groups: ipausers
----------------------------
Number of entries returned 1

 

In /var/log/rhevm/rhevm.log on RHEVM I see this:

 

2012-02-01 17:56:55,589 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (pool-11-thread-1) Error from Kerberos: rh6-ipa.example.com.
2012-02-01 17:56:55,589 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http-0.0.0.0-8443-7) Failed authenticating user: helpdesk to domain example.com. Ldap Query Type is getUserByName
2012-02-01 17:56:55,590 ERROR [org.ovirt.engine.core.bll.LoginBaseCommand] (http-0.0.0.0-8443-7) USER_FAILED_TO_AUTHENTICATE : helpdesk

 

Time is synced correctly on all nodes.

/Vlad.

 

Responses

Could it be that you have changed the user password?

 

When you added the domain to RHEV Manager you provided a user and password. RHEV Manager uses this user to query IPA for the other users. If you've changed this password (by default, password expiry in IPA is set to 90 days) then you have to change it in RHEV Manager as well.

Thanks, I'll check.

 

I didn't.

 

 

Does it mean that the admin's password in RHEVM is not synced with the one on the IPA server? I thought that RHEVM reads the IPA users database. Right?

 

Also, while on IPA or RHEVM, I do succeed in validating the admin@example.com password.

 

/Vlad.

 

Simon,

 

To be on the safe side I changed my admin password (the user I used to configure IPA) on the IPA server and validated its status in RHEVM - the new password worked in RHEVM, but I'm not able to log in to the RHEVM console with the IPA admin user.

 

 

/var/log/rhevm/rhevm.log:

 

 

2012-02-02 10:03:09,117 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (pool-11-thread-240) Error from Kerberos: rh6-ipa.il.nds.com.
2012-02-02 10:03:09,118 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http-0.0.0.0-8443-2) Failed authenticating user: admin to domain il.nds.com. Ldap Query Type is getUserByName
2012-02-02 10:03:09,118 ERROR [org.ovirt.engine.core.bll.LoginBaseCommand] (http-0.0.0.0-8443-2) USER_FAILED_TO_AUTHENTICATE : admin
2012-02-02 10:03:09,118 WARN  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http-0.0.0.0-8443-2) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE
 
 
/Vlad

 

2012-02-02 10:03:09,117 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (pool-11-thread-240) Error from Kerberos: rh6-ipa.il.nds.com.
2012-02-02 10:03:09,118 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http-0.0.0.0-8443-2) Failed authenticating user: admin to domain il.nds.com. Ldap Query Type is getUserByName
2012-02-02 10:03:09,118 ERROR [org.ovirt.engine.core.bll.LoginBaseCommand] (http-0.0.0.0-8443-2) USER_FAILED_TO_AUTHENTICATE : admin
2012-02-02 10:03:09,118 WARN  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http-0.0.0.0-8443-2) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE

Did you use rhevm-manage-domains?

 

I used "ipa passwd admin".

Also, explain to me why we need to change the user's password in RHEVM if it reads user info from IPA and is aware of them?
 
 
 

You have to let RHEV Manager know the password.

 

Otherwise RHEV Manager will not be able to query the domain for the rest of the users. RHEV Manager uses the user and password provided when adding the domain to RHEV Manager in order to be able to access the domain and run queries.

 

The user provided to RHEV Manager does not have to be the IPA admin user, but it has to be a user that has permissions to query about other users in the domain.

 

If at any time you change this user's password in IPA then you have to change the password in the RHEV Manager database as well, using rhevm-manage-domains.

 

I hope it is clear now.

What is the correct syntax to change the IPA admin password using the rhevm-manage-domains command?

# rhevm-manage-domains -action=edit -domain=<domain.com> -user=<username> -interactive

 

# service jbossas restart

 

# ipa-client-install --domain=EXAMPLE.COM  --server=rh6-ipa.example.com

Discovery was successful!

Hostname: rhevm2.examples.com

Realm: IL.NDS.COM

DNS Domain: IL.NDS.COM

IPA Server: rh6-ipa.example.com

BaseDN: dc=example,dc=com

 

 

Continue to configure the system with these values? [no]: yes

Enrollment principal: admin

Password for admin@EXAMPLE.COM:

 

Enrolled in IPA realm EXAMPLE.COM

Created /etc/ipa/default.conf

Configured /etc/sssd/sssd.conf

Configured /etc/krb5.conf for IPA realm EXAMPLE.COM

SSSD enabled

Kerberos 5 enabled

NTP enabled

Client configuration complete.

 
After that I manage to list the admin's Kerberos ticket with kinit, but login to RHEV-M doesn't work.

When running the suggested command I got this error:
 
# rhevm-manage-domains -action=edit -domain=EXAMPLE.COM -user=admin interactive
Error:  exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
 
# rhevm-manage-domains -action=list
Domain: il.nds.com
        User name: admin@EXAMPLE.COM
        This domain is a remote domain.
Manage Domains completed successfully
 
############################################################
 
# rhevm-manage-domains -action=validate
Error:  exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
 
The point is that in the past I did succeed in managing IPA users from RHEV-M.
 
Thanks.

/Vlad.
# rhevm-manage-domains -action=list
Domain: il.nds.com
        User name: admin@IL.NDS.COM
        This domain is a remote domain.
Manage Domains completed successfully
Failure while testing domain il.nds.com. Details: Kerberos error. Please check log for further details.

# rhevm-manage-domains -action=edit -domain=IL.NDS.COM -user=admin interactive
Error:  exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
Failure while testing domain il.nds.com. Details: Kerberos error. Please check log for further details.
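The rhevm-manage-domains and rhevm.log errors quoted above carry a numbered Kerberos error. The script below is an added example, not part of this discussion or of the RHEV/oVirt code base: it pulls the failing user and domain out of log lines, maps the Kerberos error number to its meaning in RFC 4120, checks whether the configured bind principal's realm agrees with the domain name (the inconsistency the replier asks about next), and flags the one password character the last reply in this thread reports as breaking rhevm-manage-domains. Two facts worth knowing when reading such output: code 31 (KRB_AP_ERR_BAD_INTEGRITY, "Integrity check on decrypted field failed") is what the KDC returns when the password RHEV-M holds for the bind user no longer matches the key in IPA, whereas a clock problem appears as code 37 (KRB_AP_ERR_SKEW, "Clock skew too great"). The sample lines are constructed (modelled on the ones in this thread), and the `CLOCK_SKEW` label, the sample domains and all function names are assumptions made for the example.

```python
"""Triage helper for RHEV-M (oVirt engine) login failures against an IPA domain.

Added example; not code from the Red Hat discussion or from RHEV/oVirt itself.
"""
import re

# Kerberos error codes as numbered in RFC 4120 section 7.5.9; the number is the
# one in parentheses in "Integrity check on decrypted field failed (31) - PREAUTH_FAILED".
KRB_ERROR_HINTS = {
    24: "KDC_ERR_PREAUTH_FAILED: pre-authentication failed, usually a wrong password",
    25: "KDC_ERR_PREAUTH_REQUIRED: the KDC requires pre-authentication",
    31: "KRB_AP_ERR_BAD_INTEGRITY: the key derived from the stored password cannot "
        "decrypt the KDC reply, i.e. the password RHEV-M holds for the bind user is "
        "not the one currently set in IPA (re-run rhevm-manage-domains -action=edit)",
    37: "KRB_AP_ERR_SKEW: clock skew too great, sync time on RHEV-M and the IPA server",
}

# rhevm.log line shape: "2012-02-02 10:03:09,118 ERROR [logger] (thread) message"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+(?P<level>ERROR|WARN)\s+"
    r"\[(?P<logger>[\w.]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r"Failed authenticating user: (?P<user>\S+) to domain (?P<domain>\S+)")
KRB_CODE_RE = re.compile(r"\((?P<code>\d+)\)\s*-\s*(?P<name>[A-Z_]+)")


def parse_log_line(line):
    """Split one rhevm.log line into its fields; None if it is not a log line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Collect authentication failures and Kerberos error codes found in lines."""
    report = {"auth_failures": [], "kerberos": []}
    seen_codes = set()
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            parsed = parse_log_line(line)
            report["auth_failures"].append({
                "time": parsed["ts"] if parsed else None,
                "user": m.group("user"),
                "domain": m.group("domain").rstrip("."),  # log ends the domain with a period
            })
        for k in KRB_CODE_RE.finditer(line):
            code = int(k.group("code"))
            if code in seen_codes:
                continue
            seen_codes.add(code)
            report["kerberos"].append({
                "code": code,
                "label": k.group("name"),
                "hint": KRB_ERROR_HINTS.get(code, "unknown Kerberos error code"),
            })
    return report


def realm_matches_domain(principal, domain):
    """True if the realm in 'user@REALM' equals the domain name, case-insensitively.

    admin@EXAMPLE.COM configured for domain il.nds.com is the kind of mismatch
    visible in rhevm-manage-domains -action=list output.
    """
    if "@" not in principal:
        return False
    realm = principal.rsplit("@", 1)[1]
    return realm.lower() == domain.lower().rstrip(".")


def has_known_bad_password_char(password):
    """True if the password contains ':', the only character this thread reports
    as unusable with rhevm-manage-domains; other characters are not checked."""
    return ":" in password


# Constructed sample input modelled on the thread's excerpts; not from a real system.
SAMPLE_LINES = [
    "2012-02-02 10:03:09,117 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (pool-11-thread-240) Error from Kerberos: rh6-ipa.example.com.",
    "2012-02-02 10:03:09,118 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http-0.0.0.0-8443-2) Failed authenticating user: admin to domain example.com. Ldap Query Type is getUserByName",
    "2012-02-02 10:03:09,118 ERROR [org.ovirt.engine.core.bll.LoginBaseCommand] (http-0.0.0.0-8443-2) USER_FAILED_TO_AUTHENTICATE : admin",
    "Error:  exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED",
    "Error:  exception message: Clock skew too great (37) - CLOCK_SKEW",  # constructed label
]

if __name__ == "__main__":
    rep = triage(SAMPLE_LINES)
    for f in rep["auth_failures"]:
        print(f"{f['time']}: user {f['user']} failed against domain {f['domain']}")
    for k in rep["kerberos"]:
        print(f"Kerberos ({k['code']}) {k['label']}: {k['hint']}")
    print("realm matches domain:", realm_matches_domain("admin@EXAMPLE.COM", "il.nds.com"))
```

Run it against a copy of rhevm.log plus the rhevm-manage-domains output; a code 31 with the validate action failing points at the stored bind password, a code 37 at time, and a realm that does not match the domain at the domain definition itself.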

Are you using il.nds.com or example.com? The output looks a bit inconsistent.

In this case, il.nds.com. This domain was chosen when I ran the IPA installation wizard. I suspect it is due to resolv.conf reflecting the IPA server's DNS client config.

 

Also, I noticed that the time in RHEV Manager (according to the latest events) differs from the RHEV server.

That may explain the Kerberos errors.

 

How to fix this ?

I'd like to understand your setup a bit first - what's the FQDN of RHEV-M? What's the FQDN of the DS? What SRV records does your DNS provide?

On the server I adjusted its time to the one I see in the RHEV Manager console (symlinked /etc/localtime to UTC).

 

Now I can add new users in IPA, change their passwords in RHEV Manager and log in to the User Portal.

Thanks.

I had that problem and fixed it thanks to this post: http://lists.ovirt.org/pipermail/users/2013-August/015796.html
There was an illegal character in the password, in my case ":".
