After updating IPA servers to RHEL 6.6, we are unable to log into RHEVM

Solution Verified - Updated -

Issue

  • After upgrading IPA from RHEL 6.5 to 6.6, we cannot log in to the RHEV GUI
  • Changing minssf to 1 on the IPA server seems to fix the issue, but breaks authentication for other apps
  • In the RHEVM logs (engine.log), we see:
ERROR [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper] (ajp-/127.0.0.1:8702-16) Error in running LDAP query. BaseDN is , filter is (&(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=u)). Exception message is: null
ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp-/127.0.0.1:8702-16) Failed ldap search server LDAP://ipa1.example.com:389 using user u@example.com due to null. We should try the next server
ERROR [org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper] (ajp-/127.0.0.1:8702-16) Error in running LDAP query. BaseDN is , filter is (&(objectClass=posixAccount)(objectClass=krbPrincipalAux)(uid=u)). Exception message is: null
ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp-/127.0.0.1:8702-16) Failed ldap search server LDAP://ipa2.example.com:389 using user u@example.com due to null. We should try the next server
ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp-/127.0.0.1:8702-16) Failed authenticating user: u to domain example.com Ldap Query Type is getUserByName
ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-16) USER_FAILED_TO_AUTHENTICATE : u 
WARN  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-16) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE
  • We also saw the following output from rhevm-manage-domains:
# rhevm-manage-domains -action=list
Domain: example.com
        User name: admin@EXAMPLE.COM
Manage Domains completed successfully

# rhevm-manage-domains -action=validate
Error:  exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
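
Added example (not part of the original article and not Red Hat's code): a small Python triage script that groups engine.log errors like those above by request thread and reports which directory servers were tried, for which user, and whether every server failed with the same cause. The function name `summarize`, the `uniform_failure` flag and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the engine.log excerpt above.
# Any prefix before the log level (such as a timestamp) is ignored.
SAMPLE = """\
ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp-/127.0.0.1:8702-16) Failed ldap search server LDAP://ipa1.example.com:389 using user u@example.com due to null. We should try the next server
ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp-/127.0.0.1:8702-16) Failed ldap search server LDAP://ipa2.example.com:389 using user u@example.com due to null. We should try the next server
ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp-/127.0.0.1:8702-16) Failed authenticating user: u to domain example.com Ldap Query Type is getUserByName
WARN  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-16) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE
"""

HEAD = re.compile(r"\b(?P<level>ERROR|WARN|INFO|DEBUG)\s+\[(?P<cls>[\w.$]+)\]"
                  r"\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)")
SEARCH = re.compile(r"Failed ldap search server (?P<url>\S+) using user "
                    r"(?P<user>\S+) due to (?P<cause>.*?)\. We should try")
AUTH = re.compile(r"Failed authenticating user: (?P<user>\S+) to domain (?P<domain>\S+)")


def summarize(log_text):
    """Return {thread: summary} for every request thread that logged a failure."""
    acc = defaultdict(lambda: {"servers": [], "causes": set(), "user": None,
                               "domain": None, "login_failed": False})
    for line in log_text.splitlines():
        head = HEAD.search(line)
        if not head:
            continue
        entry, msg = acc[head["thread"]], head["msg"]
        if (m := SEARCH.search(msg)):
            entry["servers"].append(m["url"])
            entry["causes"].add(m["cause"])
        elif (m := AUTH.search(msg)):
            entry["user"], entry["domain"] = m["user"], m["domain"]
        elif "USER_FAILED_TO_AUTHENTICATE" in msg:
            entry["login_failed"] = True
    result = {}
    for thread, e in acc.items():
        if not (e["servers"] or e["login_failed"]):
            continue
        # Heuristic: the same cause from more than one directory server suggests
        # something common to all of them rather than one broken replica.
        e["uniform_failure"] = len(set(e["servers"])) > 1 and len(e["causes"]) == 1
        e["causes"] = sorted(e["causes"])
        result[thread] = e
    return result


if __name__ == "__main__":
    for thread, info in summarize(SAMPLE).items():
        print(thread, info)
```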

Environment

  • Red Hat Enterprise Virtualization 3.3
  • Red Hat Enterprise Virtualization 3.4
  • Red Hat Directory Server
  • ipa-server-3.0.0-42.el6.x86_64
