Bug 1171474

Summary: [RFE] Add NTP server configuration to engine-setup deployment menu.
Product: Red Hat Enterprise Virtualization Manager Reporter: Nikolai Sednev <nsednev>
Component: ovirt-engine-setup
Assignee: Sandro Bonazzola <sbonazzo>
Status: CLOSED DUPLICATE QA Contact: Pavel Stehlik <pstehlik>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.5.0
CC: bazulay, dfediuck, ecohen, gklein, iheim, lsurette, rbalakri, Rhev-m-bugs, yeylon
Target Milestone: ---
Keywords: Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-12-08 07:14:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments: engine.log (flags: none)

Description Nikolai Sednev 2014-12-07 14:05:42 UTC
Created attachment 965564 [details]
engine.log

Description of problem:
[RFE] Add NTP server configuration to engine-setup deployment menu.
The reason for adding NTP configuration to the engine-setup deployment procedure is simple: if it is not configured and the ntpd service is not running on the engine's VM, then after some time, a week or two, the time skew on the engine's VM becomes large enough for Active Directory Kerberos authentication to fail, since the clocks are not synchronized. The error messages below then appear in the engine's log and AD user authentication fails.

2014-12-07 13:37:22,217 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp-/127.0.0.1:8702-17) Failed ldap search server ldap://qa1.qa.lab.tlv.redhat.com:389 using user nsednev.TLV.REDHAT.COM due to Authentication Failed. The Engine clock is not synchronized with directory services (must be within 5 minutes difference). Please verify the clocks are synchronized. We should try the next server
2014-12-07 13:37:22,217 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp-/127.0.0.1:8702-17) Failed authenticating user: nsednev to domain qa.lab.tlv.redhat.com. Ldap Query Type is getUserByName
2014-12-07 13:37:22,217 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp-/127.0.0.1:8702-17) Authentication Failed. The Engine clock is not synchronized with directory services (must be within 5 minutes difference). Please verify the clocks are synchronized
2014-12-07 13:37:22,218 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp-/127.0.0.1:8702-17) Failed to run command LdapAuthenticateUserCommand. Domain is qa.lab.tlv.redhat.com. User is nsednev.
2014-12-07 13:37:22,218 INFO  [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp-/127.0.0.1:8702-17) Cant login user "nsednev" with authentication profile "qa.lab.tlv.redhat.com" because the authentication failed.
2014-12-07 13:37:22,220 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-17) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User nsednev failed to log in.
2014-12-07 13:37:22,221 WARN  [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-17) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE
2014-12-07 13:37:25,575 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp-/127.0.0.1:8702-16) Kerberos error: Clock skew too great (37)
2014-12-07 13:37:25,575 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp-/127.0.0.1:8702-16) Authentication Failed. The Engine clock is not synchronized with directory services (must be within 5 minutes difference). Please verify the clocks are synchronized

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Add the engine to AD for Kerberos authentication without the ntpd service running on the VM.
2. Log in to the engine using the AD domain and your username/password as set in AD, with proper permissions already set in the engine itself.
3. Wait ~2 weeks for the time skew between AD and your engine to build up, then try to log in to your engine; you will fail with the errors that appear in the attachment.

Actual results:
The user fails to log in to the engine because NTP is not synchronized on the engine's VM.

Expected results:
The engine deployment setup procedure has to include configuring the ntp service and checking that the ntpd service is configured to run on boot; otherwise AD authentication will always get a time skew and eventually won't let the customer log in over AD authentication.

Additional info:
The engine's log is attached.
The workaround is to configure the ntpd service to run on boot:
  chkconfig ntpd on
and to set the correct NTP server in the ntp config file:
  vi /etc/ntp.conf
  clock.redhat.com
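
A check script for the failure mode described in this report, added here as an example; it is not part of the bug report, of engine-setup or of oVirt. It assumes the Kerberos default clock-skew tolerance of 5 minutes (300 s) that the engine's log messages cite, that ntpdate is installed and the named host is reachable for the optional live check, and that chkconfig (RHEL 6) or systemctl (RHEL 7) is available for the boot-enablement check. The engine.log lines and epoch values used by the offline demo are constructed.

```bash
#!/usr/bin/env bash
# Added example (not part of the bug report or of engine-setup).
# Checks an engine host for the clock-skew failure mode described above:
#   1. Is the local clock within Kerberos' default tolerance (300 s) of a
#      reference clock (the AD domain controller or an NTP server)?
#   2. Does engine.log already contain the skew-related authentication errors?
#   3. Is ntpd (or chronyd) enabled on boot?
# No arguments: offline demo on constructed data.
# "--live <ntp-or-dc-host>": real checks (assumes ntpdate is installed).

KRB_MAX_SKEW=300   # Kerberos default clockskew in seconds ("within 5 minutes" in the log)

# skew_seconds LOCAL_EPOCH REF_EPOCH -> prints |LOCAL - REF| in whole seconds
skew_seconds() {
  local d=$(( $1 - $2 ))
  if [ "$d" -lt 0 ]; then d=$(( -d )); fi
  printf '%d\n' "$d"
}

# skew_within_tolerance LOCAL_EPOCH REF_EPOCH -> exit 0 iff skew <= KRB_MAX_SKEW
skew_within_tolerance() {
  [ "$(skew_seconds "$1" "$2")" -le "$KRB_MAX_SKEW" ]
}

# count_skew_failures LOGFILE -> number of engine.log lines carrying one of the
# two messages the engine logs when Kerberos/LDAP authentication fails on clock skew
count_skew_failures() {
  grep -c -E 'Clock skew too great|Engine clock is not synchronized with directory services' "$1" || true
}

# ntpd_enabled_on_boot -> exit 0 if ntpd (or chronyd) is enabled at boot.
# RHEL 7: systemctl is-enabled; RHEL 6: "chkconfig ntpd" exits 0 when on in the current runlevel.
ntpd_enabled_on_boot() {
  if command -v systemctl >/dev/null 2>&1; then
    systemctl is-enabled ntpd >/dev/null 2>&1 || systemctl is-enabled chronyd >/dev/null 2>&1
  else
    chkconfig ntpd >/dev/null 2>&1
  fi
}

# live HOST: compare the local clock with HOST via "ntpdate -q" (assumed installed,
# HOST assumed reachable) and report the skew and the ntpd boot state.
live() {
  local host="$1" offset now ref
  # ntpdate -q prints "server X, stratum N, offset S, delay D"; S is server minus local
  offset=$(ntpdate -q "$host" | awk '/offset/ { for (i = 1; i <= NF; i++) if ($i == "offset") { sub(",", "", $(i+1)); print $(i+1); exit } }')
  now=$(date +%s)
  ref=$(awk -v n="$now" -v o="$offset" 'BEGIN { printf "%d\n", n + o }')
  if skew_within_tolerance "$now" "$ref"; then
    echo "clock skew vs $host: $(skew_seconds "$now" "$ref") s (within ${KRB_MAX_SKEW} s)"
  else
    echo "clock skew vs $host: $(skew_seconds "$now" "$ref") s: Kerberos auth WILL fail"
  fi
  if ntpd_enabled_on_boot; then
    echo "ntpd/chronyd enabled on boot"
  else
    echo "ntpd NOT enabled on boot (chkconfig ntpd on / systemctl enable ntpd)"
  fi
}

# demo: offline run on constructed data
demo() {
  local log
  log=$(mktemp)
  # Constructed sample engine.log modelled on the lines in the report
  cat >"$log" <<'EOF'
2014-12-07 13:37:22,217 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp-/127.0.0.1:8702-17) Authentication Failed. The Engine clock is not synchronized with directory services (must be within 5 minutes difference). Please verify the clocks are synchronized
2014-12-07 13:37:22,220 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-17) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User nsednev failed to log in.
2014-12-07 13:37:25,575 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp-/127.0.0.1:8702-16) Kerberos error: Clock skew too great (37)
EOF
  echo "skew-related failures in sample log: $(count_skew_failures "$log")"
  rm -f "$log"
  # Constructed epochs: engine clock 6 minutes behind the DC, outside the 300 s window
  local engine=1417959442 dc=1417959802
  if skew_within_tolerance "$engine" "$dc"; then
    echo "skew $(skew_seconds "$engine" "$dc") s: OK"
  else
    echo "skew $(skew_seconds "$engine" "$dc") s: too great, Kerberos auth fails"
  fi
}

case "${1:-}" in
  --live) live "${2:?usage: $0 --live <host>}" ;;
  *)      demo ;;
esac
```

The log check is the cheap first triage step when AD logins start failing on an engine: two distinct messages appear, one from the LDAP layer and one from the GSSAPI layer, and either is sufficient to point at the clocks rather than at credentials or permissions. The live check reports the skew in the same units Kerberos enforces, so a value creeping towards 300 s can be caught before logins actually break.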

Comment 1 Doron Fediuck 2014-12-08 07:14:08 UTC

*** This bug has been marked as a duplicate of bug 1162588 ***