Bug 1387476

Summary: cannot reset admin password, using ovirt-aaa-jdbc-tool
Product: [oVirt] ovirt-engine
Reporter: gzcwnk <thing.thing>
Component: AAA
Assignee: Ravi Nori <rnori>
Status: CLOSED WORKSFORME
QA Contact: Gonza <grafuls>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 4.0.4
CC: bugs, mperina, thing.thing
Target Milestone: ---
Flags: mperina: needinfo? (thing.thing), rule-engine: planning_ack?, rule-engine: devel_ack?, rule-engine: testing_ack?
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-31 09:47:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description gzcwnk 2016-10-21 02:12:12 UTC
Description of problem:


cannot reset admin password, using command,

============
[root@ovirt1 ovirt-engine]#   ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to='2300-10-22 22:22:22Z'
Password:
Reenter password:
new password already used
[root@ovirt1 ovirt-engine]#   ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to='2300-10-22 22:22:22Z'
Password:
Reenter password:
updating user admin...
user updated successfully
[root@ovirt1 ovirt-engine]# date
Fri Oct 21 14:59:09 NZDT 2016
==============

Version-Release number of selected component (if applicable):

[root@ovirt1 ovirt-engine]# rpm -qa |grep ovirt
ovirt-engine-dwh-4.0.2-1.el7.centos.noarch
ovirt-engine-vmconsole-proxy-helper-4.0.4.4-1.el7.centos.noarch
ovirt-engine-restapi-4.0.4.4-1.el7.centos.noarch
ovirt-engine-sdk-python-3.6.9.1-1.el7.centos.noarch
ovirt-engine-extension-aaa-jdbc-1.1.0-1.el7.noarch
ovirt-host-deploy-1.5.2-1.el7.centos.noarch
ovirt-engine-lib-4.0.4.4-1.el7.centos.noarch
ovirt-engine-tools-backup-4.0.4.4-1.el7.centos.noarch
ovirt-engine-tools-4.0.4.4-1.el7.centos.noarch
ovirt-engine-setup-4.0.4.4-1.el7.centos.noarch
ovirt-image-uploader-4.0.1-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-common-4.0.4.4-1.el7.centos.noarch
ovirt-imageio-proxy-0.4.0-0.201608310602.gita9b573b.el7.centos.noarch
ovirt-vmconsole-1.0.4-1.el7.centos.noarch
ovirt-engine-userportal-4.0.4.4-1.el7.centos.noarch
ovirt-engine-webadmin-portal-4.0.4.4-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-4.0.4.4-1.el7.centos.noarch
ovirt-imageio-common-0.4.0-1.el7.noarch
python-ovirt-engine-sdk4-4.0.1-1.el7.centos.x86_64
ovirt-engine-wildfly-10.0.0-1.el7.x86_64
ovirt-host-deploy-java-1.5.2-1.el7.centos.noarch
ovirt-engine-dwh-setup-4.0.2-1.el7.centos.noarch
ovirt-engine-websocket-proxy-4.0.4.4-1.el7.centos.noarch
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.0.4.4-1.el7.centos.noarch
ovirt-engine-dashboard-1.0.3-1.el7.centos.noarch
ovirt-engine-4.0.4.4-1.el7.centos.noarch
ovirt-setup-lib-1.0.2-1.el7.centos.noarch
ovirt-engine-extensions-api-impl-4.0.4.4-1.el7.centos.noarch
ovirt-iso-uploader-4.0.1-1.el7.centos.noarch
ovirt-engine-wildfly-overlay-10.0.0-1.el7.noarch
ovirt-imageio-daemon-0.4.0-1.el7.noarch
ovirt-engine-cli-3.6.8.1-1.el7.centos.noarch
ovirt-vmconsole-host-1.0.4-1.el7.centos.noarch
ovirt-engine-setup-plugin-websocket-proxy-4.0.4.4-1.el7.centos.noarch
ovirt-engine-backend-4.0.4.4-1.el7.centos.noarch
ovirt-imageio-proxy-setup-0.4.0-0.201608310602.gita9b573b.el7.centos.noarch
ovirt-vmconsole-proxy-1.0.4-1.el7.centos.noarch
ovirt-engine-dbscripts-4.0.4.4-1.el7.centos.noarch
ovirt-release40-4.0.4-1.noarch
ovirt-engine-setup-base-4.0.4.4-1.el7.centos.noarch
[root@ovirt1 ovirt-engine]#
How reproducible:


Steps to Reproduce:
1. I found the ovirt server was 24 hours ahead of NZST so I ran date and hwclock fix and rebooted, then unable to login.
2.
3.

Actual results:
cannot login to web ui

Expected results:
be able to login to web ui

Additional info:
I probably have the wrong component but I have no idea what one it is.

Comment 1 gzcwnk 2016-10-21 02:14:11 UTC
Cannot login, user account has expired, contact your system administrator, which, is um....me!

Comment 2 gzcwnk 2016-10-21 02:15:02 UTC
This is on Centos 7.2

Comment 3 gzcwnk 2016-10-21 02:16:53 UTC
How do I upload a sosreport?

Comment 4 gzcwnk 2016-10-21 02:24:08 UTC
Don't seem to be able to set a password,

:(

=======
[root@ovirt1 ovirt-engine]# engine-config -s AdminPassword=interactive
Error setting AdminPassword's value. No such entry.
[root@ovirt1 ovirt-engine]#
=======

Comment 5 gzcwnk 2016-10-21 02:51:55 UTC
engine log,

=======
2016-10-21 15:49:16,935 ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-53) [] Cannot authenticate user 'admin@internal': Cannot Login. User Account has expired, Please contact your system administrator.
=======

Comment 6 Yaniv Kaul 2016-10-22 07:37:02 UTC
Is the password set before or after the clock fix?

Comment 7 gzcwnk 2016-10-23 04:43:03 UTC
After, as after changing the time back 1 hour I could not login.

Comment 8 Martin Perina 2016-10-24 09:45:19 UTC
Hi,

so oVirt is depending on correct and synchronised date/time setting. Anyway back to your issue:

> [root@ovirt1 ovirt-engine]#   ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to='2300-10-22 22:22:22Z'
> Password:
> Reenter password:
> new password already used

You have specified the same password as currently set. By default we remember the last 3 passwords (option PASSWORD_HISTORY_LIMIT), and we require a password to be at least 6 characters long (option MIN_LENGTH). For more information about those options please take a look at:

  ovirt-aaa-jdbc-tool settings show

Anyway if you don't want to change the default and just set the password bypassing the checks, please use --force option:

 ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to='2300-10-22 22:22:22Z' --force


> [root@ovirt1 ovirt-engine]#   ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to='2300-10-22 22:22:22Z'
> Password:
> Reenter password:
> updating user admin...
> user updated successfully

This time you have probably entered a different password, so the password change was successful.


But according to Comment 5, the problem is not in the password:

> 2016-10-21 15:49:16,935 ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-53) [] Cannot authenticate user 'admin@internal': Cannot Login. User Account has expired, Please contact your system administrator.

Due to the time shift your 'admin@internal' account has expired, you can verify that by executing:

  ovirt-aaa-jdbc-tool user show admin

and check 'Account Valid From' and 'Account Valid To' dates (be aware that both are specified using UTC time). If you need to change those values please use --account-valid-from or --account-valid-to options:

  ovirt-aaa-jdbc-tool user edit --account-valid-from='...' --account-valid-to='...'


You can find more information about ovirt-aaa-jdbc-tool at http://www.ovirt.org/develop/release-management/features/infra/aaa-jdbc/

Comment 9 Martin Perina 2016-10-24 09:46:31 UTC
One small correction:

  ovirt-aaa-jdbc-tool user edit admin --account-valid-from='...' --account-valid-to='...'
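
The validity-window check described in Comment 8, as an added example that is not part of the original thread or of the oVirt project: it compares a UTC clock reading against the 'Account Valid From' and 'Account Valid To' fields. It assumes `user show` prints one `Label: value` pair per line with timestamps in the `YYYY-MM-DD HH:MM:SSZ` form used on this page; the function names, result labels and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug thread.
# Assumption: `user show` prints one "Label: value" pair per line, with
# timestamps in the same "YYYY-MM-DD HH:MM:SSZ" UTC form used on this page.

# Current time in that form; always UTC, never the host's local zone.
now_utc() { date -u '+%Y-%m-%d %H:%M:%SZ'; }

# check_account_window NOW_UTC   (reads `user show` output on stdin)
# Prints: valid | not-yet-valid | expired | unparsed  (labels of this example)
check_account_window() {
    awk -v now="$1" '
        # Strip only the label so the colons inside the timestamp survive.
        /^Account Valid From:/ { sub(/^[^:]*:[ \t]*/, ""); from = $0 }
        /^Account Valid To:/   { sub(/^[^:]*:[ \t]*/, ""); to = $0 }
        END {
            if (from == "" || to == "") { print "unparsed"; exit }
            # Fixed-width timestamps sort chronologically as plain strings;
            # appending "" forces a string comparison.
            if ((now "") < (from ""))       print "not-yet-valid"
            else if ((now "") >= (to ""))   print "expired"
            else                            print "valid"
        }'
}

# Constructed sample output (not taken from the reporter's system).
SAMPLE_SHOW='Name: admin
Account Valid From: 2016-10-22 01:30:00Z
Account Valid To: 2216-10-22 01:30:00Z'

# Constructed clock reading that falls before the sample Valid From.
printf '%s\n' "$SAMPLE_SHOW" | check_account_window '2016-10-21 02:49:16Z'

# On the engine host:
#   ovirt-aaa-jdbc-tool user show admin | check_account_window "$(now_utc)"
```

Running the check before and after any clock correction shows whether the account window, rather than the password, is what blocks the login.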

Comment 10 Martin Perina 2016-10-31 09:47:24 UTC
Closing this as WORKSFORME, feel free to reopen if the hints provided in the above comments don't work for you.