Bug 1136346 - [AAA] ExtensionManager ignores extension ENABLED
Summary: [AAA] ExtensionManager ignores extension ENABLED
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-engine-core
Version: 3.5
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
: 3.5.0
Assignee: Alon Bar-Lev
QA Contact: Ondra Machacek
URL:
Whiteboard: infra
Depends On:
Blocks: oVirt-AAA-rewrite
Reported: 2014-09-02 11:54 UTC by Ondra Machacek
Modified: 2016-02-10 19:35 UTC (History)

Fixed In Version: ovirt-3.5.0_rc2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-17 12:42:41 UTC
oVirt Team: Infra
Embargoed:


Attachments (Terms of Use)
engine.log (238.13 KB, text/plain)
2014-09-02 15:34 UTC, Ondra Machacek


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 32332 0 master MERGED extmgr: respect enabled flag Never
oVirt gerrit 32395 0 ovirt-engine-3.5 MERGED extmgr: respect enabled flag Never

Description Ondra Machacek 2014-09-02 11:54:59 UTC
Description of problem:

Version-Release number of selected component (if applicable):
0:0.0.0-0.0.master.20140819143104.git7d503c8.el6

How reproducible:
always

Steps to Reproduce:
1. add domain via engine-manage-domains command
2. install ovirt-engine-extension-aaa-ldap
3. service ovirt-engine restart
4. search users within domain added in step 1)

Actual results:
domain doesn't work

Expected results:
domain works OK

Additional info:

Client sends these TGS-REQs:
Kerberos TGS-REQ
 KDC_REQ_BODY
   Server Name (Service and Instance): krbtgt/AD2.RHEV.LAB.ENG.BRQ.REDHAT.COM
 
Kerberos TGS-REQ
 KDC_REQ_BODY
  Server Name (Service and Instance): krbtgt/RHEV.LAB.ENG.BRQ.REDHAT.COM

instead of:
Server Name: ldap/brq-ldap.rhev.lab.eng.brq.redhat.com

kerberos log:

Sep 02 13:45:02 brq-ldap.rhev.lab.eng.brq.redhat.com krb5kdc[2353](info): AS_REQ (6 etypes {18 17 16 23 1 3}) 10.34.63.31: ISSUE: authtime 1409658302, etypes {rep=18 tkt=18 ses=18}, user1.LAB.ENG.BRQ.REDHAT.COM for krbtgt/BRQ-LDAP.RHEV.LAB.ENG.BRQ.REDHAT.COM.LAB.ENG.BRQ.REDHAT.COM
Sep 02 13:45:02 brq-ldap.rhev.lab.eng.brq.redhat.com krb5kdc[2353](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.34.63.31: UNKNOWN_SERVER: authtime 0,  user1.LAB.ENG.BRQ.REDHAT.COM for krbtgt/AD2.RHEV.LAB.ENG.BRQ.REDHAT.COM.LAB.ENG.BRQ.REDHAT.COM, Server not found in Kerberos database
Sep 02 13:45:02 brq-ldap.rhev.lab.eng.brq.redhat.com krb5kdc[2353](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.34.63.31: UNKNOWN_SERVER: authtime 0,  user1.LAB.ENG.BRQ.REDHAT.COM for krbtgt/RHEV.LAB.ENG.BRQ.REDHAT.COM.LAB.ENG.BRQ.REDHAT.COM, Server not found in Kerberos database
Sep 02 13:45:02 brq-ldap.rhev.lab.eng.brq.redhat.com krb5kdc[2353](info): AS_REQ (6 etypes {18 17 16 23 1 3}) 10.34.63.31: ISSUE: authtime 1409658302, etypes {rep=18 tkt=18 ses=18}, user1.LAB.ENG.BRQ.REDHAT.COM for krbtgt/BRQ-LDAP.RHEV.LAB.ENG.BRQ.REDHAT.COM.LAB.ENG.BRQ.REDHAT.COM
Sep 02 13:45:02 brq-ldap.rhev.lab.eng.brq.redhat.com krb5kdc[2353](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.34.63.31: UNKNOWN_SERVER: authtime 0,  user1.LAB.ENG.BRQ.REDHAT.COM for krbtgt/AD2.RHEV.LAB.ENG.BRQ.REDHAT.COM.LAB.ENG.BRQ.REDHAT.COM, Server not found in Kerberos database
Sep 02 13:45:02 brq-ldap.rhev.lab.eng.brq.redhat.com krb5kdc[2353](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.34.63.31: UNKNOWN_SERVER: authtime 0,  user1.LAB.ENG.BRQ.REDHAT.COM for krbtgt/RHEV.LAB.ENG.BRQ.REDHAT.COM.LAB.ENG.BRQ.REDHAT.COM, Server not found in Kerberos database

Comment 1 Alon Bar-Lev 2014-09-02 12:18:54 UTC
what do you mean by "ovirt-engine-extension-aaa-ldap"? what configuration?

Comment 2 Ondra Machacek 2014-09-02 13:22:56 UTC
Seems that sequence.krb-init.0.sysprop-set.value
is used for builtin provider instead of /etc/ovirt-engine/krb5.conf.
Even when that extension is disabled.

Comment 3 Alon Bar-Lev 2014-09-02 15:08:12 UTC
disabled how?
can you please provide the engine log with FINEST of org.ovirt.engineextensions.aaa.ldap?

Comment 4 Ondra Machacek 2014-09-02 15:34:56 UTC
Created attachment 933832 [details]
engine.log

disabled on extension level:
ovirt.engine.extension.enabled = false

Comment 5 Ondra Machacek 2014-09-02 18:59:14 UTC
This doesn't solve the problem with overriding of /etc/ovirt-engine/krb5.conf

Comment 6 Alon Bar-Lev 2014-09-02 19:10:13 UTC
(In reply to Ondra Machacek from comment #5)
> This doesn't solve the problem with overriding of /etc/ovirt-engine/krb5.conf

it won't be resolved.

jre can have only one kerberos configuration by setting java.security.krb5.conf system property.

usually, best to define this at /etc/ovirt-engine/engine.conf.d/xxxx.conf::ENGINE_PROPERTIES so it will be shared among all components.

the fact that the legacy kerberos ldap provider modifies the jre global state at runtime is not good behavior.

as I wrote many times in the past, the kerberos support for the new ldap provider is not priority.

if you insist on having this working, you should use the same kerberos configuration file that is generated by engine-manage-domains for all providers, as there is no way to disable the legacy provider system property injection.

BTW: it also unconditionally sets the sun.security.krb5.msinterop.kstring system property.
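
The loader behaviour this bug and comment 6 describe, as an added example that is not oVirt's ExtensionManager or the aaa-ldap extension's code: a descriptor with ovirt.engine.extension.enabled = false is parsed but still activated, so its sysprop-set step overwrites the JVM-wide java.security.krb5.conf that the legacy provider relies on; the fixed loader skips disabled extensions before any of their steps run. Only ovirt.engine.extension.enabled and sequence.krb-init.0.sysprop-set.value appear on the page; the other key names, the extension name and the file paths are assumptions, and the example writes into a Properties instance rather than System properties so it has no side effects.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

/*
 * Added example, not oVirt's ExtensionManager. Models the bug: the enabled
 * flag is read but not consulted, so a disabled extension still mutates the
 * shared Kerberos configuration. Key names other than
 * ovirt.engine.extension.enabled and sequence.krb-init.0.sysprop-set.value
 * are assumptions.
 */
public class ExtensionEnabledExample {

    /** Parsed extension descriptor (one *.properties file). */
    static final class Descriptor {
        final String name;
        final boolean enabled;
        final Properties props;

        Descriptor(String name, boolean enabled, Properties props) {
            this.name = name;
            this.enabled = enabled;
            this.props = props;
        }
    }

    /** Parse a descriptor; enabled defaults to true when absent (assumption). */
    static Descriptor parse(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        String name = p.getProperty("ovirt.engine.extension.name", "<unnamed>");
        boolean enabled = Boolean.parseBoolean(
                p.getProperty("ovirt.engine.extension.enabled", "true").trim());
        return new Descriptor(name, enabled, p);
    }

    /**
     * Apply every sequence.<seq>.<n>.sysprop-set.name/.value pair to target.
     * The real extension writes JVM system properties; a Properties target
     * keeps this example side-effect free.
     */
    static void applySyspropSets(Descriptor d, Properties target) {
        for (String key : d.props.stringPropertyNames()) {
            if (!key.startsWith("sequence.") || !key.endsWith(".sysprop-set.name")) {
                continue;
            }
            String prefix = key.substring(0, key.length() - ".name".length());
            String value = d.props.getProperty(prefix + ".value");
            if (value != null) {
                target.setProperty(d.props.getProperty(key), value);
            }
        }
    }

    /** Buggy loader: the flag is parsed but never consulted. */
    static List<String> activateIgnoringFlag(List<Descriptor> ds, Properties target) {
        List<String> activated = new ArrayList<>();
        for (Descriptor d : ds) {
            applySyspropSets(d, target);
            activated.add(d.name);
        }
        return activated;
    }

    /** Fixed loader: disabled extensions are skipped before any step runs. */
    static List<String> activateRespectingFlag(List<Descriptor> ds, Properties target) {
        List<String> activated = new ArrayList<>();
        for (Descriptor d : ds) {
            if (!d.enabled) {
                continue; // nothing of a disabled extension may touch JVM state
            }
            applySyspropSets(d, target);
            activated.add(d.name);
        }
        return activated;
    }

    public static void main(String[] args) throws IOException {
        // Constructed descriptor: an aaa-ldap extension disabled as in comment 4.
        String ldapExt = String.join("\n",
                "ovirt.engine.extension.name = example-ldap-authn",
                "ovirt.engine.extension.enabled = false",
                "sequence.krb-init.0.type = sysprop-set",
                "sequence.krb-init.0.sysprop-set.name = java.security.krb5.conf",
                "sequence.krb-init.0.sysprop-set.value = /etc/ovirt-engine/aaa/example-krb5.conf");
        List<Descriptor> ds = List.of(parse(ldapExt));

        // Legacy provider configuration, shared JVM-wide as comment 6 recommends.
        Properties before = new Properties();
        before.setProperty("java.security.krb5.conf", "/etc/ovirt-engine/krb5.conf");

        Properties buggy = (Properties) before.clone();
        System.out.println("buggy: activated=" + activateIgnoringFlag(ds, buggy)
                + " krb5.conf=" + buggy.getProperty("java.security.krb5.conf"));

        Properties fixed = (Properties) before.clone();
        System.out.println("fixed: activated=" + activateRespectingFlag(ds, fixed)
                + " krb5.conf=" + fixed.getProperty("java.security.krb5.conf"));
    }
}
```

Running the buggy path shows the disabled extension listed as activated and java.security.krb5.conf pointing at the extension's file; the fixed path activates nothing and leaves the engine-wide krb5.conf untouched. The check worth keeping from this is the ordering: evaluate the enabled flag before executing any configuration step, since a step such as sysprop-set changes process-global state that other providers in the same JVM depend on.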

Comment 7 Sandro Bonazzola 2014-10-17 12:42:41 UTC
oVirt 3.5 has been released and should include the fix for this issue.

