Description of problem:

Version-Release number of selected component (if applicable):
0:0.0.0-0.0.master.20140819143104.git7d503c8.el6

How reproducible:
always

Steps to Reproduce:
1. add domain via engine-manage-domains command
2. install ovirt-engine-extension-aaa-ldap
3. service ovirt-engine restart
4. search users within domain added in step 1)

Actual results:
domain doesn't work

Expected results:
domain works OK

Additional info:
Client sends this tgs req:

Kerberos TGS-REQ
  KDC_REQ_BODY
    Server Name (Service and Instance): krbtgt/AD2.RHEV.LAB.ENG.BRQ.REDHAT.COM
Kerberos TGS-REQ
  KDC_REQ_BODY
    Server Name (Service and Instance): krbtgt/RHEV.LAB.ENG.BRQ.REDHAT.COM

instead of:

    Server Name: ldap/brq-ldap.rhev.lab.eng.brq.redhat.com

kerberos log:
Sep 02 13:45:02 brq-ldap.rhev.lab.eng.brq.redhat.com krb5kdc[2353](info): AS_REQ (6 etypes {18 17 16 23 1 3}) 10.34.63.31: ISSUE: authtime 1409658302, etypes {rep=18 tkt=18 ses=18}, user1.LAB.ENG.BRQ.REDHAT.COM for krbtgt/BRQ-LDAP.RHEV.LAB.ENG.BRQ.REDHAT.COM.LAB.ENG.BRQ.REDHAT.COM
Sep 02 13:45:02 brq-ldap.rhev.lab.eng.brq.redhat.com krb5kdc[2353](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.34.63.31: UNKNOWN_SERVER: authtime 0, user1.LAB.ENG.BRQ.REDHAT.COM for krbtgt/AD2.RHEV.LAB.ENG.BRQ.REDHAT.COM.LAB.ENG.BRQ.REDHAT.COM, Server not found in Kerberos database
Sep 02 13:45:02 brq-ldap.rhev.lab.eng.brq.redhat.com krb5kdc[2353](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.34.63.31: UNKNOWN_SERVER: authtime 0, user1.LAB.ENG.BRQ.REDHAT.COM for krbtgt/RHEV.LAB.ENG.BRQ.REDHAT.COM.LAB.ENG.BRQ.REDHAT.COM, Server not found in Kerberos database
Sep 02 13:45:02 brq-ldap.rhev.lab.eng.brq.redhat.com krb5kdc[2353](info): AS_REQ (6 etypes {18 17 16 23 1 3}) 10.34.63.31: ISSUE: authtime 1409658302, etypes {rep=18 tkt=18 ses=18}, user1.LAB.ENG.BRQ.REDHAT.COM for krbtgt/BRQ-LDAP.RHEV.LAB.ENG.BRQ.REDHAT.COM.LAB.ENG.BRQ.REDHAT.COM
Sep 02 13:45:02 brq-ldap.rhev.lab.eng.brq.redhat.com krb5kdc[2353](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.34.63.31: UNKNOWN_SERVER: authtime 0, user1.LAB.ENG.BRQ.REDHAT.COM for krbtgt/AD2.RHEV.LAB.ENG.BRQ.REDHAT.COM.LAB.ENG.BRQ.REDHAT.COM, Server not found in Kerberos database
Sep 02 13:45:02 brq-ldap.rhev.lab.eng.brq.redhat.com krb5kdc[2353](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.34.63.31: UNKNOWN_SERVER: authtime 0, user1.LAB.ENG.BRQ.REDHAT.COM for krbtgt/RHEV.LAB.ENG.BRQ.REDHAT.COM.LAB.ENG.BRQ.REDHAT.COM, Server not found in Kerberos database
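Added example (editor's, not part of the bug report and not oVirt code) showing how to read the symptom above: a TGS_REQ for krbtgt/OTHER@LOCAL that the KDC answers with UNKNOWN_SERVER means the client decided the LDAP host lives in realm OTHER (from the [domain_realm] map of whichever krb5.conf the JVM actually loaded) and asked for a cross-realm TGT the local KDC has no trust key for, instead of the ldap/<host>@LOCAL service ticket. The script parses krb5kdc log lines, lists the realms the client tried to cross into, checks whether the ldap/ ticket was ever issued, and, from a given krb5.conf, predicts which principal the client will ask for. The realm EXAMPLE.COM, the hosts, addresses, log lines and krb5.conf texts are constructed for the example; the [domain_realm] lookup follows MIT's rule (exact host first, then the longest ".suffix" entry, else default_realm).

```python
"""Added example, not part of the bug report or of oVirt: explain a krb5kdc log in
which the client asks for krbtgt/<OTHER>@<LOCAL> instead of ldap/<host>@<LOCAL>.
Realms, hosts, addresses, log lines and krb5.conf contents are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed krb5kdc excerpt in the same shape as the report's (hypothetical realm/hosts).
SAMPLE_LOG = """\
Sep 02 13:45:02 kdc.example.com krb5kdc[2353](info): AS_REQ (6 etypes {18 17 16 23 1 3}) 192.0.2.10: ISSUE: authtime 1409658302, etypes {rep=18 tkt=18 ses=18}, user1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Sep 02 13:45:02 kdc.example.com krb5kdc[2353](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.0.2.10: UNKNOWN_SERVER: authtime 0, user1@EXAMPLE.COM for krbtgt/AD2.EXAMPLE.COM@EXAMPLE.COM, Server not found in Kerberos database
Sep 02 13:45:02 kdc.example.com krb5kdc[2353](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.0.2.10: UNKNOWN_SERVER: authtime 0, user1@EXAMPLE.COM for krbtgt/OTHER.EXAMPLE.COM@EXAMPLE.COM, Server not found in Kerberos database
Sep 02 13:45:03 kdc.example.com krb5kdc[2353](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.0.2.11: ISSUE: authtime 1409658303, etypes {rep=18 tkt=18 ses=18}, user2@EXAMPLE.COM for ldap/ldap.example.com@EXAMPLE.COM
"""

# Constructed krb5.conf files. The "bad" one maps the whole domain to a realm the local
# KDC has no trust with, so the client tries a cross-realm TGT for the LDAP host.
BAD_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = kdc.example.com
 }
[domain_realm]
 .example.com = AD2.EXAMPLE.COM
"""
# Exact-host entry takes precedence over the ".example.com" domain entry.
GOOD_KRB5_CONF = BAD_KRB5_CONF + " ldap.example.com = EXAMPLE.COM\n"

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.:a-fA-F]+): (?P<status>[A-Z_]+): "
    r"authtime \d+, (?:etypes \{[^}]*\}, )?(?P<client>\S+) for (?P<server>[^,\s]+)"
    r"(?:, (?P<msg>.*))?$"
)


@dataclass
class KdcEvent:
    kind: str        # AS_REQ or TGS_REQ
    client_ip: str
    status: str      # ISSUE, UNKNOWN_SERVER, ...
    client: str      # requesting principal
    server: str      # requested service principal
    message: str     # trailing KDC message, if any


def parse_kdc_log(text: str) -> List[KdcEvent]:
    """Parse krb5kdc 'info' lines; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(KdcEvent(m["kind"], m["ip"], m["status"],
                                   m["client"], m["server"], m["msg"] or ""))
    return events


def diagnose(events: List[KdcEvent], ldap_host: str, local_realm: str,
             client_ip: Optional[str] = None) -> Dict[str, object]:
    """Which realms did the client try to cross into, and did it ever get the ldap/ ticket?"""
    wanted = f"ldap/{ldap_host}@{local_realm}"
    cross_realm: List[str] = []
    issued = False
    for ev in events:
        if ev.kind != "TGS_REQ" or (client_ip and ev.client_ip != client_ip):
            continue
        if ev.status == "UNKNOWN_SERVER" and ev.server.startswith("krbtgt/"):
            # krbtgt/OTHER@LOCAL is a cross-realm TGT request: the client mapped the
            # service host to realm OTHER, and the local KDC has no key for that trust.
            other = ev.server[len("krbtgt/"):].split("@", 1)[0]
            if other not in cross_realm:
                cross_realm.append(other)
        elif ev.status == "ISSUE" and ev.server == wanted:
            issued = True
    return {"cross_realm_attempts": cross_realm, "ldap_ticket_issued": issued}


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal krb5.conf reader: top-level key = value pairs per section, nested {} blocks skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m and depth == 0:
            current = sections.setdefault(m.group(1), {})
            continue
        depth += line.count("{") - line.count("}")
        if current is None or depth > 0 or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        current[key] = value
    return sections


def realm_for_host(krb5_conf_text: str, host: str) -> Optional[str]:
    """MIT [domain_realm] lookup: exact host, then longest '.suffix' entry, else default_realm."""
    conf = parse_krb5_conf(krb5_conf_text)
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for c in candidates:
        if c in mapping:
            return mapping[c]
    return conf.get("libdefaults", {}).get("default_realm")


def expected_tgs_request(krb5_conf_text: str, ldap_host: str, local_realm: str) -> str:
    """Principal the client will ask the local KDC for, given this krb5.conf."""
    realm = realm_for_host(krb5_conf_text, ldap_host)
    if realm == local_realm:
        return f"ldap/{ldap_host}@{local_realm}"
    return f"krbtgt/{realm}@{local_realm}"


if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_LOG)
    print(diagnose(evs, "ldap.example.com", "EXAMPLE.COM", client_ip="192.0.2.10"))
    for name, conf in (("bad", BAD_KRB5_CONF), ("good", GOOD_KRB5_CONF)):
        print(name, "->", expected_tgs_request(conf, "ldap.example.com", "EXAMPLE.COM"))
```

Run it against the real KDC log and against both candidate krb5.conf files (the one referenced by java.security.krb5.conf and /etc/ovirt-engine/krb5.conf): the realm names in cross_realm_attempts tell you which file's [domain_realm] section the JVM is actually honouring.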
what do you mean by "ovirt-engine-extension-aaa-ldap"? what configuration?
Seems that sequence.krb-init.0.sysprop-set.value is used for the builtin provider instead of /etc/ovirt-engine/krb5.conf. Even when that extension is disabled.
disabled how? can you please provide engine log with FINEST of org.ovirt.engineextensions.aaa.ldap.
Created attachment 933832
engine.log

disabled on extension level: ovirt.engine.extension.enabled = false
This doesn't solve the problem with overriding of /etc/ovirt-engine/krb5.conf
(In reply to Ondra Machacek from comment #5)
> This doesn't solve the problem with overriding of /etc/ovirt-engine/krb5.conf

it won't be resolved. the JRE can have only one Kerberos configuration, set by the java.security.krb5.conf system property. usually, it is best to define this at /etc/ovirt-engine/engine.conf.d/xxxx.conf::ENGINE_PROPERTIES so it will be shared among all components.

the fact that the legacy kerberos ldap provider modifies the JRE global state at runtime is not good behavior.

as I wrote many times in the past, the kerberos support for the new ldap provider is not a priority. if you insist on having this working, you should use the same kerberos configuration file that is generated by engine-manage-domains for all providers, as there is no way to disable the legacy provider system property injection.

BTW: it also unconditionally sets the sun.security.krb5.msinterop.kstring system property.
oVirt 3.5 has been released and should include the fix for this issue.