Created attachment 965564
engine.log

Description of problem:
[RFE] Add NTP server configuration to engine-setup deployment menu.

The reason for adding NTP configuration during the engine-setup deployment procedure is simple: in case it's not configured and the ntpd service is not running on the engine's VM, then after some time, a week or two, the time skew on the engine's VM will become enough for not allowing the Active Directory Kerberos authentication to fail, as they're not synchronized, and then an error message will be received in the engine's log as appears below and AD user authentication will fail.

2014-12-07 13:37:22,217 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp-/127.0.0.1:8702-17) Failed ldap search server ldap://qa1.qa.lab.tlv.redhat.com:389 using user nsednev.TLV.REDHAT.COM due to Authentication Failed. The Engine clock is not synchronized with directory services (must be within 5 minutes difference). Please verify the clocks are synchronized. We should try the next server
2014-12-07 13:37:22,217 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp-/127.0.0.1:8702-17) Failed authenticating user: nsednev to domain qa.lab.tlv.redhat.com. Ldap Query Type is getUserByName
2014-12-07 13:37:22,217 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp-/127.0.0.1:8702-17) Authentication Failed. The Engine clock is not synchronized with directory services (must be within 5 minutes difference). Please verify the clocks are synchronized
2014-12-07 13:37:22,218 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp-/127.0.0.1:8702-17) Failed to run command LdapAuthenticateUserCommand. Domain is qa.lab.tlv.redhat.com. User is nsednev.
2014-12-07 13:37:22,218 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp-/127.0.0.1:8702-17) Cant login user "nsednev" with authentication profile "qa.lab.tlv.redhat.com" because the authentication failed.
2014-12-07 13:37:22,220 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-17) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User nsednev failed to log in.
2014-12-07 13:37:22,221 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-17) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE
2014-12-07 13:37:25,575 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp-/127.0.0.1:8702-16) Kerberos error: Clock skew too great (37)
2014-12-07 13:37:25,575 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp-/127.0.0.1:8702-16) Authentication Failed. The Engine clock is not synchronized with directory services (must be within 5 minutes difference). Please verify the clocks are synchronized

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Add the engine to AD for Kerberos authentication without the ntpd service running on the VM.
2. Log in to the engine using the AD domain and use your username/password as set in AD, with proper permissions already set in the engine itself.
3. Wait ~2 weeks for a time skew to develop between AD and your engine, then try to log in to your engine; you will fail with the errors that appear in the attachment.

Actual results:
The user fails to log in to the engine because NTP is not synchronized on the engine's VM.

Expected results:
The engine deployment setup procedure has to include configuring the ntp service and checking that the ntpd service is configured to run on boot; otherwise AD authentication will always get a time skew and eventually won't let the customer log in over AD authentication.

Additional info:
Engine's log attached.
The workaround is to configure the ntpd service to run on boot ("chkconfig ntpd on") and to set the correct NTP server in the ntp config file ("vi /etc/ntp.conf"): clock.redhat.com

*** This bug has been marked as a duplicate of bug 1162588 ***
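
A log triage example for the failure described in this report, added here and not part of the original report or of the oVirt code base: it scans engine.log text for the Kerberos clock-skew messages quoted above and ties each one to the failed login on the same request thread, so skew-caused failures can be told apart from ordinary bad-password failures. The sample lines, the users jdoe and bob, the domain example.test and the 2-second correlation window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the engine.log layout quoted in the report
# (users "jdoe"/"bob" and domain "example.test" are made up).
SAMPLE_LOG = """\
2014-12-07 13:37:22,217 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp-/127.0.0.1:8702-17) Failed ldap search due to Authentication Failed. The Engine clock is not synchronized with directory services (must be within 5 minutes difference).
2014-12-07 13:37:22,217 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp-/127.0.0.1:8702-17) Failed authenticating user: jdoe to domain example.test. Ldap Query Type is getUserByName
2014-12-07 13:37:22,218 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp-/127.0.0.1:8702-17) Authentication Failed. The Engine clock is not synchronized with directory services (must be within 5 minutes difference).
2014-12-07 13:37:25,575 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp-/127.0.0.1:8702-16) Kerberos error: Clock skew too great (37)
2014-12-07 13:40:01,003 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapAuthenticateUserCommand] (ajp-/127.0.0.1:8702-20) Failed authenticating user: bob to domain example.test. Ldap Query Type is getUserByName
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+)\s+(?P<level>\w+)\s+"
                  r"\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$")
# Both wordings the engine emits for Kerberos error 37 (KRB_AP_ERR_SKEW).
SKEW = re.compile(r"Clock skew too great \(37\)|clock is not synchronized", re.I)
USER = re.compile(r"Failed authenticating user: (?P<user>\S+) to domain "
                  r"(?P<domain>[\w.-]+?)\.(?:\s|$)")

def clock_skew_failures(text, window=timedelta(seconds=2)):
    """Map (user, domain) -> number of clock-skew errors; key None = unattributed."""
    skews, logins = [], defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack traces and wrapped continuation lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        if SKEW.search(m["msg"]):
            skews.append((ts, m["thread"]))
        u = USER.search(m["msg"])
        if u:
            logins[m["thread"]].append((ts, u["user"], u["domain"]))
    report = defaultdict(int)
    for ts, thread in skews:
        # Worker threads are reused, so only pair events close together in time.
        who = next(((u, d) for t, u, d in logins[thread] if abs(ts - t) <= window), None)
        report[who] += 1
    return dict(report)

if __name__ == "__main__":
    for who, count in clock_skew_failures(SAMPLE_LOG).items():
        print(who or "unattributed", count)
```
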