Created attachment 556270 [details]
ovirt-engine log

Description of problem:
User could not be authenticated, because oVirt wants to connect to a bad LDAP URI.

Version-Release number of selected component (if applicable):
ovirt-engine-3.0.0_0001-1.2.fc16.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install and set up oVirt
2. Start jboss-as (if it is not running)
3. Open a browser, connect to the ovirt management page and try to log in with proper credentials

Actual results:
User is not logged in, because the LDAP URI used for authentication is not valid

Expected results:
User is logged into the system

Additional info:
[root@ovirt ~]# engine-manage-domains -action=validate
Domain spice.lab.eng.brq.redhat.com is valid.
Manage Domains completed successfully
[root@ovirt ~]# engine-manage-domains -action=list
Domain: spice.lab.eng.brq.redhat.com
	User name: vdcadmin.ENG.BRQ.REDHAT.COM
	This domain is a remote domain.
Manage Domains completed successfully
[root@ovirt ~]# host -t SRV _ldap._tcp.spice.lab.eng.brq.redhat.com
_ldap._tcp.spice.lab.eng.brq.redhat.com has SRV record 0 0 389 ad.spice.lab.eng.brq.redhat.com.
Created attachment 556297 [details] capture of DNS traffic of: engine-manage-domains -action=validate
Created attachment 556298 [details] capture of DNS traffic when Admin Portal loads
Created attachment 556299 [details]
capture of DNS traffic when user tries to authenticate in Admin Portal

These three captures were taken on the oVirt machine. They show that the domain is configured correctly (as engine-manage-domains -action=validate shows), but then the engine tries to reach LDAP on itself, which results in USER_FAILED_TO_AUTHENTICATE_CONNECTION_ERROR being presented to the user.
Does it reproduce also after restarting the ovirt engine? The reason for using the URI is that we didn't find the LDAP SRV record. I see that it exists, but when the engine started it couldn't find it. In case it indeed reproduces upon startup, the DNS traffic upon startup can help us understand the problem.
Proposed commit: http://gerrit.ovirt.org/#change,1184
Commit: http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=595c7f0e96c0186dd1bc95d9e784b09f60b9f6e9
Created attachment 557243 [details]
capture of DNS traffic when ovirt-engine/jboss-as start

I hope that this comment doesn't come too late...

(In reply to comment #4)
> Does it reproduce also after restarting the ovirt engine?

Yes, it does.

> The reason of using URI is once we don't find the LDAP SRV record.
> I see that it exists, but when the engine started he couldn't find it.
>
> In case it indeed reproduces upon startup, the DNS traffic upon startup can
> help us understand the problem.

Attached. Note that oVirt does _not_ ask for SRV records; it just goes through a series of trial-and-error lookups of A and PTR records.

You can also see another domain whose configuration looks almost the same, but authentication against it works:

Domain: rhev.lab.eng.brq.redhat.com
	User name: vdcadmin.ENG.BRQ.REDHAT.COM
	This domain is a remote domain.
Note that the A record for the rhev.lab.<...> domain points to the IP of the AD, so oVirt assumes the AD is there. This is not the case with the spice.lab.<...> domain, so when oVirt does not ask for the SRV record of _ldap._tcp.spice.<...>, it's clear that it has no clue where the AD server is. This is a clear blocker if not fixed by the previous commit, IMO.
Created attachment 557496 [details] capture of DNS traffic: rhevm start to display of webadmin page
RHEV-M, unlike oVirt, employs no guesswork and correctly asks for the _ldap._tcp.<domain> SRV record. Oved, could you have a quick look at whether your commit indeed fixes the issue, or guide me on how to verify it?
The commit should fix the issue. The problem was a class loading issue with classes used to do the DNS queries. The commit adds these classes to the correct jboss module.
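The failure mode discussed in this thread is an SRV lookup that silently yields nothing, after which the engine falls back to an LDAP URI pointing at itself. The following is an added example (not oVirt's or RHEV-M's code) of the behaviour a defender would want instead: parse the `host -t SRV _ldap._tcp.<domain>` output shown above, order the servers per RFC 2782 (lowest priority first, weighted random within a priority), build ldap:// URIs, and refuse to guess a server when no record is found. The first sample line is the real record from the report; the two `example.invalid` records and the `NoLdapServerError` name are constructed for the example.

```python
"""Turn `host -t SRV _ldap._tcp.<domain>` output into an ordered list of LDAP URIs.

Added example; not part of oVirt. It fails loudly when no SRV record is
available rather than falling back to a default (e.g. localhost) URI.
"""
from __future__ import annotations

import random
import re
from dataclasses import dataclass

# One line of `host -t SRV` output, e.g.
#   _ldap._tcp.example.com has SRV record 0 0 389 ad.example.com.
SRV_LINE = re.compile(
    r"^(?P<name>\S+) has SRV record "
    r"(?P<prio>\d+) (?P<weight>\d+) (?P<port>\d+) (?P<target>\S+?)\.?$"
)

# Real record from the bug report plus two constructed records (lower
# preference, priority 10) to exercise the ordering logic.
SAMPLE_OUTPUT = """\
_ldap._tcp.spice.lab.eng.brq.redhat.com has SRV record 0 0 389 ad.spice.lab.eng.brq.redhat.com.
_ldap._tcp.spice.lab.eng.brq.redhat.com has SRV record 10 60 389 dc1.example.invalid.
_ldap._tcp.spice.lab.eng.brq.redhat.com has SRV record 10 40 389 dc2.example.invalid.
"""


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


class NoLdapServerError(Exception):
    """Raised when no usable SRV record exists; callers must not invent a URI."""


def parse_srv_output(text: str) -> list[SrvRecord]:
    """Parse `host -t SRV` lines; non-matching lines (NXDOMAIN, 'has no SRV record') are skipped."""
    records: list[SrvRecord] = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m is None:
            continue
        records.append(
            SrvRecord(int(m["prio"]), int(m["weight"]), int(m["port"]), m["target"].rstrip("."))
        )
    return records


def order_srv(records: list[SrvRecord], rng=random) -> list[SrvRecord]:
    """RFC 2782 ordering: ascending priority, weighted random draw within a priority.

    Simplified: zero-weight records in a group are only drawn once every
    positive-weight record of that group has been placed.
    """
    by_prio: dict[int, list[SrvRecord]] = {}
    for r in records:
        by_prio.setdefault(r.priority, []).append(r)
    ordered: list[SrvRecord] = []
    for prio in sorted(by_prio):
        group = list(by_prio[prio])
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                pick = rng.choice(group)
            else:
                n = rng.randint(0, total - 1)
                acc = 0
                for r in group:
                    acc += r.weight
                    if acc > n:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def ldap_uris(host_output: str, rng=random) -> list[str]:
    """Return ldap://host:port candidates in the order they should be tried."""
    records = order_srv(parse_srv_output(host_output), rng)
    if not records:
        raise NoLdapServerError("no _ldap._tcp SRV record found; refusing to guess an LDAP URI")
    return [f"ldap://{r.target}:{r.port}" for r in records]


if __name__ == "__main__":
    for uri in ldap_uris(SAMPLE_OUTPUT):
        print(uri)
```

Because the priority-0 record from the report has no competitors, it is always first; the two constructed priority-10 hosts follow in a weighted random order (roughly 60/40). Feeding the function an empty or NXDOMAIN answer raises instead of producing a URI, which is the check that would have surfaced the class-loading failure described in this thread as an error rather than as a connection attempt to the wrong host.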
Confirmed on my setup: after doing the source modifications manually (module.xml was not yet updated in -3.0.0_0001-1.3.fc16.x86_64), the setup started working for me.
closing ON_QA bugs as oVirt 3.1 was released: http://www.ovirt.org/get-ovirt/