Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 994557

Summary: DS stops working after a disabled or expired user tries to log in.
Product: Red Hat Enterprise Virtualization Manager
Reporter: Ondra Machacek <omachace>
Component: ovirt-engine
Assignee: Ravi Nori <rnori>
Status: CLOSED DUPLICATE
Severity: high
Priority: unspecified
Version: 3.2.0
CC: acathrow, iheim, lpeer, Rhev-m-bugs, yeylon, yzaslavs
Target Milestone: ---
Keywords: Regression, Triaged
Target Release: 3.3.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: infra
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-08-08 15:10:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Infra
Cloudforms Team: ---

Description Ondra Machacek 2013-08-07 13:49:13 UTC
Description of problem:


Version-Release number of selected component (if applicable):
sf8

How reproducible:
always

Steps to Reproduce:
1. Add the UserVmManager role on a cluster to a disabled/expired user.
2. Try to log in to UserPortal. - Denied
3. Try to add a new user to rhevm from the same domain as the disabled/expired user.

Actual results:
Domain doesn't respond

Expected results:
Domain responds

Additional info:
Login/logout doesn't help.
service ovirt-engine restart solves it, then the domain works correctly.

engine logs:
------------
2013-08-07 15:46:08,535 INFO  [org.ovirt.engine.core.bll.AddPermissionCommand] (pool-5-thread-7) [30d4cb02] Running command: AddPermissionCommand internal: false. Entities affected :  ID: 99408929-82cf-4dc7-a532-9d998063fa95 Type: VdsGroups
2013-08-07 15:46:08,873 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (pool-5-thread-7) [30d4cb02] Correlation ID: 30d4cb02, Call Stack: null, Custom Event ID: -1, Message: User/Group disabled.eng.brq.redhat.com was granted permission for Role UserRole on Cluster Default, by admin@internal.
2013-08-07 15:46:21,493 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-12) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User disabled.ENG.BRQ.REDHAT.COM cannot login, as it got disabled or locked. Please contact the system administrator.
2013-08-07 15:46:21,493 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp-/127.0.0.1:8702-12) Kerberos error: Clients credentials have been revoked (18)
2013-08-07 15:46:21,493 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp-/127.0.0.1:8702-12) Authentication failed. The user is either locked or disabled
2013-08-07 15:46:21,501 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp-/127.0.0.1:8702-12) Failed ldap search server LDAP://dc-01.rhev.lab.eng.brq.redhat.com:389 using user disabled.ENG.BRQ.REDHAT.COM due to Authentication failed. The user is either locked or disabled. We should not try the next server
2013-08-07 15:46:21,501 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp-/127.0.0.1:8702-12) Failed authenticating user: disabled to domain rhev.lab.eng.brq.redhat.com. Ldap Query Type is getUserByName
2013-08-07 15:46:21,502 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp-/127.0.0.1:8702-12) Authentication failed. The user is either locked or disabled
2013-08-07 15:46:21,502 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-12) USER_FAILED_TO_AUTHENTICATE_ACCOUNT_IS_LOCKED_OR_DISABLED : disabled
2013-08-07 15:46:21,504 WARN  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-12) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_ACCOUNT_IS_LOCKED_OR_DISABLED
2013-08-07 15:46:51,593 INFO  [org.ovirt.engine.core.WelcomeServlet] (ajp-/127.0.0.1:8702-12) Detected Locale: en-US

Comment 2 Ondra Machacek 2013-08-08 11:21:30 UTC
It also stops working when an active/correct user tries to log in with an incorrect password, or when trying to log in with a nonexistent user.

Comment 3 Ravi Nori 2013-08-08 15:10:18 UTC

*** This bug has been marked as a duplicate of bug 994604 ***