Bug 994604 - Users cannot log into UserPortal
Summary: Users cannot log into UserPortal
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-engine-core
Version: 3.3
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Ravi Nori
QA Contact:
URL:
Whiteboard: infra
Duplicates: 994557
Depends On:
Blocks: 918494
Reported: 2013-08-07 15:11 UTC by DHC
Modified: 2013-09-23 07:27 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-23 07:27:02 UTC
oVirt Team: ---


Links
System ID Priority Status Summary Last Updated
oVirt gerrit 17792 None None None Never
oVirt gerrit 17838 None None None Never

Description DHC 2013-08-07 15:11:52 UTC
Description of problem:
Seeing an issue where users are not able to log in. Also, for some reason the engine is seemingly forgetting about AD users. Removing the AD domain via engine-manage-domains and re-adding it works for enumerating the users; however, the first attempt to log in as a user results in the engine no longer enumerating the users nor allowing logins.


Version-Release number of selected component (if applicable):
ovirt-engine master

How reproducible:
100%

Steps to Reproduce:

Start the engine bound to an AD for authentication
log in to the user portal as an AD user which has been granted a Role (I used PowerUserRole)

Result: Login will succeed
Data from engine.log:
2013-08-06 15:54:10,088 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-10) Running command: LoginUserCommand internal: false.
2013-08-06 15:54:10,139 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-10) Correlation ID: 23c4709, Call Stack: null, Custom Event ID: -1, Message: User ovirttest logged in.

log out of the user portal
Result: log out succeeds
Data from engine.log:
2013-08-06 15:54:12,448 INFO  [org.ovirt.engine.core.bll.LogoutUserCommand] (ajp--127.0.0.1-8702-2) Running command: LogoutUserCommand internal: false.
2013-08-06 15:54:12,474 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: 52a89e7d, Call Stack: null, Custom Event ID: -1, Message: User ovirttest logged out.

As the same user, log in to the user portal again, but this time purposely input the wrong password.
Result: log in will fail
Data from engine.log:
2013-08-06 15:54:20,830 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication information was invalid (24)
2013-08-06 15:54:20,832 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the username and password.
2013-08-06 15:54:20,843 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-7) Failed ldap search server LDAP://foodc02.foo.test.com:389 using user ovirttest@FOO.TEST.COM due to Authentication Failed. Please verify the username and password.. We should not try the next server
2013-08-06 15:54:20,850 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication information was invalid (24)
2013-08-06 15:54:20,851 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the username and password.
2013-08-06 15:54:20,852 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-7) Failed ldap search server LDAP://foodc01.foo.test.com:389 using user ovirttest@FOO.TEST.COM due to Authentication Failed. Please verify the username and password.. We should not try the next server
2013-08-06 15:54:20,853 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-7) Failed authenticating user: ovirttest to domain gso.med.ge.com. Ldap Query Type is getUserByName
2013-08-06 15:54:20,854 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the username and password.
2013-08-06 15:54:20,855 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD : ovirttest
2013-08-06 15:54:20,856 WARN  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD

Try again to log in as the same user this time typing the correct password.
Result: Login fails!
Data from engine.log:
2013-08-06 15:54:25,186 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-7) Failed authenticating user: ovirttest to domain gso.med.ge.com. Ldap Query Type is getUserByName
2013-08-06 15:54:25,187 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE : ovirttest
2013-08-06 15:54:25,187 WARN  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE

Try again with another AD user.
Result: Login fails!
Data from engine.log:
2013-08-06 15:54:38,056 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-5) Failed authenticating user: ovirtadmin to domain gso.med.ge.com. Ldap Query Type is getUserByName
2013-08-06 15:54:38,057 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-5) USER_FAILED_TO_AUTHENTICATE : ovirtadmin
2013-08-06 15:54:38,058 WARN  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-5) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE

Logging into the admin portal as the admin@internal user shows that the engine seems to have forgotten about, and can no longer enumerate, AD users and groups.
The engine stays in this state until it has been restarted.

I also note the two following errors in the engine log file as well:
2013-08-06 15:53:41,098 ERROR [org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (MSC service thread 1-9) Could not parse option AutoRecoveryAllowedTypes value.
2013-08-06 15:53:41,161 ERROR [org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (MSC service thread 1-9) Failed to decrypt value for property AttestationTruststorePass will be used encrypted value: javax.crypto.BadPaddingException: Data must start with zero
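
Added example (not part of the original report and not oVirt code): a log check that separates the two failure modes visible in the excerpts above, a rejected password that reached the directory versus a login refused with no Kerberos/LDAP attempt logged on the same thread. The function names are hypothetical, the sample lines are copied from the report, and the assumption that the two adbroker loggers only appear when the directory is contacted is drawn from these excerpts alone.

```python
import re

# Constructed sample: a subset of the engine.log lines quoted in the report.
SAMPLE = """\
2013-08-06 15:54:20,830 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication information was invalid (24)
2013-08-06 15:54:20,855 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD : ovirttest
2013-08-06 15:54:20,856 WARN  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
2013-08-06 15:54:25,187 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE : ovirttest
2013-08-06 15:54:38,057 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-5) USER_FAILED_TO_AUTHENTICATE : ovirtadmin
"""

# timestamp, level, [logger], (thread), message
LINE = re.compile(r"^(\S+ \S+) (\w+)\s+\[([\w.]+)\] \(([^)]*)\) (.*)$")
FAIL = re.compile(r"^(USER_FAILED_TO_AUTHENTICATE\w*) : (\S+)$")
# Assumption: these loggers emit only when the directory is actually contacted.
DIRECTORY_LOGGERS = ("GSSAPIDirContextAuthenticationStrategy", "DirectorySearcher")

def classify_failures(log_text):
    """Return (timestamp, user, reason, directory_contacted) per failed login."""
    contacted = {}  # thread -> directory attempt seen since the last login result
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, _level, logger, thread, msg = m.groups()
        cls = logger.rsplit(".", 1)[-1]
        if cls in DIRECTORY_LOGGERS:
            contacted[thread] = True
        elif cls == "LoginUserCommand":
            f = FAIL.match(msg)
            if f:
                results.append((ts, f.group(2), f.group(1), contacted.get(thread, False)))
                contacted[thread] = False  # worker threads are reused; reset per result
    return results

def stuck_failures(log_text):
    """Failures logged with no directory attempt: the state described in the report."""
    return [r for r in classify_failures(log_text) if not r[3]]

if __name__ == "__main__":
    for ts, user, reason, _ in stuck_failures(SAMPLE):
        print(f"{ts} {user}: {reason} with no directory attempt logged")
```

Several users hitting the second case right after one wrong-password failure points at the engine state described here rather than at bad credentials.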

Comment 1 Ravi Nori 2013-08-07 16:35:31 UTC
I would like to confirm that this is reproducible with AD on current master

Comment 2 Ravi Nori 2013-08-08 15:10:18 UTC
*** Bug 994557 has been marked as a duplicate of this bug. ***

Comment 3 DHC 2013-08-08 23:48:19 UTC
Fix verified against current master.

One note: fix verified to work with:
Firefox Version 22.0-1
Google Chrome Version 28.0.1500.95

Noted an odd issue still with Firefox Version 17.0.8-1 (Current Firefox EL6 Version).
The login into the user portal succeeds and a successful login is logged; however, the login remains hung at the login dialog indefinitely. Reloading the page and closing the browser does not change things. Also, removing ~/<username>/.mozilla and starting fresh results in the same.

Comment 4 Itamar Heim 2013-08-21 16:39:42 UTC
as RC is built, moving to ON_QA (hopefully did not catch incorrect bugs when doing this)

Comment 5 Itamar Heim 2013-09-23 07:27:02 UTC
closing as this should be in 3.3 (doing so in bulk, so may be incorrect)

