Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 994604

Summary: Users cannot log into UserPortal
Product: [Retired] oVirt
Reporter: DHC <deadhorseconsulting>
Component: ovirt-engine-core
Assignee: Ravi Nori <rnori>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: unspecified
Version: 3.3
CC: acathrow, ecohen, iheim, omachace, yeylon, yzaslavs
Hardware: x86_64
OS: Linux
Whiteboard: infra
Doc Type: Bug Fix
Last Closed: 2013-09-23 07:27:02 UTC
Type: Bug
Bug Blocks: 918494

Description DHC 2013-08-07 15:11:52 UTC
Description of problem:
Seeing an issue where users are not able to log in. Also for some reason the engine is seemingly forgetting about AD users. Removing the AD domain via engine-manage-domains and re-adding it works for enumerating the users, however the first attempt to login as a user results in the engine no longer enumerating the users nor allowing logins.


Version-Release number of selected component (if applicable):
ovirt-engine master

How reproducible:
100%

Steps to Reproduce:

Start the engine bound to an AD for authentication
log in to the user portal as an AD user which has been granted a Role (I used PowerUserRole)

Result: Login will succeed
Data from engine.log:
2013-08-06 15:54:10,088 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-10) Running command: LoginUserCommand internal: false.
2013-08-06 15:54:10,139 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-10) Correlation ID: 23c4709, Call Stack: null, Custom Event ID: -1, Message: User ovirttest logged in.

log out of the user portal
Result: log out succeeds
Data from engine.log:
2013-08-06 15:54:12,448 INFO  [org.ovirt.engine.core.bll.LogoutUserCommand] (ajp--127.0.0.1-8702-2) Running command: LogoutUserCommand internal: false.
2013-08-06 15:54:12,474 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: 52a89e7d, Call Stack: null, Custom Event ID: -1, Message: User ovirttest logged out.

As the same user log in to the user portal again but this time purposely input the wrong password.
Result: log in will fail
Data from engine.log:
2013-08-06 15:54:20,830 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication information was invalid (24)
2013-08-06 15:54:20,832 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the username and password.
2013-08-06 15:54:20,843 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-7) Failed ldap search server LDAP://foodc02.foo.test.com:389 using user ovirttest.COM due to Authentication Failed. Please verify the username and password.. We should not try the next server
2013-08-06 15:54:20,850 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication information was invalid (24)
2013-08-06 15:54:20,851 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the username and password.
2013-08-06 15:54:20,852 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-7) Failed ldap search server LDAP://foodc01.foo.test.com:389 using user ovirttest.COM due to Authentication Failed. Please verify the username and password.. We should not try the next server
2013-08-06 15:54:20,853 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-7) Failed authenticating user: ovirttest to domain gso.med.ge.com. Ldap Query Type is getUserByName
2013-08-06 15:54:20,854 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the username and password.
2013-08-06 15:54:20,855 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD : ovirttest
2013-08-06 15:54:20,856 WARN  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD

Try again to log in as the same user this time typing the correct password.
Result: Login fails!
Data from engine.log:
2013-08-06 15:54:25,186 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-7) Failed authenticating user: ovirttest to domain gso.med.ge.com. Ldap Query Type is getUserByName
2013-08-06 15:54:25,187 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE : ovirttest
2013-08-06 15:54:25,187 WARN  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE

Try again with another AD user.
Result: Login fails!
Data from engine.log:
2013-08-06 15:54:38,056 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-5) Failed authenticating user: ovirtadmin to domain gso.med.ge.com. Ldap Query Type is getUserByName
2013-08-06 15:54:38,057 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-5) USER_FAILED_TO_AUTHENTICATE : ovirtadmin
2013-08-06 15:54:38,058 WARN  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-5) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE

Logging into the admin portal as the admin@internal user shows that the engine seems to have forgotten about, and can no longer enumerate, AD users and groups.
The engine stays in this state until it has been restarted.

I also note the two following errors in the engine log file as well:
2013-08-06 15:53:41,098 ERROR [org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (MSC service thread 1-9) Could not parse option AutoRecoveryAllowedTypes value.
2013-08-06 15:53:41,161 ERROR [org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (MSC service thread 1-9) Failed to decrypt value for property AttestationTruststorePass will be used encrypted value: javax.crypto.BadPaddingException: Data must start with zero
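
An added example, not part of the original report and not oVirt code: a small detector for the sequence in the engine.log excerpts above, where one bad-credential failure is followed by generic USER_FAILED_TO_AUTHENTICATE failures for directory users. The sample log is constructed from the quoted lines; the function name `find_stuck_auth` and the `internal_users` default (how the internal account appears in the audit message) are assumptions.

```python
import re

# Constructed sample, abridged from the engine.log lines quoted in this report.
SAMPLE_LOG = """\
2013-08-06 15:54:10,139 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-10) Correlation ID: 23c4709, Call Stack: null, Custom Event ID: -1, Message: User ovirttest logged in.
2013-08-06 15:54:20,855 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD : ovirttest
2013-08-06 15:54:20,856 WARN  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
2013-08-06 15:54:25,187 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE : ovirttest
2013-08-06 15:54:38,057 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-5) USER_FAILED_TO_AUTHENTICATE : ovirtadmin
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})"
FAIL = re.compile(TS + r" ERROR .*LoginUserCommand\] \(.*?\) (USER_FAILED_TO_AUTHENTICATE\w*) : (\S+)")
OK = re.compile(TS + r" INFO .*AuditLogDirector\].*Message: User (\S+) logged in\.")

def find_stuck_auth(log_text, internal_users=("admin", "admin@internal")):
    """Return incidents: a bad-credential failure followed by generic login
    failures, with no successful directory login in between."""
    incidents, current = [], None
    for line in log_text.splitlines():
        ok = OK.match(line)
        if ok:
            # Assumption: internal accounts bypass the directory, so their
            # successful logins do not show that directory auth has recovered.
            if ok.group(2) not in internal_users:
                current = None
            continue
        fail = FAIL.match(line)
        if not fail:
            continue  # WARN CanDoAction lines and adbroker errors are ignored
        ts, reason, user = fail.groups()
        if reason.endswith("WRONG_USERNAME_OR_PASSWORD"):
            if current is None:
                current = {"trigger": (ts, user), "affected": []}
        elif current is not None:
            # Generic failure after a bad-credential failure: the stuck state.
            if not current["affected"]:
                incidents.append(current)
            current["affected"].append((ts, user))
    return incidents

if __name__ == "__main__":
    for inc in find_stuck_auth(SAMPLE_LOG):
        print("trigger:", inc["trigger"], "affected:", inc["affected"])
```

The match is a heuristic drawn only from the excerpts in this report; a generic failure can have other causes, so treat a hit as a prompt to check whether directory logins recover after an engine restart.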

Comment 1 Ravi Nori 2013-08-07 16:35:31 UTC
I would like to confirm that this is reproducible with AD on current master

Comment 2 Ravi Nori 2013-08-08 15:10:18 UTC
*** Bug 994557 has been marked as a duplicate of this bug. ***

Comment 3 DHC 2013-08-08 23:48:19 UTC
Fix verified against current master.

One note: fix verified to work with:
Firefox Version 22.0-1
Google Chrome Version 28.0.1500.95

Noted an odd issue still with Firefox Version 17.0.8-1 (Current Firefox EL6 Version).
The login into the user portal succeeds and a successful login is logged, however the login remains hung at the login dialog indefinitely. Reloading the page and closing the browser does not change things. Also removing ~/<username>/.mozilla and starting fresh results in the same.

Comment 4 Itamar Heim 2013-08-21 16:39:42 UTC
As RC is built, moving to ON_QA (hopefully did not catch incorrect bugs when doing this).

Comment 5 Itamar Heim 2013-09-23 07:27:02 UTC
Closing as this should be in 3.3 (doing so in bulk, so may be incorrect).