Bug 1355822 - oVirt kerberos authentication is no longer working
Summary: oVirt kerberos authentication is no longer working
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: ovirt-engine-extension-aaa-ldap
Classification: oVirt
Component: Extension
Version: 1.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ovirt-4.0.5
Target Release: ---
Assignee: Martin Perina
QA Contact: Jiri Belka
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-12 15:36 UTC by Dan Lavu
Modified: 2016-09-07 12:38 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-07 12:38:31 UTC
oVirt Team: Infra
rule-engine: ovirt-4.0.z+
rule-engine: planning_ack+
mperina: devel_ack+
pstehlik: testing_ack+


Attachments:
ovirt-engine logs (deleted), 2016-07-12 15:36 UTC, Dan Lavu

Description Dan Lavu 2016-07-12 15:36:39 UTC
Created attachment 1178954 [details]
ovirt-engine logs

Description of problem:
My previous kerberos configuration used to work in 3.6, but now in 4.0 it is no longer loading correctly.

Version-Release number of selected component (if applicable):
ovirt-engine-4.0.0.6-1.fc23.noarch
ovirt-engine-extension-aaa-ldap-1.2.0-1.fc23.noarch
mod_auth_gssapi-1.4.0-1.fc23.x86_64

How reproducible:
Always

Steps to Reproduce:
1. dnf install -y ovirt-engine-extension-aaa-ldap mod_auth_gssapi

2. Join host to FreeIPA, create HTTP service principal for HTTP i.e. HTTP/ovirt.runlevelone.lan , ipa-getkeytab -p HTTP/ovirt.runlevelone.lan -s idm.runlevelone.lan -k /etc/httpd.keytab ; chown httpd:root /etc/httpd.keytab ; restorecon -Rv /etc/httpd.keytab

3. Configure the files as the following;

#/etc/ovirt-engine/aaa/idm.properties
include = <ipa.properties>
vars.server = idm.runlevelone.lan

vars.user = uid=ovirt,cn=sysaccounts,cn=etc,dc=runlevelone,dc=lan
vars.password = 000000000000000000000000000000

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

#/etc/ovirt-engine/extensions.d/idm-krb-authz.properties
ovirt.engine.extension.name = idm-krb-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/idm.properties
#config.globals.bindFormat.simple_bindFormat = realm

#/etc/ovirt-engine/extensions.d/idm-krb-http-mapping.properties
ovirt.engine.extension.name = idm-krb-http-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
config.mapAuthRecord.regex.mustMatch = true
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}

#/etc/ovirt-engine/extensions.d/idm-krb-http-authn.properties
ovirt.engine.extension.name = idm-krb-http-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = idm-krb-http
ovirt.engine.aaa.authn.authz.plugin = idm-krb-authz
ovirt.engine.aaa.authn.mapping.plugin = idm-krb-http-mapping
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User

#/etc/httpd/conf.d/ovirt-sso.conf
<LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s
    AuthType GSSAPI
    GssapiLocalName off
    AuthName "Login"
    GssapiBasicAuth on
    GssapiCredStore keytab:/etc/httpd.keytab
    Require valid-user
</LocationMatch>

4. restart ovirt-engine and try to login

Actual results:
kerberos users fail to automatically log into ovirt

Expected results:
kerberos users automatically log into ovirt


Additional info:

* ovirt-engine logs attached
* This configuration used to work in 3.6.
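To show what the regex mapping extension configured in step 3 does to a Kerberos principal before the name reaches the authz extension, here is an added Python example (not part of the report or of ovirt-engine-extension-aaa-misc) that reads the mapping properties above, converts the Java-style regex and replacement to Python, and applies them to constructed principals, including one whose user part itself contains an escaped `@`. Treating an unmatched group as an empty string is an assumption about the extension's behaviour.

```python
import re

# Constructed copy of the idm-krb-http-mapping.properties from the report.
MAPPING_PROPERTIES = r"""
config.mapAuthRecord.type = regex
config.mapAuthRecord.regex.mustMatch = true
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}
"""

def _unescape(value):
    # Java .properties backslash handling: a doubled backslash is one literal
    # backslash, \t \n \r \f are controls, any other escaped char is itself.
    out, i = [], 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value):
            out.append({'t': '\t', 'n': '\n', 'r': '\r', 'f': '\f'}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)

def load_properties(text):
    """Parse 'key = value' lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            key, _, value = line.partition('=')
            props[key.strip()] = _unescape(value.strip())
    return props

def map_auth_record(principal, props):
    """Return the login name the authz extension sees for PRINCIPAL."""
    # Java names groups (?<name>...); Python needs (?P<name>...).
    pattern = re.sub(r'\(\?<(\w+)>', r'(?P<\1>', props['config.mapAuthRecord.regex.pattern'])
    # Java's ${name} becomes \g<name>; an unmatched group expands to ''
    # (assumed to match the extension's behaviour).
    repl = re.sub(r'\$\{(\w+)\}', r'\\g<\1>', props['config.mapAuthRecord.regex.replacement'])
    match = re.fullmatch(pattern, principal)
    if match is None:
        if props.get('config.mapAuthRecord.regex.mustMatch') == 'true':
            raise ValueError(f'auth record {principal!r} does not match the mapping pattern')
        return principal
    return match.expand(repl)

MAPPING = load_properties(MAPPING_PROPERTIES)
```

With mustMatch set to true, a record without any realm suffix is rejected rather than passed through unchanged, which is the safer failure mode for a login name.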

Comment 1 Ondra Machacek 2016-07-12 15:42:37 UTC
Yes, unfortunately you need to change it. Please see this[1]. If you have any additional questions, please ask.

[1] https://gerrit.ovirt.org/#/c/57135/4/README

Comment 2 Ondra Machacek 2016-07-12 15:45:33 UTC
Martin, is this change already documented somewhere?

Comment 3 Martin Perina 2016-07-12 15:54:19 UTC
Yes, this is fixed in ovirt-engine-extension-aaa-ldap-1.2.1 which should be part of oVirt 4.0.1 release. If you want to test the fix before official 4.0.1 release just grab new aaa-ldap packages [1], [2], install them, change Apache config as described and restart both Apache and engine.

RHEV documentation change is tracked under BZ1342192.


[1] http://resources.ovirt.org/pub/ovirt-4.0-pre/rpm/fc23/noarch/ovirt-engine-extension-aaa-ldap-setup-1.2.1-1.fc23.noarch.rpm
[2] http://resources.ovirt.org/pub/ovirt-4.0-pre/rpm/fc23/noarch/ovirt-engine-extension-aaa-ldap-1.2.1-1.fc23.noarch.rpm

Comment 4 Martin Perina 2016-07-12 15:58:02 UTC
Moving to ON_QA as all needed changes are contained in 4.0.1, but we didn't have a bug to cover that before.

Comment 5 Dan Lavu 2016-07-12 19:48:56 UTC
I'm trying to test the fix, but the module is still coming up as "Initialized false". I've updated the following packages and changed my apache configuration like so.

Note, I'm using mod_gssapi instead of mod_authz_krb5, so there are some minor differences in the apache configuration, but they are not relevant at the moment.

[root@ovirt extensions.d]# rpm -qa | grep ovirt | grep ldap
ovirt-engine-extension-aaa-ldap-setup-1.2.1-1.fc23.noarch
ovirt-engine-extension-aaa-ldap-1.2.1-1.fc23.noarch

[root@ovirt extensions.d]# cat /etc/httpd/conf.d/ovirt-sso.conf
#<LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)>
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s
    AuthType GSSAPI
    GssapiLocalName off
    AuthName "Login"
    GssapiBasicAuth on
    GssapiCredStore keytab:/etc/httpd.keytab
    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
</LocationMatch>

Logs:
2016-07-12 15:34:13,457 ERROR [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (ServerService Thread Pool -- 50) [] Could not load extension based on configuration file '/etc/ovirt-engine/extensions.d/idm-krb-http-mapping.properties'. Please check the configuration file is valid. Exception message is: Error loading extension 'idm-krb-http-mapping': The module 'org.ovirt.engine-extensions.aaa.misc' cannot be loaded: org.ovirt.engine-extensions.aaa.misc:main
2016-07-12 15:34:13,459 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread Pool -- 50) [] Loading extension 'internal-authn'
2016-07-12 15:34:13,459 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread Pool -- 50) [] Extension 'internal-authn' loaded
2016-07-12 15:34:13,460 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread Pool -- 50) [] Loading extension 'internal-authz'
2016-07-12 15:34:13,460 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread Pool -- 50) [] Extension 'internal-authz' loaded
2016-07-12 15:34:13,462 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread Pool -- 50) [] Initializing extension 'internal-authn'
2016-07-12 15:34:13,474 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread Pool -- 50) [] Extension 'internal-authn' initialized
2016-07-12 15:34:13,475 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread Pool -- 50) [] Initializing extension 'idm-authn'
2016-07-12 15:34:13,475 INFO  [org.ovirt.engineextensions.aaa.ldap.Framework] (ServerService Thread Pool -- 50) [] [ovirt-engine-extension-aaa-ldap.authn::idm-authn] Creating LDAP pool 'authz'
2016-07-12 15:34:13,505 INFO  [org.ovirt.engineextensions.aaa.ldap.Framework] (ServerService Thread Pool -- 50) [] [ovirt-engine-extension-aaa-ldap.authn::idm-authn] LDAP pool 'authz' information: vendor='389 Project' version='389-Directory/1.3.4.0 B2016.161.1643'
2016-07-12 15:34:13,505 INFO  [org.ovirt.engineextensions.aaa.ldap.Framework] (ServerService Thread Pool -- 50) [] [ovirt-engine-extension-aaa-ldap.authn::idm-authn] Creating LDAP pool 'authn'
2016-07-12 15:34:13,551 INFO  [org.ovirt.engineextensions.aaa.ldap.Framework] (ServerService Thread Pool -- 50) [] [ovirt-engine-extension-aaa-ldap.authn::idm-authn] LDAP pool 'authn' information: vendor='389 Project' version='389-Directory/1.3.4.0 B2016.161.1643'
2016-07-12 15:34:13,557 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread Pool -- 50) [] Extension 'idm-authn' initialized
2016-07-12 15:34:13,557 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread Pool -- 50) [] Start of enabled extensions list
2016-07-12 15:34:13,557 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread Pool -- 50) [] Instance name: 'idm-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.2.1', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.2.1-1.fc23', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/etc/ovirt-engine/extensions.d/idm-authz.properties', Initialized: 'false'
2016-07-12 15:34:13,557 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread Pool -- 50) [] Instance name: 'internal-authn', Extension name: '"ovirt-engine-extension-aaa-jdbc".authn', Version: '"1.1.0"', Notes: 'Display name: "ovirt-engine-extension-aaa-jdbc"', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/etc/ovirt-engine/extensions.d/internal-authn.properties', Initialized: 'true'
2016-07-12 15:34:13,557 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread Pool -- 50) [] Instance name: 'idm-krb-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.2.1', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.2.1-1.fc23', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/etc/ovirt-engine/extensions.d/idm-krb-authz.properties', Initialized: 'false'
2016-07-12 15:34:13,557 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread Pool -- 50) [] Instance name: 'internal-authz', Extension name: '"ovirt-engine-extension-aaa-jdbc".authz', Version: '"1.1.0"', Notes: 'Display name: "ovirt-engine-extension-aaa-jdbc"', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/etc/ovirt-engine/extensions.d/internal-authz.properties', Initialized: 'false'
2016-07-12 15:34:13,558 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread Pool -- 50) [] Instance name: 'idm-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.2.1', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.2.1-1.fc23', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/etc/ovirt-engine/extensions.d/idm-authn.properties', Initialized: 'true'

Comment 6 Martin Perina 2016-07-13 17:07:49 UTC
Issue solved by email, ovirt-engine-extension-aaa-misc package was not installed on EL7 engine host.

Comment 7 Jiri Belka 2016-08-19 16:00:13 UTC
Everything seems to work fine but I can't make it work:

~~~
[root@jb-rhevm40 /]# egrep "(authenticated|next-)" /var/log/ovirt-engine/engine.log | sed 's/rhev.lab.eng.brq.redhat/example/g;'
2016-08-19 15:55:45,250 DEBUG [org.ovirt.engine.core.sso.servlets.OAuthAuthorizeServlet] (default task-10) [] Redirecting to url: https://jb-rhevm40.example.com:443/ovirt-engine/oauth2-callback?error_code=not_authenticated&error=The+user+is+not+authenticated.
2016-08-19 15:55:46,501 DEBUG [org.ovirt.engine.core.sso.servlets.OAuthAuthorizeServlet] (default task-26) [] Redirecting to url: /ovirt-engine/sso/interactive-login-next-auth
2016-08-19 15:55:54,481 DEBUG [org.ovirt.engine.core.sso.servlets.OAuthAuthorizeServlet] (default task-30) [] Redirecting to url: /ovirt-engine/sso/interactive-login-next-auth
2016-08-19 15:56:13,972 DEBUG [org.ovirt.engine.core.sso.servlets.OAuthAuthorizeServlet] (default task-26) [] Redirecting to url: /ovirt-engine/sso/interactive-login-next-auth
~~~

No relevant ERROR or WARN:

~~~
[root@jb-rhevm40 /]# awk '$3 == "ERROR"' /var/log/ovirt-engine/engine.log
[root@jb-rhevm40 /]# awk '$3 == "WARN"' /var/log/ovirt-engine/engine.log
2016-08-19 15:54:29,779 WARN  [org.ovirt.engine.core.utils.ConfigUtilsBase] (ServerService Thread Pool -- 54) [] Could not find enum value for option: 'ConfigDir'
2016-08-19 15:54:29,779 WARN  [org.ovirt.engine.core.utils.ConfigUtilsBase] (ServerService Thread Pool -- 54) [] Could not find enum value for option: 'AdminDomain'
2016-08-19 15:54:29,780 WARN  [org.ovirt.engine.core.utils.ConfigUtilsBase] (ServerService Thread Pool -- 54) [] Could not find enum value for option: 'AllowDuplicateMacAddresses'
2016-08-19 15:54:29,780 WARN  [org.ovirt.engine.core.utils.ConfigUtilsBase] (ServerService Thread Pool -- 54) [] Could not find enum value for option: 'DefaultWorkgroup'
2016-08-19 15:54:29,780 WARN  [org.ovirt.engine.core.utils.ConfigUtilsBase] (ServerService Thread Pool -- 54) [] Could not find enum value for option: 'KeystoneAuthUrl'
2016-08-19 15:54:29,780 WARN  [org.ovirt.engine.core.utils.ConfigUtilsBase] (ServerService Thread Pool -- 54) [] Could not find enum value for option: 'LicenseCertificateFingerPrint'
2016-08-19 15:54:29,780 WARN  [org.ovirt.engine.core.utils.ConfigUtilsBase] (ServerService Thread Pool -- 54) [] Could not find enum value for option: 'MacPoolRanges'
2016-08-19 15:54:29,780 WARN  [org.ovirt.engine.core.utils.ConfigUtilsBase] (ServerService Thread Pool -- 54) [] Could not find enum value for option: 'MaxMacsCountInPool'
2016-08-19 15:54:29,780 WARN  [org.ovirt.engine.core.utils.ConfigUtilsBase] (ServerService Thread Pool -- 54) [] Could not find enum value for option: 'VdsFenceOptions'
2016-08-19 15:54:29,780 WARN  [org.ovirt.engine.core.utils.ConfigUtilsBase] (ServerService Thread Pool -- 54) [] Could not find enum value for option: 'SupportBridgesReportByVDSM'
2016-08-19 15:54:29,780 WARN  [org.ovirt.engine.core.utils.ConfigUtilsBase] (ServerService Thread Pool -- 54) [] Could not find enum value for option: 'AdvancedNFSOptionsEnabled'
2016-08-19 15:54:29,781 WARN  [org.ovirt.engine.core.utils.ConfigUtilsBase] (ServerService Thread Pool -- 54) [] Could not find enum value for option: 'AdvancedNFSOptionsEnabled'
2016-08-19 15:54:29,781 WARN  [org.ovirt.engine.core.utils.ConfigUtilsBase] (ServerService Thread Pool -- 54) [] Could not find enum value for option: 'AdvancedNFSOptionsEnabled'
~~~

Comment 8 Red Hat Bugzilla Rules Engine 2016-08-19 16:00:19 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 10 Jiri Belka 2016-08-19 16:01:41 UTC
[root@jb-rhevm40 /]# rpm -qa ovirt-engine-extension\* ovirt-engine
ovirt-engine-extension-aaa-ldap-1.2.1-1.el7ev.noarch
ovirt-engine-extensions-api-impl-4.0.2.7-0.1.el7ev.noarch
ovirt-engine-extension-aaa-ldap-setup-1.2.1-1.el7ev.noarch
ovirt-engine-extension-aaa-jdbc-1.1.0-1.el7ev.noarch
ovirt-engine-extension-aaa-misc-1.0.1-2.el7ev.noarch
ovirt-engine-4.0.2.7-0.1.el7ev.noarch

Comment 12 Jiri Belka 2016-09-07 12:38:31 UTC
It works now, no idea why but it works (tested via FF). Thus closing this BZ.

