Ok, I checked with our sysadmin, but there's not more information in the logs.
However, another problem, which I postponed, may be the cause.
As I mentioned, we're using Active Directory for authentification. In the
Jenkins config, I'm using the Matrix-based security.
Since we installed the new version, I always see errors in the GUI and in the
log. For instance, for the mentioned Service_Build user, I see:
Failed to test the validity of the user name Service_Build
org.acegisecurity.BadCredentialsException: Failed to retrieve user information
for Service_Build; nested exception is javax.naming.NamingException: [LDAP:
error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform
this operation a successful bind must be completed on the connection., data 0,
v1db1]; remaining name 'DC=ipie,DC=ch'
at
hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:231)
at
hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:130)
at
hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:95)
at
hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:27)
at
hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:551)
at
hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName_(GlobalMatrixAuthorizationStrategy.java:304)
at
hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:288)
at sun.reflect.GeneratedMethodAccessor3018.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at
org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:288)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:151)
at
org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:90)
at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:111)
at
org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:574)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:659)
at org.kohsuke.stapler.MetaClass$6.doDispatch(MetaClass.java:241)
at
org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:574)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:659)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:488)
at org.kohsuke.stapler.Stapler.service(Stapler.java:162)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:45)
at winstone.ServletConfiguration.execute(ServletConfiguration.java:248)
at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:376)
at
hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:95)
at
hudson.plugins.greenballs.GreenBallFilter.doFilter(GreenBallFilter.java:74)
at
hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:98)
at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:87)
at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:47)
at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
at
hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
at
hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
at
hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at
org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:166)
at
hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at
org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
at
hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at
org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
at
hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at
org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
at
hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at
org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
at
hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:61)
at
hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at
org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at
hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
at
hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at
hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
at
hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
at winstone.RequestDispatcher.forward(RequestDispatcher.java:331)
at
winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:215)
at winstone.RequestHandlerThread.run(RequestHandlerThread.java:138)
at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:138)
at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000004DC:
LdapErr: DSID-0C0906E8, comment: In order to perform this operation a
successful bind must be completed on the connection., data 0, v1db1]; remaining
name 'DC=ipie,DC=ch'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3107)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1829)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1752)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
at
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:394)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
at
hudson.plugins.active_directory.LDAPSearchBuilder.search(LDAPSearchBuilder.java:52)
at
hudson.plugins.active_directory.LDAPSearchBuilder.searchOne(LDAPSearchBuilder.java:42)
at
hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:191)
... 70 more
The users however can very well log into Jenkins and are authenticated. Also
the Active Directory test in the config works.
I postponed this error because people can still work, but it's still an error.
And I see the same whenever I try to do something with the Service_Build user.
So maybe this is the root cause of my problems?
It looks like it's a known issue:
https://issues.jenkins-ci.org/browse/JENKINS-12619
Best regards,
Eric
-----Ursprüngliche Nachricht-----
Von: jenkinsci-users@googlegroups.com [mailto:jenkinsci-users@googlegroups.com]
Im Auftrag von Lewis, Eric
Gesendet: Freitag, 8. Juni 2012 16:56
An: jenkinsci-users@googlegroups.com
Betreff: AW: Jenkins CLI user gets locked in Active Directory
I don't see that file. I'll have to check with our Linux admin on Monday.
Best regards,
Eric
-----Ursprüngliche Nachricht-----
Von: Alex Earl [mailto:slide.o....@gmail.com]
Gesendet: Freitag, 8. Juni 2012 16:45
An: Lewis, Eric; jenkinsci-users@googlegroups.com
Betreff: RE: Jenkins CLI user gets locked in Active Directory
Usually they are in /var/log I believe. Look for auth.log or something
similar
Sent from my Windows Phone
From: Lewis, Eric
Sent: 6/8/2012 7:33 AM
To: jenkinsci-users@googlegroups.com
Subject: AW: Jenkins CLI user gets locked in Active Directory
Oh... :-)
Well, I'm not really a Linux guru, so could you tell me where I find those logs?
(Also, I'm not root either)
Best regards,
Eric
-----Ursprüngliche Nachricht-----
Von: Alex Earl [mailto:slide.o....@gmail.com]
Gesendet: Freitag, 8. Juni 2012 16:23
An: Lewis, Eric; jenkinsci-users@googlegroups.com
Betreff: RE: Jenkins CLI user gets locked in Active Directory
I was meaning the logs on the Linux machine.
Sent from my Windows Phone
From: Lewis, Eric
Sent: 6/8/2012 7:06 AM
To: jenkinsci-users@googlegroups.com
Subject: AW: Jenkins CLI user gets locked in Active Directory
Ok, I'll have to check (on Monday) with our Windows admins, since I
don't have access to those logs.
Best regards,
Eric
-----Ursprüngliche Nachricht-----
Von: Alex Earl [mailto:slide.o....@gmail.com]
Gesendet: Freitag, 8. Juni 2012 16:00
An: Lewis, Eric; jenkinsci-users@googlegroups.com
Betreff: RE: Jenkins CLI user gets locked in Active Directory
Can you check the logs for authentication and see if AD is being tried
before the key based auth?
Sent from my Windows Phone
From: Lewis, Eric
Sent: 6/8/2012 6:32 AM
To: jenkinsci-users@googlegroups.com
Subject: AW: Jenkins CLI user gets locked in Active Directory
Sorry! :-)
Yes, Jenkins is running on Red Hat Linux (apparently Red Hat
Enterprise Linux Server release 5.8 (Tikanga))
Best regards,
Eric
-----Ursprüngliche Nachricht-----
Von: jenkinsci-users@googlegroups.com
[mailto:jenkinsci-users@googlegroups.com] Im Auftrag von Slide
Gesendet: Freitag, 8. Juni 2012 15:30
An: jenkinsci-users@googlegroups.com
Betreff: Re: Jenkins CLI user gets locked in Active Directory
Is this running on Linux? More information about your platforms and
such would be useful.
On Tue, Jun 5, 2012 at 5:58 AM, Lewis, Eric <eric.le...@ipi.ch> wrote:
> Hi
>
> We have a user called Service_Build which is used for issuing Jenkins CLI
> commands (either in bash or in Jenkins).
> This user is defined in Active Directory, which is what we use for
> authentication. So normally, I can log in as this user and I have
> administrator rights in Jenkins.
>
> I followed the documentation in the Jenkins wiki and (with help from Rob
> Mandeville) managed to authenticate the Service_Build user with
> public/private key credentials. So that part works well.
>
> However, it looks like Jenkins is still trying to authenticate that user with
> Active Directory, because the user is locked in Active Directory after a
> number of CLI commands (eight in our case).
> Should I have created the private key using the Active Directory password? Or
> how can I prevent that Active Directory locking?
>
> Best regards,
> Eric
--
Website: http://earl-of-code.com
