<html><body><div style="font-family: times new roman, new york, times, serif; font-size: 12pt; color: #000000"><div>Not too informative, so let's start and troubleshoot -</div><div><br></div><div>a. please use dig to get SRV records for kerberos and ldap for the domain and attach it -</div><div><br></div><div>For example - for domain example.com (kerberos realm - EXAMPLE.COM)</div><div>dig SRV _ldap._tcp.example.com </div><div>dg SRV _kerberos._tcp.example.com</div><div><br></div><div><br></div><div>b. Do you have a PTR record at your DNS defined for your IPA server?</div><div><br></div><div>When looking at the code of the manage-domains tool I see the reason that the log is not informative enough is that our translator from "kerberos + ldap error codes" to "human readable" errors failed to translate the message.</div><div>IMHO, we should send a patch for this + provide a way to get more descriptive logging in this case.</div><div>Can you please let us know if the tips I suggested regarding DNS have helped?</div><div><br></div><div><br></div><div><br></div><hr id="zwchr"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Ryan Wilkinson" <ryanwilk@gmail.com><br><b>To: </b>"Yair Zaslavsky" <yzaslavs@redhat.com><br><b>Cc: </b>users@ovirt.org<br><b>Sent: </b>Sunday, April 28, 2013 4:25:33 PM<br><b>Subject: </b>Re: [Users] FreeIPA<br><div><br></div><div dir="ltr">Thanks, here is the engine-manage-domains log:<br><div><br></div>2013-04-27 22:10:32,911 INFO [org.ovirt.engine.core.domains.ManageDomains] Creating kerberos configuration for domain(s): wilk.local<br>2013-04-27 22:10:32,936 INFO [org.ovirt.engine.core.domains.ManageDomains] Successfully created kerberos configuration for domain(s): wilk.local<br>
2013-04-27 22:10:32,936 INFO [org.ovirt.engine.core.domains.ManageDomains] Testing kerberos configuration for domain: wilk.local<br>2013-04-27 22:10:33,219 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: freeipa.wilk.local.<br>
2013-04-27 22:10:33,223 ERROR [org.ovirt.engine.core.domains.ManageDomains] Failure while testing domain wilk.local. Details: Kerberos error. Please check log for further details.<br>2013-04-27 22:20:29,053 INFO [org.ovirt.engine.core.domains.ManageDomains] Creating kerberos configuration for domain(s): wilk.local<br>
2013-04-27 22:20:29,078 INFO [org.ovirt.engine.core.domains.ManageDomains] Successfully created kerberos configuration for domain(s): wilk.local<br>2013-04-27 22:20:29,079 INFO [org.ovirt.engine.core.domains.ManageDomains] Testing kerberos configuration for domain: wilk.local<br>
2013-04-27 22:20:29,257 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: freeipa.wilk.local.<br>2013-04-27 22:20:29,261 ERROR [org.ovirt.engine.core.domains.ManageDomains] Failure while testing domain wilk.local. Details: Kerberos error. Please check log for further details.<br>
</div><div class="gmail_extra"><br><div><br></div><div class="gmail_quote">On Sun, Apr 28, 2013 at 1:17 AM, Yair Zaslavsky <span dir="ltr"><<a href="mailto:yzaslavs@redhat.com" target="_blank">yzaslavs@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-size:12pt;font-family:times new roman,new york,times,serif"><div>Can we get the log?</div><div>It would be helpful to understand the kerberos message to understand what have happened.</div>
<div><br></div><div><br></div><hr><blockquote style="padding-left:5px;font-size:12pt;font-style:normal;margin-left:5px;font-family:Helvetica,Arial,sans-serif;text-decoration:none;font-weight:normal;border-left:2px solid #1010ff">
<b>From: </b>"Ryan Wilkinson" <<a href="mailto:ryanwilk@gmail.com" target="_blank">ryanwilk@gmail.com</a>><br><b>To: </b><a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a><br><b>Sent: </b>Sunday, April 28, 2013 7:35:53 AM<br>
<b>Subject: </b>[Users] FreeIPA<div><div class="h5"><br><div><br></div><div dir="ltr"><div>Getting this error when I try to configure ldap authentication for Ovirt with FreeIPA server:<br>Error: exception message: freeipa.wilk.local.<br>
Failure while testing domain wilk.local. Details: Kerberos error. Please check log for further details.<br>
<br></div>Engine-manage-domains.log gives no further details. When I run "engine-manage-domains -action=add -domain='wilk.local' -user='admin' -provider=IPA -interactive" it is connecting and asking for the password but then giving the error. Any input would be appreciated.<br>
</div>
<br></div></div>_______________________________________________<br>Users mailing list<br><a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br><a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
</blockquote><div><br></div></div></div></blockquote></div><br></div>
</blockquote><div><br></div></div></body></html>