<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hello,<div><br></div><div>I tried to add a IPA directory domain following these instructions: <a href="https://www.rvanderlinden.net/wordpress/ovirt/administrator-portal/administrator-portal-authentication-via-ipa/">https://www.rvanderlinden.net/wordpress/ovirt/administrator-portal/administrator-portal-authentication-via-ipa/</a></div><div><br></div><div>It appears the domain was added successfully, but cannot be validated:</div><div><br></div><div><div>[root@vhost1 ~]# engine-manage-domains -action=add -domain=domain.local -user=admin -provider=ipa -interactive</div><div>Enter password:</div><div><br></div><div>The domain domain.local has been added to the engine as an authentication source but no users from that domain have been granted permissions within the oVirt Manager.</div><div>Users from this domain can be granted permissions from the Web administration interface.</div><div>oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).</div><div>Manage Domains completed successfully</div><div>[root@vhost1 ~]# service ovirt-engine restart</div><div>Stopping engine-service: [ OK ]</div><div>Starting engine-service: [ OK ]</div><div>[root@vhost1 ~]# engine-manage-domains -action=validate -report</div><div>Error: exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED</div><div>WARNING, domain: domain.local may not be functional: Failure while testing domain domain.local. Details: Kerberos error. Please check log for further details.</div><div>Manage Domains completed successfully</div><div>[root@vhost1 ~]# </div></div><div><br></div><div>krb5kdc.log has the following entries:</div><div><div>Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): AS_REQ (1 etypes {23}) 10.0.1.12: NEEDED_PREAUTH: <a href="mailto:admin@DOMAIN.LOCAL">admin@DOMAIN.LOCAL</a> for <a href="mailto:krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL">krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL</a>, Additional pre-authentication required</div><div>Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): closing down fd 10</div><div>Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): AS_REQ (1 etypes {23}) 10.0.1.12: ISSUE: authtime 1376950566, etypes {rep=23 tkt=18 ses=23}, <a href="mailto:admin@DOMAIN.LOCAL">admin@DOMAIN.LOCAL</a> for <a href="mailto:krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL">krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL</a></div><div>Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): closing down fd 10</div><div>Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.0.1.12: ISSUE: authtime 1376950566, etypes {rep=23 tkt=18 ses=18}, <a href="mailto:admin@DOMAIN.LOCAL">admin@DOMAIN.LOCAL</a> for <a href="mailto:ldap/auth.domain.local@DOMAIN.LOCAL">ldap/auth.domain.local@DOMAIN.LOCAL</a></div><div>Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): closing down fd 10</div></div><div><br></div><div>Any idea?</div><div><br></div><div>Thanks,</div><div><br></div><div>Haven</div></body></html>