<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Never mind. It is apparently because my admin password contained an "illegal" character. </div><div><br></div><div>Haven</div><div><br></div><div>On Aug 19, 2013, at 3:24 PM, "H. Haven Liu" &lt;<a href="mailto:haven.liu@ucla.edu">haven.liu@ucla.edu</a>&gt; wrote:<br><br></div><blockquote type="cite"><div><meta http-equiv="Content-Type" content="text/html charset=us-ascii">Hello,<div><br></div><div>I tried to add an IPA directory domain following these instructions: <a href="https://www.rvanderlinden.net/wordpress/ovirt/administrator-portal/administrator-portal-authentication-via-ipa/">https://www.rvanderlinden.net/wordpress/ovirt/administrator-portal/administrator-portal-authentication-via-ipa/</a></div><div><br></div><div>It appears the domain was added successfully, but cannot be validated:</div><div><br></div><div><div>[root@vhost1 ~]# engine-manage-domains -action=add -domain=domain.local -user=admin -provider=ipa -interactive</div><div>Enter password:</div><div><br></div><div>The domain domain.local has been added to the engine as an authentication source but no users from that domain have been granted permissions within the oVirt Manager.</div><div>Users from this domain can be granted permissions from the Web administration interface.</div><div>oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).</div><div>Manage Domains completed successfully</div><div>[root@vhost1 ~]# service ovirt-engine restart</div><div>Stopping engine-service: [ OK ]</div><div>Starting engine-service: [ OK ]</div><div>[root@vhost1 ~]# engine-manage-domains -action=validate -report</div><div>Error: exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED</div><div>WARNING, domain: domain.local may not be functional: Failure while testing domain domain.local. Details: Kerberos error. 
Please check log for further details.</div><div>Manage Domains completed successfully</div><div>[root@vhost1 ~]# </div></div><div><br></div><div>krb5kdc.log has the following entries:</div><div><div>Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): AS_REQ (1 etypes {23}) 10.0.1.12: NEEDED_PREAUTH: <a href="mailto:admin@DOMAIN.LOCAL">admin@DOMAIN.LOCAL</a> for <a href="mailto:krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL">krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL</a>, Additional pre-authentication required</div><div>Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): closing down fd 10</div><div>Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): AS_REQ (1 etypes {23}) 10.0.1.12: ISSUE: authtime 1376950566, etypes {rep=23 tkt=18 ses=23}, <a href="mailto:admin@DOMAIN.LOCAL">admin@DOMAIN.LOCAL</a> for <a href="mailto:krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL">krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL</a></div><div>Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): closing down fd 10</div><div>Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.0.1.12: ISSUE: authtime 1376950566, etypes {rep=23 tkt=18 ses=18}, <a href="mailto:admin@DOMAIN.LOCAL">admin@DOMAIN.LOCAL</a> for <a href="mailto:ldap/auth.domain.local@DOMAIN.LOCAL">ldap/auth.domain.local@DOMAIN.LOCAL</a></div><div>Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): closing down fd 10</div></div><div><br></div><div>Any idea?</div><div><br></div><div>Thanks,</div><div><br></div><div>Haven</div></div></blockquote></body></html>