Hello,

I tried to add an IPA directory domain following these instructions:
https://www.rvanderlinden.net/wordpress/ovirt/administrator-portal/administrator-portal-authentication-via-ipa/

It appears the domain was added successfully, but cannot be validated:

[root@vhost1 ~]# engine-manage-domains -action=add -domain=domain.local -user=admin -provider=ipa -interactive
Enter password:

The domain domain.local has been added to the engine as an authentication source but no users from that domain have been granted permissions within the oVirt Manager.
Users from this domain can be granted permissions from the Web administration interface.
oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).
Manage Domains completed successfully
[root@vhost1 ~]# service ovirt-engine restart
Stopping engine-service: [ OK ]
Starting engine-service: [ OK ]
[root@vhost1 ~]# engine-manage-domains -action=validate -report
Error: exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
WARNING, domain: domain.local may not be functional: Failure while testing domain domain.local. Details: Kerberos error. Please check log for further details.
Manage Domains completed successfully
[root@vhost1 ~]#

krb5kdc.log has the following entries:

Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): AS_REQ (1 etypes {23}) 10.0.1.12: NEEDED_PREAUTH: admin@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL, Additional pre-authentication required
Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): closing down fd 10
Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): AS_REQ (1 etypes {23}) 10.0.1.12: ISSUE: authtime 1376950566, etypes {rep=23 tkt=18 ses=23}, admin@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): closing down fd 10
Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.0.1.12: ISSUE: authtime 1376950566, etypes {rep=23 tkt=18 ses=18}, admin@DOMAIN.LOCAL for ldap/auth.domain.local@DOMAIN.LOCAL
Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): closing down fd 10

Any idea?

Thanks,

Haven