12:05 a.m.
Hi all!
I'm trying to link a ldap/kerberos to my ovirt without success. I'm
stuck with this:
oVirt engine:
# engine-manage-domains -action=add -domain=gsr.inpe.br
-user=admin/admin -interactive -provider=IPA
Enter password:
Error: exception message: KDC has no support for encryption type (14) -
BAD_ENCRYPTION_TYPE
Failure while testing domain gsr.inpe.br. Details: Kerberos error.
Please check log for further details.
kdc log:
Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin(a)GSR.INPE.BR for
krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for encryption type
Any sugestion?
12:14 p.m.
----- Original Message -----
Hi all!
I'm trying to link a ldap/kerberos to my ovirt without success. I'm
stuck with this:
oVirt engine:
# engine-manage-domains -action=add -domain=gsr.inpe.br
-user=admin/admin -interactive -provider=IPA
Enter password:
Error: exception message: KDC has no support for encryption type
(14) -
BAD_ENCRYPTION_TYPE
Please snoop the connection between the engine and the IPA server. Port 88, full packets
('-s 1500' on tcpdump), into file ('-w /tmp/kerb.pcap' ).
Y.
Failure while testing domain gsr.inpe.br. Details: Kerberos error.
Please check log for further details.
kdc log:
Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin(a)GSR.INPE.BR for
krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for encryption
type
Any sugestion?
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
12:48 p.m.
Please provide info also on the IPA server you are using (use rpm -qa for that)
----- Original Message -----
From: "Yaniv Kaul" <ykaul(a)redhat.com>
To: "Eduardo Ramos" <eduardo(a)freedominterface.org>
Cc: users(a)ovirt.org
Sent: Thursday, February 21, 2013 11:14:41 AM
Subject: Re: [Users] ovirt kerberos/ldap
----- Original Message -----
> Hi all!
>
> I'm trying to link a ldap/kerberos to my ovirt without success. I'm
> stuck with this:
>
> oVirt engine:
>
> # engine-manage-domains -action=add -domain=gsr.inpe.br
> -user=admin/admin -interactive -provider=IPA
> Enter password:
>
> Error: exception message: KDC has no support for encryption type
> (14) -
> BAD_ENCRYPTION_TYPE
Please snoop the connection between the engine and the IPA server.
Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
/tmp/kerb.pcap' ).
Y.
> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
> Please check log for further details.
>
> kdc log:
>
> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin(a)GSR.INPE.BR for
> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for encryption
> type
>
> Any sugestion?
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
2:24 p.m.
Morning!
That's my log entry. PCAP attached.
Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin(a)GSR.INPE.BR for
krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for encryption type
My /etc/krb5.conf
[libdefaults]
default_realm = GSR.INPE.BR
allow_weak_crypto = yes
default_tkt_enctypes = rc4-hmac des-cbc-md5
default_tgs_enctypes = rc4-hmac des-cbc-md5
[realms]
GSR.INPE.BR = {
master_kdc = GSR.INPE.BR
kdc = kerberos.gsr.inpe.br
default_domain = gsr.inpe.br
}
[domain_realm]
.gsr.inpe.br = GSR.INPE.BR
gsr.inpe.br = GSR.INPE.BR
[logging]
kdc = SYSLOG:INFO
Is it sufice?
On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
Please provide info also on the IPA server you are using (use rpm -qa
for that)
----- Original Message -----
> From: "Yaniv Kaul" <ykaul(a)redhat.com>
> To: "Eduardo Ramos" <eduardo(a)freedominterface.org>
> Cc: users(a)ovirt.org
> Sent: Thursday, February 21, 2013 11:14:41 AM
> Subject: Re: [Users] ovirt kerberos/ldap
>
> ----- Original Message -----
>> Hi all!
>>
>> I'm trying to link a ldap/kerberos to my ovirt without success. I'm
>> stuck with this:
>>
>> oVirt engine:
>>
>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>> -user=admin/admin -interactive -provider=IPA
>> Enter password:
>>
>> Error: exception message: KDC has no support for encryption type
>> (14) -
>> BAD_ENCRYPTION_TYPE
> Please snoop the connection between the engine and the IPA server.
> Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
> /tmp/kerb.pcap' ).
> Y.
>
>> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
>> Please check log for further details.
>>
>> kdc log:
>>
>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin(a)GSR.INPE.BR for
>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for encryption
>> type
>>
>> Any sugestion?
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
2:55 p.m.
On 21/02/13 13:24, Eduardo Ramos wrote:
Morning!
That's my log entry. PCAP attached.
Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin(a)GSR.INPE.BR for
krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for encryption type
You are using rc4_hmac, which is the right encryption protocol usually.
One can disable it (using 'permitted_enctypes' directive).
My /etc/krb5.conf
This is not the krb5.conf file oVirt is using. Please search your system
for oVirt's krb5.conf (sorry, don't have it from the top of my head).
In any case, I'd check the IPA configuration.
Y.
[libdefaults]
default_realm = GSR.INPE.BR
allow_weak_crypto = yes
default_tkt_enctypes = rc4-hmac des-cbc-md5
default_tgs_enctypes = rc4-hmac des-cbc-md5
[realms]
GSR.INPE.BR = {
master_kdc = GSR.INPE.BR
kdc = kerberos.gsr.inpe.br
default_domain = gsr.inpe.br
}
[domain_realm]
.gsr.inpe.br = GSR.INPE.BR
gsr.inpe.br = GSR.INPE.BR
[logging]
kdc = SYSLOG:INFO
Is it sufice?
On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
> Please provide info also on the IPA server you are using (use rpm -qa
> for that)
>
>
> ----- Original Message -----
>> From: "Yaniv Kaul" <ykaul(a)redhat.com>
>> To: "Eduardo Ramos" <eduardo(a)freedominterface.org>
>> Cc: users(a)ovirt.org
>> Sent: Thursday, February 21, 2013 11:14:41 AM
>> Subject: Re: [Users] ovirt kerberos/ldap
>>
>> ----- Original Message -----
>>> Hi all!
>>>
>>> I'm trying to link a ldap/kerberos to my ovirt without success. I'm
>>> stuck with this:
>>>
>>> oVirt engine:
>>>
>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>>> -user=admin/admin -interactive -provider=IPA
>>> Enter password:
>>>
>>> Error: exception message: KDC has no support for encryption type
>>> (14) -
>>> BAD_ENCRYPTION_TYPE
>> Please snoop the connection between the engine and the IPA server.
>> Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
>> /tmp/kerb.pcap' ).
>> Y.
>>
>>> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
>>> Please check log for further details.
>>>
>>> kdc log:
>>>
>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>>> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin(a)GSR.INPE.BR for
>>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for encryption
>>> type
>>>
>>> Any sugestion?
>>> _______________________________________________
>>> Users mailing list
>>> Users(a)ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
4:43 p.m.
I got new step!
I added arcfour-hmac-md5:normal into supported_enctypes and
permitted_enctypes directives in kdc.conf.
Then I changed password of my principal using the following:
change_password -e arcfour-hmac-md5:normal admin/adimin
Now, it's ok, but now I got another error that I didn't understand as
follows:
# engine-manage-domains -action=add -domain=gsr.inpe.br
-user=admin/admin -interactive -provider=IPA
Enter password:
Error: exception message: Checksum failed
Failure while testing domain gsr.inpe.br. Details: Kerberos error.
Please check log for further details.
The log of kdc says:
Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23})
150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16
ses=23}, admin/admin(a)GSR.INPE.BR for krbtgt/GSR.INPE.BR(a)GSR.INPE.BR
And the engine-manage-domains.log says:
2013-02-21 10:36:46,722 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos
configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
created kerberos configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos
configuration for domain: gsr.inpe.br
2013-02-21 10:36:46,819 ERROR
[org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
exception message: Checksum failed
2013-02-21 10:36:46,822 ERROR
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while
testing domain gsr.inpe.br. Details: Kerberos error. Please check log
for further details.
On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
On 21/02/13 13:24, Eduardo Ramos wrote:
> Morning!
>
> That's my log entry. PCAP attached.
>
> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin(a)GSR.INPE.BR for
> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for encryption type
You are using rc4_hmac, which is the right encryption protocol
usually. One can disable it (using 'permitted_enctypes' directive).
>
> My /etc/krb5.conf
This is not the krb5.conf file oVirt is using. Please search your
system for oVirt's krb5.conf (sorry, don't have it from the top of my
head).
In any case, I'd check the IPA configuration.
Y.
> [libdefaults]
> default_realm = GSR.INPE.BR
> allow_weak_crypto = yes
>
> default_tkt_enctypes = rc4-hmac des-cbc-md5
> default_tgs_enctypes = rc4-hmac des-cbc-md5
>
> [realms]
> GSR.INPE.BR = {
> master_kdc = GSR.INPE.BR
> kdc = kerberos.gsr.inpe.br
> default_domain = gsr.inpe.br
> }
>
> [domain_realm]
> .gsr.inpe.br = GSR.INPE.BR
> gsr.inpe.br = GSR.INPE.BR
>
> [logging]
> kdc = SYSLOG:INFO
>
> Is it sufice?
>
> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
>> Please provide info also on the IPA server you are using (use rpm
>> -qa for that)
>>
>>
>> ----- Original Message -----
>>> From: "Yaniv Kaul" <ykaul(a)redhat.com>
>>> To: "Eduardo Ramos" <eduardo(a)freedominterface.org>
>>> Cc: users(a)ovirt.org
>>> Sent: Thursday, February 21, 2013 11:14:41 AM
>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>
>>> ----- Original Message -----
>>>> Hi all!
>>>>
>>>> I'm trying to link a ldap/kerberos to my ovirt without success.
I'm
>>>> stuck with this:
>>>>
>>>> oVirt engine:
>>>>
>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>>>> -user=admin/admin -interactive -provider=IPA
>>>> Enter password:
>>>>
>>>> Error: exception message: KDC has no support for encryption type
>>>> (14) -
>>>> BAD_ENCRYPTION_TYPE
>>> Please snoop the connection between the engine and the IPA server.
>>> Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
>>> /tmp/kerb.pcap' ).
>>> Y.
>>>
>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
>>>> Please check log for further details.
>>>>
>>>> kdc log:
>>>>
>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>>>> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin(a)GSR.INPE.BR for
>>>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for encryption
>>>> type
>>>>
>>>> Any sugestion?
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users(a)ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users(a)ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>
4:59 p.m.
Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
----- Original Message -----
From: "Eduardo Ramos" <eduardo(a)freedominterface.org>
To: "Yaniv Kaul" <ykaul(a)redhat.com>
Cc: yzaslavs(a)redhat.com, users(a)ovirt.org
Sent: Thursday, February 21, 2013 3:43:04 PM
Subject: Re: [Users] ovirt kerberos/ldap
I got new step!
I added arcfour-hmac-md5:normal into supported_enctypes and
permitted_enctypes directives in kdc.conf.
Then I changed password of my principal using the following:
change_password -e arcfour-hmac-md5:normal admin/adimin
Now, it's ok, but now I got another error that I didn't understand as
follows:
# engine-manage-domains -action=add -domain=gsr.inpe.br
-user=admin/admin -interactive -provider=IPA
Enter password:
Error: exception message: Checksum failed
Failure while testing domain gsr.inpe.br. Details: Kerberos error.
Please check log for further details.
The log of kdc says:
Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23})
150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16
ses=23}, admin/admin(a)GSR.INPE.BR for krbtgt/GSR.INPE.BR(a)GSR.INPE.BR
And the engine-manage-domains.log says:
2013-02-21 10:36:46,722 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
kerberos
configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
created kerberos configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos
configuration for domain: gsr.inpe.br
2013-02-21 10:36:46,819 ERROR
[org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
exception message: Checksum failed
2013-02-21 10:36:46,822 ERROR
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while
testing domain gsr.inpe.br. Details: Kerberos error. Please check log
for further details.
On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
> On 21/02/13 13:24, Eduardo Ramos wrote:
>> Morning!
>>
>> That's my log entry. PCAP attached.
>>
>> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin(a)GSR.INPE.BR for
>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for encryption
>> type
>
> You are using rc4_hmac, which is the right encryption protocol
> usually. One can disable it (using 'permitted_enctypes' directive).
>
>>
>> My /etc/krb5.conf
>
> This is not the krb5.conf file oVirt is using. Please search your
> system for oVirt's krb5.conf (sorry, don't have it from the top of
> my
> head).
> In any case, I'd check the IPA configuration.
> Y.
>
>> [libdefaults]
>> default_realm = GSR.INPE.BR
>> allow_weak_crypto = yes
>>
>> default_tkt_enctypes = rc4-hmac des-cbc-md5
>> default_tgs_enctypes = rc4-hmac des-cbc-md5
>>
>> [realms]
>> GSR.INPE.BR = {
>> master_kdc = GSR.INPE.BR
>> kdc = kerberos.gsr.inpe.br
>> default_domain = gsr.inpe.br
>> }
>>
>> [domain_realm]
>> .gsr.inpe.br = GSR.INPE.BR
>> gsr.inpe.br = GSR.INPE.BR
>>
>> [logging]
>> kdc = SYSLOG:INFO
>>
>> Is it sufice?
>>
>> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
>>> Please provide info also on the IPA server you are using (use rpm
>>> -qa for that)
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Yaniv Kaul" <ykaul(a)redhat.com>
>>>> To: "Eduardo Ramos" <eduardo(a)freedominterface.org>
>>>> Cc: users(a)ovirt.org
>>>> Sent: Thursday, February 21, 2013 11:14:41 AM
>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>
>>>> ----- Original Message -----
>>>>> Hi all!
>>>>>
>>>>> I'm trying to link a ldap/kerberos to my ovirt without success.
>>>>> I'm
>>>>> stuck with this:
>>>>>
>>>>> oVirt engine:
>>>>>
>>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>>>>> -user=admin/admin -interactive -provider=IPA
>>>>> Enter password:
>>>>>
>>>>> Error: exception message: KDC has no support for encryption
>>>>> type
>>>>> (14) -
>>>>> BAD_ENCRYPTION_TYPE
>>>> Please snoop the connection between the engine and the IPA
>>>> server.
>>>> Port 88, full packets ('-s 1500' on tcpdump), into file
('-w
>>>> /tmp/kerb.pcap' ).
>>>> Y.
>>>>
>>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos
>>>>> error.
>>>>> Please check log for further details.
>>>>>
>>>>> kdc log:
>>>>>
>>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>>>>> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin(a)GSR.INPE.BR for
>>>>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for
>>>>> encryption
>>>>> type
>>>>>
>>>>> Any sugestion?
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users(a)ovirt.org
>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users(a)ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>
>>
>
10:26 p.m.
Any one has faced that?
On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
----- Original Message -----
> From: "Eduardo Ramos" <eduardo(a)freedominterface.org>
> To: "Yaniv Kaul" <ykaul(a)redhat.com>
> Cc: yzaslavs(a)redhat.com, users(a)ovirt.org
> Sent: Thursday, February 21, 2013 3:43:04 PM
> Subject: Re: [Users] ovirt kerberos/ldap
>
> I got new step!
>
> I added arcfour-hmac-md5:normal into supported_enctypes and
> permitted_enctypes directives in kdc.conf.
> Then I changed password of my principal using the following:
>
> change_password -e arcfour-hmac-md5:normal admin/adimin
>
> Now, it's ok, but now I got another error that I didn't understand as
> follows:
>
> # engine-manage-domains -action=add -domain=gsr.inpe.br
> -user=admin/admin -interactive -provider=IPA
> Enter password:
>
> Error: exception message: Checksum failed
> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
> Please check log for further details.
>
> The log of kdc says:
>
> Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23})
> 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16
> ses=23}, admin/admin(a)GSR.INPE.BR for krbtgt/GSR.INPE.BR(a)GSR.INPE.BR
>
> And the engine-manage-domains.log says:
> 2013-02-21 10:36:46,722 INFO
> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
> kerberos
> configuration for domain(s): gsr.inpe.br
> 2013-02-21 10:36:46,745 INFO
> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
> created kerberos configuration for domain(s): gsr.inpe.br
> 2013-02-21 10:36:46,745 INFO
> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos
> configuration for domain: gsr.inpe.br
> 2013-02-21 10:36:46,819 ERROR
> [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
> exception message: Checksum failed
> 2013-02-21 10:36:46,822 ERROR
> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while
> testing domain gsr.inpe.br. Details: Kerberos error. Please check log
> for further details.
>
>
> On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
>> On 21/02/13 13:24, Eduardo Ramos wrote:
>>> Morning!
>>>
>>> That's my log entry. PCAP attached.
>>>
>>> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>>> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin(a)GSR.INPE.BR for
>>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for encryption
>>> type
>> You are using rc4_hmac, which is the right encryption protocol
>> usually. One can disable it (using 'permitted_enctypes' directive).
>>
>>> My /etc/krb5.conf
>> This is not the krb5.conf file oVirt is using. Please search your
>> system for oVirt's krb5.conf (sorry, don't have it from the top of
>> my
>> head).
>> In any case, I'd check the IPA configuration.
>> Y.
>>
>>> [libdefaults]
>>> default_realm = GSR.INPE.BR
>>> allow_weak_crypto = yes
>>>
>>> default_tkt_enctypes = rc4-hmac des-cbc-md5
>>> default_tgs_enctypes = rc4-hmac des-cbc-md5
>>>
>>> [realms]
>>> GSR.INPE.BR = {
>>> master_kdc = GSR.INPE.BR
>>> kdc = kerberos.gsr.inpe.br
>>> default_domain = gsr.inpe.br
>>> }
>>>
>>> [domain_realm]
>>> .gsr.inpe.br = GSR.INPE.BR
>>> gsr.inpe.br = GSR.INPE.BR
>>>
>>> [logging]
>>> kdc = SYSLOG:INFO
>>>
>>> Is it sufice?
>>>
>>> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
>>>> Please provide info also on the IPA server you are using (use rpm
>>>> -qa for that)
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "Yaniv Kaul" <ykaul(a)redhat.com>
>>>>> To: "Eduardo Ramos" <eduardo(a)freedominterface.org>
>>>>> Cc: users(a)ovirt.org
>>>>> Sent: Thursday, February 21, 2013 11:14:41 AM
>>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>>
>>>>> ----- Original Message -----
>>>>>> Hi all!
>>>>>>
>>>>>> I'm trying to link a ldap/kerberos to my ovirt without
success.
>>>>>> I'm
>>>>>> stuck with this:
>>>>>>
>>>>>> oVirt engine:
>>>>>>
>>>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>>>>>> -user=admin/admin -interactive -provider=IPA
>>>>>> Enter password:
>>>>>>
>>>>>> Error: exception message: KDC has no support for encryption
>>>>>> type
>>>>>> (14) -
>>>>>> BAD_ENCRYPTION_TYPE
>>>>> Please snoop the connection between the engine and the IPA
>>>>> server.
>>>>> Port 88, full packets ('-s 1500' on tcpdump), into file
('-w
>>>>> /tmp/kerb.pcap' ).
>>>>> Y.
>>>>>
>>>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos
>>>>>> error.
>>>>>> Please check log for further details.
>>>>>>
>>>>>> kdc log:
>>>>>>
>>>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>>>>>> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin(a)GSR.INPE.BR for
>>>>>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for
>>>>>> encryption
>>>>>> type
>>>>>>
>>>>>> Any sugestion?
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> Users(a)ovirt.org
>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users(a)ovirt.org
>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>
>
10:35 p.m.
----- Original Message -----
From: "Eduardo Ramos" <eduardo(a)freedominterface.org>
To: users(a)ovirt.org
Sent: Tuesday, February 26, 2013 9:26:42 PM
Subject: Re: [Users] ovirt kerberos/ldap
Any one has faced that?
On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
> Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
>
>
>
> ----- Original Message -----
>> From: "Eduardo Ramos" <eduardo(a)freedominterface.org>
>> To: "Yaniv Kaul" <ykaul(a)redhat.com>
>> Cc: yzaslavs(a)redhat.com, users(a)ovirt.org
>> Sent: Thursday, February 21, 2013 3:43:04 PM
>> Subject: Re: [Users] ovirt kerberos/ldap
>>
>> I got new step!
>>
>> I added arcfour-hmac-md5:normal into supported_enctypes and
>> permitted_enctypes directives in kdc.conf.
>> Then I changed password of my principal using the following:
>>
>> change_password -e arcfour-hmac-md5:normal admin/adimin
Is "adimin" a typo here?
Can I ask why your user name appears like that, with a "/" in it?
Can you try to create user - let's say "myadmin" without the "/"
?
>>
>> Now, it's ok, but now I got another error that I didn't understand
>> as
>> follows:
>>
>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>> -user=admin/admin -interactive -provider=IPA
>> Enter password:
>>
>> Error: exception message: Checksum failed
>> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
>> Please check log for further details.
>>
>> The log of kdc says:
>>
>> Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23})
>> 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16
>> ses=23}, admin/admin(a)GSR.INPE.BR for
>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR
>>
>> And the engine-manage-domains.log says:
>> 2013-02-21 10:36:46,722 INFO
>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
>> kerberos
>> configuration for domain(s): gsr.inpe.br
>> 2013-02-21 10:36:46,745 INFO
>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
>> created kerberos configuration for domain(s): gsr.inpe.br
>> 2013-02-21 10:36:46,745 INFO
>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing
>> kerberos
>> configuration for domain: gsr.inpe.br
>> 2013-02-21 10:36:46,819 ERROR
>> [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
>> exception message: Checksum failed
>> 2013-02-21 10:36:46,822 ERROR
>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while
>> testing domain gsr.inpe.br. Details: Kerberos error. Please check
>> log
>> for further details.
>>
>>
>> On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
>>> On 21/02/13 13:24, Eduardo Ramos wrote:
>>>> Morning!
>>>>
>>>> That's my log entry. PCAP attached.
>>>>
>>>> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>>>> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin(a)GSR.INPE.BR for
>>>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for
>>>> encryption
>>>> type
>>> You are using rc4_hmac, which is the right encryption protocol
>>> usually. One can disable it (using 'permitted_enctypes'
>>> directive).
>>>
>>>> My /etc/krb5.conf
>>> This is not the krb5.conf file oVirt is using. Please search your
>>> system for oVirt's krb5.conf (sorry, don't have it from the top
>>> of
>>> my
>>> head).
>>> In any case, I'd check the IPA configuration.
>>> Y.
>>>
>>>> [libdefaults]
>>>> default_realm = GSR.INPE.BR
>>>> allow_weak_crypto = yes
>>>>
>>>> default_tkt_enctypes = rc4-hmac des-cbc-md5
>>>> default_tgs_enctypes = rc4-hmac des-cbc-md5
>>>>
>>>> [realms]
>>>> GSR.INPE.BR = {
>>>> master_kdc = GSR.INPE.BR
>>>> kdc = kerberos.gsr.inpe.br
>>>> default_domain = gsr.inpe.br
>>>> }
>>>>
>>>> [domain_realm]
>>>> .gsr.inpe.br = GSR.INPE.BR
>>>> gsr.inpe.br = GSR.INPE.BR
>>>>
>>>> [logging]
>>>> kdc = SYSLOG:INFO
>>>>
>>>> Is it sufice?
>>>>
>>>> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
>>>>> Please provide info also on the IPA server you are using (use
>>>>> rpm
>>>>> -qa for that)
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Yaniv Kaul" <ykaul(a)redhat.com>
>>>>>> To: "Eduardo Ramos"
<eduardo(a)freedominterface.org>
>>>>>> Cc: users(a)ovirt.org
>>>>>> Sent: Thursday, February 21, 2013 11:14:41 AM
>>>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> Hi all!
>>>>>>>
>>>>>>> I'm trying to link a ldap/kerberos to my ovirt without
>>>>>>> success.
>>>>>>> I'm
>>>>>>> stuck with this:
>>>>>>>
>>>>>>> oVirt engine:
>>>>>>>
>>>>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>>>>>>> -user=admin/admin -interactive -provider=IPA
>>>>>>> Enter password:
>>>>>>>
>>>>>>> Error: exception message: KDC has no support for
encryption
>>>>>>> type
>>>>>>> (14) -
>>>>>>> BAD_ENCRYPTION_TYPE
>>>>>> Please snoop the connection between the engine and the IPA
>>>>>> server.
>>>>>> Port 88, full packets ('-s 1500' on tcpdump), into file
('-w
>>>>>> /tmp/kerb.pcap' ).
>>>>>> Y.
>>>>>>
>>>>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos
>>>>>>> error.
>>>>>>> Please check log for further details.
>>>>>>>
>>>>>>> kdc log:
>>>>>>>
>>>>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>>>>>>> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin(a)GSR.INPE.BR
>>>>>>> for
>>>>>>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for
>>>>>>> encryption
>>>>>>> type
>>>>>>>
>>>>>>> Any sugestion?
>>>>>>> _______________________________________________
>>>>>>> Users mailing list
>>>>>>> Users(a)ovirt.org
>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> Users(a)ovirt.org
>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>
>>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
10:58 p.m.
This is a multi-part message in MIME format.
--------------020102080304070403030009
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Yair,
I'm using admin/admin because it's my principal on kerberos. In fact,
the checksum error was because I didn't have admin/admin principal
created yet.
Using kadmin.local I did:
kadmin.local: addprinc admin/admin
So I tried the same:
# engine-manage-domains -action=add -domain=gsr.inpe.br -provider=ipa
-user=admin/admin -interactive
And it returned on the screen um trace of java:
General error has occured[LDAP: error code 80 - SASL(-1): generic
failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide
more information (Unknown error)]
javax.naming.NamingException: [LDAP: error code 80 - SASL(-1): generic
failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide
more information (Unknown error)]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3076)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
at
com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at
com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at
com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at
javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
at javax.naming.InitialContext.init(InitialContext.java:240)
at javax.naming.InitialContext.<init>(InitialContext.java:214)
at
javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
at
org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:357)
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:183)
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:159)
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:144)
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:637)
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:787)
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:454)
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:249)
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:174)
Failure while testing domain gsr.inpe.br. Details: No user information
was found for user
The engine-manage-domain.log has:
[2013-02-26 16:55:49,736 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos
configuration for domain(s): gsr.inpe.br
2013-02-26 16:55:49,740 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] loaded template
kr5.conf file krb5.conf.template
2013-02-26 16:55:49,744 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting
default_tkt_enctypes
2013-02-26 16:55:49,772 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting realms
2013-02-26 16:55:49,773 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting domain realm
2013-02-26 16:55:49,774 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
created kerberos configuration for domain(s): gsr.inpe.br
2013-02-26 16:55:49,774 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos
configuration for domain: gsr.inpe.br
2013-02-26 16:55:49,827 DEBUG
[org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Check
authentication finished successfully
And /var/log/messages on the ldap/kerberos server has:
Feb 26 16:49:53 ldap krb5kdc[1446]: AS_REQ (1 etypes {23})
150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16
ses=23}, admin/admin(a)GSR.INPE.BR for krbtgt/GSR.INPE.BR(a)GSR.INPE.BR
Feb 26 16:49:53 ldap krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16 17 18})
150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16
ses=1}, admin/admin(a)GSR.INPE.BR for ldap/ldap.gsr.inpe.br(a)GSR.INPE.BR
Thanks for response.
On 02/26/2013 04:35 PM, Yair Zaslavsky wrote:
----- Original Message -----
> From: "Eduardo Ramos" <eduardo(a)freedominterface.org>
> To: users(a)ovirt.org
> Sent: Tuesday, February 26, 2013 9:26:42 PM
> Subject: Re: [Users] ovirt kerberos/ldap
>
> Any one has faced that?
>
> On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
>> Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
>>
>>
>>
>> ----- Original Message -----
>>> From: "Eduardo Ramos" <eduardo(a)freedominterface.org>
>>> To: "Yaniv Kaul" <ykaul(a)redhat.com>
>>> Cc: yzaslavs(a)redhat.com, users(a)ovirt.org
>>> Sent: Thursday, February 21, 2013 3:43:04 PM
>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>
>>> I got new step!
>>>
>>> I added arcfour-hmac-md5:normal into supported_enctypes and
>>> permitted_enctypes directives in kdc.conf.
>>> Then I changed password of my principal using the following:
>>>
>>> change_password -e arcfour-hmac-md5:normal admin/adimin
Is "adimin" a typo here?
Can I ask why your user name appears like that, with a "/" in it?
Can you try to create user - let's say "myadmin" without the "/"
?
>>> Now, it's ok, but now I got another error that I didn't understand
>>> as
>>> follows:
>>>
>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>>> -user=admin/admin -interactive -provider=IPA
>>> Enter password:
>>>
>>> Error: exception message: Checksum failed
>>> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
>>> Please check log for further details.
>>>
>>> The log of kdc says:
>>>
>>> Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23})
>>> 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16
>>> ses=23}, admin/admin(a)GSR.INPE.BR for
>>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR
>>>
>>> And the engine-manage-domains.log says:
>>> 2013-02-21 10:36:46,722 INFO
>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
>>> kerberos
>>> configuration for domain(s): gsr.inpe.br
>>> 2013-02-21 10:36:46,745 INFO
>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
>>> created kerberos configuration for domain(s): gsr.inpe.br
>>> 2013-02-21 10:36:46,745 INFO
>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing
>>> kerberos
>>> configuration for domain: gsr.inpe.br
>>> 2013-02-21 10:36:46,819 ERROR
>>> [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
>>> exception message: Checksum failed
>>> 2013-02-21 10:36:46,822 ERROR
>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while
>>> testing domain gsr.inpe.br. Details: Kerberos error. Please check
>>> log
>>> for further details.
>>>
>>>
>>> On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
>>>> On 21/02/13 13:24, Eduardo Ramos wrote:
>>>>> Morning!
>>>>>
>>>>> That's my log entry. PCAP attached.
>>>>>
>>>>> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>>>>> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin(a)GSR.INPE.BR for
>>>>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for
>>>>> encryption
>>>>> type
>>>> You are using rc4_hmac, which is the right encryption protocol
>>>> usually. One can disable it (using 'permitted_enctypes'
>>>> directive).
>>>>
>>>>> My /etc/krb5.conf
>>>> This is not the krb5.conf file oVirt is using. Please search your
>>>> system for oVirt's krb5.conf (sorry, don't have it from the top
>>>> of
>>>> my
>>>> head).
>>>> In any case, I'd check the IPA configuration.
>>>> Y.
>>>>
>>>>> [libdefaults]
>>>>> default_realm = GSR.INPE.BR
>>>>> allow_weak_crypto = yes
>>>>>
>>>>> default_tkt_enctypes = rc4-hmac des-cbc-md5
>>>>> default_tgs_enctypes = rc4-hmac des-cbc-md5
>>>>>
>>>>> [realms]
>>>>> GSR.INPE.BR = {
>>>>> master_kdc = GSR.INPE.BR
>>>>> kdc = kerberos.gsr.inpe.br
>>>>> default_domain = gsr.inpe.br
>>>>> }
>>>>>
>>>>> [domain_realm]
>>>>> .gsr.inpe.br = GSR.INPE.BR
>>>>> gsr.inpe.br = GSR.INPE.BR
>>>>>
>>>>> [logging]
>>>>> kdc = SYSLOG:INFO
>>>>>
>>>>> Is it sufice?
>>>>>
>>>>> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
>>>>>> Please provide info also on the IPA server you are using (use
>>>>>> rpm
>>>>>> -qa for that)
>>>>>>
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Yaniv Kaul" <ykaul(a)redhat.com>
>>>>>>> To: "Eduardo Ramos"
<eduardo(a)freedominterface.org>
>>>>>>> Cc: users(a)ovirt.org
>>>>>>> Sent: Thursday, February 21, 2013 11:14:41 AM
>>>>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> Hi all!
>>>>>>>>
>>>>>>>> I'm trying to link a ldap/kerberos to my ovirt
without
>>>>>>>> success.
>>>>>>>> I'm
>>>>>>>> stuck with this:
>>>>>>>>
>>>>>>>> oVirt engine:
>>>>>>>>
>>>>>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>>>>>>>> -user=admin/admin -interactive -provider=IPA
>>>>>>>> Enter password:
>>>>>>>>
>>>>>>>> Error: exception message: KDC has no support for
encryption
>>>>>>>> type
>>>>>>>> (14) -
>>>>>>>> BAD_ENCRYPTION_TYPE
>>>>>>> Please snoop the connection between the engine and the IPA
>>>>>>> server.
>>>>>>> Port 88, full packets ('-s 1500' on tcpdump), into
file ('-w
>>>>>>> /tmp/kerb.pcap' ).
>>>>>>> Y.
>>>>>>>
>>>>>>>> Failure while testing domain gsr.inpe.br. Details:
Kerberos
>>>>>>>> error.
>>>>>>>> Please check log for further details.
>>>>>>>>
>>>>>>>> kdc log:
>>>>>>>>
>>>>>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes
{23})
>>>>>>>> 150.163.73.78: BAD_ENCRYPTION_TYPE:
admin/admin(a)GSR.INPE.BR
>>>>>>>> for
>>>>>>>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for
>>>>>>>> encryption
>>>>>>>> type
>>>>>>>>
>>>>>>>> Any sugestion?
>>>>>>>> _______________________________________________
>>>>>>>> Users mailing list
>>>>>>>> Users(a)ovirt.org
>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Users mailing list
>>>>>>> Users(a)ovirt.org
>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
--------------020102080304070403030009
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
<html>
<head>
<meta content="text/html; charset=UTF-8"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Yair,<br>
<br>
I'm using admin/admin because it's my principal on kerberos. In
fact, the checksum error was because I didn't have admin/admin
principal created yet.<br>
<br>
Using kadmin.local I did:<br>
<br>
kadmin.local: addprinc admin/admin<br>
<br>
So I tried the same:<br>
<br>
# engine-manage-domains -action=add -domain=gsr.inpe.br
-provider=ipa -user=admin/admin -interactive<br>
<br>
And it returned on the screen um trace of java:<br>
<br>
<small>General error has occured[LDAP: error code 80 - SASL(-1):
generic failure: GSSAPI Error: Unspecified GSS failure. Minor
code may provide more information (Unknown error)]<br>
javax.naming.NamingException: [LDAP: error code 80 - SASL(-1):
generic failure: GSSAPI Error: Unspecified GSS failure. Minor
code may provide more information (Unknown error)]<br>
at
com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3076)<br>
at
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)<br>
at
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)<br>
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)<br>
at
com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)<br>
at
com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)<br>
at
com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)<br>
at
com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)<br>
at
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)<br>
at
javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)<br>
at
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)<br>
at
javax.naming.InitialContext.init(InitialContext.java:240)<br>
at
javax.naming.InitialContext.<init>(InitialContext.java:214)<br>
at
javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)<br>
at
org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)<br>
at java.security.AccessController.doPrivileged(Native
Method)<br>
at javax.security.auth.Subject.doAs(Subject.java:357)<br>
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:183)<br>
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:159)<br>
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:144)<br>
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:637)<br>
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:787)<br>
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:454)<br>
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:249)<br>
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:174)<br>
Failure while testing domain gsr.inpe.br. Details: No user
information was found for user<br>
<br>
The engine-manage-domain.log has:<br>
<br>
[2013-02-26 16:55:49,736 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
kerberos configuration for domain(s): gsr.inpe.br<br>
2013-02-26 16:55:49,740 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] loaded
template kr5.conf file krb5.conf.template<br>
2013-02-26 16:55:49,744 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting
default_tkt_enctypes <br>
2013-02-26 16:55:49,772 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting
realms<br>
2013-02-26 16:55:49,773 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting
domain realm<br>
2013-02-26 16:55:49,774 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
created kerberos configuration for domain(s): gsr.inpe.br<br>
2013-02-26 16:55:49,774 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing
kerberos configuration for domain: gsr.inpe.br<br>
2013-02-26 16:55:49,827 DEBUG
[org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Check
authentication finished successfully </small><br>
<br>
And /var/log/messages on the ldap/kerberos server has:<br>
<br>
<small>Feb 26 16:49:53 ldap krb5kdc[1446]: AS_REQ (1 etypes {23})
150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16
ses=23}, <a class="moz-txt-link-abbreviated"
href="mailto:admin/admin@GSR.INPE.BR">admin/admin@GSR.INPE.BR</a> for
<a class="moz-txt-link-abbreviated"
href="mailto:krbtgt/GSR.INPE.BR@GSR.INPE.BR">krbtgt/GSR.INPE.BR@GSR.INPE.BR</a><br>
Feb 26 16:49:53 ldap krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16
17 18}) 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23
tkt=16 ses=1}, <a class="moz-txt-link-abbreviated"
href="mailto:admin/admin@GSR.INPE.BR">admin/admin@GSR.INPE.BR</a> for
<a class="moz-txt-link-abbreviated"
href="mailto:ldap/ldap.gsr.inpe.br@GSR.INPE.BR">ldap/ldap.gsr.inpe.br@GSR.INPE.BR</a></small><br>
<br>
Thanks for response.<br>
<br>
<div class="moz-cite-prefix">On 02/26/2013 04:35 PM, Yair Zaslavsky
wrote:<br>
</div>
<blockquote
cite="mid:1311898597.8823739.1361907328841.JavaMail.root@redhat.com"
type="cite">
<pre wrap="">
----- Original Message -----
</pre>
<blockquote type="cite">
<pre wrap="">From: "Eduardo Ramos" <a
class="moz-txt-link-rfc2396E"
href="mailto:eduardo@freedominterface.org"><eduardo@freedominterface.org></a>
To: <a class="moz-txt-link-abbreviated"
href="mailto:users@ovirt.org">users@ovirt.org</a>
Sent: Tuesday, February 26, 2013 9:26:42 PM
Subject: Re: [Users] ovirt kerberos/ldap
Any one has faced that?
On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Path to ovirt krb5.conf file -
/etc/ovirt-engine/krb5.conf
----- Original Message -----
</pre>
<blockquote type="cite">
<pre wrap="">From: "Eduardo Ramos" <a
class="moz-txt-link-rfc2396E"
href="mailto:eduardo@freedominterface.org"><eduardo@freedominterface.org></a>
To: "Yaniv Kaul" <a class="moz-txt-link-rfc2396E"
href="mailto:ykaul@redhat.com"><ykaul@redhat.com></a>
Cc: <a class="moz-txt-link-abbreviated"
href="mailto:yzaslavs@redhat.com">yzaslavs@redhat.com</a>, <a
class="moz-txt-link-abbreviated"
href="mailto:users@ovirt.org">users@ovirt.org</a>
Sent: Thursday, February 21, 2013 3:43:04 PM
Subject: Re: [Users] ovirt kerberos/ldap
I got new step!
I added arcfour-hmac-md5:normal into supported_enctypes and
permitted_enctypes directives in kdc.conf.
Then I changed password of my principal using the following:
change_password -e arcfour-hmac-md5:normal admin/adimin
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">
Is "adimin" a typo here?
Can I ask why your user name appears like that, with a "/" in it?
Can you try to create user - let's say "myadmin" without the "/"
?
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">
Now, it's ok, but now I got another error that I didn't understand
as
follows:
# engine-manage-domains -action=add -domain=gsr.inpe.br
-user=admin/admin -interactive -provider=IPA
Enter password:
Error: exception message: Checksum failed
Failure while testing domain gsr.inpe.br. Details: Kerberos error.
Please check log for further details.
The log of kdc says:
Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23})
150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16
ses=23}, <a class="moz-txt-link-abbreviated"
href="mailto:admin/admin@GSR.INPE.BR">admin/admin@GSR.INPE.BR</a> for
<a class="moz-txt-link-abbreviated"
href="mailto:krbtgt/GSR.INPE.BR@GSR.INPE.BR">krbtgt/GSR.INPE.BR@GSR.INPE.BR</a>
And the engine-manage-domains.log says:
2013-02-21 10:36:46,722 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
kerberos
configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
created kerberos configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing
kerberos
configuration for domain: gsr.inpe.br
2013-02-21 10:36:46,819 ERROR
[org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
exception message: Checksum failed
2013-02-21 10:36:46,822 ERROR
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while
testing domain gsr.inpe.br. Details: Kerberos error. Please check
log
for further details.
On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 21/02/13 13:24, Eduardo Ramos wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Morning!
That's my log entry. PCAP attached.
Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
150.163.73.78: BAD_ENCRYPTION_TYPE: <a class="moz-txt-link-abbreviated"
href="mailto:admin/admin@GSR.INPE.BR">admin/admin@GSR.INPE.BR</a> for
<a class="moz-txt-link-abbreviated"
href="mailto:krbtgt/GSR.INPE.BR@GSR.INPE.BR">krbtgt/GSR.INPE.BR@GSR.INPE.BR</a>,
KDC has no support for
encryption
type
</pre>
</blockquote>
<pre wrap="">You are using rc4_hmac, which is the right
encryption protocol
usually. One can disable it (using 'permitted_enctypes'
directive).
</pre>
<blockquote type="cite">
<pre wrap="">My /etc/krb5.conf
</pre>
</blockquote>
<pre wrap="">This is not the krb5.conf file oVirt is using.
Please search your
system for oVirt's krb5.conf (sorry, don't have it from the top
of
my
head).
In any case, I'd check the IPA configuration.
Y.
</pre>
<blockquote type="cite">
<pre wrap="">[libdefaults]
default_realm = GSR.INPE.BR
allow_weak_crypto = yes
default_tkt_enctypes = rc4-hmac des-cbc-md5
default_tgs_enctypes = rc4-hmac des-cbc-md5
[realms]
GSR.INPE.BR = {
master_kdc = GSR.INPE.BR
kdc = kerberos.gsr.inpe.br
default_domain = gsr.inpe.br
}
[domain_realm]
.gsr.inpe.br = GSR.INPE.BR
gsr.inpe.br = GSR.INPE.BR
[logging]
kdc = SYSLOG:INFO
Is it sufice?
On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Please provide info also on the IPA server
you are using (use
rpm
-qa for that)
----- Original Message -----
</pre>
<blockquote type="cite">
<pre wrap="">From: "Yaniv Kaul" <a
class="moz-txt-link-rfc2396E"
href="mailto:ykaul@redhat.com"><ykaul@redhat.com></a>
To: "Eduardo Ramos" <a class="moz-txt-link-rfc2396E"
href="mailto:eduardo@freedominterface.org"><eduardo@freedominterface.org></a>
Cc: <a class="moz-txt-link-abbreviated"
href="mailto:users@ovirt.org">users@ovirt.org</a>
Sent: Thursday, February 21, 2013 11:14:41 AM
Subject: Re: [Users] ovirt kerberos/ldap
----- Original Message -----
</pre>
<blockquote type="cite">
<pre wrap="">Hi all!
I'm trying to link a ldap/kerberos to my ovirt without
success.
I'm
stuck with this:
oVirt engine:
# engine-manage-domains -action=add -domain=gsr.inpe.br
-user=admin/admin -interactive -provider=IPA
Enter password:
Error: exception message: KDC has no support for encryption
type
(14) -
BAD_ENCRYPTION_TYPE
</pre>
</blockquote>
<pre wrap="">Please snoop the connection between the
engine and the IPA
server.
Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
/tmp/kerb.pcap' ).
Y.
</pre>
<blockquote type="cite">
<pre wrap="">Failure while testing domain
gsr.inpe.br. Details: Kerberos
error.
Please check log for further details.
kdc log:
Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
150.163.73.78: BAD_ENCRYPTION_TYPE: <a class="moz-txt-link-abbreviated"
href="mailto:admin/admin@GSR.INPE.BR">admin/admin@GSR.INPE.BR</a>
for
<a class="moz-txt-link-abbreviated"
href="mailto:krbtgt/GSR.INPE.BR@GSR.INPE.BR">krbtgt/GSR.INPE.BR@GSR.INPE.BR</a>,
KDC has no support for
encryption
type
Any sugestion?
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated"
href="mailto:Users@ovirt.org">Users@ovirt.org</a>
<a class="moz-txt-link-freetext"
href="http://lists.ovirt.org/mailman/listinfo/users">http://...
</pre>
</blockquote>
<pre
wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated"
href="mailto:Users@ovirt.org">Users@ovirt.org</a>
<a class="moz-txt-link-freetext"
href="http://lists.ovirt.org/mailman/listinfo/users">http://...
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
</blockquote>
<pre wrap="">
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated"
href="mailto:Users@ovirt.org">Users@ovirt.org</a>
<a class="moz-txt-link-freetext"
href="http://lists.ovirt.org/mailman/listinfo/users">http://...
</pre>
</blockquote>
</blockquote>
<br>
</body>
</html>
--------------020102080304070403030009--
11:19 p.m.
This is a multi-part message in MIME format.
--------------090604010009050801020605
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Hi!
Is there any chance to use ldap simple authentication?
What schema should I have?
On 02/26/2013 04:58 PM, Eduardo Ramos wrote:
Yair,
I'm using admin/admin because it's my principal on kerberos. In fact,
the checksum error was because I didn't have admin/admin principal
created yet.
Using kadmin.local I did:
kadmin.local: addprinc admin/admin
So I tried the same:
# engine-manage-domains -action=add -domain=gsr.inpe.br -provider=ipa
-user=admin/admin -interactive
And it returned on the screen um trace of java:
General error has occured[LDAP: error code 80 - SASL(-1): generic
failure: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (Unknown error)]
javax.naming.NamingException: [LDAP: error code 80 - SASL(-1): generic
failure: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (Unknown error)]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3076)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
at
com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at
com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at
com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at
javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
at javax.naming.InitialContext.init(InitialContext.java:240)
at javax.naming.InitialContext.<init>(InitialContext.java:214)
at
javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
at
org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:357)
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:183)
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:159)
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:144)
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:637)
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:787)
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:454)
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:249)
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:174)
Failure while testing domain gsr.inpe.br. Details: No user information
was found for user
The engine-manage-domain.log has:
[2013-02-26 16:55:49,736 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos
configuration for domain(s): gsr.inpe.br
2013-02-26 16:55:49,740 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] loaded template
kr5.conf file krb5.conf.template
2013-02-26 16:55:49,744 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting
default_tkt_enctypes
2013-02-26 16:55:49,772 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting realms
2013-02-26 16:55:49,773 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting domain realm
2013-02-26 16:55:49,774 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
created kerberos configuration for domain(s): gsr.inpe.br
2013-02-26 16:55:49,774 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos
configuration for domain: gsr.inpe.br
2013-02-26 16:55:49,827 DEBUG
[org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Check
authentication finished successfully
And /var/log/messages on the ldap/kerberos server has:
Feb 26 16:49:53 ldap krb5kdc[1446]: AS_REQ (1 etypes {23})
150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16
ses=23}, admin/admin(a)GSR.INPE.BR for krbtgt/GSR.INPE.BR(a)GSR.INPE.BR
Feb 26 16:49:53 ldap krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16 17
18}) 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16
ses=1}, admin/admin(a)GSR.INPE.BR for ldap/ldap.gsr.inpe.br(a)GSR.INPE.BR
Thanks for response.
On 02/26/2013 04:35 PM, Yair Zaslavsky wrote:
> ----- Original Message -----
>> From: "Eduardo Ramos"<eduardo(a)freedominterface.org>
>> To:users@ovirt.org
>> Sent: Tuesday, February 26, 2013 9:26:42 PM
>> Subject: Re: [Users] ovirt kerberos/ldap
>>
>> Any one has faced that?
>>
>> On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
>>> Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
>>>
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Eduardo Ramos"<eduardo(a)freedominterface.org>
>>>> To: "Yaniv Kaul"<ykaul(a)redhat.com>
>>>> Cc:yzaslavs@redhat.com,users@ovirt.org
>>>> Sent: Thursday, February 21, 2013 3:43:04 PM
>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>
>>>> I got new step!
>>>>
>>>> I added arcfour-hmac-md5:normal into supported_enctypes and
>>>> permitted_enctypes directives in kdc.conf.
>>>> Then I changed password of my principal using the following:
>>>>
>>>> change_password -e arcfour-hmac-md5:normal admin/adimin
> Is "adimin" a typo here?
> Can I ask why your user name appears like that, with a "/" in it?
> Can you try to create user - let's say "myadmin" without the
"/" ?
>
>>>> Now, it's ok, but now I got another error that I didn't
understand
>>>> as
>>>> follows:
>>>>
>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>>>> -user=admin/admin -interactive -provider=IPA
>>>> Enter password:
>>>>
>>>> Error: exception message: Checksum failed
>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
>>>> Please check log for further details.
>>>>
>>>> The log of kdc says:
>>>>
>>>> Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23})
>>>> 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16
>>>> ses=23},admin/admin(a)GSR.INPE.BR for
>>>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR
>>>>
>>>> And the engine-manage-domains.log says:
>>>> 2013-02-21 10:36:46,722 INFO
>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
>>>> kerberos
>>>> configuration for domain(s): gsr.inpe.br
>>>> 2013-02-21 10:36:46,745 INFO
>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
>>>> created kerberos configuration for domain(s): gsr.inpe.br
>>>> 2013-02-21 10:36:46,745 INFO
>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing
>>>> kerberos
>>>> configuration for domain: gsr.inpe.br
>>>> 2013-02-21 10:36:46,819 ERROR
>>>> [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
>>>> exception message: Checksum failed
>>>> 2013-02-21 10:36:46,822 ERROR
>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while
>>>> testing domain gsr.inpe.br. Details: Kerberos error. Please check
>>>> log
>>>> for further details.
>>>>
>>>>
>>>> On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
>>>>> On 21/02/13 13:24, Eduardo Ramos wrote:
>>>>>> Morning!
>>>>>>
>>>>>> That's my log entry. PCAP attached.
>>>>>>
>>>>>> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>>>>>> 150.163.73.78: BAD_ENCRYPTION_TYPE:admin/admin@GSR.INPE.BR for
>>>>>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for
>>>>>> encryption
>>>>>> type
>>>>> You are using rc4_hmac, which is the right encryption protocol
>>>>> usually. One can disable it (using 'permitted_enctypes'
>>>>> directive).
>>>>>
>>>>>> My /etc/krb5.conf
>>>>> This is not the krb5.conf file oVirt is using. Please search your
>>>>> system for oVirt's krb5.conf (sorry, don't have it from the
top
>>>>> of
>>>>> my
>>>>> head).
>>>>> In any case, I'd check the IPA configuration.
>>>>> Y.
>>>>>
>>>>>> [libdefaults]
>>>>>> default_realm = GSR.INPE.BR
>>>>>> allow_weak_crypto = yes
>>>>>>
>>>>>> default_tkt_enctypes = rc4-hmac des-cbc-md5
>>>>>> default_tgs_enctypes = rc4-hmac des-cbc-md5
>>>>>>
>>>>>> [realms]
>>>>>> GSR.INPE.BR = {
>>>>>> master_kdc = GSR.INPE.BR
>>>>>> kdc = kerberos.gsr.inpe.br
>>>>>> default_domain = gsr.inpe.br
>>>>>> }
>>>>>>
>>>>>> [domain_realm]
>>>>>> .gsr.inpe.br = GSR.INPE.BR
>>>>>> gsr.inpe.br = GSR.INPE.BR
>>>>>>
>>>>>> [logging]
>>>>>> kdc = SYSLOG:INFO
>>>>>>
>>>>>> Is it sufice?
>>>>>>
>>>>>> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
>>>>>>> Please provide info also on the IPA server you are using
(use
>>>>>>> rpm
>>>>>>> -qa for that)
>>>>>>>
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Yaniv Kaul"<ykaul(a)redhat.com>
>>>>>>>> To: "Eduardo
Ramos"<eduardo(a)freedominterface.org>
>>>>>>>> Cc:users@ovirt.org
>>>>>>>> Sent: Thursday, February 21, 2013 11:14:41 AM
>>>>>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>> Hi all!
>>>>>>>>>
>>>>>>>>> I'm trying to link a ldap/kerberos to my ovirt
without
>>>>>>>>> success.
>>>>>>>>> I'm
>>>>>>>>> stuck with this:
>>>>>>>>>
>>>>>>>>> oVirt engine:
>>>>>>>>>
>>>>>>>>> # engine-manage-domains -action=add
-domain=gsr.inpe.br
>>>>>>>>> -user=admin/admin -interactive -provider=IPA
>>>>>>>>> Enter password:
>>>>>>>>>
>>>>>>>>> Error: exception message: KDC has no support for
encryption
>>>>>>>>> type
>>>>>>>>> (14) -
>>>>>>>>> BAD_ENCRYPTION_TYPE
>>>>>>>> Please snoop the connection between the engine and the
IPA
>>>>>>>> server.
>>>>>>>> Port 88, full packets ('-s 1500' on tcpdump),
into file ('-w
>>>>>>>> /tmp/kerb.pcap' ).
>>>>>>>> Y.
>>>>>>>>
>>>>>>>>> Failure while testing domain gsr.inpe.br. Details:
Kerberos
>>>>>>>>> error.
>>>>>>>>> Please check log for further details.
>>>>>>>>>
>>>>>>>>> kdc log:
>>>>>>>>>
>>>>>>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes
{23})
>>>>>>>>> 150.163.73.78:
BAD_ENCRYPTION_TYPE:admin/admin@GSR.INPE.BR
>>>>>>>>> for
>>>>>>>>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support
for
>>>>>>>>> encryption
>>>>>>>>> type
>>>>>>>>>
>>>>>>>>> Any sugestion?
>>>>>>>>> _______________________________________________
>>>>>>>>> Users mailing list
>>>>>>>>> Users(a)ovirt.org
>>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Users mailing list
>>>>>>>> Users(a)ovirt.org
>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>>
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--------------090604010009050801020605
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi!<br>
<br>
Is there any chance to use ldap simple authentication?<br>
What schema should I have?<br>
<br>
<div class="moz-cite-prefix">On 02/26/2013 04:58 PM, Eduardo Ramos
wrote:<br>
</div>
<blockquote cite="mid:512D13E6.3020308@freedominterface.org"
type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
Yair,<br>
<br>
I'm using admin/admin because it's my principal on kerberos. In
fact, the checksum error was because I didn't have admin/admin
principal created yet.<br>
<br>
Using kadmin.local I did:<br>
<br>
kadmin.local: addprinc admin/admin<br>
<br>
So I tried the same:<br>
<br>
# engine-manage-domains -action=add -domain=gsr.inpe.br
-provider=ipa -user=admin/admin -interactive<br>
<br>
And it returned on the screen um trace of java:<br>
<br>
<small>General error has occured[LDAP: error code 80 - SASL(-1):
generic failure: GSSAPI Error: Unspecified GSS failure. Minor
code may provide more information (Unknown error)]<br>
javax.naming.NamingException: [LDAP: error code 80 - SASL(-1):
generic failure: GSSAPI Error: Unspecified GSS failure. Minor
code may provide more information (Unknown error)]<br>
at
com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3076)<br>
at
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)<br>
at
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)<br>
at
com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)<br>
at
com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)<br>
at
com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)<br>
at
com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)<br>
at
com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)<br>
at
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)<br>
at
javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)<br>
at
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)<br>
at
javax.naming.InitialContext.init(InitialContext.java:240)<br>
at
javax.naming.InitialContext.<init>(InitialContext.java:214)<br>
at
javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)<br>
at
org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)<br>
at
java.security.AccessController.doPrivileged(Native
Method)<br>
at
javax.security.auth.Subject.doAs(Subject.java:357)<br>
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:183)<br>
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:159)<br>
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:144)<br>
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:637)<br>
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:787)<br>
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:454)<br>
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:249)<br>
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:174)<br>
Failure while testing domain gsr.inpe.br. Details: No user
information was found for user<br>
<br>
The engine-manage-domain.log has:<br>
<br>
[2013-02-26 16:55:49,736 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
kerberos configuration for domain(s): gsr.inpe.br<br>
2013-02-26 16:55:49,740 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] loaded
template kr5.conf file krb5.conf.template<br>
2013-02-26 16:55:49,744 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting
default_tkt_enctypes <br>
2013-02-26 16:55:49,772 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting
realms<br>
2013-02-26 16:55:49,773 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting
domain realm<br>
2013-02-26 16:55:49,774 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains]
Successfully created kerberos configuration for domain(s):
gsr.inpe.br<br>
2013-02-26 16:55:49,774 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing
kerberos configuration for domain: gsr.inpe.br<br>
2013-02-26 16:55:49,827 DEBUG
[org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Check
authentication finished successfully </small><br>
<br>
And /var/log/messages on the ldap/kerberos server has:<br>
<br>
<small>Feb 26 16:49:53 ldap krb5kdc[1446]: AS_REQ (1 etypes {23})
150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23
tkt=16 ses=23}, <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:admin/admin@GSR.INPE.BR">admin/admin@GSR.INPE.BR</a>
for <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:krbtgt/GSR.INPE.BR@GSR.INPE.BR">krbtgt/GSR.INPE.BR@GSR.INPE.BR</a><br>
Feb 26 16:49:53 ldap krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16
17 18}) 150.163.73.211: ISSUE: authtime 1361908193, etypes
{rep=23 tkt=16 ses=1}, <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:admin/admin@GSR.INPE.BR">admin/admin@GSR.INPE.BR</a>
for <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:ldap/ldap.gsr.inpe.br@GSR.INPE.BR">ldap/ldap.gsr.inpe.br@GSR.INPE.BR</a></small><br>
<br>
Thanks for response.<br>
<br>
<div class="moz-cite-prefix">On 02/26/2013 04:35 PM, Yair
Zaslavsky wrote:<br>
</div>
<blockquote
cite="mid:1311898597.8823739.1361907328841.JavaMail.root@redhat.com"
type="cite">
<pre wrap="">
----- Original Message -----
</pre>
<blockquote type="cite">
<pre wrap="">From: "Eduardo Ramos" <a
moz-do-not-send="true" class="moz-txt-link-rfc2396E"
href="mailto:eduardo@freedominterface.org"><eduardo@freedominterface.org></a>
To: <a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:users@ovirt.org">users@ovirt.org</a>
Sent: Tuesday, February 26, 2013 9:26:42 PM
Subject: Re: [Users] ovirt kerberos/ldap
Any one has faced that?
On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Path to ovirt krb5.conf file -
/etc/ovirt-engine/krb5.conf
----- Original Message -----
</pre>
<blockquote type="cite">
<pre wrap="">From: "Eduardo Ramos" <a
moz-do-not-send="true" class="moz-txt-link-rfc2396E"
href="mailto:eduardo@freedominterface.org"><eduardo@freedominterface.org></a>
To: "Yaniv Kaul" <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:ykaul@redhat.com"><ykaul@redhat.com></a>
Cc: <a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:yzaslavs@redhat.com">yzaslavs@redhat.com</a>, <a
moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:users@ovirt.org">users@ovirt.org</a>
Sent: Thursday, February 21, 2013 3:43:04 PM
Subject: Re: [Users] ovirt kerberos/ldap
I got new step!
I added arcfour-hmac-md5:normal into supported_enctypes and
permitted_enctypes directives in kdc.conf.
Then I changed password of my principal using the following:
change_password -e arcfour-hmac-md5:normal admin/adimin
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">Is "adimin" a typo here?
Can I ask why your user name appears like that, with a "/" in it?
Can you try to create user - let's say "myadmin" without the "/"
?
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">Now, it's ok, but now I got another error
that I didn't understand
as
follows:
# engine-manage-domains -action=add -domain=gsr.inpe.br
-user=admin/admin -interactive -provider=IPA
Enter password:
Error: exception message: Checksum failed
Failure while testing domain gsr.inpe.br. Details: Kerberos error.
Please check log for further details.
The log of kdc says:
Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23})
150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16
ses=23}, <a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:admin/admin@GSR.INPE.BR">admin/admin@GSR.INPE.BR</a> for
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:krbtgt/GSR.INPE.BR@GSR.INPE.BR">krbtgt/GSR.INPE.BR@GSR.INPE.BR</a>
And the engine-manage-domains.log says:
2013-02-21 10:36:46,722 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
kerberos
configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
created kerberos configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing
kerberos
configuration for domain: gsr.inpe.br
2013-02-21 10:36:46,819 ERROR
[org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
exception message: Checksum failed
2013-02-21 10:36:46,822 ERROR
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while
testing domain gsr.inpe.br. Details: Kerberos error. Please check
log
for further details.
On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 21/02/13 13:24, Eduardo Ramos wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Morning!
That's my log entry. PCAP attached.
Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
150.163.73.78: BAD_ENCRYPTION_TYPE: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:admin/admin@GSR.INPE.BR">admin/admin@GSR.INPE.BR</a> for
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:krbtgt/GSR.INPE.BR@GSR.INPE.BR">krbtgt/GSR.INPE.BR@GSR.INPE.BR</a>,
KDC has no support for
encryption
type
</pre>
</blockquote>
<pre wrap="">You are using rc4_hmac, which is the right
encryption protocol
usually. One can disable it (using 'permitted_enctypes'
directive).
</pre>
<blockquote type="cite">
<pre wrap="">My /etc/krb5.conf
</pre>
</blockquote>
<pre wrap="">This is not the krb5.conf file oVirt is
using. Please search your
system for oVirt's krb5.conf (sorry, don't have it from the top
of
my
head).
In any case, I'd check the IPA configuration.
Y.
</pre>
<blockquote type="cite">
<pre wrap="">[libdefaults]
default_realm = GSR.INPE.BR
allow_weak_crypto = yes
default_tkt_enctypes = rc4-hmac des-cbc-md5
default_tgs_enctypes = rc4-hmac des-cbc-md5
[realms]
GSR.INPE.BR = {
master_kdc = GSR.INPE.BR
kdc = kerberos.gsr.inpe.br
default_domain = gsr.inpe.br
}
[domain_realm]
.gsr.inpe.br = GSR.INPE.BR
gsr.inpe.br = GSR.INPE.BR
[logging]
kdc = SYSLOG:INFO
Is it sufice?
On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Please provide info also on the IPA
server you are using (use
rpm
-qa for that)
----- Original Message -----
</pre>
<blockquote type="cite">
<pre wrap="">From: "Yaniv Kaul" <a
moz-do-not-send="true" class="moz-txt-link-rfc2396E"
href="mailto:ykaul@redhat.com"><ykaul@redhat.com></a>
To: "Eduardo Ramos" <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:eduardo@freedominterface.org"><eduardo@freedominterface.org></a>
Cc: <a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:users@ovirt.org">users@ovirt.org</a>
Sent: Thursday, February 21, 2013 11:14:41 AM
Subject: Re: [Users] ovirt kerberos/ldap
----- Original Message -----
</pre>
<blockquote type="cite">
<pre wrap="">Hi all!
I'm trying to link a ldap/kerberos to my ovirt without
success.
I'm
stuck with this:
oVirt engine:
# engine-manage-domains -action=add -domain=gsr.inpe.br
-user=admin/admin -interactive -provider=IPA
Enter password:
Error: exception message: KDC has no support for encryption
type
(14) -
BAD_ENCRYPTION_TYPE
</pre>
</blockquote>
<pre wrap="">Please snoop the connection between the
engine and the IPA
server.
Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
/tmp/kerb.pcap' ).
Y.
</pre>
<blockquote type="cite">
<pre wrap="">Failure while testing domain
gsr.inpe.br. Details: Kerberos
error.
Please check log for further details.
kdc log:
Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
150.163.73.78: BAD_ENCRYPTION_TYPE: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:admin/admin@GSR.INPE.BR">admin/admin@GSR.INPE.BR</a>
for
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:krbtgt/GSR.INPE.BR@GSR.INPE.BR">krbtgt/GSR.INPE.BR@GSR.INPE.BR</a>,
KDC has no support for
encryption
type
Any sugestion?
_______________________________________________
Users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:Users@ovirt.org">Users@ovirt.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://lists.ovirt.org/mailman/listinfo/users">http://...
</pre>
</blockquote>
<pre
wrap="">_______________________________________________
Users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:Users@ovirt.org">Users@ovirt.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://lists.ovirt.org/mailman/listinfo/users">http://...
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<pre wrap="">_______________________________________________
Users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:Users@ovirt.org">Users@ovirt.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://lists.ovirt.org/mailman/listinfo/users">http://...
</pre>
</blockquote>
</blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated"
href="mailto:Users@ovirt.org">Users@ovirt.org</a>
<a class="moz-txt-link-freetext"
href="http://lists.ovirt.org/mailman/listinfo/users">http://...
</pre>
</blockquote>
<br>
</body>
</html>
--------------090604010009050801020605--
12:52 a.m.
On 27/02/2013 22:19, Eduardo Ramos wrote:
Hi!
Is there any chance to use ldap simple authentication?
What schema should I have?
in the works, hopefully soon (which means several weeks at least)
On 02/26/2013 04:58 PM, Eduardo Ramos wrote:
> Yair,
>
> I'm using admin/admin because it's my principal on kerberos. In fact,
> the checksum error was because I didn't have admin/admin principal
> created yet.
>
> Using kadmin.local I did:
>
> kadmin.local: addprinc admin/admin
>
> So I tried the same:
>
> # engine-manage-domains -action=add -domain=gsr.inpe.br -provider=ipa
> -user=admin/admin -interactive
>
> And it returned on the screen um trace of java:
>
> General error has occured[LDAP: error code 80 - SASL(-1): generic
> failure: GSSAPI Error: Unspecified GSS failure. Minor code may
> provide more information (Unknown error)]
> javax.naming.NamingException: [LDAP: error code 80 - SASL(-1): generic
> failure: GSSAPI Error: Unspecified GSS failure. Minor code may
> provide more information (Unknown error)]
> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3076)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
> at
> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
> at
> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
> at
> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
> at
> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
> at
> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
> at
> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
> at javax.naming.InitialContext.init(InitialContext.java:240)
> at javax.naming.InitialContext.<init>(InitialContext.java:214)
> at
> javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
> at
> org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:357)
> at
>
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:183)
> at
>
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:159)
> at
>
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:144)
> at
>
org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:637)
> at
>
org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:787)
> at
> org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:454)
> at
>
org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:249)
> at
> org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:174)
> Failure while testing domain gsr.inpe.br. Details: No user information
> was found for user
>
> The engine-manage-domain.log has:
>
> [2013-02-26 16:55:49,736 INFO
> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos
> configuration for domain(s): gsr.inpe.br
> 2013-02-26 16:55:49,740 DEBUG
> [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] loaded template
> kr5.conf file krb5.conf.template
> 2013-02-26 16:55:49,744 DEBUG
> [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting
> default_tkt_enctypes
> 2013-02-26 16:55:49,772 DEBUG
> [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting realms
> 2013-02-26 16:55:49,773 DEBUG
> [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting domain realm
> 2013-02-26 16:55:49,774 INFO
> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
> created kerberos configuration for domain(s): gsr.inpe.br
> 2013-02-26 16:55:49,774 INFO
> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos
> configuration for domain: gsr.inpe.br
> 2013-02-26 16:55:49,827 DEBUG
> [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Check
> authentication finished successfully
>
> And /var/log/messages on the ldap/kerberos server has:
>
> Feb 26 16:49:53 ldap krb5kdc[1446]: AS_REQ (1 etypes {23})
> 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16
> ses=23}, admin/admin(a)GSR.INPE.BR for krbtgt/GSR.INPE.BR(a)GSR.INPE.BR
> Feb 26 16:49:53 ldap krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16 17
> 18}) 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16
> ses=1}, admin/admin(a)GSR.INPE.BR for ldap/ldap.gsr.inpe.br(a)GSR.INPE.BR
>
> Thanks for response.
>
> On 02/26/2013 04:35 PM, Yair Zaslavsky wrote:
>> ----- Original Message -----
>>> From: "Eduardo Ramos"<eduardo(a)freedominterface.org>
>>> To:users@ovirt.org
>>> Sent: Tuesday, February 26, 2013 9:26:42 PM
>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>
>>> Any one has faced that?
>>>
>>> On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
>>>> Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "Eduardo Ramos"<eduardo(a)freedominterface.org>
>>>>> To: "Yaniv Kaul"<ykaul(a)redhat.com>
>>>>> Cc:yzaslavs@redhat.com,users@ovirt.org
>>>>> Sent: Thursday, February 21, 2013 3:43:04 PM
>>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>>
>>>>> I got new step!
>>>>>
>>>>> I added arcfour-hmac-md5:normal into supported_enctypes and
>>>>> permitted_enctypes directives in kdc.conf.
>>>>> Then I changed password of my principal using the following:
>>>>>
>>>>> change_password -e arcfour-hmac-md5:normal admin/adimin
>> Is "adimin" a typo here?
>> Can I ask why your user name appears like that, with a "/" in it?
>> Can you try to create user - let's say "myadmin" without the
"/" ?
>>
>>>>> Now, it's ok, but now I got another error that I didn't
understand
>>>>> as
>>>>> follows:
>>>>>
>>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>>>>> -user=admin/admin -interactive -provider=IPA
>>>>> Enter password:
>>>>>
>>>>> Error: exception message: Checksum failed
>>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
>>>>> Please check log for further details.
>>>>>
>>>>> The log of kdc says:
>>>>>
>>>>> Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23})
>>>>> 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16
>>>>> ses=23},admin/admin(a)GSR.INPE.BR for
>>>>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR
>>>>>
>>>>> And the engine-manage-domains.log says:
>>>>> 2013-02-21 10:36:46,722 INFO
>>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
>>>>> kerberos
>>>>> configuration for domain(s): gsr.inpe.br
>>>>> 2013-02-21 10:36:46,745 INFO
>>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
>>>>> created kerberos configuration for domain(s): gsr.inpe.br
>>>>> 2013-02-21 10:36:46,745 INFO
>>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing
>>>>> kerberos
>>>>> configuration for domain: gsr.inpe.br
>>>>> 2013-02-21 10:36:46,819 ERROR
>>>>> [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
>>>>> exception message: Checksum failed
>>>>> 2013-02-21 10:36:46,822 ERROR
>>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while
>>>>> testing domain gsr.inpe.br. Details: Kerberos error. Please check
>>>>> log
>>>>> for further details.
>>>>>
>>>>>
>>>>> On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
>>>>>> On 21/02/13 13:24, Eduardo Ramos wrote:
>>>>>>> Morning!
>>>>>>>
>>>>>>> That's my log entry. PCAP attached.
>>>>>>>
>>>>>>> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>>>>>>> 150.163.73.78: BAD_ENCRYPTION_TYPE:admin/admin@GSR.INPE.BR
for
>>>>>>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for
>>>>>>> encryption
>>>>>>> type
>>>>>> You are using rc4_hmac, which is the right encryption protocol
>>>>>> usually. One can disable it (using 'permitted_enctypes'
>>>>>> directive).
>>>>>>
>>>>>>> My /etc/krb5.conf
>>>>>> This is not the krb5.conf file oVirt is using. Please search
your
>>>>>> system for oVirt's krb5.conf (sorry, don't have it from
the top
>>>>>> of
>>>>>> my
>>>>>> head).
>>>>>> In any case, I'd check the IPA configuration.
>>>>>> Y.
>>>>>>
>>>>>>> [libdefaults]
>>>>>>> default_realm = GSR.INPE.BR
>>>>>>> allow_weak_crypto = yes
>>>>>>>
>>>>>>> default_tkt_enctypes = rc4-hmac des-cbc-md5
>>>>>>> default_tgs_enctypes = rc4-hmac des-cbc-md5
>>>>>>>
>>>>>>> [realms]
>>>>>>> GSR.INPE.BR = {
>>>>>>> master_kdc = GSR.INPE.BR
>>>>>>> kdc = kerberos.gsr.inpe.br
>>>>>>> default_domain = gsr.inpe.br
>>>>>>> }
>>>>>>>
>>>>>>> [domain_realm]
>>>>>>> .gsr.inpe.br = GSR.INPE.BR
>>>>>>> gsr.inpe.br = GSR.INPE.BR
>>>>>>>
>>>>>>> [logging]
>>>>>>> kdc = SYSLOG:INFO
>>>>>>>
>>>>>>> Is it sufice?
>>>>>>>
>>>>>>> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
>>>>>>>> Please provide info also on the IPA server you are using
(use
>>>>>>>> rpm
>>>>>>>> -qa for that)
>>>>>>>>
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Yaniv Kaul"<ykaul(a)redhat.com>
>>>>>>>>> To: "Eduardo
Ramos"<eduardo(a)freedominterface.org>
>>>>>>>>> Cc:users@ovirt.org
>>>>>>>>> Sent: Thursday, February 21, 2013 11:14:41 AM
>>>>>>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> Hi all!
>>>>>>>>>>
>>>>>>>>>> I'm trying to link a ldap/kerberos to my
ovirt without
>>>>>>>>>> success.
>>>>>>>>>> I'm
>>>>>>>>>> stuck with this:
>>>>>>>>>>
>>>>>>>>>> oVirt engine:
>>>>>>>>>>
>>>>>>>>>> # engine-manage-domains -action=add
-domain=gsr.inpe.br
>>>>>>>>>> -user=admin/admin -interactive -provider=IPA
>>>>>>>>>> Enter password:
>>>>>>>>>>
>>>>>>>>>> Error: exception message: KDC has no support for
encryption
>>>>>>>>>> type
>>>>>>>>>> (14) -
>>>>>>>>>> BAD_ENCRYPTION_TYPE
>>>>>>>>> Please snoop the connection between the engine and
the IPA
>>>>>>>>> server.
>>>>>>>>> Port 88, full packets ('-s 1500' on tcpdump),
into file ('-w
>>>>>>>>> /tmp/kerb.pcap' ).
>>>>>>>>> Y.
>>>>>>>>>
>>>>>>>>>> Failure while testing domain gsr.inpe.br.
Details: Kerberos
>>>>>>>>>> error.
>>>>>>>>>> Please check log for further details.
>>>>>>>>>>
>>>>>>>>>> kdc log:
>>>>>>>>>>
>>>>>>>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1
etypes {23})
>>>>>>>>>> 150.163.73.78:
BAD_ENCRYPTION_TYPE:admin/admin@GSR.INPE.BR
>>>>>>>>>> for
>>>>>>>>>> krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no
support for
>>>>>>>>>> encryption
>>>>>>>>>> type
>>>>>>>>>>
>>>>>>>>>> Any sugestion?
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Users mailing list
>>>>>>>>>> Users(a)ovirt.org
>>>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Users mailing list
>>>>>>>>> Users(a)ovirt.org
>>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users(a)ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>
>
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
4286
days inactive
4293
days old
11 comments
4 participants
participants (4)
-
Eduardo Ramos -
Itamar Heim -
Yair Zaslavsky -
Yaniv Kaul