
----- Original Message -----
From: "Nathan Stratton" <nathan@robotics.net>
To: "Yaniv Kaul" <ykaul@redhat.com>
Cc: "Oved Ourfalli" <ovedo@redhat.com>, users@ovirt.org
Sent: Thursday, February 23, 2012 7:38:42 PM
Subject: Re: [Users] LDAP

On Thu, 23 Feb 2012, Yaniv Kaul wrote:
LDAP cannot be 'just used'. It needs to be connected to (we use Kerberos, many use SSL/TLS) and it needs the correct schema configuration. FreeIPA uses Kerberos and LDAP.
True, but I use LDAP to auth a bunch of boxes on a private network and that seems to work fine. Anyway... Still trying to get this to work. I now have freeipa installed with a user set up. I am able to kinit that user and everything works fine; however, I get the following error:

[root@ovirt-engine log]# engine-manage-domains -action=add -domain=blinkmind.net -user=nathan -passwordFile=/etc/shadow -interactive
Error: exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
Failure while testing domain blinkmind.net. Details: Kerberos error. Please check log for further details.

IIRC, we only support using -interactive or using -passwordFile, and not both. The fact that you don't get a warning on that is a bug.

Found this blog with a similar error that is caused due to password expiration (in the engine log, and not while running the manage domains utility, but that might also help): http://blog.rtfm.co.hu/2012/02/rhev-error-from-kerberos-integrity-check-on-d... But the information there doesn't go very well with the fact that kinit is successful.

Is the file containing the correct password? Try using only -interactive, and enter the password interactively. Also, attaching the log of the utility might be helpful.

Also, try logging in with that user to the IPA machine, that way you'll know if you need to change your password (I saw that sometimes kinit doesn't ask you to change the password, but logging in does).

Hope it helps,
Oved

Nathan Stratton
CTO, BlinkMind, Inc.
nathan at robotics.net
nathan at blinkmind.com
http://www.robotics.net
http://www.blinkmind.com

Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
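
A pre-flight check for the two points raised in the reply above (only one of -interactive and -passwordFile, and whether the file really contains the password), as an added example that is not part of the original thread or of oVirt. The helper name check_manage_domains_args is hypothetical, and the check assumes the password file is meant to hold the cleartext password on a single line.

```shell
#!/bin/sh
# Added example; check_manage_domains_args is a hypothetical helper, not part of oVirt.
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
check_manage_domains_args() {
    interactive=0; pwfile=""; rc=0
    for arg in "$@"; do
        case $arg in
            -interactive)    interactive=1 ;;
            -passwordFile=*) pwfile=${arg#-passwordFile=} ;;
        esac
    done
    # The reply states that only one of the two options is supported.
    if [ "$interactive" -eq 1 ] && [ -n "$pwfile" ]; then
        echo "both -interactive and -passwordFile given; use only one"; rc=1
    fi
    if [ -z "$pwfile" ]; then return "$rc"; fi
    if [ ! -r "$pwfile" ]; then
        echo "password file not readable: $pwfile"; return 1
    fi
    # Assumption: the file holds the cleartext password on a single line.
    lines=$(grep -c '' "$pwfile" || true)
    if [ "$lines" -ne 1 ]; then
        echo "password file has $lines lines, expected 1"; rc=1
    fi
    # name:$id$salt$hash or name:!/* fields mark a shadow-style database,
    # which stores password hashes and never the password itself.
    if grep -Eq '^[^:]+:(\$[0-9a-z]+\$|[!*])' "$pwfile"; then
        echo "password file looks like a shadow database (hashes, not a password)"; rc=1
    fi
    # A credential file should carry no group or other permission bits.
    if [ "$(ls -ld "$pwfile" | cut -c5-10)" != "------" ]; then
        echo "password file is accessible by group or others; use mode 0600"; rc=1
    fi
    return "$rc"
}

# Constructed sample: a shadow-style file passed together with -interactive.
demo=$(mktemp)
printf 'root:$6$salt$hash:19000:0:99999:7:::\nbin:*:19000:0:99999:7:::\n' > "$demo"
check_manage_domains_args -action=add -domain=blinkmind.net -user=nathan \
    -passwordFile="$demo" -interactive || true
rm -f "$demo"
```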