----- Original Message -----
From: "Nathan Stratton" <nathan(a)robotics.net>
To: "Yaniv Kaul" <ykaul(a)redhat.com>
Cc: "Oved Ourfalli" <ovedo(a)redhat.com>, users(a)ovirt.org
Sent: Thursday, February 23, 2012 7:38:42 PM
Subject: Re: [Users] LDAP
On Thu, 23 Feb 2012, Yaniv Kaul wrote:
> LDAP cannot be 'just used'. It needs to be connected to (we use Kerberos,
> many use SSL/TLS) and it needs the correct schema configuration.
> FreeIPA uses Kerberos and LDAP.
True, but I use LDAP to auth a bunch of boxes on a private network and
that seems to work fine. Anyway... Still trying to get this to work. I now
have freeipa installed with a user setup. I am able to kinit that user and
everything works fine; however, I get the following error:
[root@ovirt-engine log]# engine-manage-domains -action=add -domain=blinkmind.net -user=nathan -passwordFile=/etc/shadow -interactive
Error: exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
Failure while testing domain blinkmind.net. Details: Kerberos error.
Please check log for further details.

IIRC, we only support using -interactive or using -passwordFile, and not both.
The fact that you don't get a warning on that is a bug.
Found this blog with a similar error that is caused due to password expiration (in the
engine log, and not while running the manage domains utility, but that might also help):
http://blog.rtfm.co.hu/2012/02/rhev-error-from-kerberos-integrity-check-o...
But the information there doesn't go very well with the fact that kinit is successful.
Is the file containing the correct password? Try using only -interactive, and enter the
password interactively.
Also, attaching the log of the utility might be helpful.
Also, try logging in with that user to the IPA machine, that way you'll know if you
need to change your password (I saw that sometimes kinit doesn't ask you to change
the password, but logging in does).
Hope it helps,
Oved
><>
Nathan Stratton CTO, BlinkMind, Inc.
nathan at robotics.net
nathan at blinkmind.com
http://www.robotics.net
http://www.blinkmind.com