Any one has faced that? On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
----- Original Message -----
From: "Eduardo Ramos" <eduardo@freedominterface.org> To: "Yaniv Kaul" <ykaul@redhat.com> Cc: yzaslavs@redhat.com, users@ovirt.org Sent: Thursday, February 21, 2013 3:43:04 PM Subject: Re: [Users] ovirt kerberos/ldap
I got new step!
I added arcfour-hmac-md5:normal into supported_enctypes and permitted_enctypes directives in kdc.conf. Then I changed password of my principal using the following:
change_password -e arcfour-hmac-md5:normal admin/adimin
Now, it's ok, but now I got another error that I didn't understand as follows:
# engine-manage-domains -action=add -domain=gsr.inpe.br -user=admin/admin -interactive -provider=IPA Enter password:
Error: exception message: Checksum failed Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.
The log of kdc says:
Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 ses=23}, admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR
And the engine-manage-domains.log says: 2013-02-21 10:36:46,722 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): gsr.inpe.br 2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): gsr.inpe.br 2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: gsr.inpe.br 2013-02-21 10:36:46,819 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Checksum failed 2013-02-21 10:36:46,822 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.
On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
On 21/02/13 13:24, Eduardo Ramos wrote:
Morning!
That's my log entry. PCAP attached.
Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type You are using rc4_hmac, which is the right encryption protocol usually. One can disable it (using 'permitted_enctypes' directive).
My /etc/krb5.conf This is not the krb5.conf file oVirt is using. Please search your system for oVirt's krb5.conf (sorry, don't have it from the top of my head). In any case, I'd check the IPA configuration. Y.
[libdefaults] default_realm = GSR.INPE.BR allow_weak_crypto = yes
default_tkt_enctypes = rc4-hmac des-cbc-md5 default_tgs_enctypes = rc4-hmac des-cbc-md5
[realms] GSR.INPE.BR = { master_kdc = GSR.INPE.BR kdc = kerberos.gsr.inpe.br default_domain = gsr.inpe.br }
[domain_realm] .gsr.inpe.br = GSR.INPE.BR gsr.inpe.br = GSR.INPE.BR
[logging] kdc = SYSLOG:INFO
Is it sufice?
On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
Please provide info also on the IPA server you are using (use rpm -qa for that)
----- Original Message -----
From: "Yaniv Kaul" <ykaul@redhat.com> To: "Eduardo Ramos" <eduardo@freedominterface.org> Cc: users@ovirt.org Sent: Thursday, February 21, 2013 11:14:41 AM Subject: Re: [Users] ovirt kerberos/ldap
----- Original Message ----- > Hi all! > > I'm trying to link a ldap/kerberos to my ovirt without success. > I'm > stuck with this: > > oVirt engine: > > # engine-manage-domains -action=add -domain=gsr.inpe.br > -user=admin/admin -interactive -provider=IPA > Enter password: > > Error: exception message: KDC has no support for encryption > type > (14) - > BAD_ENCRYPTION_TYPE Please snoop the connection between the engine and the IPA server. Port 88, full packets ('-s 1500' on tcpdump), into file ('-w /tmp/kerb.pcap' ). Y.
> Failure while testing domain gsr.inpe.br. Details: Kerberos > error. > Please check log for further details. > > kdc log: > > Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) > 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin@GSR.INPE.BR for > krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for > encryption > type > > Any sugestion? > _______________________________________________ > Users mailing list > Users@ovirt.org > http://lists.ovirt.org/mailman/listinfo/users > _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users