Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
----- Original Message -----
> From: "Eduardo Ramos" <eduardo(a)freedominterface.org>
> To: "Yaniv Kaul" <ykaul(a)redhat.com>
> Cc: yzaslavs(a)redhat.com, users(a)ovirt.org
> Sent: Thursday, February 21, 2013 3:43:04 PM
> Subject: Re: [Users] ovirt kerberos/ldap
>
> I got a new step!
>
> I added arcfour-hmac-md5:normal into supported_enctypes and
> permitted_enctypes directives in kdc.conf.
> Then I changed password of my principal using the following:
>
> change_password -e arcfour-hmac-md5:normal admin/adimin
>
> Now, it's ok, but now I got another error that I didn't understand as
> follows:
>
> # engine-manage-domains -action=add -domain=gsr.inpe.br
> -user=admin/admin -interactive -provider=IPA
> Enter password:
>
> Error: exception message: Checksum failed
> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
> Please check log for further details.
>
> The log of kdc says:
>
> Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23})
> 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16
> ses=23}, admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR
>
> And the engine-manage-domains.log says:
> 2013-02-21 10:36:46,722 INFO
> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
> kerberos
> configuration for domain(s): gsr.inpe.br
> 2013-02-21 10:36:46,745 INFO
> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
> created kerberos configuration for domain(s): gsr.inpe.br
> 2013-02-21 10:36:46,745 INFO
> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos
> configuration for domain: gsr.inpe.br
> 2013-02-21 10:36:46,819 ERROR
> [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
> exception message: Checksum failed
> 2013-02-21 10:36:46,822 ERROR
> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while
> testing domain gsr.inpe.br. Details: Kerberos error. Please check log
> for further details.
>
>
> On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
>> On 21/02/13 13:24, Eduardo Ramos wrote:
>>> Morning!
>>>
>>> That's my log entry. PCAP attached.
>>>
>>> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>>> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin@GSR.INPE.BR for
>>> krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption
>>> type
>> You are using rc4_hmac, which is the right encryption protocol
>> usually. One can disable it (using 'permitted_enctypes' directive).
>>
>>> My /etc/krb5.conf
>> This is not the krb5.conf file oVirt is using. Please search your
>> system for oVirt's krb5.conf (sorry, don't have it from the top of
>> my
>> head).
>> In any case, I'd check the IPA configuration.
>> Y.
>>
>>> [libdefaults]
>>> default_realm = GSR.INPE.BR
>>> allow_weak_crypto = yes
>>>
>>> default_tkt_enctypes = rc4-hmac des-cbc-md5
>>> default_tgs_enctypes = rc4-hmac des-cbc-md5
>>>
>>> [realms]
>>> GSR.INPE.BR = {
>>> master_kdc = GSR.INPE.BR
>>> kdc = kerberos.gsr.inpe.br
>>> default_domain = gsr.inpe.br
>>> }
>>>
>>> [domain_realm]
>>> .gsr.inpe.br = GSR.INPE.BR
>>> gsr.inpe.br = GSR.INPE.BR
>>>
>>> [logging]
>>> kdc = SYSLOG:INFO
>>>
>>> Does it suffice?
>>>
>>> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
>>>> Please provide info also on the IPA server you are using (use rpm
>>>> -qa for that)
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "Yaniv Kaul" <ykaul(a)redhat.com>
>>>>> To: "Eduardo Ramos" <eduardo(a)freedominterface.org>
>>>>> Cc: users(a)ovirt.org
>>>>> Sent: Thursday, February 21, 2013 11:14:41 AM
>>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>>
>>>>> ----- Original Message -----
>>>>>> Hi all!
>>>>>>
>>>>>> I'm trying to link a ldap/kerberos to my ovirt without success.
>>>>>> I'm stuck with this:
>>>>>>
>>>>>> oVirt engine:
>>>>>>
>>>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>>>>>> -user=admin/admin -interactive -provider=IPA
>>>>>> Enter password:
>>>>>>
>>>>>> Error: exception message: KDC has no support for encryption
>>>>>> type
>>>>>> (14) -
>>>>>> BAD_ENCRYPTION_TYPE
>>>>> Please snoop the connection between the engine and the IPA
>>>>> server.
>>>>> Port 88, full packets ('-s 1500' on tcpdump), into file
>>>>> ('-w /tmp/kerb.pcap').
>>>>> Y.
>>>>>
>>>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos
>>>>>> error.
>>>>>> Please check log for further details.
>>>>>>
>>>>>> kdc log:
>>>>>>
>>>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>>>>>> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin@GSR.INPE.BR for
>>>>>> krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for
>>>>>> encryption
>>>>>> type
>>>>>>
>>>>>> Any suggestion?
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> Users(a)ovirt.org
>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>
>>>>>
>
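
Added example, not part of the original thread or of oVirt/IPA: a small Python parser for the krb5kdc `AS_REQ` lines quoted above. It decodes the numeric etypes (23 is rc4-hmac, 16 is des3-cbc-sha1) and flags requests that offer, or are answered with, deprecated encryption types. The function names are hypothetical; the sample lines are the thread's two KDC log entries re-joined onto one line each, with the archive's `(a)` restored to `@`.

```python
import re

# IANA Kerberos encryption type numbers (subset relevant to this thread).
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac"}
# Deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
WEAK = {1, 3, 16, 23}

# Matches the numeric-etype AS_REQ format shown in the thread's KDC log.
# rep = reply key, tkt = ticket encryption key, ses = session key.
AS_REQ = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<req>[\d ]+)\}\) (?P<client>\S+): "
    r"(?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) "
    r"ses=(?P<ses>\d+)\}, )?"
    r"(?P<principal>\S+) for (?P<service>[^\s,]+)")

def name(etype):
    return ETYPES.get(etype, f"etype-{etype}")

def analyze(line):
    """Decode one krb5kdc AS_REQ line; return None if it is not one."""
    m = AS_REQ.search(line)
    if m is None:
        return None
    requested = [int(n) for n in m["req"].split()]
    issued = {k: int(m[k]) for k in ("rep", "tkt", "ses") if m[k]}
    findings = []
    if all(e in WEAK for e in requested):
        findings.append("client offers only deprecated etypes")
    findings += [f"{role} uses deprecated {name(e)}"
                 for role, e in issued.items() if e in WEAK]
    if m["status"] == "BAD_ENCRYPTION_TYPE":
        findings.append("KDC rejected every offered etype")
    return {"client": m["client"], "principal": m["principal"],
            "status": m["status"],
            "requested": [name(e) for e in requested],
            "issued": {k: name(e) for k, e in issued.items()},
            "findings": findings}

# The two KDC log lines from the thread, each re-joined onto one line.
ISSUED = ("Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) "
          "150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 "
          "ses=23}, admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR")
REJECTED = ("Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) "
            "150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin@GSR.INPE.BR for "
            "krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type")

if __name__ == "__main__":
    for sample in (ISSUED, REJECTED):
        print(analyze(sample))
```
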