Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
----- Original Message -----
From: "Eduardo Ramos" <eduardo(a)freedominterface.org>
To: "Yaniv Kaul" <ykaul(a)redhat.com>
Cc: yzaslavs(a)redhat.com, users(a)ovirt.org
Sent: Thursday, February 21, 2013 3:43:04 PM
Subject: Re: [Users] ovirt kerberos/ldap
I got a new step!
I added arcfour-hmac-md5:normal into supported_enctypes and
permitted_enctypes directives in kdc.conf.
Then I changed password of my principal using the following:
change_password -e arcfour-hmac-md5:normal admin/adimin
Now it's OK, but I got another error that I didn't understand, as follows:
# engine-manage-domains -action=add -domain=gsr.inpe.br -user=admin/admin -interactive -provider=IPA
Enter password:
Error: exception message: Checksum failed
Failure while testing domain gsr.inpe.br. Details: Kerberos error.
Please check log for further details.
The log of kdc says:
Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 ses=23}, admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR
And the engine-manage-domains.log says:
2013-02-21 10:36:46,722 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: gsr.inpe.br
2013-02-21 10:36:46,819 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Checksum failed
2013-02-21 10:36:46,822 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.
On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
> On 21/02/13 13:24, Eduardo Ramos wrote:
>> Morning!
>>
>> That's my log entry. PCAP attached.
>>
>> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type
>
> You are using rc4_hmac, which is the right encryption protocol
> usually. One can disable it (using 'permitted_enctypes' directive).
>
>>
>> My /etc/krb5.conf
>
> This is not the krb5.conf file oVirt is using. Please search your
> system for oVirt's krb5.conf (sorry, don't have it from the top of my
> head).
> In any case, I'd check the IPA configuration.
> Y.
>
>> [libdefaults]
>> default_realm = GSR.INPE.BR
>> allow_weak_crypto = yes
>>
>> default_tkt_enctypes = rc4-hmac des-cbc-md5
>> default_tgs_enctypes = rc4-hmac des-cbc-md5
>>
>> [realms]
>> GSR.INPE.BR = {
>> master_kdc = GSR.INPE.BR
>> kdc = kerberos.gsr.inpe.br
>> default_domain = gsr.inpe.br
>> }
>>
>> [domain_realm]
>> .gsr.inpe.br = GSR.INPE.BR
>> gsr.inpe.br = GSR.INPE.BR
>>
>> [logging]
>> kdc = SYSLOG:INFO
>>
>> Is it sufficient?
>>
>> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
>>> Please provide info also on the IPA server you are using (use rpm
>>> -qa for that)
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Yaniv Kaul" <ykaul(a)redhat.com>
>>>> To: "Eduardo Ramos" <eduardo(a)freedominterface.org>
>>>> Cc: users(a)ovirt.org
>>>> Sent: Thursday, February 21, 2013 11:14:41 AM
>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>
>>>> ----- Original Message -----
>>>>> Hi all!
>>>>>
>>>>> I'm trying to link a ldap/kerberos to my ovirt without success.
>>>>> I'm stuck with this:
>>>>>
>>>>> oVirt engine:
>>>>>
>>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br -user=admin/admin -interactive -provider=IPA
>>>>> Enter password:
>>>>>
>>>>> Error: exception message: KDC has no support for encryption type (14) - BAD_ENCRYPTION_TYPE
>>>> Please snoop the connection between the engine and the IPA
>>>> server.
>>>> Port 88, full packets ('-s 1500' on tcpdump), into file
>>>> ('-w /tmp/kerb.pcap').
>>>> Y.
>>>>
>>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
>>>>> Please check log for further details.
>>>>>
>>>>> kdc log:
>>>>>
>>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type
>>>>>
>>>>> Any suggestion?
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users(a)ovirt.org
>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>
>>
>
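
Added example, not part of the thread or of oVirt: a small parser for krb5kdc AS_REQ log entries like the ones quoted above, decoding the etype numbers and flagging deprecated ones. The etype name table, the deprecated set (per RFC 6649 and RFC 8429) and the function names are assumptions of this example; the sample input is the thread's two KDC log entries rejoined onto single lines.

```python
import re

# Kerberos etype numbers as logged by krb5kdc (names supplied for this example).
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}
WEAK = {1, 2, 3, 16, 23}  # DES, 3DES, RC4: deprecated by RFC 6649 / RFC 8429

AS_REQ = re.compile(r"AS_REQ \(\d+ etypes \{(?P<req>[\d ]+)\}\) "
                    r"(?P<client>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)")
ISSUED = re.compile(r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}")

# The two KDC log entries quoted in the thread, rejoined onto single lines.
SAMPLE = [
    "Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: "
    "BAD_ENCRYPTION_TYPE: admin/admin@GSR.INPE.BR for "
    "krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type",
    "Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 150.163.73.78: "
    "ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 ses=23}, "
    "admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR",
]

def parse_as_req(line):
    """Parse one AS_REQ log line into a dict; return None for other lines."""
    m = AS_REQ.search(line)
    if not m:
        return None
    issued = ISSUED.search(m["rest"])
    return {"client": m["client"], "status": m["status"],
            "requested": [int(n) for n in m["req"].split()],
            "issued": dict(zip(("rep", "tkt", "ses"), map(int, issued.groups())))
                      if issued else None}

def findings(rec):
    """Describe what the etype fields of a parsed AS_REQ record show."""
    out = []
    if all(e in WEAK for e in rec["requested"]):
        out.append("client offered only deprecated etypes: " + ", ".join(
            ETYPES.get(e, str(e)) for e in rec["requested"]))
    if rec["status"] == "BAD_ENCRYPTION_TYPE":
        out.append("KDC supports none of the offered etypes")
    for role, e in (rec["issued"] or {}).items():
        if e in WEAK:
            out.append(f"{role} etype is deprecated {ETYPES[e]}")
    return out

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_as_req(line)
        print(rec["status"], rec["requested"], findings(rec))
```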