
On Thu, 23 Feb 2012, Oved Ourfalli wrote:
IIRC, we only support using -interactive or using -passwordFile, and not both. The fact that you don't get a warning on that is a bug.
:) Oops.
Found this blog with a similar error that is caused due to password expiration (in the engine log, and not while running the manage domains utility, but that might also help): http://blog.rtfm.co.hu/2012/02/rhev-error-from-kerberos-integrity-check-on-d...
But the information there doesn't go very well with the fact that kinit is successful.
Ya, I saw that also (been doing a lot of googling), but:

-bash-4.2# kinit nathan
Password for nathan@BLINKMIND.NET:
-bash-4.2# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nathan@BLINKMIND.NET

Valid starting     Expires            Service principal
02/23/12 12:07:21  02/24/12 12:07:16  krbtgt/BLINKMIND.NET@BLINKMIND.NET
        renew until 03/01/12 12:07:16
Is the file containing the correct password? Try using only -interactive, and enter the password interactively.
Yep, the password is correct, I get the same error no matter what password I use. However when I try with -interactive I get more debug info (see below).
Also, attaching the log of the utility might be helpful.
How would I get that? I don't see anything anywhere in /var/log/*
Also, try logging in with that user to the IPA machine, that way you'll know if you need to change your password (I saw that sometimes kinit doesn't ask you to change the password, but logging in does).
Yep, that works fine. If I do it with -interactive I get the errors below. It seems to have an issue with DNS, but yet it is pulling the two SRV records AND hitting the right servers. Also both ovirt-engine and ipa-master have forward and reverse DNS and proper /etc/hosts files.

-bash-4.2# engine-manage-domains -action=add -domain=blinkmind.net -user=nathan -interactive
Enter password:
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]]
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:168)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:232)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
    at javax.naming.InitialContext.init(InitialContext.java:240)
    at javax.naming.InitialContext.<init>(InitialContext.java:214)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
    at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:357)
    at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
    at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:154)
    at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:140)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:563)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:709)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:404)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:235)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:163)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:123)
    ... 23 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
    ... 24 more
Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:72)
    at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:193)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:205)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
    at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
    ... 27 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:144)
    at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
    at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:54)
    ... 33 more
Error: LDAP query Failed. Error in DNS configuration. Please verify the oVirt Engine host has a valid reverse DNS (PTR) record.
Failure while testing domain blinkmind.net. Details: No user information was found for user

-bash-4.2# nslookup ipa-master.blinkmind.net
Server:         10.10.0.10
Address:        10.10.0.10#53

Name:   ipa-master.blinkmind.net
Address: 10.13.0.105

-bash-4.2# nslookup 10.13.0.105
Server:         10.10.0.10
Address:        10.10.0.10#53

105.0.13.10.in-addr.arpa        name = ipa-master.blinkmind.net.

-bash-4.2# nslookup ovirt-engine.blinkmind.net
Server:         10.10.0.10
Address:        10.10.0.10#53

Name:   ovirt-engine.blinkmind.net
Address: 10.13.0.245

-bash-4.2# nslookup 10.13.0.245
Server:         10.10.0.10
Address:        10.10.0.10#53

245.0.13.10.in-addr.arpa        name = ovirt-engine.blinkmind.net.
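The checks the thread walks through by hand (SRV target, forward A, reverse PTR, and whether the KDC knows the LDAP service principal that the GSSAPI bind asks for), collected into a script. This is an added example, not code from the thread or from oVirt; it assumes the client requests ldap/<SRV target>@REALM, and the live mode assumes dig and kvno are installed and a TGT is already in the cache.

```shell
#!/bin/sh
# Added example (not from the thread): verify SRV -> A -> PTR consistency for
# the LDAP servers of a Kerberos realm, and ask the KDC for the service
# ticket the LDAP client will need. UNKNOWN_SERVER from kvno means the KDC
# has no principal under that name, independently of the management tool.

# DNS names compare case-insensitively and may carry a trailing dot.
norm() { printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# Service principal the GSSAPI LDAP bind requests (assumption: host part is
# the SRV target). Example: ldap/ipa-master.blinkmind.net@BLINKMIND.NET
spn_for() { printf 'ldap/%s@%s\n' "$(norm "$1")" "$2"; }

# Pure check over one SRV target, its A record and the PTR of that address;
# returns 0 when consistent, 1 otherwise. Testable offline.
check_triplet() {
  target=$(norm "$1"); ip="$2"; ptr=$(norm "$3")
  if [ -z "$ip" ]; then
    echo "FAIL: $target has no A record"; return 1
  fi
  if [ "$ptr" != "$target" ]; then
    echo "FAIL: PTR for $ip is '$ptr', expected '$target'"; return 1
  fi
  echo "OK: $target -> $ip -> $ptr"; return 0
}

# Live mode: walk every _ldap._tcp SRV record of the domain.
live_check() {
  domain="$1"; realm="$2"; rc=0
  for target in $(dig +short SRV "_ldap._tcp.$domain" | awk '{print $4}'); do
    ip=$(dig +short A "$target" | head -n 1)
    ptr=$(dig +short -x "$ip" | head -n 1)
    check_triplet "$target" "$ip" "$ptr" || rc=1
    # kvno fetches a service ticket using the TGT from kinit; a failure here
    # reproduces the UNKNOWN_SERVER condition outside of Java.
    kvno "$(spn_for "$target" "$realm")" || rc=1
  done
  return $rc
}

# Usage (not run on import): live_check blinkmind.net BLINKMIND.NET
```

Run `live_check <domain> <REALM>` after a successful kinit; a FAIL line points at the DNS side, a kvno error at the KDC side.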