On Thu, 23 Feb 2012, Oved Ourfalli wrote:
IIRC, we only support using -interactive or using -passwordFile, and
not both.
The fact that you don't get a warning on that is a bug.
:) Opps.
Found this blog with a similar error that is caused due to password
expiration (in the engine log, and not while running the manage domains utility, but that
might also help):
http://blog.rtfm.co.hu/2012/02/rhev-error-from-kerberos-integrity-check-o...
But the information there doesn't go very well with the fact that kinit is
successful.
Ya, I saw that also, (been doing a lot of googling), but:
-bash-4.2# kinit nathan
Password for nathan(a)BLINKMIND.NET:
-bash-4.2# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nathan(a)BLINKMIND.NET
Valid starting Expires Service principal
02/23/12 12:07:21 02/24/12 12:07:16 krbtgt/BLINKMIND.NET(a)BLINKMIND.NET
renew until 03/01/12 12:07:16
Is the file containing the correct password? Try using only
-interactive, and enter the password interactively.
Yep, the password is correct, I get the same error no matter what password
I use. However when I try with -interactive I get more debug info (see
below).
Also, attaching the log of the utility might be helpful.
How would I get that? I don't see anyting anywhere in /var/log/*
Also, try logging in with that user to the IPA machine, that way
you'll know if you need to change your password (I saw that sometimes kinit
doesn't ask you to change the password, but logging in does).
Yep, that works fine. If I do it with -interactive I get the errors below.
It seams to have an issue with DNS, but yet it is pulling the two SRV
records AND hitting the right servers. Also both ovirt-engine and
ipa-master have forward and reverse dns and proper /etc/hosts files.
-bash-4.2# engine-manage-domains -action=add -domain=blinkmind.net
-user=nathan -interactive
Enter password:
javax.naming.AuthenticationException: GSSAPI [Root exception is
javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Server not
found in Kerberos database (7) - UNKNOWN_SERVER)]]
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:168)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:232)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
at
com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at
com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at
com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at
javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
at javax.naming.InitialContext.init(InitialContext.java:240)
at javax.naming.InitialContext.<init>(InitialContext.java:214)
at
javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
at
org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:357)
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:154)
at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:140)
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:563)
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:709)
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:404)
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:235)
at
org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:163)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused
by GSSException: No valid credentials provided (Mechanism level: Server
not found in Kerberos database (7) - UNKNOWN_SERVER)]
at
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:123)
... 23 more
Caused by: GSSException: No valid credentials provided (Mechanism level:
Server not found in Kerberos database (7) - UNKNOWN_SERVER)
at
sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
at
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
at
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
at
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
... 24 more
Caused by: KrbException: Server not found in Kerberos database (7) -
UNKNOWN_SERVER
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:72)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:193)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:205)
at
sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
at
sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
at
sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555)
at
sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
... 27 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:144)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:54)
... 33 more
Error: LDAP query Failed. Error in DNS configuration. Please verify the
oVirt Engine host has a valid reverse DNS (PTR) record.
Failure while testing domain
blinkmind.net. Details: No user information
was found for user
-bash-4.2# nslookup
ipa-master.blinkmind.net
Server: 10.10.0.10
Address: 10.10.0.10#53
Name:
ipa-master.blinkmind.net
Address: 10.13.0.105
-bash-4.2# nslookup 10.13.0.105
Server: 10.10.0.10
Address: 10.10.0.10#53
105.0.13.10.in-addr.arpa name =
ipa-master.blinkmind.net.
-bash-4.2# nslookup
ovirt-engine.blinkmind.net
Server: 10.10.0.10
Address: 10.10.0.10#53
Name:
ovirt-engine.blinkmind.net
Address: 10.13.0.245
-bash-4.2# nslookup 10.13.0.245
Server: 10.10.0.10
Address: 10.10.0.10#53
245.0.13.10.in-addr.arpa name =
ovirt-engine.blinkmind.net.