
Hello,

I tried to add an IPA directory domain following these instructions: https://www.rvanderlinden.net/wordpress/ovirt/administrator-portal/administrator-portal-authentication-via-ipa/

It appears the domain was added successfully, but cannot be validated:

[root@vhost1 ~]# engine-manage-domains -action=add -domain=domain.local -user=admin -provider=ipa -interactive
Enter password:

The domain domain.local has been added to the engine as an authentication source but no users from that domain have been granted permissions within the oVirt Manager.
Users from this domain can be granted permissions from the Web administration interface.
oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).
Manage Domains completed successfully
[root@vhost1 ~]# service ovirt-engine restart
Stopping engine-service: [ OK ]
Starting engine-service: [ OK ]
[root@vhost1 ~]# engine-manage-domains -action=validate -report
Error: exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
WARNING, domain: domain.local may not be functional: Failure while testing domain domain.local. Details: Kerberos error. Please check log for further details.
Manage Domains completed successfully
[root@vhost1 ~]#

krb5kdc.log has the following entries:

Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): AS_REQ (1 etypes {23}) 10.0.1.12: NEEDED_PREAUTH: admin@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL, Additional pre-authentication required
Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): closing down fd 10
Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): AS_REQ (1 etypes {23}) 10.0.1.12: ISSUE: authtime 1376950566, etypes {rep=23 tkt=18 ses=23}, admin@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): closing down fd 10
Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.0.1.12: ISSUE: authtime 1376950566, etypes {rep=23 tkt=18 ses=18}, admin@DOMAIN.LOCAL for ldap/auth.domain.local@DOMAIN.LOCAL
Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): closing down fd 10

Any idea?

Thanks,

Haven
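
Added example, not part of the original message: a small parser for the krb5kdc.log request lines quoted in the message above. It names the encryption types in each request and flags requests that offer no AES etype, which in this log are the two AS_REQs offering only etype 23. The function names, field names and the `SAMPLE` variable are illustrative assumptions; the log lines are the ones from the message.

```python
import re

# Encryption type numbers that appear in the log, with MIT krb5 names.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "arcfour-hmac"}
AES = {17, 18}

# Request line layout: "<REQ> (<n> etypes {<list>}) <ip>: <STATUS>: <rest>"
LINE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[\d ]+)\}\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)")
CHOSEN = re.compile(r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}")
PRINC = re.compile(r"(\S+@\S+?),? for (\S+@[^\s,]+)")

def parse(line):
    """Return a dict for an AS_REQ/TGS_REQ line, or None for other lines."""
    m = LINE.search(line)
    if not m:
        return None  # e.g. "closing down fd 10"
    offered = [int(x) for x in m["offered"].split()]
    rec = {"req": m["req"], "ip": m["ip"], "status": m["status"],
           "offered": offered,
           "offered_names": [ETYPES.get(n, str(n)) for n in offered],
           "no_aes_offered": not (AES & set(offered))}
    c = CHOSEN.search(m["rest"])
    if c:  # present only when a ticket was issued
        rec["reply"], rec["ticket"], rec["session"] = map(int, c.groups())
    p = PRINC.search(m["rest"])
    if p:
        rec["client"], rec["service"] = p.groups()
    return rec

def triage(text):
    """Parse every request line in a log excerpt, skipping the rest."""
    return [r for r in map(parse, text.splitlines()) if r]

# The three request lines from the message above.
SAMPLE = """\
Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): AS_REQ (1 etypes {23}) 10.0.1.12: NEEDED_PREAUTH: admin@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL, Additional pre-authentication required
Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): closing down fd 10
Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): AS_REQ (1 etypes {23}) 10.0.1.12: ISSUE: authtime 1376950566, etypes {rep=23 tkt=18 ses=23}, admin@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.0.1.12: ISSUE: authtime 1376950566, etypes {rep=23 tkt=18 ses=18}, admin@DOMAIN.LOCAL for ldap/auth.domain.local@DOMAIN.LOCAL
"""

if __name__ == "__main__":
    for r in triage(SAMPLE):
        flag = "  <- no AES offered" if r["no_aes_offered"] else ""
        print(r["req"], r["status"], r["offered_names"], r.get("service"), flag)
```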