
Never mind. It is apparently because my admin password contained an "illegal" character.

Haven

On Aug 19, 2013, at 3:24 PM, "H. Haven Liu" <haven.liu@ucla.edu> wrote:

> Hello,
>
> I tried to add an IPA directory domain following these instructions: https://www.rvanderlinden.net/wordpress/ovirt/administrator-portal/administrator-portal-authentication-via-ipa/
>
> It appears the domain was added successfully, but cannot be validated:
>
> [root@vhost1 ~]# engine-manage-domains -action=add -domain=domain.local -user=admin -provider=ipa -interactive
> Enter password:
>
> The domain domain.local has been added to the engine as an authentication source but no users from that domain have been granted permissions within the oVirt Manager.
> Users from this domain can be granted permissions from the Web administration interface.
> oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).
> Manage Domains completed successfully
> [root@vhost1 ~]# service ovirt-engine restart
> Stopping engine-service: [ OK ]
> Starting engine-service: [ OK ]
> [root@vhost1 ~]# engine-manage-domains -action=validate -report
> Error: exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
> WARNING, domain: domain.local may not be functional: Failure while testing domain domain.local. Details: Kerberos error. Please check log for further details.
> Manage Domains completed successfully
> [root@vhost1 ~]#
>
> krb5kdc.log has the following entries:
> Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): AS_REQ (1 etypes {23}) 10.0.1.12: NEEDED_PREAUTH: admin@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL, Additional pre-authentication required
> Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): closing down fd 10
> Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): AS_REQ (1 etypes {23}) 10.0.1.12: ISSUE: authtime 1376950566, etypes {rep=23 tkt=18 ses=23}, admin@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
> Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): closing down fd 10
> Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.0.1.12: ISSUE: authtime 1376950566, etypes {rep=23 tkt=18 ses=18}, admin@DOMAIN.LOCAL for ldap/auth.domain.local@DOMAIN.LOCAL
> Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): closing down fd 10
>
> Any idea?
>
> Thanks,
>
> Haven
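
An added example, not part of the original thread: a small Python parser for krb5kdc.log request lines like those quoted above. It tallies request outcomes per client and lists the deprecated encryption types each client offered. The last sample line (a PREAUTH_FAILED entry) is constructed, and its exact wording is an assumption.

```python
import re
from collections import Counter

# Deprecated Kerberos etypes seen in the quoted log: DES (RFC 6649),
# 3DES and RC4 (RFC 8429). 17 and 18 are the AES types and are not flagged.
WEAK = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac"}

LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[\d ]+)\}\) (?P<ip>\S+): (?P<status>\w+): "
    r".*?(?P<client>\S+@\S+) for (?P<service>[^\s,]+)")

def parse(line):
    """Return the fields of one AS_REQ/TGS_REQ line, or None for other lines."""
    m = LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(e) for e in rec["offered"].split()]
    return rec

def summarize(lines):
    """Tally outcomes per (client, ip) and collect deprecated etypes offered."""
    outcomes, weak = Counter(), {}
    for rec in filter(None, map(parse, lines)):
        who = (rec["client"], rec["ip"])
        outcomes[who + (rec["req"], rec["status"])] += 1
        weak.setdefault(who, set()).update(
            WEAK[e] for e in rec["offered"] if e in WEAK)
    return outcomes, weak

PFX = "Aug 19 15:16:06 auth.domain.local krb5kdc[4572](info): "
TGT = "admin@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL"
SAMPLE = [  # entries 1-4 are from the post; the last one is constructed
    PFX + "AS_REQ (1 etypes {23}) 10.0.1.12: NEEDED_PREAUTH: " + TGT
        + ", Additional pre-authentication required",
    PFX + "closing down fd 10",
    PFX + "AS_REQ (1 etypes {23}) 10.0.1.12: ISSUE: authtime 1376950566, "
        "etypes {rep=23 tkt=18 ses=23}, " + TGT,
    PFX + "TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.0.1.12: ISSUE: authtime "
        "1376950566, etypes {rep=23 tkt=18 ses=18}, admin@DOMAIN.LOCAL for "
        "ldap/auth.domain.local@DOMAIN.LOCAL",
    PFX + "AS_REQ (1 etypes {23}) 10.0.1.12: PREAUTH_FAILED: " + TGT
        + ", Decrypt integrity check failed",
]

if __name__ == "__main__":
    for result in summarize(SAMPLE):
        print(dict(result))
```

A NEEDED_PREAUTH line followed by ISSUE for the same client is the normal two-step AS exchange; only PREAUTH_FAILED entries indicate that the KDC rejected the supplied key.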