On 11/23/2013 05:36 PM, i iordanov wrote:
Hi guys,
I'm trying to work around the impossibility of adding local users into
oVirt by setting up a FreeIPA server for my test rig... :(
Everything is Fedora 19 and whatever package versions come with it.
1) I have an A-record, a PTR-record and the necessary SRV records for my
server in dnsmasq on my OpenWRT router:
ptr-record=60.2.168.192.in-addr.arpa,"freeipa.iiordanov.com"
srv-host=_kerberos-master._tcp,freeipa.iiordanov.com,88,0,100
srv-host=_kerberos-master._udp,freeipa.iiordanov.com,88,0,100
srv-host=_kerberos._tcp,freeipa.iiordanov.com,88,0,100
srv-host=_kerberos._udp,freeipa.iiordanov.com,88,0,100
srv-host=_kpasswd._tcp,freeipa.iiordanov.com,464,0,100
srv-host=_kpasswd._udp,freeipa.iiordanov.com,464,0,100
srv-host=_ldap._tcp,freeipa.iiordanov.com,389,0,100
2) I have run ipa-server-install and everything completed without error.
I've disabled the firewall on the server completely and the iptables chains
are all clean. I've rebooted the server just in case.
3) When I try to add the IPA server to oVirt, I get a nasty error!
# engine-manage-domains -action=add -domain=iiordanov.com -user=admin -provider=ipa -interactive
Enter password:
General error has occurednull
java.lang.NegativeArraySizeException
at sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
at sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
at sun.security.jgss.krb5.WrapToken_v2.<init>(WrapToken_v2.java:200)
at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:861)
at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:104)
at com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:430)
at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555)
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
at org.ovirt.engine.core.ldap.RootDSEData.<init>(RootDSEData.java:52)
at org.ovirt.engine.core.utils.kerberos.JndiAction.getDomainDN(JndiAction.java:257)
at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:87)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:356)
at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:150)
at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:135)
at org.ovirt.engine.core.domains.ManageDomains.checkKerberosConfiguration(ManageDomains.java:746)
at org.ovirt.engine.core.domains.ManageDomains.testConfiguration(ManageDomains.java:917)
at org.ovirt.engine.core.domains.ManageDomains.addDomain(ManageDomains.java:539)
at org.ovirt.engine.core.domains.ManageDomains.runCommand(ManageDomains.java:311)
at org.ovirt.engine.core.domains.ManageDomains.main(ManageDomains.java:206)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.jboss.modules.Module.run(Module.java:260)
at org.jboss.modules.Main.main(Main.java:291)
Failure while testing domain %1$s. Details: %2$s: One of the parameters for
this error is null and no default message to show
Can anybody spot the trouble here? Any help is appreciated!
This is an issue that we have already detected with OpenLDAP, and it
looks like at least two users (including you) are experiencing it with
IPA as well; maybe something changed in recent versions of IPA. I
believe this is related to the setting of the "minimum security strength
factor" in the LDAP server.
I have proposed a change to make the error from engine-manage-domains
more explicit:
http://gerrit.ovirt.org/21505
However this doesn't fix the issue, just makes it easier (hopefully) to
detect.
I would really appreciate it if you could test changing the minssf parameter
in your LDAP server. Locate the following parameter in the
/etc/dirsrv/slapd-YOUR-REALM/dse.ldif file:
dn: cn=config
nsslapd-minssf: 0
The value will probably be 0, as shown. Stop your IPA server, change it
to 1, start the IPA server, and try again to add the domain with
engine-manage-domains. Please report your results.
--
Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, 3rd floor D,
28016 Madrid, Spain
Registered in the Madrid Commercial Registry – C.I.F. B82657941 - Red Hat S.L.
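As an added example (not code from this thread or from the oVirt or FreeIPA projects), here is a small Python helper for the check suggested in the reply: it reads the nsslapd-minssf value from the cn=config entry of a dse.ldif file and produces a copy with the value changed, leaving every other entry untouched. It also handles the case where the attribute is absent from cn=config, which 389-ds treats as the default of 0, by adding it. The LDIF embedded below is a constructed sample; on a real server the file is /etc/dirsrv/slapd-YOUR-REALM/dse.ldif as named in the reply, and, as the reply says, it is only safe to edit while the directory server is stopped.

```python
"""Read and change nsslapd-minssf in a 389-ds / FreeIPA dse.ldif (added example)."""
import re
import sys

# Constructed sample of the relevant part of a dse.ldif; real files are much longer.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-port: 389
nsslapd-minssf: 0
nsslapd-security: on

dn: cn=encryption,cn=config
cn: encryption
objectClass: top
nsSSL3: off
"""

CONFIG_DN = "dn: cn=config"
MINSSF_RE = re.compile(r"nsslapd-minssf:\s*(\d+)\s*$", re.IGNORECASE)


def split_entries(ldif_text):
    """Split LDIF text into entries (lists of lines), unfolding continuation lines."""
    entries, current = [], []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]          # LDIF folds long lines with a leading space
        elif raw.strip() == "":
            if current:
                entries.append(current)
                current = []
        else:
            current.append(raw)
    if current:
        entries.append(current)
    return entries


def get_minssf(ldif_text):
    """Return the nsslapd-minssf value of cn=config; 0 when the attribute is absent."""
    for entry in split_entries(ldif_text):
        if entry[0].lower() == CONFIG_DN:
            for line in entry[1:]:
                m = MINSSF_RE.match(line)
                if m:
                    return int(m.group(1))
            return 0                        # attribute not set: 389-ds default is 0
    raise ValueError("no cn=config entry found")


def set_minssf(ldif_text, value):
    """Return a copy of the LDIF with nsslapd-minssf set to `value` in cn=config only."""
    out, in_config, done = [], False, False
    for line in ldif_text.splitlines():
        if line.strip() == "":
            if in_config and not done:      # entry ends without the attribute: add it
                out.append("nsslapd-minssf: %d" % value)
                done = True
            in_config = False
        elif line.lower() == CONFIG_DN:
            in_config = True
        elif in_config and MINSSF_RE.match(line):
            line = "nsslapd-minssf: %d" % value
            done = True
        out.append(line)
    if in_config and not done:              # cn=config was the last entry in the file
        out.append("nsslapd-minssf: %d" % value)
        done = True
    if not done:
        raise ValueError("no cn=config entry found")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python minssf.py /etc/dirsrv/slapd-YOUR-REALM/dse.ldif [new-value]
    # Without a value it only reports; with one it rewrites the file in place.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_DSE_LDIF
    print("current nsslapd-minssf:", get_minssf(text))
    if path and len(sys.argv) > 2:
        open(path, "w").write(set_minssf(text, int(sys.argv[2])))
        print("set nsslapd-minssf to", sys.argv[2])
```

Run without arguments it reports the value from the embedded sample; with a path it reports the live value, and with a path and a number it rewrites the file, so the stop-server / edit / start-server sequence from the reply can be scripted and the resulting value verified before retrying engine-manage-domains.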