On 11/21/2012 09:40 PM, Cristian Falcas wrote:
On Wed, Nov 21, 2012 at 9:37 PM, Cristian Falcas<cristi.falcas@gmail.com <mailto:cristi.falcas@gmail.com>> wrote:
On Wed, Nov 21, 2012 at 8:10 AM, Itamar Heim <iheim@redhat.com<mailto:iheim@redhat.com>> wrote:<mailto:cristi.falcas@gmail.com>>
On 11/21/2012 08:09 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Cristian Falcas" <cristi.falcas@gmail.com
To: "Yair Zaslavsky" <yzaslavs@redhat.com
<mailto:yzaslavs@redhat.com>>
Cc: users@ovirt.org <mailto:users@ovirt.org>yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> <mailto:cristi.falcas@gmail.com> >
Sent: Wednesday, November 21, 2012 6:40:34 AM
Subject: Re: [Users] I don't know how to add AD users
On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky <
To: "Itamar Heim" < iheim@redhat.com
<mailto:iheim@redhat.com> >
Cc: "Yair Zaslavsky" < yzaslavs@redhat.com
<mailto:yzaslavs@redhat.com> >, users@ovirt.org
<mailto:users@ovirt.org>iheim@redhat.com <mailto:iheim@redhat.com> >
Sent: Tuesday, November 20, 2012 7:33:39 PM
Subject: Re: [Users] I don't know how to add AD users
On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim <<mailto:cristi.falcas@gmail.com> <mailto:
wrote:
On 11/20/2012 03:00 PM, Cristian Falcas wrote:
Hi,
So there is no way to use the domain I have at work, right?
I will need to make a freeipa installation in order to
add new users.
there is no reason this shouldn't work with active
directory 2003
(assuming its forest level isn't still in AD 2000
compatibility
mode?).
tcpdump for the traffic during engine-manage-domains
should help
diagnosing why.
Cristian
On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas
< cristi.falcas@gmail.com
cristi.falcas@gmail. com >> wrote:
On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <
iheim@redhat.com <mailto:iheim@redhat.com>
On 11/20/2012 09:56 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky
< yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>
<mailto: yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> >
<mailto: yzaslavs@redhat.com
<mailto:yzaslavs@redhat.com> <mailto:
yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> >>>
wrote:
On 11/20/2012 09:05 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky
< yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>
<mailto: yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> >
<mailto: yzaslavs@redhat.com
<mailto:yzaslavs@redhat.com> <mailto:
yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> >>
<mailto: yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>
<mailto: yzaslavs@redhat.com
<mailto:yzaslavs@redhat.com> > <mailto:
yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>
<mailto: yzaslavs@redhat.com
<mailto:yzaslavs@redhat.com> >>> > wrote:
On 11/20/2012 12:39 AM, Cristian Falcas wrote:
On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim
< iheim@redhat.com <mailto:iheim@redhat.com> <mailto:
iheim@redhat.com <mailto:iheim@redhat.com> >
<mailto: iheim@redhat.com <mailto:iheim@redhat.com>
<mailto: iheim@redhat.com <mailto:iheim@redhat.com> >>
<mailto: iheim@redhat.com <mailto:iheim@redhat.com>
<mailto: iheim@redhat.com <mailto:iheim@redhat.com> >
<mailto: iheim@redhat.com <mailto:iheim@redhat.com>
<mailto: iheim@redhat.com <mailto:iheim@redhat.com> >>>
<mailto: iheim@redhat.com <mailto:iheim@redhat.com>
<mailto: iheim@redhat.com <mailto:iheim@redhat.com> >
<mailto: iheim@redhat.com <mailto:iheim@redhat.com>
<mailto: iheim@redhat.com <mailto:iheim@redhat.com> >>
<mailto: iheim@redhat.com <mailto:iheim@redhat.com>
<mailto: iheim@redhat.com <mailto:iheim@redhat.com> >
<mailto: iheim@redhat.com <mailto:iheim@redhat.com>
<mailto: iheim@redhat.com <mailto:iheim@redhat.com>
>>>>> wrote:
On 11/19/2012 11:29 AM, Vinzenz
Feenstra wrote:
On 11/19/2012 10:01 AM, Cristian
Falcas wrote:
Hi,
I'm trying to add some users
to ovirt
using an AD.
This is the configuration I
used for a
mediawiki
site, which is
working correctly:
$wgAuth = new
LdapAuthenticationPlugin();
$wgLDAPUseLocal = true;
$wgLDAPDomainNames = array(
"a_domain");
$wgLDAPServerNames = array(
"a_domain"=>" site.example.com <http://site.example.com>
< http://site.example.com > < http://site.example.com >
< http://site.example.com >
< http://site.example.com >
< http://site.example.com >");
$wgLDAPEncryptionType = array(
"a_domain"=>"clear");
$wgLDAPSearchStrings = array(
"a_domain"=>"rom_domain\\USER- ________NAME");
$wgLDAPBaseDNs = array(
"a_domain"=>"dc=company,dc=___ _____com");
Those are the commands I
tried using:
engine-manage-domains -action=add
-domain= site.example.com <http://site.example.com>
< http://site.example.com > < http://site.example.com >
< http://site.example.com >
< http://site.example.com >
< http://site.example.com >
-provider=ActiveDirectory
-user= user.name <http://user.name>
< http://user.name > < http://user.name >
< http://user.name > < http://user.name >
< http://user.name > -interactive
engine-manage-domains -action=add
-domain=a_domain
-provider=ActiveDirectory
-user= user.name@company.com <mailto:user.name@company.com>
<mailto: user.name@company.com
<mailto:user.name@company.com> >
<mailto: user.name@company.com
<mailto:user.name@company.com>
<mailto: user.name@company.com
<mailto:user.name@company.com> > ><http://m__p__le.com><mailto: user.name@company.com
<mailto:user.name@company.com> <mailto:
user.name@company.com <mailto:user.name@company.com> >
<mailto: user.name@company.com
<mailto:user.name@company.com>
<mailto: user.name@company.com
<mailto:user.name@company.com> > >__>
<mailto: user.name@company.com
<mailto:user.name@company.com>
<mailto: user.name@company.com
<mailto:user.name@company.com> >
<mailto: user.name@company.com
<mailto:user.name@company.com>
<mailto: user.name@company.com
<mailto:user.name@company.com> > >
<mailto: user.name@company.com
<mailto:user.name@company.com>
<mailto: user.name@company.com
<mailto:user.name@company.com> >
<mailto: user.name@company.com
<mailto:user.name@company.com>
<mailto: user.name@company.com
<mailto:user.name@company.com> > >__>__>
<mailto: user.name@company.com
<mailto:user.name@company.com>
<mailto: user.name@company.com
<mailto:user.name@company.com> >
<mailto: user.name@company.com
<mailto:user.name@company.com>
<mailto: user.name@company.com
<mailto:user.name@company.com> > >
<mailto: user.name@company.com
<mailto:user.name@company.com>
<mailto: user.name@company.com
<mailto:user.name@company.com> >
<mailto: user.name@company.com
<mailto:user.name@company.com>
<mailto: user.name@company.com
<mailto:user.name@company.com> > >__>
<mailto: user.name@company.com
<mailto:user.name@company.com>
<mailto: user.name@company.com
<mailto:user.name@company.com> >
<mailto: user.name@company.com
<mailto:user.name@company.com>
<mailto: user.name@company.com
<mailto:user.name@company.com> > >
<mailto: user.name@company.com
<mailto:user.name@company.com>
<mailto: user.name@company.com
<mailto:user.name@company.com> >
<mailto: user.name@company.com
<mailto:user.name@company.com>
<mailto: user.name@company.com
<mailto:user.name@company.com> > >__>__>__> -interactive
engine-manage-domains -action=add
-domain=a_domain
-provider=ActiveDirectory
-user=user.name@site.example._ _______com
<mailto: user.name@site
<mailto: user.name@site >.
<mailto: user.name@site
<mailto: user.name@site >.>__ exa m__p__le.com<http://p__le.com> < http://example.com >
< http://examp__le.com > < http://example.com >
<mailto: user.name@site .
<mailto: user.name@site .>__ exam p__le.com
<mailto: user.name@site. __ examp le.com <http://le.com>
<mailto: user.name@site. example.com<mailto: user.name@site <mailto: user.name@site >>.<http://a__m__p__le.com>
<mailto: user.name@site <mailto: user.name@site >
<mailto: user.name@site
<mailto: user.name@site >>.>__ ex a__m__p__le.com<http://m__p__le.com>
< http://exam__p__le.com >
< http://examp__le.com > < http://example.com >
<mailto: user.name@site
<mailto: user.name@site >.
<mailto: user.name@site
<mailto: user.name@site >.>__ exa m__p__le.com<http://p__le.com> < http://example.com >
< http://examp__le.com > < http://example.com >
<mailto: user.name@site .
<mailto: user.name@site .>__ exam p__le.com
<mailto: user.name@site. __ examp le.com <http://le.com>
<mailto: user.name@site. example.com
<http://example.com> >>>>> -interactive<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>>>
You don't add an user this way.
You add the
domain. You
have to
pass the
domain admin user and the domain
admin password.
any domain user will do, doesn't have
to be an admin.
what does the log say?
Then you can use the domain
within the engine.
e.g. search
users, add
access rights for vms etc.
Even login to the engine and
assigning rights
within
the engine
you can
handle from the engine itself.
Regards,
And the output on all tries:
Enter password:
Error: Authentication Failed.
Please
verify the fully
qualified domain
name that is used for
authentication is
correct..
Problematic domain
is: domain_used_in_command
Failure while applying Kerberos
configuration. Details:
Authentication
Failed. Please verify the
fully qualified
domain
name that
is used for
authentication is correct.
Can someone help me with the
correct
parameters?
Best regards,
Cristian Falcas
______________________________ _________________________
Users mailing list
Users@ovirt.org <mailto:Users@ovirt.org> <mailto:
Users@ovirt.org <mailto:Users@ovirt.org> >
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >
<mailto: Users@ovirt.org <mailto:Users@ovirt.org><mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>>>
http://lists.ovirt.org/_______ _mailman/listinfo/users
< http://lists.ovirt.org/______ mailman/listinfo/users >
< http://lists.ovirt.org/______ mailman/listinfo/users
< http://lists.ovirt.org/____ mailman/listinfo/users >>
< http://lists.ovirt.org/______ mailman/listinfo/users
< http://lists.ovirt.org/____ mailman/listinfo/users >
< http://lists.ovirt.org/____ mailman/listinfo/users
< http://lists.ovirt.org/__ mailman/listinfo/users >>>
< http://lists.ovirt.org/______ mailman/listinfo/users
< http://lists.ovirt.org/____ mailman/listinfo/users >
< http://lists.ovirt.org/____ mailman/listinfo/users
< http://lists.ovirt.org/__ mailman/listinfo/users >>
< http://lists.ovirt.org/____ mailman/listinfo/users
< http://lists.ovirt.org/__ mailman/listinfo/users >
< http://lists.ovirt.org/__ mailman/listinfo/users
< http://lists.ovirt.org/ mailman/listinfo/users >>>>
--
Regards,
Vinzenz Feenstra | Senior
Software Engineer
RedHat Engineering Virtualization
R & D
Phone: +420 532 294 625 <tel:%2B420%20532%20294%20625>
<tel:%2B420%20532%20294%20625>
<tel:%2B420%20532%20294%20625>
<tel:%2B420%20532%20294%20625>
<tel:%2B420%20532%20294%20625>
IRC: vfeenstr or evilissimo
Better technology. Faster
innovation. Powered
by community
collaboration.
See how it works at redhat.com <http://redhat.com>
< http://redhat.com >
< http://redhat.com > < http://redhat.com >
< http://redhat.com >
______________________________ _________________________
Users mailing list
Users@ovirt.org <mailto:Users@ovirt.org> <mailto:
Users@ovirt.org <mailto:Users@ovirt.org> >
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
http://lists.ovirt.org/_______ _mailman/listinfo/users
< http://lists.ovirt.org/______ mailman/listinfo/users >
< http://lists.ovirt.org/______ mailman/listinfo/users
< http://lists.ovirt.org/____ mailman/listinfo/users >>
< http://lists.ovirt.org/______ mailman/listinfo/users
< http://lists.ovirt.org/____ mailman/listinfo/users >
< http://lists.ovirt.org/____ mailman/listinfo/users
< http://lists.ovirt.org/__ mailman/listinfo/users >>>
< http://lists.ovirt.org/______ mailman/listinfo/users
< http://lists.ovirt.org/____ mailman/listinfo/users >
< http://lists.ovirt.org/____ mailman/listinfo/users
< http://lists.ovirt.org/__ mailman/listinfo/users >>
< http://lists.ovirt.org/____ mailman/listinfo/users
< http://lists.ovirt.org/__ mailman/listinfo/users >
< http://lists.ovirt.org/__ mailman/listinfo/users
< http://lists.ovirt.org/ mailman/listinfo/users >>>>
______________________________ _________________________
Users mailing list
Users@ovirt.org <mailto:Users@ovirt.org> <mailto:
Users@ovirt.org <mailto:Users@ovirt.org> >
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>><mailto: Users@ovirt.org <mailto:Users@ovirt.org><mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>>>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
http://lists.ovirt.org/_______ _mailman/listinfo/users
< http://lists.ovirt.org/______ mailman/listinfo/users >
< http://lists.ovirt.org/______ mailman/listinfo/users
< http://lists.ovirt.org/____ mailman/listinfo/users >>
< http://lists.ovirt.org/______ mailman/listinfo/users
< http://lists.ovirt.org/____ mailman/listinfo/users >
< http://lists.ovirt.org/____ mailman/listinfo/users
< http://lists.ovirt.org/__ mailman/listinfo/users >>>
< http://lists.ovirt.org/______ mailman/listinfo/users
< http://lists.ovirt.org/____ mailman/listinfo/users >
< http://lists.ovirt.org/____ mailman/listinfo/users
< http://lists.ovirt.org/__ mailman/listinfo/users >>
< http://lists.ovirt.org/____ mailman/listinfo/users
< http://lists.ovirt.org/__ mailman/listinfo/users >
< http://lists.ovirt.org/__ mailman/listinfo/users
< http://lists.ovirt.org/ mailman/listinfo/users >>>>
Hi,
This is the command I used (the same error
is with
-interactive
parameter):
engine-manage-domains -action=add
-domain= example.com <http://example.com> <
http://example.com >
< http://example.com >
< http://example.com >
< http://example.com > -provider=ActiveDirectory
-user=user.name@a_domain
-passwordFile=/tmp/pass
[root@localhost ~]# cat /tmp/pass
qwerty[root@localhost ~]#
This is the log:
2012-11-20 00:30:40,443 INFO
[org.ovirt.engine.core.utils._ _____kerberos.ManageDomains]
Creating
kerberos
configuration for domain(s): example.com
<http://example.com>
< http://example.com >
< http://example.com > < http://example.com >
< http://example.com >
2012-11-20 00:30:40,525 INFO
[org.ovirt.engine.core.utils._ _____kerberos.ManageDomains]
Successfully
created kerberos configuration for domain(s):
example.com <http://example.com> < http://example.com >
< http://example.com >
< http://example.com >
< http://example.com >
2012-11-20 00:30:40,526 INFO
[org.ovirt.engine.core.utils._ _____kerberos.ManageDomains]
Testing
kerberos
configuration for domain: example.com <http://example.com>
< http://example.com >
< http://example.com > < http://example.com >
< http://example.com >
2012-11-20 00:30:40,830 ERROR
[org.ovirt.engine.core.utils._ _____kerberos.__
KerberosConfigCheck]
Error:
exception message: Cannot locate KDC
2012-11-20 00:30:40,851 ERROR
[org.ovirt.engine.core.utils._ _____kerberos.ManageDomains]
Failure
while
testing domain example.com <http://example.com>
< http://example.com > < http://example.com >
< http://example.com >
< http://example.com >. Details: Kerberos
error. Please check log for further details.
Hi, the error indicates you don't have
kerberos configured.
manage-domains validates by default using
GSSAPI/Kerberos (if I
understand correctly, this is equivalent to
run ldapsearch
with -Y
gssapi option).
I wonder if -x (simple authentication) will
work for you as
well (as
manage-domains contains code for simple
authentication as
well).
This is the ldapsearch command that works
(it retrieves
users)
from the
same machine:
ldapsearch -H ldap:// example.com <http://example.com>
< http://example.com > < http://example.com >
< http://example.com >
< http://example.com > -b
dc=example,dc=com -D user.name@a_domain -w
qwerty
Best regards,
Cristian Falcas
______________________________ _______________________
Users mailing list
Users@ovirt.org <mailto:Users@ovirt.org> <mailto:
Users@ovirt.org <mailto:Users@ovirt.org> >
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >><mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >
<mailto: Users@ovirt.org <mailto:Users@ovirt.org>
<mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>>_kerberos._ tcp.EXAMPLE.COM <http://tcp.EXAMPLE.COM>http://lists.ovirt.org/______ mailman/listinfo/users
< http://lists.ovirt.org/____ mailman/listinfo/users >
< http://lists.ovirt.org/____ mailman/listinfo/users
< http://lists.ovirt.org/__ mailman/listinfo/users >>
< http://lists.ovirt.org/____ mailman/listinfo/users
< http://lists.ovirt.org/__ mailman/listinfo/users >
< http://lists.ovirt.org/__ mailman/listinfo/users
< http://lists.ovirt.org/ mailman/listinfo/users >>>
Hi,
I used "-x" for ldapsearch and the result is the
same: list
retrieved.
Is there any equivalent for engine-manage-domains?
Cristian
Hi Christian, there is no code allowing to add
simple-authentication
domains to Manage-Domains.
In the past we did have the ability to do that, but
there are
several problematic issues.
What ldap server are you working against? Maybe I
missed that
Hi,
The server is a Microfost AD 2003.
Best regards,
Cristian Falcas
this should work, is the AD also the DNS server for the
ovirt
engine machine?
yes
Could you take a look at the tcp dump? There are only 2
messages
relevant to this (let me know if you want the full dump):
- 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard
query SRV<http://site1.example.com> SRV 0 100 88
- 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard
query response
SRV 0 100 88 site1.example.com
site2.example.com <http://site2.example.com> SRV 0
100 88 site3.example.com <http://site3.example.com>usual company.com <http://company.com>. So it worked with:
Also, I tries to run ldapsearch with -Y gssapi:
ldap_sasl_interactive_bind_s: Unknown authentication
method (-6)
additional info: SASL(-4): no mechanism available: No
worthy mechs
found
Best regards,
Cristian Falcas
The SRV records look fine.
If I remember correctly, your DNS should have a
reverse-resolve PTR
record to your engine machine. Does it exists?
I don't think so (10.0.0.xx is engine machine,
10.0.0.yyy is dns):
[root@localhost ~]# nslookup 10.0.0.xx
Server: 10.0.0.yyy
Address: 10.0.0.yyy#53
** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN
[root@localhost ~]# host 10.0.0.xx
Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
I will ask them to add a DNS record for the machine.
Indeed do that.
In the engine we require both reverse-resolve PTR record,
Kerberos SRV record and LDAP SRV record.
Make sure you have all three in the DNS.
The PTR + Kerberos records are used for the kerberos
authentication (and constructing the krb5.conf file in the
engine-manage-domains utility).
The LDAP SRV record is used for the directory queries (it is
used in the utility + the ovirt engine, to look for LDAP
servers).
Yair - sounds like we need a how to troubleshoot AD issues?
Hi,
So, after all, I was using the wrong domain. In my company we use
everywhere (web, email, etc) as the domain "a_domain" instead of the
engine-manage-domains -action=add -domain=company.com
<http://company.com> -provider=ActiveDirectory -user=user.name
<http://user.name> -passwordFile=/tmp/passhost -t srv _kerberos._tcp.company.com <http://tcp.company.com>
Some steps I did for my investigation:
1. test if the domain has a kerberos service:
kinit user.name@company.com <mailto:user.name@company.com> -V
2. use kinit instead of engine-manage-domains (mush faster)
cp /etc/ovirt-engine/krb5.conf /etc/
3. test with:COMPANY.COM <http://COMPANY.COM> = {
Just to let others know what errors I had and how I fixed them:
1. Client not found in Kerberos database while getting initial
credentials: wrong user name
2. Cannot find KDC for requested realm: the realm you are using in
the command line is not define in krb5.conf file.
- at the beginning I was using kinit user.name@a_domain -V, but
there was no a_domain realm defined.
- check the file and try to update it or correct your kinit command
in order to use the correct realm
[realms]kinit user.name <http://user.name>
kdc = site1.company.com.:88
kdc = site2.company.com.:88
kdc = site3.company.com.:88
}
3. KDC reply did not match expectations while getting initial
credentials: you may have the same realm in your command line and in
the krb5.conf file, but the server thinks this is not correct.
- use wireshark to see what realm the server has: protocol KRB5,
messages AS-REQ and AS-REP
Thank you for all your help.
Cristian
I forgot. Use this kinit command for tests instead:
Because I was using the realm in the command line I had all of the above
problems
do you mind adding these to a wiki for steps to troubleshoot for the next one to tackle this?
thanks,
Itamar