I got a new step!
I added arcfour-hmac-md5:normal into supported_enctypes and
permitted_enctypes directives in kdc.conf.
Then I changed password of my principal using the following:
change_password -e arcfour-hmac-md5:normal admin/adimin
Now it's OK, but I got another error that I didn't understand, as follows:
# engine-manage-domains -action=add -domain=gsr.inpe.br
-user=admin/admin -interactive -provider=IPA
Enter password:
Error: exception message: Checksum failed
Failure while testing domain gsr.inpe.br. Details: Kerberos error.
Please check log for further details.
The log of kdc says:
Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 ses=23}, admin/admin(a)GSR.INPE.BR for krbtgt/GSR.INPE.BR(a)GSR.INPE.BR
And the engine-manage-domains.log says:
2013-02-21 10:36:46,722 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: gsr.inpe.br
2013-02-21 10:36:46,819 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Checksum failed
2013-02-21 10:36:46,822 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.
On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
On 21/02/13 13:24, Eduardo Ramos wrote:
> Morning!
>
> That's my log entry. PCAP attached.
>
> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin(a)GSR.INPE.BR for krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for encryption type
You are using rc4_hmac, which is the right encryption protocol
usually. One can disable it (using 'permitted_enctypes' directive).
>
> My /etc/krb5.conf
This is not the krb5.conf file oVirt is using. Please search your
system for oVirt's krb5.conf (sorry, don't have it from the top of my
head).
In any case, I'd check the IPA configuration.
Y.
> [libdefaults]
> default_realm = GSR.INPE.BR
> allow_weak_crypto = yes
>
> default_tkt_enctypes = rc4-hmac des-cbc-md5
> default_tgs_enctypes = rc4-hmac des-cbc-md5
>
> [realms]
> GSR.INPE.BR = {
> master_kdc = GSR.INPE.BR
> kdc = kerberos.gsr.inpe.br
> default_domain = gsr.inpe.br
> }
>
> [domain_realm]
> .gsr.inpe.br = GSR.INPE.BR
> gsr.inpe.br = GSR.INPE.BR
>
> [logging]
> kdc = SYSLOG:INFO
>
> Is it sufficient?
>
> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
>> Please provide info also on the IPA server you are using (use rpm
>> -qa for that)
>>
>>
>> ----- Original Message -----
>>> From: "Yaniv Kaul" <ykaul(a)redhat.com>
>>> To: "Eduardo Ramos" <eduardo(a)freedominterface.org>
>>> Cc: users(a)ovirt.org
>>> Sent: Thursday, February 21, 2013 11:14:41 AM
>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>
>>> ----- Original Message -----
>>>> Hi all!
>>>>
>>>> I'm trying to link an LDAP/Kerberos to my oVirt without success. I'm
>>>> stuck with this:
>>>>
>>>> oVirt engine:
>>>>
>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>>>> -user=admin/admin -interactive -provider=IPA
>>>> Enter password:
>>>>
>>>> Error: exception message: KDC has no support for encryption type (14) - BAD_ENCRYPTION_TYPE
>>> Please snoop the connection between the engine and the IPA server.
>>> Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
>>> /tmp/kerb.pcap' ).
>>> Y.
>>>
>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
>>>> Please check log for further details.
>>>>
>>>> kdc log:
>>>>
>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin(a)GSR.INPE.BR for krbtgt/GSR.INPE.BR(a)GSR.INPE.BR, KDC has no support for encryption type
>>>>
>>>> Any suggestion?
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users(a)ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
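The krb5kdc AS_REQ lines quoted in this thread record which enctypes the client offered (etypes {23} is rc4-hmac) and, on ISSUE, which enctype the KDC used for the reply key, the ticket and the session key (rep=23 tkt=16 ses=23). As an added example, not code from the thread or from oVirt or IPA, the script below parses such lines and flags DES/3DES/RC4 use, which is exactly what allow_weak_crypto and the rc4-hmac settings above permit; the sample log lines are constructed, with placeholder addresses, pids and realm.

```python
import re

# Kerberos enctype numbers (RFC 3961, RFC 4757) as krb5kdc prints them.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK_ETYPES = {1, 2, 3, 16, 23, 24}  # DES, 3DES and RC4 families; a hardened realm uses only 17/18

# Matches the rejection form ("BAD_ENCRYPTION_TYPE: client for server, reason") and the success form ("ISSUE: authtime N, etypes {rep= tkt= ses=}, client for server").
AS_REQ_RE = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<req>[\d ]+)\}\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<client>\S+) for (?P<server>\S+)")
# Constructed sample lines modelled on the thread's output; IP, realm and pid are placeholders.
SAMPLE_LOG = [
    "Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 192.0.2.10: BAD_ENCRYPTION_TYPE: "
    "admin/admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, KDC has no support for encryption type",
    "Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 192.0.2.10: ISSUE: authtime 1361453805, "
    "etypes {rep=23 tkt=16 ses=23}, admin/admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    "Feb 21 10:40:01 ldap krb5kdc[5386]: AS_REQ (2 etypes {18 17}) 192.0.2.11: ISSUE: authtime 1361454001, "
    "etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
]

def parse_as_req(line):
    """Return the fields of one krb5kdc AS_REQ line, or None if the line is not an AS_REQ."""
    m = AS_REQ_RE.search(line)
    if m is None:
        return None
    rec = {"client_ip": m.group("ip"), "status": m.group("status"),
           "requested": [int(e) for e in m.group("req").split()],  # enctypes the client offered
           "client": m.group("client"), "server": m.group("server").rstrip(",")}
    if m.group("rep"):  # ISSUE lines only: rep = reply key, tkt = ticket key, ses = session key
        rec["issued"] = {k: int(m.group(k)) for k in ("rep", "tkt", "ses")}
    return rec

def audit(lines):
    """Flag AS_REQ exchanges in which the client offered, or the KDC used, a weak enctype."""
    findings = []
    for line in lines:
        rec = parse_as_req(line)
        if rec is None:
            continue
        who = f"{rec['client_ip']} {rec['client']}"
        weak = [ETYPE_NAMES.get(e, str(e)) for e in rec["requested"] if e in WEAK_ETYPES]
        if weak:
            findings.append(f"{who}: client offered weak enctypes ({', '.join(weak)})")
        used = {k: v for k, v in rec.get("issued", {}).items() if v in WEAK_ETYPES}
        if used:
            detail = ", ".join(f"{k}={ETYPE_NAMES.get(v, str(v))}" for k, v in used.items())
            findings.append(f"{who}: KDC used weak enctypes ({detail})")
    return findings
```

Run audit() over the output of your KDC's syslog; a tkt= entry that is weak points at the krbtgt key itself, which is a separate fix from the client principal's keys.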