I got new step! I added arcfour-hmac-md5:normal into supported_enctypes and permitted_enctypes directives in kdc.conf. Then I changed password of my principal using the following: change_password -e arcfour-hmac-md5:normal admin/adimin Now, it's ok, but now I got another error that I didn't understand as follows: # engine-manage-domains -action=add -domain=gsr.inpe.br -user=admin/admin -interactive -provider=IPA Enter password: Error: exception message: Checksum failed Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details. The log of kdc says: Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 ses=23}, admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR And the engine-manage-domains.log says: 2013-02-21 10:36:46,722 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): gsr.inpe.br 2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): gsr.inpe.br 2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: gsr.inpe.br 2013-02-21 10:36:46,819 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Checksum failed 2013-02-21 10:36:46,822 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details. On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
On 21/02/13 13:24, Eduardo Ramos wrote:
Morning!
That's my log entry. PCAP attached.
Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type
You are using rc4_hmac, which is the right encryption protocol usually. One can disable it (using 'permitted_enctypes' directive).
My /etc/krb5.conf
This is not the krb5.conf file oVirt is using. Please search your system for oVirt's krb5.conf (sorry, don't have it from the top of my head). In any case, I'd check the IPA configuration. Y.
[libdefaults] default_realm = GSR.INPE.BR allow_weak_crypto = yes
default_tkt_enctypes = rc4-hmac des-cbc-md5 default_tgs_enctypes = rc4-hmac des-cbc-md5
[realms] GSR.INPE.BR = { master_kdc = GSR.INPE.BR kdc = kerberos.gsr.inpe.br default_domain = gsr.inpe.br }
[domain_realm] .gsr.inpe.br = GSR.INPE.BR gsr.inpe.br = GSR.INPE.BR
[logging] kdc = SYSLOG:INFO
Is it sufice?
On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
Please provide info also on the IPA server you are using (use rpm -qa for that)
----- Original Message -----
From: "Yaniv Kaul" <ykaul@redhat.com> To: "Eduardo Ramos" <eduardo@freedominterface.org> Cc: users@ovirt.org Sent: Thursday, February 21, 2013 11:14:41 AM Subject: Re: [Users] ovirt kerberos/ldap
----- Original Message -----
Hi all!
I'm trying to link a ldap/kerberos to my ovirt without success. I'm stuck with this:
oVirt engine:
# engine-manage-domains -action=add -domain=gsr.inpe.br -user=admin/admin -interactive -provider=IPA Enter password:
Error: exception message: KDC has no support for encryption type (14) - BAD_ENCRYPTION_TYPE Please snoop the connection between the engine and the IPA server. Port 88, full packets ('-s 1500' on tcpdump), into file ('-w /tmp/kerb.pcap' ). Y.
Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.
kdc log:
Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type
Any sugestion? _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users