'/etc/httpd/s-oVirt-Krb.keytab' is apache keytab, you can't try to test login with it. You should try something like `kinit myuser` and then curl. And be sure that 'myuser' has appropriate permissions in oVirt. Do you have properly setup your browser and enabled negotiation (for example for firefox [1])? [1] https://docs.fedoraproject.org/en-US/Fedora/11/html/Security_Guide/sect-Secu... On 09/30/2016 03:34 PM, aleksey.maksimov@it-kb.ru wrote:
# kinit -V -k -t /etc/httpd/s-oVirt-Krb.keytab HTTP/kom-ad01-ovirt1.ad.holding.com
Using existing cache: persistent:0:0 Using principal: HTTP/kom-ad01-ovirt1.ad.holding.com@AD.HOLDING.COM Using keytab: /etc/httpd/s-oVirt-Krb.keytab Authenticated to Kerberos v5
# klist
Ticket cache: KEYRING:persistent:0:0 Default principal: HTTP/kom-ad01-ovirt1.ad.holding.com@AD.HOLDING.COM
Valid starting Expires Service principal 09/30/2016 16:28:02 10/01/2016 02:28:02 krbtgt/AD.HOLDING.COM@AD.HOLDING.COM renew until 10/07/2016 16:28:02
# curl --negotiate -u : -X GET -H "Accept: application/xml" -k https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
<html><head><title>Error</title></head><body>Unauthorized</body></html>
However, if I open this URL (https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api) in browser it opens without errors and authorization requests
# tail -f /var/log/httpd/ssl_error_log # tail -f /var/log/ovirt-engine/engine.log
In the logs nothing in that moment when I open the portal in the browser.
30.09.2016, 15:52, "Ondra Machacek" <omachace@redhat.com>:
So if you run kinit and then:
$ curl --negotiate -u : -X GET -H "Accept: application/xml" -k https://fqdn/ovirt-engine/api
It's fine?
Please tell me how to find the cause of the problem. What are the steps to troubleshooting to do?
On oVirt engine check:
/var/log/httpd/ssl_error_log /var/log/ovirt-engine/engine.log
On AD check kerberos log.
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users