Re: [Users] LDAP

----- Original Message ----- > From: "Nathan Stratton" <nathan(a)robotics.net&gt; > To: "Oved Ourfalli" <ovedo(a)redhat.com&gt; > Cc: users(a)ovirt.org, "Yaniv Kaul" <ykaul(a)redhat.com&gt; > Sent: Thursday, February 23, 2012 8:13:33 PM > Subject: Re: [Users] LDAP > > On Thu, 23 Feb 2012, Oved Ourfalli wrote: > >> IIRC, we only support using -interactive or using -passwordFile, >> and not both. >> The fact that you don't get a warning on that is a bug. > > :) Opps. > >> Found this blog with a similar error that is caused due to password >> expiration (in the engine log, and not while running the manage >> domains utility, but that might also help): >> http://blog.rtfm.co.hu/2012/02/rhev-error-from-kerberos-integrity-check-o... >> >> But the information there doesn't go very well with the fact that >> kinit is successful. > > Ya, I saw that also, (been doing a lot of googling), but: > > -bash-4.2# kinit nathan > Password for nathan(a)BLINKMIND.NET: > -bash-4.2# klist > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: nathan(a)BLINKMIND.NET > > Valid starting Expires Service principal > 02/23/12 12:07:21 02/24/12 12:07:16 > krbtgt/BLINKMIND.NET(a)BLINKMIND.NET > renew until 03/01/12 12:07:16 > > >> Is the file containing the correct password? Try using only >> -interactive, and enter the password interactively. > > Yep, the password is correct, I get the same error no matter what > password > I use. However when I try with -interactive I get more debug info > (see > below). > >> Also, attaching the log of the utility might be helpful. > > How would I get that? I don't see anyting anywhere in /var/log/* > It should be in /var/log/ovirt-engine/engine-manage-domains/engine-manage-domains.log (or in /var/log/engine/engine-manage-domains/engine-manage-domains.log... not sure). >> Also, try logging in with that user to the IPA machine, that way >> you'll know if you need to change your password (I saw that >> sometimes kinit doesn't ask you to change the password, but >> logging in does). > > Yep, that works fine. If I do it with -interactive I get the errors > below. > It seams to have an issue with DNS, but yet it is pulling the two SRV > records AND hitting the right servers. Also both ovirt-engine and > ipa-master have forward and reverse dns and proper /etc/hosts files. > > -bash-4.2# engine-manage-domains -action=add -domain=blinkmind.net > -user=nathan -interactive > Enter password: > > javax.naming.AuthenticationException: GSSAPI [Root exception is > javax.security.sasl.SaslException: GSS initiate failed [Caused by > GSSException: No valid credentials provided (Mechanism level: Server > not > found in Kerberos database (7) - UNKNOWN_SERVER)]] > at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:168) > at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:232) > at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685) > at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306) > at > com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) > at > com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) > at > com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) > at > com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) > at > javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) > at > javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) > at javax.naming.InitialContext.init(InitialContext.java:240) > at javax.naming.InitialContext.<init>(InitialContext.java:214) > at > javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99) > at > org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:357) > at > org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174) > at > org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:154) > at > org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:140) > at > org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:563) > at > org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:709) > at > org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:404) > at > org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:235) > at > org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:163) > Caused by: javax.security.sasl.SaslException: GSS initiate failed > [Caused > by GSSException: No valid credentials provided (Mechanism level: > Server > not found in Kerberos database (7) - UNKNOWN_SERVER)]

> at > com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212) > at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:123) > ... 23 more > Caused by: GSSException: No valid credentials provided (Mechanism > level: > Server not found in Kerberos database (7) - UNKNOWN_SERVER) > at > sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679) > at > sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248) > at > sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180) > at > com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193) > ... 24 more > Caused by: KrbException: Server not found in Kerberos database (7) - > UNKNOWN_SERVER > at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:72) > at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:193) > at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:205) > at > sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297) > at > sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114) > at > sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555) > at > sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610) > ... 27 more > Caused by: KrbException: Identifier doesn't match expected value > (906) > at sun.security.krb5.internal.KDCRep.init(KDCRep.java:144) > at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65) > at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60) > at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:54) > ... 33 more > Error: LDAP query Failed. Error in DNS configuration. Please verify > the > oVirt Engine host has a valid reverse DNS (PTR) record. > Failure while testing domain blinkmind.net. Details: No user > information > was found for user > Please try doing "dig -x <ip address of IPA server>" Look at the answer section, to make sure it shows a PTR record of it: dig -x 1.2.3.4 ... ... ... ;; ANSWER SECTION: 4.3.2.1.in-addr.arpa. 84063 IN PTR my_server.my_domain. ... ... ... > > > > -bash-4.2# nslookup ipa-master.blinkmind.net > Server: 10.10.0.10 > Address: 10.10.0.10#53 > > Name: ipa-master.blinkmind.net > Address: 10.13.0.105 > > -bash-4.2# nslookup 10.13.0.105 > Server: 10.10.0.10 > Address: 10.10.0.10#53 > > 105.0.13.10.in-addr.arpa name = ipa-master.blinkmind.net. > > -bash-4.2# nslookup ovirt-engine.blinkmind.net > Server: 10.10.0.10 > Address: 10.10.0.10#53 > > Name: ovirt-engine.blinkmind.net > Address: 10.13.0.245 > > -bash-4.2# nslookup 10.13.0.245 > Server: 10.10.0.10 > Address: 10.10.0.10#53 > > 245.0.13.10.in-addr.arpa name = ovirt-engine.blinkmind.net. > > _______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users