
On 02/23/2012 08:26 PM, Oved Ourfalli wrote:
----- Original Message -----
From: "Nathan Stratton" <nathan@robotics.net>
To: "Oved Ourfalli" <ovedo@redhat.com>
Cc: users@ovirt.org, "Yaniv Kaul" <ykaul@redhat.com>
Sent: Thursday, February 23, 2012 8:13:33 PM
Subject: Re: [Users] LDAP
On Thu, 23 Feb 2012, Oved Ourfalli wrote:
IIRC, we only support using -interactive or using -passwordFile, and not both. The fact that you don't get a warning on that is a bug.
:) Oops.
Found this blog with a similar error that is caused due to password expiration (in the engine log, and not while running the manage domains utility, but that might also help): http://blog.rtfm.co.hu/2012/02/rhev-error-from-kerberos-integrity-check-on-d...
But the information there doesn't go very well with the fact that kinit is successful.
Ya, I saw that also, (been doing a lot of googling), but:
-bash-4.2# kinit nathan
Password for nathan@BLINKMIND.NET:
-bash-4.2# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nathan@BLINKMIND.NET

Valid starting     Expires            Service principal
02/23/12 12:07:21  02/24/12 12:07:16  krbtgt/BLINKMIND.NET@BLINKMIND.NET
        renew until 03/01/12 12:07:16
Is the file containing the correct password? Try using only -interactive, and enter the password interactively.
Yep, the password is correct, I get the same error no matter what password I use. However when I try with -interactive I get more debug info (see below).
Also, attaching the log of the utility might be helpful.
How would I get that? I don't see anything anywhere in /var/log/*
It should be in /var/log/ovirt-engine/engine-manage-domains/engine-manage-domains.log (or in /var/log/engine/engine-manage-domains/engine-manage-domains.log... not sure).
Also, try logging in with that user to the IPA machine, that way you'll know if you need to change your password (I saw that sometimes kinit doesn't ask you to change the password, but logging in does).
Yep, that works fine. If I do it with -interactive I get the errors below. It seems to have an issue with DNS, but yet it is pulling the two SRV records AND hitting the right servers. Also both ovirt-engine and ipa-master have forward and reverse DNS and proper /etc/hosts files.
-bash-4.2# engine-manage-domains -action=add -domain=blinkmind.net -user=nathan -interactive
Enter password:
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]]
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:168)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:232)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
        at javax.naming.InitialContext.init(InitialContext.java:240)
        at javax.naming.InitialContext.<init>(InitialContext.java:214)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
        at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:357)
        at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
        at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:154)
        at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:140)
        at org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:563)
        at org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:709)
        at org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:404)
        at org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:235)
        at org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:163)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:123)
        ... 23 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
        ... 24 more
Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:72)
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:193)
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:205)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
        ... 27 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:144)
        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:54)
        ... 33 more
Error: LDAP query Failed. Error in DNS configuration. Please verify the oVirt Engine host has a valid reverse DNS (PTR) record.
Failure while testing domain blinkmind.net. Details: No user information was found for user

Not sure if help is still needed in this issue (krb error code 7) - from my experience, this usually happened when DNS was not configured correctly - IMHO - you need to configure a reverse PTR record to the machine that runs engine-core. In addition, make sure that ldap and krb have proper DNS SRV records. Oved - do we have a wiki (upstream) explaining these DNS issues?
Please try doing "dig -x <ip address of IPA server>"
Look at the answer section, to make sure it shows a PTR record of it:

dig -x 1.2.3.4
...
;; ANSWER SECTION:
4.3.2.1.in-addr.arpa.   84063   IN   PTR   my_server.my_domain.
...
-bash-4.2# nslookup ipa-master.blinkmind.net
Server:         10.10.0.10
Address:        10.10.0.10#53

Name:   ipa-master.blinkmind.net
Address: 10.13.0.105

-bash-4.2# nslookup 10.13.0.105
Server:         10.10.0.10
Address:        10.10.0.10#53

105.0.13.10.in-addr.arpa        name = ipa-master.blinkmind.net.

-bash-4.2# nslookup ovirt-engine.blinkmind.net
Server:         10.10.0.10
Address:        10.10.0.10#53

Name:   ovirt-engine.blinkmind.net
Address: 10.13.0.245

-bash-4.2# nslookup 10.13.0.245
Server:         10.10.0.10
Address:        10.10.0.10#53

245.0.13.10.in-addr.arpa        name = ovirt-engine.blinkmind.net.
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
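The advice in the thread to check PTR records rests on how a Kerberos client decides which service principal to request: it forward-resolves the LDAP server's name and, when reverse canonicalization (`rdns`) is on, substitutes the PTR name of the resulting address before asking the KDC for `ldap/<name>@REALM`. If that name is not what was registered in the KDC, the TGS reply is "Server not found in Kerberos database (7)". The following is an added illustration, not code from oVirt or from anyone on the list. The DNS tables and the KDC principal set are constructed (the healthy case mirrors the nslookup output above; `host105.lab.example` is a hypothetical stale PTR), and the canonicalization rule follows MIT krb5's documented `rdns` behaviour; whether the Java JGSS client used by engine-manage-domains performs the same reverse-lookup step is not established by the thread.

```python
"""Model of Kerberos service-principal canonicalization and the
UNKNOWN_SERVER failure a DNS mismatch produces.

Added illustration with constructed data; not oVirt's code.
"""

# Constructed forward table: name -> (canonical name, address).
FORWARD_OK = {
    "ipa-master.blinkmind.net": ("ipa-master.blinkmind.net", "10.13.0.105"),
    "ovirt-engine.blinkmind.net": ("ovirt-engine.blinkmind.net", "10.13.0.245"),
}

# Constructed reverse (PTR) table matching the thread's healthy output.
REVERSE_OK = {
    "10.13.0.105": "ipa-master.blinkmind.net",
    "10.13.0.245": "ovirt-engine.blinkmind.net",
}

# Constructed broken reverse table: the IPA server's PTR names a host
# that was never registered in the KDC (hypothetical stale record).
REVERSE_BAD = {
    "10.13.0.105": "host105.lab.example",
    "10.13.0.245": "ovirt-engine.blinkmind.net",
}

# Constructed set of principals the KDC knows about.
KDC_PRINCIPALS = {
    "ldap/ipa-master.blinkmind.net@BLINKMIND.NET",
    "krbtgt/BLINKMIND.NET@BLINKMIND.NET",
}


def _norm(name):
    """Lower-case and strip the trailing dot, as a client would."""
    return name.lower().rstrip(".")


def canonical_host(host, forward, reverse, rdns=True):
    """Host name the client puts into the service principal.

    Modelled on MIT krb5 (assumption): forward lookup yields the canonical
    name and first address; with rdns=true the PTR of that address wins.
    """
    canon, addr = forward[_norm(host)]
    if rdns and addr in reverse:
        canon = reverse[addr]
    return _norm(canon)


def service_principal(service, host, realm, forward, reverse, rdns=True):
    """Build service/host@REALM the way the client will request it."""
    return f"{service}/{canonical_host(host, forward, reverse, rdns)}@{realm}"


def diagnose(host, realm, forward, reverse, kdc_principals, rdns=True):
    """Return (requested principal, verdict mirroring the KDC's answer)."""
    spn = service_principal("ldap", host, realm, forward, reverse, rdns)
    if spn in kdc_principals:
        return spn, "OK"
    return spn, "UNKNOWN_SERVER (7)"


def ptr_consistent(host, forward, reverse):
    """The 'dig -x' check from the thread: does the PTR of the host's
    address point back at the same canonical name?"""
    canon, addr = forward[_norm(host)]
    return _norm(reverse.get(addr, "")) == _norm(canon)


def dns_report(forward, reverse):
    """One (host, address, ptr, consistent) row per forward entry."""
    rows = []
    for host, (_canon, addr) in forward.items():
        rows.append((host, addr, reverse.get(addr), ptr_consistent(host, forward, reverse)))
    return rows


if __name__ == "__main__":
    realm = "BLINKMIND.NET"
    for label, rev in (("healthy", REVERSE_OK), ("stale PTR", REVERSE_BAD)):
        spn, verdict = diagnose("ipa-master.blinkmind.net", realm, FORWARD_OK, rev, KDC_PRINCIPALS)
        print(f"{label:10} requests {spn} -> {verdict}")
        for row in dns_report(FORWARD_OK, rev):
            print("   ", row)
```

Two things worth taking from the model. First, Nathan's nslookup output is consistent in both directions, so in his setup this particular mismatch is ruled out and the cause must lie elsewhere. Second, with `rdns` enabled the principal the client asks for is chosen by whoever answers the reverse query, which is why MIT krb5 recommends `rdns = false` in `[libdefaults]`: the client then requests the name from its own configuration instead of one learned from the network.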