
On 27/02/2013 22:19, Eduardo Ramos wrote:
Hi!
Is there any chance to use ldap simple authentication? What schema should I have?
in the works, hopefully soon (which means several weeks at least)
On 02/26/2013 04:58 PM, Eduardo Ramos wrote:
Yair,
I'm using admin/admin because it's my principal on kerberos. In fact, the checksum error was because I didn't have admin/admin principal created yet.
Using kadmin.local I did:
kadmin.local: addprinc admin/admin
So I tried the same:
# engine-manage-domains -action=add -domain=gsr.inpe.br -provider=ipa -user=admin/admin -interactive
And it returned a Java trace on the screen:
General error has occured[LDAP: error code 80 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown error)]
javax.naming.NamingException: [LDAP: error code 80 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown error)]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3076)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
    at javax.naming.InitialContext.init(InitialContext.java:240)
    at javax.naming.InitialContext.<init>(InitialContext.java:214)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
    at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:357)
    at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:183)
    at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:159)
    at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:144)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:637)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:787)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:454)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:249)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:174)
Failure while testing domain gsr.inpe.br. Details: No user information was found for user
The engine-manage-domain.log has:
2013-02-26 16:55:49,736 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): gsr.inpe.br
2013-02-26 16:55:49,740 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] loaded template kr5.conf file krb5.conf.template
2013-02-26 16:55:49,744 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting default_tkt_enctypes
2013-02-26 16:55:49,772 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting realms
2013-02-26 16:55:49,773 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting domain realm
2013-02-26 16:55:49,774 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): gsr.inpe.br
2013-02-26 16:55:49,774 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: gsr.inpe.br
2013-02-26 16:55:49,827 DEBUG [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Check authentication finished successfully
And /var/log/messages on the ldap/kerberos server has:
Feb 26 16:49:53 ldap krb5kdc[1446]: AS_REQ (1 etypes {23}) 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16 ses=23}, admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR
Feb 26 16:49:53 ldap krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16 17 18}) 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16 ses=1}, admin/admin@GSR.INPE.BR for ldap/ldap.gsr.inpe.br@GSR.INPE.BR
Thanks for the response.
On 02/26/2013 04:35 PM, Yair Zaslavsky wrote:
----- Original Message -----
From: "Eduardo Ramos" <eduardo@freedominterface.org>
To: users@ovirt.org
Sent: Tuesday, February 26, 2013 9:26:42 PM
Subject: Re: [Users] ovirt kerberos/ldap
Has anyone faced that?
On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
----- Original Message -----
From: "Eduardo Ramos" <eduardo@freedominterface.org>
To: "Yaniv Kaul" <ykaul@redhat.com>
Cc: yzaslavs@redhat.com, users@ovirt.org
Sent: Thursday, February 21, 2013 3:43:04 PM
Subject: Re: [Users] ovirt kerberos/ldap
I got a new step!
I added arcfour-hmac-md5:normal into supported_enctypes and permitted_enctypes directives in kdc.conf. Then I changed password of my principal using the following:
change_password -e arcfour-hmac-md5:normal admin/adimin
Is "adimin" a typo here? Can I ask why your user name appears like that, with a "/" in it? Can you try to create a user, let's say "myadmin", without the "/"?
Now, it's ok, but now I got another error that I didn't understand as follows:
# engine-manage-domains -action=add -domain=gsr.inpe.br -user=admin/admin -interactive -provider=IPA
Enter password:
Error: exception message: Checksum failed Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.
The log of kdc says:
Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 ses=23},admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR
And the engine-manage-domains.log says:
2013-02-21 10:36:46,722 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: gsr.inpe.br
2013-02-21 10:36:46,819 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Checksum failed
2013-02-21 10:36:46,822 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.
On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
> On 21/02/13 13:24, Eduardo Ramos wrote:
>> Morning!
>>
>> That's my log entry. PCAP attached.
>>
>> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE:admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type
> You are using rc4_hmac, which is the right encryption protocol usually. One can disable it (using 'permitted_enctypes' directive).
>
>> My /etc/krb5.conf
> This is not the krb5.conf file oVirt is using. Please search your system for oVirt's krb5.conf (sorry, don't have it from the top of my head).
> In any case, I'd check the IPA configuration.
> Y.
>
>> [libdefaults]
>> default_realm = GSR.INPE.BR
>> allow_weak_crypto = yes
>>
>> default_tkt_enctypes = rc4-hmac des-cbc-md5
>> default_tgs_enctypes = rc4-hmac des-cbc-md5
>>
>> [realms]
>> GSR.INPE.BR = {
>> master_kdc = GSR.INPE.BR
>> kdc = kerberos.gsr.inpe.br
>> default_domain = gsr.inpe.br
>> }
>>
>> [domain_realm]
>> .gsr.inpe.br = GSR.INPE.BR
>> gsr.inpe.br = GSR.INPE.BR
>>
>> [logging]
>> kdc = SYSLOG:INFO
>>
>> Is it sufficient?
>>
>> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
>>> Please provide info also on the IPA server you are using (use rpm -qa for that)
>>>
>>> ----- Original Message -----
>>>> From: "Yaniv Kaul" <ykaul@redhat.com>
>>>> To: "Eduardo Ramos" <eduardo@freedominterface.org>
>>>> Cc: users@ovirt.org
>>>> Sent: Thursday, February 21, 2013 11:14:41 AM
>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>
>>>> ----- Original Message -----
>>>>> Hi all!
>>>>>
>>>>> I'm trying to link a ldap/kerberos to my ovirt without success. I'm stuck with this:
>>>>>
>>>>> oVirt engine:
>>>>>
>>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br -user=admin/admin -interactive -provider=IPA
>>>>> Enter password:
>>>>>
>>>>> Error: exception message: KDC has no support for encryption type (14) - BAD_ENCRYPTION_TYPE
>>>> Please snoop the connection between the engine and the IPA server. Port 88, full packets ('-s 1500' on tcpdump), into file ('-w /tmp/kerb.pcap').
>>>> Y.
>>>>
>>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.
>>>>>
>>>>> kdc log:
>>>>>
>>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE:admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type
>>>>>
>>>>> Any suggestion?
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users@ovirt.org
>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users@ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>
Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
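An added example, not from the thread or from oVirt: a small Python audit of the krb5kdc syslog lines quoted above, which parses the enctypes the client offered and the ones the KDC issued, and flags BAD_ENCRYPTION_TYPE failures and DES/RC4 keys, the checks the participants did by reading the log by hand. The three sample lines are copied from the thread; enctype numbers and names follow the Kerberos RFCs, and the "weak"/"legacy" labels are this example's own classification.

```python
import re

# Kerberos enctype numbers (RFC 3961/3962/4757) that appear in the KDC lines above.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# Single DES only works with allow_weak_crypto = yes; 3DES and RC4 (arcfour-hmac) are legacy.
RISK = {1: "weak", 2: "weak", 3: "weak", 16: "legacy", 23: "legacy"}

# krb5kdc syslog format as quoted in the thread, covering ISSUE and error outcomes.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<client>[\d.]+): (?P<status>[A-Z_]+):\s*"
    r"(?:authtime \d+, etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\},\s*)?"
    r"(?P<principal>\S+) for (?P<service>[^,\s]+)")

# Constructed sample: the three KDC lines from the thread, one per outcome.
SAMPLE = [
    "Feb 26 16:49:53 ldap krb5kdc[1446]: AS_REQ (1 etypes {23}) 150.163.73.211: ISSUE: "
    "authtime 1361908193, etypes {rep=23 tkt=16 ses=23}, admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR",
    "Feb 26 16:49:53 ldap krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16 17 18}) 150.163.73.211: ISSUE: "
    "authtime 1361908193, etypes {rep=23 tkt=16 ses=1}, admin/admin@GSR.INPE.BR for ldap/ldap.gsr.inpe.br@GSR.INPE.BR",
    "Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE:"
    "admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type",
]

def parse_kdc_line(line):
    # Return the request's fields as a dict, or None for lines that are not KDC requests.
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["offered"] = [int(x) for x in d["offered"].split()]  # etypes the client proposed
    for k in ("rep", "tkt", "ses"):                         # reply, ticket and session key types
        d[k] = int(d[k]) if d[k] else None
    return d

def audit(lines):
    # One finding per failed negotiation and per weak or legacy key the KDC actually issued.
    findings = []
    for r in filter(None, map(parse_kdc_line, lines)):
        who = f"{r['req']} {r['principal']} from {r['client']}"
        if r["status"] != "ISSUE":
            offered = ", ".join(ENCTYPES.get(e, str(e)) for e in r["offered"])
            findings.append(f"{who}: {r['status']} (client offered only {offered})")
            continue
        for role in ("rep", "tkt", "ses"):
            if r[role] in RISK:
                findings.append(f"{who}: {role} key uses {RISK[r[role]]} {ENCTYPES[r[role]]}")
    return findings
```

Run against the sample, the failed AS_REQ shows the engine offering only rc4-hmac (the etype the KDC did not yet permit), and the later successful exchanges show that the fix in the thread made the setup work by issuing RC4 and DES keys rather than AES ones.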