
I am working on getting oVirt working with our LDAP environment and have run into a few issues. Based on my googling, my understanding is that oVirt should query DNS for an LDAP SRV record. However, based on my wireshark captures I never see such a request. I ended up installing phpPgAdmin and found the vdc_options table and something called DomainName. I figured that was a good place to start, so I put our domain there and now I see the DNS SRV queries.

In the logs I see:

2012-02-19 12:58:26,532 ERROR [org.ovirt.engine.core.bll.adbroker.GetRootDSETask] (pool-5-thread-47) Couldnt deduce provider type for domain blinkmind.net
2012-02-19 12:58:26,533 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (http--0.0.0.0-8080-10) Failed ldap search server LDAP://ldap-master.dal.blinkmind.net:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException: Failed to get rootDSE record for server LDAP://ldap-master.dal.blinkmind.net:389. We should try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException: Failed to get rootDSE record for server LDAP://ldap-master.dal.blinkmind.net:389
    at org.ovirt.engine.core.bll.adbroker.GetRootDSETask.call(GetRootDSETask.java:68) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.DirectorySearcher$1.call(DirectorySearcher.java:101) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.DirectorySearcher$1.call(DirectorySearcher.java:97) [engine-bll.jar:]
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) [:1.6.0_22]
    at java.util.concurrent.FutureTask.run(FutureTask.java:166) [:1.6.0_22]
    at org.ovirt.engine.core.utils.threadpool.ThreadPoolUtil$InternalWrapperRunnable.run(ThreadPoolUtil.java:57) [utils-3.0.0-0001.jar:]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [:1.6.0_22]
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) [:1.6.0_22]
    at java.util.concurrent.FutureTask.run(FutureTask.java:166) [:1.6.0_22]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [:1.6.0_22]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [:1.6.0_22]
    at java.lang.Thread.run(Thread.java:679) [:1.6.0_22]
2012-02-19 12:58:26,537 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http--0.0.0.0-8080-10) Failed authenticating user: nathan to domain blinkmind.net. Ldap Query Type is getUserByName
2012-02-19 12:58:26,538 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-10) USER_FAILED_TO_AUTHENTICATE_CONNECTION_ERROR : nathan
2012-02-19 12:58:26,539 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-10) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_CONNECTION_ERROR

All our Linux boxes use the same LDAP server without issue, so I know that part is working.

P.S. What is LDAPSecurityAuthentication (option_id 2) and what should it be set to?
Nathan Stratton, CTO, BlinkMind, Inc.
nathan at robotics.net / nathan at blinkmind.com
http://www.robotics.net / http://www.blinkmind.com

On 02/19/2012 09:02 PM, Nathan Stratton wrote:
I am working on getting oVirt working with our LDAP environment and have run into a few issues. Based on my googling, my understanding is that oVirt should query DNS for an LDAP SRV record. However, based on my wireshark captures I never see such a request.
I ended up installing phpPgAdmin and found the vdc_options table and something called DomainName. I figured that was a good place to start, so I put our domain there and now I see the DNS SRV queries.
I'd try with wireshark to capture ports 88, 53 and 389 (something like '-s 1500 -w /tmp/file.pcap port 53 or port 88 or port 389' if you are using tcpdump). Then check that indeed the responses from DNS correlate well with what we are trying to connect to. (BTW, there was a regression in the code not so long ago in that area - are you using latest code?). Y.
In the logs I see:
2012-02-19 12:58:26,532 ERROR [org.ovirt.engine.core.bll.adbroker.GetRootDSETask] (pool-5-thread-47) Couldnt deduce provider type for domain blinkmind.net
2012-02-19 12:58:26,533 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (http--0.0.0.0-8080-10) Failed ldap search server LDAP://ldap-master.dal.blinkmind.net:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException: Failed to get rootDSE record for server LDAP://ldap-master.dal.blinkmind.net:389. We should try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException: Failed to get rootDSE record for server LDAP://ldap-master.dal.blinkmind.net:389
    at org.ovirt.engine.core.bll.adbroker.GetRootDSETask.call(GetRootDSETask.java:68) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.DirectorySearcher$1.call(DirectorySearcher.java:101) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.DirectorySearcher$1.call(DirectorySearcher.java:97) [engine-bll.jar:]
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) [:1.6.0_22]
    at java.util.concurrent.FutureTask.run(FutureTask.java:166) [:1.6.0_22]
    at org.ovirt.engine.core.utils.threadpool.ThreadPoolUtil$InternalWrapperRunnable.run(ThreadPoolUtil.java:57) [utils-3.0.0-0001.jar:]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [:1.6.0_22]
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) [:1.6.0_22]
    at java.util.concurrent.FutureTask.run(FutureTask.java:166) [:1.6.0_22]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [:1.6.0_22]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [:1.6.0_22]
    at java.lang.Thread.run(Thread.java:679) [:1.6.0_22]
2012-02-19 12:58:26,537 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http--0.0.0.0-8080-10) Failed authenticating user: nathan to domain blinkmind.net. Ldap Query Type is getUserByName
2012-02-19 12:58:26,538 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-10) USER_FAILED_TO_AUTHENTICATE_CONNECTION_ERROR : nathan
2012-02-19 12:58:26,539 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-10) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_CONNECTION_ERROR
All our linux boxes use the same LDAP server without issue, so I know that part is working.
P.S. What is LDAPSecurityAuthentication (option_id 2) and what should it be set to?
Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

On Sun, 19 Feb 2012, Yaniv Kaul wrote:
I'd try with wireshark to capture ports 88, 53 and 389 (something like '-s 1500 -w /tmp/file.pcap port 53 or port 88 or port 389' if you are using tcpdump).
http://share.robotics.net/ldap.pcap
Then check that indeed the responses from DNS correlate well with what we are trying to connect to.
Yep, it's hitting the LDAP server, just not getting what it wants back. Is it possible that it does not like the "<ROOT>" and that it should be ""? I.E. If I do:

[root@ovirt-engine ~]# ldapsearch -H ldap://10.10.0.105 -x -s base -b "" +
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=blinkmind,dc=net
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

But if I do:

[root@ovirt-engine ~]# ldapsearch -H ldap://10.10.0.105 -x -s base -b "<ROOT>" +
# extended LDIF
#
# LDAPv3
# base <<ROOT>> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

# search result
search: 2
result: 34 Invalid DN syntax
text: invalid DN

# numResponses: 1
(BTW, there was a regression in the code not so long ago in that area - are you using latest code?).
3.0.0_0001-1.6.fc16

----- Original Message -----
On Sun, 19 Feb 2012, Yaniv Kaul wrote:
I'd try with wireshark to capture ports 88, 53 and 389 (something like '-s 1500 -w /tmp/file.pcap port 53 or port 88 or port 389' if you are using tcpdump).
http://share.robotics.net/ldap.pcap
Then check that indeed the responses from DNS correlate well with what we are trying to connect to.
Yep, it's hitting the LDAP server, just not getting what it wants back. Is it possible that it does not like the "<ROOT>" and that it should be ""?
I.E. If I do:
[root@ovirt-engine ~]# ldapsearch -H ldap://10.10.0.105 -x -s base -b "" +
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:
structuralObjectClass: OpenLDAProotDSE
Sorry, my fault - should have seen it earlier - we do not support OpenLDAP yet - we fail to parse its rootDSE, therefore do not have a way to proceed. I think there's an RFE for it somewhere filed, but if not, worth filing. Y.
configContext: cn=config
namingContexts: dc=blinkmind,dc=net
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
But if I do:
[root@ovirt-engine ~]# ldapsearch -H ldap://10.10.0.105 -x -s base -b "<ROOT>" +
# extended LDIF
#
# LDAPv3
# base <<ROOT>> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

# search result
search: 2
result: 34 Invalid DN syntax
text: invalid DN

# numResponses: 1
(BTW, there was a regression in the code not so long ago in that area - are you using latest code?).
3.0.0_0001-1.6.fc16
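The rootDSE parsing Yaniv refers to, as an added example that is not oVirt engine code: it reads a rootDSE exactly as "ldapsearch -x -s base -b '' +" prints it (the OpenLDAP sample is the one quoted above, abridged; the 389ds and AD samples are constructed) and applies a provider heuristic that is this example's own assumption, so an OpenLDAP server ends up "unsupported" just as the "Couldnt deduce provider type" log line reports.

```python
"""Parse a rootDSE as printed by `ldapsearch -x -s base -b "" +` and decide
whether the directory is one the engine can talk to.  Added example, not
oVirt engine code; the provider heuristics are this example's assumptions."""
import base64
from typing import Dict, List, Tuple

# Constructed sample 1: the OpenLDAP rootDSE quoted in the thread, abridged.
OPENLDAP_ROOTDSE = """\
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=blinkmind,dc=net
supportedLDAPVersion: 3
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success
"""

# Constructed sample 2: the shape of a 389 Directory Server rootDSE (FreeIPA
# is built on 389ds and answers the same way); assumed, not captured.
DS389_ROOTDSE = """\
dn:
namingContexts: dc=blinkmind,dc=net
namingContexts: cn=config
supportedLDAPVersion: 3
vendorName: 389 Project
vendorVersion: 389-Directory/1.2.10
"""

# Constructed sample 3: a minimal Active Directory rootDSE with one folded
# LDIF line and one base64 ('::') value to exercise the parser; assumed shape.
AD_ROOTDSE = """\
dn:
rootDomainNamingContext: DC=example,DC=com
defaultNamingContext: DC=example,
 DC=com
domainFunctionality: 2
dnsHostName:: ZGMxLmV4YW1wbGUuY29t
"""

def parse_rootdse(ldif: str) -> Dict[str, List[str]]:
    """Return the entry's attributes as {name: [values]}.  ldapsearch's '#'
    preamble before 'dn:' is skipped, the entry ends at the first blank line
    (so the 'search:/result:' trailer is never read), folded lines (leading
    space) are joined, and 'attr:: value' is base64-decoded."""
    attrs: Dict[str, List[str]] = {}
    in_entry = False
    for line in ldif.replace("\n ", "").splitlines():
        if not in_entry:
            in_entry = line.startswith("dn:")
            if not in_entry:
                continue
        if line == "":
            break
        name, _, raw = line.partition(":")
        if raw.startswith(":"):
            value = base64.b64decode(raw[1:].strip()).decode("utf-8")
        else:
            value = raw.strip()
        attrs.setdefault(name, []).append(value)
    return attrs

def classify_provider(attrs: Dict[str, List[str]]) -> str:
    """Heuristic detection (this example's assumption, not the engine's
    logic): AD publishes rootDomainNamingContext / domainFunctionality,
    389ds and RHDS (and IPA on top of them) publish vendorName, and OpenLDAP
    tags its rootDSE with structuralObjectClass OpenLDAProotDSE."""
    if "rootDomainNamingContext" in attrs or "domainFunctionality" in attrs:
        return "ad"
    vendor = " ".join(attrs.get("vendorName", [])).lower()
    if any(tag in vendor for tag in ("389", "red hat", "fedora")):
        return "389ds"
    if "OpenLDAProotDSE" in attrs.get("structuralObjectClass", []):
        return "openldap"
    return "unknown"

# Providers the thread says the engine can use: AD, freeIPA/IPA, 389ds/RHDS.
SUPPORTED = frozenset({"ad", "389ds"})

def check_server(ldif: str) -> Tuple[str, bool, List[str]]:
    """Return (provider, supported, naming contexts); an unsupported provider
    is the situation behind 'Couldnt deduce provider type'."""
    attrs = parse_rootdse(ldif)
    provider = classify_provider(attrs)
    bases = [dn for dn in attrs.get("namingContexts", []) if dn]
    return provider, provider in SUPPORTED, bases
```

The naming contexts it returns are the base DNs a user search would have to start from, which Yaniv notes later is not something the engine lets you configure.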

On Sun, 19 Feb 2012, Yaniv Kaul wrote:
Sorry, my fault - should have seen it earlier - we do not support OpenLDAP yet - we fail to parse its rootDSE, therefore do not have a way to proceed. I think there's an RFE for it somewhere filed, but if not, worth filing.
Ouch, do you support Apache Directory Server?

On 02/19/2012 10:30 PM, Nathan Stratton wrote:
On Sun, 19 Feb 2012, Yaniv Kaul wrote:
Sorry, my fault - should have seen it earlier - we do not support OpenLDAP yet - we fail to parse its rootDSE, therefore do not have a way to proceed. I think there's an RFE for it somewhere filed, but if not, worth filing.
Ouch, do you support Apache Directory Server?
Sorry Nathan, we do not support this one either.
Yair

On 02/19/2012 10:36 PM, Yair Zaslavsky wrote:
On 02/19/2012 10:30 PM, Nathan Stratton wrote:
On Sun, 19 Feb 2012, Yaniv Kaul wrote:
Sorry, my fault - should have seen it earlier - we do not support OpenLDAP yet - we fail to parse its rootDSE, therefore do not have a way to proceed. I think there's an RFE for it somewhere filed, but if not, worth filing.
Ouch, do you support Apache Directory Server?
Sorry Nathan, we do not support this one either.
The current code supports AD, freeIPA/IPA and 389ds/RHDS. If Apache Directory Server is similar to any of them, you could try hacking the code to add support for it.

On Sun, 19 Feb 2012, Itamar Heim wrote:
The current code supports AD, freeIPA/IPA and 389ds/RHDS. If Apache Directory Server is similar to any of them, you could try hacking the code to add support for it.
Ok, will go with 389 for now, it's in the family, tho Gluster is in the family and you don't support it as a storage file system... : ) Just kidding, you guys are great, keep up the good work.

On 02/19/2012 11:11 PM, Nathan Stratton wrote:
On Sun, 19 Feb 2012, Itamar Heim wrote:
The current code supports AD, freeIPA/IPA and 389ds/RHDS. If Apache Directory Server is similar to any of them, you could try hacking the code to add support for it.
Ok, will go with 389 for now, it's in the family, tho Gluster is in the family and you don't support it as a storage file system... : )
Please remember you need 389ds with Kerberos support. Gluster is in the works... see: http://www.ovirt.org/wiki/AddingGlusterSupportToOvirt
Just kidding, you guys are great, keep up the good work.

Hey,
More information on the domain infrastructure we have can be found in: http://www.ovirt.org/wiki/DomainInfrastructure (I might update it more soon, but it can give you a basic view of how the domain management in oVirt is working, and what you need to update in order to support a new LDAP provider).
Oved
----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com> To: "Nathan Stratton" <nathan@robotics.net> Cc: users@ovirt.org Sent: Sunday, February 19, 2012 11:14:24 PM Subject: Re: [Users] LDAP
On 02/19/2012 11:11 PM, Nathan Stratton wrote:
On Sun, 19 Feb 2012, Itamar Heim wrote:
The current code supports AD, freeIPA/IPA and 389ds/RHDS. If Apache Directory Server is similar to any of them, you could try hacking the code to add support for it.
Ok, will go with 389 for now, it's in the family, tho Gluster is in the family and you don't support it as a storage file system... : )
Please remember you need 389ds with Kerberos support.
Gluster is in the works... see: http://www.ovirt.org/wiki/AddingGlusterSupportToOvirt
Just kidding, you guys are great, keep up the good work.

On 02/20/2012 09:39 AM, Oved Ourfalli wrote:
Hey,
More information on the domain infrastructure we have can be found in: http://www.ovirt.org/wiki/DomainInfrastructure (I might update it more soon, but it can give you a basic view of how the domain management in oVirt is working, and what you need to update in order to support a new LDAP provider).
Oved
Thanks Oved for the Wiki, I added a minor change of the package name (it referred to nogah, not ovirt).
----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com> To: "Nathan Stratton" <nathan@robotics.net> Cc: users@ovirt.org Sent: Sunday, February 19, 2012 11:14:24 PM Subject: Re: [Users] LDAP
On 02/19/2012 11:11 PM, Nathan Stratton wrote:
On Sun, 19 Feb 2012, Itamar Heim wrote:
The current code supports AD, freeIPA/IPA and 389ds/RHDS. If Apache Directory Server is similar to any of them, you could try hacking the code to add support for it.
Ok, will go with 389 for now, it's in the family, tho Gluster is in the family and you don't support it as a storage file system... : )
Please remember you need 389ds with Kerberos support.
Gluster is in the works... see: http://www.ovirt.org/wiki/AddingGlusterSupportToOvirt
Just kidding, you guys are great, keep up the good work.

On 02/20/2012 09:39 AM, Oved Ourfalli wrote:
Hey,
More information on the domain infrastructure we have can be found in: http://www.ovirt.org/wiki/DomainInfrastructure (I might update it more soon, but it can give you a basic view of how the domain management in oVirt is working, and what you need to update in order to support a new LDAP provider).
Oved
I just would like to add that in general, when one wants to add support for a new LDAP server, it should be realized that there are two main issues to take care of:
a. How authentication to the LDAP server is performed (examples we encountered in the past: Kerberos/GSSAPI and SIMPLE).
b. How to perform the LDAP queries (i.e., use the proper schema).
This is at least how I see it.
Yair
----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com> To: "Nathan Stratton" <nathan@robotics.net> Cc: users@ovirt.org Sent: Sunday, February 19, 2012 11:14:24 PM Subject: Re: [Users] LDAP
On 02/19/2012 11:11 PM, Nathan Stratton wrote:
On Sun, 19 Feb 2012, Itamar Heim wrote:
The current code supports AD, freeIPA/IPA and 389ds/RHDS. If Apache Directory Server is similar to any of them, you could try hacking the code to add support for it.
Ok, will go with 389 for now, it's in the family, tho Gluster is in the family and you don't support it as a storage file system... : )
Please remember you need 389ds with Kerberos support.
Gluster is in the works... see: http://www.ovirt.org/wiki/AddingGlusterSupportToOvirt
Just kidding, you guys are great, keep up the good work.

On 02/20/2012 12:02 PM, Yair Zaslavsky wrote:
On 02/20/2012 09:39 AM, Oved Ourfalli wrote:
Hey,
More information on the domain infrastructure we have can be found in: http://www.ovirt.org/wiki/DomainInfrastructure (I might update it more soon, but it can give you a basic view of how the domain management in oVirt is working, and what you need to update in order to support a new LDAP provider).
Oved
I just would like to add that in general, when one wants to add support for a new LDAP server, it should be realized that there are two main issues to take care of:
a. How authentication to the LDAP server is performed (examples we encountered in the past: Kerberos/GSSAPI and SIMPLE).
The lack of SSL support is glaring. Except for AD, the whole world is using SSL (TLS actually) for authentication and/or encryption.
b. How to perform the LDAP queries (i.e., use the proper schema).
Most products allow you to specify the search attribute (samaccountname in AD for example). Do we really need a lot more from the scheme? (The base DN to search from is also a bit missing, but that's not part of the scheme, but our own configuration) Y.
This is at least how I see it.
Yair
----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com> To: "Nathan Stratton" <nathan@robotics.net> Cc: users@ovirt.org Sent: Sunday, February 19, 2012 11:14:24 PM Subject: Re: [Users] LDAP
On 02/19/2012 11:11 PM, Nathan Stratton wrote:
On Sun, 19 Feb 2012, Itamar Heim wrote:
The current code supports AD, freeIPA/IPA and 389ds/RHDS. If Apache Directory Server is similar to any of them, you could try hacking the code to add support for it.
Ok, will go with 389 for now, it's in the family, tho Gluster is in the family and you don't support it as a storage file system... : )
Please remember you need 389ds with Kerberos support.
Gluster is in the works... see: http://www.ovirt.org/wiki/AddingGlusterSupportToOvirt
Just kidding, you guys are great, keep up the good work.

On Sun, 19 Feb 2012, Itamar Heim wrote:
On 02/19/2012 11:11 PM, Nathan Stratton wrote:
On Sun, 19 Feb 2012, Itamar Heim wrote:
The current code supports AD, freeIPA/IPA and 389ds/RHDS. If Apache Directory Server is similar to any of them, you could try hacking the code to add support for it.
Ok, will go with 389 for now, it's in the family, tho Gluster is in the family and you don't support it as a storage file system... : )
Please remember you need 389ds with Kerberos support.
Got it installed and set up; I am able to authenticate from Linux boxes with the new 389 LDAP so I know that works. However, I am still running into issues getting ovirt-engine to work with it.

http://share.robotics.net/ldap.pcap

As you can see from the pcap, I see a DNS SRV query for _ldap._tcp.blinkmind.net and the box does talk to the LDAP box. I don't see anything on port 88, or an LDAP query for the Kerberos, or does it try to just use the same IP as LDAP?

2012-02-21 16:59:48,411 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (http--0.0.0.0-8080-1) Failed ldap search server LDAP://ldap-master.hou.blinkmind.net:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
    at org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy.authenticateToKDC(GSSAPIDirContextAuthenticationStrategy.java:150) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy.explicitAuth(GSSAPIDirContextAuthenticationStrategy.java:119) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy.authenticate(GSSAPIDirContextAuthenticationStrategy.java:111) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.GSSAPILdapTemplateWrapper.useAuthenticationStrategy(GSSAPILdapTemplateWrapper.java:90) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.PrepareLdapConnectionTask.call(PrepareLdapConnectionTask.java:56) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.DirectorySearcher$1.call(DirectorySearcher.java:108) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.DirectorySearcher$1.call(DirectorySearcher.java:97) [engine-bll.jar:]
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) [:1.6.0_22]
    at java.util.concurrent.FutureTask.run(FutureTask.java:166) [:1.6.0_22]
    at org.ovirt.engine.core.utils.threadpool.ThreadPoolUtil$InternalWrapperRunnable.run(ThreadPoolUtil.java:57) [utils-3.0.0-0001.jar:]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [:1.6.0_22]
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) [:1.6.0_22]
    at java.util.concurrent.FutureTask.run(FutureTask.java:166) [:1.6.0_22]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [:1.6.0_22]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [:1.6.0_22]
    at java.lang.Thread.run(Thread.java:679) [:1.6.0_22]
2012-02-21 16:59:48,415 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http--0.0.0.0-8080-1) Failed authenticating user: nathan to domain blinkmind.net. Ldap Query Type is getUserByName
2012-02-21 16:59:48,416 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) USER_FAILED_TO_AUTHENTICATE_NO_KDCS_FOUND : nathan
2012-02-21 16:59:48,416 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_NO_KDCS_FOUND

----- Original Message -----
From: "Nathan Stratton" <nathan@robotics.net> To: "Itamar Heim" <iheim@redhat.com> Cc: users@ovirt.org Sent: Wednesday, February 22, 2012 1:03:33 AM Subject: Re: [Users] LDAP
On Sun, 19 Feb 2012, Itamar Heim wrote:
On 02/19/2012 11:11 PM, Nathan Stratton wrote:
On Sun, 19 Feb 2012, Itamar Heim wrote:
The current code supports AD, freeIPA/IPA and 389ds/RHDS. If Apache Directory Server is similar to any of them, you could try hacking the code to add support for it.
Ok, will go with 389 for now, it's in the family, tho Gluster is in the family and you don't support it as a storage file system... : )
Please remember you need 389ds with Kerberos support.
Got it installed and set up; I am able to authenticate from Linux boxes with the new 389 LDAP so I know that works. However, I am still running into issues getting ovirt-engine to work with it.
http://share.robotics.net/ldap.pcap
As you can see from the pcap, I see a DNS SRV query for _ldap._tcp.blinkmind.net and the box does talk to the LDAP box. I don't see anything on port 88, or an LDAP query for the Kerberos, or does it try to just use the same IP as LDAP?
2012-02-21 16:59:48,411 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (http--0.0.0.0-8080-1) Failed ldap search server LDAP://ldap-master.hou.blinkmind.net:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
    at org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy.authenticateToKDC(GSSAPIDirContextAuthenticationStrategy.java:150) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy.explicitAuth(GSSAPIDirContextAuthenticationStrategy.java:119) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy.authenticate(GSSAPIDirContextAuthenticationStrategy.java:111) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.GSSAPILdapTemplateWrapper.useAuthenticationStrategy(GSSAPILdapTemplateWrapper.java:90) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.PrepareLdapConnectionTask.call(PrepareLdapConnectionTask.java:56) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.DirectorySearcher$1.call(DirectorySearcher.java:108) [engine-bll.jar:]
    at org.ovirt.engine.core.bll.adbroker.DirectorySearcher$1.call(DirectorySearcher.java:97) [engine-bll.jar:]
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) [:1.6.0_22]
    at java.util.concurrent.FutureTask.run(FutureTask.java:166) [:1.6.0_22]
    at org.ovirt.engine.core.utils.threadpool.ThreadPoolUtil$InternalWrapperRunnable.run(ThreadPoolUtil.java:57) [utils-3.0.0-0001.jar:]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [:1.6.0_22]
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) [:1.6.0_22]
    at java.util.concurrent.FutureTask.run(FutureTask.java:166) [:1.6.0_22]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [:1.6.0_22]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [:1.6.0_22]
    at java.lang.Thread.run(Thread.java:679) [:1.6.0_22]
2012-02-21 16:59:48,415 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http--0.0.0.0-8080-1) Failed authenticating user: nathan to domain blinkmind.net. Ldap Query Type is getUserByName
2012-02-21 16:59:48,416 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) USER_FAILED_TO_AUTHENTICATE_NO_KDCS_FOUND : nathan
2012-02-21 16:59:48,416 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_NO_KDCS_FOUND
Hey,
This error usually happens when there is no krb5.conf file, or there is one but your domain isn't in it. The krb5.conf file should be located in the $JBOSS_HOME/standalone/configuration directory.
How did you configure the new domain? Using the engine-manage-domains utility?
Attaching the full server log and the krb5.conf file may help understand the problem.
We query for LDAP SRV records in the engine. In the utility we also query for Kerberos SRV records, and update the krb5.conf file accordingly. Then, the Kerberos authentication uses the host updated in the krb5.conf file to perform the authentication.
Oved
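Oved's two conditions for krb5.conf (the file exists and the domain is in it), written out as an added check that is not engine-manage-domains code; the krb5.conf text and its host names are constructed, and the check also reports the third way to end up with NO_KDCS_FOUND, a realm block that names no kdc.

```python
"""Check that a krb5.conf covers a domain the way the engine needs it: the
domain maps to a realm under [domain_realm] and that realm names at least one
KDC under [realms].  Added example, not engine-manage-domains code."""
from typing import Dict, Optional, Tuple

# Constructed krb5.conf: blinkmind.net is configured, nothing else is.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = BLINKMIND.NET
    dns_lookup_kdc = false

[realms]
    BLINKMIND.NET = {
        kdc = ipa.blinkmind.net:88     # constructed host names
        kdc = ipa2.blinkmind.net:88
        admin_server = ipa.blinkmind.net
    }

[domain_realm]
    .blinkmind.net = BLINKMIND.NET
    blinkmind.net = BLINKMIND.NET
"""

def parse_krb5_conf(text: str) -> Dict[str, Dict]:
    """Minimal krb5.conf reader: '[section]' headers, 'key = value' lines
    (repeated keys such as several 'kdc' lines accumulate into a list) and
    one level of 'NAME = { ... }' blocks, which is what [realms] uses.
    '#' and ';' comments are stripped."""
    conf: Dict[str, Dict] = {}
    section: Dict = {}
    block: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
            block = None
        elif line.endswith("{"):
            name = line[:-1].split("=", 1)[0].strip()
            block = section.setdefault(name, {})
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            target = section if block is None else block
            target.setdefault(key.strip(), []).append(value.strip())
    return conf

def realm_for_domain(conf: Dict[str, Dict], name: str) -> Optional[str]:
    """Map a host or domain name to a realm via [domain_realm]: the exact name
    first, then each parent domain with a leading dot (the walk libkrb5 does),
    e.g. ldap-master.hou.blinkmind.net -> .hou.blinkmind.net -> .blinkmind.net.
    None means the domain is simply not in krb5.conf."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    labels = name.lower().split(".")
    candidates = [name.lower()] + ["." + ".".join(labels[i:]) for i in range(len(labels))]
    for candidate in candidates:
        if candidate in mapping:
            return mapping[candidate]
    return None

def check_domain(conf: Dict[str, Dict], domain: str) -> Tuple[bool, str]:
    """Reproduce the failure modes behind NO_KDCS_FOUND: no realm mapping for
    the domain, no [realms] block for the realm, or a block without a kdc."""
    realm = realm_for_domain(conf, domain)
    if realm is None:
        return False, f"{domain}: no [domain_realm] entry, domain is not in krb5.conf"
    realm_cfg = conf.get("realms", {}).get(realm)
    if not isinstance(realm_cfg, dict):
        return False, f"{domain}: maps to {realm} but [realms] has no {realm} block"
    kdcs = realm_cfg.get("kdc", [])
    if not kdcs:
        return False, f"{domain}: realm {realm} lists no kdc"
    return True, f"{domain}: realm {realm}, KDCs {', '.join(kdcs)}"
```

Run it against the krb5.conf under $JBOSS_HOME/standalone/configuration with the domain you passed to engine-manage-domains; a False result points at the section to fix before retrying the login.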

On Wed, 22 Feb 2012, Oved Ourfalli wrote:
Hey,
This error usually happens when there is no krb5.conf file, or there is one but your domain isn't in it. The krb5.conf file should be located in the $JBOSS_HOME/standalone/configuration directory.
Ya, I gave up on the 389/Kerberos, looking at FreeIPA now. BTW, why can't we just use LDAP???

On 02/22/2012 11:02 PM, Nathan Stratton wrote:
On Wed, 22 Feb 2012, Oved Ourfalli wrote:
Hey,
This error usually happens when there is no krb5.conf file, or there is one but your domain isn't in it. The krb5.conf file should be located in the $JBOSS_HOME/standalone/configuration directory.
Ya, I gave up on the 389/Kerberos, looking at FreeIPA now.
BTW, why can't we just use LDAP???
LDAP cannot be 'just used'. It needs to be connected to (we use Kerberos, many use SSL/TLS) and it needs the correct schema configuration. FreeIPA uses Kerberos and LDAP. Patches are welcome for the rest. Y.

On Thu, 23 Feb 2012, Yaniv Kaul wrote:
LDAP cannot be 'just used'. It needs to be connected to (we use Kerberos, many use SSL/TLS) and it needs the correct schema configuration. FreeIPA uses Kerberos and LDAP.
True, but I use LDAP to auth a bunch of boxes on a private network and that seems to work fine. Anyway... Still trying to get this to work. I now have FreeIPA installed with a user set up. I am able to kinit that user and everything works fine; however, I get the following error:

[root@ovirt-engine log]# engine-manage-domains -action=add -domain=blinkmind.net -user=nathan -passwordFile=/etc/shadow -interactive
Error: exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
Failure while testing domain blinkmind.net. Details: Kerberos error. Please check log for further details.

----- Original Message -----
From: "Nathan Stratton" <nathan@robotics.net> To: "Yaniv Kaul" <ykaul@redhat.com> Cc: "Oved Ourfalli" <ovedo@redhat.com>, users@ovirt.org Sent: Thursday, February 23, 2012 7:38:42 PM Subject: Re: [Users] LDAP
IIRC, we only support using -interactive or using -passwordFile, and not both. The fact that you don't get a warning on that is a bug.

Found this blog with a similar error that is caused due to password expiration (in the engine log, and not while running the manage domains utility, but that might also help):
http://blog.rtfm.co.hu/2012/02/rhev-error-from-kerberos-integrity-check-on-d...

But the information there doesn't go very well with the fact that kinit is successful.

Is the file containing the correct password? Try using only -interactive, and enter the password interactively.

Also, attaching the log of the utility might be helpful.

Also, try logging in with that user to the IPA machine, that way you'll know if you need to change your password (I saw that sometimes kinit doesn't ask you to change the password, but logging in does).

Hope it helps,
Oved

On Thu, 23 Feb 2012, Oved Ourfalli wrote:
IIRC, we only support using -interactive or using -passwordFile, and not both. The fact that you don't get a warning on that is a bug.
:) Oops.
Found this blog with a similar error that is caused due to password expiration (in the engine log, and not while running the manage domains utility, but that might also help): http://blog.rtfm.co.hu/2012/02/rhev-error-from-kerberos-integrity-check-on-d...
But the information there doesn't go very well with the fact that kinit is successful.
Ya, I saw that also, (been doing a lot of googling), but:

-bash-4.2# kinit nathan
Password for nathan@BLINKMIND.NET:
-bash-4.2# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nathan@BLINKMIND.NET

Valid starting     Expires            Service principal
02/23/12 12:07:21  02/24/12 12:07:16  krbtgt/BLINKMIND.NET@BLINKMIND.NET
        renew until 03/01/12 12:07:16
Is the file containing the correct password? Try using only -interactive, and enter the password interactively.
Yep, the password is correct, I get the same error no matter what password I use. However when I try with -interactive I get more debug info (see below).
Also, attaching the log of the utility might be helpful.
How would I get that? I don't see anything anywhere in /var/log/*
Also, try logging in with that user to the IPA machine, that way you'll know if you need to change your password (I saw that sometimes kinit doesn't ask you to change the password, but logging in does).
Yep, that works fine. If I do it with -interactive I get the errors below. It seems to have an issue with DNS, but yet it is pulling the two SRV records AND hitting the right servers. Also both ovirt-engine and ipa-master have forward and reverse DNS and proper /etc/hosts files.

-bash-4.2# engine-manage-domains -action=add -domain=blinkmind.net -user=nathan -interactive
Enter password:
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]]
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:168)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:232)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
    at javax.naming.InitialContext.init(InitialContext.java:240)
    at javax.naming.InitialContext.<init>(InitialContext.java:214)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
    at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:357)
    at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
    at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:154)
    at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:140)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:563)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:709)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:404)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:235)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:163)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:123)
    ... 23 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
    ... 24 more
Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:72)
    at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:193)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:205)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
    at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
    ... 27 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:144)
    at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
    at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:54)
    ... 33 more
Error: LDAP query Failed. Error in DNS configuration. Please verify the oVirt Engine host has a valid reverse DNS (PTR) record.
Failure while testing domain blinkmind.net. Details: No user information was found for user

-bash-4.2# nslookup ipa-master.blinkmind.net
Server:         10.10.0.10
Address:        10.10.0.10#53

Name:   ipa-master.blinkmind.net
Address: 10.13.0.105

-bash-4.2# nslookup 10.13.0.105
Server:         10.10.0.10
Address:        10.10.0.10#53

105.0.13.10.in-addr.arpa        name = ipa-master.blinkmind.net.

-bash-4.2# nslookup ovirt-engine.blinkmind.net
Server:         10.10.0.10
Address:        10.10.0.10#53

Name:   ovirt-engine.blinkmind.net
Address: 10.13.0.245

-bash-4.2# nslookup 10.13.0.245
Server:         10.10.0.10
Address:        10.10.0.10#53

245.0.13.10.in-addr.arpa        name = ovirt-engine.blinkmind.net.

----- Original Message -----
From: "Nathan Stratton" <nathan@robotics.net>
To: "Oved Ourfalli" <ovedo@redhat.com>
Cc: users@ovirt.org, "Yaniv Kaul" <ykaul@redhat.com>
Sent: Thursday, February 23, 2012 8:13:33 PM
Subject: Re: [Users] LDAP
How would I get that? I don't see anything anywhere in /var/log/*
It should be in /var/log/ovirt-engine/engine-manage-domains/engine-manage-domains.log (or in /var/log/engine/engine-manage-domains/engine-manage-domains.log... not sure).
Please verify the oVirt Engine host has a valid reverse DNS (PTR) record. Failure while testing domain blinkmind.net. Details: No user information was found for user
Please try doing "dig -x <ip address of IPA server>"
Look at the answer section, to make sure it shows a PTR record of it:

dig -x 1.2.3.4
...
;; ANSWER SECTION:
4.3.2.1.in-addr.arpa.   84063   IN   PTR   my_server.my_domain.
...

On Thu, 23 Feb 2012, Oved Ourfalli wrote:
It should be in /var/log/ovirt-engine/engine-manage-domains/engine-manage-domains.log (or in /var/log/engine/engine-manage-domains/engine-manage-domains.log... not sure).
Hmm, don't have that, all I have is /var/log/ovirt-engine/engine.log files and engine-setup log files. I think the issue was old kerberos tickets, I flushed them all and retried and now I get:

-bash-4.2# engine-manage-domains -action=add -domain=blinkmind.net -user=nathan -interactive
Enter password:
No user in Directory was found for nathan@BLINKMIND.NET. Trying next LDAP server in list
Failure while testing domain blinkmind.net. Details: No user information was found for user

If I look on the ipa-server I do see the following in the LDAP access log:

[23/Feb/2012:18:33:34 +0000] conn=19 op=232 SRCH base="dc=blinkmind,dc=net" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=nathan@BLINKMIND.NET))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[23/Feb/2012:18:33:34 +0000] conn=19 op=232 RESULT err=0 tag=101 nentries=1 etime=0
[23/Feb/2012:18:33:34 +0000] conn=17 op=74 SRCH base="cn=global_policy,cn=BLINKMIND.NET,cn=kerberos,dc=blinkmind,dc=net" scope=0 filter="(objectClass=krbPwdPolicy)" attrs="cn krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[23/Feb/2012:18:33:34 +0000] conn=17 op=74 RESULT err=0 tag=101 nentries=1 etime=0
[23/Feb/2012:18:33:34 +0000] conn=19 op=233 SRCH base="dc=blinkmind,dc=net" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/BLINKMIND.NET@BLINKMIND.NET))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[23/Feb/2012:18:33:34 +0000] conn=19 op=233 RESULT err=0 tag=101 nentries=1 etime=0
[23/Feb/2012:18:33:34 +0000] conn=19 op=234 SRCH base="cn=global_policy,cn=BLINKMIND.NET,cn=kerberos,dc=blinkmind,dc=net" scope=0 filter="(objectClass=krbPwdPolicy)" attrs="cn krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[23/Feb/2012:18:33:34 +0000] conn=19 op=234 RESULT err=0 tag=101 nentries=1 etime=0
[23/Feb/2012:18:33:34 +0000] conn=20 op=220 SRCH base="dc=blinkmind,dc=net" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=nathan@BLINKMIND.NET))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[23/Feb/2012:18:33:34 +0000] conn=20 op=220 RESULT err=0 tag=101 nentries=1 etime=0
[23/Feb/2012:18:33:34 +0000] conn=18 op=71 SRCH base="cn=global_policy,cn=BLINKMIND.NET,cn=kerberos,dc=blinkmind,dc=net" scope=0 filter="(objectClass=krbPwdPolicy)" attrs="cn krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[23/Feb/2012:18:33:34 +0000] conn=18 op=71 RESULT err=0 tag=101 nentries=1 etime=0
[23/Feb/2012:18:33:34 +0000] conn=20 op=221 SRCH base="dc=blinkmind,dc=net" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/BLINKMIND.NET@BLINKMIND.NET))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[23/Feb/2012:18:33:34 +0000] conn=20 op=221 RESULT err=0 tag=101 nentries=1 etime=0
[23/Feb/2012:18:33:34 +0000] conn=20 op=222 SRCH base="cn=global_policy,cn=BLINKMIND.NET,cn=kerberos,dc=blinkmind,dc=net" scope=0 filter="(objectClass=krbPwdPolicy)" attrs="cn krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[23/Feb/2012:18:33:34 +0000] conn=20 op=222 RESULT err=0 tag=101 nentries=1 etime=0
[23/Feb/2012:18:33:34 +0000] conn=20 op=223 SRCH base="cn=global_policy,cn=BLINKMIND.NET,cn=kerberos,dc=blinkmind,dc=net" scope=0 filter="(objectClass=krbPwdPolicy)" attrs="cn krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[23/Feb/2012:18:33:34 +0000] conn=20 op=223 RESULT err=0 tag=101 nentries=1 etime=0
[23/Feb/2012:18:33:34 +0000] conn=20 op=224 SRCH base="uid=nathan,cn=users,cn=accounts,dc=blinkmind,dc=net" scope=0 filter="(objectClass=*)" attrs="objectClass"
[23/Feb/2012:18:33:34 +0000] conn=20 op=224 RESULT err=0 tag=101 nentries=1 etime=0
[23/Feb/2012:18:33:34 +0000] conn=20 op=225 MOD dn="uid=nathan,cn=users,cn=accounts,dc=blinkmind,dc=net"
[23/Feb/2012:18:33:34 +0000] conn=20 op=225 RESULT err=0 tag=103 nentries=0 etime=0
[23/Feb/2012:18:33:34 +0000] conn=49 fd=75 slot=75 connection from 10.13.0.245 to 10.13.0.105
[23/Feb/2012:18:33:34 +0000] conn=19 op=235 SRCH base="dc=blinkmind,dc=net" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/BLINKMIND.NET@BLINKMIND.NET))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[23/Feb/2012:18:33:34 +0000] conn=19 op=235 RESULT err=0 tag=101 nentries=1 etime=0
[23/Feb/2012:18:33:34 +0000] conn=19 op=236 SRCH base="dc=blinkmind,dc=net" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ldap/ipa-master.blinkmind.net@BLINKMIND.NET))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[23/Feb/2012:18:33:34 +0000] conn=19 op=236 RESULT err=0 tag=101 nentries=1 etime=0
[23/Feb/2012:18:33:34 +0000] conn=19 op=237 SRCH base="dc=blinkmind,dc=net" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=nathan@BLINKMIND.NET))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[23/Feb/2012:18:33:34 +0000] conn=19 op=237 RESULT err=0 tag=101 nentries=1 etime=0
[23/Feb/2012:18:33:34 +0000] conn=17 op=75 SRCH base="cn=global_policy,cn=BLINKMIND.NET,cn=kerberos,dc=blinkmind,dc=net" scope=0 filter="(objectClass=krbPwdPolicy)" attrs="cn krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[23/Feb/2012:18:33:34 +0000] conn=17 op=75 RESULT err=0 tag=101 nentries=1 etime=0
[23/Feb/2012:18:33:34 +0000] conn=49 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/Feb/2012:18:33:34 +0000] conn=49 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[23/Feb/2012:18:33:34 +0000] conn=49 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/Feb/2012:18:33:34 +0000] conn=49 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[23/Feb/2012:18:33:34 +0000] conn=49 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/Feb/2012:18:33:34 +0000] conn=49 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=nathan,cn=users,cn=accounts,dc=blinkmind,dc=net"
[23/Feb/2012:18:33:34 +0000] conn=49 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[23/Feb/2012:18:33:34 +0000] conn=49 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[23/Feb/2012:18:33:34 +0000] conn=50 fd=76 slot=76 connection from 10.13.0.245 to 10.13.0.105
[23/Feb/2012:18:33:34 +0000] conn=50 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/Feb/2012:18:33:34 +0000] conn=50 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[23/Feb/2012:18:33:34 +0000] conn=50 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/Feb/2012:18:33:34 +0000] conn=50 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[23/Feb/2012:18:33:34 +0000] conn=50 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/Feb/2012:18:33:34 +0000] conn=50 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=nathan,cn=users,cn=accounts,dc=blinkmind,dc=net"
[23/Feb/2012:18:33:34 +0000] conn=50 op=3 SRCH base="dc=blinkmind,dc=net" scope=2 filter="(&(samaccounttype=805306368)(userprincipalname=nathan@BLINKMIND.NET))" attrs="nsUniqueId ipaUniqueID objectguid objectClass javaSerializedData javaClassName javaFactory javaCodebase javaReferenceAddress javaClassNames javaremotelocation"
[23/Feb/2012:18:33:34 +0000] conn=50 op=3 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[23/Feb/2012:18:33:34 +0000] conn=50 op=4 UNBIND
[23/Feb/2012:18:33:34 +0000] conn=50 op=4 fd=76 closed - U1
[23/Feb/2012:18:33:34 +0000] conn=49 op=-1 fd=75 closed - B1
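The access log above is the decisive evidence in this thread: the GSSAPI bind on conn=50 succeeds as uid=nathan, and the search that then returns nothing uses Active Directory attributes (samaccounttype, userprincipalname) that a FreeIPA/389-ds tree does not carry, so the "No user information was found" message is a schema mismatch rather than a failed login. The following is an added example, not code from the thread or from oVirt or 389-ds: it parses 389-ds access-log lines of this format, correlates each connection's BIND with its later searches, and reports that pattern plus unindexed (notes=U) subtree searches. The sample lines are copied from the log above with the attrs lists shortened; the class and finding names are mine.

```python
"""Correlate 389-ds / FreeIPA access-log lines per connection (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample lines copied from the access log in the thread (attrs lists shortened).
SAMPLE_LOG = """\
[23/Feb/2012:18:33:34 +0000] conn=19 op=236 SRCH base="dc=blinkmind,dc=net" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ldap/ipa-master.blinkmind.net@BLINKMIND.NET))" attrs="krbPrincipalName krbPrincipalKey"
[23/Feb/2012:18:33:34 +0000] conn=19 op=236 RESULT err=0 tag=101 nentries=1 etime=0
[23/Feb/2012:18:33:34 +0000] conn=49 fd=75 slot=75 connection from 10.13.0.245 to 10.13.0.105
[23/Feb/2012:18:33:34 +0000] conn=49 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/Feb/2012:18:33:34 +0000] conn=49 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[23/Feb/2012:18:33:34 +0000] conn=49 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/Feb/2012:18:33:34 +0000] conn=49 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[23/Feb/2012:18:33:34 +0000] conn=49 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/Feb/2012:18:33:34 +0000] conn=49 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=nathan,cn=users,cn=accounts,dc=blinkmind,dc=net"
[23/Feb/2012:18:33:34 +0000] conn=49 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[23/Feb/2012:18:33:34 +0000] conn=49 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[23/Feb/2012:18:33:34 +0000] conn=50 fd=76 slot=76 connection from 10.13.0.245 to 10.13.0.105
[23/Feb/2012:18:33:34 +0000] conn=50 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/Feb/2012:18:33:34 +0000] conn=50 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[23/Feb/2012:18:33:34 +0000] conn=50 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/Feb/2012:18:33:34 +0000] conn=50 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=nathan,cn=users,cn=accounts,dc=blinkmind,dc=net"
[23/Feb/2012:18:33:34 +0000] conn=50 op=3 SRCH base="dc=blinkmind,dc=net" scope=2 filter="(&(samaccounttype=805306368)(userprincipalname=nathan@BLINKMIND.NET))" attrs="nsUniqueId ipaUniqueID objectguid objectClass"
[23/Feb/2012:18:33:34 +0000] conn=50 op=3 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[23/Feb/2012:18:33:34 +0000] conn=50 op=4 UNBIND
[23/Feb/2012:18:33:34 +0000] conn=50 op=4 fd=76 closed - U1
[23/Feb/2012:18:33:34 +0000] conn=49 op=-1 fd=75 closed - B1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>-?\d+) (?P<kind>[A-Z]+)\s*(?P<args>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Attributes present in an Active Directory schema but not in FreeIPA/389-ds.
AD_ONLY_ATTRS = ("samaccounttype", "samaccountname", "userprincipalname", "objectguid")


@dataclass
class Search:
    op: int
    base: str
    scope: int
    filter: str
    nentries: int
    notes: str


@dataclass
class Conn:
    conn: int
    peer: str = ""                    # client address from the "connection from" line
    bound_as: Optional[str] = None    # DN reported on the successful BIND RESULT
    searches: List[Search] = field(default_factory=list)


def _kv(args: str) -> Dict[str, str]:
    """Split 'k=v k="quoted v"' pairs; drop quotes and the comma after 'etime=0,'."""
    return {k: v.strip('"').rstrip(",") for k, v in KV_RE.findall(args)}


def parse_access_log(text: str) -> Dict[int, Conn]:
    conns: Dict[int, Conn] = {}
    pending: Dict[Tuple[int, int], Tuple[str, Dict[str, str]]] = {}  # (conn, op) -> request
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cid = int(m.group("conn"))
        c = conns.setdefault(cid, Conn(cid))
        rest = m.group("rest")
        if rest.startswith("fd="):                 # connection open/close line, no op
            pm = re.search(r"connection from (\S+) to ", rest)
            if pm:
                c.peer = pm.group(1)
            continue
        om = OP_RE.match(rest)
        if not om:
            continue
        op, kind, kv = int(om.group("op")), om.group("kind"), _kv(om.group("args"))
        if kind in ("BIND", "SRCH"):
            pending[(cid, op)] = (kind, kv)
        elif kind == "RESULT":
            req = pending.pop((cid, op), None)
            if req is None:
                continue
            rkind, rkv = req
            if rkind == "BIND" and kv.get("err") == "0":
                # For SASL/GSSAPI the authenticated DN appears only on the final RESULT.
                c.bound_as = kv.get("dn") or rkv.get("dn") or None
            elif rkind == "SRCH":
                c.searches.append(Search(op, rkv.get("base", ""), int(rkv.get("scope", "0")),
                                         rkv.get("filter", ""), int(kv.get("nentries", "0")),
                                         kv.get("notes", "")))
    return conns


def diagnose(conns: Dict[int, Conn]) -> List[dict]:
    """Flag (a) an authenticated client searching with AD-only attributes and getting
    nothing back, and (b) unindexed subtree searches, which scan the whole backend."""
    findings = []
    for c in sorted(conns.values(), key=lambda x: x.conn):
        for s in c.searches:
            ad = [a for a in AD_ONLY_ATTRS if a in s.filter.lower()]
            if s.nentries == 0 and c.bound_as and ad:
                findings.append({"conn": c.conn, "op": s.op, "code": "schema_mismatch",
                                 "detail": f"bound as {c.bound_as}; filter uses {ad}"})
            if "U" in s.notes and s.scope == 2:
                findings.append({"conn": c.conn, "op": s.op, "code": "unindexed_search",
                                 "detail": f"subtree search from {c.peer} under {s.base}"})
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_access_log(SAMPLE_LOG)):
        print(f)
```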

On 02/23/2012 08:26 PM, Oved Ourfalli wrote:
Not sure if help is still needed in this issue (krb error code 7 ) - from my experience, this usually happened when DNS was not configured correctly - IMHO - you need to configure a reverse PTR record to the machine that runs engine-core. In addition, make sure that ldap and krb have proper DNS srv records. Oved - do we have a wiki (upstream) explaining these DNS issues?
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212) at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:123) ... 23 more Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER) at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679) at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248) at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180) at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193) ... 24 more Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:72) at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:193) at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:205) at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297) at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114) at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555) at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610) ... 27 more Caused by: KrbException: Identifier doesn't match expected value (906) at sun.security.krb5.internal.KDCRep.init(KDCRep.java:144) at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65) at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60) at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:54) ... 33 more Error: LDAP query Failed. Error in DNS configuration. Please verify the oVirt Engine host has a valid reverse DNS (PTR) record. Failure while testing domain blinkmind.net. Details: No user information was found for user
Please try doing "dig -x <ip address of IPA server>"
Look at the answer section, to make sure it shows a PTR record of it:

dig -x 1.2.3.4
...
;; ANSWER SECTION:
4.3.2.1.in-addr.arpa. 84063 IN PTR my_server.my_domain.
...
-bash-4.2# nslookup ipa-master.blinkmind.net
Server:     10.10.0.10
Address:    10.10.0.10#53

Name:   ipa-master.blinkmind.net
Address: 10.13.0.105

-bash-4.2# nslookup 10.13.0.105
Server:     10.10.0.10
Address:    10.10.0.10#53

105.0.13.10.in-addr.arpa    name = ipa-master.blinkmind.net.

-bash-4.2# nslookup ovirt-engine.blinkmind.net
Server:     10.10.0.10
Address:    10.10.0.10#53

Name:   ovirt-engine.blinkmind.net
Address: 10.13.0.245

-bash-4.2# nslookup 10.13.0.245
Server:     10.10.0.10
Address:    10.10.0.10#53

245.0.13.10.in-addr.arpa    name = ovirt-engine.blinkmind.net.
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
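The checks the replies above ask for (a PTR for the engine host that matches its forward record, the same for the directory server, and SRV records for LDAP and Kerberos) gathered into one script, as an added example and not code from oVirt or anyone in this thread; it assumes `dig` is installed for live lookups and that the SRV names are `_ldap._tcp` and `_kerberos._udp` under the domain, and its embedded sample zone is constructed from the nslookup output quoted above so it runs offline.

```python
"""DNS prerequisites for oVirt's Kerberos/LDAP login (added example, not oVirt code):
hosts resolve forward and back to the same name, and the domain publishes SRV records
for LDAP and Kerberos. Live lookups assume `dig`; SAMPLE_ZONE is constructed data."""
import subprocess
from typing import Callable, List
Resolver = Callable[[str, str], List[str]]  # resolve(name, rtype) -> record strings

# Constructed sample zone mirroring the nslookup output quoted in the thread.
SAMPLE_ZONE = {
    ("ipa-master.blinkmind.net", "A"): ["10.13.0.105"],
    ("105.0.13.10.in-addr.arpa", "PTR"): ["ipa-master.blinkmind.net."],
    ("ovirt-engine.blinkmind.net", "A"): ["10.13.0.245"],
    ("245.0.13.10.in-addr.arpa", "PTR"): ["ovirt-engine.blinkmind.net."],
    ("_ldap._tcp.blinkmind.net", "SRV"): ["0 100 389 ipa-master.blinkmind.net."],
    ("_kerberos._udp.blinkmind.net", "SRV"): ["0 100 88 ipa-master.blinkmind.net."],
}
def sample_resolver(name: str, rtype: str) -> List[str]:
    return SAMPLE_ZONE.get((name, rtype), [])

def dig_resolver(name: str, rtype: str) -> List[str]:
    """Live resolver: `dig +short <rtype> <name>`, one record per output line."""
    out = subprocess.run(["dig", "+short", rtype, name], capture_output=True, text=True).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]

def reverse_name(ip: str) -> str:
    """10.13.0.245 -> 245.0.13.10.in-addr.arpa, the name the PTR record lives under."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def check_host(fqdn: str, resolve: Resolver) -> List[str]:
    """Forward lookup, then require a PTR for every address that names the same host."""
    fqdn, problems = fqdn.rstrip(".").lower(), []
    addrs = resolve(fqdn, "A")
    if not addrs:
        return [f"{fqdn}: no A record"]
    for ip in addrs:
        ptrs = [p.rstrip(".").lower() for p in resolve(reverse_name(ip), "PTR")]
        if fqdn not in ptrs:
            problems.append(f"{fqdn}: {ip} PTR is {', '.join(ptrs) or 'missing'}, expected {fqdn}")
    return problems

def check_srv(domain: str, resolve: Resolver) -> List[str]:
    """SRV records the engine's server discovery and the Kerberos client rely on."""
    return [f"{svc}.{domain}: no SRV record"
            for svc in ("_ldap._tcp", "_kerberos._udp") if not resolve(f"{svc}.{domain}", "SRV")]

def check_domain(domain: str, hosts: List[str], resolve: Resolver = dig_resolver) -> List[str]:
    problems = check_srv(domain, resolve)  # empty result: the thread's prerequisites hold
    for host in hosts:
        problems.extend(check_host(host, resolve))
    return problems
```

Run `check_domain("blinkmind.net", ["ovirt-engine.blinkmind.net", "ipa-master.blinkmind.net"])` against the live resolver on the engine host; every string it returns is one thing the engine's "Error in DNS configuration" message may be complaining about.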

On 02/22/2012 11:02 PM, Nathan Stratton wrote:
On Wed, 22 Feb 2012, Oved Ourfalli wrote:
Hey,
This error usually happens where there is no krb5.conf file, or there is one, but your domain isn't in that. The krb5.conf file should be located in $JBOSS_HOME/standalone/configuration directory.
Ya, I gave up on the 389/Kerberos, looking at FreeIPA now.
BTW, why can't we just use LDAP???
well, this goes to history, as ovirt was ported from a C# solution focused that evolved to server virtualization from VDI (virtual desktops). virtual desktops were mostly windows. so integration with AD was a must, and was based on kerberos (in C#) java port first supported backward compatibility. nothing prevents adding LDAP support, but it probably requires supporting multiple LDAP redundant servers and SSL.
btw, the code for basic LDAP (WITHOUT SECURITY) may still work, if you change the authentication type to "SIMPLE". but it is never discussed as a deployment option, as it is not secure.

On 02/23/2012 09:20 AM, Itamar Heim wrote:
On 02/22/2012 11:02 PM, Nathan Stratton wrote:
On Wed, 22 Feb 2012, Oved Ourfalli wrote:
Hey,
This error usually happens where there is no krb5.conf file, or there is one, but your domain isn't in that. The krb5.conf file should be located in $JBOSS_HOME/standalone/configuration directory.
Ya, I gave up on the 389/Kerberos, looking at FreeIPA now.
BTW, why can't we just use LDAP???
well, this goes to history, as ovirt was ported from a C# solution focused that evolved to server virtualization from VDI (virtual desktops). virtual desktops were mostly windows. so integration with AD was a must, and was based on kerberos (in C#) java port first supported backward compatibility. nothing prevents adding LDAP support, but it probably requires supporting multiple LDAP redundant servers and SSL.
btw, the code for basic LDAP (WITHOUT SECURITY) may still work, if you change the authentication type to "SIMPLE". but it is never discussed as a deployment option, as it is not secure.
But what about schema differentiation?

On 02/23/2012 09:33 AM, Yair Zaslavsky wrote:
On 02/23/2012 09:20 AM, Itamar Heim wrote:
On 02/22/2012 11:02 PM, Nathan Stratton wrote:
On Wed, 22 Feb 2012, Oved Ourfalli wrote:
Hey,
This error usually happens where there is no krb5.conf file, or there is one, but your domain isn't in that. The krb5.conf file should be located in $JBOSS_HOME/standalone/configuration directory.
Ya, I gave up on the 389/Kerberos, looking at FreeIPA now.
BTW, why can't we just use LDAP???
well, this goes to history, as ovirt was ported from a C# solution focused that evolved to server virtualization from VDI (virtual desktops). virtual desktops were mostly windows. so integration with AD was a must, and was based on kerberos (in C#) java port first supported backward compatibility. nothing prevents adding LDAP support, but it probably requires supporting multiple LDAP redundant servers and SSL.
btw, the code for basic LDAP (WITHOUT SECURITY) may still work, if you change the authentication type to "SIMPLE". but it is never discussed as a deployment option, as it is not secure.
But what about schema differentiation?
well, SIMPLE would work only for schemes which are already supported. I'm just saying for testing purpose 389ds without kerberos may work as well in SIMPLE mode. same for other LDAP providers, should patches for detecting their type and supporting their scheme (btw, we say scheme, but we use very few fields from it for someone to work on this and support other providers)

----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com>
To: "Yair Zaslavsky" <yzaslavs@redhat.com>
Cc: users@ovirt.org
Sent: Thursday, February 23, 2012 9:37:43 AM
Subject: Re: [Users] LDAP
On 02/23/2012 09:33 AM, Yair Zaslavsky wrote:
On 02/23/2012 09:20 AM, Itamar Heim wrote:
On 02/22/2012 11:02 PM, Nathan Stratton wrote:
On Wed, 22 Feb 2012, Oved Ourfalli wrote:
Hey,
This error usually happens where there is no krb5.conf file, or there is one, but your domain isn't in that. The krb5.conf file should be located in $JBOSS_HOME/standalone/configuration directory.
Ya, I gave up on the 389/Kerberos, looking at FreeIPA now.
BTW, why can't we just use LDAP???
well, this goes to history, as ovirt was ported from a C# solution focused that evolved to server virtualization from VDI (virtual desktops). virtual desktops were mostly windows. so integration with AD was a must, and was based on kerberos (in C#) java port first supported backward compatibility. nothing prevents adding LDAP support, but it probably requires supporting multiple LDAP redundant servers and SSL.
btw, the code for basic LDAP (WITHOUT SECURITY) may still work, if you change the authentication type to "SIMPLE". but it is never discussed as a deployment option, as it is not secure.
But what about schema differentiation?
well, SIMPLE would work only for schemes which are already supported. I'm just saying for testing purpose 389ds without kerberos may work as well in SIMPLE mode. same for other LDAP providers, should patches for detecting their type and supporting their scheme (btw, we say scheme, but we use very few fields from it for someone to work on this and support other providers)
btw, the feature was tested with RHDS, and not 389ds. They are indeed based on the same schema so it should work, but it wasn't tested, so there might be some tweaks needed to make it work.
participants (5)
- Itamar Heim
- Nathan Stratton
- Oved Ourfalli
- Yair Zaslavsky
- Yaniv Kaul