------OSDCNA0F0ZP8RJNEPTMP6K3VSHMEQ5 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Juan Hernandez <jhernand(a)redhat.com&gt; wrote: That did the trick. I edited the file as I had no hope of getting an ldapmodify command going on my own. That's why I installed IPA in the first place. :) -- Junk. ------OSDCNA0F0ZP8RJNEPTMP6K3VSHMEQ5 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit <html><head></head><body><div class="gmail_quote">Juan Hernandez &amp;lt;jhernand(a)redhat.com&amp;gt; wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> <pre class="k9mail"><br />On 11/13/2013 10:11 PM, Junk wrote:<br /><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;">Hi I was having odd issues with my IPA domain so rather than<br />troubleshoot it properly I thought it would be a good idea to remove it<br />and then add it again.<br /><br />I removed it with <br />engine-manage-domains -action=delete -domain=clarkconnect.lan<br /><br />and when I try to add it with <br />engine-manage-domains -action=add -domain=clarkconnect.lan -user=admin<br />-provider=IPA -interactive<br /><br />which worked fine the first time I get<br /><br />General error has occurednull<br />java.lang.NegativeArraySizeException<br /> at<br />sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)<br /> at<br />sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)<br /> at sun.security.jgss.krb5.WrapToken_v2.&lt;init&gt;(WrapToken_v2.java:200)<br /> at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:861)<br /> at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)<br /> at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:104)<br /> at<br />com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)<br /> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:430)<br /> at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555)<br /> at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)<br /> at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)<br /> at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)<br /> at<br />com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)<br /> at<br />com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)<br /> at<br />com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)<br /> at<br />javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)<br /> at org.ovirt.engine.core.ldap.RootDSEData.&lt;init&gt;(RootDSEData.java:52)<br /> at<br />org.ovirt.engine.core.utils.kerberos.JndiAction.getDomainDN(JndiAction.java:257)<br /> at<br />org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:87)<br /> at java.security.AccessController.doPrivileged(Native Method)<br /> at javax.security.auth.Subject.doAs(Subject.java:356)<br /> at<br />org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)<br /> at<br />org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:150)<br /> at<br />org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:135)<br /> at<br />org.ovirt.engine.core.domains.ManageDomains.checkKerberosConfiguration(ManageDomains.java:746)<br /> at<br />org.ovirt.engine.core.domains.ManageDomains.testConfiguration(ManageDomains.java:917)<br /> at<br />org.ovirt.engine.core.domains.ManageDomains.addDomain(ManageDomains.java:539)<br /> at<br />org.ovirt.engine.core.domains.ManageDomains.runCommand(ManageDomains.java:311)<br /> at<br />org.ovirt.engine.core.domains.ManageDomains.main(ManageDomains.java:206)<br /> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<br /> at<br />sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)<br /> at<br />sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br /> at java.lang.reflect.Method.invoke(Method.java:606)<br /> at org.jboss.modules.Module.run(Module.java:260)<br /> at org.jboss.modules.Main.main(Main.java:291)<br />Failure while testing domain %1$s. Details: %2$s: One of the parameters<br />for this error is null and no default message to show<br /><br /><br />in the engine-manage-domains.log I get<br /><br />2013-11-13 20:53:41,318 INFO<br />[org.ovirt.engine.core.domains.ManageDomains] Creating kerberos<br />configuration for domain(s): clarkconnect.lan<br />2013-11-13 20:53:41,525 INFO<br />[org.ovirt.engine.core.domains.ManageDomains] Successfully created<br />kerberos configuration for domain(s): clarkconnect.lan<br />2013-11-13 20:53:41,526 INFO<br />[org.ovirt.engine.core.domains.ManageDomains] Testing kerberos<br />configuration for domain: clarkconnect.lan<br />2013-11-13 20:53:48,718 ERROR<br />[org.ovirt.engine.core.domains.ManageDomains] Failure while testing<br />domain %1$s. Details: %2$s: One of the parameters for this error is null<br />and no default message to show<br /><br />any ideas?<br /><br />Junk</blockquote><br /><br />We have seen a similar issue with OpenLDAP that required to set the<br />minimum security strength factor (SSF) to 1 instead of the default 0.<br />This default triggers a bug in the Java virtual machine Kerberos support.<br /><br />IPA us es the 389 directory server, and it also has the possibility to<br />configure this, as described here:<br /><br /><a href="http://directory.fedoraproject.org/wiki/Minimum_SSF_Setting&qu... /><br />To check that you can run a query like this in your IPA installation:<br /><br /># kinit admin<br /># ldapsearch \<br />-H ldap://your_ipa_server \<br />-Y GSSAPI \<br />-LLL \<br />-b 'cn=config' \<br />-s base \<br />nsslapd-minssf<br /><br />The output will probably be like this:<br /><br />dn: cn=config<br />nsslapd-minssf: 0<br /><br />The important thing there is the value 0. You can try to change it to 1,<br />via LDAP or modifying directly the file<br />/etc/dirsrv/slapd-YOUR-REALM/dse.ldif. Do this with the directory server<br />stopped, and remember how to revert it in case things fail.<br /><br />Let us know if this helps.<br /><br />By the way, for those interested in how to change this in OpenLDAP, it<br />requires something like this:<br /><br /># cat &gt; fixssf.ldif &lt;&lt;'.'<br />dn: cn=config<br />replace: olcSaslSecProps<br />olcSaslSecProps: noanonymous,noplain,minssf=1<br />-<br />.<br /><br /># ldapmodify -H ldapi:/// -Y EXTERNAL -f fixssf.ldif<br /></pre></blockquote></div><br clear="all">That did the trick. I edited the file as I had no hope of getting an ldapmodify command going on my own. That&#39;s why I installed IPA in the first place. :)<br> -- <br> Junk.</body></html> ------OSDCNA0F0ZP8RJNEPTMP6K3VSHMEQ5--

I was stumped by this as well, but Juan's fix resolved the issue. I added this to the wiki: http://www.ovirt.org/Troubleshooting#Adding_an_IPA_domain_to_ovirt_engine