[Users] engine-manage-domains fails when re-adding a domain

Hi, I was having odd issues with my IPA domain, so rather than troubleshoot it properly I thought it would be a good idea to remove it and then add it again.

I removed it with
engine-manage-domains -action=delete -domain=clarkconnect.lan

and when I try to add it with
engine-manage-domains -action=add -domain=clarkconnect.lan -user=admin -provider=IPA -interactive

which worked fine the first time, I get

General error has occurednull
java.lang.NegativeArraySizeException
 at sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
 at sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
 at sun.security.jgss.krb5.WrapToken_v2.<init>(WrapToken_v2.java:200)
 at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:861)
 at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
 at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:104)
 at com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
 at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:430)
 at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555)
 at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
 at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
 at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
 at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
 at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
 at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
 at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
 at org.ovirt.engine.core.ldap.RootDSEData.<init>(RootDSEData.java:52)
 at org.ovirt.engine.core.utils.kerberos.JndiAction.getDomainDN(JndiAction.java:257)
 at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:87)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.Subject.doAs(Subject.java:356)
 at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
 at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:150)
 at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:135)
 at org.ovirt.engine.core.domains.ManageDomains.checkKerberosConfiguration(ManageDomains.java:746)
 at org.ovirt.engine.core.domains.ManageDomains.testConfiguration(ManageDomains.java:917)
 at org.ovirt.engine.core.domains.ManageDomains.addDomain(ManageDomains.java:539)
 at org.ovirt.engine.core.domains.ManageDomains.runCommand(ManageDomains.java:311)
 at org.ovirt.engine.core.domains.ManageDomains.main(ManageDomains.java:206)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:606)
 at org.jboss.modules.Module.run(Module.java:260)
 at org.jboss.modules.Main.main(Main.java:291)
Failure while testing domain %1$s. Details: %2$s: One of the parameters for this error is null and no default message to show

In the engine-manage-domains.log I get

2013-11-13 20:53:41,318 INFO [org.ovirt.engine.core.domains.ManageDomains] Creating kerberos configuration for domain(s): clarkconnect.lan
2013-11-13 20:53:41,525 INFO [org.ovirt.engine.core.domains.ManageDomains] Successfully created kerberos configuration for domain(s): clarkconnect.lan
2013-11-13 20:53:41,526 INFO [org.ovirt.engine.core.domains.ManageDomains] Testing kerberos configuration for domain: clarkconnect.lan
2013-11-13 20:53:48,718 ERROR [org.ovirt.engine.core.domains.ManageDomains] Failure while testing domain %1$s. Details: %2$s: One of the parameters for this error is null and no default message to show

Any ideas?

Junk

On 11/13/2013 10:11 PM, Junk wrote:
Hi I was having odd issues with my IPA domain so rather than troubleshoot it properly I thought it would be a good idea to remove it and then add it again.
We have seen a similar issue with OpenLDAP that required setting the minimum security strength factor (SSF) to 1 instead of the default 0. This default triggers a bug in the Java virtual machine Kerberos support.

IPA uses the 389 directory server, and it also has the possibility to configure this, as described here:

http://directory.fedoraproject.org/wiki/Minimum_SSF_Setting

To check that, you can run a query like this in your IPA installation:

# kinit admin
# ldapsearch \
-H ldap://your_ipa_server \
-Y GSSAPI \
-LLL \
-b 'cn=config' \
-s base \
nsslapd-minssf

The output will probably be like this:

dn: cn=config
nsslapd-minssf: 0

The important thing there is the value 0. You can try to change it to 1, via LDAP or by modifying the file /etc/dirsrv/slapd-YOUR-REALM/dse.ldif directly. Do this with the directory server stopped, and remember how to revert it in case things fail.

Let us know if this helps.

By the way, for those interested in how to change this in OpenLDAP, it requires something like this:

# cat > fixssf.ldif <<'.'
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=1
-
.

# ldapmodify -H ldapi:/// -Y EXTERNAL -f fixssf.ldif

--
Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, 3rd floor D, 28016 Madrid, Spain. Registered in the Madrid Commercial Registry – C.I.F. B82657941 - Red Hat S.L.
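Juan's check and fix as a small offline helper (an added example, not code from oVirt, 389-ds or this thread): it parses the LDIF that the ldapsearch above prints, builds the ldapmodify LDIF that raises nsslapd-minssf to 1 together with the LDIF that reverts it, and patches the cn=config entry of a dse.ldif for the file-editing route. The sample ldapsearch output is constructed; nsslapd-minssf on cn=config and the `changetype: modify` LDIF form are standard 389-ds/LDIF.

```python
"""Offline helper for the 389-ds minimum SSF check and fix from the thread.
Added example, not oVirt or 389-ds code: it works on the LDIF text that
`ldapsearch -LLL -b cn=config -s base nsslapd-minssf` prints and on the
cn=config entry of dse.ldif, so nothing here talks to a server."""
import re

MIN_SSF_ATTR = "nsslapd-minssf"  # cn=config attribute in 389 Directory Server
RECOMMENDED_MIN_SSF = 1          # SSF 1 = integrity protection required on binds


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) and drop comments so each
    attribute is one logical line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_minssf(ldif_text):
    """Return the integer nsslapd-minssf from ldapsearch output, or None if absent."""
    for line in unfold_ldif(ldif_text):
        m = re.match(rf"^{MIN_SSF_ATTR}:\s*(\d+)\s*$", line, re.IGNORECASE)
        if m:
            return int(m.group(1))
    return None


def build_modify_ldif(value):
    """LDIF that ldapmodify applies to replace nsslapd-minssf on cn=config."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        f"replace: {MIN_SSF_ATTR}\n"
        f"{MIN_SSF_ATTR}: {value}\n"
        "-\n"
    )


def plan_fix(ldif_text, target=RECOMMENDED_MIN_SSF):
    """Compare the current value with the target and prepare apply and revert LDIF.

    The revert LDIF is produced up front: the fix must be undone if binds fail
    after it, which the thread warns about."""
    current = parse_minssf(ldif_text)
    if current is None:
        raise ValueError(f"{MIN_SSF_ATTR} is not present in the cn=config output")
    needs_fix = current < target
    return {
        "current": current,
        "needs_fix": needs_fix,
        "apply_ldif": build_modify_ldif(target) if needs_fix else "",
        "revert_ldif": build_modify_ldif(current) if needs_fix else "",
    }


def patch_dse_ldif(dse_text, target=RECOMMENDED_MIN_SSF):
    """File route (what the original poster did): rewrite nsslapd-minssf inside
    the cn=config entry of dse.ldif only, leaving every other entry untouched.
    Run it on a copy, with dirsrv stopped, and keep the original as the revert."""
    patched = []
    for entry in dse_text.split("\n\n"):
        lines = entry.split("\n")
        if "dn: cn=config" in [l.strip() for l in lines]:
            lines = [l for l in lines
                     if l and not l.lower().startswith(MIN_SSF_ATTR + ":")]
            lines.append(f"{MIN_SSF_ATTR}: {target}")
        patched.append("\n".join(lines))
    return "\n\n".join(patched)


# Constructed sample: what the thread's ldapsearch printed on the unpatched IPA server.
SAMPLE_SEARCH_OUTPUT = "dn: cn=config\nnsslapd-minssf: 0\n"

if __name__ == "__main__":
    plan = plan_fix(SAMPLE_SEARCH_OUTPUT)
    print(f"current nsslapd-minssf={plan['current']}, needs_fix={plan['needs_fix']}")
    print(plan["apply_ldif"], end="")
```

Feed the apply LDIF to `ldapmodify -H ldap://your_ipa_server -Y GSSAPI -f <file>` after a `kinit admin`, and keep the revert LDIF next to it.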

Juan Hernandez <jhernand@redhat.com> wrote:
We have seen a similar issue with OpenLDAP that required to set the minimum security strength factor (SSF) to 1 instead of the default 0. This default triggers a bug in the Java virtual machine Kerberos support.
That did the trick. I edited the file as I had no hope of getting an ldapmodify command going on my own. That's why I installed IPA in the first place. :)

--
Junk.

On 11/15/2013 08:47 PM, Junk wrote:
That did the trick. I edited the file as I had no hope of getting an ldapmodify command going on my own. That's why I installed IPA in the first place. :) -- Junk.
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
How about wikifying this under 'troubleshooting manage-domains' or something like that?

How about wikifying this under 'troubleshooting manage-domains' or something like that?
I was stumped by this as well, but Juan's fix resolved the issue. I added this to the wiki: http://www.ovirt.org/Troubleshooting#Adding_an_IPA_domain_to_ovirt_engine
participants (4)
- Itamar Heim
- Jason Brooks
- Juan Hernandez
- Junk