[Users] freeipa and ovirt can't add domain

Hi, I have been trying for a week or so to be able to get a domain based on freeipa added to my ovirt/F16 setup so that I can add users. I started out with 3.0.0 rpms from the ovirt repos, I've since built my own rpms from git, 3.1.0. I've set up ipa and can log in with kinit. I get this error when I run engine-manage-domains:

[root@barleyville ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@BVTEST.ORG

Valid starting     Expires            Service principal
04/25/12 18:17:07  04/26/12 18:17:05  krbtgt/BVTEST.ORG@BVTEST.ORG

[root@barleyville ~]# engine-manage-domains -action=add -domain=bvtest.org -user=admin -passwordFile=/root/dompass
Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct..
Problematic domain is: bvtest.org
Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.

Are there some other logs I can provide? Thanks for any help, I'm about to give up.
details:
ovirt-engine-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-dbscripts-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-jboss-deps-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-log-collector-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-tools-common-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-debuginfo-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-setup-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-image-uploader-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-config-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-userportal-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-webadmin-portal-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-genericapi-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-notification-service-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-backend-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-restapi-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-iso-uploader-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-jbossas-1.2-2.fc16.x86_64
vdsm-4.9.3.3-0.fc16.x86_64
vdsm-cli-4.9.3.3-0.fc16.noarch
vdsm-bootstrap-4.9.3.3-0.fc16.noarch
libipa_hbac-python-1.8.2-10.fc16.x86_64
freeipa-server-2.1.4-5.fc16.x86_64
freeipa-python-2.1.4-5.fc16.x86_64
freeipa-admintools-2.1.4-5.fc16.x86_64
freeipa-server-selinux-2.1.4-5.fc16.x86_64
freeipa-client-2.1.4-5.fc16.x86_64
libipa_hbac-1.8.2-10.fc16.x86_64

Quoting Jesse Brandeburg <jesse.brandeburg@intel.com>:
Are there some other logs I can provide? Thanks for any help, I'm about to give up.
What's in your engine-manage-domains.log?

-Sharad
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

On Thu, 26 Apr 2012 14:35:32 -0400 <snmishra@linux.vnet.ibm.com> wrote:
What's in your engine-manage-domains.log?
hm, didn't know that log was there

2012-04-26 09:15:37,544 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): bvtest.org
2012-04-26 09:15:37,648 ERROR [org.ovirt.engine.core.dns.DnsSRVLocator] Error: could not find DNS SRV record name: _kerberos._tcp.BVTEST.ORG. Exception message is: DNS name not found [response code 3] Possible causes: missing DNS entries in the DNS server or DNS resolving issues from engine-core machine. Please Ensure correct DNS entries exist in the DNS server and ensure the DNS server is reachable from the engine-core machine.

I'll go add that _kerberos._tcp.BVTEST.ORG option to dnsmasq and let you know how it goes! Thanks

----- Original Message -----
From: "Jesse Brandeburg" <jesse.brandeburg@intel.com>
To: snmishra@linux.vnet.ibm.com
Cc: users@ovirt.org
Sent: Thursday, April 26, 2012 3:18:57 PM
Subject: Re: [Users] freeipa and ovirt can't add domain
I'll go add that _kerberos._tcp.BVTEST.ORG option to dnsmasq and let you know how it goes! Thanks
From memory you will want to do _ldap._tcp... while you are there.
Steve

Quoting Steve Gordon <sgordon@redhat.com>:
From memory you will want to do _ldap._tcp... while you are there.
Here is something else to try -

# nslookup
set q=srv
_ldap._tcp.ibm.com
Server:  9.42.xx.xxx
Address: 9.42.xx.xxx

Non-authoritative answer:
_ldap._tcp.ibm.com service = 0 100 389 aaaa.ibm.com.
_ldap._tcp.ibm.com service = 0 100 389 bbb.watson.ibm.com.
_ldap._tcp.ibm.com service = 0 100 389 ccc.pok.ibm.com.
_ldap._tcp.ibm.com service = 0 100 389 ddd.pok.ibm.com.

-Sharad
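As an added example (not code from the thread or from oVirt/FreeIPA), here is a pure-Python check of the two SRV lookups engine-manage-domains performs: it parses a raw DNS reply for _ldap._tcp / _kerberos._tcp records, the same "0 100 389 host" tuples nslookup prints above, and treats response code 3 (the NXDOMAIN in the log) or an empty answer as a missing record. The replies are constructed inline; ipa.bvtest.org is an assumed host name.

```python
import struct

def _read_name(msg, off):
    """Decode a DNS name at msg[off], following compression pointers (RFC 1035 4.1.4)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:                     # pointer: jump, remember where we were
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (end or off)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def parse_srv_response(msg):
    """Return (rcode, sorted [(priority, weight, port, target)]) from a DNS reply."""
    flags, qd, an = struct.unpack("!HHH", msg[2:8])
    off = 12
    for _ in range(qd):                            # skip the question section
        off = _read_name(msg, off)[1] + 4
    records = []
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 33:                            # SRV rdata: priority, weight, port, target
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            records.append((prio, weight, port, _read_name(msg, off + 6)[0]))
        off += rdlen
    return flags & 0x0F, sorted(records)

def check_srv(msg):
    rcode, records = parse_srv_response(msg)       # rcode 3 (NXDOMAIN) or no answers = record missing
    return ("missing" if rcode == 3 or not records else "ok"), records

def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

def build_srv_response(qname, targets, rcode=0):
    """Construct a reply in wire format; used only to fabricate the sample input below."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(targets), 0, 0)
    msg += _name(qname) + struct.pack("!HH", 33, 1)
    for prio, weight, port, target in targets:
        rdata = struct.pack("!HHH", prio, weight, port) + _name(target)
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 33, 1, 300, len(rdata)) + rdata  # name = pointer to question
    return msg

# Constructed samples: the answer the engine needs once _ldap._tcp exists, and the NXDOMAIN behind "response code 3".
OK_RESPONSE = build_srv_response("_ldap._tcp.bvtest.org", [(0, 100, 389, "ipa.bvtest.org")])
NXDOMAIN_RESPONSE = build_srv_response("_kerberos._tcp.BVTEST.ORG", [], rcode=3)
```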

On Thu, 26 Apr 2012 12:18:57 -0700 Jesse Brandeburg <jesse.brandeburg@intel.com> wrote:
I'll go add that _kerberos._tcp.BVTEST.ORG option to dnsmasq and let you know how it goes!

I did all the _*. stuff that was in the ipa template.
well that put me in the right direction, now moving on to this:

2012-04-26 12:26:21,014 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): bvtest.org
2012-04-26 12:26:21,044 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): bvtest.org
2012-04-26 12:26:21,044 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: bvtest.org

so that's good, but I get this back from the command line:

[root]# engine-manage-domains -action=add -domain=bvtest.org -user=admin -passwordFile=/root/dompass
No user in Directory was found for admin@BVTEST.ORG. Trying next LDAP server in list
Failure while testing domain bvtest.org. Details: No user information was found for user

I'm now trying to figure out how to run ldapsearch to check my ldap config.

Quoting Jesse Brandeburg <jesse.brandeburg@intel.com>:
I'm now trying to figure out how to run ldapsearch to check my ldap config.
I would run nslookup to see all the ldap servers it found in the domain and then run ldapsearch on each one to verify your config.

-Sharad