
Getting this error when I try to configure ldap authentication for Ovirt with FreeIPA server: Error: exception message: freeipa.wilk.local. Failure while testing domain wilk.local. Details: Kerberos error. Please check log for further details. Engine-manage-domains.log gives no further details. When I run "engine-manage-domains -action=add -domain='wilk.local' -user='admin' -provider=IPA -interactive" it is connecting and asking for the password but then giving the error. Any input would be appreciated.

Can we get the log? It would be helpful to understand the kerberos message to understand what has happened.

----- Original Message -----
From: "Ryan Wilkinson" <ryanwilk@gmail.com> To: users@ovirt.org Sent: Sunday, April 28, 2013 7:35:53 AM Subject: [Users] FreeIPA
Getting this error when I try to configure ldap authentication for Ovirt with FreeIPA server: Error: exception message: freeipa.wilk.local. Failure while testing domain wilk.local. Details: Kerberos error. Please check log for further details.
Engine-manage-domains.log gives no further details. When I run "engine-manage-domains -action=add -domain='wilk.local' -user='admin' -provider=IPA -interactive" it is connecting and asking for the password but then giving the error. Any input would be appreciated.
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

Thanks, here is the engine-manage-domains log:

2013-04-27 22:10:32,911 INFO [org.ovirt.engine.core.domains.ManageDomains] Creating kerberos configuration for domain(s): wilk.local
2013-04-27 22:10:32,936 INFO [org.ovirt.engine.core.domains.ManageDomains] Successfully created kerberos configuration for domain(s): wilk.local
2013-04-27 22:10:32,936 INFO [org.ovirt.engine.core.domains.ManageDomains] Testing kerberos configuration for domain: wilk.local
2013-04-27 22:10:33,219 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: freeipa.wilk.local.
2013-04-27 22:10:33,223 ERROR [org.ovirt.engine.core.domains.ManageDomains] Failure while testing domain wilk.local. Details: Kerberos error. Please check log for further details.
2013-04-27 22:20:29,053 INFO [org.ovirt.engine.core.domains.ManageDomains] Creating kerberos configuration for domain(s): wilk.local
2013-04-27 22:20:29,078 INFO [org.ovirt.engine.core.domains.ManageDomains] Successfully created kerberos configuration for domain(s): wilk.local
2013-04-27 22:20:29,079 INFO [org.ovirt.engine.core.domains.ManageDomains] Testing kerberos configuration for domain: wilk.local
2013-04-27 22:20:29,257 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: freeipa.wilk.local.
2013-04-27 22:20:29,261 ERROR [org.ovirt.engine.core.domains.ManageDomains] Failure while testing domain wilk.local. Details: Kerberos error. Please check log for further details.

On Sun, Apr 28, 2013 at 1:17 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
Can we get the log? It would be helpful to understand the kerberos message to understand what has happened.

Not too informative, so let's start and troubleshoot -

a. Please use dig to get SRV records for kerberos and ldap for the domain and attach it -

For example - for domain example.com (kerberos realm - EXAMPLE.COM)
dig SRV _ldap._tcp.example.com
dig SRV _kerberos._tcp.example.com

b. Do you have a PTR record at your DNS defined for your IPA server?

When looking at the code of the manage-domains tool I see the reason that the log is not informative enough is that our translator from "kerberos + ldap error codes" to "human readable" errors failed to translate the message.
IMHO, we should send a patch for this + provide a way to get more descriptive logging in this case.
Can you please let us know if the tips I suggested regarding DNS have helped?

----- Original Message -----
From: "Ryan Wilkinson" <ryanwilk@gmail.com> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: users@ovirt.org Sent: Sunday, April 28, 2013 4:25:33 PM Subject: Re: [Users] FreeIPA
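The DNS checks suggested in the reply above (SRV records for Kerberos and LDAP, plus a PTR record for the IPA server), combined into one pre-flight script. This is an added example, not part of the original thread and not oVirt code; the function names `lookup`, `check_srv` and `check_domain` are hypothetical, and it assumes IPv4 addresses and a `dig` binary on the path.

```shell
#!/bin/sh
# Added example, not oVirt code: DNS pre-flight for the checks in the thread.
# lookup TYPE NAME prints one answer per line (hypothetical helper name).
lookup() {
    case $1 in
        PTR) dig +short -x "$2" ;;
        *)   dig +short "$1" "$2" ;;
    esac
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_srv SERVICE DOMAIN: each SRV target needs an A record, and that
# address needs a PTR record naming the same host.
check_srv() {
    svc=$1; domain=$2; rc=0
    records=$(lookup SRV "_${svc}._tcp.${domain}")
    if [ -z "$records" ]; then
        echo "FAIL no SRV record for _${svc}._tcp.${domain}"
        return 1
    fi
    # dig +short SRV output: priority weight port target.
    for target in $(printf '%s\n' "$records" | awk '{print $4}'); do
        host=${target%.}
        addr=$(lookup A "$host" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)
        if [ -z "$addr" ]; then
            echo "FAIL $host has no A record"; rc=1; continue
        fi
        ptr=$(lookup PTR "$addr" | head -n 1)
        ptr=${ptr%.}
        if [ -z "$ptr" ]; then
            echo "FAIL no PTR record for $addr ($host)"; rc=1
        elif [ "$(lc "$ptr")" != "$(lc "$host")" ]; then
            echo "FAIL PTR for $addr is $ptr, expected $host"; rc=1
        else
            echo "OK   _${svc}._tcp.${domain} -> $host -> $addr -> $ptr"
        fi
    done
    return $rc
}

# check_domain DOMAIN: run both SRV lookups the reply asks for.
check_domain() {
    overall=0
    for s in kerberos ldap; do
        check_srv "$s" "$1" || overall=1
    done
    return $overall
}
# Usage: check_domain wilk.local
```

Run it on the engine host, since that is the resolver view engine-manage-domains uses; a non-zero exit status means at least one record is missing or inconsistent.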