Not too informative, so let's start and troubleshoot -

a. Please use dig to get SRV records for kerberos and ldap for the domain and attach it -
For example - for domain example.com (kerberos realm - EXAMPLE.COM)
dig SRV _ldap._tcp.example.com
dig SRV _kerberos._tcp.example.com

b. Do you have a PTR record at your DNS defined for your IPA server?

When looking at the code of the manage-domains tool I see the reason that the log is not
informative enough is that our translator from "kerberos + ldap error codes" to
"human readable" errors failed to translate the message.
IMHO, we should send a patch for this + provide a way to get more descriptive logging in
this case.
Can you please let us know if the tips I suggested regarding DNS have helped?

----- Original Message -----
From: "Ryan Wilkinson" <ryanwilk(a)gmail.com>
To: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
Cc: users(a)ovirt.org
Sent: Sunday, April 28, 2013 4:25:33 PM
Subject: Re: [Users] FreeIPA
Thanks, here is the engine-manage-domains log:

2013-04-27 22:10:32,911 INFO [org.ovirt.engine.core.domains.ManageDomains] Creating kerberos configuration for domain(s): wilk.local
2013-04-27 22:10:32,936 INFO [org.ovirt.engine.core.domains.ManageDomains] Successfully created kerberos configuration for domain(s): wilk.local
2013-04-27 22:10:32,936 INFO [org.ovirt.engine.core.domains.ManageDomains] Testing kerberos configuration for domain: wilk.local
2013-04-27 22:10:33,219 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: freeipa.wilk.local.
2013-04-27 22:10:33,223 ERROR [org.ovirt.engine.core.domains.ManageDomains] Failure while testing domain wilk.local. Details: Kerberos error. Please check log for further details.
2013-04-27 22:20:29,053 INFO [org.ovirt.engine.core.domains.ManageDomains] Creating kerberos configuration for domain(s): wilk.local
2013-04-27 22:20:29,078 INFO [org.ovirt.engine.core.domains.ManageDomains] Successfully created kerberos configuration for domain(s): wilk.local
2013-04-27 22:20:29,079 INFO [org.ovirt.engine.core.domains.ManageDomains] Testing kerberos configuration for domain: wilk.local
2013-04-27 22:20:29,257 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: freeipa.wilk.local.
2013-04-27 22:20:29,261 ERROR [org.ovirt.engine.core.domains.ManageDomains] Failure while testing domain wilk.local. Details: Kerberos error. Please check log for further details.

On Sun, Apr 28, 2013 at 1:17 AM, Yair Zaslavsky <yzaslavs(a)redhat.com> wrote:
> Can we get the log?
> It would be helpful to understand the kerberos message to understand what
> has happened.
>
> > From: "Ryan Wilkinson" <ryanwilk(a)gmail.com>
> > To: users(a)ovirt.org
> > Sent: Sunday, April 28, 2013 7:35:53 AM
> > Subject: [Users] FreeIPA
> >
> > Getting this error when I try to configure ldap authentication for Ovirt
> > with FreeIPA server:
> >
> > Error: exception message: freeipa.wilk.local.
> > Failure while testing domain wilk.local. Details: Kerberos error. Please
> > check log for further details.
> >
> > Engine-manage-domains.log gives no further details. When I run
> > "engine-manage-domains -action=add -domain='wilk.local' -user='admin'
> > -provider=IPA -interactive" it is connecting and asking for the password
> > but then giving the error. Any input would be appreciated.
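
The DNS checks suggested in the reply at the top of this thread (SRV records for kerberos and ldap, then a PTR record for the IPA server), as an added shell example that is not part of the original thread or of oVirt. The function names and the `q` wrapper around `dig +short` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not oVirt code: DNS pre-flight for a Kerberos/LDAP domain.
# Function names are illustrative. Usage: sh check_dns.sh wilk.local

# Thin wrapper around dig so the checks can be fed canned answers when testing.
q() { dig +short "$@"; }

# Print the target host of each SRV record for name $1.
# `dig +short SRV` prints one "priority weight port target." line per record.
srv_targets() {
    q SRV "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print tolower($4) }' | sort -u
}

# Forward-confirmed reverse DNS: host -> A -> PTR must lead back to the host.
check_host() {
    host=$1; host_rc=0
    addrs=$(q A "$host")
    [ -n "$addrs" ] || { echo "FAIL $host: no A record"; return 1; }
    for addr in $addrs; do
        ptr=$(q -x "$addr" | sed 's/\.$//' | tr 'A-Z' 'a-z')
        if [ "$ptr" = "$host" ]; then
            echo "OK   $host -> $addr -> $ptr"
        else
            echo "FAIL $host -> $addr -> PTR '${ptr:-none}'"; host_rc=1
        fi
    done
    return $host_rc
}

# Steps a and b from the reply: both SRV names must resolve, and every
# server they point at must have a matching PTR record.
check_domain() {
    domain=$1; dom_rc=0
    for svc in _kerberos._tcp _ldap._tcp; do
        targets=$(srv_targets "$svc.$domain")
        if [ -z "$targets" ]; then
            echo "FAIL $svc.$domain: no SRV record"; dom_rc=1; continue
        fi
        for t in $targets; do
            echo "SRV  $svc.$domain -> $t"
            check_host "$t" || dom_rc=1
        done
    done
    return $dom_rc
}

# Query live DNS only when a domain is given on the command line.
if [ $# -gt 0 ]; then check_domain "$1"; fi
```

Run it on the engine host so the answers come from the same resolver that engine-manage-domains uses; a non-zero exit status means at least one SRV or PTR check failed.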