[Engine-devel] OpenLdap and Kerberos for oVirt on f19

Piotr Kliczewski piotr.kliczewski at gmail.com
Thu Nov 14 11:25:58 UTC 2013


Working closely with Juan we managed to find the issue. During the
process of configuration I changed the hostname and commented out the
old hostname in the /etc/hostname file.
Removing the comment helped.

On Thu, Nov 14, 2013 at 11:19 AM, Piotr Kliczewski
<piotr.kliczewski at gmail.com> wrote:
> On Thu, Nov 14, 2013 at 11:05 AM, Juan Hernandez <jhernand at redhat.com> wrote:
>> On 11/14/2013 11:01 AM, Piotr Kliczewski wrote:
>>> Hello everyone,
>>>
>>> I am working on configuring OpenLdap 2.4.36 with Kerberos for oVirt running on f19.
>>>
>>> I am following this instruction:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5
>>>
>>> Please note that the instruction was written for f18. In order to have
>>> step 18 working from
>>> command line I had to set SASL_NOCANON to off. The reason was that I got:
>>>
>>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>> additional info: SASL(-13): authentication failure: GSSAPI Failure:
>>> gss_accept_sec_context
>>>
>>> When SASL_NOCANON is off I can search the LDAP but have the same issue
>>> from Java code:
>>>
>>> I got javax.naming.AuthenticationException: [LDAP: error code 49 -
>>> SASL(-13): authentication failure: GSSAPI Failure:
>>> gss_accept_sec_context].
>>> I have this when connecting using engine-manage-domains
>>> (http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=blob;f=backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/kerberos/JndiAction.java;h=467d64cb03523ba7e5144a57d6a60428f039656f;hb=refs/heads/master
>>> line 84).
>>>
>>> Can you please point me to where my config issue is?
>>>
>>> I copied engine-devel for reference.
>>>
>>
>> Do you have the cyrus-sasl-gssapi package installed? That should have
>> been part of step 1. Try this:
>>
>> # yum -y install cyrus-sasl-gssapi
>>
>> I think that once that is installed you shouldn't need to set
>> SASL_NOCANON off.
>>
> You are right, the package was not installed. I restarted slapd, krb5kdc
> and kadmin after installing. I kinit one more time and tried to
> ldapsearch as in step 18 but with the same result.
>> --
>> Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
>> 3ºD, 28016 Madrid, Spain
>> Registered in the Mercantile Registry of Madrid – C.I.F. B82657941 - Red Hat S.L.
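
The cause found in this thread was a commented-out old name left in /etc/hostname. As an added example (not part of the original messages and not oVirt code), the script below lints such a file and checks that its name appears as an ldap/HOST@REALM entry in a saved `klist -k` listing. The function names, hostnames, realm and keytab path are constructed, and it assumes the file should hold exactly one plain hostname line and that slapd's service principal is ldap/<hostname>.

```shell
#!/bin/sh
# hostname_from_file FILE: print the hostname if FILE holds exactly one plain
# name; otherwise report each problem on stderr and return 1.
hostname_from_file() (
    names=0 bad=0 found=
    while read -r line || [ -n "$line" ]; do    # read trims surrounding blanks
        case $line in
            '') ;;                               # blank line, ignore
            \#*) echo "commented line: $line" >&2; bad=1 ;;
            *[!A-Za-z0-9.-]*) echo "invalid name: $line" >&2; bad=1 ;;
            *) names=$((names + 1)); found=$line ;;
        esac
    done < "$1"
    [ "$names" -eq 1 ] || { echo "expected 1 name, found $names" >&2; bad=1; }
    [ "$bad" -eq 0 ] || return 1
    printf '%s\n' "$found"
)

# keytab_has_ldap_principal HOST KLIST_FILE: succeed if the saved `klist -k`
# listing has a principal starting with ldap/HOST@ (assumed slapd principal).
keytab_has_ldap_principal() {
    awk -v p="ldap/$1@" 'index($2, p) == 1 { ok = 1 } END { exit !ok }' "$2"
}

# Constructed sample data (not from the thread): a hostname file with the old
# name commented out, a clean one, and a saved `klist -k` listing.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '#oldhost.example.com\nldap.example.com\n' > "$tmp/hostname.bad"
printf 'ldap.example.com\n' > "$tmp/hostname.good"
cat > "$tmp/klist.txt" <<'EOF'
Keytab name: FILE:/etc/openldap/ldap.keytab
KVNO Principal
---- ----------------------------------------
   2 ldap/ldap.example.com@EXAMPLE.COM
EOF

for f in "$tmp/hostname.bad" "$tmp/hostname.good"; do
    if h=$(hostname_from_file "$f" 2>/dev/null) &&
       keytab_has_ldap_principal "$h" "$tmp/klist.txt"; then
        echo "$f: OK ($h matches keytab)"
    else
        echo "$f: FAIL (run hostname_from_file on it to see why)"
    fi
done
```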


