[Users] LDAP

Oved Ourfalli ovedo at redhat.com
Thu Feb 23 17:49:23 UTC 2012 


----- Original Message -----
> From: "Nathan Stratton" <nathan at robotics.net>
> To: "Yaniv Kaul" <ykaul at redhat.com>
> Cc: "Oved Ourfalli" <ovedo at redhat.com>, users at ovirt.org
> Sent: Thursday, February 23, 2012 7:38:42 PM
> Subject: Re: [Users] LDAP
> 
> On Thu, 23 Feb 2012, Yaniv Kaul wrote:
> 
> > LDAP cannot be 'just used'. It needs to be connected to (we use
> > Kerberos,
> > many use SSL/TLS) and it needs the correct schema configuration.
> > FreeIPA uses Kerberos and LDAP.
> 
> True, but I use LDAP to auth a bunch of boxes on a private network
> and
> that seams to work fine. Anyway... Still trying to get this to work.
> I now
> have freeipa installed with a user setup. I am able to kinit that
> user and
> everything works fine however I get the following error:
> 
> [root at ovirt-engine log]# engine-manage-domains -action=add
> -domain=blinkmind.net -user=nathan -passwordFile=/etc/shadow
> -interactive
> Error:  exception message: Integrity check on decrypted field failed
> (31)
> - PREAUTH_FAILED
> Failure while testing domain blinkmind.net. Details: Kerberos error.
> Please check log for further details.
> 
IIRC, we only support using -interactive or using -passwordFile, and not both.
The fact that you don't get a warning on that is a bug.

Found this blog with a similar error that is caused due to password expiration (in the engine log, and not while running the manage domains utility, but that might also help):
http://blog.rtfm.co.hu/2012/02/rhev-error-from-kerberos-integrity-check-on-decrypted-field-failed/

But the information there doesn't go very well with the fact that kinit is successful.
Is the file containing the correct password? Try using only -interactive, and enter the password interactively.
Also, attaching the log of the utility might be helpful.
Also, try logging in with that user to the IPA machine, that way you'll know if you need to change your password (I saw that sometimes kinit doesn't  ask you to change the password, but logging in does).

Hope it helps,
Oved

> 
> ><>
> Nathan Stratton                                CTO, BlinkMind, Inc.
> nathan at robotics.net                         nathan at
> blinkmind.com
> http://www.robotics.net
>                        http://www.blinkmind.com
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>

More information about the Users mailing list