[Users] LDAP

Nathan Stratton nathan at robotics.net
Thu Feb 23 18:13:33 UTC 2012


On Thu, 23 Feb 2012, Oved Ourfalli wrote:

> IIRC, we only support using -interactive or using -passwordFile, and not both.
> The fact that you don't get a warning on that is a bug.

:) Oops.

> Found this blog with a similar error that is caused due to password expiration (in the engine log, and not while running the manage domains utility, but that might also help):
> http://blog.rtfm.co.hu/2012/02/rhev-error-from-kerberos-integrity-check-on-decrypted-field-failed/
>
> But the information there doesn't go very well with the fact that kinit is successful.

Ya, I saw that also (been doing a lot of googling), but:

-bash-4.2# kinit nathan
Password for nathan at BLINKMIND.NET:
-bash-4.2# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nathan at BLINKMIND.NET

Valid starting     Expires            Service principal
02/23/12 12:07:21  02/24/12 12:07:16  krbtgt/BLINKMIND.NET at BLINKMIND.NET
 	renew until 03/01/12 12:07:16


> Is the file containing the correct password? Try using only -interactive, and enter the password interactively.

Yep, the password is correct; I get the same error no matter what password I use. However, when I try with -interactive I get more debug info (see below).

> Also, attaching the log of the utility might be helpful.

How would I get that? I don't see anything anywhere in /var/log/*

> Also, try logging in with that user to the IPA machine, that way you'll know if you need to change your password (I saw that sometimes kinit doesn't ask you to change the password, but logging in does).

Yep, that works fine. If I do it with -interactive I get the errors below. It seems to have an issue with DNS, and yet it is pulling the two SRV records AND hitting the right servers. Also, both ovirt-engine and ipa-master have forward and reverse DNS and proper /etc/hosts files.

-bash-4.2# engine-manage-domains -action=add -domain=blinkmind.net -user=nathan -interactive
Enter password:

javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]]
 	at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:168)
 	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:232)
 	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
 	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
 	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
 	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
 	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
 	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
 	at javax.naming.InitialContext.init(InitialContext.java:240)
 	at javax.naming.InitialContext.<init>(InitialContext.java:214)
 	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
 	at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
 	at java.security.AccessController.doPrivileged(Native Method)
 	at javax.security.auth.Subject.doAs(Subject.java:357)
 	at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
 	at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:154)
 	at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:140)
 	at org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:563)
 	at org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:709)
 	at org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:404)
 	at org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:235)
 	at org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:163)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]
 	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
 	at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:123)
 	... 23 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
 	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
 	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
 	... 24 more
Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
 	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:72)
 	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:193)
 	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:205)
 	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
 	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
 	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555)
 	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
 	... 27 more
Caused by: KrbException: Identifier doesn't match expected value (906)
 	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:144)
 	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
 	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
 	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:54)
 	... 33 more
Error: LDAP query Failed. Error in DNS configuration. Please verify the oVirt Engine host has a valid reverse DNS (PTR) record.
Failure while testing domain blinkmind.net. Details: No user information was found for user

-bash-4.2# nslookup ipa-master.blinkmind.net
Server:		10.10.0.10
Address:	10.10.0.10#53

Name:	ipa-master.blinkmind.net
Address: 10.13.0.105

-bash-4.2# nslookup 10.13.0.105
Server:		10.10.0.10
Address:	10.10.0.10#53

105.0.13.10.in-addr.arpa	name = ipa-master.blinkmind.net.

-bash-4.2# nslookup ovirt-engine.blinkmind.net
Server:		10.10.0.10
Address:	10.10.0.10#53

Name:	ovirt-engine.blinkmind.net
Address: 10.13.0.245

-bash-4.2# nslookup 10.13.0.245
Server:		10.10.0.10
Address:	10.10.0.10#53

245.0.13.10.in-addr.arpa	name = ovirt-engine.blinkmind.net.
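An added example, not from the thread or from oVirt's own code: a small Python check that automates what the utility's error text asks for (forward and reverse DNS round-trip for a host) and derives the ldap/<host>@REALM principal a GSSAPI LDAP bind will request, so a hostname the KDC does not know shows up as the same error 7 seen in the trace above. The zone data is constructed from the nslookup output in the mail; the "ldap" alias and the "orphan" host without a PTR are hypothetical additions.

```python
"""Forward/reverse DNS round-trip check for a Kerberos LDAP service principal.

A GSSAPI LDAP client asks the KDC for a ticket to ldap/<host>@REALM, where <host>
is the canonical name it derives from DNS (with rdns enabled, the PTR of the
resolved address). When the KDC has no such principal the TGS answers with error
code 7, KDC_ERR_S_PRINCIPAL_UNKNOWN ("Server not found in Kerberos database").
"""

# Constructed zone data modelled on the nslookup output in the thread; the
# "ldap" alias and the "orphan" host (no PTR) are hypothetical additions.
FORWARD = {
    "ipa-master.blinkmind.net": "10.13.0.105",
    "ovirt-engine.blinkmind.net": "10.13.0.245",
    "ldap.blinkmind.net": "10.13.0.105",
    "orphan.blinkmind.net": "10.13.0.9",
}
REVERSE = {
    "10.13.0.105": "ipa-master.blinkmind.net.",
    "10.13.0.245": "ovirt-engine.blinkmind.net.",
}

def canonical_host(name, forward=FORWARD, reverse=REVERSE):
    """Resolve name -> A -> PTR, as an rdns-enabled Kerberos client does."""
    name = name.lower().rstrip(".")
    addr = forward.get(name)
    if addr is None:
        raise LookupError(f"no forward (A) record for {name}")
    ptr = reverse.get(addr)
    if ptr is None:
        raise LookupError(f"no reverse (PTR) record for {addr} ({name})")
    return ptr.lower().rstrip(".")

def round_trip_ok(name, forward=FORWARD, reverse=REVERSE):
    """True when name -> addr -> PTR -> addr closes the loop (the check the error text asks for)."""
    try:
        canon = canonical_host(name, forward, reverse)
    except LookupError:
        return False
    return forward.get(canon) == forward.get(name.lower().rstrip("."))

def expected_spn(name, realm, forward=FORWARD, reverse=REVERSE):
    """Service principal a client will request for an LDAP bind to name."""
    return f"ldap/{canonical_host(name, forward, reverse)}@{realm.upper()}"

def check_ldap_spn(name, realm, kdc_principals, forward=FORWARD, reverse=REVERSE):
    """Return (ok, detail): would a GSSAPI bind to name find its principal on the KDC?"""
    try:
        spn = expected_spn(name, realm, forward, reverse)
    except LookupError as err:
        return False, str(err)
    if spn not in kdc_principals:
        return False, f"{spn} not on KDC -> error 7: KDC_ERR_S_PRINCIPAL_UNKNOWN"
    return True, spn
```

Feeding the check with the principals actually present on the KDC (e.g. the output of listing them on the IPA side) separates a DNS canonicalization mismatch from a missing service principal, which the utility's generic "Error in DNS configuration" message does not do.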
