[Users] LDAP

Oved Ourfalli ovedo at redhat.com
Thu Feb 23 18:26:00 UTC 2012 


----- Original Message -----
> From: "Nathan Stratton" <nathan at robotics.net>
> To: "Oved Ourfalli" <ovedo at redhat.com>
> Cc: users at ovirt.org, "Yaniv Kaul" <ykaul at redhat.com>
> Sent: Thursday, February 23, 2012 8:13:33 PM
> Subject: Re: [Users] LDAP
> 
> On Thu, 23 Feb 2012, Oved Ourfalli wrote:
> 
> > IIRC, we only support using -interactive or using -passwordFile,
> > and not both.
> > The fact that you don't get a warning on that is a bug.
> 
> :) Opps.
> 
> > Found this blog with a similar error that is caused due to password
> > expiration (in the engine log, and not while running the manage
> > domains utility, but that might also help):
> > http://blog.rtfm.co.hu/2012/02/rhev-error-from-kerberos-integrity-check-on-decrypted-field-failed/
> >
> > But the information there doesn't go very well with the fact that
> > kinit is successful.
> 
> Ya, I saw that also, (been doing a lot of googling), but:
> 
> -bash-4.2# kinit nathan
> Password for nathan at BLINKMIND.NET:
> -bash-4.2# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: nathan at BLINKMIND.NET
> 
> Valid starting     Expires            Service principal
> 02/23/12 12:07:21  02/24/12 12:07:16
>  krbtgt/BLINKMIND.NET at BLINKMIND.NET
>  	renew until 03/01/12 12:07:16
> 
> 
> > Is the file containing the correct password? Try using only
> > -interactive, and enter the password interactively.
> 
> Yep, the password is correct, I get the same error no matter what
> password
> I use. However when I try with -interactive I get more debug info
> (see
> below).
> 
> > Also, attaching the log of the utility might be helpful.
> 
> How would I get that? I don't see anyting anywhere in /var/log/*
> 

It should be in /var/log/ovirt-engine/engine-manage-domains/engine-manage-domains.log 
(or in /var/log/engine/engine-manage-domains/engine-manage-domains.log... not sure).

> > Also, try logging in with that user to the IPA machine, that way
> > you'll know if you need to change your password (I saw that
> > sometimes kinit doesn't  ask you to change the password, but
> > logging in does).
> 
> Yep, that works fine. If I do it with -interactive I get the errors
> below.
> It seams to have an issue with DNS, but yet it is pulling the two SRV
> records AND hitting the right servers. Also both ovirt-engine and
> ipa-master have forward and reverse dns and proper /etc/hosts files.
> 
> -bash-4.2# engine-manage-domains -action=add -domain=blinkmind.net
> -user=nathan -interactive
> Enter password:
> 
> javax.naming.AuthenticationException: GSSAPI [Root exception is
> javax.security.sasl.SaslException: GSS initiate failed [Caused by
> GSSException: No valid credentials provided (Mechanism level: Server
> not
> found in Kerberos database (7) - UNKNOWN_SERVER)]]
>  	at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:168)
>  	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:232)
>  	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
>  	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
>  	at
> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>  	at
> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>  	at
> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>  	at
> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>  	at
> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>  	at
> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
>  	at javax.naming.InitialContext.init(InitialContext.java:240)
>  	at javax.naming.InitialContext.<init>(InitialContext.java:214)
>  	at
> javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
>  	at
> org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
>  	at java.security.AccessController.doPrivileged(Native Method)
>  	at javax.security.auth.Subject.doAs(Subject.java:357)
>  	at
> org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
>  	at
> org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:154)
>  	at
> org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:140)
>  	at
> org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:563)
>  	at
> org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:709)
>  	at
> org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:404)
>  	at
> org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:235)
>  	at
> org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:163)
> Caused by: javax.security.sasl.SaslException: GSS initiate failed
> [Caused
> by GSSException: No valid credentials provided (Mechanism level:
> Server
> not found in Kerberos database (7) - UNKNOWN_SERVER)]
>  	at
> com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
>  	at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:123)
>  	... 23 more
> Caused by: GSSException: No valid credentials provided (Mechanism
> level:
> Server not found in Kerberos database (7) - UNKNOWN_SERVER)
>  	at
> sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
>  	at
> sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
>  	at
> sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
>  	at
> com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
>  	... 24 more
> Caused by: KrbException: Server not found in Kerberos database (7) -
> UNKNOWN_SERVER
>  	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:72)
>  	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:193)
>  	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:205)
>  	at
> sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
>  	at
> sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
>  	at
> sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555)
>  	at
> sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
>  	... 27 more
> Caused by: KrbException: Identifier doesn't match expected value
> (906)
>  	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:144)
>  	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
>  	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
>  	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:54)
>  	... 33 more
> Error: LDAP query Failed. Error in DNS configuration. Please verify
> the
> oVirt Engine host has a valid reverse DNS (PTR) record.
> Failure while testing domain blinkmind.net. Details: No user
> information
> was found for user
> 

Please try doing
"dig -x <ip address of IPA server>"

Look at the answer section, to make sure it shows a PTR record of it:
dig -x 1.2.3.4
...
...
...
;; ANSWER SECTION:
4.3.2.1.in-addr.arpa. 84063  IN      PTR     my_server.my_domain.
...
...
...
> 
> 
> 
> -bash-4.2# nslookup ipa-master.blinkmind.net
> Server:		10.10.0.10
> Address:	10.10.0.10#53
> 
> Name:	ipa-master.blinkmind.net
> Address: 10.13.0.105
> 
> -bash-4.2# nslookup 10.13.0.105
> Server:		10.10.0.10
> Address:	10.10.0.10#53
> 
> 105.0.13.10.in-addr.arpa	name = ipa-master.blinkmind.net.
> 
> -bash-4.2# nslookup ovirt-engine.blinkmind.net
> Server:		10.10.0.10
> Address:	10.10.0.10#53
> 
> Name:	ovirt-engine.blinkmind.net
> Address: 10.13.0.245
> 
> -bash-4.2# nslookup 10.13.0.245
> Server:		10.10.0.10
> Address:	10.10.0.10#53
> 
> 245.0.13.10.in-addr.arpa	name = ovirt-engine.blinkmind.net.
> 
>

More information about the Users mailing list