[Users] LDAP

Yair Zaslavsky yzaslavs at redhat.com
Fri Feb 24 11:07:16 UTC 2012


On 02/23/2012 08:26 PM, Oved Ourfalli wrote:
> 
> 
> ----- Original Message -----
>> From: "Nathan Stratton" <nathan at robotics.net>
>> To: "Oved Ourfalli" <ovedo at redhat.com>
>> Cc: users at ovirt.org, "Yaniv Kaul" <ykaul at redhat.com>
>> Sent: Thursday, February 23, 2012 8:13:33 PM
>> Subject: Re: [Users] LDAP
>>
>> On Thu, 23 Feb 2012, Oved Ourfalli wrote:
>>
>>> IIRC, we only support using -interactive or using -passwordFile,
>>> and not both.
>>> The fact that you don't get a warning on that is a bug.
>>
>> :) Oops.
>>
>>> Found this blog with a similar error that is caused due to password
>>> expiration (in the engine log, and not while running the manage
>>> domains utility, but that might also help):
>>> http://blog.rtfm.co.hu/2012/02/rhev-error-from-kerberos-integrity-check-on-decrypted-field-failed/
>>>
>>> But the information there doesn't go very well with the fact that
>>> kinit is successful.
>>
>> Ya, I saw that also, (been doing a lot of googling), but:
>>
>> -bash-4.2# kinit nathan
>> Password for nathan at BLINKMIND.NET:
>> -bash-4.2# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: nathan at BLINKMIND.NET
>>
>> Valid starting     Expires            Service principal
>> 02/23/12 12:07:21  02/24/12 12:07:16
>>  krbtgt/BLINKMIND.NET at BLINKMIND.NET
>>  	renew until 03/01/12 12:07:16
>>
>>
>>> Is the file containing the correct password? Try using only
>>> -interactive, and enter the password interactively.
>>
>> Yep, the password is correct, I get the same error no matter what
>> password I use. However when I try with -interactive I get more debug
>> info (see below).
>>
>>> Also, attaching the log of the utility might be helpful.
>>
>> How would I get that? I don't see anything anywhere in /var/log/*
>>
> 
> It should be in /var/log/ovirt-engine/engine-manage-domains/engine-manage-domains.log 
> (or in /var/log/engine/engine-manage-domains/engine-manage-domains.log... not sure).
> 
>>> Also, try logging in with that user to the IPA machine, that way
>>> you'll know if you need to change your password (I saw that
>>> sometimes kinit doesn't ask you to change the password, but
>>> logging in does).
>>
>> Yep, that works fine. If I do it with -interactive I get the errors
>> below.
>> It seems to have an issue with DNS, but yet it is pulling the two SRV
>> records AND hitting the right servers. Also both ovirt-engine and
>> ipa-master have forward and reverse dns and proper /etc/hosts files.
>>
>> -bash-4.2# engine-manage-domains -action=add -domain=blinkmind.net
>> -user=nathan -interactive
>> Enter password:
>>
>> javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]]
>>  	at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:168)
>>  	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:232)
>>  	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
>>  	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
>>  	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>  	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>  	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>  	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>  	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>  	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
>>  	at javax.naming.InitialContext.init(InitialContext.java:240)
>>  	at javax.naming.InitialContext.<init>(InitialContext.java:214)
>>  	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
>>  	at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
>>  	at java.security.AccessController.doPrivileged(Native Method)
>>  	at javax.security.auth.Subject.doAs(Subject.java:357)
>>  	at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
>>  	at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:154)
>>  	at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:140)
>>  	at org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:563)
>>  	at org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:709)
>>  	at org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:404)
>>  	at org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:235)
>>  	at org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:163)
>> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]
Not sure if help is still needed in this issue (krb error code 7) -
from my experience, this usually happened when DNS was not configured
correctly -
IMHO - you need to configure a reverse PTR record for the machine that
runs engine-core.
In addition, make sure that ldap and krb have proper DNS SRV records.
Oved - do we have a wiki (upstream) explaining these DNS issues?

>>  	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
>>  	at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:123)
>>  	... 23 more
>> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
>>  	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
>>  	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
>>  	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
>>  	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
>>  	... 24 more
>> Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
>>  	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:72)
>>  	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:193)
>>  	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:205)
>>  	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
>>  	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
>>  	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555)
>>  	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
>>  	... 27 more
>> Caused by: KrbException: Identifier doesn't match expected value (906)
>>  	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:144)
>>  	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
>>  	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
>>  	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:54)
>>  	... 33 more
>> Error: LDAP query Failed. Error in DNS configuration. Please verify the oVirt Engine host has a valid reverse DNS (PTR) record.
>> Failure while testing domain blinkmind.net. Details: No user information was found for user
>>
> 
> Please try doing
> "dig -x <ip address of IPA server>"
> 
> Look at the answer section, to make sure it shows a PTR record of it:
> dig -x 1.2.3.4
> ...
> ...
> ...
> ;; ANSWER SECTION:
> 4.3.2.1.in-addr.arpa. 84063  IN      PTR     my_server.my_domain.
> ...
> ...
> ...
>>
>>
>>
>> -bash-4.2# nslookup ipa-master.blinkmind.net
>> Server:		10.10.0.10
>> Address:	10.10.0.10#53
>>
>> Name:	ipa-master.blinkmind.net
>> Address: 10.13.0.105
>>
>> -bash-4.2# nslookup 10.13.0.105
>> Server:		10.10.0.10
>> Address:	10.10.0.10#53
>>
>> 105.0.13.10.in-addr.arpa	name = ipa-master.blinkmind.net.
>>
>> -bash-4.2# nslookup ovirt-engine.blinkmind.net
>> Server:		10.10.0.10
>> Address:	10.10.0.10#53
>>
>> Name:	ovirt-engine.blinkmind.net
>> Address: 10.13.0.245
>>
>> -bash-4.2# nslookup 10.13.0.245
>> Server:		10.10.0.10
>> Address:	10.10.0.10#53
>>
>> 245.0.13.10.in-addr.arpa	name = ovirt-engine.blinkmind.net.
>>
>>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
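The DNS checks discussed in this thread, written out as an added example; this is not oVirt code and not something any participant posted. Kerberos error 7 (KDC_ERR_S_PRINCIPAL_UNKNOWN) is returned when the KDC cannot find the service principal named in the TGS request, which is why the trace above fails after kinit succeeded: the TGT is fine, the request for a service ticket is not. The script below does the consistency checks Yair lists (engine PTR, LDAP and Kerberos SRV records, and forward/reverse agreement for every SRV target) against a stub resolver so it runs offline. The A and PTR values are copied from the nslookup output in the thread; the SRV records, the BROKEN_ZONE variant, the realm being the upper-cased domain, and every function name are assumptions for illustration. Replace make_resolver with a real resolver of the same signature to run it against live DNS.

```python
# Added example (not oVirt code): offline check of the DNS prerequisites that
# engine-manage-domains relies on, modelled on the records in this thread.
# Constructed zone data; the resolver is a stub so the script runs without a network.
# All function and variable names are hypothetical.

ENGINE_HOST = "ovirt-engine.blinkmind.net"
DOMAIN = "blinkmind.net"

# Constructed records: A/PTR values mirror the nslookup output in the thread;
# the SRV records are assumed (what a FreeIPA domain normally publishes).
ZONE = {
    ("ovirt-engine.blinkmind.net.", "A"): ["10.13.0.245"],
    ("ipa-master.blinkmind.net.", "A"): ["10.13.0.105"],
    ("245.0.13.10.in-addr.arpa.", "PTR"): ["ovirt-engine.blinkmind.net."],
    ("105.0.13.10.in-addr.arpa.", "PTR"): ["ipa-master.blinkmind.net."],
    # (priority, weight, port, target)
    ("_ldap._tcp.blinkmind.net.", "SRV"): [(0, 100, 389, "ipa-master.blinkmind.net.")],
    ("_kerberos._udp.blinkmind.net.", "SRV"): [(0, 100, 88, "ipa-master.blinkmind.net.")],
    ("_kerberos._tcp.blinkmind.net.", "SRV"): [(0, 100, 88, "ipa-master.blinkmind.net.")],
}

# Constructed failure case: the engine's PTR points at a stale name, which is
# the situation the "valid reverse DNS (PTR) record" error message is about.
BROKEN_ZONE = dict(ZONE)
BROKEN_ZONE[("245.0.13.10.in-addr.arpa.", "PTR")] = ["old-engine.blinkmind.net."]


def fqdn(name):
    """Normalise to an absolute, lower-case DNS name."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def reverse_name(ipv4):
    """10.13.0.245 -> 245.0.13.10.in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."


def make_resolver(zone):
    """Return resolve(name, rtype) -> list of records, backed by the constructed zone.
    A real resolver with the same signature can be swapped in for live checks."""
    def resolve(name, rtype):
        return list(zone.get((fqdn(name), rtype), []))
    return resolve


def check_host(resolve, host, findings):
    """Forward lookup must succeed and every address must reverse-map to host."""
    host = fqdn(host)
    addrs = resolve(host, "A")
    if not addrs:
        findings.append(f"{host}: no A record")
        return
    for ip in addrs:
        ptrs = [fqdn(p) for p in resolve(reverse_name(ip), "PTR")]
        if host not in ptrs:
            findings.append(f"{host} -> {ip}: PTR {ptrs or 'missing'} does not match")


def check_domain(resolve, domain, engine_host):
    """Engine PTR check, then LDAP and Kerberos SRV records whose targets must
    themselves resolve consistently. Returns (findings, expected_spns), where
    expected_spns are the ldap/<host>@REALM names the KDC must know for the SASL
    GSSAPI bind to obtain a service ticket. REALM = domain upper-cased is an
    assumption that happens to match this thread (blinkmind.net / BLINKMIND.NET)."""
    findings = []
    spns = set()
    check_host(resolve, engine_host, findings)
    for service in ("_ldap._tcp", "_kerberos._udp", "_kerberos._tcp"):
        records = resolve(f"{service}.{domain}", "SRV")
        if not records:
            findings.append(f"{service}.{domain}: no SRV record")
            continue
        for _prio, _weight, _port, target in records:
            check_host(resolve, target, findings)
            if service == "_ldap._tcp":
                spns.add(f"ldap/{fqdn(target).rstrip('.')}@{domain.upper()}")
    return findings, sorted(spns)


if __name__ == "__main__":
    for label, zone in (("good", ZONE), ("broken", BROKEN_ZONE)):
        found, spns = check_domain(make_resolver(zone), DOMAIN, ENGINE_HOST)
        print(f"[{label}] findings: {found or 'none'}; KDC must hold: {spns}")
```

With the good zone the script reports no findings and names ldap/ipa-master.blinkmind.net@BLINKMIND.NET as the principal the KDC has to hold; with the broken zone it flags the engine's mismatched PTR. A clean result from this script does not by itself prove the principal exists on the KDC side, so if the DNS checks pass and error 7 persists, the next thing to verify is the service principal on the IPA server.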