[Users] FreeIPA
Yair Zaslavsky
yzaslavs at redhat.com
Sun Apr 28 13:35:07 UTC 2013
Not too informative, so let's start and troubleshoot -
a. please use dig to get SRV records for kerberos and ldap for the domain and attach it -
For example - for domain example.com (kerberos realm - EXAMPLE.COM)
dig SRV _ldap._tcp.example.com
dig SRV _kerberos._tcp.example.com
b. Do you have a PTR record at your DNS defined for your IPA server?
When looking at the code of the manage-domains tool I see the reason that the log is not informative enough is that our translator from "kerberos + ldap error codes" to "human readable" errors failed to translate the message.
IMHO, we should send a patch for this + provide a way to get more descriptive logging in this case.
Can you please let us know if the tips I suggested regarding DNS have helped?
----- Original Message -----
> From: "Ryan Wilkinson" <ryanwilk at gmail.com>
> To: "Yair Zaslavsky" <yzaslavs at redhat.com>
> Cc: users at ovirt.org
> Sent: Sunday, April 28, 2013 4:25:33 PM
> Subject: Re: [Users] FreeIPA
> Thanks, here is the engine-manage-domains log:
> 2013-04-27 22:10:32,911 INFO [org.ovirt.engine.core.domains.ManageDomains]
> Creating kerberos configuration for domain(s): wilk.local
> 2013-04-27 22:10:32,936 INFO [org.ovirt.engine.core.domains.ManageDomains]
> Successfully created kerberos configuration for domain(s): wilk.local
> 2013-04-27 22:10:32,936 INFO [org.ovirt.engine.core.domains.ManageDomains]
> Testing kerberos configuration for domain: wilk.local
> 2013-04-27 22:10:33,219 ERROR
> [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception
> message: freeipa.wilk.local.
> 2013-04-27 22:10:33,223 ERROR [org.ovirt.engine.core.domains.ManageDomains]
> Failure while testing domain wilk.local. Details: Kerberos error. Please
> check log for further details.
> 2013-04-27 22:20:29,053 INFO [org.ovirt.engine.core.domains.ManageDomains]
> Creating kerberos configuration for domain(s): wilk.local
> 2013-04-27 22:20:29,078 INFO [org.ovirt.engine.core.domains.ManageDomains]
> Successfully created kerberos configuration for domain(s): wilk.local
> 2013-04-27 22:20:29,079 INFO [org.ovirt.engine.core.domains.ManageDomains]
> Testing kerberos configuration for domain: wilk.local
> 2013-04-27 22:20:29,257 ERROR
> [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception
> message: freeipa.wilk.local.
> 2013-04-27 22:20:29,261 ERROR [org.ovirt.engine.core.domains.ManageDomains]
> Failure while testing domain wilk.local. Details: Kerberos error. Please
> check log for further details.
> On Sun, Apr 28, 2013 at 1:17 AM, Yair Zaslavsky < yzaslavs at redhat.com >
> wrote:
> > Can we get the log?
> >
> > It would be helpful to understand the kerberos message to understand what
> > has happened.
> >
> > > From: "Ryan Wilkinson" < ryanwilk at gmail.com >
> > > To: users at ovirt.org
> > > Sent: Sunday, April 28, 2013 7:35:53 AM
> > > Subject: [Users] FreeIPA
> > >
> > > Getting this error when I try to configure ldap authentication for Ovirt
> > > with FreeIPA server:
> > >
> > > Error: exception message: freeipa.wilk.local.
> > >
> > > Failure while testing domain wilk.local. Details: Kerberos error. Please
> > > check log for further details.
> > >
> > > Engine-manage-domains.log gives no further details. When I run
> > > "engine-manage-domains -action=add -domain='wilk.local' -user='admin'
> > > -provider=IPA -interactive" it is connecting and asking for the password
> > > but then giving the error. Any input would be appreciated.
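
The two DNS checks requested at the top of this message (SRV records for Kerberos and LDAP, and a PTR record for the IPA server), as an added example that is not part of the original thread: shell functions that validate captured `dig +short` output. The function names and the sample answers are constructed for illustration; `freeipa.wilk.local` is the host named in the log, and the sample records are not the poster's real DNS data.

```shell
#!/bin/sh
# Added example (not from the thread): validate captured `dig +short` answers.

# parse_srv: stdin is the output of `dig +short SRV <name>`, one
# "priority weight port target." per line. Prints "target port" per record,
# lowest priority first; returns 1 if no well-formed SRV record is present.
parse_srv() {
    out=$(awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
                   sub(/\.$/, "", $4); print $1, tolower($4), $3 }' |
          sort -n | cut -d' ' -f2-)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# ptr_matches HOST PTR_ANSWERS: succeeds when one line of `dig +short -x <ip>`
# output names HOST, ignoring case and the trailing dot.
ptr_matches() {
    want=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ -n "$want" ] || return 1
    printf '%s\n' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -qxF -- "$want"
}

# check_domain KRB_SRV LDAP_SRV PTR_ANSWERS: one finding per line; returns
# non-zero if an SRV record is missing or an SRV target has no matching PTR.
check_domain() {
    rc=0
    krb=$(printf '%s\n' "$1" | parse_srv) ||
        { echo "FAIL no _kerberos._tcp SRV record"; rc=1; }
    ldap=$(printf '%s\n' "$2" | parse_srv) ||
        { echo "FAIL no _ldap._tcp SRV record"; rc=1; }
    for host in $(printf '%s\n%s\n' "$krb" "$ldap" | cut -d' ' -f1 | sort -u); do
        if ptr_matches "$host" "$3"; then
            echo "OK   PTR names $host"
        else
            echo "FAIL no PTR answer names $host"; rc=1
        fi
    done
    return $rc
}

# Constructed sample answers, not the poster's real DNS data.
check_domain '0 100 88 freeipa.wilk.local.' \
             '0 100 389 freeipa.wilk.local.' \
             'freeipa.wilk.local.' || true
# Live use: check_domain "$(dig +short SRV _kerberos._tcp.example.com)" \
#   "$(dig +short SRV _ldap._tcp.example.com)" "$(dig +short -x <server-ip>)"
```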