[Users] ovirt kerberos/ldap

Yaniv Kaul ykaul at redhat.com
Thu Feb 21 11:55:55 UTC 2013


On 21/02/13 13:24, Eduardo Ramos wrote:
> Morning!
>
> That's my log entry. PCAP attached.
>
> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 
> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin at GSR.INPE.BR for 
> krbtgt/GSR.INPE.BR at GSR.INPE.BR, KDC has no support for encryption type

You are using rc4_hmac, which is the right encryption protocol usually. 
One can disable it (using the 'permitted_enctypes' directive).

>
> My /etc/krb5.conf

This is not the krb5.conf file oVirt is using. Please search your system 
for oVirt's krb5.conf (sorry, don't have it off the top of my head).
In any case, I'd check the IPA configuration.
Y.

> [libdefaults]
>       default_realm = GSR.INPE.BR
>       allow_weak_crypto = yes
>
>         default_tkt_enctypes = rc4-hmac des-cbc-md5
>         default_tgs_enctypes = rc4-hmac des-cbc-md5
>
> [realms]
>       GSR.INPE.BR = {
>       master_kdc =  GSR.INPE.BR
>       kdc = kerberos.gsr.inpe.br
>       default_domain = gsr.inpe.br
>       }
>
> [domain_realm]
>       .gsr.inpe.br = GSR.INPE.BR
>       gsr.inpe.br = GSR.INPE.BR
>
> [logging]
>    kdc = SYSLOG:INFO
>
> Does it suffice?
>
> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
>> Please provide info also on the IPA server you are using (use rpm -qa 
>> for that)
>>
>>
>> ----- Original Message -----
>>> From: "Yaniv Kaul" <ykaul at redhat.com>
>>> To: "Eduardo Ramos" <eduardo at freedominterface.org>
>>> Cc: users at ovirt.org
>>> Sent: Thursday, February 21, 2013 11:14:41 AM
>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>
>>> ----- Original Message -----
>>>> Hi all!
>>>>
>>>> I'm trying to link a ldap/kerberos to my ovirt without success. I'm
>>>> stuck with this:
>>>>
>>>> oVirt engine:
>>>>
>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>>>> -user=admin/admin -interactive -provider=IPA
>>>> Enter password:
>>>>
>>>> Error:  exception message: KDC has no support for encryption type
>>>> (14) -
>>>> BAD_ENCRYPTION_TYPE
>>> Please snoop the connection between the engine and the IPA server.
>>> Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
>>> /tmp/kerb.pcap' ).
>>> Y.
>>>
>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
>>>> Please check log for further details.
>>>>
>>>> kdc log:
>>>>
>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>>>> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin at GSR.INPE.BR for
>>>> krbtgt/GSR.INPE.BR at GSR.INPE.BR, KDC has no support for encryption
>>>> type
>>>>
>>>> Any suggestion?
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>
>>>
>
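
An added example, not part of the original thread or of oVirt/IPA: a small parser for the krb5kdc request lines quoted above that decodes the offered encryption-type numbers and lists the requests rejected with BAD_ENCRYPTION_TYPE. The names `parse_kdc_line` and `rejected_offers` are hypothetical, and the second sample line is constructed.

```python
import re

# Kerberos encryption-type numbers (IANA registry) as they appear in KDC logs.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# The "(14)" in the engine-side error is Kerberos error code
# KDC_ERR_ETYPE_NOSUPP (RFC 4120), not an encryption-type number.

# krb5kdc request line: "<REQ> (<n> etypes {<list>}) <client ip>: <STATUS>: <detail>"
REQ_RE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<detail>.*)"
)

SAMPLE_LOG = [
    # Line from the thread, rejoined (addresses as obfuscated by the archive).
    "Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) "
    "150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin at GSR.INPE.BR for "
    "krbtgt/GSR.INPE.BR at GSR.INPE.BR, KDC has no support for encryption type",
    # Constructed line: a request that offers AES and is issued a ticket.
    "Feb 21 09:00:00 kdc1 krb5kdc[1000]: AS_REQ (4 etypes {18 17 16 23}) "
    "192.0.2.10: ISSUE: authtime 1361437200, etypes {rep=18 tkt=18 ses=18}, "
    "alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
]

def parse_kdc_line(line):
    """Return request type, client IP, status and offered etypes, or None."""
    m = REQ_RE.search(line)
    if m is None:
        return None
    offered = [int(n) for n in m.group("etypes").split()]
    return {"req": m.group("req"), "ip": m.group("ip"),
            "status": m.group("status"), "offered": offered}

def rejected_offers(lines):
    """List (client ip, request, offered etype names) for etype rejections."""
    out = []
    for rec in filter(None, map(parse_kdc_line, lines)):
        if rec["status"] == "BAD_ENCRYPTION_TYPE":
            names = [ETYPE_NAMES.get(n, f"etype-{n}") for n in rec["offered"]]
            out.append((rec["ip"], rec["req"], names))
    return out

if __name__ == "__main__":
    for ip, req, names in rejected_offers(SAMPLE_LOG):
        print(f"{ip}: {req} offered only {names}; the KDC accepted none")
```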



