[Users] ovirt kerberos/ldap
Eduardo Ramos
eduardo at freedominterface.org
Thu Feb 21 13:43:04 UTC 2013

I got a new step!

I added arcfour-hmac-md5:normal into supported_enctypes and
permitted_enctypes directives in kdc.conf.

Then I changed the password of my principal using the following:

change_password -e arcfour-hmac-md5:normal admin/adimin

Now, it's ok, but now I got another error that I didn't understand, as
follows:

# engine-manage-domains -action=add -domain=gsr.inpe.br -user=admin/admin -interactive -provider=IPA
Enter password:
Error: exception message: Checksum failed
Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.

The log of kdc says:

Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 ses=23}, admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR

And the engine-manage-domains.log says:

2013-02-21 10:36:46,722 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: gsr.inpe.br
2013-02-21 10:36:46,819 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Checksum failed
2013-02-21 10:36:46,822 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.

On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
> On 21/02/13 13:24, Eduardo Ramos wrote:
>> Morning!
>>
>> That's my log entry. PCAP attached.
>>
>> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin@GSR.INPE.BR for
>> krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type
>
> You are using rc4_hmac, which is the right encryption protocol
> usually. One can disable it (using 'permitted_enctypes' directive).
>
>>
>> My /etc/krb5.conf
>
> This is not the krb5.conf file oVirt is using. Please search your
> system for oVirt's krb5.conf (sorry, don't have it from the top of my
> head).
> In any case, I'd check the IPA configuration.
> Y.
>
>> [libdefaults]
>> default_realm = GSR.INPE.BR
>> allow_weak_crypto = yes
>>
>> default_tkt_enctypes = rc4-hmac des-cbc-md5
>> default_tgs_enctypes = rc4-hmac des-cbc-md5
>>
>> [realms]
>> GSR.INPE.BR = {
>> master_kdc = GSR.INPE.BR
>> kdc = kerberos.gsr.inpe.br
>> default_domain = gsr.inpe.br
>> }
>>
>> [domain_realm]
>> .gsr.inpe.br = GSR.INPE.BR
>> gsr.inpe.br = GSR.INPE.BR
>>
>> [logging]
>> kdc = SYSLOG:INFO
>>
>> Does it suffice?
>>
>> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
>>> Please provide info also on the IPA server you are using (use rpm
>>> -qa for that)
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Yaniv Kaul" <ykaul at redhat.com>
>>>> To: "Eduardo Ramos" <eduardo at freedominterface.org>
>>>> Cc: users at ovirt.org
>>>> Sent: Thursday, February 21, 2013 11:14:41 AM
>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>
>>>> ----- Original Message -----
>>>>> Hi all!
>>>>>
>>>>> I'm trying to link a ldap/kerberos to my ovirt without success. I'm
>>>>> stuck with this:
>>>>>
>>>>> oVirt engine:
>>>>>
>>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>>>>> -user=admin/admin -interactive -provider=IPA
>>>>> Enter password:
>>>>>
>>>>> Error: exception message: KDC has no support for encryption type
>>>>> (14) -
>>>>> BAD_ENCRYPTION_TYPE
>>>> Please snoop the connection between the engine and the IPA server.
>>>> Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
>>>> /tmp/kerb.pcap' ).
>>>> Y.
>>>>
>>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
>>>>> Please check log for further details.
>>>>>
>>>>> kdc log:
>>>>>
>>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>>>>> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin@GSR.INPE.BR for
>>>>> krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption
>>>>> type
>>>>>
>>>>> Any suggestion?
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at ovirt.org
>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>
>>>>
>>
>