[Users] ovirt kerberos/ldap

Yair Zaslavsky yzaslavs at redhat.com
Thu Feb 21 13:59:39 UTC 2013


Path to the oVirt krb5.conf file: /etc/ovirt-engine/krb5.conf



----- Original Message -----
> From: "Eduardo Ramos" <eduardo at freedominterface.org>
> To: "Yaniv Kaul" <ykaul at redhat.com>
> Cc: yzaslavs at redhat.com, users at ovirt.org
> Sent: Thursday, February 21, 2013 3:43:04 PM
> Subject: Re: [Users] ovirt kerberos/ldap
> 
> I got a new step!
> 
> I added arcfour-hmac-md5:normal to the supported_enctypes and
> permitted_enctypes directives in kdc.conf.
> Then I changed the password of my principal using the following:
> 
> change_password -e arcfour-hmac-md5:normal admin/admin
> 
> Now it's ok, but I got another error that I didn't understand, as
> follows:
> 
> # engine-manage-domains -action=add -domain=gsr.inpe.br
> -user=admin/admin -interactive -provider=IPA
> Enter password:
> 
> Error:  exception message: Checksum failed
> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
> Please check log for further details.
> 
> The log of kdc says:
> 
> Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 ses=23}, admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR
> 
> And the engine-manage-domains.log says:
> 2013-02-21 10:36:46,722 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): gsr.inpe.br
> 2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): gsr.inpe.br
> 2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: gsr.inpe.br
> 2013-02-21 10:36:46,819 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Checksum failed
> 2013-02-21 10:36:46,822 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.
> 
> 
> On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
> > On 21/02/13 13:24, Eduardo Ramos wrote:
> >> Morning!
> >>
> >> That's my log entry. PCAP attached.
> >>
> >> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type
> >
> > You are using rc4_hmac, which is the right encryption protocol
> > usually. One can disable it (using 'permitted_enctypes' directive).
> >
> >>
> >> My /etc/krb5.conf
> >
> > This is not the krb5.conf file oVirt is using. Please search your
> > system for oVirt's krb5.conf (sorry, I don't have it off the top of
> > my head).
> > In any case, I'd check the IPA configuration.
> > Y.
> >
> >> [libdefaults]
> >>       default_realm = GSR.INPE.BR
> >>       allow_weak_crypto = yes
> >>
> >>         default_tkt_enctypes = rc4-hmac des-cbc-md5
> >>         default_tgs_enctypes = rc4-hmac des-cbc-md5
> >>
> >> [realms]
> >>       GSR.INPE.BR = {
> >>       master_kdc =  GSR.INPE.BR
> >>       kdc = kerberos.gsr.inpe.br
> >>       default_domain = gsr.inpe.br
> >>       }
> >>
> >> [domain_realm]
> >>       .gsr.inpe.br = GSR.INPE.BR
> >>       gsr.inpe.br = GSR.INPE.BR
> >>
> >> [logging]
> >>    kdc = SYSLOG:INFO
> >>
> >> Is that sufficient?
> >>
> >> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
> >>> Please provide info also on the IPA server you are using (use rpm
> >>> -qa for that)
> >>>
> >>>
> >>> ----- Original Message -----
> >>>> From: "Yaniv Kaul" <ykaul at redhat.com>
> >>>> To: "Eduardo Ramos" <eduardo at freedominterface.org>
> >>>> Cc: users at ovirt.org
> >>>> Sent: Thursday, February 21, 2013 11:14:41 AM
> >>>> Subject: Re: [Users] ovirt kerberos/ldap
> >>>>
> >>>> ----- Original Message -----
> >>>>> Hi all!
> >>>>>
> >>>>> I'm trying to link an LDAP/Kerberos to my oVirt without success.
> >>>>> I'm stuck with this:
> >>>>>
> >>>>> oVirt engine:
> >>>>>
> >>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
> >>>>> -user=admin/admin -interactive -provider=IPA
> >>>>> Enter password:
> >>>>>
> >>>>> Error:  exception message: KDC has no support for encryption type (14) - BAD_ENCRYPTION_TYPE
> >>>> Please snoop the connection between the engine and the IPA server.
> >>>> Port 88, full packets ('-s 1500' on tcpdump), into a file ('-w /tmp/kerb.pcap').
> >>>> Y.
> >>>>
> >>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.
> >>>>>
> >>>>> kdc log:
> >>>>>
> >>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type
> >>>>>
> >>>>> Any suggestion?
> >>>>> _______________________________________________
> >>>>> Users mailing list
> >>>>> Users at ovirt.org
> >>>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>>>



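The krb5kdc AS_REQ records quoted in the thread carry the whole negotiation as enctype numbers: the client offers "{23}" (rc4-hmac) and, once the KDC permits it, issues with "rep=23 tkt=16 ses=23" (rc4-hmac reply and session key, des3-cbc-sha1 ticket key). The script below is an added example, not oVirt's or MIT krb5's code, that parses such log lines, names the enctypes and flags rejections and legacy algorithms. The two AS_REQ sample lines are the ones quoted above with the list archive's " at " restored to "@"; the TGS_REQ line (which the parser is meant to skip) and all function and constant names are constructed for this example.

```python
"""Decode the enctype numbers that krb5kdc prints for AS_REQ records.

Added example for the oVirt/IPA thread; not oVirt or MIT krb5 code.
Sample AS_REQ lines are the ones from the thread ("@" restored);
the TGS_REQ line is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Kerberos encryption type numbers (RFC 3961 / IANA registry), subset.
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",  # spelled arcfour-hmac-md5 in kdc.conf / kadmin
    24: "rc4-hmac-exp",
}
# Deprecated by RFC 6649 (single DES, exportable RC4) and RFC 8429 (3DES, RC4).
LEGACY = {1, 3, 16, 23, 24}

# The "(14)" in the engine's error message is this KDC error code.
KDC_ERR_ETYPE_NOSUPP = 14

AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]: AS_REQ \((?P<count>\d+) etypes \{(?P<offered>[\d ]*)\}\) "
    r"(?P<client_ip>[^\s:]+): (?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<client>\S+) for (?P<server>[^\s,]+)"
    r"(?:, (?P<reason>.*))?$"
)


@dataclass
class AsReq:
    client_ip: str
    status: str
    offered: list[int]          # enctypes the client listed in the AS_REQ
    client: str
    server: str
    reason: str | None = None   # trailing KDC explanation on error records
    rep: int | None = None      # enctype protecting the AS_REP (client key)
    tkt: int | None = None      # enctype of the ticket (krbtgt key)
    ses: int | None = None      # enctype of the session key


def enctype_name(etype: int | None) -> str:
    if etype is None:
        return "-"
    return ENCTYPES.get(etype, f"etype-{etype}")


def parse_as_req(line: str) -> AsReq | None:
    """Return the decoded record, or None for non-AS_REQ lines (e.g. TGS_REQ)."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None

    def opt_int(group: str) -> int | None:
        return int(m.group(group)) if m.group(group) else None

    return AsReq(
        client_ip=m.group("client_ip"),
        status=m.group("status"),
        offered=[int(x) for x in m.group("offered").split()],
        client=m.group("client"),
        server=m.group("server"),
        reason=m.group("reason"),
        rep=opt_int("rep"), tkt=opt_int("tkt"), ses=opt_int("ses"),
    )


def diagnose(req: AsReq) -> list[str]:
    """Explain, in enctype names, what the record says about negotiation."""
    findings = []
    offered = ", ".join(enctype_name(e) for e in req.offered)
    if req.status == "BAD_ENCRYPTION_TYPE":
        findings.append(
            f"{req.client} from {req.client_ip} offered [{offered}] and the KDC "
            f"permits none of them (KDC_ERR_ETYPE_NOSUPP, code {KDC_ERR_ETYPE_NOSUPP})"
        )
    elif req.status != "ISSUE":
        findings.append(f"AS_REQ from {req.client_ip} refused: {req.status}"
                        + (f" ({req.reason})" if req.reason else ""))
    if req.offered and all(e in LEGACY for e in req.offered):
        findings.append(f"client offers only legacy enctypes [{offered}]; "
                        "it cannot negotiate AES until the client side changes")
    if req.status == "ISSUE":
        for label, et in (("reply", req.rep), ("ticket", req.tkt), ("session", req.ses)):
            if et in LEGACY:
                findings.append(f"{label} key uses legacy enctype {enctype_name(et)}")
    return findings


def audit(log_text: str) -> list[tuple[int, list[str]]]:
    """Findings for every AS_REQ line, keyed by 1-based line number."""
    out = []
    for n, line in enumerate(log_text.splitlines(), 1):
        req = parse_as_req(line)
        if req is not None:
            out.append((n, diagnose(req)))
    return out


# Lines 1-2 are from the thread; line 3 is a constructed TGS_REQ record.
SAMPLE_LOG = """\
Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type
Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 ses=23}, admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR
Feb 21 10:37:01 ldap krb5kdc[5386]: TGS_REQ (1 etypes {23}) 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=23 ses=23}, admin/admin@GSR.INPE.BR for ldap/ldap.gsr.inpe.br@GSR.INPE.BR
"""

if __name__ == "__main__":
    for n, findings in audit(SAMPLE_LOG):
        for f in findings:
            print(f"line {n}: {f}")
```

Run against the two thread lines, the first record decodes to "offered [rc4-hmac], KDC permits none" and the second to an issued ticket whose reply and session keys are rc4-hmac (the only type the client offered) and whose ticket key is des3-cbc-sha1 (the krbtgt key). Adding arcfour-hmac-md5 to the KDC, as done in the thread, makes the request succeed; the check also shows that every key in the exchange then rests on enctypes deprecated by RFC 6649 and RFC 8429, so the longer-term fix is a client that can offer AES rather than a KDC that re-enables RC4.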