[Users] ovirt kerberos/ldap

Eduardo Ramos eduardo at freedominterface.org
Tue Feb 26 19:26:42 UTC 2013


Has anyone faced that?

On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
> Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
>
>
>
> ----- Original Message -----
>> From: "Eduardo Ramos" <eduardo at freedominterface.org>
>> To: "Yaniv Kaul" <ykaul at redhat.com>
>> Cc: yzaslavs at redhat.com, users at ovirt.org
>> Sent: Thursday, February 21, 2013 3:43:04 PM
>> Subject: Re: [Users] ovirt kerberos/ldap
>>
>> I got a new step!
>>
>> I added arcfour-hmac-md5:normal into supported_enctypes and
>> permitted_enctypes directives in kdc.conf.
>> Then I changed password of my principal using the following:
>>
>> change_password -e arcfour-hmac-md5:normal admin/adimin
>>
>> Now, it's ok, but now I got another error that I didn't understand as
>> follows:
>>
>> # engine-manage-domains -action=add -domain=gsr.inpe.br -user=admin/admin -interactive -provider=IPA
>> Enter password:
>>
>> Error:  exception message: Checksum failed
>> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
>> Please check log for further details.
>>
>> The log of kdc says:
>>
>> Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 ses=23}, admin/admin at GSR.INPE.BR for krbtgt/GSR.INPE.BR at GSR.INPE.BR
>>
>> And the engine-manage-domains.log says:
>> 2013-02-21 10:36:46,722 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): gsr.inpe.br
>> 2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): gsr.inpe.br
>> 2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: gsr.inpe.br
>> 2013-02-21 10:36:46,819 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Checksum failed
>> 2013-02-21 10:36:46,822 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.
>>
>>
>> On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
>>> On 21/02/13 13:24, Eduardo Ramos wrote:
>>>> Morning!
>>>>
>>>> That's my log entry. PCAP attached.
>>>>
>>>> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin at GSR.INPE.BR for krbtgt/GSR.INPE.BR at GSR.INPE.BR, KDC has no support for encryption type
>>> You are using rc4_hmac, which is the right encryption protocol
>>> usually. One can disable it (using 'permitted_enctypes' directive).
>>>
>>>> My /etc/krb5.conf
>>> This is not the krb5.conf file oVirt is using. Please search your
>>> system for oVirt's krb5.conf (sorry, don't have it from the top of my
>>> head).
>>> In any case, I'd check the IPA configuration.
>>> Y.
>>>
>>>> [libdefaults]
>>>>        default_realm = GSR.INPE.BR
>>>>        allow_weak_crypto = yes
>>>>
>>>>          default_tkt_enctypes = rc4-hmac des-cbc-md5
>>>>          default_tgs_enctypes = rc4-hmac des-cbc-md5
>>>>
>>>> [realms]
>>>>        GSR.INPE.BR = {
>>>>        master_kdc =  GSR.INPE.BR
>>>>        kdc = kerberos.gsr.inpe.br
>>>>        default_domain = gsr.inpe.br
>>>>        }
>>>>
>>>> [domain_realm]
>>>>        .gsr.inpe.br = GSR.INPE.BR
>>>>        gsr.inpe.br = GSR.INPE.BR
>>>>
>>>> [logging]
>>>>     kdc = SYSLOG:INFO
>>>>
>>>> Does it suffice?
>>>>
>>>> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
>>>>> Please provide info also on the IPA server you are using (use rpm
>>>>> -qa for that)
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Yaniv Kaul" <ykaul at redhat.com>
>>>>>> To: "Eduardo Ramos" <eduardo at freedominterface.org>
>>>>>> Cc: users at ovirt.org
>>>>>> Sent: Thursday, February 21, 2013 11:14:41 AM
>>>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> Hi all!
>>>>>>>
>>>>>>> I'm trying to link a ldap/kerberos to my ovirt without success.
>>>>>>> I'm stuck with this:
>>>>>>>
>>>>>>> oVirt engine:
>>>>>>>
>>>>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br -user=admin/admin -interactive -provider=IPA
>>>>>>> Enter password:
>>>>>>>
>>>>>>> Error:  exception message: KDC has no support for encryption type (14) - BAD_ENCRYPTION_TYPE
>>>>>> Please snoop the connection between the engine and the IPA server.
>>>>>> Port 88, full packets ('-s 1500' on tcpdump), into file ('-w /tmp/kerb.pcap' ).
>>>>>> Y.
>>>>>>
>>>>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
>>>>>>> Please check log for further details.
>>>>>>>
>>>>>>> kdc log:
>>>>>>>
>>>>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin at GSR.INPE.BR for krbtgt/GSR.INPE.BR at GSR.INPE.BR, KDC has no support for encryption type
>>>>>>>
>>>>>>> Any suggestions?
>>
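The krb5kdc lines quoted in this thread show which encryption types the client offered (`etypes {23}`) and which ones the KDC used for the reply, ticket and session key (`rep=23 tkt=16 ses=23`). The Python below is an added example, not part of the original thread or of oVirt or MIT krb5: it audits log lines in that numeric format for deprecated enctypes. The sample lines, host name, addresses and realm are constructed.

```python
import re

# Kerberos etype numbers (IANA registry) as printed in the numeric log format.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
# Single DES, 3DES and RC4 are deprecated (RFC 6649, RFC 8429).
WEAK = {1, 2, 3, 16, 23, 24}

REQ = re.compile(
    r"krb5kdc\[\d+\]: (?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<req>[\d ]+)\}\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)")
ISSUED = re.compile(r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}")

def audit(line):
    """Return a dict describing one KDC request, or None for unrelated lines."""
    m = REQ.search(line)
    if not m:
        return None
    requested = [int(n) for n in m["req"].split()]
    findings = []
    if all(e in WEAK for e in requested):
        findings.append("client offers only weak etypes")
    issued = ISSUED.search(m["rest"])
    if issued:
        # rep = AS-REP encryption, tkt = ticket key, ses = session key
        for role, num in zip(("rep", "tkt", "ses"), map(int, issued.groups())):
            if num in WEAK:
                findings.append(f"{role} uses {ETYPES.get(num, num)}")
    elif m["status"] == "BAD_ENCRYPTION_TYPE":
        findings.append("KDC rejected every offered etype")
    return {"kind": m["kind"], "client_ip": m["ip"], "status": m["status"],
            "requested": [ETYPES.get(e, str(e)) for e in requested],
            "findings": findings}

# Constructed sample lines in the format quoted in the thread.
SAMPLE = [
    "Feb 21 08:12:57 kdc1 krb5kdc[4314]: AS_REQ (1 etypes {23}) 192.0.2.10: BAD_ENCRYPTION_TYPE: admin/admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, KDC has no support for encryption type",
    "Feb 21 10:36:45 kdc1 krb5kdc[5386]: AS_REQ (1 etypes {23}) 192.0.2.10: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 ses=23}, admin/admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Feb 21 10:40:02 kdc1 krb5kdc[5386]: AS_REQ (2 etypes {18 17}) 192.0.2.11: ISSUE: authtime 1361454002, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
]

if __name__ == "__main__":
    for entry in filter(None, map(audit, SAMPLE)):
        print(entry["client_ip"], entry["status"], entry["requested"], entry["findings"])
```

Newer krb5 releases may print enctype names instead of bare numbers in these log lines, in which case the `REQ` and `ISSUED` patterns need adjusting.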



