[Users] ovirt kerberos/ldap

Yair Zaslavsky yzaslavs at redhat.com
Tue Feb 26 19:35:28 UTC 2013



----- Original Message -----
> From: "Eduardo Ramos" <eduardo at freedominterface.org>
> To: users at ovirt.org
> Sent: Tuesday, February 26, 2013 9:26:42 PM
> Subject: Re: [Users] ovirt kerberos/ldap
> 
> Has anyone faced that?
> 
> On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
> > Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
> >
> >
> >
> > ----- Original Message -----
> >> From: "Eduardo Ramos" <eduardo at freedominterface.org>
> >> To: "Yaniv Kaul" <ykaul at redhat.com>
> >> Cc: yzaslavs at redhat.com, users at ovirt.org
> >> Sent: Thursday, February 21, 2013 3:43:04 PM
> >> Subject: Re: [Users] ovirt kerberos/ldap
> >>
> >> I got a new step!
> >>
> >> I added arcfour-hmac-md5:normal into supported_enctypes and
> >> permitted_enctypes directives in kdc.conf.
> >> Then I changed password of my principal using the following:
> >>
> >> change_password -e arcfour-hmac-md5:normal admin/adimin

Is "adimin" a typo here?
Can I ask why your user name appears like that, with a "/" in it?
Can you try to create user - let's say "myadmin" without the "/" ?

> >>
> >> Now, it's ok, but now I got another error that I didn't understand
> >> as
> >> follows:
> >>
> >> # engine-manage-domains -action=add -domain=gsr.inpe.br
> >> -user=admin/admin -interactive -provider=IPA
> >> Enter password:
> >>
> >> Error:  exception message: Checksum failed
> >> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
> >> Please check log for further details.
> >>
> >> The log of kdc says:
> >>
> >> Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23})
> >> 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16
> >> ses=23}, admin/admin at GSR.INPE.BR for
> >> krbtgt/GSR.INPE.BR at GSR.INPE.BR
> >>
> >> And the engine-manage-domains.log says:
> >> 2013-02-21 10:36:46,722 INFO
> >> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
> >> kerberos
> >> configuration for domain(s): gsr.inpe.br
> >> 2013-02-21 10:36:46,745 INFO
> >> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
> >> created kerberos configuration for domain(s): gsr.inpe.br
> >> 2013-02-21 10:36:46,745 INFO
> >> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing
> >> kerberos
> >> configuration for domain: gsr.inpe.br
> >> 2013-02-21 10:36:46,819 ERROR
> >> [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
> >> exception message: Checksum failed
> >> 2013-02-21 10:36:46,822 ERROR
> >> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while
> >> testing domain gsr.inpe.br. Details: Kerberos error. Please check
> >> log
> >> for further details.
> >>
> >>
> >> On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
> >>> On 21/02/13 13:24, Eduardo Ramos wrote:
> >>>> Morning!
> >>>>
> >>>> That's my log entry. PCAP attached.
> >>>>
> >>>> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
> >>>> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin at GSR.INPE.BR for
> >>>> krbtgt/GSR.INPE.BR at GSR.INPE.BR, KDC has no support for
> >>>> encryption
> >>>> type
> >>> You are using rc4_hmac, which is the right encryption protocol
> >>> usually. One can disable it (using 'permitted_enctypes'
> >>> directive).
> >>>
> >>>> My /etc/krb5.conf
> >>> This is not the krb5.conf file oVirt is using. Please search your
> >>> system for oVirt's krb5.conf (sorry, don't have it from the top
> >>> of
> >>> my
> >>> head).
> >>> In any case, I'd check the IPA configuration.
> >>> Y.
> >>>
> >>>> [libdefaults]
> >>>>        default_realm = GSR.INPE.BR
> >>>>        allow_weak_crypto = yes
> >>>>
> >>>>          default_tkt_enctypes = rc4-hmac des-cbc-md5
> >>>>          default_tgs_enctypes = rc4-hmac des-cbc-md5
> >>>>
> >>>> [realms]
> >>>>        GSR.INPE.BR = {
> >>>>        master_kdc =  GSR.INPE.BR
> >>>>        kdc = kerberos.gsr.inpe.br
> >>>>        default_domain = gsr.inpe.br
> >>>>        }
> >>>>
> >>>> [domain_realm]
> >>>>        .gsr.inpe.br = GSR.INPE.BR
> >>>>        gsr.inpe.br = GSR.INPE.BR
> >>>>
> >>>> [logging]
> >>>>     kdc = SYSLOG:INFO
> >>>>
> >>>> Is it sufficient?
> >>>>
> >>>> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
> >>>>> Please provide info also on the IPA server you are using (use
> >>>>> rpm
> >>>>> -qa for that)
> >>>>>
> >>>>>
> >>>>> ----- Original Message -----
> >>>>>> From: "Yaniv Kaul" <ykaul at redhat.com>
> >>>>>> To: "Eduardo Ramos" <eduardo at freedominterface.org>
> >>>>>> Cc: users at ovirt.org
> >>>>>> Sent: Thursday, February 21, 2013 11:14:41 AM
> >>>>>> Subject: Re: [Users] ovirt kerberos/ldap
> >>>>>>
> >>>>>> ----- Original Message -----
> >>>>>>> Hi all!
> >>>>>>>
> >>>>>>> I'm trying to link a ldap/kerberos to my ovirt without
> >>>>>>> success.
> >>>>>>> I'm
> >>>>>>> stuck with this:
> >>>>>>>
> >>>>>>> oVirt engine:
> >>>>>>>
> >>>>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
> >>>>>>> -user=admin/admin -interactive -provider=IPA
> >>>>>>> Enter password:
> >>>>>>>
> >>>>>>> Error:  exception message: KDC has no support for encryption
> >>>>>>> type
> >>>>>>> (14) -
> >>>>>>> BAD_ENCRYPTION_TYPE
> >>>>>> Please snoop the connection between the engine and the IPA
> >>>>>> server.
> >>>>>> Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
> >>>>>> /tmp/kerb.pcap' ).
> >>>>>> Y.
> >>>>>>
> >>>>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos
> >>>>>>> error.
> >>>>>>> Please check log for further details.
> >>>>>>>
> >>>>>>> kdc log:
> >>>>>>>
> >>>>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
> >>>>>>> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin at GSR.INPE.BR
> >>>>>>> for
> >>>>>>> krbtgt/GSR.INPE.BR at GSR.INPE.BR, KDC has no support for
> >>>>>>> encryption
> >>>>>>> type
> >>>>>>>
> >>>>>>> Any suggestion?
> >>>>>>> _______________________________________________
> >>>>>>> Users mailing list
> >>>>>>> Users at ovirt.org
> >>>>>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>>>>>
> >>>>>>
> >>
> 
> 
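As an added example (not code from this thread, from oVirt or from FreeIPA), the following Python script does by program what the participants did by eye: it parses krb5kdc AS_REQ lines of the shape quoted above, maps the numeric etypes (23 = rc4-hmac, 16 = des3-cbc-sha1) to names, flags BAD_ENCRYPTION_TYPE negotiations and tickets or session keys issued with deprecated DES/RC4 types, and audits the enctype settings in a krb5.conf [libdefaults] block like the one posted. The sample log and config lines are constructed to mirror the thread (with '@' restored where the archive prints 'at'); the third log line, the client 150.163.73.80 and the principal myadmin are invented for contrast.

```python
"""Audit krb5kdc AS_REQ log lines and a krb5.conf [libdefaults] block for weak enctypes.
Added example for this thread, not oVirt or FreeIPA code; sample inputs are constructed."""
import re

# Enctype numbers from RFC 3961 / RFC 4757; 23 is spelled arcfour-hmac(-md5) in kdc.conf.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# Single DES (RFC 6649) and RC4 (RFC 8429) are deprecated; both count as weak here.
WEAK_ETYPES = {1, 3, 23}
WEAK_ETYPE_NAMES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
                    "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}

AS_REQ_RE = re.compile(r"AS_REQ \(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<ip>\S+): (?P<status>[A-Z_]+)")
ISSUED_RE = re.compile(r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}")
PRINC_RE = re.compile(r"(?P<client>\S+@\S+) for (?P<server>[^\s,]+)")


def etype_name(n):
    return ETYPE_NAMES.get(n, f"etype-{n}")


def parse_kdc_line(line):
    """Return a dict for one AS_REQ line of the krb5kdc log, or None for other lines."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    rec = {"offered": [int(x) for x in re.findall(r"\d+", m.group("offered"))],
           "client_ip": m.group("ip"), "status": m.group("status"),
           "rep": None, "tkt": None, "ses": None, "client": None, "server": None}
    issued = ISSUED_RE.search(line)  # only present on ISSUE lines
    if issued:
        rec.update({k: int(v) for k, v in issued.groupdict().items()})
    princ = PRINC_RE.search(line)
    if princ:
        rec.update(princ.groupdict())
    return rec


def assess_kdc_record(rec):
    """Findings for one parsed AS_REQ: failed negotiation and weak enctype use."""
    findings = []
    offered = rec["offered"]
    weak = [n for n in offered if n in WEAK_ETYPES]
    if rec["status"] == "BAD_ENCRYPTION_TYPE":
        findings.append("client and KDC share no enctype; client offered "
                        + ", ".join(map(etype_name, offered)))
    if weak and len(weak) == len(offered):
        findings.append("client offers only weak enctypes: " + ", ".join(map(etype_name, weak)))
    elif weak:
        findings.append("client offers weak enctypes next to strong ones: "
                        + ", ".join(map(etype_name, weak)))
    if rec["status"] == "ISSUE":
        for field in ("tkt", "ses"):  # ticket key and session key of the issued TGT
            if rec[field] in WEAK_ETYPES:
                findings.append(f"issued {field} key uses weak enctype {etype_name(rec[field])}")
    return findings


def audit_kdc_log(text):
    """(client principal, status, findings) for every AS_REQ line in the log text."""
    results = []
    for line in text.splitlines():
        rec = parse_kdc_line(line)
        if rec:
            results.append((rec["client"], rec["status"], assess_kdc_record(rec)))
    return results


def audit_libdefaults(conf_text):
    """Flag allow_weak_crypto and weak enctype lists in the [libdefaults] section."""
    findings, in_section = [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[libdefaults]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if key == "allow_weak_crypto" and value.lower() in ("yes", "true"):
            findings.append("allow_weak_crypto = yes re-enables weak enctypes such as single DES")
        if key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
            weak = [e for e in value.split() if e.lower() in WEAK_ETYPE_NAMES]
            if weak:
                findings.append(f"{key} lists weak enctypes: {' '.join(weak)}")
    return findings


# Constructed sample: two lines shaped like the quoted ones, plus an invented AES-only request.
SAMPLE_KDC_LOG = """\
Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type
Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 ses=23}, admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR
Feb 21 10:40:02 ldap krb5kdc[5386]: AS_REQ (2 etypes {18 17}) 150.163.73.80: ISSUE: authtime 1361454002, etypes {rep=18 tkt=18 ses=18}, myadmin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR
"""
# The [libdefaults] block from the krb5.conf quoted in the thread (constructed copy).
SAMPLE_LIBDEFAULTS = """\
[libdefaults]
    default_realm = GSR.INPE.BR
    allow_weak_crypto = yes
    default_tkt_enctypes = rc4-hmac des-cbc-md5
    default_tgs_enctypes = rc4-hmac des-cbc-md5
[realms]
    GSR.INPE.BR = {
    kdc = kerberos.gsr.inpe.br
    }
"""

if __name__ == "__main__":
    for client, status, findings in audit_kdc_log(SAMPLE_KDC_LOG):
        print(f"{client} [{status}]: {'; '.join(findings) or 'no findings'}")
    for f in audit_libdefaults(SAMPLE_LIBDEFAULTS):
        print("krb5.conf:", f)
```

Run it directly to print findings per principal. On the thread's own ISSUE line the audit reports two things the participants did not comment on: the client offered RC4 only (because the engine's krb5.conf lists just rc4-hmac and des-cbc-md5), and the issued session key (ses=23) is RC4 while the ticket key (tkt=16) is des3-cbc-sha1. Where the KDC supports AES, preferring aes256-cts in the client's enctype lists clears those findings without widening the KDC's permitted_enctypes, which is what the thread's workaround did.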


