[Users] ovirt kerberos/ldap
Eduardo Ramos
eduardo at freedominterface.org
Tue Feb 26 19:58:30 UTC 2013
Yair,
I'm using admin/admin because it's my principal on kerberos. In fact,
the checksum error was because I didn't have admin/admin principal
created yet.
Using kadmin.local I did:
kadmin.local: addprinc admin/admin
So I tried the same:
# engine-manage-domains -action=add -domain=gsr.inpe.br -provider=ipa -user=admin/admin -interactive
And it returned a Java trace on the screen:
General error has occured[LDAP: error code 80 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown error)]
javax.naming.NamingException: [LDAP: error code 80 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown error)]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3076)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
at javax.naming.InitialContext.init(InitialContext.java:240)
at javax.naming.InitialContext.<init>(InitialContext.java:214)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:357)
at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:183)
at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:159)
at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:144)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:637)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:787)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:454)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:249)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:174)
Failure while testing domain gsr.inpe.br. Details: No user information was found for user
The engine-manage-domain.log has:
2013-02-26 16:55:49,736 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): gsr.inpe.br
2013-02-26 16:55:49,740 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] loaded template kr5.conf file krb5.conf.template
2013-02-26 16:55:49,744 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting default_tkt_enctypes
2013-02-26 16:55:49,772 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting realms
2013-02-26 16:55:49,773 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting domain realm
2013-02-26 16:55:49,774 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): gsr.inpe.br
2013-02-26 16:55:49,774 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: gsr.inpe.br
2013-02-26 16:55:49,827 DEBUG [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Check authentication finished successfully
And /var/log/messages on the ldap/kerberos server has:
Feb 26 16:49:53 ldap krb5kdc[1446]: AS_REQ (1 etypes {23}) 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16 ses=23}, admin/admin at GSR.INPE.BR for krbtgt/GSR.INPE.BR at GSR.INPE.BR
Feb 26 16:49:53 ldap krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16 17 18}) 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16 ses=1}, admin/admin at GSR.INPE.BR for ldap/ldap.gsr.inpe.br at GSR.INPE.BR
Thanks for the response.
On 02/26/2013 04:35 PM, Yair Zaslavsky wrote:
>
> ----- Original Message -----
>> From: "Eduardo Ramos" <eduardo at freedominterface.org>
>> To: users at ovirt.org
>> Sent: Tuesday, February 26, 2013 9:26:42 PM
>> Subject: Re: [Users] ovirt kerberos/ldap
>>
>> Has anyone faced that?
>>
>> On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
>>> Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
>>>
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Eduardo Ramos" <eduardo at freedominterface.org>
>>>> To: "Yaniv Kaul" <ykaul at redhat.com>
>>>> Cc: yzaslavs at redhat.com, users at ovirt.org
>>>> Sent: Thursday, February 21, 2013 3:43:04 PM
>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>
>>>> I got a new step!
>>>>
>>>> I added arcfour-hmac-md5:normal into supported_enctypes and
>>>> permitted_enctypes directives in kdc.conf.
>>>> Then I changed password of my principal using the following:
>>>>
>>>> change_password -e arcfour-hmac-md5:normal admin/adimin
> Is "adimin" a typo here?
> Can I ask why your user name appears like that, with a "/" in it?
> Can you try to create user - let's say "myadmin" without the "/" ?
>
>>>> Now it's OK, but I got another error that I didn't understand, as follows:
>>>>
>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br -user=admin/admin -interactive -provider=IPA
>>>> Enter password:
>>>>
>>>> Error: exception message: Checksum failed
>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
>>>> Please check log for further details.
>>>>
>>>> The log of kdc says:
>>>>
>>>> Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 ses=23}, admin/admin at GSR.INPE.BR for krbtgt/GSR.INPE.BR at GSR.INPE.BR
>>>>
>>>> And the engine-manage-domains.log says:
>>>> 2013-02-21 10:36:46,722 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): gsr.inpe.br
>>>> 2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): gsr.inpe.br
>>>> 2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: gsr.inpe.br
>>>> 2013-02-21 10:36:46,819 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Checksum failed
>>>> 2013-02-21 10:36:46,822 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.
>>>>
>>>>
>>>> On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
>>>>> On 21/02/13 13:24, Eduardo Ramos wrote:
>>>>>> Morning!
>>>>>>
>>>>>> That's my log entry. PCAP attached.
>>>>>>
>>>>>> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin at GSR.INPE.BR for krbtgt/GSR.INPE.BR at GSR.INPE.BR, KDC has no support for encryption type
>>>>> You are using rc4_hmac, which is usually the right encryption protocol. One can disable it (using the 'permitted_enctypes' directive).
>>>>>
>>>>>> My /etc/krb5.conf
>>>>> This is not the krb5.conf file oVirt is using. Please search your system for oVirt's krb5.conf (sorry, don't have it from the top of my head).
>>>>> In any case, I'd check the IPA configuration.
>>>>> Y.
>>>>>
>>>>>> [libdefaults]
>>>>>> default_realm = GSR.INPE.BR
>>>>>> allow_weak_crypto = yes
>>>>>>
>>>>>> default_tkt_enctypes = rc4-hmac des-cbc-md5
>>>>>> default_tgs_enctypes = rc4-hmac des-cbc-md5
>>>>>>
>>>>>> [realms]
>>>>>> GSR.INPE.BR = {
>>>>>> master_kdc = GSR.INPE.BR
>>>>>> kdc = kerberos.gsr.inpe.br
>>>>>> default_domain = gsr.inpe.br
>>>>>> }
>>>>>>
>>>>>> [domain_realm]
>>>>>> .gsr.inpe.br = GSR.INPE.BR
>>>>>> gsr.inpe.br = GSR.INPE.BR
>>>>>>
>>>>>> [logging]
>>>>>> kdc = SYSLOG:INFO
>>>>>>
>>>>>> Is it sufficient?
>>>>>>
>>>>>> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
>>>>>>> Please also provide info on the IPA server you are using (use rpm -qa for that)
>>>>>>>
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Yaniv Kaul" <ykaul at redhat.com>
>>>>>>>> To: "Eduardo Ramos" <eduardo at freedominterface.org>
>>>>>>>> Cc: users at ovirt.org
>>>>>>>> Sent: Thursday, February 21, 2013 11:14:41 AM
>>>>>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>> Hi all!
>>>>>>>>>
>>>>>>>>> I'm trying to link an LDAP/Kerberos to my oVirt without success. I'm stuck with this:
>>>>>>>>>
>>>>>>>>> oVirt engine:
>>>>>>>>>
>>>>>>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br -user=admin/admin -interactive -provider=IPA
>>>>>>>>> Enter password:
>>>>>>>>>
>>>>>>>>> Error: exception message: KDC has no support for encryption type (14) - BAD_ENCRYPTION_TYPE
>>>>>>>> Please snoop the connection between the engine and the IPA server. Port 88, full packets ('-s 1500' on tcpdump), into file ('-w /tmp/kerb.pcap').
>>>>>>>> Y.
>>>>>>>>
>>>>>>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.
>>>>>>>>>
>>>>>>>>> kdc log:
>>>>>>>>>
>>>>>>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin at GSR.INPE.BR for krbtgt/GSR.INPE.BR at GSR.INPE.BR, KDC has no support for encryption type
>>>>>>>>>
>>>>>>>>> Any suggestion?
>>>>>>>>> _______________________________________________
>>>>>>>>> Users mailing list
>>>>>>>>> Users at ovirt.org
>>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>>>
>>
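As an added example (not from this thread, oVirt or MIT Kerberos), a small Python check that parses krb5kdc syslog lines of the kind quoted above and flags the two states the thread moved through: the KDC refusing the engine's AS_REQ because the only etype it offered (23, rc4-hmac) was not enabled, and, once allow_weak_crypto and permitted_enctypes were widened, tickets being issued with RC4 and single-DES reply/session keys. The sample lines are constructed from the thread with the archive's " at " restored to "@".

```python
import re

# Kerberos etype numbers (RFC 3961 / RFC 4757). Single DES (1, 3) and RC4-HMAC (23, 24)
# are the types that allow_weak_crypto / permitted_enctypes re-enable on the KDC.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {1, 2, 3, 23, 24}

def etype_name(e):
    return ETYPE_NAMES.get(e, "etype %d" % e)

# Matches the krb5kdc syslog format quoted in the thread (AS_REQ / TGS_REQ lines).
KDC_LINE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[\d ]+)\}\) "
    r"(?P<client>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<princ>\S+) for (?P<server>[^\s,]+)")

# Constructed from the lines quoted in this thread; the archive's " at " is restored to "@".
SAMPLE_LOG = [
    "Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: "
    "admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type",
    "Feb 26 16:49:53 ldap krb5kdc[1446]: AS_REQ (1 etypes {23}) 150.163.73.211: ISSUE: authtime 1361908193, "
    "etypes {rep=23 tkt=16 ses=23}, admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR",
    "Feb 26 16:49:53 ldap krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16 17 18}) 150.163.73.211: ISSUE: authtime "
    "1361908193, etypes {rep=23 tkt=16 ses=1}, admin/admin@GSR.INPE.BR for ldap/ldap.gsr.inpe.br@GSR.INPE.BR",
]

def parse_kdc_line(line):
    """Fields of one krb5kdc request line (etypes as ints), or None for unrelated lines."""
    m = KDC_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(e) for e in rec["offered"].split()]
    for key in ("rep", "tkt", "ses"):
        rec[key] = None if rec[key] is None else int(rec[key])
    return rec

def audit_kdc_log(lines):
    """Flag refusals caused by the client offering only unsupported etypes, and tickets
    actually issued whose reply (rep) or session (ses) key uses a weak etype."""
    findings = []
    for rec in filter(None, map(parse_kdc_line, lines)):
        if rec["status"] == "BAD_ENCRYPTION_TYPE":
            findings.append((rec["req"], rec["client"], "refused",
                             "client offered only " + ", ".join(map(etype_name, rec["offered"]))))
        elif rec["status"] == "ISSUE":
            for slot in ("rep", "ses"):
                if rec[slot] in WEAK_ETYPES:
                    findings.append((rec["req"], rec["client"], "weak_" + slot,
                                     "%s key for %s uses %s" % (slot, rec["princ"], etype_name(rec[slot]))))
    return findings
```

Run `audit_kdc_log(SAMPLE_LOG)` to see one refusal for the first line and weak reply and session keys on both issued tickets; the DES3 ticket key (tkt=16) is deprecated but not in the weak set here.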