[Users] ovirt kerberos/ldap

Eduardo Ramos eduardo at freedominterface.org
Wed Feb 27 20:19:56 UTC 2013


Hi!

Is there any chance to use ldap simple authentication?
What schema should I have?

On 02/26/2013 04:58 PM, Eduardo Ramos wrote:
> Yair,
>
> I'm using admin/admin because it's my principal on kerberos. In fact, 
> the checksum error was because I didn't have admin/admin principal 
> created yet.
>
> Using kadmin.local I did:
>
> kadmin.local: addprinc admin/admin
>
> So I tried the same:
>
> # engine-manage-domains -action=add -domain=gsr.inpe.br -provider=ipa 
> -user=admin/admin -interactive
>
> And it returned a Java trace on the screen:
>
> General error has occured[LDAP: error code 80 - SASL(-1): generic 
> failure: GSSAPI Error: Unspecified GSS failure.  Minor code may 
> provide more information (Unknown error)]
> javax.naming.NamingException: [LDAP: error code 80 - SASL(-1): generic 
> failure: GSSAPI Error: Unspecified GSS failure.  Minor code may 
> provide more information (Unknown error)]
>         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3076)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
>         at javax.naming.InitialContext.init(InitialContext.java:240)
>         at javax.naming.InitialContext.<init>(InitialContext.java:214)
>         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
>         at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:357)
>         at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:183)
>         at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:159)
>         at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:144)
>         at org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:637)
>         at org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:787)
>         at org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:454)
>         at org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:249)
>         at org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:174)
> Failure while testing domain gsr.inpe.br. Details: No user information 
> was found for user
>
> The engine-manage-domain.log has:
>
> [2013-02-26 16:55:49,736 INFO 
> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos 
> configuration for domain(s): gsr.inpe.br
> 2013-02-26 16:55:49,740 DEBUG 
> [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] loaded template 
> kr5.conf file krb5.conf.template
> 2013-02-26 16:55:49,744 DEBUG 
> [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting 
> default_tkt_enctypes
> 2013-02-26 16:55:49,772 DEBUG 
> [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting realms
> 2013-02-26 16:55:49,773 DEBUG 
> [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting domain realm
> 2013-02-26 16:55:49,774 INFO 
> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully 
> created kerberos configuration for domain(s): gsr.inpe.br
> 2013-02-26 16:55:49,774 INFO 
> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos 
> configuration for domain: gsr.inpe.br
> 2013-02-26 16:55:49,827 DEBUG 
> [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Check 
> authentication finished successfully
>
> And /var/log/messages on the ldap/kerberos server has:
>
> Feb 26 16:49:53 ldap krb5kdc[1446]: AS_REQ (1 etypes {23}) 
> 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16 
> ses=23}, admin/admin at GSR.INPE.BR for krbtgt/GSR.INPE.BR at GSR.INPE.BR
> Feb 26 16:49:53 ldap krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16 17 
> 18}) 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16 
> ses=1}, admin/admin at GSR.INPE.BR for ldap/ldap.gsr.inpe.br at GSR.INPE.BR
>
> Thanks for response.
>
> On 02/26/2013 04:35 PM, Yair Zaslavsky wrote:
>> ----- Original Message -----
>>> From: "Eduardo Ramos"<eduardo at freedominterface.org>
>>> To:users at ovirt.org
>>> Sent: Tuesday, February 26, 2013 9:26:42 PM
>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>
>>> Any one has faced that?
>>>
>>> On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
>>>> Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "Eduardo Ramos"<eduardo at freedominterface.org>
>>>>> To: "Yaniv Kaul"<ykaul at redhat.com>
>>>>> Cc:yzaslavs at redhat.com,users at ovirt.org
>>>>> Sent: Thursday, February 21, 2013 3:43:04 PM
>>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>>
>>>>> I got a new step!
>>>>>
>>>>> I added arcfour-hmac-md5:normal into supported_enctypes and
>>>>> permitted_enctypes directives in kdc.conf.
>>>>> Then I changed password of my principal using the following:
>>>>>
>>>>> change_password -e arcfour-hmac-md5:normal admin/adimin
>> Is "adimin" a typo here?
>> Can I ask why your user name appears like that, with a "/" in it?
>> Can you try to create user  - let's say "myadmin" without the "/" ?
>>
>>>>> Now, it's ok, but now I got another error that I didn't understand
>>>>> as
>>>>> follows:
>>>>>
>>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>>>>> -user=admin/admin -interactive -provider=IPA
>>>>> Enter password:
>>>>>
>>>>> Error:  exception message: Checksum failed
>>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
>>>>> Please check log for further details.
>>>>>
>>>>> The log of kdc says:
>>>>>
>>>>> Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23})
>>>>> 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16
>>>>> ses=23},admin/admin at GSR.INPE.BR  for
>>>>> krbtgt/GSR.INPE.BR at GSR.INPE.BR
>>>>>
>>>>> And the engine-manage-domains.log says:
>>>>> 2013-02-21 10:36:46,722 INFO
>>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
>>>>> kerberos
>>>>> configuration for domain(s): gsr.inpe.br
>>>>> 2013-02-21 10:36:46,745 INFO
>>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
>>>>> created kerberos configuration for domain(s): gsr.inpe.br
>>>>> 2013-02-21 10:36:46,745 INFO
>>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing
>>>>> kerberos
>>>>> configuration for domain: gsr.inpe.br
>>>>> 2013-02-21 10:36:46,819 ERROR
>>>>> [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
>>>>> exception message: Checksum failed
>>>>> 2013-02-21 10:36:46,822 ERROR
>>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while
>>>>> testing domain gsr.inpe.br. Details: Kerberos error. Please check
>>>>> log
>>>>> for further details.
>>>>>
>>>>>
>>>>> On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
>>>>>> On 21/02/13 13:24, Eduardo Ramos wrote:
>>>>>>> Morning!
>>>>>>>
>>>>>>> That's my log entry. PCAP attached.
>>>>>>>
>>>>>>> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>>>>>>> 150.163.73.78: BAD_ENCRYPTION_TYPE:admin/admin at GSR.INPE.BR  for
>>>>>>> krbtgt/GSR.INPE.BR at GSR.INPE.BR, KDC has no support for
>>>>>>> encryption
>>>>>>> type
>>>>>> You are using rc4_hmac, which is the right encryption protocol
>>>>>> usually. One can disable it (using 'permitted_enctypes'
>>>>>> directive).
>>>>>>
>>>>>>> My /etc/krb5.conf
>>>>>> This is not the krb5.conf file oVirt is using. Please search your
>>>>>> system for oVirt's krb5.conf (sorry, don't have it from the top
>>>>>> of
>>>>>> my
>>>>>> head).
>>>>>> In any case, I'd check the IPA configuration.
>>>>>> Y.
>>>>>>
>>>>>>> [libdefaults]
>>>>>>>         default_realm = GSR.INPE.BR
>>>>>>>         allow_weak_crypto = yes
>>>>>>>
>>>>>>>           default_tkt_enctypes = rc4-hmac des-cbc-md5
>>>>>>>           default_tgs_enctypes = rc4-hmac des-cbc-md5
>>>>>>>
>>>>>>> [realms]
>>>>>>>         GSR.INPE.BR = {
>>>>>>>         master_kdc =  GSR.INPE.BR
>>>>>>>         kdc = kerberos.gsr.inpe.br
>>>>>>>         default_domain = gsr.inpe.br
>>>>>>>         }
>>>>>>>
>>>>>>> [domain_realm]
>>>>>>>         .gsr.inpe.br = GSR.INPE.BR
>>>>>>>         gsr.inpe.br = GSR.INPE.BR
>>>>>>>
>>>>>>> [logging]
>>>>>>>      kdc = SYSLOG:INFO
>>>>>>>
>>>>>>> Is it sufficient?
>>>>>>>
>>>>>>> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
>>>>>>>> Please provide info also on the IPA server you are using (use
>>>>>>>> rpm
>>>>>>>> -qa for that)
>>>>>>>>
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Yaniv Kaul"<ykaul at redhat.com>
>>>>>>>>> To: "Eduardo Ramos"<eduardo at freedominterface.org>
>>>>>>>>> Cc:users at ovirt.org
>>>>>>>>> Sent: Thursday, February 21, 2013 11:14:41 AM
>>>>>>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> Hi all!
>>>>>>>>>>
>>>>>>>>>> I'm trying to link an ldap/kerberos to my ovirt without success.
>>>>>>>>>> I'm stuck with this:
>>>>>>>>>>
>>>>>>>>>> oVirt engine:
>>>>>>>>>>
>>>>>>>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>>>>>>>>>> -user=admin/admin -interactive -provider=IPA
>>>>>>>>>> Enter password:
>>>>>>>>>>
>>>>>>>>>> Error:  exception message: KDC has no support for encryption
>>>>>>>>>> type
>>>>>>>>>> (14) -
>>>>>>>>>> BAD_ENCRYPTION_TYPE
>>>>>>>>> Please snoop the connection between the engine and the IPA
>>>>>>>>> server.
>>>>>>>>> Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
>>>>>>>>> /tmp/kerb.pcap' ).
>>>>>>>>> Y.
>>>>>>>>>
>>>>>>>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos
>>>>>>>>>> error.
>>>>>>>>>> Please check log for further details.
>>>>>>>>>>
>>>>>>>>>> kdc log:
>>>>>>>>>>
>>>>>>>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>>>>>>>>>> 150.163.73.78: BAD_ENCRYPTION_TYPE:admin/admin at GSR.INPE.BR
>>>>>>>>>> for
>>>>>>>>>> krbtgt/GSR.INPE.BR at GSR.INPE.BR, KDC has no support for
>>>>>>>>>> encryption
>>>>>>>>>> type
>>>>>>>>>>
>>>>>>>>>> Any suggestion?
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Users mailing list
>>>>>>>>>> Users at ovirt.org
>>>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>>>>
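The three krb5kdc excerpts quoted in this thread, read in order, record the whole encryption-type negotiation: the first AS_REQ is rejected with BAD_ENCRYPTION_TYPE because the engine offered only etype 23 (rc4-hmac) and the KDC could not serve it; after arcfour-hmac-md5 was added on the KDC side the AS_REQ is issued with rep=23 tkt=16 ses=23 (rc4-hmac reply and session key, des3-cbc-sha1 ticket); and the TGS_REQ for ldap/ldap.gsr.inpe.br is issued with ses=1, a single-DES (des-cbc-crc, 56-bit key) session key, from an offered list {3 1 23 16 17 18} that includes both DES types. MIT krb5 classes single DES as weak and filters it out on both the client and the KDC unless allow_weak_crypto is set, which the quoted /etc/krb5.conf does; des3-cbc-sha1 and rc4-hmac are deprecated in current MIT releases but still accepted. The script below is an added example, not code from the thread, oVirt, FreeIPA or MIT krb5: it parses krb5kdc syslog lines into structured events and flags rejections, weak or deprecated keys, and, since Yair asked about the slash, client principals that carry an instance component (admin/admin is a two-component principal, not a plain user principal). The sample lines are the three entries quoted above with the "@" that the archive printed as " at " restored, plus one constructed AES-only line for a plain user that is not from the thread; the regexes follow the krb5kdc log shape shown in those lines and are an assumption for other KDC versions. It covers only the KDC side, not the LDAP error 80 / GSSAPI failure that the last message reports.

```python
# Added example: audit MIT krb5kdc log lines for enctype negotiation problems.
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Kerberos etype numbers as assigned in RFC 3961/3962/4757.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
}
# MIT krb5 classes: "weak" types are refused unless allow_weak_crypto = true;
# des3-cbc-sha1 and rc4-hmac are deprecated but still accepted by default.
WEAK = {1, 2, 3, 24}
DEPRECATED = {16, 23}

# Sample input: the three krb5kdc lines quoted in the thread ("@" restored),
# plus one constructed AES-only line for a plain user principal.
SAMPLE_KDC_LOG = """\
Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type
Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 ses=23}, admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR
Feb 26 16:49:53 ldap krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16 17 18}) 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16 ses=1}, admin/admin@GSR.INPE.BR for ldap/ldap.gsr.inpe.br@GSR.INPE.BR
Feb 26 17:00:00 ldap krb5kdc[1446]: AS_REQ (2 etypes {18 17}) 150.163.73.211: ISSUE: authtime 1361908800, etypes {rep=18 tkt=18 ses=18}, myadmin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR
"""

# Line shapes assumed from the krb5kdc entries above (other builds may differ).
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[\d ]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
ISSUE_RE = re.compile(
    r"authtime \d+, etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)"
)
FAIL_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<msg>.*))?")


@dataclass
class KdcEvent:
    req: str                  # AS_REQ or TGS_REQ
    client_ip: str
    offered: List[int]        # etypes the client advertised in the request
    status: str               # ISSUE, or an error code such as BAD_ENCRYPTION_TYPE
    client: Optional[str] = None
    server: Optional[str] = None
    issued: Dict[str, int] = field(default_factory=dict)  # rep/tkt/ses -> etype
    message: str = ""


def etype_name(t: int) -> str:
    return ETYPE_NAMES.get(t, f"etype-{t}")


def parse_kdc_line(line: str) -> Optional[KdcEvent]:
    """Parse one krb5kdc syslog line; return None for lines of another shape."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = KdcEvent(req=m["req"], client_ip=m["ip"],
                  offered=[int(x) for x in m["offered"].split()], status=m["status"])
    if ev.status == "ISSUE":
        im = ISSUE_RE.match(m["rest"])
        if im:
            ev.client, ev.server = im["client"], im["server"]
            ev.issued = {k: int(im[k]) for k in ("rep", "tkt", "ses")}
    else:
        fm = FAIL_RE.match(m["rest"])
        if fm:
            ev.client, ev.server, ev.message = fm["client"], fm["server"], fm["msg"] or ""
    return ev


def audit_event(ev: KdcEvent) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for one parsed event."""
    out = []
    who = f"{ev.req} {ev.client} -> {ev.server} from {ev.client_ip}"
    if ev.status != "ISSUE":
        out.append(("REJECT", f"{who}: {ev.status} ({ev.message}); "
                              f"client offered {[etype_name(t) for t in ev.offered]}"))
    weak_offered = [etype_name(t) for t in ev.offered if t in WEAK]
    if weak_offered:
        out.append(("WEAK-OFFERED", f"{who}: client offered {weak_offered}; "
                                    "only possible with allow_weak_crypto = true"))
    for role, t in ev.issued.items():
        kind = "WEAK-ISSUED" if t in WEAK else "DEPRECATED-ISSUED" if t in DEPRECATED else None
        if kind:
            out.append((kind, f"{who}: {role} key is {etype_name(t)} ({t})"))
    # A slash before the realm marks a two-component principal (name/instance),
    # e.g. admin/admin, rather than a plain user principal such as myadmin.
    if ev.client and "/" in ev.client.split("@")[0]:
        out.append(("NOTE", f"{who}: client principal {ev.client!r} carries an instance component"))
    return out


def audit_log(text: str) -> List[Tuple[str, str]]:
    findings = []
    for line in text.splitlines():
        ev = parse_kdc_line(line)
        if ev:
            findings.extend(audit_event(ev))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    return dict(Counter(kind for kind, _ in findings))


if __name__ == "__main__":
    for kind, detail in audit_log(SAMPLE_KDC_LOG):
        print(f"{kind:18} {detail}")
```

Run it against the KDC's own log (the quoted krb5.conf sends kdc logging to SYSLOG:INFO, so /var/log/messages on that host) rather than the engine-side engine-manage-domains.log: the KDC line is the only place that shows both what the client offered and which etype ended up in each key. A deployment where both sides negotiate AES produces only ISSUE lines with 17/18 keys and no findings; a WEAK-ISSUED entry names a concrete ticket whose session key is single DES, which is the cost of allow_weak_crypto = yes that the log otherwise hides behind "ISSUE".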
