[Users] ovirt kerberos/ldap

Itamar Heim iheim at redhat.com
Wed Feb 27 21:52:44 UTC 2013


On 27/02/2013 22:19, Eduardo Ramos wrote:
> Hi!
>
> Is there any chance to use ldap simple authentication?
> What schema should I have?

in the works, hopefully soon (which means several weeks at least)

>
> On 02/26/2013 04:58 PM, Eduardo Ramos wrote:
>> Yair,
>>
>> I'm using admin/admin because it's my principal on kerberos. In fact,
>> the checksum error was because I didn't have admin/admin principal
>> created yet.
>>
>> Using kadmin.local I did:
>>
>> kadmin.local: addprinc admin/admin
>>
>> So I tried the same:
>>
>> # engine-manage-domains -action=add -domain=gsr.inpe.br -provider=ipa
>> -user=admin/admin -interactive
>>
>> And it returned a Java trace on the screen:
>>
>> General error has occured[LDAP: error code 80 - SASL(-1): generic
>> failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
>> provide more information (Unknown error)]
>> javax.naming.NamingException: [LDAP: error code 80 - SASL(-1): generic
>> failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
>> provide more information (Unknown error)]
>>         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3076)
>>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
>>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
>>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
>>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
>>         at
>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>         at
>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>         at
>> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>         at
>> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>         at
>> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>         at
>> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
>>         at javax.naming.InitialContext.init(InitialContext.java:240)
>>         at javax.naming.InitialContext.<init>(InitialContext.java:214)
>>         at
>> javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
>>         at
>> org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at javax.security.auth.Subject.doAs(Subject.java:357)
>>         at
>> org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:183)
>>         at
>> org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:159)
>>         at
>> org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:144)
>>         at
>> org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:637)
>>         at
>> org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:787)
>>         at
>> org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:454)
>>         at
>> org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:249)
>>         at
>> org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:174)
>> Failure while testing domain gsr.inpe.br. Details: No user information
>> was found for user
>>
>> The engine-manage-domain.log has:
>>
>> [2013-02-26 16:55:49,736 INFO
>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos
>> configuration for domain(s): gsr.inpe.br
>> 2013-02-26 16:55:49,740 DEBUG
>> [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] loaded template
>> kr5.conf file krb5.conf.template
>> 2013-02-26 16:55:49,744 DEBUG
>> [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting
>> default_tkt_enctypes
>> 2013-02-26 16:55:49,772 DEBUG
>> [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting realms
>> 2013-02-26 16:55:49,773 DEBUG
>> [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting domain realm
>> 2013-02-26 16:55:49,774 INFO
>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
>> created kerberos configuration for domain(s): gsr.inpe.br
>> 2013-02-26 16:55:49,774 INFO
>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos
>> configuration for domain: gsr.inpe.br
>> 2013-02-26 16:55:49,827 DEBUG
>> [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Check
>> authentication finished successfully
>>
>> And /var/log/messages on the ldap/kerberos server has:
>>
>> Feb 26 16:49:53 ldap krb5kdc[1446]: AS_REQ (1 etypes {23})
>> 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16
>> ses=23}, admin/admin at GSR.INPE.BR for krbtgt/GSR.INPE.BR at GSR.INPE.BR
>> Feb 26 16:49:53 ldap krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16 17
>> 18}) 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16
>> ses=1}, admin/admin at GSR.INPE.BR for ldap/ldap.gsr.inpe.br at GSR.INPE.BR
>>
>> Thanks for response.
>>
>> On 02/26/2013 04:35 PM, Yair Zaslavsky wrote:
>>> ----- Original Message -----
>>>> From: "Eduardo Ramos"<eduardo at freedominterface.org>
>>>> To:users at ovirt.org
>>>> Sent: Tuesday, February 26, 2013 9:26:42 PM
>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>
>>>> Has anyone faced that?
>>>>
>>>> On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
>>>>> Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
>>>>>
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Eduardo Ramos"<eduardo at freedominterface.org>
>>>>>> To: "Yaniv Kaul"<ykaul at redhat.com>
>>>>>> Cc:yzaslavs at redhat.com,users at ovirt.org
>>>>>> Sent: Thursday, February 21, 2013 3:43:04 PM
>>>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>>>
>>>>>> I got a new step!
>>>>>>
>>>>>> I added arcfour-hmac-md5:normal into supported_enctypes and
>>>>>> permitted_enctypes directives in kdc.conf.
>>>>>> Then I changed password of my principal using the following:
>>>>>>
>>>>>> change_password -e arcfour-hmac-md5:normal admin/adimin
>>> Is "adimin" a typo here?
>>> Can I ask why your user name appears like that, with a "/" in it?
>>> Can you try to create user - let's say "myadmin" without the "/" ?
>>>
>>>>>> Now, it's ok, but now I got another error that I didn't understand
>>>>>> as
>>>>>> follows:
>>>>>>
>>>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>>>>>> -user=admin/admin -interactive -provider=IPA
>>>>>> Enter password:
>>>>>>
>>>>>> Error:  exception message: Checksum failed
>>>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
>>>>>> Please check log for further details.
>>>>>>
>>>>>> The log of kdc says:
>>>>>>
>>>>>> Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23})
>>>>>> 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16
>>>>>> ses=23},admin/admin at GSR.INPE.BR  for
>>>>>> krbtgt/GSR.INPE.BR at GSR.INPE.BR
>>>>>>
>>>>>> And the engine-manage-domains.log says:
>>>>>> 2013-02-21 10:36:46,722 INFO
>>>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
>>>>>> kerberos
>>>>>> configuration for domain(s): gsr.inpe.br
>>>>>> 2013-02-21 10:36:46,745 INFO
>>>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
>>>>>> created kerberos configuration for domain(s): gsr.inpe.br
>>>>>> 2013-02-21 10:36:46,745 INFO
>>>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing
>>>>>> kerberos
>>>>>> configuration for domain: gsr.inpe.br
>>>>>> 2013-02-21 10:36:46,819 ERROR
>>>>>> [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
>>>>>> exception message: Checksum failed
>>>>>> 2013-02-21 10:36:46,822 ERROR
>>>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while
>>>>>> testing domain gsr.inpe.br. Details: Kerberos error. Please check
>>>>>> log
>>>>>> for further details.
>>>>>>
>>>>>>
>>>>>> On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
>>>>>>> On 21/02/13 13:24, Eduardo Ramos wrote:
>>>>>>>> Morning!
>>>>>>>>
>>>>>>>> That's my log entry. PCAP attached.
>>>>>>>>
>>>>>>>> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>>>>>>>> 150.163.73.78: BAD_ENCRYPTION_TYPE:admin/admin at GSR.INPE.BR  for
>>>>>>>> krbtgt/GSR.INPE.BR at GSR.INPE.BR, KDC has no support for
>>>>>>>> encryption
>>>>>>>> type
>>>>>>> You are using rc4_hmac, which is the right encryption protocol
>>>>>>> usually. One can disable it (using 'permitted_enctypes'
>>>>>>> directive).
>>>>>>>
>>>>>>>> My /etc/krb5.conf
>>>>>>> This is not the krb5.conf file oVirt is using. Please search your
>>>>>>> system for oVirt's krb5.conf (sorry, don't have it from the top
>>>>>>> of
>>>>>>> my
>>>>>>> head).
>>>>>>> In any case, I'd check the IPA configuration.
>>>>>>> Y.
>>>>>>>
>>>>>>>> [libdefaults]
>>>>>>>>         default_realm = GSR.INPE.BR
>>>>>>>>         allow_weak_crypto = yes
>>>>>>>>
>>>>>>>>           default_tkt_enctypes = rc4-hmac des-cbc-md5
>>>>>>>>           default_tgs_enctypes = rc4-hmac des-cbc-md5
>>>>>>>>
>>>>>>>> [realms]
>>>>>>>>         GSR.INPE.BR = {
>>>>>>>>         master_kdc =  GSR.INPE.BR
>>>>>>>>         kdc = kerberos.gsr.inpe.br
>>>>>>>>         default_domain = gsr.inpe.br
>>>>>>>>         }
>>>>>>>>
>>>>>>>> [domain_realm]
>>>>>>>>         .gsr.inpe.br = GSR.INPE.BR
>>>>>>>>         gsr.inpe.br = GSR.INPE.BR
>>>>>>>>
>>>>>>>> [logging]
>>>>>>>>      kdc = SYSLOG:INFO
>>>>>>>>
>>>>>>>> Is it sufficient?
>>>>>>>>
>>>>>>>> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
>>>>>>>>> Please provide info also on the IPA server you are using (use
>>>>>>>>> rpm
>>>>>>>>> -qa for that)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> From: "Yaniv Kaul"<ykaul at redhat.com>
>>>>>>>>>> To: "Eduardo Ramos"<eduardo at freedominterface.org>
>>>>>>>>>> Cc:users at ovirt.org
>>>>>>>>>> Sent: Thursday, February 21, 2013 11:14:41 AM
>>>>>>>>>> Subject: Re: [Users] ovirt kerberos/ldap
>>>>>>>>>>
>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>> Hi all!
>>>>>>>>>>>
>>>>>>>>>>> I'm trying to link a ldap/kerberos to my ovirt without
>>>>>>>>>>> success.
>>>>>>>>>>> I'm
>>>>>>>>>>> stuck with this:
>>>>>>>>>>>
>>>>>>>>>>> oVirt engine:
>>>>>>>>>>>
>>>>>>>>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
>>>>>>>>>>> -user=admin/admin -interactive -provider=IPA
>>>>>>>>>>> Enter password:
>>>>>>>>>>>
>>>>>>>>>>> Error:  exception message: KDC has no support for encryption
>>>>>>>>>>> type
>>>>>>>>>>> (14) -
>>>>>>>>>>> BAD_ENCRYPTION_TYPE
>>>>>>>>>> Please snoop the connection between the engine and the IPA
>>>>>>>>>> server.
>>>>>>>>>> Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
>>>>>>>>>> /tmp/kerb.pcap' ).
>>>>>>>>>> Y.
>>>>>>>>>>
>>>>>>>>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos
>>>>>>>>>>> error.
>>>>>>>>>>> Please check log for further details.
>>>>>>>>>>>
>>>>>>>>>>> kdc log:
>>>>>>>>>>>
>>>>>>>>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
>>>>>>>>>>> 150.163.73.78: BAD_ENCRYPTION_TYPE:admin/admin at GSR.INPE.BR
>>>>>>>>>>> for
>>>>>>>>>>> krbtgt/GSR.INPE.BR at GSR.INPE.BR, KDC has no support for
>>>>>>>>>>> encryption
>>>>>>>>>>> type
>>>>>>>>>>>
>>>>>>>>>>> Any suggestion?
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Users mailing list
>>>>>>>>>>> Users at ovirt.org
>>>>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>>>>>
>
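As an added example (not code from the thread or from oVirt), a small parser for the krb5kdc syslog lines quoted above that names the enctype numbers and flags the two things worth watching in this thread: an AS_REQ rejected with BAD_ENCRYPTION_TYPE, and a ticket issued with an RC4 or single-DES session key (the TGS_REQ for the ldap service above was issued with ses=1). The sample lines are constructed from the thread's logs; the regex and the finding categories are this example's own.

```python
import re
# Kerberos enctype numbers as assigned in RFC 3961 / RFC 3962 / RFC 4757.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "arcfour-hmac-md5"}
WEAK_ETYPES = {1, 3, 23}  # single DES and RC4, the enctypes the thread's krb5.conf enables

# Matches the krb5kdc syslog lines quoted in the thread (AS_REQ / TGS_REQ).
KDC_LINE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[\d ]+)\}\) "
    r"(?P<client>[\d.]+): (?P<status>ISSUE|BAD_ENCRYPTION_TYPE)"
    r"(?:.*?\{rep=\d+ tkt=\d+ ses=(?P<ses>\d+)\})?")

# Constructed sample lines modelled on the thread's logs (mailman's " at " restored to "@").
SAMPLE_LOG = [
    "Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: "
    "admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type",
    "Feb 26 16:49:53 ldap krb5kdc[1446]: AS_REQ (1 etypes {23}) 150.163.73.211: ISSUE: authtime 1361908193, "
    "etypes {rep=23 tkt=16 ses=23}, admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR",
    "Feb 26 16:49:53 ldap krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16 17 18}) 150.163.73.211: ISSUE: "
    "authtime 1361908193, etypes {rep=23 tkt=16 ses=1}, admin/admin@GSR.INPE.BR for ldap/ldap.gsr.inpe.br@GSR.INPE.BR",
    "Feb 26 16:49:54 ldap sshd[999]: unrelated line that must be ignored",
]

def name(etype):
    return ETYPE_NAMES.get(etype, "etype-%d" % etype)

def parse_kdc_line(line):
    """Return (request, client, status, offered_etypes, session_etype) or None."""
    m = KDC_LINE.search(line)
    if m is None:
        return None
    offered = [int(x) for x in m.group("offered").split()]
    ses = int(m.group("ses")) if m.group("ses") else None
    return m.group("req"), m.group("client"), m.group("status"), offered, ses

def audit(lines):
    """Classify each KDC request line; returns (kind, request, client, detail) tuples."""
    findings = []
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        req, client, status, offered, ses = rec
        if status == "BAD_ENCRYPTION_TYPE":  # nothing the client offered matched the KDC's keys
            findings.append(("rejected", req, client, [name(e) for e in offered]))
        elif ses in WEAK_ETYPES:  # ticket issued, but with a weak session key
            findings.append(("weak-session-key", req, client, name(ses)))
    return findings
```

Run `audit(SAMPLE_LOG)` against your own /var/log/messages lines to see which principals are still negotiating RC4 or DES session keys before tightening permitted_enctypes.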