[Users] engine-manage-domains fails when re-adding a domain

Itamar Heim iheim at redhat.com
Wed Nov 20 13:16:27 EST 2013


On 11/15/2013 08:47 PM, Junk wrote:
> Juan Hernandez <jhernand at redhat.com> wrote:
>
>
>     On 11/13/2013 10:11 PM, Junk wrote:
>
>         Hi I was having odd issues with my IPA domain so rather than
>         troubleshoot it properly I thought it would be a good idea to
>         remove it
>         and then add it again.
>
>         I removed it with
>         engine-manage-domains -action=delete -domain=clarkconnect.lan
>
>         and when I try to add it with
>         engine-manage-domains -action=add -domain=clarkconnect.lan
>         -user=admin
>         -provider=IPA -interactive
>
>         which worked fine the first time I get
>
>         General error has occurednull
>         java.lang.NegativeArraySizeException
>         at
>         sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
>         at
>         sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
>         at sun.security.jgss.krb5.WrapToken_v2.<init>(WrapToken_v2.java:200)
>         at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:861)
>         at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
>         at
>         com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:104)
>         at
>         com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
>         at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:430)
>         at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555)
>         at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
>         at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
>         at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
>         at
>         com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
>         at
>         com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
>         at
>         com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
>         at
>         javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
>         at
>         org.ovirt.engine.core.ldap.RootDSEData.<init>(RootDSEData.java:52)
>         at
>         org.ovirt.engine.core.utils.kerberos.JndiAction.getDomainDN(JndiAction.java:257)
>         at
>         org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:87)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:356)
>         at
>         org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
>         at
>         org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:150)
>         at
>         org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:135)
>         at
>         org.ovirt.engine.core.domains.ManageDomains.checkKerberosConfiguration(ManageDomains.java:746)
>         at
>         org.ovirt.engine.core.domains.ManageDomains.testConfiguration(ManageDomains.java:917)
>         at
>         org.ovirt.engine.core.domains.ManageDomains.addDomain(ManageDomains.java:539)
>         at
>         org.ovirt.engine.core.domains.ManageDomains.runCommand(ManageDomains.java:311)
>         at
>         org.ovirt.engine.core.domains.ManageDomains.main(ManageDomains.java:206)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at
>         sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at
>         sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.jboss.modules.Module.run(Module.java:260)
>         at org.jboss.modules.Main.main(Main.java:291)
>         Failure while testing domain %1$s. Details: %2$s: One of the
>         parameters
>         for this error is null and no default message to show
>
>
>         in the engine-manage-domains.log I get
>
>         2013-11-13 20:53:41,318 INFO
>         [org.ovirt.engine.core.domains.ManageDomains] Creating kerberos
>         configuration for domain(s): clarkconnect.lan
>         2013-11-13 20:53:41,525 INFO
>         [org.ovirt.engine.core.domains.ManageDomains] Successfully created
>         kerberos configuration for domain(s): clarkconnect.lan
>         2013-11-13 20:53:41,526 INFO
>         [org.ovirt.engine.core.domains.ManageDomains] Testing kerberos
>         configuration for domain: clarkconnect.lan
>         2013-11-13 20:53:48,718 ERROR
>         [org.ovirt.engine.core.domains.ManageDomains] Failure while testing
>         domain %1$s. Details: %2$s: One of the parameters for this error
>         is null
>         and no default message to show
>
>         any ideas?
>
>         Junk
>
>
>
>     We have seen a similar issue with OpenLDAP that required to set the
>     minimum security strength factor (SSF) to 1 instead of the default 0.
>     This default triggers a bug in the Java virtual machine Kerberos support.
>
>     IPA us
>       es the
>     389 directory server, and it also has the possibility to
>     configure this, as described here:
>
>     http://directory.fedoraproject.org/wiki/Minimum_SSF_Setting
>
>     To check that you can run a query like this in your IPA installation:
>
>     # kinit admin
>     # ldapsearch \
>     -H ldap://your_ipa_server \
>     -Y GSSAPI \
>     -LLL \
>     -b 'cn=config' \
>     -s base \
>     nsslapd-minssf
>
>     The output will probably be like this:
>
>     dn: cn=config
>     nsslapd-minssf: 0
>
>     The important thing there is the value 0. You can try to change it to 1,
>     via LDAP or modifying directly the file
>     /etc/dirsrv/slapd-YOUR-REALM/dse.ldif. Do this with the directory server
>     stopped, and remember how to revert it in case things fail.
>
>     Let us know if this helps.
>
>     By the way, for those interested in how to change this in OpenLDAP, it
>     requires
>     something like this:
>
>     # cat > fixssf.ldif <<'.'
>     dn: cn=config
>     replace: olcSaslSecProps
>     olcSaslSecProps: noanonymous,noplain,minssf=1
>     -
>     .
>
>     # ldapmodify -H ldapi:/// -Y EXTERNAL -f fixssf.ldif
>
>
> That did the trick. I edited the file as I had no hope of getting an
> ldapmodify command going on my own. That's why I installed IPA in the
> first place. :)
> --
> Junk.
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>

how about wikifyig this under 'troubleshooting manage-domains' or 
something like that?


More information about the Users mailing list