[Users] engine-manage-domains fails when re-adding a domain

Juan Hernandez jhernand at redhat.com
Thu Nov 14 12:42:52 UTC 2013


On 11/13/2013 10:11 PM, Junk wrote:
> Hi I was having odd issues with my IPA domain so rather than
> troubleshoot it properly I thought it would be a good idea to remove it
> and then add it again.
> 
> I removed it with 
> engine-manage-domains -action=delete -domain=clarkconnect.lan
> 
> and when I try to add it with 
> engine-manage-domains -action=add -domain=clarkconnect.lan -user=admin
> -provider=IPA -interactive
> 
> which worked fine the first time I get
> 
> General error has occurednull
> java.lang.NegativeArraySizeException
> 	at
> sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
> 	at
> sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
> 	at sun.security.jgss.krb5.WrapToken_v2.<init>(WrapToken_v2.java:200)
> 	at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:861)
> 	at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
> 	at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:104)
> 	at
> com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
> 	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:430)
> 	at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555)
> 	at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
> 	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
> 	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
> 	at
> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
> 	at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
> 	at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
> 	at
> javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
> 	at org.ovirt.engine.core.ldap.RootDSEData.<init>(RootDSEData.java:52)
> 	at
> org.ovirt.engine.core.utils.kerberos.JndiAction.getDomainDN(JndiAction.java:257)
> 	at
> org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:87)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:356)
> 	at
> org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
> 	at
> org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:150)
> 	at
> org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:135)
> 	at
> org.ovirt.engine.core.domains.ManageDomains.checkKerberosConfiguration(ManageDomains.java:746)
> 	at
> org.ovirt.engine.core.domains.ManageDomains.testConfiguration(ManageDomains.java:917)
> 	at
> org.ovirt.engine.core.domains.ManageDomains.addDomain(ManageDomains.java:539)
> 	at
> org.ovirt.engine.core.domains.ManageDomains.runCommand(ManageDomains.java:311)
> 	at
> org.ovirt.engine.core.domains.ManageDomains.main(ManageDomains.java:206)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> 	at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:606)
> 	at org.jboss.modules.Module.run(Module.java:260)
> 	at org.jboss.modules.Main.main(Main.java:291)
> Failure while testing domain %1$s. Details: %2$s: One of the parameters
> for this error is null and no default message to show
> 
> 
> in the engine-manage-domains.log I get
> 
> 2013-11-13 20:53:41,318 INFO
> [org.ovirt.engine.core.domains.ManageDomains] Creating kerberos
> configuration for domain(s): clarkconnect.lan
> 2013-11-13 20:53:41,525 INFO
> [org.ovirt.engine.core.domains.ManageDomains] Successfully created
> kerberos configuration for domain(s): clarkconnect.lan
> 2013-11-13 20:53:41,526 INFO
> [org.ovirt.engine.core.domains.ManageDomains] Testing kerberos
> configuration for domain: clarkconnect.lan
> 2013-11-13 20:53:48,718 ERROR
> [org.ovirt.engine.core.domains.ManageDomains] Failure while testing
> domain %1$s. Details: %2$s: One of the parameters for this error is null
> and no default message to show
> 
> any ideas?
> 
> Junk
> 

We have seen a similar issue with OpenLDAP that required to set the
minimum security strength factor (SSF) to 1 instead of the default 0.
This default triggers a bug in the Java virtual machine Kerberos support.

IPA uses the 389 directory server, and it also has the possibility to
configure this, as described here:

http://directory.fedoraproject.org/wiki/Minimum_SSF_Setting

To check that you can run a query like this in your IPA installation:

# kinit admin
# ldapsearch \
-H ldap://your_ipa_server \
-Y GSSAPI \
-LLL \
-b 'cn=config' \
-s base \
nsslapd-minssf

The output will probably be like this:

dn: cn=config
nsslapd-minssf: 0

The important thing there is the value 0. You can try to change it to 1,
via LDAP or modifying directly the file
/etc/dirsrv/slapd-YOUR-REALM/dse.ldif. Do this with the directory server
stopped, and remember how to revert it in case things fail.

Let us know if this helps.

By the way, for those interested in how to change this in OpenLDAP, it
requires something like this:

# cat > fixssf.ldif <<'.'
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=1
-
.

# ldapmodify -H ldapi:/// -Y EXTERNAL -f fixssf.ldif

-- 
Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.



More information about the Users mailing list