[Users] Free IPA + oVirt setup fails

Juan Hernandez jhernand at redhat.com
Sat Nov 23 18:11:38 UTC 2013 

On 11/23/2013 05:36 PM, i iordanov wrote:
> Hi guys,
> 
> I'm trying to work around the impossibility of adding local users into
> oVirt by setting up a FreeIPA server for my test rig... :(
> 
> Everything is Fedora 19 and whatever package versions come with it.
> 
> 1) I have an A-record, a PTR-record and the necessary SRV records for my
> server in dnsmasq on my OpenWRT router:
> ptr-record=60.2.168.192.in-addr.arpa,"freeipa.iiordanov.com"
> srv-host=_kerberos-master._tcp,freeipa.iiordanov.com,88,0,100
> srv-host=_kerberos-master._udp,freeipa.iiordanov.com,88,0,100
> srv-host=_kerberos._tcp,freeipa.iiordanov.com,88,0,100
> srv-host=_kerberos._udp,freeipa.iiordanov.com,88,0,100
> srv-host=_kpasswd._tcp,freeipa.iiordanov.com,464,0,100
> srv-host=_kpasswd._udp,freeipa.iiordanov.com,464,0,100
> srv-host=_ldap._tcp,freeipa.iiordanov.com,389,0,100
> 
> 2) I have run ipa-server-install and everything completed without error.
> I've disabled the firewall on the server completely and the iptables chains
> are all clean. I've rebooted the server just in case.
> 
> 3) When I try to add the IPA server to oVirt, I get a nasty error!
> 
> # engine-manage-domains -action=add -domain=iiordanov.com -user=admin
> -provider=ipa -interactive
> Enter password:
> 
> General error has occurednull
> java.lang.NegativeArraySizeException
>     at
> sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
>     at
> sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
>     at sun.security.jgss.krb5.WrapToken_v2.<init>(WrapToken_v2.java:200)
>     at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:861)
>     at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
>     at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:104)
>     at
> com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:430)
>     at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555)
>     at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
>     at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
>     at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
>     at
> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
>     at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
>     at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
>     at
> javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
>     at org.ovirt.engine.core.ldap.RootDSEData.<init>(RootDSEData.java:52)
>     at
> org.ovirt.engine.core.utils.kerberos.JndiAction.getDomainDN(JndiAction.java:257)
>     at
> org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:87)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:356)
>     at
> org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
>     at
> org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:150)
>     at
> org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:135)
>     at
> org.ovirt.engine.core.domains.ManageDomains.checkKerberosConfiguration(ManageDomains.java:746)
>     at
> org.ovirt.engine.core.domains.ManageDomains.testConfiguration(ManageDomains.java:917)
>     at
> org.ovirt.engine.core.domains.ManageDomains.addDomain(ManageDomains.java:539)
>     at
> org.ovirt.engine.core.domains.ManageDomains.runCommand(ManageDomains.java:311)
>     at
> org.ovirt.engine.core.domains.ManageDomains.main(ManageDomains.java:206)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at org.jboss.modules.Module.run(Module.java:260)
>     at org.jboss.modules.Main.main(Main.java:291)
> Failure while testing domain %1$s. Details: %2$s: One of the parameters for
> this error is null and no default message to show
> 
> 
> Can anybody spot the trouble here? Any help is appreciated!
> 

This is an issue that we have already detected with OpenLDAP, and it
looks like at least two users (including you) are experiencing it with
IPA as well, maybe something changed in a recent versions of IPA. I
believe this is related to the setting of the "minimum security strength
factor" in the LDAP server.

I have proposed a change to make the error from engine-manage-domains
more explicit:

http://gerrit.ovirt.org/21505

However this doesn't fix the issue, just makes it easier (hopefully) to
detect.

I would really appreciate if you can test to change the minssf parameter
in your LDAP server. Locate the following parameter in the
/etc/dirsrv/slapd-YOUR-REALM/dse.ldif file:

  dn: cn=config
  nsslapd-minssf: 0

The value will probably be 0, as shown. Stop your IPA server, change it
to 1, start the IPA server, and try again to add the domain with
engine-manage-domains. Please report your results.

-- 
Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.

More information about the Users mailing list