[Users] Problem adding an IPA server to oVirt

Juan Hernandez jhernand at redhat.com
Tue Jan 21 17:59:33 UTC 2014


On 01/21/2014 02:26 PM, Adam Litke wrote:
> On 21/01/14 12:49 +0100, Juan Hernandez wrote:
>> On 01/20/2014 11:33 PM, Yair Zaslavsky wrote:
>>> Hi Adam,
>>> Looks like you have problems in running the Root DSE query.
>>> I would like you to try and troubleshoot by comparing this to the execution of -
>>>
>>> ldapsearch -x -h <YOUR_IPA_SERVER_IP_ADDRESS> -s base
>>>
>>
>> I think the problem is that your LDAP server is configured with a
>> minimum security strength factor that triggers a bug in the Kerberos
>> support in the Java virtual machine. This is a known issue. See here for
>> details:
>>
>> http://gerrit.ovirt.org/21505
> 
> Thanks.  Does this affect openIPA as well?
> 

I guess you mean FreeIPA.

Yes, it affects any LDAP server that sets missf to 0 by default,
including the 389-ds used by FreeIPA.

>>
>>> ----- Original Message -----
>>>> From: "Adam Litke" <alitke at redhat.com>
>>>> To: users at ovirt.org
>>>> Sent: Tuesday, January 21, 2014 12:12:03 AM
>>>> Subject: [Users] Problem adding an IPA server to oVirt
>>>>
>>>> Hi,
>>>>
>>>> I am trying to set up an oVirt environment with an IPA provider and
>>>> am hitting a GeneralException that I am unsure how to debug.  I have
>>>> configured freeIPA in a Fedora VM using the supplied configuration
>>>> script and I can 'kinit admin' from the ovirt-engine machine.  When I
>>>> run the manage-domains command I get the following exception:
>>>>
>>>> I didn't realize it, but I had to add _kerberos srv records to my
>>>> dnsmasq.conf in order for the script to even find my KDC.
>>>>
>>>> ./engine-manage-domains -action=add -provider=IPA -domain=alitke.net -user=admin -interactive -ldapServers=directory.alitke.net
>>>> Enter password:
>>>> General error has occurednull
>>>> java.lang.NegativeArraySizeException
>>>> 	at sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
>>>> 	at sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
>>>> 	at sun.security.jgss.krb5.WrapToken_v2.<init>(WrapToken_v2.java:200)
>>>> 	at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:861)
>>>> 	at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
>>>> 	at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:104)
>>>> 	at com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
>>>> 	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:430)
>>>> 	at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555)
>>>> 	at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
>>>> 	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
>>>> 	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
>>>> 	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
>>>> 	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
>>>> 	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
>>>> 	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
>>>> 	at org.ovirt.engine.core.ldap.RootDSEData.<init>(RootDSEData.java:52)
>>>> 	at org.ovirt.engine.core.utils.kerberos.JndiAction.getDomainDN(JndiAction.java:254)
>>>> 	at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:87)
>>>> 	at java.security.AccessController.doPrivileged(Native Method)
>>>> 	at javax.security.auth.Subject.doAs(Subject.java:356)
>>>> 	at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
>>>> 	at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:150)
>>>> 	at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:135)
>>>> 	at org.ovirt.engine.core.domains.ManageDomains.checkKerberosConfiguration(ManageDomains.java:739)
>>>> 	at org.ovirt.engine.core.domains.ManageDomains.testConfiguration(ManageDomains.java:909)
>>>> 	at org.ovirt.engine.core.domains.ManageDomains.addDomain(ManageDomains.java:531)
>>>> 	at org.ovirt.engine.core.domains.ManageDomains.runCommand(ManageDomains.java:308)
>>>> 	at org.ovirt.engine.core.domains.ManageDomains.main(ManageDomains.java:205)
>>>> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>> 	at java.lang.reflect.Method.invoke(Method.java:606)
>>>> 	at org.jboss.modules.Module.run(Module.java:260)
>>>> 	at org.jboss.modules.Main.main(Main.java:291)
>>>> Failure while testing domain %1$s. Details: %2$s: One of the parameters for this error is null and no default message to show
>>>>
>>>> Any thoughts on what might be going wrong?
>>>>
>>
>>
>>
>> -- 
>> Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
>> 3ºD, 28016 Madrid, Spain
>> Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat S.L.