[ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

Yair Zaslavsky yzaslavs at redhat.com
Wed Nov 19 08:20:29 UTC 2014



----- Original Message -----
> From: "Cameron Christensen" <cameron.christensen at uk2group.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: "Yair Zaslavsky" <yzaslavs at redhat.com>, users at ovirt.org
> Sent: Tuesday, November 18, 2014 6:21:18 PM
> Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
> 
> On Mon, 2014-11-17 at 16:48 -0500, Alon Bar-Lev wrote:
> > 
> > ----- Original Message -----
> > > From: "Cameron Christensen" <cameron.christensen at uk2group.com>
> > > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > > Cc: users at ovirt.org
> > > Sent: Monday, November 17, 2014 11:43:34 PM
> > > Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > > IPA
> > > 
> > > 
> > > 
> > > On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:
> > > > 
> > > > ----- Original Message -----
> > > > > From: "Cameron Christensen" <cameron.christensen at uk2group.com>
> > > > > To: users at ovirt.org
> > > > > Sent: Friday, November 14, 2014 5:39:54 PM
> > > > > Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > > > > IPA
> > > > > 
> > > > > Hello,
> > > > > 
> > > > > I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA.
> > > > > Starting up ovirt-engine the extension manager fails to properly load
> > > > > the service that handles Kerberos/LDAP.
> > > > 
> > > > This is probably a bug, can you please execute the following and paste
> > > > result:
> > > > 
> > > > # PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"
> > > > 
> > > 
> > >  option_id |        option_name         |   option_value    | version
> > > -----------+----------------------------+-------------------+---------
> > >        165 | LDAPSecurityAuthentication | example.org:GSSAPI | general
> > > 
> > > I replaced my domain name with 'example.org'
> > > 
> > 
> > I thought it would be empty... and it contains a valid value. Yair?
> > 
> Looking through the vdc_options table I noticed that many of the LDAP*
> and Ad* settings use two different spellings for the Kerberos/LDAP
> domain. One in all upper case letters, EXAMPLE.ORG and one in all lower
> case, example.org. (I'm guessing this is to handle either spelling of
> the domain?)
> 
> I updated LDAPSecurityAuthentication and set the option_value to use
> both the upper case and lower case domain name,
> 'EXAMPLE.ORG:GSSAPI,example.org:GSSAPI'.
> 
> select * from vdc_options where option_name = 'LDAPSecurityAuthentication';
>  option_id |        option_name         |             option_value              | version
> -----------+----------------------------+---------------------------------------+---------
>        165 | LDAPSecurityAuthentication | EXAMPLE.ORG:GSSAPI,example.org:GSSAPI | general

Just so we can continue to investigate -
if you would like to get your LDAP and Kerberos SRV records, to which domain will you send them in your setup?

dig SRV _ldap._tcp.EXAMPLE.ORG

or

dig SRV _ldap._tcp.example.org?


Same goes for

_kerberos._tcp.example.org and _kerberos._tcp.EXAMPLE.ORG

Cheers,
Yair

> 
> Using both domain names I am able to authenticate, authorize and pull
> account information from the IPA server once again.
> 
> Thanks for pointing me at the right location.
> 
> Cameron
> 
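
An added example, not part of the original thread or of oVirt's code: a small check that reports which spellings of a domain name are missing from a per-domain option value, assuming other options use the same `domain:value,domain:value` format shown above for LDAPSecurityAuthentication. The sample rows are constructed, and the second option name is a hypothetical placeholder.

```python
# Added example: audit per-domain vdc_options values for domain-name spellings.
from collections import defaultdict

# Constructed sample rows (option_name, option_value). Only
# LDAPSecurityAuthentication and its value come from the thread; the second
# option name is a hypothetical placeholder.
SAMPLE_ROWS = [
    ("LDAPSecurityAuthentication", "example.org:GSSAPI"),
    ("HypotheticalPerDomainOption", "EXAMPLE.ORG:value1,example.org:value1"),
]

def parse_per_domain(option_value):
    """Split 'dom:val,dom:val' into an ordered list of (domain, value) pairs."""
    pairs = []
    for entry in option_value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # Split on the first ':' only, so values may themselves contain ':'.
        domain, sep, value = entry.partition(":")
        if not sep:
            raise ValueError(f"entry without ':' separator: {entry!r}")
        pairs.append((domain, value))
    return pairs

def missing_spellings(rows):
    """Return {option_name: sorted list of domain spellings it lacks}.

    Domains are grouped case-insensitively; every exact spelling seen in any
    option is expected in every option that mentions that domain.
    """
    seen = defaultdict(set)  # lowercased domain -> exact spellings seen anywhere
    per_option = {}
    for name, value in rows:
        domains = {d for d, _ in parse_per_domain(value)}
        per_option[name] = domains
        for d in domains:
            seen[d.lower()].add(d)
    report = {}
    for name, domains in per_option.items():
        expected = set().union(*(seen[d.lower()] for d in domains))
        gap = sorted(expected - domains)
        if gap:
            report[name] = gap
    return report

if __name__ == "__main__":
    for option, gap in missing_spellings(SAMPLE_ROWS).items():
        print(f"{option}: missing entries for {', '.join(gap)}")
```

To use it on a real installation, replace `SAMPLE_ROWS` with the `option_name` and `option_value` columns returned by the `vdc_options` query shown earlier in the thread.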


