Re: [Users] ovirt kerberos/ldap
Hi! Is there any chance to use ldap simple authentication? What schema should I have?

On 02/26/2013 04:58 PM, Eduardo Ramos wrote:
> Yair, I'm using admin/admin because it's my principal on kerberos. In fact, the checksum error was because I didn't have the admin/admin principal created yet.
> [...]
Re: [Users] ovirt kerberos/ldap
On 27/02/2013 22:19, Eduardo Ramos wrote:
> Hi! Is there any chance to use ldap simple authentication? What schema should I have?

in the works, hopefully soon (which means several weeks at least)

> On 02/26/2013 04:58 PM, Eduardo Ramos wrote:
>> Yair, I'm using admin/admin because it's my principal on kerberos. In fact, the checksum error was because I didn't have the admin/admin principal created yet.
>> [...]
Re: [Users] ovirt kerberos/ldap
Has anyone faced that?

On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
> Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
>
> - Original Message -
> From: Eduardo Ramos edua...@freedominterface.org
> To: Yaniv Kaul yk...@redhat.com
> Cc: yzasl...@redhat.com, users@ovirt.org
> Sent: Thursday, February 21, 2013 3:43:04 PM
> Subject: Re: [Users] ovirt kerberos/ldap
>
>> I got a new step! I added arcfour-hmac-md5:normal into the supported_enctypes and permitted_enctypes directives in kdc.conf. Then I changed the password of my principal using the following:
>>
>> change_password -e arcfour-hmac-md5:normal admin/adimin
>> [...]

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] ovirt kerberos/ldap
- Original Message -
From: Eduardo Ramos edua...@freedominterface.org
To: users@ovirt.org
Sent: Tuesday, February 26, 2013 9:26:42 PM
Subject: Re: [Users] ovirt kerberos/ldap

> Has anyone faced that?
>
> On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
>> Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
>>
>> - Original Message -
>> From: Eduardo Ramos edua...@freedominterface.org
>> To: Yaniv Kaul yk...@redhat.com
>> Cc: yzasl...@redhat.com, users@ovirt.org
>> Sent: Thursday, February 21, 2013 3:43:04 PM
>> Subject: Re: [Users] ovirt kerberos/ldap
>>
>>> I got a new step! I added arcfour-hmac-md5:normal into the supported_enctypes and permitted_enctypes directives in kdc.conf. Then I changed the password of my principal using the following:
>>>
>>> change_password -e arcfour-hmac-md5:normal admin/adimin

Is adimin a typo here? Can I ask why your user name appears like that, with a / in it? Can you try to create a user - let's say myadmin - without the / ?

>>> Now it's ok, but I got another error that I didn't understand, as follows:
>>>
>>> # engine-manage-domains -action=add -domain=gsr.inpe.br -user=admin/admin -interactive -provider=IPA
>>> Enter password:
>>> Error: exception message: Checksum failed
>>> Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.
>>> [...]
Re: [Users] ovirt kerberos/ldap
Yair, I'm using admin/admin because it's my principal on kerberos. In fact, the checksum error was because I didn't have the admin/admin principal created yet. Using kadmin.local I did:

kadmin.local: addprinc admin/admin

So I tried the same:

# engine-manage-domains -action=add -domain=gsr.inpe.br -provider=ipa -user=admin/admin -interactive

And it returned a Java trace on the screen:

General error has occured[LDAP: error code 80 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown error)]
javax.naming.NamingException: [LDAP: error code 80 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown error)]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3076)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
    at com.sun.jndi.ldap.LdapCtx.init(LdapCtx.java:306)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
    at javax.naming.InitialContext.init(InitialContext.java:240)
    at javax.naming.InitialContext.init(InitialContext.java:214)
    at javax.naming.directory.InitialDirContext.init(InitialDirContext.java:99)
    at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:357)
    at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:183)
    at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:159)
    at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:144)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:637)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:787)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:454)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:249)
    at org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:174)
Failure while testing domain gsr.inpe.br.
Details: No user information was found for user

The engine-manage-domain.log has:

2013-02-26 16:55:49,736 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): gsr.inpe.br
2013-02-26 16:55:49,740 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] loaded template kr5.conf file krb5.conf.template
2013-02-26 16:55:49,744 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting default_tkt_enctypes
2013-02-26 16:55:49,772 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting realms
2013-02-26 16:55:49,773 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting domain realm
2013-02-26 16:55:49,774 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): gsr.inpe.br
2013-02-26 16:55:49,774 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: gsr.inpe.br
2013-02-26 16:55:49,827 DEBUG [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Check authentication finished successfully

And /var/log/messages on the ldap/kerberos server has:

Feb 26 16:49:53 ldap krb5kdc[1446]: AS_REQ (1 etypes {23}) 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16 ses=23}, admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br
Feb 26 16:49:53 ldap krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16 17 18}) 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16 ses=1}, admin/ad...@gsr.inpe.br for ldap/ldap.gsr.inpe...@gsr.inpe.br

Thanks for the response.

On 02/26/2013 04:35 PM, Yair Zaslavsky wrote:
> - Original Message -
> From: Eduardo Ramos edua...@freedominterface.org
> To: users@ovirt.org
> Sent: Tuesday, February 26, 2013 9:26:42 PM
> Subject: Re: [Users] ovirt kerberos/ldap
>
>> Has anyone faced that?
>>
>> On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
>>> Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
>>> [...]
Re: [Users] ovirt kerberos/ldap
- Original Message -
> Hi all! I'm trying to link an LDAP/Kerberos to my oVirt without success. I'm stuck with this:
>
> oVirt engine:
>
> # engine-manage-domains -action=add -domain=gsr.inpe.br -user=admin/admin -interactive -provider=IPA
> Enter password:
> Error: exception message: KDC has no support for encryption type (14) - BAD_ENCRYPTION_TYPE

Please snoop the connection between the engine and the IPA server. Port 88, full packets ('-s 1500' on tcpdump), into file ('-w /tmp/kerb.pcap').
Y.

> Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.
>
> kdc log:
>
> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for encryption type
>
> Any suggestion?
Re: [Users] ovirt kerberos/ldap
Please provide info also on the IPA server you are using (use rpm -qa for that)

- Original Message -
From: Yaniv Kaul yk...@redhat.com
To: Eduardo Ramos edua...@freedominterface.org
Cc: users@ovirt.org
Sent: Thursday, February 21, 2013 11:14:41 AM
Subject: Re: [Users] ovirt kerberos/ldap

> - Original Message -
>> Hi all! I'm trying to link an LDAP/Kerberos to my oVirt without success. I'm stuck with this:
>> [...]
>
> Please snoop the connection between the engine and the IPA server. Port 88, full packets ('-s 1500' on tcpdump), into file ('-w /tmp/kerb.pcap').
> Y.
> [...]
Re: [Users] ovirt kerberos/ldap
Morning! That's my log entry. PCAP attached.

Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for encryption type

My /etc/krb5.conf

[libdefaults]
 default_realm = GSR.INPE.BR
 allow_weak_crypto = yes
 default_tkt_enctypes = rc4-hmac des-cbc-md5
 default_tgs_enctypes = rc4-hmac des-cbc-md5

[realms]
 GSR.INPE.BR = {
  master_kdc = GSR.INPE.BR
  kdc = kerberos.gsr.inpe.br
  default_domain = gsr.inpe.br
 }

[domain_realm]
 .gsr.inpe.br = GSR.INPE.BR
 gsr.inpe.br = GSR.INPE.BR

[logging]
 kdc = SYSLOG:INFO

Is it sufficient?

On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
> Please provide info also on the IPA server you are using (use rpm -qa for that)
>
> - Original Message -
> From: Yaniv Kaul yk...@redhat.com
> To: Eduardo Ramos edua...@freedominterface.org
> Cc: users@ovirt.org
> Sent: Thursday, February 21, 2013 11:14:41 AM
> Subject: Re: [Users] ovirt kerberos/ldap
> [...]
Re: [Users] ovirt kerberos/ldap
I got a new step! I added arcfour-hmac-md5:normal into the supported_enctypes and permitted_enctypes directives in kdc.conf. Then I changed the password of my principal using the following:

change_password -e arcfour-hmac-md5:normal admin/adimin

Now it's ok, but I got another error that I didn't understand, as follows:

# engine-manage-domains -action=add -domain=gsr.inpe.br -user=admin/admin -interactive -provider=IPA
Enter password:
Error: exception message: Checksum failed
Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.

The log of the kdc says:

Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 ses=23}, admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br

And the engine-manage-domains.log says:

2013-02-21 10:36:46,722 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: gsr.inpe.br
2013-02-21 10:36:46,819 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Checksum failed
2013-02-21 10:36:46,822 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.

On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
> On 21/02/13 13:24, Eduardo Ramos wrote:
>> Morning! That's my log entry. PCAP attached.
>>
>> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for encryption type
>
> You are using rc4_hmac, which is the right encryption protocol usually. One can disable it (using the 'permitted_enctypes' directive).
>
>> My /etc/krb5.conf
>
> This is not the krb5.conf file oVirt is using. Please search your system for oVirt's krb5.conf (sorry, don't have it from the top of my head).
> In any case, I'd check the IPA configuration.
> Y.
>
>> [libdefaults]
>> [...]
>>
>> Is it sufficient?
>>
>> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
>>> Please provide info also on the IPA server you are using (use rpm -qa for that)
>>> [...]
___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
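The krb5kdc lines quoted in this thread carry the whole enctype story: the "(1 etypes {23})" part is what the client offered (23 = rc4-hmac), BAD_ENCRYPTION_TYPE means the KDC could find no enctype shared with the principal's keys, and the later ISSUE line's "etypes {rep=23 tkt=16 ses=23}" shows which key protected the reply, the ticket and the session. The following is an added example, not code from the thread, from oVirt or from MIT krb5: a small Python parser for such lines that names the etypes and flags single-DES, triple-DES and RC4 keys, so an admin can see from the KDC log which principals still depend on legacy enctypes. The sample lines are constructed, modelled on the ones quoted above; the principal and realm names in them are illustrative.

```python
import re
# Kerberos etype numbers (IANA registry) seen in this thread, plus AES.
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
# Single DES, triple DES and RC4: legacy types a KDC should no longer be issuing.
LEGACY_ETYPES = {1, 2, 3, 16, 23, 24}
# Which key each part of an ISSUE line was protected with.
ROLE = {"rep": "AS reply (client key)", "tkt": "ticket (krbtgt key)", "ses": "session key"}

# "<ts> <host> krb5kdc[<pid>]: AS_REQ (<n> etypes {<list>}) <ip>: <STATUS>: <rest>"
LOG_RE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$")
ISSUE_RE = re.compile(r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}")

def parse_kdc_line(line):
    # One krb5kdc request line -> dict, or None if the line is something else.
    m = LOG_RE.search(line)
    if not m:
        return None
    issued = ISSUE_RE.search(m.group("rest"))
    return {"request": m.group("req"), "client": m.group("client"),
            "status": m.group("status"),
            "offered": [int(e) for e in m.group("etypes").split()],
            "issued": {k: int(v) for k, v in issued.groupdict().items()} if issued else {}}

def findings(line):
    # Enctype mismatches and legacy keys reported for one line.
    rec = parse_kdc_line(line)
    if rec is None:
        return []
    name = lambda e: ETYPE_NAMES.get(e, "etype %d" % e)
    out = []
    if rec["status"] == "BAD_ENCRYPTION_TYPE":  # no enctype shared by client and KDC/principal
        out.append("%s offered only [%s]: no enctype in common with the KDC"
                   % (rec["client"], ", ".join(map(name, rec["offered"]))))
    for role, e in rec["issued"].items():  # ISSUE line: which keys are still legacy
        if e in LEGACY_ETYPES:
            out.append("%s: %s uses legacy %s" % (rec["client"], ROLE[role], name(e)))
    return out

# Constructed sample lines, modelled on the ones quoted in this thread.
SAMPLE = [
    "Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: "
    "admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR, KDC has no support for encryption type",
    "Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 150.163.73.78: ISSUE: authtime 1361453805, "
    "etypes {rep=23 tkt=16 ses=23}, admin/admin@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR",
    "Feb 21 11:00:00 ldap krb5kdc[5386]: AS_REQ (2 etypes {18 17}) 10.0.0.5: ISSUE: authtime 1361455200, "
    "etypes {rep=18 tkt=18 ses=18}, alice@GSR.INPE.BR for krbtgt/GSR.INPE.BR@GSR.INPE.BR",
]
```

On the second sample, which mirrors the thread's ISSUE line, it reports the reply and session key as rc4-hmac and the ticket key (the krbtgt key) as des3-cbc-sha1; an all-AES request like the third sample produces no findings.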
Re: [Users] ovirt kerberos/ldap
Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf

- Original Message -
From: Eduardo Ramos edua...@freedominterface.org
To: Yaniv Kaul yk...@redhat.com
Cc: yzasl...@redhat.com, users@ovirt.org
Sent: Thursday, February 21, 2013 3:43:04 PM
Subject: Re: [Users] ovirt kerberos/ldap
[Users] ovirt kerberos/ldap
Hi all! I'm trying to link an ldap/kerberos to my ovirt without success. I'm stuck with this:

oVirt engine:

  # engine-manage-domains -action=add -domain=gsr.inpe.br -user=admin/admin -interactive -provider=IPA
  Enter password:
  Error: exception message: KDC has no support for encryption type (14) - BAD_ENCRYPTION_TYPE
  Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.

kdc log:

  Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for encryption type

Any suggestion?