Re: [Users] ovirt kerberos/ldap

2013-02-27 Thread Eduardo Ramos

Hi!

Is there any chance to use ldap simple authentication?
What schema should I have?

On 02/26/2013 04:58 PM, Eduardo Ramos wrote:

Yair,

I'm using admin/admin because it's my principal on kerberos. In fact, 
the checksum error was because I didn't have admin/admin principal 
created yet.


Using kadmin.local I did:

kadmin.local: addprinc admin/admin

So I tried the same:

# engine-manage-domains -action=add -domain=gsr.inpe.br -provider=ipa 
-user=admin/admin -interactive


And it returned on the screen a trace of java:

General error has occured[LDAP: error code 80 - SASL(-1): generic 
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may 
provide more information (Unknown error)]
javax.naming.NamingException: [LDAP: error code 80 - SASL(-1): generic 
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may 
provide more information (Unknown error)]

at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3076)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
at com.sun.jndi.ldap.LdapCtx.init(LdapCtx.java:306)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
at javax.naming.InitialContext.init(InitialContext.java:240)
at javax.naming.InitialContext.init(InitialContext.java:214)
at javax.naming.directory.InitialDirContext.init(InitialDirContext.java:99)
at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:357)
at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:183)
at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:159)
at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:144)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:637)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:787)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:454)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:249)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:174)
Failure while testing domain gsr.inpe.br. Details: No user information 
was found for user


The engine-manage-domain.log has:

[2013-02-26 16:55:49,736 INFO 
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos 
configuration for domain(s): gsr.inpe.br
2013-02-26 16:55:49,740 DEBUG 
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] loaded template 
kr5.conf file krb5.conf.template
2013-02-26 16:55:49,744 DEBUG 
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting 
default_tkt_enctypes
2013-02-26 16:55:49,772 DEBUG 
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting realms
2013-02-26 16:55:49,773 DEBUG 
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting domain realm
2013-02-26 16:55:49,774 INFO 
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully 
created kerberos configuration for domain(s): gsr.inpe.br
2013-02-26 16:55:49,774 INFO 
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos 
configuration for domain: gsr.inpe.br
2013-02-26 16:55:49,827 DEBUG 
[org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Check 
authentication finished successfully


And /var/log/messages on the ldap/kerberos server has:

Feb 26 16:49:53 ldap krb5kdc[1446]: AS_REQ (1 etypes {23}) 
150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16 
ses=23}, admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br
Feb 26 16:49:53 ldap krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16 17 
18}) 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16 
ses=1}, admin/ad...@gsr.inpe.br for ldap/ldap.gsr.inpe...@gsr.inpe.br


Thanks for the response.

On 02/26/2013 04:35 PM, Yair Zaslavsky wrote:

- Original Message -

From: Eduardo Ramos edua...@freedominterface.org
To: users@ovirt.org
Sent: Tuesday, February 26, 2013 9:26:42 PM
Subject: Re: [Users] ovirt kerberos/ldap

Has anyone faced that?

On 02/21/2013 10:59 AM, Yair Zaslavsky

Re: [Users] ovirt kerberos/ldap

2013-02-27 Thread Itamar Heim

On 27/02/2013 22:19, Eduardo Ramos wrote:

Hi!

Is there any chance to use ldap simple authentication?
What schema should I have?


in the works, hopefully soon (which means several weeks at least)



On 02/26/2013 04:58 PM, Eduardo Ramos wrote:

Yair,

I'm using admin/admin because it's my principal on kerberos. In fact,
the checksum error was because I didn't have admin/admin principal
created yet.

Using kadmin.local I did:

kadmin.local: addprinc admin/admin

So I tried the same:

# engine-manage-domains -action=add -domain=gsr.inpe.br -provider=ipa
-user=admin/admin -interactive

And it returned on the screen a trace of java:

General error has occured[LDAP: error code 80 - SASL(-1): generic
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
provide more information (Unknown error)]
javax.naming.NamingException: [LDAP: error code 80 - SASL(-1): generic
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
provide more information (Unknown error)]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3076)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
at com.sun.jndi.ldap.LdapCtx.init(LdapCtx.java:306)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
at javax.naming.InitialContext.init(InitialContext.java:240)
at javax.naming.InitialContext.init(InitialContext.java:214)
at javax.naming.directory.InitialDirContext.init(InitialDirContext.java:99)
at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:357)
at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:183)
at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:159)
at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:144)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:637)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:787)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:454)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:249)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:174)
Failure while testing domain gsr.inpe.br. Details: No user information
was found for user

The engine-manage-domain.log has:

[2013-02-26 16:55:49,736 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos
configuration for domain(s): gsr.inpe.br
2013-02-26 16:55:49,740 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] loaded template
kr5.conf file krb5.conf.template
2013-02-26 16:55:49,744 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting
default_tkt_enctypes
2013-02-26 16:55:49,772 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting realms
2013-02-26 16:55:49,773 DEBUG
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting domain realm
2013-02-26 16:55:49,774 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
created kerberos configuration for domain(s): gsr.inpe.br
2013-02-26 16:55:49,774 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos
configuration for domain: gsr.inpe.br
2013-02-26 16:55:49,827 DEBUG
[org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Check
authentication finished successfully

And /var/log/messages on the ldap/kerberos server has:

Feb 26 16:49:53 ldap krb5kdc[1446]: AS_REQ (1 etypes {23})
150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16
ses=23}, admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br
Feb 26 16:49:53 ldap krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16 17
18}) 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16
ses=1}, admin/ad...@gsr.inpe.br for ldap/ldap.gsr.inpe...@gsr.inpe.br

Thanks for the response.

On 02/26/2013 04:35 PM, Yair Zaslavsky wrote:

- Original Message -

From: Eduardo Ramos edua...@freedominterface.org
To: users@ovirt.org
Sent: Tuesday, February 26, 2013 9:26:42 PM
Subject: Re: [Users] ovirt kerberos/ldap

Re: [Users] ovirt kerberos/ldap

2013-02-26 Thread Eduardo Ramos

Has anyone faced that?

On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:

Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf



- Original Message -

From: Eduardo Ramos edua...@freedominterface.org
To: Yaniv Kaul yk...@redhat.com
Cc: yzasl...@redhat.com, users@ovirt.org
Sent: Thursday, February 21, 2013 3:43:04 PM
Subject: Re: [Users] ovirt kerberos/ldap

I got a new step!

I added arcfour-hmac-md5:normal into supported_enctypes and
permitted_enctypes directives in kdc.conf.
Then I changed password of my principal using the following:

change_password -e arcfour-hmac-md5:normal admin/adimin

Now, it's ok, but now I got another error that I didn't understand as
follows:

# engine-manage-domains -action=add -domain=gsr.inpe.br
-user=admin/admin -interactive -provider=IPA
Enter password:

Error:  exception message: Checksum failed
Failure while testing domain gsr.inpe.br. Details: Kerberos error.
Please check log for further details.

The log of kdc says:

Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23})
150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16
ses=23}, admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br

And the engine-manage-domains.log says:
2013-02-21 10:36:46,722 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
kerberos
configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
created kerberos configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos
configuration for domain: gsr.inpe.br
2013-02-21 10:36:46,819 ERROR
[org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
exception message: Checksum failed
2013-02-21 10:36:46,822 ERROR
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while
testing domain gsr.inpe.br. Details: Kerberos error. Please check log
for further details.


On 02/21/2013 08:55 AM, Yaniv Kaul wrote:

On 21/02/13 13:24, Eduardo Ramos wrote:

Morning!

That's my log entry. PCAP attached.

Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for
krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for encryption
type

You are using rc4_hmac, which is the right encryption protocol
usually. One can disable it (using 'permitted_enctypes' directive).


My /etc/krb5.conf

This is not the krb5.conf file oVirt is using. Please search your
system for oVirt's krb5.conf (sorry, don't have it from the top of
my
head).
In any case, I'd check the IPA configuration.
Y.


[libdefaults]
   default_realm = GSR.INPE.BR
   allow_weak_crypto = yes

 default_tkt_enctypes = rc4-hmac des-cbc-md5
 default_tgs_enctypes = rc4-hmac des-cbc-md5

[realms]
   GSR.INPE.BR = {
   master_kdc =  GSR.INPE.BR
   kdc = kerberos.gsr.inpe.br
   default_domain = gsr.inpe.br
   }

[domain_realm]
   .gsr.inpe.br = GSR.INPE.BR
   gsr.inpe.br = GSR.INPE.BR

[logging]
kdc = SYSLOG:INFO

Does it suffice?

On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:

Please provide info also on the IPA server you are using (use rpm
-qa for that)


- Original Message -

From: Yaniv Kaul yk...@redhat.com
To: Eduardo Ramos edua...@freedominterface.org
Cc: users@ovirt.org
Sent: Thursday, February 21, 2013 11:14:41 AM
Subject: Re: [Users] ovirt kerberos/ldap

- Original Message -

Hi all!

I'm trying to link a ldap/kerberos to my ovirt without success.
I'm
stuck with this:

oVirt engine:

# engine-manage-domains -action=add -domain=gsr.inpe.br
-user=admin/admin -interactive -provider=IPA
Enter password:

Error:  exception message: KDC has no support for encryption
type
(14) -
BAD_ENCRYPTION_TYPE

Please snoop the connection between the engine and the IPA
server.
Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
/tmp/kerb.pcap' ).
Y.


Failure while testing domain gsr.inpe.br. Details: Kerberos
error.
Please check log for further details.

kdc log:

Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for
krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for
encryption
type

Any suggestion?
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users




Re: [Users] ovirt kerberos/ldap

2013-02-26 Thread Yair Zaslavsky


- Original Message -
 From: Eduardo Ramos edua...@freedominterface.org
 To: users@ovirt.org
 Sent: Tuesday, February 26, 2013 9:26:42 PM
 Subject: Re: [Users] ovirt kerberos/ldap
 
 Has anyone faced that?
 
 On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
  Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
 
 
 
  - Original Message -
  From: Eduardo Ramos edua...@freedominterface.org
  To: Yaniv Kaul yk...@redhat.com
  Cc: yzasl...@redhat.com, users@ovirt.org
  Sent: Thursday, February 21, 2013 3:43:04 PM
  Subject: Re: [Users] ovirt kerberos/ldap
 
  I got a new step!
 
  I added arcfour-hmac-md5:normal into supported_enctypes and
  permitted_enctypes directives in kdc.conf.
  Then I changed password of my principal using the following:
 
  change_password -e arcfour-hmac-md5:normal admin/adimin

Is adimin a typo here?
Can I ask why your user name appears like that, with a / in it?
Can you try to create user  - let's say myadmin without the / ?

 
  Now, it's ok, but now I got another error that I didn't understand
  as
  follows:
 
  # engine-manage-domains -action=add -domain=gsr.inpe.br
  -user=admin/admin -interactive -provider=IPA
  Enter password:
 
  Error:  exception message: Checksum failed
  Failure while testing domain gsr.inpe.br. Details: Kerberos error.
  Please check log for further details.
 
  The log of kdc says:
 
  Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23})
  150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16
  ses=23}, admin/ad...@gsr.inpe.br for
  krbtgt/gsr.inpe...@gsr.inpe.br
 
  And the engine-manage-domains.log says:
  2013-02-21 10:36:46,722 INFO
  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
  kerberos
  configuration for domain(s): gsr.inpe.br
  2013-02-21 10:36:46,745 INFO
  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
  created kerberos configuration for domain(s): gsr.inpe.br
  2013-02-21 10:36:46,745 INFO
  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing
  kerberos
  configuration for domain: gsr.inpe.br
  2013-02-21 10:36:46,819 ERROR
  [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
  exception message: Checksum failed
  2013-02-21 10:36:46,822 ERROR
  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while
  testing domain gsr.inpe.br. Details: Kerberos error. Please check
  log
  for further details.
 
 
  On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
  On 21/02/13 13:24, Eduardo Ramos wrote:
  Morning!
 
  That's my log entry. PCAP attached.
 
  Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
  150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for
  krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for
  encryption
  type
  You are using rc4_hmac, which is the right encryption protocol
  usually. One can disable it (using 'permitted_enctypes'
  directive).
 
  My /etc/krb5.conf
  This is not the krb5.conf file oVirt is using. Please search your
  system for oVirt's krb5.conf (sorry, don't have it from the top
  of
  my
  head).
  In any case, I'd check the IPA configuration.
  Y.
 
  [libdefaults]
 default_realm = GSR.INPE.BR
 allow_weak_crypto = yes
 
   default_tkt_enctypes = rc4-hmac des-cbc-md5
   default_tgs_enctypes = rc4-hmac des-cbc-md5
 
  [realms]
 GSR.INPE.BR = {
 master_kdc =  GSR.INPE.BR
 kdc = kerberos.gsr.inpe.br
 default_domain = gsr.inpe.br
 }
 
  [domain_realm]
 .gsr.inpe.br = GSR.INPE.BR
 gsr.inpe.br = GSR.INPE.BR
 
  [logging]
  kdc = SYSLOG:INFO
 
  Does it suffice?
 
  On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
  Please provide info also on the IPA server you are using (use
  rpm
  -qa for that)
 
 
  - Original Message -
  From: Yaniv Kaul yk...@redhat.com
  To: Eduardo Ramos edua...@freedominterface.org
  Cc: users@ovirt.org
  Sent: Thursday, February 21, 2013 11:14:41 AM
  Subject: Re: [Users] ovirt kerberos/ldap
 
  - Original Message -
  Hi all!
 
  I'm trying to link a ldap/kerberos to my ovirt without
  success.
  I'm
  stuck with this:
 
  oVirt engine:
 
  # engine-manage-domains -action=add -domain=gsr.inpe.br
  -user=admin/admin -interactive -provider=IPA
  Enter password:
 
  Error:  exception message: KDC has no support for encryption
  type
  (14) -
  BAD_ENCRYPTION_TYPE
  Please snoop the connection between the engine and the IPA
  server.
  Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
  /tmp/kerb.pcap' ).
  Y.
 
  Failure while testing domain gsr.inpe.br. Details: Kerberos
  error.
  Please check log for further details.
 
  kdc log:
 
  Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
  150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br
  for
  krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for
  encryption
  type
 
  Any suggestion?

Re: [Users] ovirt kerberos/ldap

2013-02-26 Thread Eduardo Ramos

Yair,

I'm using admin/admin because it's my principal on kerberos. In fact, 
the checksum error was because I didn't have admin/admin principal 
created yet.


Using kadmin.local I did:

kadmin.local: addprinc admin/admin

So I tried the same:

# engine-manage-domains -action=add -domain=gsr.inpe.br -provider=ipa 
-user=admin/admin -interactive


And it returned on the screen a trace of java:

General error has occured[LDAP: error code 80 - SASL(-1): generic 
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide 
more information (Unknown error)]
javax.naming.NamingException: [LDAP: error code 80 - SASL(-1): generic 
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide 
more information (Unknown error)]

at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3076)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
at com.sun.jndi.ldap.LdapCtx.init(LdapCtx.java:306)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
at javax.naming.InitialContext.init(InitialContext.java:240)
at javax.naming.InitialContext.init(InitialContext.java:214)
at javax.naming.directory.InitialDirContext.init(InitialDirContext.java:99)
at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:357)
at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:183)
at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:159)
at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:144)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:637)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:787)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:454)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:249)
at org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:174)
Failure while testing domain gsr.inpe.br. Details: No user information 
was found for user


The engine-manage-domain.log has:

[2013-02-26 16:55:49,736 INFO 
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos 
configuration for domain(s): gsr.inpe.br
2013-02-26 16:55:49,740 DEBUG 
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] loaded template 
kr5.conf file krb5.conf.template
2013-02-26 16:55:49,744 DEBUG 
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting 
default_tkt_enctypes
2013-02-26 16:55:49,772 DEBUG 
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting realms
2013-02-26 16:55:49,773 DEBUG 
[org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting domain realm
2013-02-26 16:55:49,774 INFO 
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully 
created kerberos configuration for domain(s): gsr.inpe.br
2013-02-26 16:55:49,774 INFO 
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos 
configuration for domain: gsr.inpe.br
2013-02-26 16:55:49,827 DEBUG 
[org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Check 
authentication finished successfully


And /var/log/messages on the ldap/kerberos server has:

Feb 26 16:49:53 ldap krb5kdc[1446]: AS_REQ (1 etypes {23}) 
150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16 
ses=23}, admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br
Feb 26 16:49:53 ldap krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16 17 18}) 
150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16 
ses=1}, admin/ad...@gsr.inpe.br for ldap/ldap.gsr.inpe...@gsr.inpe.br


Thanks for the response.

On 02/26/2013 04:35 PM, Yair Zaslavsky wrote:


- Original Message -

From: Eduardo Ramos edua...@freedominterface.org
To: users@ovirt.org
Sent: Tuesday, February 26, 2013 9:26:42 PM
Subject: Re: [Users] ovirt kerberos/ldap

Has anyone faced that?

On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:

Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf



- Original Message -

From: Eduardo Ramos edua
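
An added example, not part of the original messages: a small parser for krb5kdc syslog lines in the format quoted above. It decodes the etype numbers and reports every reply, ticket or session key that uses DES, 3DES or RC4, plus requests rejected with BAD_ENCRYPTION_TYPE. The log lines are constructed in the thread's format; the host name, principals and addresses (kdc1, EXAMPLE.TEST, 192.0.2.x) are placeholders.

```python
import re

# Kerberos encryption type numbers (IANA registry) that appear in the logs.
ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
}
# Single DES and export RC4 were deprecated by RFC 6649, 3DES and RC4 by RFC 8429.
DEPRECATED = {1, 2, 3, 16, 23, 24}

LINE_RE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[\d ]+)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) "
    r"ses=(?P<ses>\d+)\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)"
)

# Constructed sample input (one syslog record per line).
SAMPLE_LOG = [
    "Feb 20 18:02:55 kdc1 krb5kdc[4314]: AS_REQ (1 etypes {23}) 192.0.2.10: "
    "BAD_ENCRYPTION_TYPE: admin/admin@EXAMPLE.TEST for "
    "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, KDC has no support for encryption type",
    "Feb 26 16:49:53 kdc1 krb5kdc[1446]: AS_REQ (1 etypes {23}) 192.0.2.10: "
    "ISSUE: authtime 1361908193, etypes {rep=23 tkt=16 ses=23}, "
    "admin/admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    "Feb 26 16:49:53 kdc1 krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16 17 18}) "
    "192.0.2.10: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16 ses=1}, "
    "admin/admin@EXAMPLE.TEST for ldap/ldap.example.test@EXAMPLE.TEST",
    "Feb 26 17:00:00 kdc1 krb5kdc[1446]: AS_REQ (2 etypes {18 17}) 192.0.2.11: "
    "ISSUE: authtime 1361908800, etypes {rep=18 tkt=18 ses=18}, "
    "alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
]


def etype_name(number):
    return ETYPES.get(number, f"etype-{number}")


def parse_kdc_line(line):
    """Return the fields of one krb5kdc AS_REQ/TGS_REQ record, or None."""
    match = LINE_RE.search(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["offered"] = [int(n) for n in rec["offered"].split()]
    for key in ("rep", "tkt", "ses"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def audit_kdc_log(lines):
    """Return (request, kind, detail) tuples for rejected or weakly keyed requests."""
    findings = []
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        who = f"{rec['req']} {rec['client']} -> {rec['server']}"
        if rec["status"] == "BAD_ENCRYPTION_TYPE":
            offered = ", ".join(etype_name(e) for e in rec["offered"])
            findings.append((who, "rejected", f"client offered only: {offered}"))
        elif rec["status"] == "ISSUE":
            for field, label in (("rep", "reply key"), ("tkt", "ticket key"),
                                 ("ses", "session key")):
                if rec[field] in DEPRECATED:
                    findings.append(
                        (who, "weak", f"{label} uses {etype_name(rec[field])}"))
    return findings


if __name__ == "__main__":
    for who, kind, detail in audit_kdc_log(SAMPLE_LOG):
        print(f"[{kind}] {who}: {detail}")
```

In the TGS_REQ record the client offered AES (17, 18) but the issued session key is etype 1, single DES, which is the kind of downgrade this check is meant to surface.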

Re: [Users] ovirt kerberos/ldap

2013-02-21 Thread Yaniv Kaul
- Original Message -
 Hi all!
 
 I'm trying to link a ldap/kerberos to my ovirt without success. I'm
 stuck with this:
 
 oVirt engine:
 
 # engine-manage-domains -action=add -domain=gsr.inpe.br
 -user=admin/admin -interactive -provider=IPA
 Enter password:
 
 Error:  exception message: KDC has no support for encryption type
 (14) -
 BAD_ENCRYPTION_TYPE

Please snoop the connection between the engine and the IPA server. Port 88, 
full packets ('-s 1500' on tcpdump), into file ('-w /tmp/kerb.pcap' ).
Y.

 Failure while testing domain gsr.inpe.br. Details: Kerberos error.
 Please check log for further details.
 
 kdc log:
 
 Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for
 krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for encryption
 type
 
 Any suggestion?


Re: [Users] ovirt kerberos/ldap

2013-02-21 Thread Yair Zaslavsky
Please provide info also on the IPA server you are using (use rpm -qa for that)


- Original Message -
 From: Yaniv Kaul yk...@redhat.com
 To: Eduardo Ramos edua...@freedominterface.org
 Cc: users@ovirt.org
 Sent: Thursday, February 21, 2013 11:14:41 AM
 Subject: Re: [Users] ovirt kerberos/ldap
 
 - Original Message -
  Hi all!
  
  I'm trying to link a ldap/kerberos to my ovirt without success. I'm
  stuck with this:
  
  oVirt engine:
  
  # engine-manage-domains -action=add -domain=gsr.inpe.br
  -user=admin/admin -interactive -provider=IPA
  Enter password:
  
  Error:  exception message: KDC has no support for encryption type
  (14) -
  BAD_ENCRYPTION_TYPE
 
 Please snoop the connection between the engine and the IPA server.
 Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
 /tmp/kerb.pcap' ).
 Y.
 
  Failure while testing domain gsr.inpe.br. Details: Kerberos error.
  Please check log for further details.
  
  kdc log:
  
  Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
  150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for
  krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for encryption
  type
  
  Any suggestion?


Re: [Users] ovirt kerberos/ldap

2013-02-21 Thread Eduardo Ramos

Morning!

That's my log entry. PCAP attached.

Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 
150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for 
krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for encryption type


My /etc/krb5.conf
[libdefaults]
  default_realm = GSR.INPE.BR
  allow_weak_crypto = yes
  default_tkt_enctypes = rc4-hmac des-cbc-md5
  default_tgs_enctypes = rc4-hmac des-cbc-md5

[realms]
  GSR.INPE.BR = {
    master_kdc = GSR.INPE.BR
    kdc = kerberos.gsr.inpe.br
    default_domain = gsr.inpe.br
  }

[domain_realm]
  .gsr.inpe.br = GSR.INPE.BR
  gsr.inpe.br = GSR.INPE.BR

[logging]
  kdc = SYSLOG:INFO

Does it suffice?

On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:

Please provide info also on the IPA server you are using (use rpm -qa for that)


- Original Message -

From: Yaniv Kaul yk...@redhat.com
To: Eduardo Ramos edua...@freedominterface.org
Cc: users@ovirt.org
Sent: Thursday, February 21, 2013 11:14:41 AM
Subject: Re: [Users] ovirt kerberos/ldap

- Original Message -

Hi all!

I'm trying to link a ldap/kerberos to my ovirt without success. I'm
stuck with this:

oVirt engine:

# engine-manage-domains -action=add -domain=gsr.inpe.br
-user=admin/admin -interactive -provider=IPA
Enter password:

Error:  exception message: KDC has no support for encryption type
(14) -
BAD_ENCRYPTION_TYPE

Please snoop the connection between the engine and the IPA server.
Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
/tmp/kerb.pcap' ).
Y.


Failure while testing domain gsr.inpe.br. Details: Kerberos error.
Please check log for further details.

kdc log:

Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for
krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for encryption
type

Any suggestion?

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
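
An added example, not part of the original message: a check that reads a krb5.conf or kdc.conf and lists every setting that enables DES, 3DES or RC4, run here on the /etc/krb5.conf posted above. The kdc.conf fragment and the AES-only configuration are constructed for comparison, and EXAMPLE.TEST is a placeholder realm.

```python
import re

# MIT krb5 enctype names and family aliases for single DES, 3DES and RC4.
# DES and export RC4 were deprecated by RFC 6649, 3DES and RC4 by RFC 8429.
WEAK_ENCTYPES = {
    "des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "des3", "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd",
    "rc4", "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
    "rc4-hmac-exp", "arcfour-hmac-exp", "arcfour-hmac-md5-exp",
}
ENCTYPE_KEYS = {
    "default_tkt_enctypes", "default_tgs_enctypes",
    "permitted_enctypes", "supported_enctypes",
}
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

# The client configuration as posted in the thread.
THREAD_KRB5_CONF = """\
[libdefaults]
  default_realm = GSR.INPE.BR
  allow_weak_crypto = yes
  default_tkt_enctypes = rc4-hmac des-cbc-md5
  default_tgs_enctypes = rc4-hmac des-cbc-md5

[realms]
  GSR.INPE.BR = {
    master_kdc = GSR.INPE.BR
    kdc = kerberos.gsr.inpe.br
    default_domain = gsr.inpe.br
  }
"""

# Constructed kdc.conf fragment using the enctype:salt form from the thread.
SAMPLE_KDC_CONF = """\
[realms]
  EXAMPLE.TEST = {
    supported_enctypes = aes256-cts:normal arcfour-hmac-md5:normal
  }
"""

# Constructed AES-only client configuration for comparison.
AES_ONLY_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  allow_weak_crypto = no
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""


def relations(text):
    """Yield (section, key, value) for each 'key = value' line.

    Realm subsections ('REALM = {' ... '}') are flattened: their relations
    are reported under the enclosing section name.
    """
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or value == "{":
            continue
        yield section, key, value


def audit_krb5_conf(text):
    """Return (section, key, problem) for each weak-crypto setting found."""
    findings = []
    for section, key, value in relations(text):
        if key == "allow_weak_crypto" and value.lower() in TRUE_VALUES:
            findings.append((section, key, "weak enctypes explicitly enabled"))
        elif key in ENCTYPE_KEYS:
            for token in re.split(r"[\s,]+", value):
                enctype = token.split(":", 1)[0].lower()  # drop ':normal' salt
                if enctype in WEAK_ENCTYPES:
                    findings.append((section, key, enctype))
    return findings


if __name__ == "__main__":
    for name, conf in (("thread krb5.conf", THREAD_KRB5_CONF),
                       ("sample kdc.conf", SAMPLE_KDC_CONF),
                       ("AES-only krb5.conf", AES_ONLY_KRB5_CONF)):
        print(name, audit_krb5_conf(conf))
```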





kerb.pcap
Description: Binary data

Re: [Users] ovirt kerberos/ldap

2013-02-21 Thread Eduardo Ramos

I got a new step!

I added arcfour-hmac-md5:normal into supported_enctypes and 
permitted_enctypes directives in kdc.conf.

Then I changed password of my principal using the following:

change_password -e arcfour-hmac-md5:normal admin/adimin

Now, it's ok, but now I got another error that I didn't understand as 
follows:


# engine-manage-domains -action=add -domain=gsr.inpe.br 
-user=admin/admin -interactive -provider=IPA

Enter password:

Error:  exception message: Checksum failed
Failure while testing domain gsr.inpe.br. Details: Kerberos error. 
Please check log for further details.


The log of kdc says:

Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 
150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 
ses=23}, admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br


And the engine-manage-domains.log says:
2013-02-21 10:36:46,722 INFO 
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos 
configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO 
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully 
created kerberos configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO 
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos 
configuration for domain: gsr.inpe.br
2013-02-21 10:36:46,819 ERROR 
[org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: 
exception message: Checksum failed
2013-02-21 10:36:46,822 ERROR 
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while 
testing domain gsr.inpe.br. Details: Kerberos error. Please check log 
for further details.



On 02/21/2013 08:55 AM, Yaniv Kaul wrote:

On 21/02/13 13:24, Eduardo Ramos wrote:

Morning!

That's my log entry. PCAP attached.

Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 
150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for 
krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for encryption type


You are using rc4_hmac, which is the right encryption protocol 
usually. One can disable it (using 'permitted_enctypes' directive).




My /etc/krb5.conf


This is not the krb5.conf file oVirt is using. Please search your 
system for oVirt's krb5.conf (sorry, don't have it from the top of my 
head).

In any case, I'd check the IPA configuration.
Y.


[libdefaults]
  default_realm = GSR.INPE.BR
  allow_weak_crypto = yes

default_tkt_enctypes = rc4-hmac des-cbc-md5
default_tgs_enctypes = rc4-hmac des-cbc-md5

[realms]
  GSR.INPE.BR = {
  master_kdc =  GSR.INPE.BR
  kdc = kerberos.gsr.inpe.br
  default_domain = gsr.inpe.br
  }

[domain_realm]
  .gsr.inpe.br = GSR.INPE.BR
  gsr.inpe.br = GSR.INPE.BR

[logging]
   kdc = SYSLOG:INFO

Does it suffice?

On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
Please provide info also on the IPA server you are using (use rpm 
-qa for that)



- Original Message -

From: Yaniv Kaul yk...@redhat.com
To: Eduardo Ramos edua...@freedominterface.org
Cc: users@ovirt.org
Sent: Thursday, February 21, 2013 11:14:41 AM
Subject: Re: [Users] ovirt kerberos/ldap

- Original Message -

Hi all!

I'm trying to link a ldap/kerberos to my ovirt without success. I'm
stuck with this:

oVirt engine:

# engine-manage-domains -action=add -domain=gsr.inpe.br
-user=admin/admin -interactive -provider=IPA
Enter password:

Error:  exception message: KDC has no support for encryption type
(14) -
BAD_ENCRYPTION_TYPE

Please snoop the connection between the engine and the IPA server.
Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
/tmp/kerb.pcap' ).
Y.


Failure while testing domain gsr.inpe.br. Details: Kerberos error.
Please check log for further details.

kdc log:

Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for
krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for encryption
type

Any suggestion?
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users









___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
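
An added example, not part of any message in this thread: a small audit of krb5kdc log lines in the numeric format quoted above, reporting which requests offered or were issued deprecated enctypes. The deprecation set (per RFC 6649 and RFC 8429), the function name and the third sample line are assumptions of this example.

```python
import re
# Kerberos enctype numbers as logged by krb5kdc (IANA Kerberos registry).
ENCTYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
# Policy assumed for this example: flag what RFC 6649 and RFC 8429 deprecate.
DEPRECATED = {1, 2, 3, 16, 23, 24}

REQUEST = re.compile(
    r"krb5kdc\[\d+\]: (?:AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<req>[\d ]+)\}\) "
    r"(?P<client>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)")
ISSUED = re.compile(r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}")

# The first two lines are the thread's KDC entries with mail wrapping undone
# (principals stay elided as archived); the third line is constructed.
SAMPLE = [
    "Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: "
    "BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for "
    "krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for encryption type",
    "Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 150.163.73.78: "
    "ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 ses=23}, "
    "admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br",
    "Feb 21 11:00:00 ldap krb5kdc[5386]: AS_REQ (2 etypes {18 17}) 192.0.2.10: "
    "ISSUE: authtime 1361455200, etypes {rep=18 tkt=18 ses=18}, "
    "user@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
]

def audit(lines):
    """Return one finding per request that offered or was issued a deprecated enctype."""
    findings = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue  # not a KDC request line in the numeric format
        offered = [int(n) for n in m["req"].split()]
        issued = ISSUED.search(m["rest"])  # present only when a ticket was issued
        used = dict(zip(("rep", "tkt", "ses"), map(int, issued.groups()))) if issued else {}
        weak_offered = [ENCTYPES.get(n, str(n)) for n in offered if n in DEPRECATED]
        weak_issued = {k: ENCTYPES.get(v, str(v)) for k, v in used.items() if v in DEPRECATED}
        if weak_offered or weak_issued:
            findings.append({"client": m["client"], "status": m["status"],
                             "weak_offered": weak_offered, "weak_issued": weak_issued})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the thread's ISSUE line this reports enctype 23 (rc4-hmac) for the reply and session key and enctype 16 (des3-cbc-sha1) for the ticket itself; the AES-only constructed line produces no finding.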


Re: [Users] ovirt kerberos/ldap

2013-02-21 Thread Yair Zaslavsky

Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf



- Original Message -
 From: Eduardo Ramos edua...@freedominterface.org
 To: Yaniv Kaul yk...@redhat.com
 Cc: yzasl...@redhat.com, users@ovirt.org
 Sent: Thursday, February 21, 2013 3:43:04 PM
 Subject: Re: [Users] ovirt kerberos/ldap
 
 I got new step!
 
 I added arcfour-hmac-md5:normal into supported_enctypes and
 permitted_enctypes directives in kdc.conf.
 Then I changed password of my principal using the following:
 
 change_password -e arcfour-hmac-md5:normal admin/adimin
 
 Now, it's ok, but now I got another error that I didn't understand as
 follows:
 
 # engine-manage-domains -action=add -domain=gsr.inpe.br
 -user=admin/admin -interactive -provider=IPA
 Enter password:
 
 Error:  exception message: Checksum failed
 Failure while testing domain gsr.inpe.br. Details: Kerberos error.
 Please check log for further details.
 
 The log of kdc says:
 
 Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23})
 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16
 ses=23}, admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br
 
 And the engine-manage-domains.log says:
 2013-02-21 10:36:46,722 INFO
 [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
 kerberos
 configuration for domain(s): gsr.inpe.br
 2013-02-21 10:36:46,745 INFO
 [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
 created kerberos configuration for domain(s): gsr.inpe.br
 2013-02-21 10:36:46,745 INFO
 [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos
 configuration for domain: gsr.inpe.br
 2013-02-21 10:36:46,819 ERROR
 [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
 exception message: Checksum failed
 2013-02-21 10:36:46,822 ERROR
 [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while
 testing domain gsr.inpe.br. Details: Kerberos error. Please check log
 for further details.
 
 
 On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
  On 21/02/13 13:24, Eduardo Ramos wrote:
  Morning!
 
  That's my log entry. PCAP attached.
 
  Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
  150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for
  krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for encryption
  type
 
  You are using rc4_hmac, which is the right encryption protocol
  usually. One can disable it (using 'permitted_enctypes' directive).
 
 
  My /etc/krb5.conf
 
  This is not the krb5.conf file oVirt is using. Please search your
  system for oVirt's krb5.conf (sorry, don't have it from the top of
  my
  head).
  In any case, I'd check the IPA configuration.
  Y.
 
  [libdefaults]
default_realm = GSR.INPE.BR
allow_weak_crypto = yes
 
  default_tkt_enctypes = rc4-hmac des-cbc-md5
  default_tgs_enctypes = rc4-hmac des-cbc-md5
 
  [realms]
GSR.INPE.BR = {
master_kdc =  GSR.INPE.BR
kdc = kerberos.gsr.inpe.br
default_domain = gsr.inpe.br
}
 
  [domain_realm]
.gsr.inpe.br = GSR.INPE.BR
gsr.inpe.br = GSR.INPE.BR
 
  [logging]
 kdc = SYSLOG:INFO
 
  Does it suffice?
 
  On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
  Please provide info also on the IPA server you are using (use rpm
  -qa for that)
 
 
  - Original Message -
  From: Yaniv Kaul yk...@redhat.com
  To: Eduardo Ramos edua...@freedominterface.org
  Cc: users@ovirt.org
  Sent: Thursday, February 21, 2013 11:14:41 AM
  Subject: Re: [Users] ovirt kerberos/ldap
 
  - Original Message -
  Hi all!
 
  I'm trying to link a ldap/kerberos to my ovirt without success.
  I'm
  stuck with this:
 
  oVirt engine:
 
  # engine-manage-domains -action=add -domain=gsr.inpe.br
  -user=admin/admin -interactive -provider=IPA
  Enter password:
 
  Error:  exception message: KDC has no support for encryption
  type
  (14) -
  BAD_ENCRYPTION_TYPE
  Please snoop the connection between the engine and the IPA
  server.
  Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
  /tmp/kerb.pcap' ).
  Y.
 
  Failure while testing domain gsr.inpe.br. Details: Kerberos
  error.
  Please check log for further details.
 
  kdc log:
 
  Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
  150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for
  krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for
  encryption
  type
 
  Any suggestion?
 
 
 
 
 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


[Users] ovirt kerberos/ldap

2013-02-20 Thread Eduardo Ramos

Hi all!

I'm trying to link a ldap/kerberos to my ovirt without success. I'm 
stuck with this:


oVirt engine:

# engine-manage-domains -action=add -domain=gsr.inpe.br 
-user=admin/admin -interactive -provider=IPA

Enter password:

Error:  exception message: KDC has no support for encryption type (14) - 
BAD_ENCRYPTION_TYPE
Failure while testing domain gsr.inpe.br. Details: Kerberos error. 
Please check log for further details.


kdc log:

Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 
150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for 
krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for encryption type


Any suggestion?
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users