Re: [Users] Cannot add IPA server to ovirt
Hi,

Thanks for the responses, the kerberos SRV records solved this problem.

Thx,
Demeter Tibor

----- Original message -----
> One more piece of info - in my case ovirt-engine server is joined to my local domain. During joining procedure FreeIPA creates needed records for this server. I am not sure 100% - but I think I was successful to join ovirt-engine to FreeIPA server without joining it to FreeIPA domain. I only made needed records in FreeIPA DNS component using its web interface.
>
> Best,
> Latcho
>
> -----Original Message-----
> From: users-boun...@ovirt.org [mailto:users-boun...@ovirt.org] On Behalf Of Latchezar Filtchev
> Sent: Friday, March 28, 2014 10:58 AM
> To: René Koch; Demeter Tibor
> Cc: users@ovirt.org
> Subject: Re: [Users] Cannot add IPA server to ovirt
>
> You are right! Ovirt-engine server should be recorded in FreeIPA server.
>
> Best,
> Latcho
>
> -----Original Message-----
> From: users-boun...@ovirt.org [mailto:users-boun...@ovirt.org] On Behalf Of René Koch
> Sent: Friday, March 28, 2014 10:31 AM
> To: Demeter Tibor
> Cc: users@ovirt.org
> Subject: Re: [Users] Cannot add IPA server to ovirt
>
> On 03/28/2014 09:19 AM, Demeter Tibor wrote:
> > Hi,
> >
> > I made an IPA server for testing purposes, but I cannot add to ovirt 3.4. The IPA server seems to be working good. When I add IPA to ovirt, I get this error message:
> >
> >     [root@ovirttest etc]# engine-manage-domains add --domain=itsmart.local --user=admin --provider=ipa --ldap-servers=ldap1.itsmart.local,ldap2.itsmart.local
> >     No KDC can be obtained for domain itsmart.local
>
> I guess oVirt isn't able to find the Kerberos server due to missing SRV records?
>
> > What does this mean? Can anyone help me?
> >
> > Thanks,
> > Tibor

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
[Users] Cannot add IPA server to ovirt
Hi,

I made an IPA server for testing purposes, but I cannot add to ovirt 3.4. The IPA server seems to be working good. When I add IPA to ovirt, I get this error message:

    [root@ovirttest etc]# engine-manage-domains add --domain=itsmart.local --user=admin --provider=ipa --ldap-servers=ldap1.itsmart.local,ldap2.itsmart.local
    No KDC can be obtained for domain itsmart.local

What does this mean? Can anyone help me?

Thanks,
Tibor
Re: [Users] Cannot add IPA server to ovirt
On 03/28/2014 09:19 AM, Demeter Tibor wrote:
> Hi,
>
> I made an IPA server for testing purposes, but I cannot add to ovirt 3.4. The IPA server seems to be working good. When I add IPA to ovirt, I get this error message:
>
>     [root@ovirttest etc]# engine-manage-domains add --domain=itsmart.local --user=admin --provider=ipa --ldap-servers=ldap1.itsmart.local,ldap2.itsmart.local
>     No KDC can be obtained for domain itsmart.local

I guess oVirt isn't able to find the Kerberos server due to missing SRV records?

> What does this mean? Can anyone help me?
>
> Thanks,
> Tibor
Re: [Users] Cannot add IPA server to ovirt
KDC should stand for key distribution center which afaik means something is wrong with your kerberos setup. I don't know if it's included in IPA?

You need kerberos for authentication.

HTH

On 28.03.2014 09:19, Demeter Tibor wrote:
> Hi,
>
> I made an IPA server for testing purposes, but I cannot add to ovirt 3.4. The IPA server seems to be working good. When I add IPA to ovirt, I get this error message:
>
>     [root@ovirttest etc]# engine-manage-domains add --domain=itsmart.local --user=admin --provider=ipa --ldap-servers=ldap1.itsmart.local,ldap2.itsmart.local
>     No KDC can be obtained for domain itsmart.local
>
> What does this mean? Can anyone help me?
>
> Thanks,
> Tibor

--
Kind regards

Sven Kieske
System Administrator
Mittwald CM Service GmbH Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing Director: Robert Meyer
Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, District Court Bad Oeynhausen
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, District Court Bad Oeynhausen
Re: [Users] Cannot add IPA server to ovirt
Hi,

this error message means that engine-manage-domains cannot find any KDC (kerberos domain controller) servers registered for your domain. To verify this could you please execute:

    dig _kerberos._tcp.itsmart.local SRV

If your domain is configured correctly (including kerberos support) the output should look similar to (assuming you have configured two kerberos servers: krb1.itsmart.local and krb2.itsmart.local):

    _kerberos._tcp.itsmart.local. 3600 IN SRV 10 0 88 krb1.itsmart.local
    _kerberos._tcp.itsmart.local. 3600 IN SRV 10 0 88 krb2.itsmart.local

Thanks

Martin Perina

----- Original Message -----
> From: Demeter Tibor tdeme...@itsmart.hu
> To: users@ovirt.org
> Sent: Friday, March 28, 2014 9:19:53 AM
> Subject: [Users] Cannot add IPA server to ovirt
>
> Hi,
>
> I made an IPA server for testing purposes, but I cannot add to ovirt 3.4. The IPA server seems to be working good. When I add IPA to ovirt, I get this error message:
>
>     [root@ovirttest etc]# engine-manage-domains add --domain=itsmart.local --user=admin --provider=ipa --ldap-servers=ldap1.itsmart.local,ldap2.itsmart.local
>     No KDC can be obtained for domain itsmart.local
>
> What does this mean? Can anyone help me?
>
> Thanks,
> Tibor
Re: [Users] Cannot add IPA server to ovirt
On Fri, Mar 28, 2014 at 9:44 AM, Martin Perina mper...@redhat.com wrote:
> Hi,
>
> this error message means that engine-manage-domains cannot find any KDC (kerberos domain controller) servers registered for your domain. To verify this could you please execute:
>
>     dig _kerberos._tcp.itsmart.local SRV
>
> If your domain is configured correctly (including kerberos support) the output should look similar to (assuming you have configured two kerberos servers: krb1.itsmart.local and krb2.itsmart.local):
>
>     _kerberos._tcp.itsmart.local. 3600 IN SRV 10 0 88 krb1.itsmart.local
>     _kerberos._tcp.itsmart.local. 3600 IN SRV 10 0 88 krb2.itsmart.local
>
> Thanks
>
> Martin Perina
>
> ----- Original Message -----
> > From: Demeter Tibor tdeme...@itsmart.hu
> > To: users@ovirt.org
> > Sent: Friday, March 28, 2014 9:19:53 AM
> > Subject: [Users] Cannot add IPA server to ovirt
> >
> > Hi,
> >
> > I made an IPA server for testing purposes, but I cannot add to ovirt 3.4. The IPA server seems to be working good. When I add IPA to ovirt, I get this error message:
> >
> >     [root@ovirttest etc]# engine-manage-domains add --domain=itsmart.local --user=admin --provider=ipa --ldap-servers=ldap1.itsmart.local,ldap2.itsmart.local
> >     No KDC can be obtained for domain itsmart.local
> >
> > What does this mean? Can anyone help me?
> >
> > Thanks,
> > Tibor

Based on previous documents I read (I don't remember the link now) and the fact I'm using bind on CentOS 6.4 for DNS, I set this in my /var/named/data/forward.zone file (infra is my dns server and localdomain.local is my domain name):

    ; ldap servers
    _ldap._tcp              IN SRV 0 100 389 infra
    ; kerberos realm
    _kerberos               IN TXT LOCALDOMAIN.LOCAL
    ; kerberos servers
    _kerberos._tcp          IN SRV 0 100 88  infra
    _kerberos._udp          IN SRV 0 100 88  infra
    _kerberos-master._tcp   IN SRV 0 100 88  infra
    _kerberos-master._udp   IN SRV 0 100 88  infra
    _kpasswd._tcp           IN SRV 0 100 464 infra
    _kpasswd._udp           IN SRV 0 100 464 infra
    ; ntp server
    _ntp._udp               IN SRV 0 100 123 infra

HIH,
Gianluca
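
Added example, not part of any message in this thread: a shell check that combines the dig test suggested by Martin Perina with the record set from Gianluca's zone file, validating each SRV answer instead of only eyeballing it. The function names, the REQUIRED list and the sample answer are assumptions made for this example; the sample is constructed, not captured output.

```shell
#!/bin/sh
# Added example: validate the DNS SRV answers a Kerberos client relies on.
# name:port pairs taken from the dig check and the zone file in this thread.
REQUIRED="_kerberos._tcp:88 _kerberos._udp:88 _kpasswd._tcp:464 _kpasswd._udp:464 _ldap._tcp:389"

# validate_srv PORT
# Reads `dig +short NAME SRV` output on stdin, one record per line in the form
# "priority weight port target". Prints each target and returns 0 only when at
# least one record is present and every record is well formed, uses PORT, and
# does not have "." as target (which means "service not offered", RFC 2782).
validate_srv() {
    awk -v want="$1" '
        NF == 0 { next }
        NF != 4 || $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ || $3 != want || $4 == "." { bad = 1; next }
        { print $4; n++ }
        END { exit ((bad || n == 0) ? 1 : 0) }'
}

# audit_domain DOMAIN [DNS_SERVER]
# Live check: needs dig and network access to the resolver.
audit_domain() {
    domain=$1
    server=${2:+@$2}
    rc=0
    for entry in $REQUIRED; do
        name=${entry%%:*}
        port=${entry##*:}
        if dig +short $server "$name.$domain" SRV | validate_srv "$port" >/dev/null; then
            echo "OK       $name.$domain"
        else
            echo "MISSING  $name.$domain (expected port $port)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample answer (not real output) for an offline run.
SAMPLE_OK='10 0 88 krb1.itsmart.local.
10 0 88 krb2.itsmart.local.'

if [ -n "${1:-}" ]; then
    audit_domain "$@"
else
    printf '%s\n' "$SAMPLE_OK" | validate_srv 88
fi
```

Run with a domain as first argument (and optionally the DNS server to query) for the live check; without arguments it only validates the constructed sample.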
Re: [Users] Cannot add IPA server to ovirt
Dear Demeter Tibor,

My ovirt 3.3 was successfully connected to FreeIPA server. Yesterday updated to ovirt 3.4. It works. My FreeIPA server is installed on 32-bit Fedora 19. Ovirt engine and virtualization nodes are CentOS 6.5.

As far as I remember I was able to connect ovirt:

1. without using --ldap-servers=
2. –user=admin@mydoman.local
3. You can use –interactive to be asked for your FreeIPA server admin password.

Hope this helps.

Best,
Latcho

From: users-boun...@ovirt.org [mailto:users-boun...@ovirt.org] On Behalf Of Demeter Tibor
Sent: Friday, March 28, 2014 10:20 AM
To: users@ovirt.org
Subject: [Users] Cannot add IPA server to ovirt

Hi,

I made an IPA server for testing purposes, but I cannot add to ovirt 3.4. The IPA server seems to be working good. When I add IPA to ovirt, I get this error message:

    [root@ovirttest etc]# engine-manage-domains add --domain=itsmart.local --user=admin --provider=ipa --ldap-servers=ldap1.itsmart.local,ldap2.itsmart.local
    No KDC can be obtained for domain itsmart.local

What does this mean? Can anyone help me?

Thanks,
Tibor
Re: [Users] Cannot add IPA server to ovirt
You are right! Ovirt-engine server should be recorded in FreeIPA server.

Best,
Latcho

-----Original Message-----
From: users-boun...@ovirt.org [mailto:users-boun...@ovirt.org] On Behalf Of René Koch
Sent: Friday, March 28, 2014 10:31 AM
To: Demeter Tibor
Cc: users@ovirt.org
Subject: Re: [Users] Cannot add IPA server to ovirt

On 03/28/2014 09:19 AM, Demeter Tibor wrote:
> Hi,
>
> I made an IPA server for testing purposes, but I cannot add to ovirt 3.4. The IPA server seems to be working good. When I add IPA to ovirt, I get this error message:
>
>     [root@ovirttest etc]# engine-manage-domains add --domain=itsmart.local --user=admin --provider=ipa --ldap-servers=ldap1.itsmart.local,ldap2.itsmart.local
>     No KDC can be obtained for domain itsmart.local

I guess oVirt isn't able to find the Kerberos server due to missing SRV records?

> What does this mean? Can anyone help me?
>
> Thanks,
> Tibor
Re: [Users] Cannot add IPA server to ovirt
One more piece of info - in my case ovirt-engine server is joined to my local domain. During joining procedure FreeIPA creates needed records for this server. I am not sure 100% - but I think I was successful to join ovirt-engine to FreeIPA server without joining it to FreeIPA domain. I only made needed records in FreeIPA DNS component using its web interface.

Best,
Latcho

-----Original Message-----
From: users-boun...@ovirt.org [mailto:users-boun...@ovirt.org] On Behalf Of Latchezar Filtchev
Sent: Friday, March 28, 2014 10:58 AM
To: René Koch; Demeter Tibor
Cc: users@ovirt.org
Subject: Re: [Users] Cannot add IPA server to ovirt

You are right! Ovirt-engine server should be recorded in FreeIPA server.

Best,
Latcho

-----Original Message-----
From: users-boun...@ovirt.org [mailto:users-boun...@ovirt.org] On Behalf Of René Koch
Sent: Friday, March 28, 2014 10:31 AM
To: Demeter Tibor
Cc: users@ovirt.org
Subject: Re: [Users] Cannot add IPA server to ovirt

On 03/28/2014 09:19 AM, Demeter Tibor wrote:
> Hi,
>
> I made an IPA server for testing purposes, but I cannot add to ovirt 3.4. The IPA server seems to be working good. When I add IPA to ovirt, I get this error message:
>
>     [root@ovirttest etc]# engine-manage-domains add --domain=itsmart.local --user=admin --provider=ipa --ldap-servers=ldap1.itsmart.local,ldap2.itsmart.local
>     No KDC can be obtained for domain itsmart.local

I guess oVirt isn't able to find the Kerberos server due to missing SRV records?

> What does this mean? Can anyone help me?
>
> Thanks,
> Tibor
Re: [Users] Cannot add IPA server to ovirt
----- Original Message -----
> From: René Koch rk...@linuxland.at
> To: Demeter Tibor tdeme...@itsmart.hu
> Cc: users@ovirt.org
> Sent: Friday, March 28, 2014 11:30:44 AM
> Subject: Re: [Users] Cannot add IPA server to ovirt
>
> On 03/28/2014 09:19 AM, Demeter Tibor wrote:
> > Hi,
> >
> > I made an IPA server for testing purposes, but I cannot add to ovirt 3.4. The IPA server seems to be working good. When I add IPA to ovirt, I get this error message:
> >
> >     [root@ovirttest etc]# engine-manage-domains add --domain=itsmart.local --user=admin --provider=ipa --ldap-servers=ldap1.itsmart.local,ldap2.itsmart.local
> >     No KDC can be obtained for domain itsmart.local
>
> I guess oVirt isn't able to find the Kerberos server due to missing SRV records?

Seems to me this is the reason. Please check by

    dig SRV _kerberos._tcp.itsmart.local

> > What does this mean? Can anyone help me?
> >
> > Thanks,
> > Tibor