Re: [Users] Problem adding an IPA server to oVirt
On 01/22/2014 10:06 AM, Sven Kieske wrote:
> Hi,
>
> just a little OT:
> I think it would be awesome if known issues would be documented
> somewhere else, not just in source code.

It's not documented in code - it's a specific check for this specific error case to give a detailed error feedback to the admin.

> On 21.01.2014 12:49, Juan Hernandez wrote:
>> I think the problem is that your LDAP server is configured with a
>> minimum security strength factor that triggers a bug in the Kerberos
>> support in the Java virtual machine. This is a known issue. See here
>> for details:
>>
>> http://gerrit.ovirt.org/21505

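
The kind of targeted check the reply above describes, sketched in Python as an added example; it is not oVirt's code and not part of the thread. The signature frames come from the stack trace posted in this thread, while the function names, the SIGNATURE tuple and the message wording are assumptions.

```python
import re

# Constructed sample: the innermost frames of the trace posted in this
# thread, laid out one frame per line as the JVM prints them.
SAMPLE_TRACE = """\
General error has occurednull
java.lang.NegativeArraySizeException
    at sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
    at sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
    at sun.security.jgss.krb5.WrapToken_v2.init(WrapToken_v2.java:200)
    at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:861)
    at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
    at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:104)
    at com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:430)
"""

# "at pkg.Class.method(File.java:123)"; also matches when an archive has
# flattened the whole trace onto one line.
FRAME_RE = re.compile(r"\bat\s+([\w.$<>]+)\(([^()]*)\)")
EXC_RE = re.compile(r"\b((?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error))\b")

# Hypothetical signature for this failure: prefixes that must appear in this
# order, innermost frame first, under a NegativeArraySizeException.
SIGNATURE = (
    "sun.security.jgss.krb5.CipherHelper.",            # Kerberos encryption
    "com.sun.security.sasl.gsskerb.GssKrb5Base.wrap",  # SASL/GSSAPI wrap
    "com.sun.jndi.ldap.",                              # JNDI LDAP client
)


def parse_trace(text):
    """Return (exception class or None, [qualified methods, innermost first])."""
    first = FRAME_RE.search(text)
    head = text[: first.start()] if first else text
    names = EXC_RE.findall(head)
    frames = [m.group(1) for m in FRAME_RE.finditer(text)]
    return (names[-1] if names else None), frames


def is_gssapi_wrap_bug(text):
    """True only for the exception type plus the ordered frame signature."""
    exc, frames = parse_trace(text)
    if exc != "java.lang.NegativeArraySizeException":
        return False
    remaining = iter(frames)  # shared iterator enforces the frame order
    return all(any(f.startswith(p) for f in remaining) for p in SIGNATURE)


def explain(text):
    """Turn a raw trace into feedback an administrator can act on."""
    if is_gssapi_wrap_bug(text):
        return ("LDAP search failed inside Kerberos/GSSAPI message wrapping "
                "(known JVM issue). Check the LDAP server's minimum security "
                "strength factor; see http://gerrit.ovirt.org/21505")
    exc, _ = parse_trace(text)
    return "Unrecognised failure: %s" % (exc or "no exception found")
```

Matching on the exception type together with the ordered frames keeps the check from firing on an unrelated NegativeArraySizeException elsewhere in the engine.
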
Re: [Users] Problem adding an IPA server to oVirt
Hi,

just a little OT:
I think it would be awesome if known issues would be documented somewhere else, not just in source code.

On 21.01.2014 12:49, Juan Hernandez wrote:
> I think the problem is that your LDAP server is configured with a
> minimum security strength factor that triggers a bug in the Kerberos
> support in the Java virtual machine. This is a known issue. See here
> for details:
>
> http://gerrit.ovirt.org/21505

--
Kind regards
Sven Kieske
System administrator
Mittwald CM Service GmbH & Co. KG

Re: [Users] Problem adding an IPA server to oVirt
On 20/01/14 17:33 -0500, Yair Zaslavsky wrote:
> Hi Adam,
> Looks like you have problems in running the Root DSE query.
> I would like you to try and troubleshoot by comparing this to the execution of -
>
> ldapsearch -x -h YOUR_IPA_SERVER_IP_ADDRESS -s base

Thanks for taking a look. Here is the result:

[alitke:~] $ ldapsearch -x -h 192.168.2.106 -s base
# extended LDIF
#
# LDAPv3
# base dc=alitke,dc=net (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# alitke.net
dn: dc=alitke,dc=net
objectClass: top
objectClass: domain
objectClass: pilotObject
objectClass: domainRelatedObject
objectClass: nisDomainObject
dc: alitke
info: IPA V2.0
nisDomain: alitke.net
associatedDomain: alitke.net

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Re: [Users] Problem adding an IPA server to oVirt
On 21/01/14 12:49 +0100, Juan Hernandez wrote:
> On 01/20/2014 11:33 PM, Yair Zaslavsky wrote:
>> Hi Adam,
>> Looks like you have problems in running the Root DSE query.
>> I would like you to try and troubleshoot by comparing this to the execution of -
>>
>> ldapsearch -x -h YOUR_IPA_SERVER_IP_ADDRESS -s base
>
> I think the problem is that your LDAP server is configured with a
> minimum security strength factor that triggers a bug in the Kerberos
> support in the Java virtual machine. This is a known issue. See here
> for details:
>
> http://gerrit.ovirt.org/21505

Thanks. Does this affect openIPA as well?

Re: [Users] Problem adding an IPA server to oVirt
On 01/21/2014 02:26 PM, Adam Litke wrote:
> On 21/01/14 12:49 +0100, Juan Hernandez wrote:
>> I think the problem is that your LDAP server is configured with a
>> minimum security strength factor that triggers a bug in the Kerberos
>> support in the Java virtual machine. This is a known issue. See here
>> for details:
>>
>> http://gerrit.ovirt.org/21505
>
> Thanks. Does this affect openIPA as well?

I guess you mean FreeIPA. Yes, it affects any LDAP server that sets minssf to 0 by default, including the 389-ds used by FreeIPA.

[Users] Problem adding an IPA server to oVirt
Hi,

I am trying to set up an oVirt environment with an IPA provider and am hitting a GeneralException that I am unsure how to debug.

I have configured freeIPA in a Fedora VM using the supplied configuration script and I can 'kinit admin' from the ovirt-engine machine. When I run the manage-domains command I get the following exception:

I didn't realize it, but I had to add _kerberos srv records to my dnsmasq.conf in order for the script to even find my KDC.

./engine-manage-domains -action=add -provider=IPA -domain=alitke.net -user=admin -interactive -ldapServers=directory.alitke.net
Enter password:
General error has occurednull
java.lang.NegativeArraySizeException
    at sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
    at sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
    at sun.security.jgss.krb5.WrapToken_v2.init(WrapToken_v2.java:200)
    at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:861)
    at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
    at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:104)
    at com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:430)
    at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555)
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
    at org.ovirt.engine.core.ldap.RootDSEData.init(RootDSEData.java:52)
    at org.ovirt.engine.core.utils.kerberos.JndiAction.getDomainDN(JndiAction.java:254)
    at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:87)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:356)
    at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
    at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:150)
    at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:135)
    at org.ovirt.engine.core.domains.ManageDomains.checkKerberosConfiguration(ManageDomains.java:739)
    at org.ovirt.engine.core.domains.ManageDomains.testConfiguration(ManageDomains.java:909)
    at org.ovirt.engine.core.domains.ManageDomains.addDomain(ManageDomains.java:531)
    at org.ovirt.engine.core.domains.ManageDomains.runCommand(ManageDomains.java:308)
    at org.ovirt.engine.core.domains.ManageDomains.main(ManageDomains.java:205)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.jboss.modules.Module.run(Module.java:260)
    at org.jboss.modules.Main.main(Main.java:291)
Failure while testing domain %1$s. Details: %2$s: One of the parameters for this error is null and no default message to show

Any thoughts on what might be going wrong?

Re: [Users] Problem adding an IPA server to oVirt
Hi Adam,
Looks like you have problems in running the Root DSE query.
I would like you to try and troubleshoot by comparing this to the execution of -

ldapsearch -x -h YOUR_IPA_SERVER_IP_ADDRESS -s base