----- Original Message -----
> From: "Nathan Stratton" <[email protected]>
> To: "Yaniv Kaul" <[email protected]>
> Cc: "Oved Ourfalli" <[email protected]>, [email protected]
> Sent: Thursday, February 23, 2012 7:38:42 PM
> Subject: Re: [Users] LDAP
> 
> On Thu, 23 Feb 2012, Yaniv Kaul wrote:
> 
> > LDAP cannot be 'just used'. It needs to be connected to (we use Kerberos,
> > many use SSL/TLS) and it needs the correct schema configuration.
> > FreeIPA uses Kerberos and LDAP.
> 
> True, but I use LDAP to auth a bunch of boxes on a private network and
> that seems to work fine. Anyway... Still trying to get this to work. I now
> have freeipa installed with a user setup. I am able to kinit that user and
> everything works fine however I get the following error:
> 
> [root@ovirt-engine log]# engine-manage-domains -action=add -domain=blinkmind.net -user=nathan -passwordFile=/etc/shadow -interactive
> Error:  exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
> Failure while testing domain blinkmind.net. Details: Kerberos error.
> Please check log for further details.
> 
IIRC, we only support using -interactive or using -passwordFile, and not both.
The fact that you don't get a warning on that is a bug.

Found this blog with a similar error that is caused by password expiration
(in the engine log, and not while running the manage domains utility, but that
might also help):
http://blog.rtfm.co.hu/2012/02/rhev-error-from-kerberos-integrity-check-on-decrypted-field-failed/

But the information there doesn't go very well with the fact that kinit is 
successful.
Is the file containing the correct password? Try using only -interactive, and 
enter the password interactively.
Also, attaching the log of the utility might be helpful.
Also, try logging in with that user to the IPA machine, that way you'll know if
you need to change your password (I saw that sometimes kinit doesn't ask you
to change the password, but logging in does).

Hope it helps,
Oved

> 
> ><>
> Nathan Stratton                                CTO, BlinkMind, Inc.
> nathan at robotics.net                         nathan at blinkmind.com
> http://www.robotics.net                        http://www.blinkmind.com
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.ovirt.org/mailman/listinfo/users
> 