----- Original Message -----
> From: "Nathan Stratton" <[email protected]>
> To: "Oved Ourfalli" <[email protected]>
> Cc: [email protected], "Yaniv Kaul" <[email protected]>
> Sent: Thursday, February 23, 2012 8:13:33 PM
> Subject: Re: [Users] LDAP
>
> On Thu, 23 Feb 2012, Oved Ourfalli wrote:
>
> > IIRC, we only support using -interactive or using -passwordFile,
> > and not both.
> > The fact that you don't get a warning on that is a bug.
>
> :) Oops.
>
> > Found this blog with a similar error that is caused due to password
> > expiration (in the engine log, and not while running the manage
> > domains utility, but that might also help):
> > http://blog.rtfm.co.hu/2012/02/rhev-error-from-kerberos-integrity-check-on-decrypted-field-failed/
> >
> > But the information there doesn't go very well with the fact that
> > kinit is successful.
>
> Ya, I saw that also, (been doing a lot of googling), but:
>
> -bash-4.2# kinit nathan
> Password for [email protected]:
> -bash-4.2# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting       Expires              Service principal
> 02/23/12 12:07:21    02/24/12 12:07:16    krbtgt/[email protected]
>         renew until 03/01/12 12:07:16
>
> > Is the file containing the correct password? Try using only
> > -interactive, and enter the password interactively.
>
> Yep, the password is correct, I get the same error no matter what password
> I use. However when I try with -interactive I get more debug info (see
> below).
>
> > Also, attaching the log of the utility might be helpful.
>
> How would I get that? I don't see anything anywhere in /var/log/*
>

It should be in /var/log/ovirt-engine/engine-manage-domains/engine-manage-domains.log (or in /var/log/engine/engine-manage-domains/engine-manage-domains.log... not sure).

> > Also, try logging in with that user to the IPA machine, that way
> > you'll know if you need to change your password (I saw that
> > sometimes kinit doesn't ask you to change the password, but
> > logging in does).
>
> Yep, that works fine. If I do it with -interactive I get the errors below.
> It seems to have an issue with DNS, but yet it is pulling the two SRV
> records AND hitting the right servers. Also both ovirt-engine and
> ipa-master have forward and reverse dns and proper /etc/hosts files.
>
> -bash-4.2# engine-manage-domains -action=add -domain=blinkmind.net -user=nathan -interactive
> Enter password:
>
> javax.naming.AuthenticationException: GSSAPI [Root exception is
> javax.security.sasl.SaslException: GSS initiate failed [Caused by
> GSSException: No valid credentials provided (Mechanism level: Server not
> found in Kerberos database (7) - UNKNOWN_SERVER)]]
>     at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:168)
>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:232)
>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
>     at javax.naming.InitialContext.init(InitialContext.java:240)
>     at javax.naming.InitialContext.<init>(InitialContext.java:214)
>     at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
>     at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:357)
>     at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
>     at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:154)
>     at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:140)
>     at org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:563)
>     at org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:709)
>     at org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:404)
>     at org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:235)
>     at org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:163)
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused
> by GSSException: No valid credentials provided (Mechanism level: Server
> not found in Kerberos database (7) - UNKNOWN_SERVER)]
>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
>     at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:123)
>     ... 23 more
> Caused by: GSSException: No valid credentials provided (Mechanism level:
> Server not found in Kerberos database (7) - UNKNOWN_SERVER)
>     at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
>     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
>     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
>     ... 24 more
> Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
>     at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:72)
>     at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:193)
>     at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:205)
>     at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
>     at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
>     at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555)
>     at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
>     ... 27 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
>     at sun.security.krb5.internal.KDCRep.init(KDCRep.java:144)
>     at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
>     at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
>     at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:54)
>     ... 33 more
> Error: LDAP query Failed. Error in DNS configuration. Please verify the
> oVirt Engine host has a valid reverse DNS (PTR) record.
> Failure while testing domain blinkmind.net. Details: No user information
> was found for user

Please try doing "dig -x <ip address of IPA server>"
Look at the answer section, to make sure it shows a PTR record of it:

dig -x 1.2.3.4
...
...
...
;; ANSWER SECTION:
4.3.2.1.in-addr.arpa.   84063   IN      PTR     my_server.my_domain.
...
...
...

>
> -bash-4.2# nslookup ipa-master.blinkmind.net
> Server:         10.10.0.10
> Address:        10.10.0.10#53
>
> Name:   ipa-master.blinkmind.net
> Address: 10.13.0.105
>
> -bash-4.2# nslookup 10.13.0.105
> Server:         10.10.0.10
> Address:        10.10.0.10#53
>
> 105.0.13.10.in-addr.arpa        name = ipa-master.blinkmind.net.
>
> -bash-4.2# nslookup ovirt-engine.blinkmind.net
> Server:         10.10.0.10
> Address:        10.10.0.10#53
>
> Name:   ovirt-engine.blinkmind.net
> Address: 10.13.0.245
>
> -bash-4.2# nslookup 10.13.0.245
> Server:         10.10.0.10
> Address:        10.10.0.10#53
>
> 245.0.13.10.in-addr.arpa        name = ovirt-engine.blinkmind.net.
>

_______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users

