On 02/23/2012 08:26 PM, Oved Ourfalli wrote:
>
>
> ----- Original Message -----
>> From: "Nathan Stratton" <nat...@robotics.net>
>> To: "Oved Ourfalli" <ov...@redhat.com>
>> Cc: users@ovirt.org, "Yaniv Kaul" <yk...@redhat.com>
>> Sent: Thursday, February 23, 2012 8:13:33 PM
>> Subject: Re: [Users] LDAP
>>
>> On Thu, 23 Feb 2012, Oved Ourfalli wrote:
>>
>>> IIRC, we only support using -interactive or using -passwordFile,
>>> and not both.
>>> The fact that you don't get a warning on that is a bug.
>>
>> :) Oops.
>>
>>> Found this blog with a similar error that is caused due to password
>>> expiration (in the engine log, and not while running the manage
>>> domains utility, but that might also help):
>>> http://blog.rtfm.co.hu/2012/02/rhev-error-from-kerberos-integrity-check-on-decrypted-field-failed/
>>>
>>> But the information there doesn't go very well with the fact that
>>> kinit is successful.
>>
>> Ya, I saw that also, (been doing a lot of googling), but:
>>
>> -bash-4.2# kinit nathan
>> Password for nat...@blinkmind.net:
>> -bash-4.2# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: nat...@blinkmind.net
>>
>> Valid starting     Expires            Service principal
>> 02/23/12 12:07:21  02/24/12 12:07:16  krbtgt/blinkmind....@blinkmind.net
>>         renew until 03/01/12 12:07:16
>>
>>
>>> Is the file containing the correct password? Try using only
>>> -interactive, and enter the password interactively.
>>
>> Yep, the password is correct, I get the same error no matter what password
>> I use. However when I try with -interactive I get more debug info (see
>> below).
>>
>>> Also, attaching the log of the utility might be helpful.
>>
>> How would I get that? I don't see anything anywhere in /var/log/*
>>
>
> It should be in
> /var/log/ovirt-engine/engine-manage-domains/engine-manage-domains.log
> (or in /var/log/engine/engine-manage-domains/engine-manage-domains.log... not
> sure).
>
>>> Also, try logging in with that user to the IPA machine, that way
>>> you'll know if you need to change your password (I saw that
>>> sometimes kinit doesn't ask you to change the password, but
>>> logging in does).
>>
>> Yep, that works fine. If I do it with -interactive I get the errors below.
>> It seems to have an issue with DNS, but yet it is pulling the two SRV
>> records AND hitting the right servers. Also both ovirt-engine and
>> ipa-master have forward and reverse dns and proper /etc/hosts files.
>>
>> -bash-4.2# engine-manage-domains -action=add -domain=blinkmind.net -user=nathan -interactive
>> Enter password:
>>
>> javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]]
>>         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:168)
>>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:232)
>>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
>>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
>>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
>>         at javax.naming.InitialContext.init(InitialContext.java:240)
>>         at javax.naming.InitialContext.<init>(InitialContext.java:214)
>>         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
>>         at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at javax.security.auth.Subject.doAs(Subject.java:357)
>>         at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
>>         at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:154)
>>         at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:140)
>>         at org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:563)
>>         at org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:709)
>>         at org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:404)
>>         at org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:235)
>>         at org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:163)
>> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]

Not sure if help is still needed in this issue (krb error code 7) - from my experience, this usually happened when DNS was not configured correctly - IMHO - you need to configure a reverse PTR record to the machine that runs engine-core.
In addition, make sure that ldap and krb have proper DNS srv records.
Oved - do we have a wiki (upstream) explaining these DNS issues?

>>         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
>>         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:123)
>>         ... 23 more
>> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
>>         at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:679)
>>         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
>>         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180)
>>         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
>>         ... 24 more
>> Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
>>         at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:72)
>>         at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:193)
>>         at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:205)
>>         at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:297)
>>         at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:114)
>>         at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:555)
>>         at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:610)
>>         ... 27 more
>> Caused by: KrbException: Identifier doesn't match expected value (906)
>>         at sun.security.krb5.internal.KDCRep.init(KDCRep.java:144)
>>         at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
>>         at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
>>         at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:54)
>>         ... 33 more
>> Error: LDAP query Failed. Error in DNS configuration. Please verify the oVirt Engine host has a valid reverse DNS (PTR) record.
>> Failure while testing domain blinkmind.net. Details: No user information was found for user
>>
>
> Please try doing
> "dig -x <ip address of IPA server>"
>
> Look at the answer section, to make sure it shows a PTR record of it:
> dig -x 1.2.3.4
> ...
> ...
> ...
> ;; ANSWER SECTION:
> 4.3.2.1.in-addr.arpa.   84063   IN   PTR   my_server.my_domain.
> ...
> ...
> ...
>>
>>
>>
>> -bash-4.2# nslookup ipa-master.blinkmind.net
>> Server:         10.10.0.10
>> Address:        10.10.0.10#53
>>
>> Name:   ipa-master.blinkmind.net
>> Address: 10.13.0.105
>>
>> -bash-4.2# nslookup 10.13.0.105
>> Server:         10.10.0.10
>> Address:        10.10.0.10#53
>>
>> 105.0.13.10.in-addr.arpa        name = ipa-master.blinkmind.net.
>>
>> -bash-4.2# nslookup ovirt-engine.blinkmind.net
>> Server:         10.10.0.10
>> Address:        10.10.0.10#53
>>
>> Name:   ovirt-engine.blinkmind.net
>> Address: 10.13.0.245
>>
>> -bash-4.2# nslookup 10.13.0.245
>> Server:         10.10.0.10
>> Address:        10.10.0.10#53
>>
>> 245.0.13.10.in-addr.arpa        name = ovirt-engine.blinkmind.net.
>>
>>
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
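An added example, not from the thread or the oVirt project: a Python check for the DNS preconditions the reply above lists, that is forward/reverse agreement for the engine and IPA hosts and the presence of the LDAP and Kerberos SRV records. It runs against a constructed snapshot of the nslookup answers quoted in the thread; the two SRV entries, and the `make_lookup`/`check_host`/`check_domain` helpers, are assumptions, and for a live run you would pass a lookup backed by a real resolver (e.g. dnspython) instead of the snapshot.

```python
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]
# Constructed snapshot of the nslookup answers shown in the thread, plus assumed
# SRV entries (the thread says two SRV records come back but does not list them).
DNS_SNAPSHOT: Dict[Tuple[str, str], List[str]] = {
    ("A", "ipa-master.blinkmind.net"): ["10.13.0.105"],
    ("PTR", "10.13.0.105"): ["ipa-master.blinkmind.net"],
    ("A", "ovirt-engine.blinkmind.net"): ["10.13.0.245"],
    ("PTR", "10.13.0.245"): ["ovirt-engine.blinkmind.net"],
    ("SRV", "_ldap._tcp.blinkmind.net"): ["ipa-master.blinkmind.net"],
    ("SRV", "_kerberos._udp.blinkmind.net"): ["ipa-master.blinkmind.net"],
}

def make_lookup(table: Dict[Tuple[str, str], List[str]]) -> Lookup:
    """Offline resolver over a snapshot table; an empty list stands for NXDOMAIN."""
    return lambda rtype, name: table.get((rtype, name.rstrip(".")), [])

def check_host(host: str, lookup: Lookup) -> List[str]:
    """Forward/reverse consistency for one host; returns problems (empty = OK).
    Kerberos clients commonly canonicalise the server name via DNS before building
    the principal ldap/<name>@REALM, so a wrong PTR gives error 7, UNKNOWN_SERVER."""
    addrs = lookup("A", host)
    if not addrs:
        return [f"{host}: no A record"]
    problems = []
    for addr in addrs:
        ptr = lookup("PTR", addr)
        if not ptr:
            problems.append(f"{host}: {addr} has no PTR record")
        elif ptr[0].rstrip(".").lower() != host.lower():
            problems.append(f"{host}: {addr} reverse-resolves to {ptr[0]}")
    return problems

def check_domain(domain: str, engine_host: str, lookup: Lookup) -> List[str]:
    """Check the engine host and every LDAP/Kerberos SRV target for consistent DNS."""
    problems = check_host(engine_host, lookup)
    for srv in (f"_ldap._tcp.{domain}", f"_kerberos._udp.{domain}"):
        targets = lookup("SRV", srv)
        if not targets:
            problems.append(f"{srv}: no SRV record")
        for target in targets:
            problems.extend(check_host(target, lookup))
    return problems

if __name__ == "__main__":
    report = check_domain("blinkmind.net", "ovirt-engine.blinkmind.net",
                          make_lookup(DNS_SNAPSHOT))
    print("\n".join(report) or "DNS looks consistent")
```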