----- Original Message -----
> From: "Eduardo Ramos" <edua...@freedominterface.org>
> To: users@ovirt.org
> Sent: Tuesday, February 26, 2013 9:26:42 PM
> Subject: Re: [Users] ovirt kerberos/ldap
>
> Has anyone faced that?
>
> On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:
> > Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
> >
> > ----- Original Message -----
> >> From: "Eduardo Ramos" <edua...@freedominterface.org>
> >> To: "Yaniv Kaul" <yk...@redhat.com>
> >> Cc: yzasl...@redhat.com, users@ovirt.org
> >> Sent: Thursday, February 21, 2013 3:43:04 PM
> >> Subject: Re: [Users] ovirt kerberos/ldap
> >>
> >> I got new step!
> >>
> >> I added arcfour-hmac-md5:normal into supported_enctypes and
> >> permitted_enctypes directives in kdc.conf.
> >> Then I changed password of my principal using the following:
> >>
> >> change_password -e arcfour-hmac-md5:normal admin/adimin

Is "adimin" a typo here?
Can I ask why your user name appears like that, with a "/" in it?
Can you try to create a user - let's say "myadmin" - without the "/"?

> >>
> >> Now, it's ok, but now I got another error that I didn't understand as follows:
> >>
> >> # engine-manage-domains -action=add -domain=gsr.inpe.br -user=admin/admin -interactive -provider=IPA
> >> Enter password:
> >>
> >> Error: exception message: Checksum failed
> >> Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.
> >>
> >> The log of kdc says:
> >>
> >> Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 ses=23}, admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br
> >>
> >> And the engine-manage-domains.log says:
> >> 2013-02-21 10:36:46,722 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): gsr.inpe.br
> >> 2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): gsr.inpe.br
> >> 2013-02-21 10:36:46,745 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: gsr.inpe.br
> >> 2013-02-21 10:36:46,819 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Checksum failed
> >> 2013-02-21 10:36:46,822 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.
> >>
> >> On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
> >>> On 21/02/13 13:24, Eduardo Ramos wrote:
> >>>> Morning!
> >>>>
> >>>> That's my log entry. PCAP attached.
> >>>>
> >>>> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for encryption type
> >>> You are using rc4_hmac, which is the right encryption protocol
> >>> usually. One can disable it (using 'permitted_enctypes' directive).
> >>>
> >>>> My /etc/krb5.conf
> >>> This is not the krb5.conf file oVirt is using. Please search your
> >>> system for oVirt's krb5.conf (sorry, don't have it from the top of my head).
> >>> In any case, I'd check the IPA configuration.
> >>> Y.
> >>>
> >>>> [libdefaults]
> >>>> default_realm = GSR.INPE.BR
> >>>> allow_weak_crypto = yes
> >>>>
> >>>> default_tkt_enctypes = rc4-hmac des-cbc-md5
> >>>> default_tgs_enctypes = rc4-hmac des-cbc-md5
> >>>>
> >>>> [realms]
> >>>> GSR.INPE.BR = {
> >>>>     master_kdc = GSR.INPE.BR
> >>>>     kdc = kerberos.gsr.inpe.br
> >>>>     default_domain = gsr.inpe.br
> >>>> }
> >>>>
> >>>> [domain_realm]
> >>>> .gsr.inpe.br = GSR.INPE.BR
> >>>> gsr.inpe.br = GSR.INPE.BR
> >>>>
> >>>> [logging]
> >>>> kdc = SYSLOG:INFO
> >>>>
> >>>> Does it suffice?
> >>>>
> >>>> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
> >>>>> Please provide info also on the IPA server you are using (use rpm -qa for that)
> >>>>>
> >>>>> ----- Original Message -----
> >>>>>> From: "Yaniv Kaul" <yk...@redhat.com>
> >>>>>> To: "Eduardo Ramos" <edua...@freedominterface.org>
> >>>>>> Cc: users@ovirt.org
> >>>>>> Sent: Thursday, February 21, 2013 11:14:41 AM
> >>>>>> Subject: Re: [Users] ovirt kerberos/ldap
> >>>>>>
> >>>>>> ----- Original Message -----
> >>>>>>> Hi all!
> >>>>>>>
> >>>>>>> I'm trying to link a ldap/kerberos to my ovirt without success.
> >>>>>>> I'm stuck with this:
> >>>>>>>
> >>>>>>> oVirt engine:
> >>>>>>>
> >>>>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br -user=admin/admin -interactive -provider=IPA
> >>>>>>> Enter password:
> >>>>>>>
> >>>>>>> Error: exception message: KDC has no support for encryption type (14) - BAD_ENCRYPTION_TYPE
> >>>>>> Please snoop the connection between the engine and the IPA server.
> >>>>>> Port 88, full packets ('-s 1500' on tcpdump), into file ('-w /tmp/kerb.pcap').
> >>>>>> Y.
> >>>>>>
> >>>>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos error. Please check log for further details.
> >>>>>>>
> >>>>>>> kdc log:
> >>>>>>>
> >>>>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for encryption type
> >>>>>>>
> >>>>>>> Any suggestion?
> >>>>>>> _______________________________________________
> >>>>>>> Users mailing list
> >>>>>>> Users@ovirt.org
> >>>>>>> http://lists.ovirt.org/mailman/listinfo/users