'/etc/httpd/s-oVirt-Krb.keytab' is the Apache keytab; you can't test
login with it. You should try something like `kinit myuser` and then
curl. And be sure that 'myuser' has appropriate permissions in oVirt.

Have you properly set up your browser and enabled negotiation (for
example, for Firefox [1])?

[1] https://docs.fedoraproject.org/en-US/Fedora/11/html/Security_Guide/sect-Security_Guide-Single_Sign_on_SSO-Configuring_Firefox_to_use_Kerberos_for_SSO.html

On 09/30/2016 03:34 PM, aleksey.maksi...@it-kb.ru wrote:
# kinit -V -k -t /etc/httpd/s-oVirt-Krb.keytab HTTP/kom-ad01-ovirt1.ad.holding.com

Using existing cache: persistent:0:0
Using principal: HTTP/kom-ad01-ovirt1.ad.holding....@ad.holding.com
Using keytab: /etc/httpd/s-oVirt-Krb.keytab
Authenticated to Kerberos v5

# klist

Ticket cache: KEYRING:persistent:0:0
Default principal: HTTP/kom-ad01-ovirt1.ad.holding....@ad.holding.com

Valid starting       Expires              Service principal
09/30/2016 16:28:02  10/01/2016 02:28:02  krbtgt/ad.holding....@ad.holding.com
        renew until 10/07/2016 16:28:02

# curl --negotiate -u : -X GET -H "Accept: application/xml" -k https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api

<html><head><title>Error</title></head><body>Unauthorized</body></html>

However, if I open this URL
(https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api) in a browser, it opens
without errors or authorization requests.


# tail -f  /var/log/httpd/ssl_error_log
# tail -f  /var/log/ovirt-engine/engine.log

There is nothing in the logs at the moment when I open the portal in the browser.

30.09.2016, 15:52, "Ondra Machacek" <omach...@redhat.com>:

So if you run kinit and then:

  $ curl --negotiate -u : -X GET -H "Accept: application/xml" -k https://fqdn/ovirt-engine/api

It's fine?

 Please tell me how to find the cause of the problem. What troubleshooting
steps should I take?

On oVirt engine check:

  /var/log/httpd/ssl_error_log
  /var/log/ovirt-engine/engine.log

On AD, check the Kerberos log.

 _______________________________________________
 Users mailing list
 Users@ovirt.org
 http://lists.ovirt.org/mailman/listinfo/users
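
Added example, not part of the original messages or of oVirt: the first reply says the Apache keytab cannot be used to test login, yet the klist output in the thread shows the cache holding the HTTP/ service principal. This sketch checks the default principal before running the curl test; the function names and sample klist text are constructed for illustration, and treating only an HTTP/ prefix as the web server's principal is an assumption.

```shell
#!/bin/sh
# Constructed sample klist output (placeholder names, not from the thread).
SAMPLE_SERVICE='Ticket cache: KEYRING:persistent:0:0
Default principal: HTTP/engine.example.test@EXAMPLE.TEST'
SAMPLE_USER='Ticket cache: KEYRING:persistent:0:0
Default principal: myuser@EXAMPLE.TEST'

# default_principal: read klist output on stdin, print the default principal.
default_principal() {
    sed -n 's/^Default principal:[[:space:]]*//p' | head -n 1
}

# principal_kind: classify the cache read from stdin.
#   http-service  cache holds HTTP/<host>@REALM (the web server's own identity)
#   client        cache holds some other principal (e.g. a user)
#   none          no default principal found
principal_kind() {
    p=$(default_principal)
    case "$p" in
        '')     echo none ;;
        HTTP/*) echo http-service ;;
        *)      echo client ;;
    esac
}

# precheck_negotiate URL: hypothetical helper that runs the SPNEGO test
# request only when the ticket cache holds a client principal.
precheck_negotiate() {
    kind=$(klist 2>/dev/null | principal_kind)
    case "$kind" in
        client)
            curl --negotiate -u : -H "Accept: application/xml" "$1" ;;
        http-service)
            echo "cache holds the server's HTTP/ principal; kinit as a user first" >&2
            return 2 ;;
        *)
            echo "no Kerberos ticket; run kinit <user> first" >&2
            return 1 ;;
    esac
}
```

Source the file and call `precheck_negotiate https://fqdn/ovirt-engine/api` after `kinit myuser`; add curl's `-k` only if the engine certificate is not trusted on the test host.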