Hi all,
I'm trying to add a domain (Active Directory), but I can't get it to work.

The command I execute is:
rhevm-manage-domains -action=add -domain='FPT.LOCAL' -user='fptadmin' -interactive

Attached you can find:

- Output of the command
- Logs from /var/log/rhevm/rhevm-manage-domains/rhevm-manage-domains.log


I found a RHEV KB saying:

For Error: LDAP query Failed, make sure the Active Directory server and the 
RHEVM server have the correct PTR records in the DNS reverse lookup zone file

And another one says:

It's required to create PTR entry into DNS for the following:

* Name Server (NS) - Start of Authority (SOA)
  Example: WIN-TL8JB8JAG8.ad.mydomain.com.

* Active Directory Name
  Example: ad.mydomain.com.

* RHEVM machine
  Example: rhevm.ad.mydomain.com.

We are fulfilling this requirement, as nslookup of these 3 machines' IPs works.

Additional info.

These commands work (if you need I can paste the full output):


# dig SRV _kerberos._tcp.FPT.LOCAL
# dig SRV _kerberos._udp.FPT.LOCAL
# dig SRV _ldap._tcp.FPT.LOCAL

# kinit [email protected]
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
08/30/12 15:55:46  08/31/12 01:55:51  krbtgt/[email protected]
        renew until 09/06/12 15:55:46


Thank you very much in advance



Alberto Scotto

Via Cardinal Massaia, 83
10147 - Torino - ITALY
phone: +39 011 29100
[email protected]
www.reply.it



[root@pittor06vhxd010 ~]# rhevm-manage-domains -action=add -domain='fpt.local' -user='fptadmin02' -interactive
Enter password:

javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:150)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:212)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2720)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.InitialContext.<init>(InitialContext.java:197)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
        at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:79)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:337)
        at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
        at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:154)
        at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:140)
        at org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:560)
        at org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:706)
        at org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:401)
        at org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:232)
        at org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:160)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
        ... 23 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
        ... 24 more
Caused by: KrbException: Server not found in Kerberos database (7)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
        ... 27 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
        ... 32 more
Error: LDAP query Failed. Error in DNS configuration. Please verify the RHEV Manager host has a valid reverse DNS (PTR) record.
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:150)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:212)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2720)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.InitialContext.<init>(InitialContext.java:197)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
        at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:79)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:337)
        at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
        at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:154)
        at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:140)
        at org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:560)
        at org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:706)
        at org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:401)
        at org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:232)
        at org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:160)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
        ... 23 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
        ... 24 more
Caused by: KrbException: Server not found in Kerberos database (7)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
        ... 27 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
        ... 32 more
Error: LDAP query Failed. Error in DNS configuration. Please verify the RHEV Manager host has a valid reverse DNS (PTR) record.
Failure while testing domain fpt.local. Details: No user information was found for user

2012-08-31 10:43:05,372 DEBUG [org.apache.commons.configuration.ConfigurationUtils] ConfigurationUtils.locate(): base is null, name is /etc/rhevm/rhevm-manage-domains/rhevm-manage-domains.conf
2012-08-31 10:43:05,373 DEBUG [org.apache.commons.configuration.ConfigurationUtils] Loading configuration from the absolute path /etc/rhevm/rhevm-manage-domains/rhevm-manage-domains.conf
2012-08-31 10:43:05,407 DEBUG [org.apache.commons.configuration.ConfigurationUtils] ConfigurationUtils.locate(): base is null, name is /var/lib/jbossas/server/rhevm-slimmed/deploy/postgres-ds.xml
2012-08-31 10:43:05,407 DEBUG [org.apache.commons.configuration.ConfigurationUtils] Loading configuration from the absolute path /var/lib/jbossas/server/rhevm-slimmed/deploy/postgres-ds.xml
2012-08-31 10:43:05,422 DEBUG [org.apache.commons.configuration.ConfigurationUtils] ConfigurationUtils.locate(): base is null, name is /var/lib/jbossas/server/rhevm-slimmed/conf/login-config.xml
2012-08-31 10:43:05,422 DEBUG [org.apache.commons.configuration.ConfigurationUtils] Loading configuration from the absolute path /var/lib/jbossas/server/rhevm-slimmed/conf/login-config.xml
2012-08-31 10:43:05,686 DEBUG [org.ovirt.engine.core.tools.common.db.JbossConnectionFactory] getConnection: driver class name=org.postgresql.Driver
2012-08-31 10:43:05,701 DEBUG [org.ovirt.engine.core.tools.common.db.JbossConnectionFactory] getConnection: URL=jdbc:postgresql://localhost:5432/rhevm
2012-08-31 10:43:05,701 DEBUG [org.ovirt.engine.core.tools.common.db.JbossConnectionFactory] getConnection: Considering encrypted passord. secDomain=EncryptDBPassword
2012-08-31 10:43:13,812 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): fpt.local
2012-08-31 10:43:13,829 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] loaded template kr5.conf file krb5.conf.template
2012-08-31 10:43:13,832 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting default_tkt_enctypes
2012-08-31 10:43:13,854 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting realms
2012-08-31 10:43:13,855 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting domain realm
2012-08-31 10:43:13,855 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): fpt.local
2012-08-31 10:43:13,856 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: fpt.local
2012-08-31 10:43:13,907 DEBUG [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Check authentication finished successfully
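
Added example (not part of the original post and not oVirt/RHEV code): a forward/reverse DNS consistency check for the hosts the KB excerpts above name, i.e. the domain controllers returned by the _ldap._tcp SRV lookup plus the RHEV-M host. It goes one step beyond "nslookup of the IP works" by requiring that each PTR name matches the name that was looked up. The host names dc01/dc02/rhevm.fpt.local, dc02.corp.example, the 192.0.2.x addresses and all sample records are constructed assumptions.

```python
import socket

def norm(name):  # lower-case a DNS name and drop the trailing dot
    return name.rstrip(".").lower()

def parse_srv_targets(dig_answer):
    """Extract (target, port) pairs from the answer lines of `dig SRV`."""
    rows = (line.split() for line in dig_answer.splitlines())
    # fields: name ttl IN SRV priority weight port target
    return [(norm(f[7]), int(f[6])) for f in rows
            if len(f) == 8 and f[2:4] == ["IN", "SRV"]]

def live_forward(name):  # A records via the system resolver
    try:
        return sorted({a[4][0] for a in socket.getaddrinfo(name, None, socket.AF_INET)})
    except OSError:
        return []

def live_reverse(ip):  # PTR name via the system resolver, None if absent
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def check_host(name, forward, reverse):
    """Return the forward/reverse problems for one host ([] means consistent)."""
    name, problems = norm(name), []
    ips = forward(name)
    if not ips:
        return [f"{name}: no A record"]
    for ip in ips:
        ptr = reverse(ip)
        if ptr is None:
            problems.append(f"{name}: {ip} has no PTR record")
        elif norm(ptr) != name:
            problems.append(f"{name}: {ip} reverses to {norm(ptr)}")
    return problems

def audit(dig_answer, extra_hosts, forward=live_forward, reverse=live_reverse):
    """Check every SRV target plus extra hosts such as the RHEV-M machine."""
    hosts = [t for t, _ in parse_srv_targets(dig_answer)] + list(extra_hosts)
    return {norm(h): check_host(h, forward, reverse) for h in hosts}

# Constructed sample records (assumed names/addresses, not the poster's).
SAMPLE_DIG = ("_ldap._tcp.fpt.local. 600 IN SRV 0 100 389 dc01.fpt.local.\n"
              "_ldap._tcp.fpt.local. 600 IN SRV 0 100 389 DC02.fpt.local.\n")
SAMPLE_A = {"dc01.fpt.local": ["192.0.2.10"], "dc02.fpt.local": ["192.0.2.11"],
            "rhevm.fpt.local": ["192.0.2.20"]}
SAMPLE_PTR = {"192.0.2.10": "dc01.fpt.local.", "192.0.2.11": "dc02.corp.example."}
print(audit(SAMPLE_DIG, ["rhevm.fpt.local"], lambda n: SAMPLE_A.get(n, []), SAMPLE_PTR.get))
```

Against a real resolver, call audit() with the answer section of `dig SRV _ldap._tcp.<domain>` and the RHEV-M host name, leaving the forward and reverse arguments at their defaults.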