Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf
----- Original Message -----
> From: "Eduardo Ramos" <edua...@freedominterface.org>
> To: "Yaniv Kaul" <yk...@redhat.com>
> Cc: yzasl...@redhat.com, users@ovirt.org
> Sent: Thursday, February 21, 2013 3:43:04 PM
> Subject: Re: [Users] ovirt kerberos/ldap
>
> I got new step!
>
> I added arcfour-hmac-md5:normal into supported_enctypes and
> permitted_enctypes directives in kdc.conf.
> Then I changed password of my principal using the following:
>
> change_password -e arcfour-hmac-md5:normal admin/adimin
>
> Now, it's ok, but now I got another error that I didn't understand as
> follows:
>
> # engine-manage-domains -action=add -domain=gsr.inpe.br
> -user=admin/admin -interactive -provider=IPA
> Enter password:
>
> Error: exception message: Checksum failed
> Failure while testing domain gsr.inpe.br. Details: Kerberos error.
> Please check log for further details.
>
> The log of kdc says:
>
> Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23})
> 150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16
> ses=23}, admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br
>
> And the engine-manage-domains.log says:
> 2013-02-21 10:36:46,722 INFO
> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos
> configuration for domain(s): gsr.inpe.br
> 2013-02-21 10:36:46,745 INFO
> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
> created kerberos configuration for domain(s): gsr.inpe.br
> 2013-02-21 10:36:46,745 INFO
> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos
> configuration for domain: gsr.inpe.br
> 2013-02-21 10:36:46,819 ERROR
> [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
> exception message: Checksum failed
> 2013-02-21 10:36:46,822 ERROR
> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while
> testing domain gsr.inpe.br. Details: Kerberos error. Please check log
> for further details.
>
>
> On 02/21/2013 08:55 AM, Yaniv Kaul wrote:
> > On 21/02/13 13:24, Eduardo Ramos wrote:
> >> Morning!
> >>
> >> That's my log entry. PCAP attached.
> >>
> >> Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
> >> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for
> >> krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for encryption
> >> type
> >
> > You are using rc4_hmac, which is the right encryption protocol
> > usually. One can disable it (using 'permitted_enctypes' directive).
> >
> >>
> >> My /etc/krb5.conf
> >
> > This is not the krb5.conf file oVirt is using. Please search your
> > system for oVirt's krb5.conf (sorry, don't have it from the top of
> > my head).
> > In any case, I'd check the IPA configuration.
> > Y.
> >
> >> [libdefaults]
> >> default_realm = GSR.INPE.BR
> >> allow_weak_crypto = yes
> >>
> >> default_tkt_enctypes = rc4-hmac des-cbc-md5
> >> default_tgs_enctypes = rc4-hmac des-cbc-md5
> >>
> >> [realms]
> >> GSR.INPE.BR = {
> >> master_kdc = GSR.INPE.BR
> >> kdc = kerberos.gsr.inpe.br
> >> default_domain = gsr.inpe.br
> >> }
> >>
> >> [domain_realm]
> >> .gsr.inpe.br = GSR.INPE.BR
> >> gsr.inpe.br = GSR.INPE.BR
> >>
> >> [logging]
> >> kdc = SYSLOG:INFO
> >>
> >> Is it suffice?
> >>
> >> On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:
> >>> Please provide info also on the IPA server you are using (use rpm
> >>> -qa for that)
> >>>
> >>>
> >>> ----- Original Message -----
> >>>> From: "Yaniv Kaul" <yk...@redhat.com>
> >>>> To: "Eduardo Ramos" <edua...@freedominterface.org>
> >>>> Cc: users@ovirt.org
> >>>> Sent: Thursday, February 21, 2013 11:14:41 AM
> >>>> Subject: Re: [Users] ovirt kerberos/ldap
> >>>>
> >>>> ----- Original Message -----
> >>>>> Hi all!
> >>>>>
> >>>>> I'm trying to link a ldap/kerberos to my ovirt without success.
> >>>>> I'm stuck with this:
> >>>>>
> >>>>> oVirt engine:
> >>>>>
> >>>>> # engine-manage-domains -action=add -domain=gsr.inpe.br
> >>>>> -user=admin/admin -interactive -provider=IPA
> >>>>> Enter password:
> >>>>>
> >>>>> Error: exception message: KDC has no support for encryption type
> >>>>> (14) - BAD_ENCRYPTION_TYPE
> >>>> Please snoop the connection between the engine and the IPA
> >>>> server.
> >>>> Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
> >>>> /tmp/kerb.pcap' ).
> >>>> Y.
> >>>>
> >>>>> Failure while testing domain gsr.inpe.br. Details: Kerberos
> >>>>> error.
> >>>>> Please check log for further details.
> >>>>>
> >>>>> kdc log:
> >>>>>
> >>>>> Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
> >>>>> 150.163.73.78: BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for
> >>>>> krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for
> >>>>> encryption type
> >>>>>
> >>>>> Any suggestion?
> >>>>> _______________________________________________
> >>>>> Users mailing list
> >>>>> Users@ovirt.org
> >>>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>>>
> >>
> >
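
Added example, not part of the original thread: a small Python decoder for the krb5kdc request lines quoted above, mapping the numeric etypes to their names and listing the deprecated ones. It assumes the numeric log format shown in the thread; the function and variable names are illustrative.

```python
import re

# Kerberos etype numbers from the IANA registry -> (name, deprecated?).
# DES is retired by RFC 6649; 3DES and RC4 are deprecated by RFC 8429.
ETYPES = {
    1: ("des-cbc-crc", True), 3: ("des-cbc-md5", True),
    16: ("des3-cbc-sha1", True), 23: ("rc4-hmac", True),
    17: ("aes128-cts-hmac-sha1-96", False),
    18: ("aes256-cts-hmac-sha1-96", False),
}

# Assumption: etypes are logged as bare numbers, as in the thread's KDC log.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[\d ]+)\}\) "
    r"\S+: (?P<status>[A-Z_]+):"
    r"(?:.*?etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\})?"
)

def etype_name(num):
    return ETYPES.get(num, (f"etype-{num}", False))[0]

def analyze(line):
    """Decode one KDC log line; return None if it is not a request line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    offered = [int(n) for n in m["offered"].split()]
    issued = None
    if m["rep"] is not None:
        # rep = key type protecting the reply (client's long-term key),
        # tkt = key type the ticket is encrypted in (krbtgt/service key),
        # ses = session key type handed to the client.
        issued = {k: int(m[k]) for k in ("rep", "tkt", "ses")}
    seen = set(offered) | set((issued or {}).values())
    return {
        "request": m["req"],
        "status": m["status"],
        "offered": [etype_name(n) for n in offered],
        "issued": issued and {k: etype_name(v) for k, v in issued.items()},
        "deprecated": sorted(etype_name(n) for n in seen
                             if ETYPES.get(n, ("", False))[1]),
    }

# The two KDC log lines quoted in the thread, copied as they appear there.
REFUSED = ("Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23}) 150.163.73.78: "
           "BAD_ENCRYPTION_TYPE: admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br, "
           "KDC has no support for encryption type")
ISSUED = ("Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23}) 150.163.73.78: "
          "ISSUE: authtime 1361453805, etypes {rep=23 tkt=16 ses=23}, "
          "admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br")
```

The `(14)` in the engine's first error message is the Kerberos error code KDC_ERR_ETYPE_NOSUPP, not an etype number, so it does not appear in the table.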