Re: [Users] ovirt kerberos/ldap

Wed, 27 Feb 2013 12:20:13 -0800 

Hi!

Is there any chance to use ldap simple authentication?
What schema should I have?

On 02/26/2013 04:58 PM, Eduardo Ramos wrote:

Yair,
I'm using admin/admin because it's my principal on kerberos. In fact, the checksum error was because I didn't have admin/admin principal created yet. 

Using kadmin.local I did:

kadmin.local: addprinc admin/admin

So I tried the same:
# engine-manage-domains -action=add -domain=gsr.inpe.br -provider=ipa -user=admin/admin -interactive 

And it returned on the screen um trace of java:
General error has occured[LDAP: error code 80 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown error)] javax.naming.NamingException: [LDAP: error code 80 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown error)] 
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3076)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2978)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2780)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) 
        at javax.naming.InitialContext.init(InitialContext.java:240)
        at javax.naming.InitialContext.<init>(InitialContext.java:214)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99) at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78) 
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:357)
at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:183) at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:159) at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:144) at org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:637) at org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:787) at org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:454) at org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:249) at org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:174) Failure while testing domain gsr.inpe.br. Details: No user information was found for user 

The engine-manage-domain.log has:
[2013-02-26 16:55:49,736 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): gsr.inpe.br 2013-02-26 16:55:49,740 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] loaded template kr5.conf file krb5.conf.template 2013-02-26 16:55:49,744 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting default_tkt_enctypes 2013-02-26 16:55:49,772 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting realms 2013-02-26 16:55:49,773 DEBUG [org.ovirt.engine.core.utils.kerberos.KrbConfCreator] setting domain realm 2013-02-26 16:55:49,774 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): gsr.inpe.br 2013-02-26 16:55:49,774 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: gsr.inpe.br 2013-02-26 16:55:49,827 DEBUG [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Check authentication finished successfully 

And /var/log/messages on the ldap/kerberos server has:
Feb 26 16:49:53 ldap krb5kdc[1446]: AS_REQ (1 etypes {23}) 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16 ses=23}, admin/ad...@gsr.inpe.br for krbtgt/gsr.inpe...@gsr.inpe.br Feb 26 16:49:53 ldap krb5kdc[1446]: TGS_REQ (6 etypes {3 1 23 16 17 18}) 150.163.73.211: ISSUE: authtime 1361908193, etypes {rep=23 tkt=16 ses=1}, admin/ad...@gsr.inpe.br for ldap/ldap.gsr.inpe...@gsr.inpe.br 

Thanks for response.

On 02/26/2013 04:35 PM, Yair Zaslavsky wrote:

----- Original Message -----

From: "Eduardo Ramos"<edua...@freedominterface.org>
To:users@ovirt.org
Sent: Tuesday, February 26, 2013 9:26:42 PM
Subject: Re: [Users] ovirt kerberos/ldap

Any one has faced that?

On 02/21/2013 10:59 AM, Yair Zaslavsky wrote:

Path to ovirt krb5.conf file - /etc/ovirt-engine/krb5.conf



----- Original Message -----

From: "Eduardo Ramos"<edua...@freedominterface.org>
To: "Yaniv Kaul"<yk...@redhat.com>
Cc:yzasl...@redhat.com,users@ovirt.org
Sent: Thursday, February 21, 2013 3:43:04 PM
Subject: Re: [Users] ovirt kerberos/ldap

I got new step!

I added arcfour-hmac-md5:normal into supported_enctypes and
permitted_enctypes directives in kdc.conf.
Then I changed password of my principal using the following:

change_password -e arcfour-hmac-md5:normal admin/adimin

Is "adimin" a typo here?
Can I ask why your user name appears like that, with a "/" in it?
Can you try to create user  - let's say "myadmin" without the "/" ?


Now, it's ok, but now I got another error that I didn't understand
as
follows:

# engine-manage-domains -action=add -domain=gsr.inpe.br
-user=admin/admin -interactive -provider=IPA
Enter password:

Error:  exception message: Checksum failed
Failure while testing domain gsr.inpe.br. Details: Kerberos error.
Please check log for further details.

The log of kdc says:

Feb 21 10:36:45 ldap krb5kdc[5386]: AS_REQ (1 etypes {23})
150.163.73.78: ISSUE: authtime 1361453805, etypes {rep=23 tkt=16
ses=23},admin/ad...@gsr.inpe.br  for
krbtgt/gsr.inpe...@gsr.inpe.br

And the engine-manage-domains.log says:
2013-02-21 10:36:46,722 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
kerberos
configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully
created kerberos configuration for domain(s): gsr.inpe.br
2013-02-21 10:36:46,745 INFO
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing
kerberos
configuration for domain: gsr.inpe.br
2013-02-21 10:36:46,819 ERROR
[org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:
exception message: Checksum failed
2013-02-21 10:36:46,822 ERROR
[org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while
testing domain gsr.inpe.br. Details: Kerberos error. Please check
log
for further details.


On 02/21/2013 08:55 AM, Yaniv Kaul wrote:

On 21/02/13 13:24, Eduardo Ramos wrote:

Morning!

That's my log entry. PCAP attached.

Feb 21 08:12:57 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
150.163.73.78: BAD_ENCRYPTION_TYPE:admin/ad...@gsr.inpe.br  for
krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for
encryption
type

You are using rc4_hmac, which is the right encryption protocol
usually. One can disable it (using 'permitted_enctypes'
directive).


My /etc/krb5.conf

This is not the krb5.conf file oVirt is using. Please search your
system for oVirt's krb5.conf (sorry, don't have it from the top
of
my
head).
In any case, I'd check the IPA configuration.
Y.


[libdefaults]
        default_realm = GSR.INPE.BR
        allow_weak_crypto = yes

          default_tkt_enctypes = rc4-hmac des-cbc-md5
          default_tgs_enctypes = rc4-hmac des-cbc-md5

[realms]
        GSR.INPE.BR = {
        master_kdc =  GSR.INPE.BR
        kdc = kerberos.gsr.inpe.br
        default_domain = gsr.inpe.br
        }

[domain_realm]
        .gsr.inpe.br = GSR.INPE.BR
        gsr.inpe.br = GSR.INPE.BR

[logging]
     kdc = SYSLOG:INFO

Is it sufice?

On 02/21/2013 06:48 AM, Yair Zaslavsky wrote:

Please provide info also on the IPA server you are using (use
rpm
-qa for that)


----- Original Message -----

From: "Yaniv Kaul"<yk...@redhat.com>
To: "Eduardo Ramos"<edua...@freedominterface.org>
Cc:users@ovirt.org
Sent: Thursday, February 21, 2013 11:14:41 AM
Subject: Re: [Users] ovirt kerberos/ldap

----- Original Message -----

Hi all!

I'm trying to link a ldap/kerberos to my ovirt without
success.
I'm
stuck with this:

oVirt engine:

# engine-manage-domains -action=add -domain=gsr.inpe.br
-user=admin/admin -interactive -provider=IPA
Enter password:

Error:  exception message: KDC has no support for encryption
type
(14) -
BAD_ENCRYPTION_TYPE

Please snoop the connection between the engine and the IPA
server.
Port 88, full packets ('-s 1500' on tcpdump), into file ('-w
/tmp/kerb.pcap' ).
Y.


Failure while testing domain gsr.inpe.br. Details: Kerberos
error.
Please check log for further details.

kdc log:

Feb 20 18:02:55 ldap krb5kdc[4314]: AS_REQ (1 etypes {23})
150.163.73.78: BAD_ENCRYPTION_TYPE:admin/ad...@gsr.inpe.br
for
krbtgt/gsr.inpe...@gsr.inpe.br, KDC has no support for
encryption
type

Any sugestion?
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users





_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users



_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Reply via email to