rhevm-manage-domains: Failure while testing domain Details: Authentication Failed

Hi @all

We tried to add the RHEV Manager 3.0 to our IPA server according to the Evaluation and Identity Management Guide. We created the necessary SRV entries in the DNS and validated the entries with the dig tool.

We always get the error message "Failure while testing domain <ourdomain>. Details: Authentication Failed. Please verify the username and password." while invoking "rhevm-manage-domains -action=add -domain=<ourdomain> -user=admin -interactive". We also tried other usernames / passwords that had been added to the IPA directory before, but this didn't work either and didn't change the error message.

Could you please provide further information about the error message and its source?

Many thanks in advance

Responses

First thing: do "kinit admin" after configuring /etc/krb5.conf and make sure that you can get a ticket with the password you provide. This proves the password provided is correct. If this is successful, I usually check the below details one by one.

Output of the below commands from RHEVM:

# nslookup <IP of RHEVM>
# nslookup <FQDN of RHEVM>

# nslookup <fqdn of IPA>
# nslookup <ip of IPA>

# nslookup -type=SRV _ldap._tcp
# nslookup -type=SRV _kerberos._tcp
# nslookup -type=SRV _kerberos._udp

If all the above are perfect, I usually take a tcpdump by running "tcpdump -s0 -w /tmp/ad.dump -i ethx" from a different root console while running rhevm-manage-domains and look at the packet flow for DNS, Kerberos and LDAP queries.
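
The SRV checks above, written out as a script. This is an added example, not code from the thread or from Red Hat's tooling: the domain, the hostnames and the sample dig answers are constructed, and the function names (srv_names, srv_target, check_srv_targets, live_check) are my own. The parsing and validation run offline on constructed `dig +short SRV` output; only live_check touches the network.

```shell
#!/bin/sh
# Added example (not from the original thread): validate the SRV records that
# rhevm-manage-domains needs for a domain. Domain names, hostnames and the sample
# answers used in comments are constructed.

# The three SRV names that must resolve for <domain> (see the nslookup list above).
srv_names() {
    domain="$1"
    printf '%s\n' "_ldap._tcp.$domain" "_kerberos._tcp.$domain" "_kerberos._udp.$domain"
}

# Parse one line of `dig +short SRV` output, e.g. "0 100 389 ipa.example.com.",
# and print the target host without its trailing dot. Returns 1 for anything
# that does not have the four SRV fields (priority weight port target).
srv_target() {
    set -- $1
    [ $# -eq 4 ] || return 1
    printf '%s\n' "${4%.}"
}

# Validate a block of SRV answers for <domain>: every line must parse and every
# target must be a host inside <domain>. Offenders are reported; returns 1 if any.
check_srv_targets() {
    domain="$1"; answers="$2"; rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        target=$(srv_target "$line") || { echo "unparseable SRV answer: $line"; rc=1; continue; }
        case "$target" in
            *."$domain") ;;
            *) echo "SRV target $target is outside $domain"; rc=1 ;;
        esac
    done <<EOF
$answers
EOF
    return $rc
}

# Live version (needs network and dig): query each SRV name and validate it.
live_check() {
    domain="$1"
    for name in $(srv_names "$domain"); do
        answers=$(dig +short SRV "$name")
        [ -n "$answers" ] || { echo "no SRV answer for $name"; return 1; }
        check_srv_targets "$domain" "$answers" || return 1
    done
    echo "SRV records for $domain look consistent"
}
```

Run `live_check <ourdomain>` on the RHEV Manager host; an empty answer or a target outside the domain is the point at which to stop and fix DNS before looking at Kerberos in the dump.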

Hi Sadique

Thanks for your advice. The tests you suggested worked fine (nslookup, etc.). By digging into the TCP dumps we encountered the Kerberos error sent by the IPA server:

1765328378 | KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN | Client not found in Kerberos database.

Do we need to add the rhevm to the Kerberos database in advance? If yes, can we do it with ipa tools?

Thanks and kind regards

Update:

We manually added the rhevm host via the IPA UI to the hosts and used the One Time Password (OTP) option. Again, we tried to add the rhevm with the rhevm-manage-domains command. Still the same error. In the /var/log/krb5kdc.log file we found CLIENT_NOT_FOUND.

Update 2 (resolved):

We decided to reinstall the IPA server and set the realm's name to the domain name. Now it works fine. I've read several times that it is recommended but not required to do it like this?

For us it is resolved with this setup.

Wasn't this error in the output of or TGS-REP?

If you expand TGS-REQ and look under "Server Name", what do you see after "ldap/"? Is it the proper FQDN of the IPA server as per the output of the "hostname" command from the IPA server and the output of the below command from rhevm?

# nslookup <ip of IPA>

Are they the same or different?

Hi Sadique,

We didn't have any TGS-REQs. But in the AS-REQ, service and instance were set to: "krbtgt/IPAREALM"

Please have a look at our latest update (Update 2 (resolved) in the previous post), where we resolved it so far. Do you have any idea about it?

Greetings and thanks for your investigation

Looks like the realm needs to be the upper-case DNS domain name for rhevm-manage-domains to work. rhevm-manage-domains does not consult /etc/krb5.conf to read the domain_realm mapping.