Carb, Brian A wrote:
> Hello,
>
> I've been trying unsuccessfully for some time to get ovirt to work, and
> I was hoping someone in this forum could help. My problem seems to be
> in the freeipa kerberos authentication.
>
> I've downloaded the ovirt pre-built image, started it via kvm, logged
> in and set up the network. I've set up a dns server along with the
> required reverse-lookup zone. I also successfully completed the
> ipa-server-install, and created the default principals.
>
> When I perform the freeipa troubleshooting, 'kinit admin', klist, and
> 'ldapsearch -Y GSSAPI -b "dc=site" uid=admin' all work fine. However,
> the ipa-finduser utility test fails - 'ipa-finduser admin' returns:
> Unable to connect to IPA server: Not Found. Also, I get an
> authentication error when trying to access the appliance from firefox
> (after making the required about:config changes).
>
> Any suggestions about where/how to debug? Thanks.

OK, it seems you have most of the right things set up. In all honesty, I haven't
tried the ipa-finduser command before, so I can't speak to that; I'll
concentrate on firefox for now. What kind of authentication error do you get,
exactly? The way it works is that apache handles the initial request, checks
some of the kerberos header stuff, changes a few things, and then passes that
request onto the Rails UI. So there are two places you can fail authentication
there: either on the initial connection to the apache web server, or on the
pass-off between apache and the Rails UI. You can tell which is failing by the
authentication error you get, which might give us some further clues.

Also, just in terms of debugging, you'll probably want to watch 2 things:

1) /var/log/krb5kdc.log on the freeipa server; that will tell you who is trying
to authenticate with which credentials, and whether they succeeded or not.

2) Start firefox like:

$ NSPR_LOG_FILE=/tmp/firefox.log NSPR_LOG_MODULES=negotiateauth:5 firefox

Which will dump a little bit of additional information about what the failure
was to /tmp/firefox.log.

If this doesn't seem to help, you can hop on #ovirt on Freenode, and we might be
able to do a little more interactive debugging.

Chris Lalancette
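
Added example, not part of the original message and not oVirt or FreeIPA code: a small triage script for the krb5kdc.log check suggested above, which looks at ticket requests for the web server's HTTP/ service principal to separate a KDC-side refusal from a failure further along (apache, or the apache-to-Rails pass-off). The log lines are constructed samples in the usual MIT krb5kdc layout, and the host names, realm and function names are assumptions.

```python
import re

# Constructed sample lines in the usual MIT krb5kdc.log layout (not from the thread).
SAMPLE_LOG = """\
Jan 10 10:00:01 ipa.example.com krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1200000001, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 10 10:00:05 ipa.example.com krb5kdc[2101](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: UNKNOWN_SERVER: authtime 0,  admin@EXAMPLE.COM for HTTP/ovirt@EXAMPLE.COM, Server not found in Kerberos database
Jan 10 10:02:09 ipa.example.com krb5kdc[2101](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1200000001, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for HTTP/ovirt.example.com@EXAMPLE.COM
"""

# request type, client address, KDC status code, client principal, requested service
LINE_RE = re.compile(
    r"\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r".*?(?P<client>[^\s,]+@\S+) for (?P<service>[^\s,]+)"
)


def triage(log_text, service_prefix="HTTP/"):
    """Return (status, client, service) for every TGS_REQ aimed at a web service principal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["req"] == "TGS_REQ" and m["service"].startswith(service_prefix):
            events.append((m["status"], m["client"], m["service"]))
    return events


def diagnose(events):
    """Map the most recent HTTP/ ticket request to the place to look next."""
    if not events:
        # The browser never asked the KDC for a web ticket at all.
        return "no HTTP/ ticket request: browser never attempted Negotiate (check about:config and DNS)"
    status = events[-1][0]
    if status == "ISSUE":
        # The KDC did its part; the failure is on the web server side.
        return "ticket issued: KDC side is fine, look at apache or the apache-to-Rails pass-off"
    return f"KDC refused ({status}): check the HTTP/ service principal and the host name in the URL"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for status, client, service in found:
        print(f"{status:16} {client} -> {service}")
    print(diagnose(found))
```

Run against the real log, an empty result alongside a working 'kinit admin' points at the browser configuration, while a refusal for the HTTP/ principal points at the principal name or DNS rather than at the Rails UI.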