1) An ipa user-* command (user-add, user-find, ...) fails with:
ipa: ERROR: did not receive Kerberos credentials
Solution: run kinit admin again. The admin ticket has expired or was never obtained; klist shows whether a valid ticket is currently held.
2) ipa-client-install fails with:
LDAP Error: Connect error: TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
Solution: delete /etc/ipa/ca.crt and run ipa-client-install again.
Caveat: NSS error -8054 (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) means the client still holds a CA certificate from an earlier enrollment whose issuer and serial number match the certificate the server now presents, but whose contents differ. That is expected after the IPA server has been reinstalled with a fresh CA; it is also exactly what a substituted CA would look like. Removing the cached copy makes the client trust whatever CA the server presents on the next enrollment, so only do this when you know the server was reinstalled, and compare the fingerprint of the newly fetched /etc/ipa/ca.crt with the server's own /etc/ipa/ca.crt afterwards.
3) A regular (non-admin) user logging in to the ovirt-engine web portal gets: not authorized to perform this action.
Solution: an admin user must first assign a virtual machine to the regular user; only then can that user log in.
4) In the ovirt-engine administration portal, searching for users in the specified domain returns nothing when adding a user (or existing users cannot log in and get "login failed").
The engine log shows (one entry per line):
2015-01-10 17:55:14,864 ERROR [org.ovirt.engine.core.bll.adbroker.GetRootDSE] (ajp--127.0.0.1-8702-9) Failed to query rootDSE for LDAP server ldap://test.com:389 due to test.com:389
2015-01-10 17:55:14,865 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-9) Failed ldap search server ldap://test.com:389 using user user1@TEST.COM due to javax.naming.CommunicationException: test.com:389 [Root exception is java.net.UnknownHostException: test.com]. We should try the next server
2015-01-10 17:55:14,865 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-9) Failed authenticating user: user1 to domain test.com. Ldap Query Type is getUserByName
2015-01-10 17:55:14,866 INFO [org.ovirt.engine.core.bll.LoginBaseCommand] (ajp--127.0.0.1-8702-9) Cant login user "user1" with authentication profile "test.com" because the authentication failed.
2015-01-10 17:55:14,878 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-9) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User user1 failed to log in.
The root exception, java.net.UnknownHostException: test.com, is the actual cause: the engine host cannot resolve the name test.com that the authentication profile uses as its LDAP server, so the search never reaches the directory and the login fails before any password is checked. Fix name resolution on the engine host (point it at the IPA DNS server, or otherwise make test.com resolve to the IPA server) rather than the user's credentials.
5) ipa-client-install fails with:
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for admin@TEST.COM:
Joining realm failed: HTTP response code is 500, not 200
Installation failed. Rolling back changes.
IPA client is not configured on this system.
Solution: after reinstalling the ipa server the problem went away; I do not know what caused it.
According to the documentation there are two further approaches:
(1) Disable SASL for LDAP by changing the option in ldap.conf or in the global settings. Tested: it had no effect.
(2) Configure reverse DNS (a PTR record) for the client in the IPA web UI; this also resolves the problem. Note that this is not done by editing named's zone file directly but by adding the zone and the record through the IPA web UI or CLI (they are stored in LDAP);
named polls the LDAP data periodically (every 30 s) and refreshes its own zone data. This method has not been tested yet.
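The following is an added example (not code from the original notes or from FreeIPA) of doing approach (2) from the command line: it derives the reverse zone name from the client address and issues the ipa dnszone-add / dnsrecord-add calls that store the zone and PTR record in LDAP. Assumed values: the IPA server ihost.test.com and the client address 192.168.1.200 from the notes above, a hypothetical client name client.test.com, a /24 reverse zone, and a valid admin ticket (kinit admin) on the host running it. Option names follow the ipa CLI of that era; confirm them with ipa dnszone-add --help on your version.

```python
"""Create the reverse zone and PTR record for an enrolled client through the
ipa CLI (records go into LDAP, not into a named zone file).  Added example,
not code from the original notes or from FreeIPA.  Assumed values: IPA server
ihost.test.com, client 192.168.1.200 with the hypothetical name
client.test.com, a /24 reverse zone, and an admin ticket already held.
"""
import ipaddress
import shutil
import subprocess


def reverse_zone_and_label(ip, prefixlen=24):
    """Split an IPv4 address into (reverse zone, record label) for a reverse
    zone cut on an octet boundary:
    192.168.1.200/24 -> ('1.168.192.in-addr.arpa.', '200')."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on garbage
    if prefixlen not in (8, 16, 24):
        raise ValueError("reverse zones here are cut on octet boundaries")
    octets = str(addr).split(".")
    n = prefixlen // 8
    zone = ".".join(reversed(octets[:n])) + ".in-addr.arpa."
    label = ".".join(reversed(octets[n:]))
    return zone, label


def ipa_commands(ip, fqdn, server_fqdn, prefixlen=24):
    """The ipa invocations that create the zone, add the PTR record, and show
    the record back.  Trailing dots make the names absolute so IPA does not
    append the zone name to them."""
    zone, label = reverse_zone_and_label(ip, prefixlen)
    fqdn = fqdn.rstrip(".") + "."
    server_fqdn = server_fqdn.rstrip(".") + "."
    return [
        ["ipa", "dnszone-add", zone, "--name-server=" + server_fqdn],
        ["ipa", "dnsrecord-add", zone, label, "--ptr-rec=" + fqdn],
        ["ipa", "dnsrecord-show", zone, label],
    ]


def run(commands, dry_run=True):
    """Run the commands, or only print them when dry_run is set or no ipa
    binary is on PATH.  A reverse zone that already exists is not a failure;
    any other non-zero exit aborts so a half-applied change is noticed."""
    codes = []
    for cmd in commands:
        if dry_run or shutil.which("ipa") is None:
            print("would run:", " ".join(cmd))
            codes.append(None)
            continue
        proc = subprocess.run(cmd, capture_output=True, text=True)
        if proc.returncode and cmd[1] == "dnszone-add" and "already exists" in proc.stderr:
            codes.append(0)       # zone was created on an earlier run
            continue
        if proc.returncode:
            raise RuntimeError(" ".join(cmd) + " failed: " + proc.stderr.strip())
        codes.append(0)
    return codes


if __name__ == "__main__":
    # dry run by default; pass dry_run=False on a host that holds an admin ticket
    run(ipa_commands("192.168.1.200", "client.test.com", "ihost.test.com"))
```

After a real run, check the record from the client side with dig -x 192.168.1.200 @ihost.test.com, allowing for the polling delay the notes mention before named picks up the new zone.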
6) After installing ipaserver, logging in to the web UI reports "unknown error"
The installer had already reported an error:
Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain test.com --server ihost.test.com --realm TEST.COM --hostname ihost.test.com' returned non-zero exit status 1
kinit: Generic error (see e-text) while getting initial credentials
Restarting the IPA services (ipactl restart) still gives the same error.
httpd's error_log shows (one entry per line):
[Mon Jan 12 12:56:00 2015] [error] ipa: INFO: *** PROCESS START ***
[Mon Jan 12 12:56:00 2015] [error] ipa: INFO: *** PROCESS START ***
[Mon Jan 12 12:57:17 2015] [error] ipa: INFO: *** PROCESS START ***
[Mon Jan 12 12:57:18 2015] [error] ipa: INFO: *** PROCESS START ***
[Mon Jan 12 12:57:18 2015] [error] [client 192.168.1.200] Failed to initialize ccache for HTTP/ihost.test.com: Credentials cache permissions incorrect (-1765328190), referer: https://ihost.test.com/ipa/xml
[Mon Jan 12 12:57:18 2015] [error] [client 192.168.1.200] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, ), referer: https://ihost.test.com/ipa/xml
[Mon Jan 12 12:57:29 2015] [error] ipa: INFO: *** PROCESS START ***
[Mon Jan 12 12:57:29 2015] [error] ipa: INFO: *** PROCESS START ***
[Mon Jan 12 13:01:33 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
[Mon Jan 12 13:01:36 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
[Mon Jan 12 13:01:39 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
[Mon Jan 12 13:01:43 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
[Mon Jan 12 13:04:00 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
[Mon Jan 12 13:04:05 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
[Mon Jan 12 13:04:25 2015] [error] ipa: INFO: *** PROCESS START ***
[Mon Jan 12 13:04:25 2015] [error] ipa: INFO: *** PROCESS START ***
[Mon Jan 12 13:05:43 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
[Mon Jan 12 13:05:45 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
The "*** PROCESS START ***" entries are the IPA WSGI application starting up; they are INFO messages that Apache tags [error] only because they are written to stderr, and can be ignored. The "Credentials cache permissions incorrect (-1765328190)" entry (Kerberos KRB5_FCC_PERM) means the credential cache for the HTTP/ihost.test.com service exists but has the wrong owner or permissions for the user Apache runs as, and the gss_acquire_cred() failure on the next line follows from it. The -12271 entries (NSS SSL_ERROR_BAD_CERT_ALERT) record the browser sending a bad-certificate alert, i.e. the browser did not accept the server's certificate.
Solution: switching to a different browser made the login work; the original browser probably had a stale certificate left over. https://ihost.test.com/ipa/xml itself shows:
Please make sure that you have valid Kerberos tickets (obtainable via kinit), and that you have configured your browser correctly
The matching entries in ipaserver-install.log are:
CRYPTO INIT WITH CERTDB:/tmp/tmp-YDjaN_
2015-01-12T07:15:49Z DEBUG stderr=certutil: Could not find cert: TEST.COM IPA CA
2015-01-12T07:16:26Z DEBUG stderr=certutil: Could not find cert: TEST.COM IPA CA
The error that actually causes the failure is ipalib.errors.NetworkError: cannot connect to u'https://ihost.test.com/ipa/xml': Internal Server Error.
The two certutil messages above are harmless. The exact cause remains to be analysed; my guess is that some background service had been stopped.
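The log excerpts in items 4 and 6 are easier to read once each entry is parsed and grouped by root cause. The script below is an added example (not code from the original notes or from oVirt/FreeIPA) that does this for both formats: it splits oVirt engine.log and Apache error_log entries into fields, matches the message against the error signatures seen on this page (UnknownHostException, KRB5_FCC_PERM, NSS -12271 and -8054, missing Kerberos credentials) plus two constructed ones for a refused TCP connection and a rejected LDAP bind, and reports count, first and last timestamp and a diagnosis per cause. The sample lines are copied from the notes above except the one marked constructed.

```python
"""Triage oVirt engine.log and httpd error_log entries by root cause.
Added example, not code from the original notes or from oVirt/FreeIPA.
Sample lines are copied from the notes, except the one marked constructed.
"""
import re

# oVirt engine.log: "2015-01-10 17:55:14,864 ERROR [logger] (thread) message"
ENGINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+) "
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$")
# Apache 2.2 error_log: "[Mon Jan 12 12:57:18 2015] [error] [client ip] message"
HTTPD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[a-z]+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$")

# (cause, signature, diagnosis): first match wins, named groups fill the text
SIGNATURES = [
    ("noise", r"\*\*\* PROCESS START \*\*\*",
     "IPA worker start-up, logged at INFO despite the [error] tag"),
    ("dns", r"java\.net\.UnknownHostException: (?P<host>[^\]\s]+)",
     "engine host cannot resolve {host}; fix resolv.conf/DNS before anything else"),
    ("ldap-connect", r"java\.net\.ConnectException: (?P<why>[^\]]+)",
     "name resolved but TCP connect failed ({why}); check port 389/636 and firewall"),
    ("bad-credentials", r"javax\.naming\.AuthenticationException",
     "directory reached, bind rejected: wrong password or locked account"),
    ("krb5-ccache-perm", r"Credentials cache permissions incorrect \((?P<code>-\d+)\)",
     "krb5 {code} (KRB5_FCC_PERM): HTTP service ccache not owned by the httpd user"),
    ("gss-acquire-cred", r"gss_acquire_cred\(\) failed",
     "consequence of the ccache error; fix that first"),
    ("nss-bad-cert-alert", r"SSL Library Error: -12271",
     "NSS SSL_ERROR_BAD_CERT_ALERT: the browser rejected the server certificate"),
    ("nss-reused-issuer-serial", r"TLS error -8054",
     "NSS SEC_ERROR_REUSED_ISSUER_AND_SERIAL: cached CA cert differs from the one presented"),
    ("no-ticket", r"did not receive Kerberos credentials",
     "no valid ticket in the credential cache; run kinit"),
]
SIGNATURES = [(c, re.compile(rx), text) for c, rx, text in SIGNATURES]


def parse(line):
    """Split one log line into fields; None for lines in neither format."""
    for source, rx in (("engine", ENGINE_RE), ("httpd", HTTPD_RE)):
        m = rx.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["source"] = source
            return rec
    return None


def classify(msg):
    """Return (cause, diagnosis) for a message text, or ('unclassified', text)."""
    for cause, rx, text in SIGNATURES:
        m = rx.search(msg)
        if m:
            return cause, text.format(**m.groupdict())
    return "unclassified", msg[:80]


def triage(lines):
    """Aggregate parseable lines per cause: count, first/last timestamp, diagnosis."""
    report = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # blank line, stack-trace continuation, other format
        cause, diagnosis = classify(rec["msg"])
        entry = report.setdefault(cause, {"count": 0, "first": rec["ts"], "last": rec["ts"],
                                          "source": rec["source"], "diagnosis": diagnosis})
        entry["count"] += 1
        entry["last"] = rec["ts"]
    return report


SAMPLE_LINES = [
    # engine.log, copied from item 4
    "2015-01-10 17:55:14,864 ERROR [org.ovirt.engine.core.bll.adbroker.GetRootDSE] (ajp--127.0.0.1-8702-9) Failed to query rootDSE for LDAP server ldap://test.com:389 due to test.com:389",
    "2015-01-10 17:55:14,865 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-9) Failed ldap search server ldap://test.com:389 using user user1@TEST.COM due to javax.naming.CommunicationException: test.com:389 [Root exception is java.net.UnknownHostException: test.com]. We should try the next server",
    '2015-01-10 17:55:14,866 INFO [org.ovirt.engine.core.bll.LoginBaseCommand] (ajp--127.0.0.1-8702-9) Cant login user "user1" with authentication profile "test.com" because the authentication failed.',
    # constructed: what a wrong password looks like once the name resolves
    "2015-01-10 18:02:31,010 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-9) Failed ldap search server ldap://ihost.test.com:389 using user user1@TEST.COM due to javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]. We should try the next server",
    # httpd error_log, copied from item 6
    "[Mon Jan 12 12:57:18 2015] [error] ipa: INFO: *** PROCESS START ***",
    "[Mon Jan 12 12:57:18 2015] [error] [client 192.168.1.200] Failed to initialize ccache for HTTP/ihost.test.com: Credentials cache permissions incorrect (-1765328190), referer: https://ihost.test.com/ipa/xml",
    "[Mon Jan 12 12:57:18 2015] [error] [client 192.168.1.200] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, ), referer: https://ihost.test.com/ipa/xml",
    "[Mon Jan 12 13:01:33 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate",
    "[Mon Jan 12 13:01:36 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate",
    "[Mon Jan 12 13:05:45 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate",
]

if __name__ == "__main__":
    for cause, e in triage(SAMPLE_LINES).items():
        print("%-24s x%-3d %s .. %s  %s" % (cause, e["count"], e["first"], e["last"], e["diagnosis"]))
```

classify() also accepts bare message text, so the ipa-client-install output from items 1 and 2 (no timestamp) can be checked the same way; "noise" separates the PROCESS START entries from real errors, and anything unclassified is kept in the report so a new failure mode is not silently dropped.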
7) Cannot log in to the web UI
Solution 1: log in with a password instead of Kerberos:
(1) In /etc/httpd/conf.d/ipa.conf set the password option (KrbMethodK5Passwd) to on.
(2) service httpd restart (or ipactl restart).
Note that with KrbMethodK5Passwd on the browser sends the user's password to the server with HTTP Basic authentication on each request, protected only by TLS, instead of presenting a Kerberos ticket; turn it back off once Kerberos login works.
This method worked with Opera on Linux. On Windows no browser worked at first; it started working after setting the network adapter's primary DNS server to the ipaserver so that the server name resolves. The Windows firewall was not involved.
Solution 2: log in with Kerberos:
(1) Enrol the machine you log in from with ipa-client-install so that it joins the IPA server's domain.
(2) In Firefox's about:config set the negotiate option (network.negotiate-auth.trusted-uris) to the domain name.
(3) Then log in. At first this failed: Firefox kept reporting "unknown error"; clearing all history data and stored certificates and restarting Firefox fixed it.