[Users] can't add domain with rhevm-manage-domains

Roy Golan rgolan at redhat.com
Tue Sep 4 05:44:08 UTC 2012
----- Original Message -----
> From: "Scotto Alberto" <al.scotto at reply.it>
> To: "Oved Ourfalli" <ovedo at redhat.com>
> Cc: users at ovirt.org
> Sent: Monday, September 3, 2012 4:21:27 PM
> Subject: Re: [Users] can't add domain with rhevm-manage-domains
> 
> Oved,
> Thank you for your try!
> 
> > The query you pasted below shows "DOMAIN.LOCAL".
> That was just an example. The command I ran was correct (FPT.LOCAL)
> 
> The issue seems solved. This morning I tried logging in with my
> domain user and it succeeded.
> Then a colleague of mine stopped again the reverse zone for the AD
> server, and now I can't login again, even after reactivating the
> zone..
> I suppose there must be some cache delay... :S

If you use OpenJDK 1.7 this problem will not surface. Out of curiosity, what is the output of java -version?
> 
> Alberto Scotto
> 
> Blue Reply
> Via Cardinal Massaia, 83
> 10147 - Torino - ITALY
> phone: +39 011 29100
> al.scotto at reply.it
> www.reply.it
> 
> -----Original Message-----
> From: Oved Ourfalli [mailto:ovedo at redhat.com]
> Sent: domenica 2 settembre 2012 15:53
> To: Scotto Alberto
> Cc: users at ovirt.org
> Subject: Re: [Users] can't add domain with rhevm-manage-domains
> 
> Hey,
> 
> What's the name of your domain?
> The query you pasted below shows "DOMAIN.LOCAL".
> However, in the log I see:
> "Failed authenticating user: f35191a to domain fpt.local".
> 
> Did some reading, and it looks like this error happens when the Kerberos
> ticket is requested from the wrong REALM.
> 
> What version are you working with?
> Is there anything else in the logs besides what you have put in
> pastebin?
> 
> Oved
> 
> ----- Original Message -----
> > From: "Scotto Alberto" <al.scotto at reply.it>
> > To: users at ovirt.org
> > Sent: Friday, August 31, 2012 6:45:15 PM
> > Subject: Re: [Users] can't add domain with rhevm-manage-domains
> >
> > Ok, now it works.
> >
> > Thanks to tcpdump/wireshark I could understand that:
> >
> > - Rhevm-manage-domains sends DNS queries asking for PTR of RHEV-H and
> > another redundant domain server, so I
> >
> > - The LDAP query it sends is
> > (&(sAMAccountType=805306368)(userPrincipalName=fptadmin02@DOMAIN.LOCAL))
> > but the account "fptadmin02" I was using had a different userPrincipalName
> >
> > So here is how I solved:
> >
> > - adding the missing PTRs in the reverse zone of the DNS server
> >
> > - logging in with another username that has a correct
> > userPrincipalName
> >
> > Anyhow, after restarting jbossas, I still can't log in to the console
> > with a domain username.
> >
> > From wireshark I see it doesn't even send an LDAP query; it breaks at
> > KRB5 packets with "error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)"
> >
> > Here are the logs from rhevm.log
> >
> > http://pastebin.com/kZqn3kzz
> >
> > From: users-bounces at ovirt.org [mailto:users-bounces at ovirt.org] On
> > Behalf Of Scotto Alberto
> > Sent: venerdì 31 agosto 2012 11:35
> > To: users at ovirt.org
> > Subject: [Users] can't add domain with rhevm-manage-domains
> >
> > Hi all,
> >
> > I'm trying to add a domain (Active Directory), but I can't get it to
> > work.
> >
> > The command I execute is:
> >
> > rhevm-manage-domains -action=add -domain='FPT.LOCAL' -user='fptadmin' -interactive
> >
> > Attached you can find:
> >
> > - Output of the command
> >
> > - Logs from
> > /var/log/rhevm/rhevm-manage-domains/rhevm-manage-domains.log
> >
> > I found a RHEV KB saying:
> >
> > For Error: LDAP query Failed, make sure the Active Directory server
> > and the RHEVM server have the correct PTR records in the DNS reverse
> > lookup zone file
> >
> > And another one says:
> >
> > It's required to create PTR entry into DNS for the following:
> >
> > · Name Server (NS) - Start of Authority (SOA)
> > Example: WIN-TL8JB8JAG8.ad.mydomain.com.
> >
> > · Active Directory Name
> > Example: ad.mydomain.com.
> >
> > · RHEVM machine
> > Example: rhevm.ad.mydomain.com.
> >
> > We are fulfilling this requirement, as nslookup of these 3 machines'
> > IPs works.
> >
> > Additional info.
> >
> > These commands work (if you need I can paste the full output):
> >
> > # dig SRV _kerberos._tcp.FPT.LOCAL
> > # dig SRV _kerberos._udp.FPT.LOCAL
> > # dig SRV _ldap._tcp.FPT.LOCAL
> >
> > # kinit fptadmin02@FPT.LOCAL
> > # klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: fptadmin02@FPT.LOCAL
> >
> > Valid starting     Expires            Service principal
> > 08/30/12 15:55:46  08/31/12 01:55:51  krbtgt/FPT.LOCAL@FPT.LOCAL
> >         renew until 09/06/12 15:55:46
> >
> > Thank you very much in advance
> >
> > --
> > The information transmitted is intended for the person or entity to
> > which it is addressed and may contain confidential and/or
> > privileged
> > material. Any review, retransmission, dissemination or other use
> > of,
> > or taking of any action in reliance upon, this information by
> > persons
> > or entities other than the intended recipient is prohibited.
> > If you received this in error, please contact the sender and delete
> > the material from any computer.
> >
> > _______________________________________________
> > Users mailing list
> > Users at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> >
> 

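The thread's tcpdump findings describe a three-step sequence: SRV lookup of the KDC/LDAP servers, a reverse (PTR) lookup that is used to canonicalize the server name into the Kerberos service principal (so a missing PTR becomes a request for an SPN the KDC has never heard of, which is what KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7) means), and finally an LDAP search keyed on userPrincipalName rather than sAMAccountName. The Python below is an added example that models that sequence so the two failure modes can be reproduced offline; it is not code from oVirt, RHEV-M or anyone in this thread. The hostnames (dc1.fpt.local, rhevm.fpt.local), the 192.0.2.x addresses, the KDC table and the directory entries are all constructed, and the RFC 4515 filter escaping goes slightly beyond what the thread shows.

```python
"""Model of the checks performed when an AD domain is added, reconstructed from the
tcpdump findings in the thread. All DNS, KDC and directory data is constructed."""
import copy

KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = 7   # KDC has no entry for the requested SPN
SAM_NORMAL_USER_ACCOUNT = 805306368   # sAMAccountType value used in the tool's filter

# Constructed DNS view of the domain (hypothetical names, RFC 5737 addresses).
# Note: the engine host has no PTR record, reproducing the first problem in the thread.
DNS = {
    "SRV": {
        "_kerberos._tcp.FPT.LOCAL": ["dc1.fpt.local"],
        "_ldap._tcp.FPT.LOCAL": ["dc1.fpt.local"],
    },
    "A": {"dc1.fpt.local": "192.0.2.10", "rhevm.fpt.local": "192.0.2.20"},
    "PTR": {"192.0.2.10": "dc1.fpt.local"},
}

# Constructed KDC database: the LDAP SPN exists only under the DC's canonical name.
KDC_PRINCIPALS = {"ldap/dc1.fpt.local@FPT.LOCAL", "krbtgt/FPT.LOCAL@FPT.LOCAL"}

# Constructed directory: 'fptadmin' has a UPN that is not sAMAccountName@REALM
# (the second problem in the thread); 'fptadmin02' has a matching UPN.
DIRECTORY = [
    {"sAMAccountName": "fptadmin", "sAMAccountType": SAM_NORMAL_USER_ACCOUNT,
     "userPrincipalName": "a.scotto@fpt.local"},
    {"sAMAccountName": "fptadmin02", "sAMAccountType": SAM_NORMAL_USER_ACCOUNT,
     "userPrincipalName": "fptadmin02@FPT.LOCAL"},
]


def service_principal_for(host, realm, dns=DNS):
    """Derive the LDAP SPN the way an rdns-canonicalizing Kerberos client does:
    resolve the host, reverse-resolve the address, build ldap/<PTR name>@REALM.
    Returns None when the reverse zone has no entry."""
    ip = dns["A"].get(host)
    canonical = dns["PTR"].get(ip)
    return None if canonical is None else f"ldap/{canonical}@{realm}"


def request_service_ticket(host, realm, dns=DNS, kdc=KDC_PRINCIPALS):
    """Simulate the TGS exchange: (0, spn) on success, (7, spn) when the KDC does
    not know the derived name (spn is None if it could not even be derived)."""
    spn = service_principal_for(host, realm, dns)
    if spn is None or spn not in kdc:
        return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, spn
    return 0, spn


def escape_filter_value(value):
    """RFC 4515 escaping so a user-supplied name cannot change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def ldap_filter(user, realm):
    """The filter seen on the wire in the thread, built from user@REALM."""
    upn = escape_filter_value(f"{user}@{realm}")
    return f"(&(sAMAccountType={SAM_NORMAL_USER_ACCOUNT})(userPrincipalName={upn}))"


def search_user(user, realm, directory=DIRECTORY):
    """Evaluate that filter against the constructed entries (AD matches the UPN
    case-insensitively). An empty result is the 'LDAP query Failed' case."""
    wanted = f"{user}@{realm}".lower()
    return [e for e in directory
            if e["sAMAccountType"] == SAM_NORMAL_USER_ACCOUNT
            and e["userPrincipalName"].lower() == wanted]


def preflight(user, realm, engine_host, dns=DNS, kdc=KDC_PRINCIPALS, directory=DIRECTORY):
    """Run the checks in the order the join fails and return readable findings."""
    findings = []
    dcs = dns["SRV"].get(f"_ldap._tcp.{realm}", [])
    for name in (f"_kerberos._tcp.{realm}", f"_ldap._tcp.{realm}"):
        if not dns["SRV"].get(name):
            findings.append(f"missing SRV record {name}")
    for host in [engine_host] + dcs:
        ip = dns["A"].get(host)
        if ip is None or ip not in dns["PTR"]:
            findings.append(f"missing PTR for {host} ({ip})")
    for dc in dcs:
        code, spn = request_service_ticket(dc, realm, dns, kdc)
        if code:
            findings.append(f"KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN ({code}) for {dc}, "
                            f"derived SPN {spn}")
    if not search_user(user, realm, directory):
        findings.append(f"no entry matches {ldap_filter(user, realm)}; "
                        "check the account's userPrincipalName")
    return findings


def without_dc_ptr(dns=DNS):
    """Constructed variant with the reverse zone emptied, reproducing the colleague's
    'stopped the reverse zone' experiment from the thread."""
    broken = copy.deepcopy(dns)
    broken["PTR"].clear()
    return broken
```

Running preflight("fptadmin", "FPT.LOCAL", "rhevm.fpt.local") against the constructed tables reports the missing engine PTR and the UPN mismatch but no Kerberos error, matching the first message; against without_dc_ptr() the DC's SPN can no longer be derived and the Kerberos step fails with error 7 before any LDAP query is sent, matching the later message. To point the same logic at a real environment, swap the dictionary lookups for socket.gethostbyaddr, dig SRV and an ldapsearch with the printed filter.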
