<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style>
<!--
@font-face
        {font-family:Wingdings}
@font-face
        {font-family:Wingdings}
@font-face
        {font-family:Calibri}
@font-face
        {font-family:Tahoma}
@font-face
        {font-family:Consolas}
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif"}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline}
p
        {margin-right:0cm;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman","serif"}
code
        {font-family:"Courier New"}
pre
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New"}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {margin-top:0cm;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:36.0pt;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif"}
span.HTMLPreformattedChar
        {font-family:"Consolas","serif"}
span.emailstyle17
        {font-family:"Calibri","sans-serif";
        color:windowtext}
span.htmlpreformattedchar0
        {font-family:"Courier New"}
span.EmailStyle25
        {font-family:"Calibri","sans-serif";
        color:#1F497D}
.MsoChpDefault
        {font-size:10.0pt}
@page WordSection1
        {margin:70.85pt 2.0cm 2.0cm 2.0cm}
div.WordSection1
        {}
ol
        {margin-bottom:0cm}
ul
        {margin-bottom:0cm}
-->
</style>
</head>
<body lang="IT" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Ok, now it works.</span></p>
<p class="MsoNormal"><span style="color:#1F497D">&nbsp;</span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Thanks to tcpdump/wireshark I could understand that:</span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span lang="EN-US" style="color:#1F497D"><span style="">-<span style="font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><span lang="EN-US" style="color:#1F497D">Rhevm-manage-domains sends DNS queries asking for PTR of RHEV-H and another redundant domain server, so I
</span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span lang="EN-US" style="color:#1F497D"><span style="">-<span style="font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><span lang="EN-US" style="color:#1F497D">The LDAP query it sends is <code>(&amp;(sAMAccountType=805306368)(userPrincipalName=fptadmin02@DOMAIN.LOCAL))</code> but the account &#8220;fptadmin02&#8221; I was using had a different userPrincipalName</span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">&nbsp;</span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">So here is how I solved it:</span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span lang="EN-US" style="color:#1F497D"><span style="">-<span style="font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><span lang="EN-US" style="color:#1F497D">adding the missing PTRs in the reverse zone of the DNS server</span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span lang="EN-US" style="color:#1F497D"><span style="">-<span style="font:7.0pt &quot;Times New Roman&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><span lang="EN-US" style="color:#1F497D">logging in with another username that has a correct userPrincipalName</span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">&nbsp;</span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Anyhow, after restarting jbossas, I still can&#8217;t log in to the console with a domain username.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">From wireshark I see it doesn&#8217;t even send an LDAP query; it breaks at KRB5 packets with &#8220;error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)&#8221;</span></p>
<p class="MsoNormal"><span lang="EN-US">&nbsp;</span></p>
<p class="MsoNormal"><span lang="EN-US">Here are the logs from rhevm.log</span></p>
<p class="MsoNormal"><a href="http://pastebin.com/kZqn3kzz">http://pastebin.com/kZqn3kzz</a></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">&nbsp;</span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">&nbsp;</span></p>
<div><br>
<br>
<div align="left">
<p style="font-family:Calibri,Sans-Serif; font-size:10pt"><span style="color:#000000; font-weight:bold">Alberto Scotto</span>
<span style="color:#808080"></span><br>
<br>
<span style="color:#808080">Via Cardinal Massaia, 83<br>
10147 - Torino - ITALY <br>
phone: &#43;39 011 29100 <br>
<a href="mailto:al.scotto@reply.it" target="" style="color:blue; text-decoration:underline">al.scotto@reply.it</a>
<br>
<a title="" href="http://www.reply.it" target="" style="color:blue; text-decoration:underline">www.reply.it</a>
</span><br>
&nbsp;</p>
</div>
<div style="border:none; border-top:solid #B5C4DF 1.0pt; padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-left:35.4pt"><b><span lang="EN-US" style="font-size:10.0pt; font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span lang="EN-US" style="font-size:10.0pt; font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> users-bounces@ovirt.org [mailto:users-bounces@ovirt.org]
<b>On Behalf Of </b>Scotto Alberto<br>
<b>Sent:</b> Friday 31 August 2012 11:35<br>
<b>To:</b> users@ovirt.org<br>
<b>Subject:</b> [Users] can't add domain with rhevm-manage-domains</span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:35.4pt">&nbsp;</p>
<div>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">Hi all,</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">I&#8217;m trying to add a domain (active directory), but I can&#8217;t get it to work.</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">&nbsp;</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">The command I execute is:</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US"><code>rhevm-manage-domains -action=add -domain='FPT.LOCAL' -user='fptadmin' -interactive</code></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">&nbsp;</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">Attached you can find:</span></p>
<p class="MsoListParagraph" style="margin-left:71.4pt; text-indent:-18.0pt"><span lang="EN-US">-</span><span lang="EN-US" style="font-size:7.0pt; font-family:&quot;Times New Roman&quot;,&quot;serif&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><span lang="EN-US">Output of the command</span></p>
<p class="MsoListParagraph" style="margin-left:71.4pt; text-indent:-18.0pt"><span lang="EN-US">-</span><span lang="EN-US" style="font-size:7.0pt; font-family:&quot;Times New Roman&quot;,&quot;serif&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><span lang="EN-US">Logs from /var/log/rhevm/rhevm-manage-domains/rhevm-manage-domains.log</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">&nbsp;</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">&nbsp;</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">I found a RHEV KB saying:
</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">&nbsp;</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">For <strong><span style="font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">Error: LDAP query Failed</span></strong>, make sure the Active Directory server
<strong><span style="font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">and</span></strong> the RHEVM server have the correct PTR records in the DNS reverse lookup zone file</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">&nbsp;</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">And another one says:</span></p>
<p style="margin-left:35.4pt"><span lang="EN-US">It's required to create PTR entry into DNS for the following:</span></p>
<p style="margin-left:71.4pt; text-indent:-18.0pt"><span lang="EN-US" style="font-size:10.0pt; font-family:Symbol">·</span><span lang="EN-US" style="font-size:7.0pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><span lang="EN-US">Name Server (NS) - Start of Authority (SOA)<br>
Example: WIN-TL8JB8JAG8.ad.mydomain.com.</span></p>
<p style="margin-left:71.4pt; text-indent:-18.0pt"><span lang="EN-US" style="font-size:10.0pt; font-family:Symbol">·</span><span lang="EN-US" style="font-size:7.0pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><span lang="EN-US">Active Directory Name<br>
Example: ad.mydomain.com.</span></p>
<p style="margin-left:71.4pt; text-indent:-18.0pt"><span lang="EN-US" style="font-size:10.0pt; font-family:Symbol">·</span><span lang="EN-US" style="font-size:7.0pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span><span lang="EN-US">RHEVM machine<br>
Example: rhevm.ad.mydomain.com.</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">We are fulfilling this requirement, as nslookup of these 3 machines&#8217; IPs works.</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">&nbsp;</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">Additional info.</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">&nbsp;</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">These commands work (if you need I can paste the full output):</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">&nbsp;</span></p>
<pre style="margin-left:35.4pt"><code><span lang="EN-US"># dig SRV _kerberos._tcp.FPT.LOCAL</span></code></pre>
<pre style="margin-left:35.4pt"><code><span lang="EN-US"># dig SRV _kerberos._udp.FPT.LOCAL</span></code></pre>
<pre style="margin-left:35.4pt"><code><span lang="EN-US"># dig SRV _ldap._tcp.FPT.LOCAL</span></code></pre>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">&nbsp;</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="font-size:10.0pt; font-family:&quot;Courier New&quot;"># kinit fptadmin02@FPT.LOCAL</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="font-size:10.0pt; font-family:&quot;Courier New&quot;"># klist</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="font-size:10.0pt; font-family:&quot;Courier New&quot;">Ticket cache: FILE:/tmp/krb5cc_0</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="font-size:10.0pt; font-family:&quot;Courier New&quot;">Default principal: fptadmin02@FPT.LOCAL</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="font-size:10.0pt; font-family:&quot;Courier New&quot;">&nbsp;</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="font-size:10.0pt; font-family:&quot;Courier New&quot;">Valid starting&nbsp;&nbsp;&nbsp;&nbsp; Expires&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Service principal</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="font-size:10.0pt; font-family:&quot;Courier New&quot;">08/30/12 15:55:46&nbsp; 08/31/12 01:55:51&nbsp; krbtgt/FPT.LOCAL@FPT.LOCAL</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="font-size:10.0pt; font-family:&quot;Courier New&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; renew until 09/06/12 15:55:46</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="font-size:10.0pt; font-family:&quot;Courier New&quot;">&nbsp;</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="font-size:10.0pt; font-family:&quot;Courier New&quot;">&nbsp;</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US">Thank you very much in advance</span></p>
</div>
<p class="MsoNormal" style="margin-right:0cm; margin-bottom:12.0pt; margin-left:35.4pt">
<span style="font-size:12.0pt; font-family:&quot;Times New Roman&quot;,&quot;serif&quot;">&nbsp;</span></p>
<p style="margin-left:35.4pt"><b><span style="font-size:10.0pt; font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;; color:black">Alberto Scotto</span></b><span style="font-size:10.0pt; font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">
<br>
<br>
<span style="color:gray">Via Cardinal Massaia, 83<br>
10147 - Torino - ITALY <br>
phone: &#43;39 011 29100 <br>
<a href="mailto:al.scotto@reply.it">al.scotto@reply.it</a> <br>
<a href="http://www.reply.it" title="">www.reply.it</a> </span><br>
&nbsp;</span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span style="font-size:12.0pt; font-family:&quot;Times New Roman&quot;,&quot;serif&quot;">&nbsp;</span></p>
<div class="MsoNormal" align="center" style="margin-left:35.4pt; text-align:center">
<span style="font-size:12.0pt; font-family:&quot;Times New Roman&quot;,&quot;serif&quot;">
<hr size="2" width="100%" align="center">
</span></div>
<p class="MsoNormal" style="margin-left:35.4pt"><span style="font-size:7.5pt; font-family:&quot;Arial&quot;,&quot;sans-serif&quot;; color:gray"><br>
--<br>
The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information
 by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.</span><span style="font-size:12.0pt; font-family:&quot;Times New Roman&quot;,&quot;serif&quot;"></span></p>
</div>
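The search filter seen in the capture above, and the userPrincipalName mismatch it exposed, as an added offline Python model (example written for this page, not RHEV/oVirt code): the directory entries are constructed, and the case-insensitive comparison of userPrincipalName is an assumption about how AD matches that attribute.

```python
"""Offline model of the user lookup rhevm-manage-domains performs.
Added example, not RHEV/oVirt code; the directory below is constructed."""
import re

# sAMAccountType 805306368 (0x30000000) = SAM_NORMAL_USER_ACCOUNT,
# the value in the filter captured with wireshark.
SAM_NORMAL_USER_ACCOUNT = 805306368

# Constructed directory snapshot. The second entry reproduces the failure
# from the thread: its userPrincipalName suffix is not the Kerberos realm.
DIRECTORY = [
    {"sAMAccountName": "fptadmin", "sAMAccountType": 805306368,
     "userPrincipalName": "fptadmin@FPT.LOCAL"},
    {"sAMAccountName": "fptadmin02", "sAMAccountType": 805306368,
     "userPrincipalName": "fptadmin02@fpt.corp"},
    {"sAMAccountName": "rhevm-host$", "sAMAccountType": 805306369,
     "userPrincipalName": None},  # machine account, never matches
]

def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def build_user_filter(user, realm):
    """Reproduce the captured filter:
    (&(sAMAccountType=805306368)(userPrincipalName=user@REALM))"""
    upn = escape_filter_value("%s@%s" % (user, realm))
    return "(&(sAMAccountType=%d)(userPrincipalName=%s))" % (
        SAM_NORMAL_USER_ACCOUNT, upn)

def find_by_upn(user, realm, directory=DIRECTORY):
    """Apply that filter's semantics to the constructed entries.
    Assumption: AD compares userPrincipalName case-insensitively."""
    wanted = ("%s@%s" % (user, realm)).lower()
    return [e for e in directory
            if e["sAMAccountType"] == SAM_NORMAL_USER_ACCOUNT
            and (e["userPrincipalName"] or "").lower() == wanted]

def explain_lookup(user, realm, directory=DIRECTORY):
    """Diagnose a failed lookup the way the trace did: when the UPN filter
    matches nothing, report the UPN the account actually carries."""
    if find_by_upn(user, realm, directory):
        return "ok"
    by_name = [e for e in directory
               if e["sAMAccountName"].lower() == user.lower()]
    if not by_name:
        return "no account named %s" % user
    return "UPN mismatch: expected %s@%s, directory has %s" % (
        user, realm, by_name[0]["userPrincipalName"])
```

Running explain_lookup("fptadmin02", "FPT.LOCAL") against the constructed directory reports the mismatch; the same account found by sAMAccountName would pass a filter built from its real UPN suffix.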
</body>
</html>