<div dir="ltr"><div>Thanks Yair, </div><div> </div><div>I made the changes to the engine-manage-domains script as suggested in the Gerrit link - that now works just fine, and also confirms what I thought the problem was all along - namely that the configured username returned on an `engine-manage-domains --action=list` is that of the previous admin. </div>
<div> </div><div>The problem being that their account is no longer valid within the Active Directory, hence validation fails.</div><div> </div><div>I've trawled the various oVirt config directories but can't find a resource that holds the username to use on the LDAP query. Presumably this is something that gets set up at install time? </div>
<div> </div><div>Is there a way to re-configure the underlying username? </div><div> </div><div>Many thanks,</div><div>Trevor</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 25 July 2013 22:29, Yair Zaslavsky <span dir="ltr"><<a href="mailto:yzaslavs@redhat.com" target="_blank">yzaslavs@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><br>
<br>
----- Original Message -----<br>
> From: "Trevor Galloway" <<a href="mailto:trevgall@googlemail.com">trevgall@googlemail.com</a>><br>
> To: <a href="mailto:users@ovirt.org">users@ovirt.org</a><br>
> Sent: Thursday, July 25, 2013 7:51:56 PM<br>
> Subject: [Users] Problem running engine-manage-domain on oVirt 3.1.0-4<br>
><br>
> Hello oVirt Users,<br>
><br>
><br>
><br>
> Just signed up to the user mailing list and have a question regarding an<br>
> error being reported to stdout when running engine-manage-domains.<br>
><br>
><br>
><br>
> When running the `engine-manage-domains` utility from the command line I<br>
> see the following error reported:<br>
><br>
><br>
><br>
</div>> *[root@hive ovirt-engine]# engine-manage-domains -action=list*<br>
><br>
> *Failed reading current configuration. Details: Error "Key for add<br>
> operation must be defined!" while reading configuration value AdUserName.*<br>
<div class="im">><br>
><br>
><br>
> A quick Google on this leads directly to Bugzilla – Bug 883846 – which<br>
> looks like it’s fixed in the 3.2 version. Can anyone confirm that? I’ve<br>
> inherited a DL580 running oVirt Manager and a bunch of VMs, and don’t<br>
> really want to undertake an upgrade just now if I don’t have to.<br>
<br>
</div>This is indeed the issue.<br>
<div class="im"><br>
><br>
><br>
><br>
><br>
><br>
> The real problem seems to be that I can’t assign a user with any roles<br>
> since the LDAP lookup to the active server fails – due, I think, to the<br>
> fact that the query is configured to authenticate with the previous admin’s<br>
> credentials – they left and the account is now disabled.<br>
><br>
><br>
><br>
> From the /var/log/ovirt-engine/engine.log<br>
><br>
</div>> *2013-07-25 11:32:15,574 ERROR<br>
<div class="im">> [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]<br>
> (ajp--0.0.0.0-8009-1) Authentication failed. The user is either locked or<br>
</div>> disabled*<br>
><br>
> *2013-07-25 11:32:15,575 ERROR<br>
<div class="im">> [org.ovirt.engine.core.bll.adbroker.DirectorySearcher]<br>
> (ajp--0.0.0.0-8009-1) Failed ldap search server<br>
> LDAP://<my_active_directory>:389 due to<br>
> org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We<br>
> should not try the next server:<br>
</div>> org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException*<br>
><br>
> * *<br>
<div class="im">><br>
> The above gets written out as soon as I hit the Go button in the Add System<br>
> Permission to User dialogue window.<br>
<br>
</div>engine-manage-domains uses engine-config and provides it with a configuration (after the above bug fix) with keys in the form of "key=".<br>
If you really don't want to upgrade, maybe you should consider editing the engine-manage-domains script, as in<br>
<br>
<a href="http://gerrit.ovirt.org/#/c/9743/3/backend/manager/conf/kerberos/engine-manage-domains" target="_blank">http://gerrit.ovirt.org/#/c/9743/3/backend/manager/conf/kerberos/engine-manage-domains</a> ?<br>
<br>
You will have to do that for any altering operations on domains and their associated users.<br>
<br>
Please let us know if it worked for you.<br>
<br>
Many thanks,<br>
Yair<br>
<div class="im"><br>
<br>
><br>
><br>
><br>
> Thanks in advance for any advice!<br>
><br>
</div>
</blockquote></div><br></div>