<div dir="ltr">Yes, we have:<br><br>[root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV  _gc._tcp.mydomain.com<br><br>; &lt;&lt;&gt;&gt; DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 &lt;&lt;&gt;&gt; @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com<br>; (1 server found) <br>;; global options: +cmd<br>;; Got answer:<br>;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NXDOMAIN, id: 33340<br>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0<br><br>;; QUESTION SECTION:<br>;_gc._tcp.mydomain.com. IN      SRV<br><br>;; AUTHORITY SECTION:   <br>mydomain.com.   3600    IN      SOA     srvdc03.mydomain.com. hostmaster.airport. 1398582 900 600 86400 3600<br><br>;; Query time: 12 msec<br>;; SERVER: 10.110.3.123#53(10.110.3.123)<br>;; WHEN: Thu Jan 29 13:40:41 2015<br>;; MSG SIZE  rcvd: 98<br><br><br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-01-29 13:33 GMT+01:00 Alon Bar-Lev <span dir="ltr">&lt;<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
----- Original Message -----<br>
&gt; From: &quot;Koen Vanoppen&quot; &lt;<a href="mailto:vanoppen.koen@gmail.com">vanoppen.koen@gmail.com</a>&gt;<br>
&gt; To: &quot;Alon Bar-Lev&quot; &lt;<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>&gt;, <a href="mailto:users@ovirt.org">users@ovirt.org</a><br>
&gt; Sent: Thursday, January 29, 2015 2:19:32 PM<br>
&gt; Subject: Re: [ovirt-users] AAA<br>
&gt;<br>
</span><div><div class="h5">&gt; Big thanks for your help, but still the same:<br>
&gt;<br>
&gt; #<br>
&gt; # Active directory domain name.<br>
&gt; #<br>
&gt; vars.domain = mydomain.com<br>
&gt;<br>
&gt; #<br>
&gt; # Search user and its password.<br>
&gt; #<br>
&gt; vars.user = admin@${global:vars.domain}<br>
&gt; vars.password = *****<br>
&gt;<br>
&gt; #<br>
&gt; # Optional DNS servers, if enterprise<br>
&gt; # DNS server cannot resolve the domain srvrecord.<br>
&gt; #<br>
&gt; vars.dns = dns://srvdc03.${global:vars.domain} dns://srvdc04.${global:vars.domain}<br>
&gt;<br>
&gt; pool.default.serverset.type = srvrecord<br>
&gt; pool.default.serverset.srvrecord.domain = ${global:vars.domain}<br>
&gt; pool.default.auth.simple.bindDN = ${global:vars.user}<br>
&gt; pool.default.auth.simple.password = ${global:vars.password}<br>
&gt;<br>
&gt; # Uncomment if using custom DNS<br>
&gt; pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}<br>
&gt; pool.default.socketfactory.resolver.uRL = ${global:vars.dns}<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;  [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize<br>
&gt; LDAP framework, deferring initialization. Error: No DNS SRV records were<br>
&gt; found with record name &#39;_gc._tcp.brussels.airport&#39;.<br>
&gt;<br>
&gt; And I can&#39;t put &#39;_gc._tcp.mydomain.com&#39; in the DNS... Isn&#39;t there another<br>
&gt; way it just resolves the DNS servers I gave it?<br>
&gt;<br>
<br>
</div></div>A Microsoft domain controller must have a gc service entry within DNS to work properly.<br>
1. Are you sure you have Microsoft DNS installed on srvdc03.mydomain.com?<br>
2. Can you please execute:<br>
$ dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com<br>
3. Can you please open the DNS manager within your domain and search for SRV records? Maybe you have DNS installed on only a few servers; using the DNS manager you can also see which.<br>
<div class="HOEnZb"><div class="h5"><br>
&gt;<br>
&gt; 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev &lt;<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>&gt;:<br>
&gt;<br>
&gt; &gt;<br>
&gt; &gt;<br>
&gt; &gt; ----- Original Message -----<br>
&gt; &gt; &gt; From: &quot;Ondra Machacek&quot; &lt;<a href="mailto:omachace@redhat.com">omachace@redhat.com</a>&gt;<br>
&gt; &gt; &gt; To: &quot;Koen Vanoppen&quot; &lt;<a href="mailto:vanoppen.koen@gmail.com">vanoppen.koen@gmail.com</a>&gt;, <a href="mailto:users@ovirt.org">users@ovirt.org</a><br>
&gt; &gt; &gt; Sent: Thursday, January 29, 2015 1:49:00 PM<br>
&gt; &gt; &gt; Subject: Re: [ovirt-users] AAA<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; On 01/29/2015 12:30 PM, Koen Vanoppen wrote:<br>
&gt; &gt; &gt; &gt; No, I don&#39;t. and I wouldn&#39;t know how he got to this name...<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; Well, then you have to, if you want to use &#39;pool.default.serverset.type<br>
&gt; &gt; &gt; = srvrecord&#39;.<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; It just needs to know where your global catalog is running, since it&#39;s<br>
&gt; &gt; &gt; needed for the new provider.<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; It searches for global catalog like this:<br>
&gt; &gt; &gt; dig @${vars.dns} -t SRV _gc._tcp.${vars.domain}<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; So you need to have this SRV record in DNS, if you want to use srvrecord<br>
&gt; &gt; &gt; serverset type. Or you don&#39;t have to if you use single server type.<br>
&gt; &gt;<br>
&gt; &gt; Active Directory will not work without access to the global catalog.<br>
&gt; &gt; Please set one or more of the domain controllers as DNS server, for<br>
&gt; &gt; example:<br>
&gt; &gt;<br>
&gt; &gt; vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}<br>
&gt; &gt;<br>
&gt; &gt; Please also uncomment/add these lines to make vars.dns effective.<br>
&gt; &gt;<br>
&gt; &gt; pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}<br>
&gt; &gt; pool.default.socketfactory.resolver.uRL = ${global:vars.dns}<br>
&gt; &gt;<br>
&gt; &gt; Thanks!<br>
&gt; &gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; Thanks for the reply!<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; 2015-01-29 11:53 GMT+01:00 Ondra Machacek &lt;<a href="mailto:omachace@redhat.com">omachace@redhat.com</a>&gt;:<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;     On 01/29/2015 11:41 AM, Koen Vanoppen wrote:<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;         Can somebody help me setting up AAA for ovirt 3.5.1?<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;         I&#39;m getting this now:<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;         2015-01-29 11:35:36,889 WARN<br>
&gt; &gt; &gt; &gt;         [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC<br>
&gt; &gt; &gt; &gt;         service thread<br>
&gt; &gt; &gt; &gt;         1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz]<br>
&gt; &gt; &gt; &gt;         Cannot<br>
&gt; &gt; &gt; &gt;         initialize LDAP framework, deferring initialization. Error: An<br>
&gt; &gt; &gt; &gt;         error<br>
&gt; &gt; &gt; &gt;         occurred while attempting to query DNS in order to retrieve SRV<br>
&gt; &gt; &gt; &gt;         records<br>
&gt; &gt; &gt; &gt;         with name &#39;_gc._tcp.brussels.airport&#39;:<br>
&gt; &gt; &gt; &gt;         javax.naming.NameNotFoundException: DNS name not found<br>
&gt; &gt; &gt; &gt;         [response code<br>
&gt; &gt; &gt; &gt;         3]; remaining name &#39;_gc._tcp.brussels.airport&#39;<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;     Do you have this &#39;_gc._tcp.brussels.airport&#39; SRV record in DNS ?<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;         my 3 configs:<br>
&gt; &gt; &gt; &gt;         _*BRU_AIR-authn.properties*_<br>
&gt; &gt; &gt; &gt;         ovirt.engine.extension.name = BRU_AIR-authn<br>
&gt; &gt; &gt; &gt;         ovirt.engine.extension.bindings.method = jbossmodule<br>
&gt; &gt; &gt; &gt;         ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap<br>
&gt; &gt; &gt; &gt;         ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension<br>
&gt; &gt; &gt; &gt;         ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn<br>
&gt; &gt; &gt; &gt;         ovirt.engine.aaa.authn.profile.name = BRU-AIR<br>
&gt; &gt; &gt; &gt;         ovirt.engine.aaa.authn.authz.plugin = BRU_AIR-authz<br>
&gt; &gt; &gt; &gt;         config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;         _*BRU_AIR-authz.properties*_<br>
&gt; &gt; &gt; &gt;         ovirt.engine.extension.name = BRU_AIR-authz<br>
&gt; &gt; &gt; &gt;         ovirt.engine.extension.bindings.method = jbossmodule<br>
&gt; &gt; &gt; &gt;         ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap<br>
&gt; &gt; &gt; &gt;         ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension<br>
&gt; &gt; &gt; &gt;         ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz<br>
&gt; &gt; &gt; &gt;         config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;         _*BRU_AIR.properties*_<br>
&gt; &gt; &gt; &gt;         include = &lt;ad.properties&gt;<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;         #<br>
&gt; &gt; &gt; &gt;         # Active directory domain name.<br>
&gt; &gt; &gt; &gt;         #<br>
&gt; &gt; &gt; &gt;         vars.domain = mydomain.com<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;         #<br>
&gt; &gt; &gt; &gt;         # Search user and its password.<br>
&gt; &gt; &gt; &gt;         #<br>
&gt; &gt; &gt; &gt;         vars.user = admin@${global:vars.domain}<br>
&gt; &gt; &gt; &gt;         vars.password = ***********<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;         #<br>
&gt; &gt; &gt; &gt;         # Optional DNS servers, if enterprise<br>
&gt; &gt; &gt; &gt;         # DNS server cannot resolve the domain srvrecord.<br>
&gt; &gt; &gt; &gt;         #<br>
&gt; &gt; &gt; &gt;         vars.dns = dns://dc01.mydomain.com<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;         pool.default.serverset.type = srvrecord<br>
&gt; &gt; &gt; &gt;         pool.default.serverset.srvrecord.domain = ${global:vars.domain}<br>
&gt; &gt; &gt; &gt;         pool.default.auth.simple.bindDN = ${global:vars.user}<br>
&gt; &gt; &gt; &gt;         pool.default.auth.simple.password = ${global:vars.password}<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;         In the GUI for adding user I get this:<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;         An error occurred while attempting to query DNS in order to<br>
&gt; &gt; &gt; &gt;         retrieve SRV<br>
&gt; &gt; &gt; &gt;         records with name &#39;_gc__tcp_brussels_airport&#39;:<br>
&gt; &gt; &gt; &gt;         javax_naming___NameNotFoundException: DNS name not found<br>
&gt; &gt; &gt; &gt;         [response code<br>
&gt; &gt; &gt; &gt;         3]; remaining name &#39;_gc__tcp_brussels_airport&#39;<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;         Any ideas? I ran out...<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;         Kind regards,<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;         Koen<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;         _________________________________________________<br>
&gt; &gt; &gt; &gt;         Users mailing list<br>
&gt; &gt; &gt; &gt;         <a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
&gt; &gt; &gt; &gt;         <a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt;<br>
&gt;<br>
</div></div></blockquote></div><br></div>
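The check discussed in this thread, as an added example that is not part of any message above and is not the aaa-ldap extension's own code: it expands the profile's variables, derives the dig command for each configured DNS server, and classifies the reply quoted at the top of the thread. It assumes `${global:...}` is plain textual substitution; the function names are hypothetical.

```python
import re

# Profile lines as posted in the thread.
PROFILE = """\
vars.domain = mydomain.com
vars.dns = dns://srvdc03.${global:vars.domain} dns://srvdc04.${global:vars.domain}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
"""

# Header lines of the dig reply quoted at the top of the thread.
DIG_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""

def load_profile(text):
    """Parse 'key = value' lines and expand ${global:key} references (assumed semantics)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    ref = re.compile(r"\$\{global:([^}]+)\}")
    def expand(value):
        return ref.sub(lambda m: expand(props[m.group(1)]), value)
    return {k: expand(v) for k, v in props.items()}

def dig_commands(props):
    """One dig call per configured DNS server for the global catalog SRV name."""
    name = "_gc._tcp." + props["pool.default.serverset.srvrecord.domain"]
    urls = props["pool.default.socketfactory.resolver.uRL"].split()
    return [f"dig @{u[len('dns://'):]} -t SRV {name}" for u in urls]

def diagnose(dig_output):
    """Classify a dig reply from its status, answer count and 'aa' flag."""
    status = re.search(r"status: (\w+)", dig_output).group(1)
    answers = int(re.search(r"ANSWER: (\d+)", dig_output).group(1))
    authoritative = "aa" in re.search(r"flags: ([a-z ]*);", dig_output).group(1).split()
    if status == "NOERROR" and answers:
        return "SRV record present"
    if status == "NXDOMAIN" and authoritative:
        return "record missing in the zone itself (authoritative NXDOMAIN)"
    return f"inconclusive: status={status}, answers={answers}"

if __name__ == "__main__":
    print(*dig_commands(load_profile(PROFILE)), diagnose(DIG_REPLY), sep="\n")
```

An authoritative NXDOMAIN from the server named in `vars.dns` means the record is absent from that server's zone, so changing the resolver settings in the profile will not help.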