On 09/16/2012 09:01 AM, Oved Ourfalli wrote:
<top posting>
Hey,
According to the call stack, it looks like something is wrong in the root DSE attributes
(whether due to a bug in the engine, or some configuration that can be done in AD).
Please provide us this information by using the following commands:
ldapsearch -LLL -D user@example.com -h <AD-SERVER> -b "" -s base objectClass=*
Oved

In addition to Oved's words -
When looking at history of ADRootDSE I see it's probably something with
the domainControllerFunctionality attribute (the attributes that we're
checking are domainControllerFunctionality, domainFunctionality and
defaultNamingContext).
However - the best approach is indeed to run the ldapsearch and provide
its output.
Yair

----- Original Message -----
> From: "Joop" <jvdwege(a)xs4all.nl>
> To: "<users(a)ovirt.org>" <users(a)ovirt.org>
> Sent: Saturday, September 15, 2012 1:07:06 AM
> Subject: [Users] ActiveDirectory problems
>
> Hi List,
>
> I have been reading the list for quite some time and I have a question
> because I can't find the problem myself.
> I have an oVirt-3.1 setup with 3 nodes (Fed17 install from LiveCD +
> vdsm) and an engine install. So far this all works. Can create VMs,
> can migrate them, no problems (well, one, but that's for another post,
> vdsmd doesn't start at system start).
> Version of oVirt that's installed:
> Installed Packages
> ovirt-engine.noarch                        3.1.0-2.fc17             @ovirt-beta
> ovirt-engine-backend.noarch                3.1.0-2.fc17             @ovirt-beta
> ovirt-engine-cli.noarch                    3.1.0.6-1.fc17           @ovirt-beta
> ovirt-engine-config.noarch                 3.1.0-2.fc17             @ovirt-beta
> ovirt-engine-dbscripts.noarch              3.1.0-2.fc17             @ovirt-beta
> ovirt-engine-genericapi.noarch             3.1.0-2.fc17             @ovirt-beta
> ovirt-engine-notification-service.noarch   3.1.0-2.fc17             @ovirt-beta
> ovirt-engine-restapi.noarch                3.1.0-2.fc17             @ovirt-beta
> ovirt-engine-sdk.noarch                    3.1.0.4-1.fc17           @ovirt-beta
> ovirt-engine-setup.noarch                  3.1.0-2.fc17             @ovirt-beta
> ovirt-engine-tools-common.noarch           3.1.0-2.fc17             @ovirt-beta
> ovirt-engine-userportal.noarch             3.1.0-2.fc17             @ovirt-beta
> ovirt-engine-webadmin-portal.noarch        3.1.0-2.fc17             @ovirt-beta
> ovirt-image-uploader.noarch                3.1.0-0.git9c42c8.fc17   @ovirt-beta
> ovirt-iso-uploader.noarch                  3.1.0-0.git1841d9.fc17   @ovirt-beta
> ovirt-log-collector.noarch                 3.1.0-0.git10d719.fc17   @ovirt-beta
>
> Next step is integrating with our AD setup. Ran
> engine-manage-domains -action=add -provider=ActiveDirectory -domain=nieuwland.local -user=admin -interactive
> Message is:
> WARNING: No permissions were added to the Engine. Login either with the internal admin user or with another configured user
> Successfully added domain nieuwland.local. oVirt Engine restart is required in order for the changes to take place (service
> Manage Domains completed successfully
>
> The specified admin is a DomainAdministrator.
>
> The logfile in /var/log/engine/engine-manage-domains also says OK. The
> resulting krb5.conf in /etc/ovirt-engine looks also OK. The AD servers
> are resolvable forward and backward.
> Then I'm lost because when I log into the Admin portal with the internal
> admin account and go to the Users tab and want to add a user from the
> nieuwland.local, myself (jvandewege) realm it won't work and I get the
> following in engine.log
>
> 2012-09-14 12:55:26,104 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-12) Failed ldap search server LDAP://digit.nieuwland.local:389 due to java.lang.NullPointerException. We should try the next server: java.lang.NullPointerException
>   at org.ovirt.engine.core.bll.adbroker.ADRootDSE.<init>(ADRootDSE.java:26) [engine-bll.jar:]
>   at org.ovirt.engine.core.bll.adbroker.RootDSEFactory.get(RootDSEFactory.java:14) [engine-bll.jar:]
>   at org.ovirt.engine.core.bll.adbroker.GetRootDSETask.setRootDSE(GetRootDSETask.java:97) [engine-bll.jar:]
>   at org.ovirt.engine.core.bll.adbroker.GetRootDSETask.call(GetRootDSETask.java:68) [engine-bll.jar:]
>   at org.ovirt.engine.core.bll.adbroker.DirectorySearcher.find(DirectorySearcher.java:91) [engine-bll.jar:]
>   at org.ovirt.engine.core.bll.adbroker.DirectorySearcher.FindOne(DirectorySearcher.java:39) [engine-bll.jar:]
>   at org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand.executeQuery(LdapAuthenticateUserCommand.java:44) [engine-bll.jar:]
>   at org.ovirt.engine.core.bll.adbroker.LdapBrokerCommandBase.Execute(LdapBrokerCommandBase.java:68) [engine-bll.jar:]
>   at org.ovirt.engine.core.bll.adbroker.LdapBrokerBase.RunAdAction(LdapBrokerBase.java:18) [engine-bll.jar:]
>   at org.ovirt.engine.core.bll.LoginUserCommand.authenticateUser(LoginUserCommand.java:30) [engine-bll.jar:]
>   at org.ovirt.engine.core.bll.LoginBaseCommand.isUserCanBeAuthenticated(LoginBaseCommand.java:177) [engine-bll.jar:]
>   at org.ovirt.engine.core.bll.LoginAdminUserCommand.canDoAction(LoginAdminUserCommand.java:14) [engine-bll.jar:]
>   at org.ovirt.engine.core.bll.CommandBase.InternalCanDoAction(CommandBase.java:486) [engine-bll.jar:]
>   at org.ovirt.engine.core.bll.CommandBase.ExecuteAction(CommandBase.java:261) [engine-bll.jar:]
>   at org.ovirt.engine.core.bll.Backend.Login(Backend.java:481) [engine-bll.jar:]
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_05-icedtea]
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_05-icedtea]
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_05-icedtea]
>   at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_05-icedtea]
>   at org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
>   at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:374) [jboss-invocation.jar:1.1.1.Final]
>   at org.ovirt.engine.core.utils.ThreadLocalSessionCleanerInterceptor.injectWebContextToThreadLocal(ThreadLocalSessionCleanerInterceptor.java:11) [engine-utils.jar:]
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_05-icedtea]
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_05-icedtea]
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_05-icedtea]
>   at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_05-icedtea]
>   at org.jboss.as.ee.component.ManagedReferenceLifecycleMethodInterceptorFactory$ManagedReferenceLifecycleMethodInterceptor.processInvocation(ManagedReferenceLifecycleMethodInterceptorFactory.java:123) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
>   at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation.jar:1.1.1.Final]
>   at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:36) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
>   at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21) [jboss-invocation.jar:1.1.1.Final]
>   at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
>   at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.1.Final]
>   at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
>   at org.jboss.as.ejb3.component.singleton.SingletonComponentInstanceAssociationInterceptor.processInvocation(SingletonComponentInstanceAssociationInterceptor.java:53) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
>   at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInNoTx(CMTTxInterceptor.java:211) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.as.ejb3.tx.CMTTxInterceptor.supports(CMTTxInterceptor.java:363) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:194) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
>   at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
>   at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
>   at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
>   at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
>   at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.1.Final]
>   at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:173) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
>   at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.1.Final]
>   at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>   at org.ovirt.engine.core.common.interfaces.BackendLocal$$$view9.Login(Unknown Source) [engine-common.jar:]
>   at org.ovirt.engine.ui.frontend.server.gwt.GenericApiGWTServiceImpl.Login(GenericApiGWTServiceImpl.java:157)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_05-icedtea]
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_05-icedtea]
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_05-icedtea]
>   at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_05-icedtea]
>   at com.google.gwt.rpc.server.RPC.invokeAndStreamResponse(RPC.java:196)
>   at com.google.gwt.rpc.server.RpcServlet.processCall(RpcServlet.java:161)
>   at com.google.gwt.rpc.server.RpcServlet.processPost(RpcServlet.java:222)
>   at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-3.0-api.jar:1.0.1.Final]
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-3.0-api.jar:1.0.1.Final]
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
>   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
>   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
>   at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
>   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
>   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>   at org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:466)
>   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
>   at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:505)
>   at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:445)
>   at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
>   at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_05-icedtea]
>
> 2012-09-14 12:55:26,124 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--0.0.0.0-8009-12) Failed authenticating user: admin to domain nieuwland.local. Ldap Query Type is getUserByName
> 2012-09-14 12:55:26,125 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-12) USER_FAILED_TO_AUTHENTICATE : admin
> 2012-09-14 12:55:26,125 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-12) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE
> 2012-09-14 12:57:07,027 INFO [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-5) Checking if user admin@internal is an admin, result true
> 2012-09-14 12:57:07,029 INFO [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-5) Running command: LoginAdminUserCommand internal: false.
>
> Using Wireshark I don't see what I expected namely a well formed ldap
> search and a result. Can provide the dmp if needed.
>
> Anyone had any luck and is willing to help me out?
>
> Thanks in advance,
>
> Joop
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
>
http://lists.ovirt.org/mailman/listinfo/users
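
An added example, not part of the thread and not oVirt code: a shell function that reads the rootDSE LDIF returned by the ldapsearch command requested above and lists which of the three attributes named in the reply (domainControllerFunctionality, domainFunctionality, defaultNamingContext) are absent or empty. The function name and both sample LDIF strings are constructed for illustration.

```shell
#!/bin/sh
# Added example; the function name and the sample LDIF are constructed.
# Attribute names come from the thread (the ones ADRootDSE is said to check).
REQUIRED_ATTRS="domainControllerFunctionality domainFunctionality defaultNamingContext"

# Reads `ldapsearch -LLL ... -b "" -s base` output (LDIF) on stdin and prints
# the required attributes that are absent or empty, space-separated.
missing_rootdse_attrs() {
    awk -v required="$REQUIRED_ATTRS" '
        # LDIF folds long values: a continuation line starts with one space.
        /^ / { if (name != "") value[name] = value[name] substr($0, 2); next }
        /^#/ || /^$/ { name = ""; next }
        {
            idx = index($0, ":")
            if (idx == 0) { name = ""; next }
            name = tolower(substr($0, 1, idx - 1))   # names are case-insensitive
            v = substr($0, idx + 1)
            sub(/^:?[ \t]*/, "", v)                  # plain "a: v" or base64 "a:: v"
            value[name] = value[name] v
        }
        END {
            n = split(required, want, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (value[tolower(want[i])] == "")
                    out = out (out == "" ? "" : " ") want[i]
            print out
        }'
}

# Constructed rootDSE replies: one complete, one lacking an attribute.
SAMPLE_OK='dn:
defaultNamingContext: DC=example,DC=local
domainFunctionality: 4
domainControllerFunctionality: 4
'
SAMPLE_PARTIAL='dn:
defaultNamingContext: DC=example,
 DC=local
domainFunctionality: 4
supportedLDAPVersion: 3
'

printf 'complete reply, missing: [%s]\n' "$(printf '%s' "$SAMPLE_OK" | missing_rootdse_attrs)"
printf 'partial reply,  missing: [%s]\n' "$(printf '%s' "$SAMPLE_PARTIAL" | missing_rootdse_attrs)"
```

Piping the real ldapsearch output into `missing_rootdse_attrs` gives the same report for a live domain controller.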