On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky <yzaslavs(a)redhat.com> wrote:
------------------------------
*From: *"Cristian Falcas" <cristi.falcas(a)gmail.com>
*To: *"Itamar Heim" <iheim(a)redhat.com>
*Cc: *"Yair Zaslavsky" <yzaslavs(a)redhat.com>, users(a)ovirt.org
*Sent: *Tuesday, November 20, 2012 7:33:39 PM
*Subject: *Re: [Users] I don't know how to add AD users
On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim <iheim(a)redhat.com> wrote:
> On 11/20/2012 03:00 PM, Cristian Falcas wrote:
>
>> Hi,
>>
>> So there is no way to use the domain I have at work, right?
>>
>> I will need to make a freeipa installation in order to add new users.
>>
>
> there is no reason this shouldn't work with active directory 2003
> (assuming its forest level isn't still in AD 2000 compatibility mode?).
> tcpdump for the traffic during engine-manage-domains should help
> diagnosing why.
>
>
>> Cristian
>>
>>
>> On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas <cristi.falcas(a)gmail.com> wrote:
>>
>> On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim(a)redhat.com> wrote:
>>
>> On 11/20/2012 09:56 AM, Cristian Falcas wrote:
>>
>> On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs(a)redhat.com> wrote:
>>
>> On 11/20/2012 09:05 AM, Cristian Falcas wrote:
>>
>> On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs(a)redhat.com> wrote:
>>
>> On 11/20/2012 12:39 AM, Cristian Falcas wrote:
>>
>> On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim(a)redhat.com> wrote:
>>
>> On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
>>
>> On 11/19/2012 10:01 AM, Cristian Falcas wrote:
>>
>> Hi,
>>
>> I'm trying to add some users to ovirt using an AD.
>>
>> This is the configuration I used for a mediawiki site, which is working correctly:
>> $wgAuth = new LdapAuthenticationPlugin();
>> $wgLDAPUseLocal = true;
>> $wgLDAPDomainNames = array( "a_domain");
>> $wgLDAPServerNames = array( "a_domain"=>"site.example.com");
>> $wgLDAPEncryptionType = array( "a_domain"=>"clear");
>> $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME");
>> $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com");
>>
>> Those are the commands I tried using:
>> engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive
>>
>> engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name(a)company.com -interactive
>>
>> engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name(a)site.example.com -interactive
>>
>> You don't add a user this way. You add the domain. You have to pass the domain admin user and the domain admin password.
>>
>>
>> any domain user will do, doesn't have
>> to be an admin.
>> what does the log say?
>>
>>
>> Then you can use the domain within the engine. e.g. search users, add access rights for vms etc.
>> Even login to the engine and assigning rights within the engine you can handle from the engine itself.
>>
>> Regards,
>>
>> And the output on all tries:
>> Enter password:
>>
>> Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct..
>> Problematic domain is: domain_used_in_command
>> Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
>>
>> Can someone help me with the correct parameters?
>>
>> Best regards,
>> Cristian Falcas
>>
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>> --
>> Regards,
>>
>> Vinzenz Feenstra | Senior Software Engineer
>> RedHat Engineering Virtualization R & D
>> Phone: +420 532 294 625
>> IRC: vfeenstr or evilissimo
>>
>> Better technology. Faster innovation. Powered by community collaboration.
>> See how it works at redhat.com
>>
>> Hi,
>>
>> This is the command I used (the same error is with -interactive parameter):
>>
>> engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass
>>
>> [root@localhost ~]# cat /tmp/pass
>> qwerty[root@localhost ~]#
>>
>> This is the log:
>>
>> 2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
>> 2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
>> 2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
>> 2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
>> 2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
>>
>> Hi, the error indicates you don't have kerberos configured.
>> manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to run ldapsearch with -Y gssapi option).
>> I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well).
>>
>> This is the ldapsearch command that works (it retrieves users) from the same machine:
>>
>> ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty
>>
>> Best regards,
>> Cristian Falcas
>>
>> Hi,
>>
>> I used "-x" for ldapsearch and the result is the same: list retrieved.
>> Is there any equivalent for engine-manage-domains?
>>
>> Cristian
>>
>> Hi Cristian, there is no code allowing to add simple-authentication domains to Manage-Domains.
>> In the past we did have the ability to do that, but there are several problematic issues.
>> What ldap server are you working against? Maybe I missed that
>>
>> Hi,
>>
>> The server is a Microsoft AD 2003.
>>
>> Best regards,
>> Cristian Falcas
>>
>> this should work, is the AD also the DNS server for the ovirt engine machine?
>>
>> yes
>>
>
>
Could you take a look at the tcp dump? There are only 2 messages relevant to this (let me know if you want the full dump):
- 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV _kerberos._tcp.EXAMPLE.COM
- 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 100 88 site3.example.com

Also, I tried to run ldapsearch with -Y gssapi:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No worthy mechs found

Best regards,
Cristian Falcas

The SRV records look fine.
If I remember correctly, your DNS should have a reverse-resolve PTR record to your engine machine. Does it exist?

I don't think so (10.0.0.xx is engine machine, 10.0.0.yyy is dns):
[root@localhost ~]# nslookup 10.0.0.xx
Server: 10.0.0.yyy
Address: 10.0.0.yyy#53
** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN
[root@localhost ~]# host 10.0.0.xx
Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
I will ask them to add a DNS record for the machine.
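As an added example that is not part of the thread, a small Python checker for the DNS prerequisites the thread walks through: the _kerberos._tcp SRV records for the realm, forward resolution of each advertised KDC, and a forward-confirmed PTR record for the engine host. The resolvers are injected and the zone data is constructed (the three KDC names come from the tcpdump above; their addresses, the engine.example.com name and the 10.0.0.11 client address are made up), so it runs offline.

```python
# Added example (not from the thread): check the DNS records that a GSSAPI/Kerberos
# bind to Active Directory depends on. Resolver functions are injected so the same
# logic runs against the constructed zone below and against real DNS in production.

def check_kerberos_dns(realm, client_ip, lookup_srv, lookup_a, lookup_ptr):
    """Return (ok, message) pairs; each False entry is a likely cause of
    'Cannot locate KDC' or of a failing GSSAPI bind."""
    findings = []
    # Kerberos realms are conventionally the DNS domain in upper case.
    srv_name = f"_kerberos._tcp.{realm.upper()}"
    kdcs = lookup_srv(srv_name)  # list of (priority, weight, port, target)
    if not kdcs:
        findings.append((False, f"no SRV record for {srv_name}: cannot locate a KDC"))
    for prio, weight, port, target in sorted(kdcs):
        addrs = lookup_a(target)
        findings.append((bool(addrs), f"KDC {target}:{port} (prio {prio}, weight "
                         f"{weight}) -> {', '.join(addrs) or 'does not resolve'}"))
    # MIT Kerberos canonicalises host names through reverse (PTR) lookups by
    # default, so the client needs a PTR record that resolves back to itself.
    ptr_names = lookup_ptr(client_ip)
    if not ptr_names:
        findings.append((False, f"no PTR record for {client_ip} (NXDOMAIN)"))
    for name in ptr_names:
        confirmed = client_ip in lookup_a(name)
        findings.append((confirmed, f"PTR {client_ip} -> {name} "
                         f"{'is' if confirmed else 'is NOT'} forward-confirmed"))
    return findings

# Constructed zone mirroring the thread: three KDCs are advertised (names as in
# the tcpdump), the engine host (made-up address 10.0.0.11) has no PTR record.
FAKE_SRV = {"_kerberos._tcp.EXAMPLE.COM": [(0, 100, 88, "site1.example.com"),
                                         (0, 100, 88, "site2.example.com"),
                                         (0, 100, 88, "site3.example.com")]}
FAKE_A = {"site1.example.com": ["10.0.0.1"], "site2.example.com": ["10.0.0.2"],
          "site3.example.com": ["10.0.0.3"], "engine.example.com": ["10.0.0.11"]}
FAKE_PTR = {"10.0.0.1": ["site1.example.com"]}

def run_thread_scenario(ptr_fixed=False):
    """Run the checker against the constructed zone; ptr_fixed=True adds the
    PTR record the thread ends by requesting from the DNS admins."""
    ptr = dict(FAKE_PTR)
    if ptr_fixed:
        ptr["10.0.0.11"] = ["engine.example.com"]
    return check_kerberos_dns("example.com", "10.0.0.11",
                              lambda name: FAKE_SRV.get(name, []),
                              lambda name: FAKE_A.get(name, []),
                              lambda ip: ptr.get(ip, []))

if __name__ == "__main__":
    for ok, message in run_thread_scenario():
        print("OK  " if ok else "FAIL", message)
```

Against the constructed zone the three KDC checks pass and only the missing PTR record is flagged, which matches the nslookup NXDOMAIN above; with ptr_fixed=True every check passes.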