On 11/21/2012 09:40 PM, Cristian Falcas wrote:
>
> On Wed, Nov 21, 2012 at 9:37 PM, Cristian Falcas <cristi.falcas@gmail.com> wrote:
>
> On Wed, Nov 21, 2012 at 8:10 AM, Itamar Heim <iheim@redhat.com> wrote:
>
> On 11/21/2012 08:09 AM, Oved Ourfalli wrote:
>
> ----- Original Message -----
> From: "Cristian Falcas" <cristi.falcas@gmail.com>
> To: "Yair Zaslavsky" <yzaslavs@redhat.com>
> Cc: users@ovirt.org
> Sent: Wednesday, November 21, 2012 6:40:34 AM
> Subject: Re: [Users] I don't know how to add AD users
>
> On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
>
> From: "Cristian Falcas" <cristi.falcas@gmail.com>
> To: "Itamar Heim" <iheim@redhat.com>
> Cc: "Yair Zaslavsky" <yzaslavs@redhat.com>, users@ovirt.org
> Sent: Tuesday, November 20, 2012 7:33:39 PM
> Subject: Re: [Users] I don't know how to add AD users
>
> On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim <iheim@redhat.com> wrote:
>
> On 11/20/2012 03:00 PM, Cristian Falcas wrote:
>
> Hi,
>
> So there is no way to use the domain I have at work, right?
>
> I will need to make a freeipa installation in order to add new users.
>
> there is no reason this shouldn't work with active directory 2003 (assuming its forest level isn't still in AD 2000 compatibility mode?).
> tcpdump for the traffic during engine-manage-domains should help diagnosing why.
>
> Cristian
>
> On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas <cristi.falcas@gmail.com> wrote:
>
> On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim@redhat.com> wrote:
>
> On 11/20/2012 09:56 AM, Cristian Falcas wrote:
>
> On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
>
> On 11/20/2012 09:05 AM, Cristian Falcas wrote:
>
> On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
>
> On 11/20/2012 12:39 AM, Cristian Falcas wrote:
>
> On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim@redhat.com> wrote:
>
> On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
>
> On 11/19/2012 10:01 AM, Cristian Falcas wrote:
>
> Hi,
>
> I'm trying to add some users to ovirt using an AD.
>
> This is the configuration I used for a mediawiki site, which is working correctly:
>
> $wgAuth = new LdapAuthenticationPlugin();
> $wgLDAPUseLocal = true;
> $wgLDAPDomainNames = array("a_domain");
> $wgLDAPServerNames = array("a_domain"=>"site.example.com");
> $wgLDAPEncryptionType = array("a_domain"=>"clear");
> $wgLDAPSearchStrings = array("a_domain"=>"rom_domain\\USER-NAME");
> $wgLDAPBaseDNs = array("a_domain"=>"dc=company,dc=com");
>
>
> Those are the commands I tried using:
>
> engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive
>
> engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@company.com -interactive
>
> engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example.com -interactive
>
>
> You don't add a user this way. You add the domain. You have to pass the domain admin user and the domain admin password.
>
> any domain user will do, doesn't have to be an admin.
> what does the log say?
>
> Then you can use the domain within the engine, e.g. search users, add access rights for vms etc.
> Even login to the engine and assigning rights within the engine you can handle from the engine itself.
>
> Regards,
>
> And the output on all tries:
>
> Enter password:
>
> Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct..
> Problematic domain is: domain_used_in_command
> Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
>
> Can someone help me with the correct parameters?
>
> Best regards,
> Cristian Falcas
>
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
> --
> Regards,
>
> Vinzenz Feenstra | Senior Software Engineer
> RedHat Engineering Virtualization R & D
> Phone: +420 532 294 625
> IRC: vfeenstr or evilissimo
>
> Better technology. Faster innovation. Powered by community collaboration.
> See how it works at redhat.com
>
>
> Hi,
>
> This is the command I used (the same error is with -interactive parameter):
>
> engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass
>
> [root@localhost ~]# cat /tmp/pass
> qwerty[root@localhost ~]#
>
> This is the log:
>
> 2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
> 2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
> 2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
> 2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
> 2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
>
>
> Hi, the error indicates you don't have kerberos configured.
> manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to run ldapsearch with -Y gssapi option).
> I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well).
>
> This is the ldapsearch command that works (it retrieves users) from the same machine:
>
> ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty
>
> Best regards,
> Cristian Falcas
>
>
> Hi,
>
> I used "-x" for ldapsearch and the result is the same: list retrieved.
> Is there any equivalent for engine-manage-domains?
>
> Cristian
>
> Hi Christian, there is no code allowing to add simple-authentication domains to Manage-Domains.
> In the past we did have the ability to do that, but there are several problematic issues.
> What ldap server are you working against? Maybe I missed that
>
> Hi,
>
> The server is a Microsoft AD 2003.
>
> Best regards,
> Cristian Falcas
>
> this should work, is the AD also the DNS server for the ovirt engine machine?
>
> yes
>
> Could you take a look at the tcp dump? There are only 2 messages relevant to this (let me know if you want the full dump):
>
> - 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV _kerberos._tcp.EXAMPLE.COM
> - 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 100 88 site3.example.com
>
> Also, I tried to run ldapsearch with -Y gssapi:
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available: No worthy mechs found
>
> Best regards,
> Cristian Falcas
>
> The SRV records look fine.
> If I remember correctly, your DNS should have a reverse-resolve PTR record to your engine machine. Does it exist?
>
> I don't think so (10.0.0.xx is engine machine, 10.0.0.yyy is dns):
>
> [root@localhost ~]# nslookup 10.0.0.xx
> Server: 10.0.0.yyy
> Address: 10.0.0.yyy#53
>
> ** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN
>
> [root@localhost ~]# host 10.0.0.xx
> Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
>
> I will ask them to add a DNS record for the machine.
>
> Indeed do that.
> In the engine we require both reverse-resolve PTR record, Kerberos SRV record and LDAP SRV record.
> Make sure you have all three in the DNS.
> The PTR + Kerberos records are used for the kerberos authentication (and constructing the krb5.conf file in the engine-manage-domains utility).
> The LDAP SRV record is used for the directory queries (it is used in the utility + the ovirt engine, to look for LDAP servers).
>
> Yair - sounds like we need a how to troubleshoot AD issues?
>
> Hi,
>
> So, after all, I was using the wrong domain. In my company we use everywhere (web, email, etc) as the domain "a_domain" instead of the usual company.com. So it worked with:
>
> engine-manage-domains -action=add -domain=company.com -provider=ActiveDirectory -user=user.name -passwordFile=/tmp/pass
>
> Some steps I did for my investigation:
>
> 1. test if the domain has a kerberos service:
>
> host -t srv _kerberos._tcp.company.com
>
> 2. use kinit instead of engine-manage-domains (much faster)
>
> cp /etc/ovirt-engine/krb5.conf /etc/
>
> 3. test with:
>
> kinit user.name@company.com -V
>
> Just to let others know what errors I had and how I fixed them:
>
> 1. Client not found in Kerberos database while getting initial credentials: wrong user name
>
> 2. Cannot find KDC for requested realm: the realm you are using in the command line is not defined in krb5.conf file.
>
> - at the beginning I was using kinit user.name@a_domain -V, but there was no a_domain realm defined.
> - check the file and try to update it or correct your kinit command in order to use the correct realm
>
> [realms]
> COMPANY.COM = {
>     kdc = site1.company.com.:88
>     kdc = site2.company.com.:88
>     kdc = site3.company.com.:88
> }
>
> 3. KDC reply did not match expectations while getting initial credentials: you may have the same realm in your command line and in the krb5.conf file, but the server thinks this is not correct.
> - use wireshark to see what realm the server has: protocol KRB5, messages AS-REQ and AS-REP
>
> Thank you for all your help.
>
> Cristian
>
> I forgot. Use this kinit command for tests instead:
>
> kinit user.name
>
> Because I was using the realm in the command line I had all of the above problems
>
do you mind adding these to a wiki for steps to troubleshoot for the next
one to tackle this?
thanks,
Itamar

I'm glad to help. Can someone help me with an account?
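The realm mismatch Cristian describes above (kinit with user.name@a_domain failing with "Cannot find KDC for requested realm" because krb5.conf only defines COMPANY.COM, while a bare kinit user.name works through the default realm) can be checked offline before running kinit. This is an added example, not code from the thread or from oVirt; the krb5.conf text, its [libdefaults] section and the host -t srv output below are constructed to match the thread's values.

```python
import re

# Constructed krb5.conf modelled on the [realms] block quoted in the thread;
# the [libdefaults] section is an assumption (the thread shows only [realms]).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = COMPANY.COM

[realms]
    COMPANY.COM = {
        kdc = site1.company.com.:88
        kdc = site2.company.com.:88
        kdc = site3.company.com.:88
    }
"""

# Constructed output of `host -t srv _kerberos._tcp.company.com` (step 1 above).
SAMPLE_SRV_OUTPUT = """\
_kerberos._tcp.company.com has SRV record 0 100 88 site1.company.com.
_kerberos._tcp.company.com has SRV record 0 100 88 site2.company.com.
_kerberos._tcp.company.com has SRV record 0 100 88 site3.company.com.
"""

def parse_krb5_conf(text):
    """Return (default_realm, {realm: [kdc host, ...]}) parsed from krb5.conf text."""
    default_realm, realms, section, current = None, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding blanks
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current = header.group(1).lower(), None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "realms":
            if value == "{":                  # "REALM = {" opens a realm block
                current = key
                realms.setdefault(current, [])
            elif line == "}":
                current = None
            elif current and key == "kdc":    # keep the host: drop ":port" and trailing dot
                realms[current].append(value.rsplit(":", 1)[0].rstrip("."))
    return default_realm, realms

def parse_srv_hosts(host_output):
    """Extract the target hosts from `host -t srv` output lines."""
    targets = re.findall(r"has SRV record \d+ \d+ \d+ (\S+)", host_output)
    return [t.rstrip(".") for t in targets]

def check_principal(principal, default_realm, realms):
    """Say which realm kinit would use for `principal` and whether krb5.conf defines it
    (otherwise kinit reports "Cannot find KDC for requested realm")."""
    _user, at, realm = principal.partition("@")
    if not at:                                # "kinit user.name" falls back to default_realm
        realm = default_realm
        if realm is None:
            return "error", "no realm given and no default_realm in krb5.conf"
    if realm in realms:
        return "ok", f"realm {realm} has {len(realms[realm])} KDC(s) configured"
    for known in realms:                      # realm names are case-sensitive
        if known.lower() == realm.lower():
            return "error", f"realm {realm} is not defined; realm names are case-sensitive, use {known}"
    return "error", f"Cannot find KDC for requested realm {realm}: not present in [realms]"

def kdc_consistency(realm, realms, srv_hosts):
    """Compare the krb5.conf kdc entries for `realm` with the DNS _kerberos._tcp SRV targets."""
    conf, dns = set(realms.get(realm, [])), set(srv_hosts)
    return {"missing_in_conf": sorted(dns - conf), "missing_in_dns": sorted(conf - dns)}
```

Feed it your real /etc/krb5.conf and the output of host -t srv to see whether the principal you pass to kinit resolves to a configured realm and whether the KDCs written by engine-manage-domains match what DNS advertises.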