On 11/20/2012 09:56 AM, Cristian Falcas wrote:
>
> On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
>
>> On 11/20/2012 09:05 AM, Cristian Falcas wrote:
>>>
>>> On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
>>>
>>>> On 11/20/2012 12:39 AM, Cristian Falcas wrote:
>>>>>
>>>>> On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim@redhat.com> wrote:
>>>>>
>>>>>> On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
>>>>>>>
>>>>>>> On 11/19/2012 10:01 AM, Cristian Falcas wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'm trying to add some users to ovirt using an AD.
>>>>>>>>
>>>>>>>> This is the configuration I used for a mediawiki site, which is
>>>>>>>> working correctly:
>>>>>>>>
>>>>>>>> $wgAuth = new LdapAuthenticationPlugin();
>>>>>>>> $wgLDAPUseLocal = true;
>>>>>>>> $wgLDAPDomainNames = array( "a_domain" );
>>>>>>>> $wgLDAPServerNames = array( "a_domain" => "site.example.com" );
>>>>>>>> $wgLDAPEncryptionType = array( "a_domain" => "clear" );
>>>>>>>> $wgLDAPSearchStrings = array( "a_domain" => "rom_domain\\USER-NAME" );
>>>>>>>> $wgLDAPBaseDNs = array( "a_domain" => "dc=company,dc=com" );
>>>>>>>>
>>>>>>>> Those are the commands I tried using:
>>>>>>>>
>>>>>>>> engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive
>>>>>>>>
>>>>>>>> engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@company.com -interactive
>>>>>>>>
>>>>>>>> engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example.com -interactive
>>>>>>>
>>>>>>> You don't add a user this way. You add the domain. You have to pass the
>>>>>>> domain admin user and the domain admin password.
>>>>>>
>>>>>> any domain user will do, doesn't have to be an admin.
>>>>>> what does the log say?
>>>>>>
>>>>>>> Then you can use the domain within the engine. e.g. search users, add
>>>>>>> access rights for vms etc.
>>>>>>> Even login to the engine and assigning rights within the engine can be
>>>>>>> handled from the engine itself.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>>> And the output on all tries:
>>>>>>>> Enter password:
>>>>>>>>
>>>>>>>> Error: Authentication Failed. Please verify the fully qualified domain
>>>>>>>> name that is used for authentication is correct.. Problematic domain
>>>>>>>> is: domain_used_in_command
>>>>>>>> Failure while applying Kerberos configuration. Details: Authentication
>>>>>>>> Failed. Please verify the fully qualified domain name that is used for
>>>>>>>> authentication is correct.
>>>>>>>>
>>>>>>>> Can someone help me with the correct parameters?
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Cristian Falcas
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Users mailing list
>>>>>>>> Users@ovirt.org
>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>
>>>>>>> --
>>>>>>> Regards,
>>>>>>>
>>>>>>> Vinzenz Feenstra | Senior Software Engineer
>>>>>>> RedHat Engineering Virtualization R & D
>>>>>>> Phone: +420 532 294 625
>>>>>>> IRC: vfeenstr or evilissimo
>>>>>>>
>>>>>>> Better technology. Faster innovation. Powered by community collaboration.
>>>>>>> See how it works at redhat.com
>>>>>
>>>>> Hi,
>>>>>
>>>>> This is the command I used (the same error occurs with the -interactive
>>>>> parameter):
>>>>>
>>>>> engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass
>>>>>
>>>>> [root@localhost ~]# cat /tmp/pass
>>>>> qwerty[root@localhost ~]#
>>>>>
>>>>> This is the log:
>>>>>
>>>>> 2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
>>>>> 2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
>>>>> 2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
>>>>> 2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
>>>>> 2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
>>>>
>>>> Hi, the error indicates you don't have kerberos configured.
>>>> manage-domains validates by default using GSSAPI/Kerberos (if I
>>>> understand correctly, this is equivalent to running ldapsearch with the
>>>> -Y gssapi option).
>>>> I wonder if -x (simple authentication) will work for you as well (as
>>>> manage-domains contains code for simple authentication as well).
>>>>
>>>>> This is the ldapsearch command that works (it retrieves users) from the
>>>>> same machine:
>>>>>
>>>>> ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty
>>>>>
>>>>> Best regards,
>>>>> Cristian Falcas
>>>
>>> Hi,
>>>
>>> I used "-x" for ldapsearch and the result is the same: list retrieved.
>>> Is there any equivalent for engine-manage-domains?
>>>
>>> Cristian
>>
>> Hi Cristian, there is no code that allows adding simple-authentication
>> domains to Manage-Domains.
>> In the past we did have the ability to do that, but there are several
>> problematic issues.
>> What ldap server are you working against? Maybe I missed that
>
> Hi,
>
> The server is a Microsoft AD 2003.
>
> Best regards,
> Cristian Falcas

this should work, is the AD also the DNS server for the ovirt engine
machine?
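The DNS question at the end of the thread is the crux of the "Cannot locate KDC" line in the log: a Kerberos client finds the KDCs for an AD realm through the `_kerberos._tcp.<domain>` SRV records, which only a resolver that serves or forwards the AD zone returns. The following is an added example, not part of the thread or of oVirt's own code; the domain, the DC hostnames and the injected resolver tables are constructed.

```python
"""KDC discovery check for an AD domain (added example, not oVirt code).

"Cannot locate KDC" means the Kerberos library found no KDC for the realm;
for AD that list normally comes from DNS SRV records, so the check below
resolves them. The resolver is injected so both DNS views run offline."""
from typing import Callable, Dict, List, Tuple

SrvRecord = Tuple[int, int, int, str]          # (priority, weight, port, target)
SrvResolver = Callable[[str], List[SrvRecord]]

def srv_names(domain: str) -> Dict[str, str]:
    """SRV names a Kerberos/LDAP client queries for an AD domain."""
    return {"kdc": f"_kerberos._tcp.{domain}",
            "ldap": f"_ldap._tcp.dc._msdcs.{domain}"}

def locate_kdcs(domain: str, resolve: SrvResolver) -> List[str]:
    """KDCs as host:port, lowest priority first; empty list if none found."""
    records = sorted(resolve(srv_names(domain)["kdc"]))
    return [f"{target.rstrip('.')}:{port}" for _, _, port, target in records]

def krb5_conf(domain: str, resolve: SrvResolver) -> str:
    """Minimal krb5.conf for the realm (AD realm = upper-cased DNS domain).
    Raises LookupError with the engine log's wording when DNS yields no KDC."""
    kdcs = locate_kdcs(domain, resolve)
    realm = domain.upper()
    if not kdcs:
        raise LookupError(f"Cannot locate KDC for realm {realm}")
    kdc_lines = "\n".join(f"  kdc = {k}" for k in kdcs)
    return (f"[realms]\n {realm} = {{\n{kdc_lines}\n }}\n"
            f"[domain_realm]\n .{domain} = {realm}\n {domain} = {realm}\n")

# Constructed DNS views: the AD domain controllers' DNS publishes the SRV
# records; a resolver that does not forward the zone to AD returns nothing.
AD_DNS: Dict[str, List[SrvRecord]] = {
    "_kerberos._tcp.example.com": [(10, 100, 88, "dc2.example.com."),
                                   (0, 100, 88, "dc1.example.com.")],
    "_ldap._tcp.dc._msdcs.example.com": [(0, 100, 389, "dc1.example.com.")],
}
OTHER_DNS: Dict[str, List[SrvRecord]] = {}

def resolver_from(table: Dict[str, List[SrvRecord]]) -> SrvResolver:
    return lambda name: table.get(name, [])

if __name__ == "__main__":
    print(krb5_conf("example.com", resolver_from(AD_DNS)))
    try:
        krb5_conf("example.com", resolver_from(OTHER_DNS))
    except LookupError as err:
        print("error:", err)   # Cannot locate KDC for realm EXAMPLE.COM
```

Against a live setup, `dig SRV _kerberos._tcp.example.com` run on the engine host shows which of the two views that host actually gets.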