On Wed, Nov 21, 2012 at 9:37 PM, Cristian Falcas <cristi.falcas(a)gmail.com> wrote:
On Wed, Nov 21, 2012 at 8:10 AM, Itamar Heim <iheim(a)redhat.com> wrote:
> On 11/21/2012 08:09 AM, Oved Ourfalli wrote:
>
>>
>>
>> ----- Original Message -----
>>
>>> From: "Cristian Falcas" <cristi.falcas(a)gmail.com>
>>> To: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
>>> Cc: users(a)ovirt.org
>>> Sent: Wednesday, November 21, 2012 6:40:34 AM
>>> Subject: Re: [Users] I don't know how to add AD users
>>>
>>> On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky <yzaslavs(a)redhat.com> wrote:
>>>
>>> From: "Cristian Falcas" <cristi.falcas(a)gmail.com>
>>> To: "Itamar Heim" <iheim(a)redhat.com>
>>> Cc: "Yair Zaslavsky" <yzaslavs(a)redhat.com>, users(a)ovirt.org
>>> Sent: Tuesday, November 20, 2012 7:33:39 PM
>>> Subject: Re: [Users] I don't know how to add AD users
>>>
>>> On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim <iheim(a)redhat.com> wrote:
>>>
>>> On 11/20/2012 03:00 PM, Cristian Falcas wrote:
>>>
>>> Hi,
>>>
>>> So there is no way to use the domain I have at work, right?
>>>
>>> I will need to make a freeipa installation in order to add new users.
>>>
>>> there is no reason this shouldn't work with active directory 2003
>>> (assuming its forest level isn't still in AD 2000 compatibility
>>> mode?).
>>> tcpdump for the traffic during engine-manage-domains should help
>>> diagnose why.
>>>
>>> Cristian
>>>
>>> On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas <cristi.falcas(a)gmail.com> wrote:
>>>
>>> On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim(a)redhat.com> wrote:
>>>
>>> On 11/20/2012 09:56 AM, Cristian Falcas wrote:
>>>
>>> On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs(a)redhat.com> wrote:
>>>
>>> On 11/20/2012 09:05 AM, Cristian Falcas wrote:
>>>
>>> On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs(a)redhat.com> wrote:
>>>
>>> On 11/20/2012 12:39 AM, Cristian Falcas wrote:
>>>
>>> On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim(a)redhat.com> wrote:
>>>
>>> On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
>>>
>>> On 11/19/2012 10:01 AM, Cristian Falcas wrote:
>>>
>>> Hi,
>>>
>>> I'm trying to add some users to ovirt using an AD.
>>>
>>> This is the configuration I used for a mediawiki site, which is
>>> working correctly:
>>> $wgAuth = new LdapAuthenticationPlugin();
>>> $wgLDAPUseLocal = true;
>>> $wgLDAPDomainNames = array("a_domain");
>>> $wgLDAPServerNames = array("a_domain"=>"site.example.com");
>>> $wgLDAPEncryptionType = array("a_domain"=>"clear");
>>> $wgLDAPSearchStrings = array("a_domain"=>"rom_domain\\USER-NAME");
>>> $wgLDAPBaseDNs = array("a_domain"=>"dc=company,dc=com");
>>>
>>> Those are the commands I tried using:
>>> engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive
>>>
>>> engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@company.com -interactive
>>>
>>> engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example.com -interactive
>>>
>>> You don't add a user this way. You add the domain. You have to
>>> pass the domain admin user and the domain admin password.
>>>
>>> any domain user will do, doesn't have to be an admin.
>>> what does the log say?
>>>
>>> Then you can use the domain within the engine, e.g. search users,
>>> add access rights for vms etc. Even login to the engine and
>>> assigning rights within the engine you can handle from the engine
>>> itself.
>>>
>>> Regards,
>>>
>>> And the output on all tries:
>>> Enter password:
>>>
>>> Error: Authentication Failed. Please verify the fully qualified
>>> domain name that is used for authentication is correct..
>>> Problematic domain is: domain_used_in_command
>>> Failure while applying Kerberos configuration. Details:
>>> Authentication Failed. Please verify the fully qualified domain
>>> name that is used for authentication is correct.
>>>
>>> Can someone help me with the correct parameters?
>>>
>>> Best regards,
>>> Cristian Falcas
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users(a)ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>>> --
>>> Regards,
>>>
>>> Vinzenz Feenstra | Senior Software Engineer
>>> RedHat Engineering Virtualization R & D
>>> Phone: +420 532 294 625
>>> IRC: vfeenstr or evilissimo
>>>
>>> Better technology. Faster innovation. Powered by community
>>> collaboration.
>>> See how it works at redhat.com
>>>
>>> Hi,
>>>
>>> This is the command I used (the same error is with -interactive
>>> parameter):
>>>
>>> engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass
>>>
>>> [root@localhost ~]# cat /tmp/pass
>>> qwerty[root@localhost ~]#
>>>
>>> This is the log:
>>>
>>> 2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
>>> 2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
>>> 2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
>>> 2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
>>> 2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
>>>
>>> Hi, the error indicates you don't have kerberos configured.
>>> manage-domains validates by default using GSSAPI/Kerberos (if I
>>> understand correctly, this is equivalent to running ldapsearch
>>> with the -Y gssapi option).
>>> I wonder if -x (simple authentication) will work for you as well
>>> (as manage-domains contains code for simple authentication as
>>> well).
>>>
>>> This is the ldapsearch command that works (it retrieves users)
>>> from the same machine:
>>>
>>> ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty
>>>
>>> Best regards,
>>> Cristian Falcas
>>>
>>> Hi,
>>>
>>> I used "-x" for ldapsearch and the result is the same: list
>>> retrieved.
>>> Is there any equivalent for engine-manage-domains?
>>>
>>> Cristian
>>>
>>> Hi Cristian, there is no code allowing you to add
>>> simple-authentication domains to Manage-Domains.
>>> In the past we did have the ability to do that, but there are
>>> several problematic issues.
>>> What ldap server are you working against? Maybe I missed that
>>>
>>> Hi,
>>>
>>> The server is a Microsoft AD 2003.
>>>
>>> Best regards,
>>> Cristian Falcas
>>>
>>> this should work, is the AD also the DNS server for the ovirt
>>> engine machine?
>>>
>>> yes
>>>
>>> Could you take a look at the tcp dump? There are only 2 messages
>>> relevant to this (let me know if you want the full dump):
>>>
>>> - 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV _kerberos._tcp.EXAMPLE.COM
>>> - 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 100 88 site3.example.com
>>>
>>> Also, I tried to run ldapsearch with -Y gssapi:
>>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>> additional info: SASL(-4): no mechanism available: No worthy mechs found
>>>
>>> Best regards,
>>> Cristian Falcas
>>>
>>> The SRV records look fine.
>>> If I remember correctly, your DNS should have a reverse-resolve PTR
>>> record to your engine machine. Does it exist?
>>>
>>> I don't think so (10.0.0.xx is engine machine, 10.0.0.yyy is dns):
>>>
>>> [root@localhost ~]# nslookup 10.0.0.xx
>>> Server: 10.0.0.yyy
>>> Address: 10.0.0.yyy#53
>>>
>>> ** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN
>>>
>>> [root@localhost ~]# host 10.0.0.xx
>>> Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
>>>
>>> I will ask them to add a DNS record for the machine.
>>>
>> Indeed do that.
>> In the engine we require the reverse-resolve PTR record, the Kerberos SRV
>> record and the LDAP SRV record.
>> Make sure you have all three in the DNS.
>> The PTR + Kerberos records are used for the kerberos authentication (and
>> constructing the krb5.conf file in the engine-manage-domains utility).
>> The LDAP SRV record is used for the directory queries (it is used in the
>> utility + the ovirt engine, to look for LDAP servers).
>>
> Yair - sounds like we need a how-to for troubleshooting AD issues?
>
Hi,

So, after all, I was using the wrong domain. In my company we use
everywhere (web, email, etc) as the domain "a_domain" instead of the usual
company.com. So it worked with:

engine-manage-domains -action=add -domain=company.com -provider=ActiveDirectory -user=user.name -passwordFile=/tmp/pass

Some steps I did for my investigation:
1. test if the domain has a kerberos service:
   host -t srv _kerberos._tcp.company.com
2. use kinit instead of engine-manage-domains (much faster):
   cp /etc/ovirt-engine/krb5.conf /etc/
3. test with:
   kinit user.name@company.com -V

Just to let others know what errors I had and how I fixed them:
1. Client not found in Kerberos database while getting initial
credentials: wrong user name
2. Cannot find KDC for requested realm: the realm you are using in the
command line is not defined in the krb5.conf file.
- at the beginning I was using kinit user.name@a_domain -V, but there was
no a_domain realm defined.
- check the file and try to update it or correct your kinit command in
order to use the correct realm
[realms]
COMPANY.COM = {
kdc = site1.company.com.:88
kdc = site2.company.com.:88
kdc = site3.company.com.:88
}
3. KDC reply did not match expectations while getting initial credentials:
you may have the same realm in your command line and in the krb5.conf file,
but the server thinks this is not correct.
- use wireshark to see what realm the server has: protocol KRB5, messages
AS-REQ and AS-REP

Thank you for all your help.
Cristian

I forgot. Use this kinit command for tests instead:
kinit user.name
Because I was using the realm in the command line I had all of the above
problems.
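The realm errors Cristian lists (Cannot find KDC for requested realm, KDC reply did not match expectations) and his closing advice to run kinit without a realm both come down to how the principal's realm is matched against the [realms] and [libdefaults] sections of krb5.conf. The preflight check below is an added example, not code from the thread or from the oVirt project: SAMPLE_KRB5_CONF is constructed from the [realms] stanza above, and its [libdefaults] default_realm line is an assumption, since the page shows only the [realms] part.

```python
import re

# Constructed sample in the shape of the [realms] stanza from the thread.
# The [libdefaults] section (default_realm) is an assumption; the page
# shows only the [realms] part of the generated krb5.conf.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = COMPANY.COM
[realms]
    COMPANY.COM = {
        kdc = site1.company.com.:88
        kdc = site2.company.com.:88
        kdc = site3.company.com.:88
    }
"""


def parse_krb5_conf(text):
    """Return (default_realm, {REALM: [kdc, ...]}) from MIT-style krb5.conf text."""
    default_realm, realms, section, current = None, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, current = header.group(1), None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "realms":
            if value == "{":                  # "REALM = {" opens a realm block
                current = key
                realms.setdefault(current, [])
            elif line == "}":                 # end of the realm block
                current = None
            elif current is not None and key == "kdc":
                realms[current].append(value)
    return default_realm, realms


def check_principal(principal, conf_text):
    """Return (status, realm, kdcs) for what `kinit principal` would use.

    ok: realm defined in [realms]; no_default_realm: bare user name but no
    default_realm; unknown_realm: the thread's "Cannot find KDC for requested
    realm"; realm_case_mismatch: differs only in case from a configured realm
    (MIT compares realm names case-sensitively, a classic source of "KDC reply
    did not match expectations" against an uppercase AD realm).
    """
    default_realm, realms = parse_krb5_conf(conf_text)
    _, at_sign, explicit_realm = principal.rpartition("@")
    realm = explicit_realm if at_sign else default_realm   # kinit user.name -> default realm
    if realm is None:
        return "no_default_realm", None, []
    if realm in realms:
        return "ok", realm, list(realms[realm])
    if any(name.lower() == realm.lower() for name in realms):
        return "realm_case_mismatch", realm, []
    return "unknown_realm", realm, []
```

Run it as `check_principal("user.name@a_domain", open("/etc/krb5.conf").read())` to see the realm the client would ask for before touching the KDC at all.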