
On 09/16/2012 09:01 AM, Oved Ourfalli wrote:
<top posting>
Hey,
According to the call stack, it looks like something is wrong in the root DSE attributes (whether due to a bug in the engine, or some configuration that can be done in AD).
Please provide us this information by using the following commands:
ldapsearch -LLL -D user@example.com -h <AD-SERVER> -b "" -s base objectClass=*
Oved
In addition to Oved's words - when looking at the history of ADRootDSE I see it's probably something with the domainControllerFunctionality attribute (the attributes that we're checking are domainControllerFunctionality, domainFunctionality and defaultNamingContext).
However - the best approach is indeed to run the ldapsearch and provide its output.
Yair
----- Original Message -----
From: "Joop" <jvdwege@xs4all.nl>
To: "<users@ovirt.org>" <users@ovirt.org>
Sent: Saturday, September 15, 2012 1:07:06 AM
Subject: [Users] ActiveDirectory problems
Hi List,
I have been reading the list for quite some time and I have a question because I can't find the problem myself. I have an oVirt-3.1 setup with 3 nodes (Fed17 install from LiveCD + vdsm) and an engine install. So far this all works. Can create VMs, can migrate them, no problems (well, one, but that's for another post: vdsmd doesn't start at system start).
Version of oVirt that's installed:
Installed Packages
ovirt-engine.noarch 3.1.0-2.fc17 @ovirt-beta
ovirt-engine-backend.noarch 3.1.0-2.fc17 @ovirt-beta
ovirt-engine-cli.noarch 3.1.0.6-1.fc17 @ovirt-beta
ovirt-engine-config.noarch 3.1.0-2.fc17 @ovirt-beta
ovirt-engine-dbscripts.noarch 3.1.0-2.fc17 @ovirt-beta
ovirt-engine-genericapi.noarch 3.1.0-2.fc17 @ovirt-beta
ovirt-engine-notification-service.noarch 3.1.0-2.fc17 @ovirt-beta
ovirt-engine-restapi.noarch 3.1.0-2.fc17 @ovirt-beta
ovirt-engine-sdk.noarch 3.1.0.4-1.fc17 @ovirt-beta
ovirt-engine-setup.noarch 3.1.0-2.fc17 @ovirt-beta
ovirt-engine-tools-common.noarch 3.1.0-2.fc17 @ovirt-beta
ovirt-engine-userportal.noarch 3.1.0-2.fc17 @ovirt-beta
ovirt-engine-webadmin-portal.noarch 3.1.0-2.fc17 @ovirt-beta
ovirt-image-uploader.noarch 3.1.0-0.git9c42c8.fc17 @ovirt-beta
ovirt-iso-uploader.noarch 3.1.0-0.git1841d9.fc17 @ovirt-beta
ovirt-log-collector.noarch 3.1.0-0.git10d719.fc17 @ovirt-beta
Next step is integrating with our AD setup. Ran
engine-manage-domains -action=add -provider=ActiveDirectory -domain=nieuwland.local -user=admin -interactive
Message is:
WARNING: No permissions were added to the Engine. Login either with the internal admin user or with another configured user
Successfully added domain nieuwland.local. oVirt Engine restart is required in order for the changes to take place (service
Manage Domains completed successfully
The specified admin is a DomainAdministrator.
The logfile in /var/log/engine/engine-manage-domains also says OK. The resulting krb5.conf in /etc/ovirt-engine looks also OK. The AD servers are resolvable forward and backward. Then I'm lost because when I log into the Admin portal with the internal admin account and go to the Users tab and want to add a user from the nieuwland.local, myself (jvandewege) realm it won't work and I get the following in engine.log:
2012-09-14 12:55:26,104 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-12) Failed ldap search server LDAP://digit.nieuwland.local:389 due to java.lang.NullPointerException. We should try the next server: java.lang.NullPointerException at org.ovirt.engine.core.bll.adbroker.ADRootDSE.<init>(ADRootDSE.java:26) [engine-bll.jar:] at org.ovirt.engine.core.bll.adbroker.RootDSEFactory.get(RootDSEFactory.java:14) [engine-bll.jar:] at org.ovirt.engine.core.bll.adbroker.GetRootDSETask.setRootDSE(GetRootDSETask.java:97) [engine-bll.jar:] at org.ovirt.engine.core.bll.adbroker.GetRootDSETask.call(GetRootDSETask.java:68) [engine-bll.jar:] at org.ovirt.engine.core.bll.adbroker.DirectorySearcher.find(DirectorySearcher.java:91) [engine-bll.jar:] at org.ovirt.engine.core.bll.adbroker.DirectorySearcher.FindOne(DirectorySearcher.java:39) [engine-bll.jar:] at org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand.executeQuery(LdapAuthenticateUserCommand.java:44) [engine-bll.jar:] at org.ovirt.engine.core.bll.adbroker.LdapBrokerCommandBase.Execute(LdapBrokerCommandBase.java:68) [engine-bll.jar:] at org.ovirt.engine.core.bll.adbroker.LdapBrokerBase.RunAdAction(LdapBrokerBase.java:18) [engine-bll.jar:] at org.ovirt.engine.core.bll.LoginUserCommand.authenticateUser(LoginUserCommand.java:30) [engine-bll.jar:] at org.ovirt.engine.core.bll.LoginBaseCommand.isUserCanBeAuthenticated(LoginBaseCommand.java:177) [engine-bll.jar:] at org.ovirt.engine.core.bll.LoginAdminUserCommand.canDoAction(LoginAdminUserCommand.java:14) [engine-bll.jar:] at org.ovirt.engine.core.bll.CommandBase.InternalCanDoAction(CommandBase.java:486) [engine-bll.jar:] at org.ovirt.engine.core.bll.CommandBase.ExecuteAction(CommandBase.java:261) [engine-bll.jar:] at org.ovirt.engine.core.bll.Backend.Login(Backend.java:481) [engine-bll.jar:] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_05-icedtea] at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_05-icedtea] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_05-icedtea] at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_05-icedtea] at org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final] at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:374) [jboss-invocation.jar:1.1.1.Final] at org.ovirt.engine.core.utils.ThreadLocalSessionCleanerInterceptor.injectWebContextToThreadLocal(ThreadLocalSessionCleanerInterceptor.java:11) [engine-utils.jar:] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_05-icedtea] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_05-icedtea] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_05-icedtea] at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_05-icedtea] at org.jboss.as.ee.component.ManagedReferenceLifecycleMethodInterceptorFactory$ManagedReferenceLifecycleMethodInterceptor.processInvocation(ManagedReferenceLifecycleMethodInterceptorFactory.java:123) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final] at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation.jar:1.1.1.Final] at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:36) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] at 
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final] at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21) [jboss-invocation.jar:1.1.1.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final] at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.1.Final] at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final] at org.jboss.as.ejb3.component.singleton.SingletonComponentInstanceAssociationInterceptor.processInvocation(SingletonComponentInstanceAssociationInterceptor.java:53) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final] at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInNoTx(CMTTxInterceptor.java:211) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] at org.jboss.as.ejb3.tx.CMTTxInterceptor.supports(CMTTxInterceptor.java:363) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:194) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final] at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final] at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) 
[jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final] at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final] at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final] at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.1.Final] at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:173) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final] at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.1.Final] at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final] at org.ovirt.engine.core.common.interfaces.BackendLocal$$$view9.Login(Unknown Source) [engine-common.jar:] at org.ovirt.engine.ui.frontend.server.gwt.GenericApiGWTServiceImpl.Login(GenericApiGWTServiceImpl.java:157)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_05-icedtea] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_05-icedtea] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_05-icedtea] at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_05-icedtea] at com.google.gwt.rpc.server.RPC.invokeAndStreamResponse(RPC.java:196) at com.google.gwt.rpc.server.RpcServlet.processCall(RpcServlet.java:161) at com.google.gwt.rpc.server.RpcServlet.processPost(RpcServlet.java:222) at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-3.0-api.jar:1.0.1.Final] at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-3.0-api.jar:1.0.1.Final] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:466) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:505) at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:445)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_05-icedtea]
2012-09-14 12:55:26,124 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--0.0.0.0-8009-12) Failed authenticating user: admin to domain nieuwland.local. Ldap Query Type is getUserByName
2012-09-14 12:55:26,125 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-12) USER_FAILED_TO_AUTHENTICATE : admin
2012-09-14 12:55:26,125 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-12) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE
2012-09-14 12:57:07,027 INFO [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-5) Checking if user admin@internal is an admin, result true
2012-09-14 12:57:07,029 INFO [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-5) Running command: LoginAdminUserCommand internal: false.
Using Wireshark I don't see what I expected namely a well formed ldap search and a result. Can provide the dmp if needed.
Anyone had any luck and is willing to help me out?
Thanks in advance,
Joop
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
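Added example (not part of the original thread and not oVirt code): a shell function that reads the LDIF printed by the rootDSE ldapsearch requested above and lists which of the three attributes named in the reply (domainControllerFunctionality, domainFunctionality, defaultNamingContext) are absent. The function names and the sample rootDSE output are constructed for illustration.

```shell
#!/bin/sh
# Added example: check rootDSE LDIF (ldapsearch -LLL ... -b "" -s base output)
# for the three attributes the thread says the engine reads.
REQUIRED_ATTRS="domainControllerFunctionality domainFunctionality defaultNamingContext"

# Reads LDIF on stdin; prints the required attributes that are absent or
# empty, space-separated on one line (an empty line when all are present).
rootdse_missing_attrs() {
    awk -v required="$REQUIRED_ATTRS" '
        function record_attr(   pos, name, value) {
            if (!have_line) return
            have_line = 0
            pos = index(line, ":")
            if (pos < 2) return                       # blank or not "attr: value"
            name = tolower(substr(line, 1, pos - 1))  # names are case-insensitive
            value = substr(line, pos + 1)
            sub(/^:?[ \t]*/, "", value)               # "attr: v" and base64 "attr:: v"
            if (value != "") seen[name] = 1
        }
        # LDIF folds long lines: a continuation line starts with one space.
        /^ / { if (have_line) line = line substr($0, 2); next }
        { record_attr(); line = $0; have_line = 1 }
        END {
            record_attr()
            n = split(required, want, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (!(tolower(want[i]) in seen))
                    out = out (out == "" ? "" : " ") want[i]
            print out
        }
    '
}

# Constructed sample: a rootDSE reply lacking domainControllerFunctionality.
sample_rootdse() {
    cat <<'EOF'
dn:
defaultNamingContext: DC=example,DC=com
domainFunctionality: 2
supportedLDAPVersion: 3
EOF
}

# Demo on the constructed sample; for a real server, pipe the output of the
# ldapsearch command from the thread into rootdse_missing_attrs instead.
echo "missing: $(sample_rootdse | rootdse_missing_attrs)"
```

An attribute reported here is one the directory did not return in its rootDSE, which is the situation the reply suspects behind the NullPointerException in ADRootDSE.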