[ovirt-users] failed to attach a samba active directory

Hello ovirt developers. I have attached a samba ad dc successfully more then 10 times before via this link https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html but this time, when I try to attach a samba ad dc, I got some certificate error. my test engine version: 4.2.7 or 4.2.8 (both have been tested) full procedure like below: # ovirt-engine-extension-aaa-ldap-setup [ INFO  ] Stage: Initializing [ INFO  ] Stage: Environment setup           Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']           Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20190122102450-0b1sjq.log           Version: otopi-1.7.8 (otopi-1.7.8-1.el7) [ INFO  ] Stage: Environment packages setup [ INFO  ] Stage: Programs detection [ INFO  ] Stage: Environment customization           Welcome to LDAP extension configuration program           Available LDAP implementations:            1 - 389ds            2 - 389ds RFC-2307 Schema            3 - Active Directory            4 - IBM Security Directory Server            5 - IBM Security Directory Server RFC-2307 Schema            6 - IPA            7 - Novell eDirectory RFC-2307 Schema            8 - OpenLDAP RFC-2307 Schema            9 - OpenLDAP Standard Schema           10 - Oracle Unified Directory RFC-2307 Schema           11 - RFC-2307 Schema (Generic)           12 - RHDS           13 - RHDS RFC-2307 Schema           14 - iPlanet           Please select: 3           Please enter Active Directory Forest name: ntbaobei.com [ INFO  ] Resolving Global Catalog SRV record for ntbaobei.com                       NOTE:           It is highly recommended to use secure protocol to access the LDAP server.           Protocol startTLS is the standard recommended method to do so.           Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.           Use plain for test environments only.                       Please select protocol to use (startTLS, ldaps, plain) [startTLS]:            Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File           File path: /etc/pki/ca-trust/extracted/pem/ca.pem [ INFO  ] Resolving SRV record 'ntbaobei.com' [ INFO  ] Connecting to LDAP using 'ldap://dc1.ntbaobei.com:389' [ INFO  ] Executing startTLS [ INFO  ] Connection succeeded           Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): vmail@ntbaobei.com           Enter search user password:  [ INFO  ] Attempting to bind using 'vmail@ntbaobei.com'           Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]:                        NOTE:           Profile name has to match domain name, otherwise Single Sign-On for Virtual Machines will not work.                       Please specify profile name that will be visible to users [ntbaobei.com]:  [ INFO  ] Stage: Setup validation                       NOTE:           It is highly recommended to test drive the configuration before applying it into engine.           Login sequence is executed automatically, but it is recommended to also execute Search sequence manually after successful Login sequence.                       Please provide credentials to test login flow:           Enter user name: xingya_xu           Enter user password:  [ INFO  ] Executing login sequence...           Login output:           2019-01-22 10:26:06,777+08 INFO    ========================================================================           2019-01-22 10:26:06,800+08 INFO    ============================ Initialization ============================           2019-01-22 10:26:06,801+08 INFO    ========================================================================           2019-01-22 10:26:06,841+08 INFO    Loading extension 'ntbaobei.com-authn'           2019-01-22 10:26:06,911+08 INFO    Extension 'ntbaobei.com-authn' loaded           2019-01-22 10:26:06,917+08 INFO    Loading extension 'ntbaobei.com'           2019-01-22 10:26:06,953+08 INFO    Extension 'ntbaobei.com' loaded           2019-01-22 10:26:06,954+08 INFO    Initializing extension 'ntbaobei.com-authn'           2019-01-22 10:26:06,960+08 INFO    [ovirt-engine-extension-aaa-ldap.authn::ntbaobei.com-authn] Creating LDAP pool 'authz'           2019-01-22 10:26:07,324+08 WARNING Exception: The connection reader was unable to successfully complete TLS negotiation:  SSLHandshakeException(sun.security.validator.ValidatorException: No trusted certificate found), ldapSDKVersion=4.0.5, revision=b28fb50058dfe2864171df2448ad2ad2b4c2ad58           2019-01-22 10:26:07,325+08 INFO    [ovirt-engine-extension-aaa-ldap.authn::ntbaobei.com-authn] Creating LDAP pool 'authn'           2019-01-22 10:26:08,748+08 WARNING Exception: The connection reader was unable to successfully complete TLS negotiation:  SSLHandshakeException(sun.security.validator.ValidatorException: No trusted certificate found), ldapSDKVersion=4.0.5, revision=b28fb50058dfe2864171df2448ad2ad2b4c2ad58           2019-01-22 10:26:08,773+08 WARNING Ignoring records from pool: 'authz'           2019-01-22 10:26:08,774+08 WARNING Ignoring records from pool: 'authz'           2019-01-22 10:26:08,775+08 INFO    Extension 'ntbaobei.com-authn' initialized           2019-01-22 10:26:08,776+08 INFO    Initializing extension 'ntbaobei.com'           2019-01-22 10:26:08,776+08 INFO    [ovirt-engine-extension-aaa-ldap.authz::ntbaobei.com] Creating LDAP pool 'authz'           2019-01-22 10:26:09,414+08 INFO    [ovirt-engine-extension-aaa-ldap.authz::ntbaobei.com] LDAP pool 'authz' information: vendor='Samba Team (https://www.samba.org)' version='4.8.8-SerNet-RedHat-18.el7'           2019-01-22 10:26:09,415+08 INFO    [ovirt-engine-extension-aaa-ldap.authz::ntbaobei.com] Creating LDAP pool 'gc'           2019-01-22 10:26:10,148+08 WARNING Exception: The connection reader was unable to successfully complete TLS negotiation:  SSLHandshakeException(sun.security.validator.ValidatorException: No trusted certificate found), ldapSDKVersion=4.0.5, revision=b28fb50058dfe2864171df2448ad2ad2b4c2ad58           2019-01-22 10:26:10,179+08 INFO    [ovirt-engine-extension-aaa-ldap.authz::ntbaobei.com] Creating LDAP pool 'authz@ntbaobei.com'           2019-01-22 10:26:10,269+08 WARNING Exception: The connection reader was unable to successfully complete TLS negotiation:  SSLHandshakeException(sun.security.validator.ValidatorException: No trusted certificate found), ldapSDKVersion=4.0.5, revision=b28fb50058dfe2864171df2448ad2ad2b4c2ad58           2019-01-22 10:26:10,270+08 WARNING Ignoring records from pool: 'authz@ntbaobei.com'           2019-01-22 10:26:10,282+08 WARNING Ignoring records from pool: 'authz@ntbaobei.com'           2019-01-22 10:26:10,283+08 INFO    [ovirt-engine-extension-aaa-ldap.authz::ntbaobei.com] Available Namespaces: []           2019-01-22 10:26:10,283+08 INFO    Extension 'ntbaobei.com' initialized           2019-01-22 10:26:10,284+08 INFO    Start of enabled extensions list           2019-01-22 10:26:10,284+08 INFO    Instance name: 'ntbaobei.com', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.8', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.8-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmp01ChKj/extensions.d/ntbaobei.com.properties', Initialized: 'true'           2019-01-22 10:26:10,285+08 INFO    Instance name: 'ntbaobei.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.8', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.8-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmp01ChKj/extensions.d/ntbaobei.com-authn.properties', Initialized: 'true'           2019-01-22 10:26:10,285+08 INFO    End of enabled extensions list           2019-01-22 10:26:10,285+08 INFO    ========================================================================           2019-01-22 10:26:10,285+08 INFO    ============================== Execution ===============================           2019-01-22 10:26:10,286+08 INFO    ========================================================================           2019-01-22 10:26:10,286+08 INFO    Iteration: 0           2019-01-22 10:26:10,287+08 INFO    Profile='ntbaobei.com' authn='ntbaobei.com-authn' authz='ntbaobei.com' mapping='null'           2019-01-22 10:26:10,287+08 INFO    API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='ntbaobei.com' user='testusernamehere'           2019-01-22 10:26:10,290+08 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='ntbaobei.com' result=GENERAL_ERROR           2019-01-22 10:26:10,296+08 SEVERE  Authn.Result code is: GENERAL_ERROR [ ERROR ] Login sequence failed           Please investigate details of the failure (search for lines containing SEVERE log level).           Select test sequence to execute (Done, Abort, Login, Search) [Abort]:  [ ERROR ] Failed to execute stage 'Setup validation': Aborted by user [ INFO  ] Stage: Clean up           Log file is available at /tmp/ovirt-engine-extension-aaa-ldap-setup-20190122102450-0b1sjq.log: [ INFO  ] Stage: Pre-termination [ INFO  ] Stage: Termination I have copy the  CA certificate file from samba ad dc to /etc/pki/ca-trust/extracted/pem/ca.pem in the engine server. I think the warning "SSLHandshakeException(sun.security.validator.ValidatorException: No trusted certificate found), " is the reason why I can not pass user login test? I once passed the user login test in some older version such as 4.2.6. I can still pass the user login test using startTLS Insecure way. full log has been attached to this mail. thanks. yours Adam