Re: [Users] engine-manage-domains can't add user , domain

----- Original Message ----- > From: "Yair Zaslavsky" <yzaslavs(a)redhat.com&gt; > To: "Oved Ourfalli" <ovedo(a)redhat.com&gt; > Cc: "T-Sinjon" <tscbj1989(a)gmail.com&gt;, users(a)ovirt.org > Sent: Tuesday, May 15, 2012 8:48:26 AM > Subject: Re: [Users] engine-manage-domains can't add user , domain > > On 05/15/2012 08:35 AM, Oved Ourfalli wrote: >> >> >> ----- Original Message ----- >>> From: "T-Sinjon" <tscbj1989(a)gmail.com&gt; >>> To: "Oved Ourfalli" <ovedo(a)redhat.com&gt; >>> Cc: users(a)ovirt.org >>> Sent: Tuesday, May 15, 2012 5:53:16 AM >>> Subject: Re: [Users] engine-manage-domains can't add user , domain >>> >>> after use kinit login tsinjon , the error changes to , why this >>> happened? >>> >>> [root@ovirt-engine ~]# engine-manage-domains -action=add >>> -domain='local' -user='tsinjon' -interactive >>> Enter password: >>> >>> No user in Directory was found for tsinjon@LOCAL. Trying next LDAP >>> server in list >>> Failure while testing domain local. Details: No user information >>> was >>> found for user >>> >> Can't see why kinit matters here, but looking at your command I >> noticed you used single quotes for the user and domain name. >> I'm not sure it knows to handle this correctly. >> Did you try without the quotes? >> >> Also, what version are you working with? >> We had a problem a few weeks ago, of identifying the correct ldap >> provider. To fix that we added an option to specify the ldap >> provider type. It determines which query will be used in order to >> get the user details. >> >> cc-ing Roy, which added this. iirc it is mandatory to provide this >> option, so you probably don't have this option in your >> environment. >> Roy - is there an upstream release with this fix? > > Oved - this was merged upstream. > T-Sinjon - have you cloned the git repo and compiled or are you using > RPMs? > Yair - he is probably using the RPMs, as it is harder to run the utility from the git repo. > >> >> Regards, >> Oved >>> On 15 May, 2012, at 10:47 AM, T-Sinjon wrote: >>> >>>> >>>> I have added those SRV info into my zone file , and it did go , >>>> the log looks fine , but engine-manage-domains still return >>>> error >>>> >>>> 2012-05-15 10:45:19,222 INFO >>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating >>>> kerberos configuration for domain(s): local >>>> 2012-05-15 10:45:19,258 INFO >>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] >>>> Successfully >>>> created kerberos configuration for domain(s): local >>>> 2012-05-15 10:45:19,259 INFO >>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing >>>> kerberos configuration for domain: local >>>> >>>> [root@ovirt-engine ~]# engine-manage-domains -action=add >>>> -domain='local' -user='tsinjon' -interactive >>>> Enter password: >>>> >>>> Error: exception message: Integrity check on decrypted field >>>> failed (31) - PREAUTH_FAILED >>>> Failure while testing domain local. Details: Kerberos error. >>>> Please >>>> check log for further details. >>>> >>>> >>>> On 14 May, 2012, at 10:12 PM, Oved Ourfalli wrote: >>>> >>>>> >>>>> >>>>> ----- Original Message ----- >>>>>> From: "T-Sinjon" <tscbj1989(a)gmail.com&gt; >>>>>> To: users(a)ovirt.org >>>>>> Sent: Monday, May 14, 2012 5:07:46 PM >>>>>> Subject: [Users] engine-manage-domains can't add user , domain >>>>>> >>>>>> >>>>>> I use FreeIPA to authenticate users, ipa user-add has no >>>>>> problem, >>>>>> but when i do : >>>>>> >>>>>> [root@ovirt-engine ~]# engine-manage-domains -action=add >>>>>> -domain='local' -user='tsinjon' -interactive >>>>>> >>>>>> Error: Authentication Failed. Please verify the fully qualified >>>>>> domain name that is used for authentication is correct.. >>>>>> Problematic >>>>>> domain is: local >>>>>> Failure while applying Kerberos configuration. Details: >>>>>> Authentication Failed. Please verify the fully qualified domain >>>>>> name >>>>>> that is used for authentication is correct. >>>>>> >>>>>> and log from engine-manage-domains.log : >>>>>> >>>>>> 2012-05-14 21:58:47,892 INFO >>>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating >>>>>> kerberos configuration for domain(s): local >>>>>> 2012-05-14 21:58:47,923 ERROR >>>>>> [org.ovirt.engine.core.dns.DnsSRVLocator] Error in getting SRV >>>>>> list >>>>>> for protocol _tcp and domain LOCAL Exception message is DNS >>>>>> name >>>>>> not >>>>>> found [response code 3] >>>>>> >>>>>> my domain is 'local' , like ovirt-engine.local >>>>>> 、ovirt-node-1.local >>>>>> …etc >>>>>> >>>>>> What can i do to get through it? >>>>>> >>>>> The utility (and also the ovirt engine) are relying on DNS SRV >>>>> records in order to find LDAP and kerberos servers (supporting >>>>> Active directory, IPA or RHDS). >>>>> So, in order to work with it you must have the following in the >>>>> DNS >>>>> 1. PTR record for your LDAP server >>>>> 2. LDAP SRV record for your LDAP server >>>>> 3. LDAP kerberos record for your LDAP server >>>>> >>>>> If you don't really have access to the DNS you can install a >>>>> package called "dnsmasq", and perform this changes by yourself >>>>> in >>>>> its config file. >>>>> >>>>> Oved >>>>>> >>>>>> _______________________________________________ >>>>>> Users mailing list >>>>>> Users(a)ovirt.org >>>>>> http://lists.ovirt.org/mailman/listinfo/users >>>>>> >>>> >>> >>> >> _______________________________________________ >> Users mailing list >> Users(a)ovirt.org >> http://lists.ovirt.org/mailman/listinfo/users > > _______________________________________________ > Users mailing list > Users(a)ovirt.org > http://lists.ovirt.org/mailman/listinfo/users >