Help info like this:
[root@ovirt-engine ~]# engine-manage-domains
engine-manage-domains: add/edit/delete/validate/list domains
USAGE:
engine-manage-domains -action=ACTION [-domain=DOMAIN -user=USER
-passwordFile=PASSWORD_FILE -interactive -configFile=PATH] -report
Where:
ACTION action to perform (add/edit/delete/validate/list). See details below.
DOMAIN (mandatory for add, edit and delete) the domain you wish to perform
the action on.
USER (optional for edit, mandatory for add) the domain user.
PASSWORD_FILE (optional for edit, mandatory for add) a file containing the password
in the first line.
interactive alternative for using -passwordFile - read the password
interactively.
PATH (optional) use the given alternate configuration file.
Available actions:
add
Examples:
-action=add -domain=example.com -user=admin -passwordFile=/tmp/.pwd
Add a domain called
, using user admin and read the password from
/tmp/.pwd.
-action=edit -domain=example.com -passwordFile=/tmp/.new_password
Edit the domain
, using another password file.
-action=delete -domain=example.com
Delete the domain
.
-action=validate
Validate the current configuration (go over all the domains, try to authenticate to
each domain using the configured user/password.).
-report In combination with -action=validate will report all validation error, if
occured.
Default behaviour is to exit when a validation error occurs.
-action=list
Lists the current configuration.
-h
Show this help.
On 15 May, 2012, at 2:22 PM, Yair Zaslavsky wrote:
On 05/15/2012 09:17 AM, T-Sinjon wrote:
> Oved:
> 1. Yes, I used RPMs
>
> ovirt-engine-restapi-3.0.0_0001-1.6.fc16.x86_64
> ovirt-engine-dbscripts-3.0.0_0001-1.6.fc16.x86_64
> ovirt-engine-notification-service-3.0.0_0001-1.6.fc16.x86_64
> ovirt-engine-backend-3.0.0_0001-1.6.fc16.x86_64
> ovirt-engine-jboss-deps-3.0.0_0001-1.6.fc16.x86_64
> ovirt-engine-config-3.0.0_0001-1.6.fc16.x86_64
> ovirt-engine-webadmin-portal-3.0.0_0001-1.6.fc16.x86_64
> ovirt-engine-sdk-1.3-1.fc16.noarch
> ovirt-engine-jbossas-1.2-2.fc16.x86_64
> ovirt-engine-iso-uploader-3.0.0_0001-1.6.fc16.x86_64
> ovirt-engine-setup-3.0.0_0001-1.6.fc16.x86_64
> ovirt-engine-userportal-3.0.0_0001-1.6.fc16.x86_64
> ovirt-node-2.2.2-2.fc16.noarch
> ovirt-engine-genericapi-3.0.0_0001-1.6.fc16.x86_64
> ovirt-engine-tools-common-3.0.0_0001-1.6.fc16.x86_64
> ovirt-node-tools-2.2.2-2.fc16.noarch
> ovirt-engine-log-collector-3.0.0_0001-1.6.fc16.x86_64
> ovirt-engine-3.0.0_0001-1.6.fc16.x86_64
>
> 2. They are the same whether I use single quotes or not
>
> [root@ovirt-engine ~]# engine-manage-domains -action=add -domain=local -user=tsinjon -passwordFile=/root/tsinjon
> No user in Directory was found for tsinjon@LOCAL. Trying next LDAP server in list
> Failure while testing domain local. Details: No user information was found for user
When you run engine-manage-domains without parameters, what do you get?
>
> On 15 May, 2012, at 1:47 PM, Oved Ourfalli wrote:
>
>>
>>
>> ----- Original Message -----
>>> From: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
>>> To: "Oved Ourfalli" <ovedo(a)redhat.com>
>>> Cc: "T-Sinjon" <tscbj1989(a)gmail.com>, users(a)ovirt.org
>>> Sent: Tuesday, May 15, 2012 8:48:26 AM
>>> Subject: Re: [Users] engine-manage-domains can't add user , domain
>>>
>>> On 05/15/2012 08:35 AM, Oved Ourfalli wrote:
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "T-Sinjon" <tscbj1989(a)gmail.com>
>>>>> To: "Oved Ourfalli" <ovedo(a)redhat.com>
>>>>> Cc: users(a)ovirt.org
>>>>> Sent: Tuesday, May 15, 2012 5:53:16 AM
>>>>> Subject: Re: [Users] engine-manage-domains can't add user , domain
>>>>>
>>>>> After using kinit to log in as tsinjon, the error changes to the
>>>>> one below. Why did this happen?
>>>>>
>>>>> [root@ovirt-engine ~]# engine-manage-domains -action=add
>>>>> -domain='local' -user='tsinjon' -interactive
>>>>> Enter password:
>>>>>
>>>>> No user in Directory was found for tsinjon@LOCAL. Trying next LDAP
>>>>> server in list
>>>>> Failure while testing domain local. Details: No user information
>>>>> was
>>>>> found for user
>>>>>
>>>> Can't see why kinit matters here, but looking at your command I
>>>> noticed you used single quotes for the user and domain name.
>>>> I'm not sure it knows to handle this correctly.
>>>> Did you try without the quotes?
>>>>
>>>> Also, what version are you working with?
>>>> We had a problem a few weeks ago, of identifying the correct ldap
>>>> provider. To fix that we added an option to specify the ldap
>>>> provider type. It determines which query will be used in order to
>>>> get the user details.
>>>>
>>>> cc-ing Roy, which added this. iirc it is mandatory to provide this
>>>> option, so you probably don't have this option in your
>>>> environment.
>>>> Roy - is there an upstream release with this fix?
>>>
>>> Oved - this was merged upstream.
>>> T-Sinjon - have you cloned the git repo and compiled or are you using
>>> RPMs?
>>>
>> Yair - he is probably using the RPMs, as it is harder to run the utility from the git repo.
>>>
>>>>
>>>> Regards,
>>>> Oved
>>>>> On 15 May, 2012, at 10:47 AM, T-Sinjon wrote:
>>>>>
>>>>>>
>>>>>> I have added those SRV info into my zone file , and it did go ,
>>>>>> the log looks fine , but engine-manage-domains still return
>>>>>> error
>>>>>>
>>>>>> 2012-05-15 10:45:19,222 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): local
>>>>>> 2012-05-15 10:45:19,258 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): local
>>>>>> 2012-05-15 10:45:19,259 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: local
>>>>>>
>>>>>> [root@ovirt-engine ~]# engine-manage-domains -action=add
>>>>>> -domain='local' -user='tsinjon' -interactive
>>>>>> Enter password:
>>>>>>
>>>>>> Error: exception message: Integrity check on decrypted field
>>>>>> failed (31) - PREAUTH_FAILED
>>>>>> Failure while testing domain local. Details: Kerberos error.
>>>>>> Please
>>>>>> check log for further details.
>>>>>>
>>>>>>
>>>>>> On 14 May, 2012, at 10:12 PM, Oved Ourfalli wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "T-Sinjon" <tscbj1989(a)gmail.com>
>>>>>>>> To: users(a)ovirt.org
>>>>>>>> Sent: Monday, May 14, 2012 5:07:46 PM
>>>>>>>> Subject: [Users] engine-manage-domains can't add user , domain
>>>>>>>>
>>>>>>>>
>>>>>>>> I use FreeIPA to authenticate users, ipa user-add has no problem,
>>>>>>>> but when I do:
>>>>>>>>
>>>>>>>> [root@ovirt-engine ~]# engine-manage-domains -action=add
>>>>>>>> -domain='local' -user='tsinjon' -interactive
>>>>>>>>
>>>>>>>> Error: Authentication Failed. Please verify the fully qualified
>>>>>>>> domain name that is used for authentication is correct..
>>>>>>>> Problematic domain is: local
>>>>>>>> Failure while applying Kerberos configuration. Details:
>>>>>>>> Authentication Failed. Please verify the fully qualified domain
>>>>>>>> name that is used for authentication is correct.
>>>>>>>>
>>>>>>>> and log from engine-manage-domains.log :
>>>>>>>>
>>>>>>>> 2012-05-14 21:58:47,892 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): local
>>>>>>>> 2012-05-14 21:58:47,923 ERROR [org.ovirt.engine.core.dns.DnsSRVLocator] Error in getting SRV list for protocol _tcp and domain LOCAL Exception message is DNS name not found [response code 3]
>>>>>>>>
>>>>>>>> My domain is 'local', like ovirt-engine.local, ovirt-node-1.local, etc.
>>>>>>>>
>>>>>>>> What can i do to get through it?
>>>>>>>>
>>>>>>> The utility (and also the ovirt engine) are relying on DNS SRV
>>>>>>> records in order to find LDAP and kerberos servers (supporting
>>>>>>> Active directory, IPA or RHDS).
>>>>>>> So, in order to work with it you must have the following in the
>>>>>>> DNS:
>>>>>>> 1. PTR record for your LDAP server
>>>>>>> 2. LDAP SRV record for your LDAP server
>>>>>>> 3. LDAP kerberos record for your LDAP server
>>>>>>>
>>>>>>> If you don't really have access to the DNS you can install a
>>>>>>> package called "dnsmasq", and perform these changes by yourself
>>>>>>> in its config file.
>>>>>>>
>>>>>>> Oved
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Users mailing list
>>>>>>>> Users(a)ovirt.org
>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>
>>>
>
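
The SRV lookup described in Oved's reply, as an added example that is not part of the original thread or of oVirt's code: a shell check that a domain's LDAP and Kerberos SRV records return usable targets before engine-manage-domains is run. The record names `_ldap._tcp` and `_kerberos._tcp`, the function names, and the sample answers are assumptions; the PTR record is not checked here.

```shell
#!/bin/sh
# Added example: check the SRV records a directory domain must publish.
# Assumption: the names queried are _ldap._tcp.<domain> and _kerberos._tcp.<domain>.

# Print the SRV owner names to query for domain $1.
srv_names() {
    printf '_ldap._tcp.%s\n_kerberos._tcp.%s\n' "$1" "$1"
}

# Read `dig +short SRV` answers ("priority weight port target.") on stdin and
# print "target:port" for each usable one. A target of "." means the service
# is explicitly not offered (RFC 2782). Returns 1 when no answer is usable.
parse_srv() {
    awk '
        NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ &&
        $3 > 0 && $3 < 65536 && $4 != "." {
            sub(/\.$/, "", $4); print $4 ":" $3; ok = 1
        }
        END { exit !ok }'
}

# Check every SRV name for domain $1. If $2 is a directory, answers are read
# from files named after the owner name instead of calling dig (offline runs).
check_domain() {
    domain=$1 dir=${2:-} rc=0
    for name in $(srv_names "$domain"); do
        if [ -n "$dir" ]; then
            answers=$(cat "$dir/$name" 2>/dev/null || true)
        else
            answers=$(dig +short SRV "$name" 2>/dev/null || true)
        fi
        if targets=$(printf '%s\n' "$answers" | parse_srv); then
            echo "OK   $name -> $(printf '%s' "$targets" | tr '\n' ' ')"
        else
            echo "FAIL $name: no usable SRV answer"
            rc=1
        fi
    done
    return $rc
}

if [ -n "${1:-}" ]; then
    check_domain "$1" "${2:-}"
else
    # Constructed sample answers: one usable LDAP target, one "." placeholder.
    printf '0 100 389 ipa.local.\n0 0 0 .\n' | parse_srv
fi
```

Run it with the domain as the first argument (for the thread's setup, `local`); a FAIL line for either name corresponds to the "DNS name not found" error from DnsSRVLocator in the log above.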