Re: [ovirt-users] Extension aaa: No search for principal

----- Original Message ----- > From: "Daniel Helgenberger" <daniel.helgenberger(a)m-box.de&gt; > To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; > Cc: Users(a)ovirt.org > Sent: Tuesday, September 15, 2015 2:41:02 PM > Subject: Re: [ovirt-users] Extension aaa: No search for principal > > > > On 11.09.2015 17:00, Alon Bar-Lev wrote: >> >> >> ----- Original Message ----- >>> From: "Daniel Helgenberger" <daniel.helgenberger(a)m-box.de&gt; >>> To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; >>> Cc: Users(a)ovirt.org >>> Sent: Friday, September 11, 2015 5:33:21 PM >>> Subject: Re: [ovirt-users] Extension aaa: No search for principal >>> >>> sorry, forgot one: >>> >>> On 11.09.2015 12:48, Alon Bar-Lev wrote: >>>> Hi! >>>> >>>> Thank you for the information, for some reason the administrator user >>>> cannot be resolved to userPrincipalName during login, is it specific for >>>> Administrator or any user? >>> This is the default domain administrator account witch exits in any >>> forest. But just in case I created a new domain user just for the >>> purpose; same outcome >> > Sorry for the delay, Alon. > >> I am unsure what actually happens... > I might have an idea, at least from the commands you supplied. > >> Something in global catalog is out of sync. >> Usually - you do not add domain administrator to external application... >> there is no need to expose it. >> By default Administrator does not have "login from network" and "user >> principal suffix". >> >> Also in my environment I do not get result for administrator, but I do get >> one for regular user that has upn suffix in user record, you can see these >> fields in user and domain manager. >> >> So please use regular unprivileged users which belongs to "Domain Users" >> from now on. >> >> To test if user has userPrincipalName use the following command (assuming >> we search for user(a)int.corp.de): >> >> $ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H >> ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D &#39;bind(a)int.corp.de&#39; -w >> PASSWORD -b '' &#39;(userPrincipalName=user(a)int.corp.de)&#39; cn userPrincipalName > It seams with Active Directory (at least) the search base cannot be > empty (-b '') but needs to be provided. > > In my case, the above command fails with: >> # search result >> search: 2 >> result: 32 No such object >> text: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, >> best match of: > > While adding the most basic search path it succeeds: > > $ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H > ldap://int.corp.de:389/ -x -D &#39;bind(a)int.corp.de&#39; -w PASSWORD -b > 'dc=int,dc=corp,dc=de' &#39;(userPrincipalName=administrator(a)int.corp.de)&#39; > cn userPrincipalName >> # search reference >> ref: >> ldap://ForestDnsZones.int.corp.de/DC=ForestDnsZones,DC=int,DC=corp,DC=de >> >> # search reference >> ref: >> ldap://DomainDnsZones.int.corp.de/DC=DomainDnsZones,DC=int,DC=corp,DC=de >> >> # search reference >> ref: ldap://int.corp.de/CN=Configuration,DC=int,DC=corp,DC=de >> >> # search result >> search: 2 >> result: 0 Success >> control: 1.2.840.113556.1.4.319 false DDDDDDDSSSDDMM= >> pagedresults: cookie= >> >> # numResponses: 4 >> # numReferences: 3 But I asked to query a specific port... the global catalog, port 3268, see my command above. > > It succeeds with every user I tried. what we see is not a success... :( I also asked not to use administrator as a reference user, please create a standard non privileged user for these tests, so skip oddness of builtin administrator for now.

> I would set the search base; but i am not sure where to do so. > >> >> This should find the user (return one result), if not, please checkout user >> in Users and Domains manager for the domain suffix, maybe it is empty. >> >> To find user without userPrincipalName such as Administrator use the >> following command: >> >> $ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H >> ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D &#39;bind(a)int.corp.de&#39; -w >> PASSWORD -b '' '(sAMAccountName=user)' cn userPrincipalName >> >> For example, the above will work for Administrator, but for kerberos to >> work properly user principal name must be defined, so these users will not >> work. >> >> You can dump entire GC and send me a user record if no result so I can >> determine what is different from expectations: >> >> $ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H >> ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D &#39;bind(a)int.corp.de&#39; -w >> PASSWORD -b '' > /tmp/dump.out > > If you still require a dump (its even a small one..) please drop a mail. I will be happy to receive a complete dump of your gc, please send me privately, so we can progress. Please use this exact command just replace qa1.qa.lab.tlv.redhat.com with your dc, bind(a)int.corp.de with your bind user and PASSWORD with bind user password.

Thanks! >> >> Regards, >> Alon >> > > -- > Daniel Helgenberger > m box bewegtbild GmbH > > P: +49/30/2408781-22 > F: +49/30/2408781-10 > > ACKERSTR. 19 > D-10115 BERLIN > > > www.m-box.de www.monkeymen.tv > > Geschäftsführer: Martin Retschitzegger / Michaela Göllner > Handeslregister: Amtsgericht Charlottenburg / HRB 112767 >