------=_Part_7528046_1477693076.1346594005732
Content-Type: multipart/related;
boundary="----=_Part_7528047_2086634424.1346594005732"
------=_Part_7528047_2086634424.1346594005732
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Hey,
What's the name of your domain?
The query you pasted below shows "DOMAIN.LOCAL".
However, in the log I see:
"Failed authenticating user: f35191a to domain fpt.local".
Did some reading, and looks like this error happens when the kerberos ticke=
t is requested to the wrong REALM.
What version are you working with?
Is there anything else in the logs besides what you have put in pastebin?
Oved
----- Original Message -----
From: "Scotto Alberto" <al.scotto(a)reply.it>
To: users(a)ovirt.org
Sent: Friday, August 31, 2012 6:45:15 PM
Subject: Re: [Users] can't add domain with rhevm-manage-domains
=20
=20
=20
=20
=20
Ok, now it works.
=20
=20
=20
Thanks to tcpdump/wireshark I could undesrstand that:
=20
- Rhevm-manage-domains sends DNS queries asking for PTR of RHEV-H and
another redundant domain server, so I
=20
- The LDAP query it sends is
(&(sAMAccountType=3D805306368)(userPrincipalName=3D
fptadmin02(a)DOMAIN.LOCAL) ) but the account =E2=80=9Cfptadmin02=E2=80=9D I=
was
using
had a different userPrincipalName
=20
=20
=20
So here is how I solved:
=20
- adding the missing PTRs in the reverse zone of the DNS server
=20
- logging in with another username that has a correct
userPrincipalName
=20
=20
=20
Anyhow, after restarting jbossas, still I can=E2=80=99t log in the consol=
e
with a domain username.
=20
From wireshark I see it doesn=E2=80=99t even send an LDAP query; it break=
s at
KRB5 packets with =E2=80=9Cerror_code:
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7=
)=E2=80=9D
=20
=20
=20
Here are the logs from rhevm.log
=20
http://pastebin.com/kZqn3kzz
=20
=20
=20
=20
=20
=20
=20
=20
=20
=20
=20
Alberto Scotto
=20
Blue
Via Cardinal Massaia, 83
10147 - Torino - ITALY
phone: +39 011 29100
al.scotto(a)reply.it
www.reply.it
=20
=20
=20
From: users-bounces(a)ovirt.org [mailto:users-bounces@ovirt.org] On
Behalf Of Scotto Alberto
Sent: venerd=C3=AC 31 agosto 2012 11:35
To: users(a)ovirt.org
Subject: [Users] can't add domain with rhevm-manage-domains
=20
=20
=20
=20
Hi all,
=20
I=E2=80=99m trying to add a domain (active directory), but I can=E2=80=99=
t get it
to
work.
=20
=20
=20
The command I execute is:
=20
rhevm-manage-domains -action=3Dadd -domain=3D'FPT.LOCAL' -user=3D'fptadmi=
n'
=E2=80=93interactive
=20
=20
=20
Attached you can find:
=20
- Output of the command
=20
- Logs from
/var/log/rhevm/rhevm-manage-domains/rhevm-manage-domains.log
=20
=20
=20
=20
=20
I found a RHEV KB saying:
=20
=20
=20
For Error: LDAP query Failed , make sure the Active Directory server
and the RHEVM server have the correct PTR records in the DNS reverse
lookup zone file
=20
=20
=20
And another one says:
=20
It's required to create PTR entry into DNS for the following:
=20
=C2=B7 Name Server (NS) - Start of Authority (SOA)
Example:
WIN-TL8JB8JAG8.ad.mydomain.com.
=20
=C2=B7 Active Directory Name
Example:
ad.mydomain.com.
=20
=C2=B7 RHEVM machine
Example:
rhevm.ad.mydomain.com.
=20
We are fulfilling this requirement, as nslookup of these 3 machines=E2=80=
=99
IP work.
=20
=20
=20
Additional info.
=20
=20
=20
These commands work (if you need I can paste the full output):
=20
#dig SRV _kerberos._tcp.FPT.LOCAL #dig SRV _kerberos._udp.FPT.LOCAL
#dig SRV _ldap._tcp.FPT.LOCAL
=20
=20
=20
# kinit fptadmin02(a)FPT.LOCAL
=20
# klist
=20
Ticket cache: FILE:/tmp/krb5cc_0
=20
Default principal: fptadmin02(a)FPT.LOCAL
=20
=20
=20
Valid starting Expires Service principal
=20
08/30/12 15:55:46 08/31/12 01:55:51 krbtgt/FPT.LOCAL(a)FPT.LOCAL
=20
renew until 09/06/12 15:55:46
=20
=20
=20
=20
=20
Thank you very much in advance
=20
=20
=20
Alberto Scotto
=20
Blue
Via Cardinal Massaia, 83
10147 - Torino - ITALY
phone: +39 011 29100
al.scotto(a)reply.it
www.reply.it
=20
=20
=20
=20
=20
=20
=20
--
The information transmitted is intended for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of,
or taking of any action in reliance upon, this information by
persons or entities other than the intended recipient is prohibited.
If you received this in error, please contact the sender and delete
the material from any computer.
=20
=20
--
The information transmitted is intended for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of,
or taking of any action in reliance upon, this information by
persons or entities other than the intended recipient is prohibited.
If you received this in error, please contact the sender and delete
the material from any computer.
=20
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
=20
------=_Part_7528047_2086634424.1346594005732--
------=_Part_7528046_1477693076.1346594005732--