
Hey,

What's the name of your domain? The query you pasted below shows "DOMAIN.LOCAL". However, in the log I see: "Failed authenticating user: f35191a to domain fpt.local".

Did some reading, and it looks like this error happens when the Kerberos ticket is requested to the wrong REALM.

What version are you working with? Is there anything else in the logs besides what you have put in pastebin?

Oved

----- Original Message -----
From: "Scotto Alberto" <al.scotto@reply.it>
To: users@ovirt.org
Sent: Friday, August 31, 2012 6:45:15 PM
Subject: Re: [Users] can't add domain with rhevm-manage-domains

Ok, now it works.

Thanks to tcpdump/wireshark I could understand that:

- Rhevm-manage-domains sends DNS queries asking for PTR of RHEV-H and another redundant domain server, so I

- The LDAP query it sends is (&(sAMAccountType=805306368)(userPrincipalName=fptadmin02@DOMAIN.LOCAL)) but the account "fptadmin02" I was using had a different userPrincipalName

So here is how I solved:

- adding the missing PTRs in the reverse zone of the DNS server

- logging in with another username that has a correct userPrincipalName

Anyhow, after restarting jbossas, still I can't log in to the console with a domain username.

From wireshark I see it doesn't even send an LDAP query; it breaks at KRB5 packets with "error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)"

Here are the logs from rhevm.log

http://pastebin.com/kZqn3kzz

Alberto Scotto

Blue
Via Cardinal Massaia, 83
10147 - Torino - ITALY
phone: +39 011 29100
al.scotto@reply.it
www.reply.it

From: users-bounces@ovirt.org [mailto:users-bounces@ovirt.org] On Behalf Of Scotto Alberto
Sent: Friday 31 August 2012 11:35
To: users@ovirt.org
Subject: [Users] can't add domain with rhevm-manage-domains

Hi all,

I'm trying to add a domain (active directory), but I can't get it to work.
The command I execute is:

rhevm-manage-domains -action=add -domain='FPT.LOCAL' -user='fptadmin' –interactive

Attached you can find:

- Output of the command

- Logs from /var/log/rhevm/rhevm-manage-domains/rhevm-manage-domains.log

I found a RHEV KB saying:

For Error: LDAP query Failed, make sure the Active Directory server and the RHEVM server have the correct PTR records in the DNS reverse lookup zone file

And another one says:

It's required to create PTR entry into DNS for the following:

· Name Server (NS) - Start of Authority (SOA) Example: WIN-TL8JB8JAG8.ad.mydomain.com.

· Active Directory Name Example: ad.mydomain.com.

· RHEVM machine Example: rhevm.ad.mydomain.com.

We are fulfilling this requirement, as nslookup of these 3 machines' IPs works.

Additional info.

These commands work (if you need I can paste the full output):

#dig SRV _kerberos._tcp.FPT.LOCAL
#dig SRV _kerberos._udp.FPT.LOCAL
#dig SRV _ldap._tcp.FPT.LOCAL

# kinit fptadmin02@FPT.LOCAL

# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: fptadmin02@FPT.LOCAL

Valid starting       Expires              Service principal
08/30/12 15:55:46    08/31/12 01:55:51    krbtgt/FPT.LOCAL@FPT.LOCAL
        renew until 09/06/12 15:55:46

Thank you very much in advance

Alberto Scotto

Blue
Via Cardinal Massaia, 83
10147 - Torino - ITALY
phone: +39 011 29100
al.scotto@reply.it
www.reply.it

--
The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited.
If you received this in error, please contact the sender and delete the material from any computer.

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
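The two mismatches this thread turns on, the userPrincipalName filter that rhevm-manage-domains was captured sending and the realm difference Oved points out between the query and the log, modelled in an added Python example (not code from oVirt/RHEV-M or from anyone on the list); the directory entries, account names and UPN suffixes are constructed:

```python
# Added example (not from the thread): evaluate the AD filter seen in the capture,
#   (&(sAMAccountType=805306368)(userPrincipalName=<user>@<DOMAIN>))
# against a constructed directory, and explain a miss more precisely than
# "LDAP query Failed". Also compare the configured domain with the realm on
# the TGT shown by klist. All entries below are made up for illustration.

NORMAL_USER_ACCOUNT = 805306368  # sAMAccountType value from the captured filter

# Constructed sample entries (not real accounts).
ENTRIES = [
    {"sAMAccountName": "fptadmin", "userPrincipalName": "fptadmin@fpt.local",
     "sAMAccountType": NORMAL_USER_ACCOUNT},
    {"sAMAccountName": "fptadmin02", "userPrincipalName": "fptadmin02@corp.example",
     "sAMAccountType": NORMAL_USER_ACCOUNT},  # UPN suffix differs from the domain
    {"sAMAccountName": "svc-backup", "userPrincipalName": "svc-backup@fpt.local",
     "sAMAccountType": 805306369},  # not a normal user account (constructed)
]

def build_filter(user, domain):
    """The LDAP filter rhevm-manage-domains was observed sending."""
    return f"(&(sAMAccountType={NORMAL_USER_ACCOUNT})(userPrincipalName={user}@{domain}))"

def matches(entry, user, domain):
    """Evaluate that filter; AD compares userPrincipalName case-insensitively."""
    return (entry["sAMAccountType"] == NORMAL_USER_ACCOUNT
            and entry["userPrincipalName"].lower() == f"{user}@{domain}".lower())

def diagnose_lookup(entries, user, domain):
    """Say why the filter returns no entry, so the fix (PTR? UPN? type?) is obvious."""
    if any(matches(e, user, domain) for e in entries):
        return "ok"
    by_name = [e for e in entries if e["sAMAccountName"].lower() == user.lower()]
    if not by_name:
        return "no account with that sAMAccountName"
    if not any(e["sAMAccountType"] == NORMAL_USER_ACCOUNT for e in by_name):
        return "account exists but is not a normal user account"
    upns = sorted(e["userPrincipalName"] for e in by_name)
    return f"upn mismatch: expected {user}@{domain}, directory has {', '.join(upns)}"

def check_realm(configured_domain, ticket_principal):
    """Compare the -domain value with the realm of the principal klist reports."""
    realm = ticket_principal.rsplit("@", 1)[-1]
    if realm.upper() == configured_domain.upper():
        return "ok"
    return f"realm mismatch: domain {configured_domain} but ticket realm {realm}"
```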