[Users] Problem running engine-manage-domain on oVirt 3.1.0-4
Hello oVirt Users, Just signed up to the user mailing list and have a question regarding an error being reported to stdout when running engine-manage-domains. When running the `engine-manage-domains` utility from the command line I see the following error reported: *[root@hive ovirt-engine]# engine-manage-domains -action=list* *Failed reading current configuration. Details: Error "Key for add operation must be defined!" while reading configuration value AdUserName.* A quick Google on this leads directly to Bugzilla – Bug 883846 – which looks like it’s fixed in the 3.2 version. Can anyone confirm that? I’ve inherited a DL580 running oVirt Manager and a bunch of VM’s, and don’t really want to undertake an upgrade just now if I don’t have to. The real problem seems to be that I can’t assign a user with any roles since the ldap lookup to the active server fails – due, I think, to the fact that the query is configured to authenticate with the previous admins credentials – they left and the account is now disabled. J
From the /var/log/ovirt-engine/engine.log
*2013-07-25 11:32:15,574 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--0.0.0.0-8009-1) Authentication failed. The user is either locked or disabled* *2013-07-25 11:32:15,575 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-1) Failed ldap search server LDAP://<my_active_directory>:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException* * * The above gets written out as soon as I hit the Go button in the Add System Permission to User dialogue window. Thanks in advance for any advice!
----- Original Message -----
From: "Trevor Galloway" <trevgall@googlemail.com> To: users@ovirt.org Sent: Thursday, July 25, 2013 7:51:56 PM Subject: [Users] Problem running engine-manage-domain on oVirt 3.1.0-4
Hello oVirt Users,
Just signed up to the user mailing list and have a question regarding an error being reported to stdout when running engine-manage-domains.
When running the `engine-manage-domains` utility from the command line I see the following error reported:
*[root@hive ovirt-engine]# engine-manage-domains -action=list*
*Failed reading current configuration. Details: Error "Key for add operation must be defined!" while reading configuration value AdUserName.*
A quick Google on this leads directly to Bugzilla – Bug 883846 – which looks like it’s fixed in the 3.2 version. Can anyone confirm that? I’ve inherited a DL580 running oVirt Manager and a bunch of VM’s, and don’t really want to undertake an upgrade just now if I don’t have to.
This is indeed the issue.
The real problem seems to be that I can’t assign a user with any roles since the ldap lookup to the active server fails – due, I think, to the fact that the query is configured to authenticate with the previous admins credentials – they left and the account is now disabled. J
From the /var/log/ovirt-engine/engine.log
*2013-07-25 11:32:15,574 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--0.0.0.0-8009-1) Authentication failed. The user is either locked or disabled*
*2013-07-25 11:32:15,575 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-1) Failed ldap search server LDAP://<my_active_directory>:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException*
* *
The above gets written out as soon as I hit the Go button in the Add System Permission to User dialogue window.
engine-manage-domains uses engine-config and provides its a configuration (after the above bug fix) with keys in form of "key=". If you really don't want to upgrade, maybe you should consider editing the engine-manage-domains script, as in http://gerrit.ovirt.org/#/c/9743/3/backend/manager/conf/kerberos/engine-mana... ? You will have to do that for any altering operations on domains and their associated users. Please let us know if it worked for you Many thanks, Yair
Thanks in advance for any advice!
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Thanks Yair, I made the changes to the engine-manage-domains script as suggested in the gerrit link - that now works just fine, and also confirms what I thought the problem was all along - namely that the configured username returned on a `engine-manage-domains --action=list` is that of the previous admin. The problem being that their account is no longer valid within the active directory, hence validation fails. I've trawled the various ovirt config directories but can't find a resource that holds the username to use on the LDAP query. Presumably this is something that gets setup at install time? Is there a way to re-configure the underlying username? Many thanks, Trevor On 25 July 2013 22:29, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
----- Original Message -----
From: "Trevor Galloway" <trevgall@googlemail.com> To: users@ovirt.org Sent: Thursday, July 25, 2013 7:51:56 PM Subject: [Users] Problem running engine-manage-domain on oVirt 3.1.0-4
Hello oVirt Users,
Just signed up to the user mailing list and have a question regarding an error being reported to stdout when running engine-manage-domains.
When running the `engine-manage-domains` utility from the command line I see the following error reported:
*[root@hive ovirt-engine]# engine-manage-domains -action=list*
*Failed reading current configuration. Details: Error "Key for add operation must be defined!" while reading configuration value AdUserName.*
A quick Google on this leads directly to Bugzilla – Bug 883846 – which looks like it’s fixed in the 3.2 version. Can anyone confirm that? I’ve inherited a DL580 running oVirt Manager and a bunch of VM’s, and don’t really want to undertake an upgrade just now if I don’t have to.
This is indeed the issue.
The real problem seems to be that I can’t assign a user with any roles since the ldap lookup to the active server fails – due, I think, to the fact that the query is configured to authenticate with the previous
admins
credentials – they left and the account is now disabled. J
From the /var/log/ovirt-engine/engine.log
*2013-07-25 11:32:15,574 ERROR
[org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
(ajp--0.0.0.0-8009-1) Authentication failed. The user is either locked or disabled*
*2013-07-25 11:32:15,575 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-1) Failed ldap search server LDAP://<my_active_directory>:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException*
* *
The above gets written out as soon as I hit the Go button in the Add System Permission to User dialogue window.
engine-manage-domains uses engine-config and provides its a configuration (after the above bug fix) with keys in form of "key=". If you really don't want to upgrade, maybe you should consider editing the engine-manage-domains script, as in
http://gerrit.ovirt.org/#/c/9743/3/backend/manager/conf/kerberos/engine-mana...
You will have to do that for any altering operations on domains and their associated users.
Please let us know if it worked for you
Many thanks, Yair
Thanks in advance for any advice!
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
On 07/26/2013 01:55 PM, Trevor Galloway wrote:
Thanks Yair, I made the changes to the engine-manage-domains script as suggested in the gerrit link - that now works just fine, and also confirms what I thought the problem was all along - namely that the configured username returned on a `engine-manage-domains --action=list` is that of the previous admin. The problem being that their account is no longer valid within the active directory, hence validation fails. I've trawled the various ovirt config directories but can't find a resource that holds the username to use on the LDAP query. Presumably this is something that gets setup at install time? Is there a way to re-configure the underlying username?
engine-manage-domains should allow you to set the user used in the ldap query via -action=list. then you can use -action=edit to update it
Many thanks, Trevor
On 25 July 2013 22:29, Yair Zaslavsky <yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>> wrote:
----- Original Message ----- > From: "Trevor Galloway" <trevgall@googlemail.com <mailto:trevgall@googlemail.com>> > To: users@ovirt.org <mailto:users@ovirt.org> > Sent: Thursday, July 25, 2013 7:51:56 PM > Subject: [Users] Problem running engine-manage-domain on oVirt 3.1.0-4 > > Hello oVirt Users, > > > > Just signed up to the user mailing list and have a question regarding an > error being reported to stdout when running engine-manage-domains. > > > > When running the `engine-manage-domains` utility from the command line I > see the following error reported: > > > > *[root@hive ovirt-engine]# engine-manage-domains -action=list* > > *Failed reading current configuration. Details: Error "Key for add > operation must be defined!" while reading configuration value AdUserName.* > > > > A quick Google on this leads directly to Bugzilla – Bug 883846 – which > looks like it’s fixed in the 3.2 version. Can anyone confirm that? I’ve > inherited a DL580 running oVirt Manager and a bunch of VM’s, and don’t > really want to undertake an upgrade just now if I don’t have to.
This is indeed the issue.
> > > > > > The real problem seems to be that I can’t assign a user with any roles > since the ldap lookup to the active server fails – due, I think, to the > fact that the query is configured to authenticate with the previous admins > credentials – they left and the account is now disabled. J > > > > From the /var/log/ovirt-engine/engine.log > > *2013-07-25 11:32:15,574 ERROR > [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] > (ajp--0.0.0.0-8009-1) Authentication failed. The user is either locked or > disabled* > > *2013-07-25 11:32:15,575 ERROR > [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] > (ajp--0.0.0.0-8009-1) Failed ldap search server > LDAP://<my_active_directory>:389 due to > org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We > should not try the next server: > org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException* > > * * > > The above gets written out as soon as I hit the Go button in the Add System > Permission to User dialogue window.
engine-manage-domains uses engine-config and provides its a configuration (after the above bug fix) with keys in form of "key=". If you really don't want to upgrade, maybe you should consider editing the engine-manage-domains script, as in
http://gerrit.ovirt.org/#/c/9743/3/backend/manager/conf/kerberos/engine-mana... ?
You will have to do that for any altering operations on domains and their associated users.
Please let us know if it worked for you
Many thanks, Yair
> > > > Thanks in advance for any advice! > > _______________________________________________ > Users mailing list > Users@ovirt.org <mailto:Users@ovirt.org> > http://lists.ovirt.org/mailman/listinfo/users >
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Thanks Itamar for the suggestion - however the `-action=edit` fails since the currently configured user account is inactive within the active directory - it looks as if there is an initial authentication that needs to validate before the edit can proceed ... :( Hence my query about being able to reset the underlying username that engine-manage-domains uses? Thanks Trevor On 26 July 2013 12:01, Itamar Heim <iheim@redhat.com> wrote:
On 07/26/2013 01:55 PM, Trevor Galloway wrote:
Thanks Yair, I made the changes to the engine-manage-domains script as suggested in the gerrit link - that now works just fine, and also confirms what I thought the problem was all along - namely that the configured username returned on a `engine-manage-domains --action=list` is that of the previous admin. The problem being that their account is no longer valid within the active directory, hence validation fails. I've trawled the various ovirt config directories but can't find a resource that holds the username to use on the LDAP query. Presumably this is something that gets setup at install time? Is there a way to re-configure the underlying username?
engine-manage-domains should allow you to set the user used in the ldap query via -action=list. then you can use -action=edit to update it
Many thanks,
Trevor
On 25 July 2013 22:29, Yair Zaslavsky <yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>> wrote:
----- Original Message ----- > From: "Trevor Galloway" <trevgall@googlemail.com <mailto:trevgall@googlemail.**com <trevgall@googlemail.com>>> > To: users@ovirt.org <mailto:users@ovirt.org> > Sent: Thursday, July 25, 2013 7:51:56 PM > Subject: [Users] Problem running engine-manage-domain on oVirt 3.1.0-4 > > Hello oVirt Users, > > > > Just signed up to the user mailing list and have a question regarding an > error being reported to stdout when running engine-manage-domains. > > > > When running the `engine-manage-domains` utility from the command line I > see the following error reported: > > > > *[root@hive ovirt-engine]# engine-manage-domains -action=list* > > *Failed reading current configuration. Details: Error "Key for add > operation must be defined!" while reading configuration value AdUserName.* > > > > A quick Google on this leads directly to Bugzilla – Bug 883846 – which > looks like it’s fixed in the 3.2 version. Can anyone confirm that? I’ve > inherited a DL580 running oVirt Manager and a bunch of VM’s, and don’t > really want to undertake an upgrade just now if I don’t have to.
This is indeed the issue.
> > > > > > The real problem seems to be that I can’t assign a user with any roles > since the ldap lookup to the active server fails – due, I think, to the > fact that the query is configured to authenticate with the previous admins > credentials – they left and the account is now disabled. J > > > > From the /var/log/ovirt-engine/engine.**log > > *2013-07-25 11:32:15,574 ERROR > [org.ovirt.engine.core.bll.**adbroker.** GSSAPIDirContextAuthentication**Strategy] > (ajp--0.0.0.0-8009-1) Authentication failed. The user is either locked or > disabled* > > *2013-07-25 11:32:15,575 ERROR > [org.ovirt.engine.core.bll.**adbroker.DirectorySearcher] > (ajp--0.0.0.0-8009-1) Failed ldap search server > LDAP://<my_active_directory>:**389 due to > org.ovirt.engine.core.bll.**adbroker.**EngineDirectoryServiceExceptio **n. We > should not try the next server: > org.ovirt.engine.core.bll.**adbroker.** EngineDirectoryServiceExceptio**n* > > * * > > The above gets written out as soon as I hit the Go button in the Add System > Permission to User dialogue window.
engine-manage-domains uses engine-config and provides its a configuration (after the above bug fix) with keys in form of "key=". If you really don't want to upgrade, maybe you should consider editing the engine-manage-domains script, as in
http://gerrit.ovirt.org/#/c/**9743/3/backend/manager/conf/** kerberos/engine-manage-domains<http://gerrit.ovirt.org/#/c/9743/3/backend/manager/conf/kerberos/engine-manage-domains> ?
You will have to do that for any altering operations on domains and their associated users.
Please let us know if it worked for you
Many thanks, Yair
> > > > Thanks in advance for any advice! > > ______________________________**_________________ > Users mailing list > Users@ovirt.org <mailto:Users@ovirt.org> > http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org/mailman/listinfo/users>
>
______________________________**_________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org/mailman/listinfo/users>
On 07/26/2013 03:54 PM, Trevor Galloway wrote:
Thanks Itamar for the suggestion - however the `-action=edit` fails since the currently configured user account is inactive within the active directory - it looks as if there is an initial authentication that needs to validate before the edit can proceed ... :( Hence my query about being able to reset the underlying username that engine-manage-domains uses?
you can delete the domain, then add it. (and i'd expect edit allows you to set the new user and use it, strange it will fail you)
Thanks Trevor
On 26 July 2013 12:01, Itamar Heim <iheim@redhat.com <mailto:iheim@redhat.com>> wrote:
On 07/26/2013 01:55 PM, Trevor Galloway wrote:
Thanks Yair, I made the changes to the engine-manage-domains script as suggested in the gerrit link - that now works just fine, and also confirms what I thought the problem was all along - namely that the configured username returned on a `engine-manage-domains --action=list` is that of the previous admin. The problem being that their account is no longer valid within the active directory, hence validation fails. I've trawled the various ovirt config directories but can't find a resource that holds the username to use on the LDAP query. Presumably this is something that gets setup at install time? Is there a way to re-configure the underlying username?
engine-manage-domains should allow you to set the user used in the ldap query via -action=list. then you can use -action=edit to update it
Many thanks, Trevor
On 25 July 2013 22:29, Yair Zaslavsky <yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> <mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>>> wrote:
----- Original Message ----- > From: "Trevor Galloway" <trevgall@googlemail.com <mailto:trevgall@googlemail.com> <mailto:trevgall@googlemail.__com <mailto:trevgall@googlemail.com>>> > To: users@ovirt.org <mailto:users@ovirt.org> <mailto:users@ovirt.org <mailto:users@ovirt.org>> > Sent: Thursday, July 25, 2013 7:51:56 PM > Subject: [Users] Problem running engine-manage-domain on oVirt 3.1.0-4 > > Hello oVirt Users, > > > > Just signed up to the user mailing list and have a question regarding an > error being reported to stdout when running engine-manage-domains. > > > > When running the `engine-manage-domains` utility from the command line I > see the following error reported: > > > > *[root@hive ovirt-engine]# engine-manage-domains -action=list* > > *Failed reading current configuration. Details: Error "Key for add > operation must be defined!" while reading configuration value AdUserName.* > > > > A quick Google on this leads directly to Bugzilla – Bug 883846 – which > looks like it’s fixed in the 3.2 version. Can anyone confirm that? I’ve > inherited a DL580 running oVirt Manager and a bunch of VM’s, and don’t > really want to undertake an upgrade just now if I don’t have to.
This is indeed the issue.
> > > > > > The real problem seems to be that I can’t assign a user with any roles > since the ldap lookup to the active server fails – due, I think, to the > fact that the query is configured to authenticate with the previous admins > credentials – they left and the account is now disabled. J > > > > From the /var/log/ovirt-engine/engine.__log > > *2013-07-25 11:32:15,574 ERROR >
[org.ovirt.engine.core.bll.__adbroker.__GSSAPIDirContextAuthentication__Strategy] > (ajp--0.0.0.0-8009-1) Authentication failed. The user is either locked or > disabled* > > *2013-07-25 11:32:15,575 ERROR > [org.ovirt.engine.core.bll.__adbroker.DirectorySearcher] > (ajp--0.0.0.0-8009-1) Failed ldap search server > LDAP://<my_active_directory>:__389 due to >
org.ovirt.engine.core.bll.__adbroker.__EngineDirectoryServiceExceptio__n. We > should not try the next server: > org.ovirt.engine.core.bll.__adbroker.__EngineDirectoryServiceExceptio__n* > > * * > > The above gets written out as soon as I hit the Go button in the Add System > Permission to User dialogue window.
engine-manage-domains uses engine-config and provides its a configuration (after the above bug fix) with keys in form of "key=". If you really don't want to upgrade, maybe you should consider editing the engine-manage-domains script, as in
http://gerrit.ovirt.org/#/c/__9743/3/backend/manager/conf/__kerberos/engine-... <http://gerrit.ovirt.org/#/c/9743/3/backend/manager/conf/kerberos/engine-manage-domains> ?
You will have to do that for any altering operations on domains and their associated users.
Please let us know if it worked for you
Many thanks, Yair
> > > > Thanks in advance for any advice! > > _________________________________________________ > Users mailing list > Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> > http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users>
>
_________________________________________________ Users mailing list Users@ovirt.org <mailto:Users@ovirt.org> http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users>
participants (3)
-
Itamar Heim -
Trevor Galloway -
Yair Zaslavsky