7:51 p.m.
Hello oVirt Users,
Just signed up to the user mailing list and have a question regarding an
error being reported to stdout when running engine-manage-domains.
When running the `engine-manage-domains` utility from the command line I
see the following error reported:
*[root@hive ovirt-engine]# engine-manage-domains -action=list*
*Failed reading current configuration. Details: Error "Key for add
operation must be defined!" while reading configuration value AdUserName.*
A quick Google on this leads directly to Bugzilla – Bug 883846 – which
looks like it’s fixed in the 3.2 version. Can anyone confirm that? I’ve
inherited a DL580 running oVirt Manager and a bunch of VM’s, and don’t
really want to undertake an upgrade just now if I don’t have to.
The real problem seems to be that I can’t assign a user with any roles
since the ldap lookup to the active server fails – due, I think, to the
fact that the query is configured to authenticate with the previous admins
credentials – they left and the account is now disabled. J
From the /var/log/ovirt-engine/engine.log
*2013-07-25 11:32:15,574 ERROR
[org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
(ajp--0.0.0.0-8009-1) Authentication failed. The user is either locked or
disabled*
*2013-07-25 11:32:15,575 ERROR
[org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
(ajp--0.0.0.0-8009-1) Failed ldap search server
LDAP://<my_active_directory>:389 due to
org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We
should not try the next server:
org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException*
* *
The above gets written out as soon as I hit the Go button in the Add System
Permission to User dialogue window.
Thanks in advance for any advice!
12:29 a.m.
----- Original Message -----
From: "Trevor Galloway" <trevgall(a)googlemail.com>
To: users(a)ovirt.org
Sent: Thursday, July 25, 2013 7:51:56 PM
Subject: [Users] Problem running engine-manage-domain on oVirt 3.1.0-4
Hello oVirt Users,
Just signed up to the user mailing list and have a question regarding an
error being reported to stdout when running engine-manage-domains.
When running the `engine-manage-domains` utility from the command line I
see the following error reported:
*[root@hive ovirt-engine]# engine-manage-domains -action=list*
*Failed reading current configuration. Details: Error "Key for add
operation must be defined!" while reading configuration value AdUserName.*
A quick Google on this leads directly to Bugzilla – Bug 883846 – which
looks like it’s fixed in the 3.2 version. Can anyone confirm that? I’ve
inherited a DL580 running oVirt Manager and a bunch of VM’s, and don’t
really want to undertake an upgrade just now if I don’t have to.
This is indeed the issue.
The real problem seems to be that I can’t assign a user with any roles
since the ldap lookup to the active server fails – due, I think, to the
fact that the query is configured to authenticate with the previous admins
credentials – they left and the account is now disabled. J
From the /var/log/ovirt-engine/engine.log
*2013-07-25 11:32:15,574 ERROR
[org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
(ajp--0.0.0.0-8009-1) Authentication failed. The user is either locked or
disabled*
*2013-07-25 11:32:15,575 ERROR
[org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
(ajp--0.0.0.0-8009-1) Failed ldap search server
LDAP://<my_active_directory>:389 due to
org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We
should not try the next server:
org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException*
* *
The above gets written out as soon as I hit the Go button in the Add System
Permission to User dialogue window.
engine-manage-domains uses engine-config and provides its a configuration (after the above
bug fix) with keys in form of "key=".
If you really don't want to upgrade, maybe you should consider editing the
engine-manage-domains script, as in
http://gerrit.ovirt.org/#/c/9743/3/backend/manager/conf/kerberos/engine-m... ?
You will have to do that for any altering operations on domains and their associated
users.
Please let us know if it worked for you
Many thanks,
Yair
Thanks in advance for any advice!
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
1:55 p.m.
Thanks Yair,
I made the changes to the engine-manage-domains script as suggested in the
gerrit link - that now works just fine, and also confirms what I thought
the problem was all along - namely that the configured username returned on
a `engine-manage-domains --action=list` is that of the previous admin.
The problem being that their account is no longer valid within the active
directory, hence validation fails.
I've trawled the various ovirt config directories but can't find a resource
that holds the username to use on the LDAP query. Presumably this is
something that gets setup at install time?
Is there a way to re-configure the underlying username?
Many thanks,
Trevor
On 25 July 2013 22:29, Yair Zaslavsky <yzaslavs(a)redhat.com> wrote:
----- Original Message -----
> From: "Trevor Galloway" <trevgall(a)googlemail.com>
> To: users(a)ovirt.org
> Sent: Thursday, July 25, 2013 7:51:56 PM
> Subject: [Users] Problem running engine-manage-domain on oVirt 3.1.0-4
>
> Hello oVirt Users,
>
>
>
> Just signed up to the user mailing list and have a question regarding an
> error being reported to stdout when running engine-manage-domains.
>
>
>
> When running the `engine-manage-domains` utility from the command line I
> see the following error reported:
>
>
>
> *[root@hive ovirt-engine]# engine-manage-domains -action=list*
>
> *Failed reading current configuration. Details: Error "Key for add
> operation must be defined!" while reading configuration value
AdUserName.*
>
>
>
> A quick Google on this leads directly to Bugzilla – Bug 883846 – which
> looks like it’s fixed in the 3.2 version. Can anyone confirm that? I’ve
> inherited a DL580 running oVirt Manager and a bunch of VM’s, and don’t
> really want to undertake an upgrade just now if I don’t have to.
This is indeed the issue.
>
>
>
>
>
> The real problem seems to be that I can’t assign a user with any roles
> since the ldap lookup to the active server fails – due, I think, to the
> fact that the query is configured to authenticate with the previous
admins
> credentials – they left and the account is now disabled. J
>
>
>
> From the /var/log/ovirt-engine/engine.log
>
> *2013-07-25 11:32:15,574 ERROR
>
[org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
> (ajp--0.0.0.0-8009-1) Authentication failed. The user is either locked or
> disabled*
>
> *2013-07-25 11:32:15,575 ERROR
> [org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
> (ajp--0.0.0.0-8009-1) Failed ldap search server
> LDAP://<my_active_directory>:389 due to
> org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We
> should not try the next server:
> org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException*
>
> * *
>
> The above gets written out as soon as I hit the Go button in the Add
System
> Permission to User dialogue window.
engine-manage-domains uses engine-config and provides its a configuration
(after the above bug fix) with keys in form of "key=".
If you really don't want to upgrade, maybe you should consider editing the
engine-manage-domains script, as in
http://gerrit.ovirt.org/#/c/9743/3/backend/manager/conf/kerberos/engine-m...
You will have to do that for any altering operations on domains and their
associated users.
Please let us know if it worked for you
Many thanks,
Yair
>
>
>
> Thanks in advance for any advice!
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
2:01 p.m.
On 07/26/2013 01:55 PM, Trevor Galloway wrote:
Thanks Yair,
I made the changes to the engine-manage-domains script as suggested in
the gerrit link - that now works just fine, and also confirms what I
thought the problem was all along - namely that the configured username
returned on a `engine-manage-domains --action=list` is that of the
previous admin.
The problem being that their account is no longer valid within the
active directory, hence validation fails.
I've trawled the various ovirt config directories but can't find a
resource that holds the username to use on the LDAP query. Presumably
this is something that gets setup at install time?
Is there a way to re-configure the underlying username?
engine-manage-domains should allow you to set the user used in the ldap
query via -action=list.
then you can use -action=edit to update it
Many thanks,
Trevor
On 25 July 2013 22:29, Yair Zaslavsky <yzaslavs(a)redhat.com
<mailto:yzaslavs@redhat.com>> wrote:
----- Original Message -----
> From: "Trevor Galloway" <trevgall(a)googlemail.com
<mailto:trevgall@googlemail.com>>
> To: users(a)ovirt.org <mailto:users@ovirt.org>
> Sent: Thursday, July 25, 2013 7:51:56 PM
> Subject: [Users] Problem running engine-manage-domain on oVirt
3.1.0-4
>
> Hello oVirt Users,
>
>
>
> Just signed up to the user mailing list and have a question
regarding an
> error being reported to stdout when running engine-manage-domains.
>
>
>
> When running the `engine-manage-domains` utility from the command
line I
> see the following error reported:
>
>
>
> *[root@hive ovirt-engine]# engine-manage-domains -action=list*
>
> *Failed reading current configuration. Details: Error "Key for add
> operation must be defined!" while reading configuration value
AdUserName.*
>
>
>
> A quick Google on this leads directly to Bugzilla – Bug 883846 –
which
> looks like it’s fixed in the 3.2 version. Can anyone confirm
that? I’ve
> inherited a DL580 running oVirt Manager and a bunch of VM’s, and
don’t
> really want to undertake an upgrade just now if I don’t have to.
This is indeed the issue.
>
>
>
>
>
> The real problem seems to be that I can’t assign a user with any
roles
> since the ldap lookup to the active server fails – due, I think,
to the
> fact that the query is configured to authenticate with the
previous admins
> credentials – they left and the account is now disabled. J
>
>
>
> From the /var/log/ovirt-engine/engine.log
>
> *2013-07-25 11:32:15,574 ERROR
>
[org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
> (ajp--0.0.0.0-8009-1) Authentication failed. The user is either
locked or
> disabled*
>
> *2013-07-25 11:32:15,575 ERROR
> [org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
> (ajp--0.0.0.0-8009-1) Failed ldap search server
> LDAP://<my_active_directory>:389 due to
>
org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We
> should not try the next server:
> org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException*
>
> * *
>
> The above gets written out as soon as I hit the Go button in the
Add System
> Permission to User dialogue window.
engine-manage-domains uses engine-config and provides its a
configuration (after the above bug fix) with keys in form of "key=".
If you really don't want to upgrade, maybe you should consider
editing the engine-manage-domains script, as in
http://gerrit.ovirt.org/#/c/9743/3/backend/manager/conf/kerberos/engine-m...
?
You will have to do that for any altering operations on domains and
their associated users.
Please let us know if it worked for you
Many thanks,
Yair
>
>
>
> Thanks in advance for any advice!
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org <mailto:Users@ovirt.org>
> http://lists.ovirt.org/mailman/listinfo/users
>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
3:54 p.m.
Thanks Itamar for the suggestion - however the `-action=edit` fails since
the currently configured user account is inactive within the active
directory - it looks as if there is an initial authentication that needs to
validate before the edit can proceed ... :(
Hence my query about being able to reset the underlying username that
engine-manage-domains uses?
Thanks
Trevor
On 26 July 2013 12:01, Itamar Heim <iheim(a)redhat.com> wrote:
On 07/26/2013 01:55 PM, Trevor Galloway wrote:
> Thanks Yair,
> I made the changes to the engine-manage-domains script as suggested in
> the gerrit link - that now works just fine, and also confirms what I
> thought the problem was all along - namely that the configured username
> returned on a `engine-manage-domains --action=list` is that of the
> previous admin.
> The problem being that their account is no longer valid within the
> active directory, hence validation fails.
> I've trawled the various ovirt config directories but can't find a
> resource that holds the username to use on the LDAP query. Presumably
> this is something that gets setup at install time?
> Is there a way to re-configure the underlying username?
>
engine-manage-domains should allow you to set the user used in the ldap
query via -action=list.
then you can use -action=edit to update it
Many thanks,
> Trevor
>
>
> On 25 July 2013 22:29, Yair Zaslavsky <yzaslavs(a)redhat.com
> <mailto:yzaslavs@redhat.com>> wrote:
>
>
>
> ----- Original Message -----
> > From: "Trevor Galloway" <trevgall(a)googlemail.com
> <mailto:trevgall@googlemail.**com <trevgall(a)googlemail.com>>>
> > To: users(a)ovirt.org <mailto:users@ovirt.org>
> > Sent: Thursday, July 25, 2013 7:51:56 PM
> > Subject: [Users] Problem running engine-manage-domain on oVirt
> 3.1.0-4
> >
> > Hello oVirt Users,
> >
> >
> >
> > Just signed up to the user mailing list and have a question
> regarding an
> > error being reported to stdout when running engine-manage-domains.
> >
> >
> >
> > When running the `engine-manage-domains` utility from the command
> line I
> > see the following error reported:
> >
> >
> >
> > *[root@hive ovirt-engine]# engine-manage-domains -action=list*
> >
> > *Failed reading current configuration. Details: Error "Key for add
> > operation must be defined!" while reading configuration value
> AdUserName.*
> >
> >
> >
> > A quick Google on this leads directly to Bugzilla – Bug 883846 –
> which
> > looks like it’s fixed in the 3.2 version. Can anyone confirm
> that? I’ve
> > inherited a DL580 running oVirt Manager and a bunch of VM’s, and
> don’t
> > really want to undertake an upgrade just now if I don’t have to.
>
> This is indeed the issue.
>
> >
> >
> >
> >
> >
> > The real problem seems to be that I can’t assign a user with any
> roles
> > since the ldap lookup to the active server fails – due, I think,
> to the
> > fact that the query is configured to authenticate with the
> previous admins
> > credentials – they left and the account is now disabled. J
> >
> >
> >
> > From the /var/log/ovirt-engine/engine.**log
> >
> > *2013-07-25 11:32:15,574 ERROR
> >
> [org.ovirt.engine.core.bll.**adbroker.**
> GSSAPIDirContextAuthentication**Strategy]
> > (ajp--0.0.0.0-8009-1) Authentication failed. The user is either
> locked or
> > disabled*
> >
> > *2013-07-25 11:32:15,575 ERROR
> > [org.ovirt.engine.core.bll.**adbroker.DirectorySearcher]
> > (ajp--0.0.0.0-8009-1) Failed ldap search server
> > LDAP://<my_active_directory>:**389 due to
> >
> org.ovirt.engine.core.bll.**adbroker.**EngineDirectoryServiceExceptio
> **n. We
> > should not try the next server:
> > org.ovirt.engine.core.bll.**adbroker.**
> EngineDirectoryServiceExceptio**n*
> >
> > * *
> >
> > The above gets written out as soon as I hit the Go button in the
> Add System
> > Permission to User dialogue window.
>
> engine-manage-domains uses engine-config and provides its a
> configuration (after the above bug fix) with keys in form of "key=".
> If you really don't want to upgrade, maybe you should consider
> editing the engine-manage-domains script, as in
>
> http://gerrit.ovirt.org/#/c/**9743/3/backend/manager/conf/**
>
kerberos/engine-manage-domains<http://gerrit.ovirt.org/#/c/9743/3/back...
> ?
>
> You will have to do that for any altering operations on domains and
> their associated users.
>
> Please let us know if it worked for you
>
> Many thanks,
> Yair
>
>
> >
> >
> >
> > Thanks in advance for any advice!
> >
> > ______________________________**_________________
> > Users mailing list
> > Users(a)ovirt.org <mailto:Users@ovirt.org>
> >
http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org...
>
> >
>
>
>
>
> ______________________________**_________________
> Users mailing list
> Users(a)ovirt.org
>
http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org...
>
>
4:29 p.m.
On 07/26/2013 03:54 PM, Trevor Galloway wrote:
Thanks Itamar for the suggestion - however the `-action=edit` fails
since the currently configured user account is inactive within the
active directory - it looks as if there is an initial authentication
that needs to validate before the edit can proceed ... :(
Hence my query about being able to reset the underlying username that
engine-manage-domains uses?
you can delete the domain, then add it.
(and i'd expect edit allows you to set the new user and use it, strange
it will fail you)
Thanks
Trevor
On 26 July 2013 12:01, Itamar Heim <iheim(a)redhat.com
<mailto:iheim@redhat.com>> wrote:
On 07/26/2013 01:55 PM, Trevor Galloway wrote:
Thanks Yair,
I made the changes to the engine-manage-domains script as
suggested in
the gerrit link - that now works just fine, and also confirms what I
thought the problem was all along - namely that the configured
username
returned on a `engine-manage-domains --action=list` is that of the
previous admin.
The problem being that their account is no longer valid within the
active directory, hence validation fails.
I've trawled the various ovirt config directories but can't find a
resource that holds the username to use on the LDAP query.
Presumably
this is something that gets setup at install time?
Is there a way to re-configure the underlying username?
engine-manage-domains should allow you to set the user used in the
ldap query via -action=list.
then you can use -action=edit to update it
Many thanks,
Trevor
On 25 July 2013 22:29, Yair Zaslavsky <yzaslavs(a)redhat.com
<mailto:yzaslavs@redhat.com>
<mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>>> wrote:
----- Original Message -----
> From: "Trevor Galloway" <trevgall(a)googlemail.com
<mailto:trevgall@googlemail.com>
<mailto:trevgall@googlemail.__com
<mailto:trevgall@googlemail.com>>>
> To: users(a)ovirt.org <mailto:users@ovirt.org>
<mailto:users@ovirt.org <mailto:users@ovirt.org>>
> Sent: Thursday, July 25, 2013 7:51:56 PM
> Subject: [Users] Problem running engine-manage-domain on
oVirt
3.1.0-4
>
> Hello oVirt Users,
>
>
>
> Just signed up to the user mailing list and have a question
regarding an
> error being reported to stdout when running
engine-manage-domains.
>
>
>
> When running the `engine-manage-domains` utility from
the command
line I
> see the following error reported:
>
>
>
> *[root@hive ovirt-engine]# engine-manage-domains
-action=list*
>
> *Failed reading current configuration. Details: Error
"Key for add
> operation must be defined!" while reading configuration
value
AdUserName.*
>
>
>
> A quick Google on this leads directly to Bugzilla – Bug
883846 –
which
> looks like it’s fixed in the 3.2 version. Can anyone confirm
that? I’ve
> inherited a DL580 running oVirt Manager and a bunch of
VM’s, and
don’t
> really want to undertake an upgrade just now if I don’t
have to.
This is indeed the issue.
>
>
>
>
>
> The real problem seems to be that I can’t assign a user
with any
roles
> since the ldap lookup to the active server fails – due,
I think,
to the
> fact that the query is configured to authenticate with the
previous admins
> credentials – they left and the account is now disabled. J
>
>
>
> From the /var/log/ovirt-engine/engine.__log
>
> *2013-07-25 11:32:15,574 ERROR
>
[org.ovirt.engine.core.bll.__adbroker.__GSSAPIDirContextAuthentication__Strategy]
> (ajp--0.0.0.0-8009-1) Authentication failed. The user is
either
locked or
> disabled*
>
> *2013-07-25 11:32:15,575 ERROR
> [org.ovirt.engine.core.bll.__adbroker.DirectorySearcher]
> (ajp--0.0.0.0-8009-1) Failed ldap search server
> LDAP://<my_active_directory>:__389 due to
>
org.ovirt.engine.core.bll.__adbroker.__EngineDirectoryServiceExceptio__n.
We
> should not try the next server:
>
org.ovirt.engine.core.bll.__adbroker.__EngineDirectoryServiceExceptio__n*
>
> * *
>
> The above gets written out as soon as I hit the Go
button in the
Add System
> Permission to User dialogue window.
engine-manage-domains uses engine-config and provides its a
configuration (after the above bug fix) with keys in form
of "key=".
If you really don't want to upgrade, maybe you should consider
editing the engine-manage-domains script, as in
http://gerrit.ovirt.org/#/c/__9743/3/backend/manager/conf/__kerberos/engi...
<http://gerrit.ovirt.org/#/c/9743/3/backend/manager/conf/kerberos/engine-m...
?
You will have to do that for any altering operations on
domains and
their associated users.
Please let us know if it worked for you
Many thanks,
Yair
>
>
>
> Thanks in advance for any advice!
>
> _________________________________________________
> Users mailing list
> Users(a)ovirt.org <mailto:Users@ovirt.org>
<mailto:Users@ovirt.org <mailto:Users@ovirt.org>>
> http://lists.ovirt.org/__mailman/listinfo/users
<http://lists.ovirt.org/mailman/listinfo/users>
>
_________________________________________________
Users mailing list
Users(a)ovirt.org <mailto:Users@ovirt.org>
http://lists.ovirt.org/__mailman/listinfo/users
<http://lists.ovirt.org/mailman/listinfo/users>
4149
days inactive
4150
days old
5 comments
3 participants
participants (3)
-
Itamar Heim -
Trevor Galloway -
Yair Zaslavsky