[Users] I don't know how to add AD users

[Users] prevent VMs from sharing...

[Users] help me validate my design

Cristian Falcas

Monday, 19 November 2012 Mon, 19 Nov '12

11:01 a.m.

Hi, I'm trying to add some users to ovirt using an AD. This is the configuration I used for a mediawiki site, which is working correctly: $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPUseLocal = true; $wgLDAPDomainNames = array( "a_domain"); $wgLDAPServerNames = array( "a_domain"=>"site.example.com"); $wgLDAPEncryptionType = array( "a_domain"=>"clear"); $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME"); $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com"); Those are the commands I tried using: engine-manage-domains -action=add -domain=site.example.com-provider=ActiveDirectory -user= user.name -interactive engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name(a)company.com -interactive engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name(a)site.example.com -interactive And the output on all tries: Enter password: Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct. Can someone help me with the correct parameters? Best regards, Cristian Falcas

Attachments:

attachment.html (text/html — 1.7 KB)

Show replies by date

Vinzenz Feenstra

Monday, 19 November Mon, 19 Nov

11:29 a.m.

This is a multi-part message in MIME format. --------------060405070304010603070504 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit On 11/19/2012 10:01 AM, Cristian Falcas wrote:

...

Hi, I'm trying to add some users to ovirt using an AD. This is the configuration I used for a mediawiki site, which is working correctly: $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPUseLocal = true; $wgLDAPDomainNames = array( "a_domain"); $wgLDAPServerNames = array( "a_domain"=>"site.example.com <http://site.example.com>"); $wgLDAPEncryptionType = array( "a_domain"=>"clear"); $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME"); $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com"); Those are the commands I tried using: engine-manage-domains -action=add -domain=site.example.com <http://site.example.com> -provider=ActiveDirectory -user=user.name <http://user.name> -interactive engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name(a)company.com <mailto:user.name@company.com> -interactive engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name(a)site.example.com <mailto:user.name@site.example.com> -interactive

You don't add an user this way. You add the domain. You have to pass the domain admin user and the domain admin password. Then you can use the domain within the engine. e.g. search users, add access rights for vms etc. Even login to the engine and assigning rights within the engine you can handle from the engine itself. Regards,

...

And the output on all tries: Enter password: Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct. Can someone help me with the correct parameters? Best regards, Cristian Falcas _______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users

-- Regards, Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625 IRC: vfeenstr or evilissimo Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com --------------060405070304010603070504 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit <html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 11/19/2012 10:01 AM, Cristian Falcas wrote:<br> </div> <blockquote cite="mid:CAMo7R_cgPTu7Qv5uuDHLeHqA8JO2xcRrGeT0g7VXk6DFz3riww@mail.gmail.com" type="cite">Hi,<br> <br> I'm trying to add some users to ovirt using an AD.<br> <br> This is the configuration I used for a mediawiki site, which is working correctly:<br> $wgAuth = new LdapAuthenticationPlugin();<br> $wgLDAPUseLocal = true;<br> $wgLDAPDomainNames = array( "a_domain");<br> $wgLDAPServerNames = array( "a_domain"=>"<a moz-do-not-send="true" href="http://site.example.com">site.example.com</a>");<br> $wgLDAPEncryptionType = array( "a_domain"=>"clear");<br> $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME");<br> $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com");<br> <br> Those are the commands I tried using:<br> engine-manage-domains -action=add -domain=<a moz-do-not-send="true" href="http://site.example.com">site.example.com</a> -provider=ActiveDirectory -user=<a moz-do-not-send="true" href="http://user.name">user.name</a> -interactive<br> <br> engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=<a moz-do-not-send="true" href="mailto:user.name@company.com">user.name@company.com</a> -interactive<br> <br> engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=<a moz-do-not-send="true" href="mailto:user.name@site.example.com">user.name@site.example.com</a> -interactive<br> <br> <br> </blockquote> You don't add an user this way. You add the domain. You have to pass the domain admin user and the domain admin password.<br> Then you can use the domain within the engine. e.g. search users, add access rights for vms etc.<br> Even login to the engine and assigning rights within the engine you can handle from the engine itself.<br> <br> Regards,<br> <blockquote cite="mid:CAMo7R_cgPTu7Qv5uuDHLeHqA8JO2xcRrGeT0g7VXk6DFz3riww@mail.gmail.com" type="cite">And the output on all tries:<br> Enter password:<br> <br> Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command<br> Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.<br> <br> Can someone help me with the correct parameters?<br> <br> <br> Best regards,<br> Cristian Falcas<br> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Users@ovirt.org">Users@ovirt.org</a> <a class="moz-txt-link-freetext" href="http://lists.ovirt.org/mailman/listinfo/users">http://... </pre> </blockquote> <br> <br> <pre class="moz-signature" cols="72">-- Regards, Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625 IRC: vfeenstr or evilissimo Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com</pre> </body> </html> --------------060405070304010603070504--

Yair Zaslavsky

12:15 p.m.

------=_Part_33148007_2049661839.1353320129416 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit + LdapEncryptionType clear is not understandable. What did you mean by that? ----- Original Message -----

...

From: "Vinzenz Feenstra" <vfeenstr(a)redhat.com> To: users(a)ovirt.org Sent: Monday, November 19, 2012 11:29:42 AM Subject: Re: [Users] I don't know how to add AD users

...

On 11/19/2012 10:01 AM, Cristian Falcas wrote:

...

> Hi,

...

> I'm trying to add some users to ovirt using an AD.

...

> This is the configuration I used for a mediawiki site, which is > working correctly: > $wgAuth = new LdapAuthenticationPlugin(); > $wgLDAPUseLocal = true; > $wgLDAPDomainNames = array( "a_domain"); > $wgLDAPServerNames = array( "a_domain"=>" site.example.com "); > $wgLDAPEncryptionType = array( "a_domain"=>"clear"); > $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME"); > $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com");

...

> Those are the commands I tried using: > engine-manage-domains -action=add -domain= site.example.com > -provider=ActiveDirectory -user= user.name -interactive

...

> engine-manage-domains -action=add -domain=a_domain > -provider=ActiveDirectory -user= user.name(a)company.com -interactive

...

> engine-manage-domains -action=add -domain=a_domain > -provider=ActiveDirectory -user= user.name(a)site.example.com > -interactive

...

Regards,

...

> And the output on all tries: > Enter password:

...

> Error: Authentication Failed. Please verify the fully qualified > domain name that is used for authentication is correct.. > Problematic > domain is: domain_used_in_command > Failure while applying Kerberos configuration. Details: > Authentication Failed. Please verify the fully qualified domain > name > that is used for authentication is correct.

...

> Can someone help me with the correct parameters?

...

> Best regards, > Cristian Falcas

> > _______________________________________________ > > > Users mailing list Users(a)ovirt.org > > http://lists.ovirt.org/mailman/listinfo/users > > --

...

Regards,

...

Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625 IRC: vfeenstr or evilissimo

...

Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com _______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users

------=_Part_33148007_2049661839.1353320129416 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 7bit <html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: times new roman,new york,times,serif; font-size: 12pt; color: #000000'>+ LdapEncryptionType clear is not understandable.<br>What did you mean by that?<br><br><br><hr id="zwchr"><blockquote style="border-left:2px solid rgb(16, 16, 255);margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Vinzenz Feenstra" &lt;vfeenstr(a)redhat.com&gt;<br><b>To: </b>users(a)ovirt.org<br><b>Sent: </b>Monday, November 19, 2012 11:29:42 AM<br><b>Subject: </b>Re: [Users] I don't know how to add AD users<br><br> <div class="moz-cite-prefix">On 11/19/2012 10:01 AM, Cristian Falcas wrote:<br> </div> <blockquote cite="mid:CAMo7R_cgPTu7Qv5uuDHLeHqA8JO2xcRrGeT0g7VXk6DFz3riww@mail.gmail.com">Hi,<br> <br> I'm trying to add some users to ovirt using an AD.<br> <br> This is the configuration I used for a mediawiki site, which is working correctly:<br> $wgAuth = new LdapAuthenticationPlugin();<br> $wgLDAPUseLocal = true;<br> $wgLDAPDomainNames = array( "a_domain");<br> $wgLDAPServerNames = array( "a_domain"=>"<a href="http://site.example.com" target="_blank">site.example.com</a>");<br> $wgLDAPEncryptionType = array( "a_domain"=>"clear");<br> $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME");<br> $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com");<br> <br> Those are the commands I tried using:<br> engine-manage-domains -action=add -domain=<a href="http://site.example.com" target="_blank">site.example.com</a> -provider=ActiveDirectory -user=<a href="http://user.name" target="_blank">user.name</a> -interactive<br> <br> engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=<a href="mailto:user.name@company.com" target="_blank">user.name(a)company.com</a> -interactive<br> <br> engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=<a href="mailto:user.name@site.example.com" target="_blank">user.name(a)site.example.com</a> -interactive<br> <br> <br> </blockquote> You don't add an user this way. You add the domain. You have to pass the domain admin user and the domain admin password.<br> Then you can use the domain within the engine. e.g. search users, add access rights for vms etc.<br> Even login to the engine and assigning rights within the engine you can handle from the engine itself.<br> <br> Regards,<br> <blockquote cite="mid:CAMo7R_cgPTu7Qv5uuDHLeHqA8JO2xcRrGeT0g7VXk6DFz3riww@mail.gmail.com">And the output on all tries:<br> Enter password:<br> <br> Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command<br> Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.<br> <br> Can someone help me with the correct parameters?<br> <br> <br> Best regards,<br> Cristian Falcas<br> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre>_______________________________________________ Users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Users@ovirt.org" target="_blank">Users(a)ovirt.org</a> <a class="moz-txt-link-freetext" href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/user... </pre> </blockquote> <br> <br> <pre class="moz-signature">-- Regards, Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625 IRC: vfeenstr or evilissimo Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com</pre> <br>_______________________________________________<br>Users mailing list<br>Users@ovirt.org<br>http://lists.ovirt.org/mailman/listinfo/users<br></blockquote><br></div></body></html> ------=_Part_33148007_2049661839.1353320129416--

Cristian Falcas

12:52 p.m.

On Mon, Nov 19, 2012 at 12:15 PM, Yair Zaslavsky <yzaslavs(a)redhat.com>wrote:

...

+ LdapEncryptionType clear is not understandable. What did you mean by that? ------------------------------ *From: *"Vinzenz Feenstra" <vfeenstr(a)redhat.com> *To: *users(a)ovirt.org *Sent: *Monday, November 19, 2012 11:29:42 AM *Subject: *Re: [Users] I don't know how to add AD users On 11/19/2012 10:01 AM, Cristian Falcas wrote: Hi, I'm trying to add some users to ovirt using an AD. This is the configuration I used for a mediawiki site, which is working correctly: $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPUseLocal = true; $wgLDAPDomainNames = array( "a_domain"); $wgLDAPServerNames = array( "a_domain"=>"site.example.com"); $wgLDAPEncryptionType = array( "a_domain"=>"clear"); $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME"); $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com"); Those are the commands I tried using: engine-manage-domains -action=add -domain=site.example.com-provider=ActiveDirectory -user= user.name -interactive engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name(a)company.com -interactive engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name(a)site.example.com -interactive You don't add an user this way. You add the domain. You have to pass the domain admin user and the domain admin password. Then you can use the domain within the engine. e.g. search users, add access rights for vms etc. Even login to the engine and assigning rights within the engine you can handle from the engine itself. Regards, And the output on all tries: Enter password: Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct. Can someone help me with the correct parameters? Best regards, Cristian Falcas _______________________________________________ Users mailing listUsers@ovirt.orghttp://lists.ovirt.org/mailman/listinfo/users -- Regards, Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625 IRC: vfeenstr or evilissimo Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com _______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users

That was the configuration needed for the wiki extension used for ldap authentication. So the admin users is needed in order to retrieve the list of users only? Can someone recommend the simplest ldap server installation I could use for this? I was thinking first at freeipa, but it's not compatible with mod_ssl, which is required by ovirt. Best regards, Cristian Falcas

Itamar Heim

10:53 p.m.

On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:

...

On 11/19/2012 10:01 AM, Cristian Falcas wrote: > Hi, > > I'm trying to add some users to ovirt using an AD. > > This is the configuration I used for a mediawiki site, which is > working correctly: > $wgAuth = new LdapAuthenticationPlugin(); > $wgLDAPUseLocal = true; > $wgLDAPDomainNames = array( "a_domain"); > $wgLDAPServerNames = array( "a_domain"=>"site.example.com > <http://site.example.com>"); > $wgLDAPEncryptionType = array( "a_domain"=>"clear"); > $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME"); > $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com"); > > Those are the commands I tried using: > engine-manage-domains -action=add -domain=site.example.com > <http://site.example.com> -provider=ActiveDirectory -user=user.name > <http://user.name> -interactive > > engine-manage-domains -action=add -domain=a_domain > -provider=ActiveDirectory -user=user.name(a)company.com > <mailto:user.name@company.com> -interactive > > engine-manage-domains -action=add -domain=a_domain > -provider=ActiveDirectory -user=user.name(a)site.example.com > <mailto:user.name@site.example.com> -interactive > > You don't add an user this way. You add the domain. You have to pass the domain admin user and the domain admin password.

any domain user will do, doesn't have to be an admin. what does the log say?

...

Then you can use the domain within the engine. e.g. search users, add access rights for vms etc. Even login to the engine and assigning rights within the engine you can handle from the engine itself. Regards, > And the output on all tries: > Enter password: > > Error: Authentication Failed. Please verify the fully qualified domain > name that is used for authentication is correct.. Problematic domain > is: domain_used_in_command > Failure while applying Kerberos configuration. Details: Authentication > Failed. Please verify the fully qualified domain name that is used for > authentication is correct. > > Can someone help me with the correct parameters? > > > Best regards, > Cristian Falcas > > > _______________________________________________ > Users mailing list > Users(a)ovirt.org > http://lists.ovirt.org/mailman/listinfo/users -- Regards, Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625 IRC: vfeenstr or evilissimo Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com _______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users

Cristian Falcas

Tuesday, 20 November Tue, 20 Nov

12:39 a.m.

On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim(a)redhat.com> wrote:

...

On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote: > On 11/19/2012 10:01 AM, Cristian Falcas wrote: > >> Hi, >> >> I'm trying to add some users to ovirt using an AD. >> >> This is the configuration I used for a mediawiki site, which is >> working correctly: >> $wgAuth = new LdapAuthenticationPlugin(); >> $wgLDAPUseLocal = true; >> $wgLDAPDomainNames = array( "a_domain"); >> $wgLDAPServerNames = array( "a_domain"=>"site.example.com >> <http://site.example.com>"); >> >> $wgLDAPEncryptionType = array( "a_domain"=>"clear"); >> $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-**NAME"); >> $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=**com"); >> >> Those are the commands I tried using: >> engine-manage-domains -action=add -domain=site.example.com >> <http://site.example.com> -provider=ActiveDirectory -user=user.name >> <http://user.name> -interactive >> >> >> engine-manage-domains -action=add -domain=a_domain >> -provider=ActiveDirectory -user=user.name(a)company.com >> <mailto:user.name@company.com> -interactive >> >> >> engine-manage-domains -action=add -domain=a_domain >> -provider=ActiveDirectory -user=user.name@site.example.**com<user.name(a)site.example.com> >> <mailto:user.name@site.**example.com <user.name(a)site.example.com>> >> -interactive >> >> >> You don't add an user this way. You add the domain. You have to pass the > domain admin user and the domain admin password. > any domain user will do, doesn't have to be an admin. what does the log say? Then you can use the domain within the engine. e.g. search users, add > access rights for vms etc. > Even login to the engine and assigning rights within the engine you can > handle from the engine itself. > > Regards, > >> And the output on all tries: >> Enter password: >> >> Error: Authentication Failed. Please verify the fully qualified domain >> name that is used for authentication is correct.. Problematic domain >> is: domain_used_in_command >> Failure while applying Kerberos configuration. Details: Authentication >> Failed. Please verify the fully qualified domain name that is used for >> authentication is correct. >> >> Can someone help me with the correct parameters? >> >> >> Best regards, >> Cristian Falcas >> >> >> ______________________________**_________________ >> Users mailing list >> Users(a)ovirt.org >> http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... >> > > > -- > Regards, > > Vinzenz Feenstra | Senior Software Engineer > RedHat Engineering Virtualization R & D > Phone: +420 532 294 625 > IRC: vfeenstr or evilissimo > > Better technology. Faster innovation. Powered by community collaboration. > See how it works at redhat.com > > > > ______________________________**_________________ > Users mailing list > Users(a)ovirt.org > http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... > > ______________________________**_________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org...

Hi, This is the command I used (the same error is with -interactive parameter): engine-manage-domains -action=add -domain=example.com-provider=ActiveDirectory -user=user.name@a_domain-passwordFile=/tmp/pass [root@localhost ~]# cat /tmp/pass qwerty[root@localhost ~]# This is the log: 2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com 2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com 2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com 2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC 2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details. This is the ldapsearch command that works (it retrieves users) from the same machine: ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain-w qwerty Best regards, Cristian Falcas

Yair Zaslavsky

8:36 a.m.

On 11/20/2012 12:39 AM, Cristian Falcas wrote:

...

On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim(a)redhat.com <mailto:iheim@redhat.com>> wrote: On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote: On 11/19/2012 10:01 AM, Cristian Falcas wrote: Hi, I'm trying to add some users to ovirt using an AD. This is the configuration I used for a mediawiki site, which is working correctly: $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPUseLocal = true; $wgLDAPDomainNames = array( "a_domain"); $wgLDAPServerNames = array( "a_domain"=>"site.example.com <http://site.example.com> <http://site.example.com>"); $wgLDAPEncryptionType = array( "a_domain"=>"clear"); $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-__NAME"); $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=__com"); Those are the commands I tried using: engine-manage-domains -action=add -domain=site.example.com <http://site.example.com> <http://site.example.com> -provider=ActiveDirectory -user=user.name <http://user.name> <http://user.name> -interactive engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name(a)company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>> -interactive engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name(a)site.example.__com <mailto:user.name@site.example.com> <mailto:user.name@site.__example.com <mailto:user.name@site.example.com>> -interactive You don't add an user this way. You add the domain. You have to pass the domain admin user and the domain admin password. any domain user will do, doesn't have to be an admin. what does the log say? Then you can use the domain within the engine. e.g. search users, add access rights for vms etc. Even login to the engine and assigning rights within the engine you can handle from the engine itself. Regards, And the output on all tries: Enter password: Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct. Can someone help me with the correct parameters? Best regards, Cristian Falcas _________________________________________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users> -- Regards, Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625 <tel:%2B420%20532%20294%20625> IRC: vfeenstr or evilissimo Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com <http://redhat.com> _________________________________________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users> _________________________________________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users> Hi, This is the command I used (the same error is with -interactive parameter): engine-manage-domains -action=add -domain=example.com <http://example.com> -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass [root@localhost ~]# cat /tmp/pass qwerty[root@localhost ~]# This is the log: 2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com <http://example.com> 2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com <http://example.com> 2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com <http://example.com> 2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC 2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com <http://example.com>;. Details: Kerberos error. Please check log for further details.

Hi, the error indicates you don't have kerberos configured. manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to run ldapsearch with -Y gssapi option). I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well).

...

This is the ldapsearch command that works (it retrieves users) from the same machine:

...

ldapsearch -H ldap://example.com <http://example.com> -b dc=example,dc=com -D user.name@a_domain -w qwerty Best regards, Cristian Falcas _______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users

Cristian Falcas

9:05 a.m.

On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs(a)redhat.com> wrote:

...

On 11/20/2012 12:39 AM, Cristian Falcas wrote: > > > On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim(a)redhat.com > <mailto:iheim@redhat.com>> wrote: > > On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote: > > On 11/19/2012 10:01 AM, Cristian Falcas wrote: > > Hi, > > I'm trying to add some users to ovirt using an AD. > > This is the configuration I used for a mediawiki site, which > is > working correctly: > $wgAuth = new LdapAuthenticationPlugin(); > $wgLDAPUseLocal = true; > $wgLDAPDomainNames = array( "a_domain"); > $wgLDAPServerNames = array( "a_domain"=>"site.example.com > <http://site.example.com> > <http://site.example.com>"); > > $wgLDAPEncryptionType = array( "a_domain"=>"clear"); > $wgLDAPSearchStrings = array( > "a_domain"=>"rom_domain\\USER-**__NAME"); > $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=__**com"); > > > Those are the commands I tried using: > engine-manage-domains -action=add -domain=site.example.com > <http://site.example.com> > <http://site.example.com> -provider=ActiveDirectory > -user=user.name <http://user.name> > <http://user.name> -interactive > > > engine-manage-domains -action=add -domain=a_domain > -provider=ActiveDirectory -user=user.name(a)company.com > <mailto:user.name@company.com> > <mailto:user.name@company.com > > <mailto:user.name@company.com>**> -interactive > > > engine-manage-domains -action=add -domain=a_domain > -provider=ActiveDirectory -user=user.name(a)site.example._** > _com > <mailto:user.name@site.**example.com<user.name@site.example.com> > > > <mailto:user.name@site.__examp**le.com <http://example.com> > > <mailto:user.name@site.**example.com<user.name@site.example.com>>> > -interactive > > > You don't add an user this way. You add the domain. You have to > pass the > domain admin user and the domain admin password. > > > any domain user will do, doesn't have to be an admin. > what does the log say? > > > Then you can use the domain within the engine. e.g. search > users, add > access rights for vms etc. > Even login to the engine and assigning rights within the engine > you can > handle from the engine itself. > > Regards, > > And the output on all tries: > Enter password: > > Error: Authentication Failed. Please verify the fully > qualified domain > name that is used for authentication is correct.. > Problematic domain > is: domain_used_in_command > Failure while applying Kerberos configuration. Details: > Authentication > Failed. Please verify the fully qualified domain name that > is used for > authentication is correct. > > Can someone help me with the correct parameters? > > > Best regards, > Cristian Falcas > > > ______________________________**___________________ > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> > http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > > <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... > > > > > > -- > Regards, > > Vinzenz Feenstra | Senior Software Engineer > RedHat Engineering Virtualization R & D > Phone: +420 532 294 625 <tel:%2B420%20532%20294%20625> > > IRC: vfeenstr or evilissimo > > Better technology. Faster innovation. Powered by community > collaboration. > See how it works at redhat.com <http://redhat.com> > > > > ______________________________**___________________ > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> > http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... > > > > > > ______________________________**___________________ > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> > http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > > <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... > > > > > > > Hi, > > This is the command I used (the same error is with -interactive > parameter): > > engine-manage-domains -action=add -domain=example.com > <http://example.com> -provider=ActiveDirectory -user=user.name@a_domain > > -passwordFile=/tmp/pass > > [root@localhost ~]# cat /tmp/pass > qwerty[root@localhost ~]# > > This is the log: > > 2012-11-20 00:30:40,443 INFO > [org.ovirt.engine.core.utils.**kerberos.ManageDomains] Creating kerberos > configuration for domain(s): example.com <http://example.com> > > 2012-11-20 00:30:40,525 INFO > [org.ovirt.engine.core.utils.**kerberos.ManageDomains] Successfully > created kerberos configuration for domain(s): example.com > <http://example.com> > > 2012-11-20 00:30:40,526 INFO > [org.ovirt.engine.core.utils.**kerberos.ManageDomains] Testing kerberos > configuration for domain: example.com <http://example.com> > > 2012-11-20 00:30:40,830 ERROR > [org.ovirt.engine.core.utils.**kerberos.KerberosConfigCheck] Error: > exception message: Cannot locate KDC > 2012-11-20 00:30:40,851 ERROR > [org.ovirt.engine.core.utils.**kerberos.ManageDomains] Failure while > testing domain example.com <http://example.com>;. Details: Kerberos > > error. Please check log for further details. > > Hi, the error indicates you don't have kerberos configured. manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to run ldapsearch with -Y gssapi option). I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well). This is the ldapsearch command that works (it retrieves users) from the > same machine: > > ldapsearch -H ldap://example.com <http://example.com> -b > > dc=example,dc=com -D user.name@a_domain -w qwerty > > > Best regards, > Cristian Falcas > > > > ______________________________**_________________ > Users mailing list > Users(a)ovirt.org > http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... > >

Hi, I used "-x" for ldapsearch and the result is the same: list retrieved. Is there any equivalent for engine-manage-domains? Cristian.

Yair Zaslavsky

9:42 a.m.

On 11/20/2012 09:05 AM, Cristian Falcas wrote:

...

On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com>> wrote: On 11/20/2012 12:39 AM, Cristian Falcas wrote: On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim(a)redhat.com <mailto:iheim@redhat.com> <mailto:iheim@redhat.com <mailto:iheim@redhat.com>>> wrote: On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote: On 11/19/2012 10:01 AM, Cristian Falcas wrote: Hi, I'm trying to add some users to ovirt using an AD. This is the configuration I used for a mediawiki site, which is working correctly: $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPUseLocal = true; $wgLDAPDomainNames = array( "a_domain"); $wgLDAPServerNames = array( "a_domain"=>"site.example.com <http://site.example.com> <http://site.example.com> <http://site.example.com>"); $wgLDAPEncryptionType = array( "a_domain"=>"clear"); $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-____NAME"); $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=____com"); Those are the commands I tried using: engine-manage-domains -action=add -domain=site.example.com <http://site.example.com> <http://site.example.com> <http://site.example.com> -provider=ActiveDirectory -user=user.name <http://user.name> <http://user.name> <http://user.name> -interactive engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name(a)company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>> <mailto:user.name@company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>>__> -interactive engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name(a)site.example.____com <mailto:user.name@site.__example.com <mailto:user.name@site.example.com>> <mailto:user.name@site. <mailto:user.name@site.>__examp__le.com <http://example.com> <mailto:user.name@site.__example.com <mailto:user.name@site.example.com>>> -interactive You don't add an user this way. You add the domain. You have to pass the domain admin user and the domain admin password. any domain user will do, doesn't have to be an admin. what does the log say? Then you can use the domain within the engine. e.g. search users, add access rights for vms etc. Even login to the engine and assigning rights within the engine you can handle from the engine itself. Regards, And the output on all tries: Enter password: Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct. Can someone help me with the correct parameters? Best regards, Cristian Falcas ___________________________________________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users> <http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users>> -- Regards, Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625 <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> IRC: vfeenstr or evilissimo Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com <http://redhat.com> <http://redhat.com> ___________________________________________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users> <http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users>> ___________________________________________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users> <http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users>> Hi, This is the command I used (the same error is with -interactive parameter): engine-manage-domains -action=add -domain=example.com <http://example.com> <http://example.com> -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass [root@localhost ~]# cat /tmp/pass qwerty[root@localhost ~]# This is the log: 2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.__kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com <http://example.com> <http://example.com> 2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.__kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com <http://example.com> <http://example.com> 2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.__kerberos.ManageDomains] Testing kerberos configuration for domain: example.com <http://example.com> <http://example.com> 2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.__kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC 2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.__kerberos.ManageDomains] Failure while testing domain example.com <http://example.com> <http://example.com>;. Details: Kerberos error. Please check log for further details. Hi, the error indicates you don't have kerberos configured. manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to run ldapsearch with -Y gssapi option). I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well). This is the ldapsearch command that works (it retrieves users) from the same machine: ldapsearch -H ldap://example.com <http://example.com> <http://example.com> -b dc=example,dc=com -D user.name@a_domain -w qwerty Best regards, Cristian Falcas _________________________________________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users> Hi, I used "-x" for ldapsearch and the result is the same: list retrieved. Is there any equivalent for engine-manage-domains? Cristian

Hi Christian, there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues. What ldap server are you working against? Maybe I missed that

Cristian Falcas

9:56 a.m.

On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs(a)redhat.com> wrote:

...

On 11/20/2012 09:05 AM, Cristian Falcas wrote: > > > > On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs(a)redhat.com > <mailto:yzaslavs@redhat.com>> wrote: > > > > On 11/20/2012 12:39 AM, Cristian Falcas wrote: > > > > On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim(a)redhat.com > <mailto:iheim@redhat.com> > <mailto:iheim@redhat.com <mailto:iheim@redhat.com>>> wrote: > > On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote: > > On 11/19/2012 10:01 AM, Cristian Falcas wrote: > > Hi, > > I'm trying to add some users to ovirt using an AD. > > This is the configuration I used for a mediawiki > site, which is > working correctly: > $wgAuth = new LdapAuthenticationPlugin(); > $wgLDAPUseLocal = true; > $wgLDAPDomainNames = array( "a_domain"); > $wgLDAPServerNames = array( > "a_domain"=>"site.example.com <http://site.example.com> > <http://site.example.com> > <http://site.example.com>"); > > $wgLDAPEncryptionType = array( "a_domain"=>"clear"); > $wgLDAPSearchStrings = array( > "a_domain"=>"rom_domain\\USER-**____NAME"); > $wgLDAPBaseDNs = array( > "a_domain"=>"dc=company,dc=___**_com"); > > > > Those are the commands I tried using: > engine-manage-domains -action=add > -domain=site.example.com <http://site.example.com> > <http://site.example.com> > <http://site.example.com> -provider=ActiveDirectory > -user=user.name <http://user.name> <http://user.name > > > <http://user.name> -interactive > > > engine-manage-domains -action=add -domain=a_domain > -provider=ActiveDirectory > -user=user.name(a)company.com <mailto:user.name@company.com> > <mailto:user.name@company.com > <mailto:user.name@company.com>**> > <mailto:user.name@company.com > <mailto:user.name@company.com> > > <mailto:user.name@company.com > <mailto:user.name@company.com>**>__> -interactive > > > engine-manage-domains -action=add -domain=a_domain > -provider=ActiveDirectory > -user=user.name(a)site.example._**___com > <mailto:user.name@site.__examp**le.com<http://example.com> > <mailto:user.name@site.**example.com <user.name(a)site.example.com> > >> > <mailto:user.name@site. > <mailto:user.name@site.>__exam**p__le.com <http://examp__le.com>< > http://example.com> > > > <mailto:user.name@site.__examp**le.com<http://example.com> > <mailto:user.name@site.**example.com <user.name(a)site.example.com>>>> > -interactive > > > You don't add an user this way. You add the domain. You > have to > pass the > domain admin user and the domain admin password. > > > any domain user will do, doesn't have to be an admin. > what does the log say? > > > Then you can use the domain within the engine. e.g. > search > users, add > access rights for vms etc. > Even login to the engine and assigning rights within > the engine > you can > handle from the engine itself. > > Regards, > > And the output on all tries: > Enter password: > > Error: Authentication Failed. Please verify the fully > qualified domain > name that is used for authentication is correct.. > Problematic domain > is: domain_used_in_command > Failure while applying Kerberos configuration. > Details: > Authentication > Failed. Please verify the fully qualified domain > name that > is used for > authentication is correct. > > Can someone help me with the correct parameters? > > > Best regards, > Cristian Falcas > > > ______________________________** > _____________________ > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org > <mailto:Users@ovirt.org>> > http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > > > > > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... > >> > > > > -- > Regards, > > Vinzenz Feenstra | Senior Software Engineer > RedHat Engineering Virtualization R & D > Phone: +420 532 294 625 <tel:%2B420%20532%20294%20625> > <tel:%2B420%20532%20294%20625> > > IRC: vfeenstr or evilissimo > > Better technology. Faster innovation. Powered by > community > collaboration. > See how it works at redhat.com <http://redhat.com> > <http://redhat.com> > > > > ______________________________**_____________________ > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org > <mailto:Users@ovirt.org>> > http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > > > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... > >> > > > > ______________________________**_____________________ > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org > <mailto:Users@ovirt.org>> > http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > > > > > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... > >> > > > > > Hi, > > This is the command I used (the same error is with -interactive > parameter): > > engine-manage-domains -action=add -domain=example.com > <http://example.com> > <http://example.com> -provider=ActiveDirectory > -user=user.name@a_domain > > -passwordFile=/tmp/pass > > [root@localhost ~]# cat /tmp/pass > qwerty[root@localhost ~]# > > This is the log: > > 2012-11-20 00:30:40,443 INFO > [org.ovirt.engine.core.utils._**_kerberos.ManageDomains] Creating > > kerberos > configuration for domain(s): example.com <http://example.com> > <http://example.com> > > 2012-11-20 00:30:40,525 INFO > [org.ovirt.engine.core.utils._**_kerberos.ManageDomains] > Successfully > > created kerberos configuration for domain(s): example.com > <http://example.com> > <http://example.com> > > 2012-11-20 00:30:40,526 INFO > [org.ovirt.engine.core.utils._**_kerberos.ManageDomains] Testing > > kerberos > configuration for domain: example.com <http://example.com> > <http://example.com> > > 2012-11-20 00:30:40,830 ERROR > [org.ovirt.engine.core.utils._**_kerberos.KerberosConfigCheck] > Error: > > exception message: Cannot locate KDC > 2012-11-20 00:30:40,851 ERROR > [org.ovirt.engine.core.utils._**_kerberos.ManageDomains] Failure > while > > testing domain example.com <http://example.com> > <http://example.com>;. Details: Kerberos > > error. Please check log for further details. > > > Hi, the error indicates you don't have kerberos configured. > manage-domains validates by default using GSSAPI/Kerberos (if I > understand correctly, this is equivalent to run ldapsearch with -Y > gssapi option). > I wonder if -x (simple authentication) will work for you as well (as > manage-domains contains code for simple authentication as well). > > > > This is the ldapsearch command that works (it retrieves users) > from the > same machine: > > > > ldapsearch -H ldap://example.com <http://example.com> > <http://example.com> -b > > dc=example,dc=com -D user.name@a_domain -w qwerty > > > Best regards, > Cristian Falcas > > > > ______________________________**___________________ > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> > http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... > > > > > > > Hi, > > I used "-x" for ldapsearch and the result is the same: list retrieved. > Is there any equivalent for engine-manage-domains? > > Cristian > Hi Christian, there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues. What ldap server are you working against? Maybe I missed that

Hi, The server is a Microfost AD 2003. Best regards, Cristian Falcas

Itamar Heim

9:58 a.m.

On 11/20/2012 09:56 AM, Cristian Falcas wrote:

...

On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com>> wrote: On 11/20/2012 09:05 AM, Cristian Falcas wrote: On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> <mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>>> wrote: On 11/20/2012 12:39 AM, Cristian Falcas wrote: On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim(a)redhat.com <mailto:iheim@redhat.com> <mailto:iheim@redhat.com <mailto:iheim@redhat.com>> <mailto:iheim@redhat.com <mailto:iheim@redhat.com> <mailto:iheim@redhat.com <mailto:iheim@redhat.com>>>> wrote: On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote: On 11/19/2012 10:01 AM, Cristian Falcas wrote: Hi, I'm trying to add some users to ovirt using an AD. This is the configuration I used for a mediawiki site, which is working correctly: $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPUseLocal = true; $wgLDAPDomainNames = array( "a_domain"); $wgLDAPServerNames = array( "a_domain"=>"site.example.com <http://site.example.com> <http://site.example.com> <http://site.example.com> <http://site.example.com>"); $wgLDAPEncryptionType = array( "a_domain"=>"clear"); $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-______NAME"); $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=______com"); Those are the commands I tried using: engine-manage-domains -action=add -domain=site.example.com <http://site.example.com> <http://site.example.com> <http://site.example.com> <http://site.example.com> -provider=ActiveDirectory -user=user.name <http://user.name> <http://user.name> <http://user.name> <http://user.name> -interactive engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name(a)company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>> <mailto:user.name@company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>>__> <mailto:user.name@company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>> <mailto:user.name@company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>>__>__> -interactive engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name(a)site.example.______com <mailto:user.name@site. <mailto:user.name@site.>__examp__le.com <http://example.com> <mailto:user.name@site.__example.com <mailto:user.name@site.example.com>>> <mailto:user.name@site <mailto:user.name@site>. <mailto:user.name@site <mailto:user.name@site>.>__exam__p__le.com <http://examp__le.com> <http://example.com> <mailto:user.name@site. <mailto:user.name@site.>__examp__le.com <http://example.com> <mailto:user.name@site.__example.com <mailto:user.name@site.example.com>>>> -interactive You don't add an user this way. You add the domain. You have to pass the domain admin user and the domain admin password. any domain user will do, doesn't have to be an admin. what does the log say? Then you can use the domain within the engine. e.g. search users, add access rights for vms etc. Even login to the engine and assigning rights within the engine you can handle from the engine itself. Regards, And the output on all tries: Enter password: Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct. Can someone help me with the correct parameters? Best regards, Cristian Falcas _____________________________________________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> http://lists.ovirt.org/______mailman/listinfo/users <http://lists.ovirt.org/____mailman/listinfo/users> <http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users>> <http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users> <http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users>>> -- Regards, Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625 <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> IRC: vfeenstr or evilissimo Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com <http://redhat.com> <http://redhat.com> <http://redhat.com> _____________________________________________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> http://lists.ovirt.org/______mailman/listinfo/users <http://lists.ovirt.org/____mailman/listinfo/users> <http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users>> <http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users> <http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users>>> _____________________________________________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> http://lists.ovirt.org/______mailman/listinfo/users <http://lists.ovirt.org/____mailman/listinfo/users> <http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users>> <http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users> <http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users>>> Hi, This is the command I used (the same error is with -interactive parameter): engine-manage-domains -action=add -domain=example.com <http://example.com> <http://example.com> <http://example.com> -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass [root@localhost ~]# cat /tmp/pass qwerty[root@localhost ~]# This is the log: 2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.____kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com <http://example.com> <http://example.com> <http://example.com> 2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.____kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com <http://example.com> <http://example.com> <http://example.com> 2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.____kerberos.ManageDomains] Testing kerberos configuration for domain: example.com <http://example.com> <http://example.com> <http://example.com> 2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.____kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC 2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.____kerberos.ManageDomains] Failure while testing domain example.com <http://example.com> <http://example.com> <http://example.com>;. Details: Kerberos error. Please check log for further details. Hi, the error indicates you don't have kerberos configured. manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to run ldapsearch with -Y gssapi option). I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well). This is the ldapsearch command that works (it retrieves users) from the same machine: ldapsearch -H ldap://example.com <http://example.com> <http://example.com> <http://example.com> -b dc=example,dc=com -D user.name@a_domain -w qwerty Best regards, Cristian Falcas ___________________________________________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users> <http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users>> Hi, I used "-x" for ldapsearch and the result is the same: list retrieved. Is there any equivalent for engine-manage-domains? Cristian Hi Christian, there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues. What ldap server are you working against? Maybe I missed that Hi, The server is a Microfost AD 2003. Best regards, Cristian Falcas

this should work, is the AD also the DNS server for the ovirt engine machine?

Cristian Falcas

10:11 a.m.

On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim(a)redhat.com> wrote:

...

On 11/20/2012 09:56 AM, Cristian Falcas wrote: > > > > On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs(a)redhat.com > <mailto:yzaslavs@redhat.com>> wrote: > > > > On 11/20/2012 09:05 AM, Cristian Falcas wrote: > > > > > On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky > <yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> > <mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>>> wrote: > > > > On 11/20/2012 12:39 AM, Cristian Falcas wrote: > > > > On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim > <iheim(a)redhat.com <mailto:iheim@redhat.com> > <mailto:iheim@redhat.com <mailto:iheim@redhat.com>> > <mailto:iheim@redhat.com <mailto:iheim@redhat.com> > <mailto:iheim@redhat.com <mailto:iheim@redhat.com>>>> wrote: > > On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote: > > On 11/19/2012 10:01 AM, Cristian Falcas wrote: > > Hi, > > I'm trying to add some users to ovirt > using an AD. > > This is the configuration I used for a > mediawiki > site, which is > working correctly: > $wgAuth = new LdapAuthenticationPlugin(); > $wgLDAPUseLocal = true; > $wgLDAPDomainNames = array( "a_domain"); > $wgLDAPServerNames = array( > "a_domain"=>"site.example.com <http://site.example.com> > <http://site.example.com> > <http://site.example.com> > <http://site.example.com>"); > > $wgLDAPEncryptionType = array( > "a_domain"=>"clear"); > $wgLDAPSearchStrings = array( > "a_domain"=>"rom_domain\\USER-** > ______NAME"); > $wgLDAPBaseDNs = array( > "a_domain"=>"dc=company,dc=___**___com"); > > > > > Those are the commands I tried using: > engine-manage-domains -action=add > -domain=site.example.com <http://site.example.com> > <http://site.example.com> > <http://site.example.com> > <http://site.example.com> > -provider=ActiveDirectory > -user=user.name <http://user.name> > <http://user.name> <http://user.name> > <http://user.name> -interactive > > > engine-manage-domains -action=add > -domain=a_domain > -provider=ActiveDirectory > -user=user.name(a)company.com > <mailto:user.name@company.com> <mailto:user.name@company.com > <mailto:user.name@company.com>**> > <mailto:user.name@company.com > <mailto:user.name@company.com> > <mailto:user.name@company.com > <mailto:user.name@company.com>**>__> > <mailto:user.name@company.com > <mailto:user.name@company.com> > <mailto:user.name@company.com > <mailto:user.name@company.com>**> > > <mailto:user.name@company.com > <mailto:user.name@company.com> > <mailto:user.name@company.com > <mailto:user.name@company.com>**>__>__> -interactive > > > engine-manage-domains -action=add > -domain=a_domain > -provider=ActiveDirectory > -user=user.name(a)site.example._**_____com > > <mailto:user.name@site. > <mailto:user.name@site.>__exam**p__le.com <http://examp__le.com>< > http://example.com> > <mailto:user.name@site.__examp**le.com<http://example.com> > <mailto:user.name@site.**example.com <user.name(a)site.example.com> > >>> > <mailto:user.name@site > <mailto:user.name@site>. > <mailto:user.name@site > <mailto:user.name@site>.>__exa**m__p__le.com<http://exam__p__le.com> > <http://examp__le.com> <http://example.com> > > > > <mailto:user.name@site. > <mailto:user.name@site.>__exam**p__le.com <http://examp__le.com>< > http://example.com> > <mailto:user.name@site.__examp**le.com<http://example.com> > <mailto:user.name@site.**example.com <user.name(a)site.example.com>>>>> > -interactive > > > You don't add an user this way. You add the > domain. You > have to > pass the > domain admin user and the domain admin password. > > > any domain user will do, doesn't have to be an > admin. > what does the log say? > > > Then you can use the domain within the engine. > e.g. search > users, add > access rights for vms etc. > Even login to the engine and assigning rights > within > the engine > you can > handle from the engine itself. > > Regards, > > And the output on all tries: > Enter password: > > Error: Authentication Failed. Please > verify the fully > qualified domain > name that is used for authentication is > correct.. > Problematic domain > is: domain_used_in_command > Failure while applying Kerberos > configuration. Details: > Authentication > Failed. Please verify the fully qualified > domain > name that > is used for > authentication is correct. > > Can someone help me with the correct > parameters? > > > Best regards, > Cristian Falcas > > > > ______________________________**_______________________ > > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org > <mailto:Users@ovirt.org>> <mailto:Users@ovirt.org > <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> > http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > > > > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > >> > > > > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > > > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... > >>> > > > > -- > Regards, > > Vinzenz Feenstra | Senior Software Engineer > RedHat Engineering Virtualization R & D > Phone: +420 532 294 625 > <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> > <tel:%2B420%20532%20294%20625> > > IRC: vfeenstr or evilissimo > > Better technology. Faster innovation. Powered > by community > collaboration. > See how it works at redhat.com > <http://redhat.com> <http://redhat.com> > <http://redhat.com> > > > > > ______________________________**_______________________ > > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org > <mailto:Users@ovirt.org>> <mailto:Users@ovirt.org > <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> > http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > > > > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > >> > > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > > > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... > >>> > > > > ______________________________** > _______________________ > > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org > <mailto:Users@ovirt.org>> <mailto:Users@ovirt.org > <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> > http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > > > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > >> > > > <http://lists.ovirt.org/____** > mailman/listinfo/users<http://lists.ovirt.org/____mailman/listinfo/use... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > > > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... > >>> > > > > > Hi, > > This is the command I used (the same error is with > -interactive > parameter): > > engine-manage-domains -action=add -domain=example.com > <http://example.com> > <http://example.com> > <http://example.com> -provider=ActiveDirectory > -user=user.name@a_domain > > -passwordFile=/tmp/pass > > [root@localhost ~]# cat /tmp/pass > qwerty[root@localhost ~]# > > This is the log: > > 2012-11-20 00:30:40,443 INFO > > [org.ovirt.engine.core.utils._**___kerberos.ManageDomains] > Creating > > > kerberos > configuration for domain(s): example.com > <http://example.com> <http://example.com> > <http://example.com> > > 2012-11-20 00:30:40,525 INFO > > [org.ovirt.engine.core.utils._**___kerberos.ManageDomains] > > Successfully > > created kerberos configuration for domain(s): > example.com <http://example.com> > <http://example.com> > <http://example.com> > > 2012-11-20 00:30:40,526 INFO > > [org.ovirt.engine.core.utils._**___kerberos.ManageDomains] > Testing > > > kerberos > configuration for domain: example.com > <http://example.com> <http://example.com> > <http://example.com> > > 2012-11-20 00:30:40,830 ERROR > > [org.ovirt.engine.core.utils._**___kerberos.** > KerberosConfigCheck] > > Error: > > exception message: Cannot locate KDC > 2012-11-20 00:30:40,851 ERROR > > [org.ovirt.engine.core.utils._**___kerberos.ManageDomains] > Failure > > while > > testing domain example.com <http://example.com> > <http://example.com> > <http://example.com>;. Details: Kerberos > > error. Please check log for further details. > > > Hi, the error indicates you don't have kerberos configured. > manage-domains validates by default using GSSAPI/Kerberos > (if I > understand correctly, this is equivalent to run ldapsearch > with -Y > gssapi option). > I wonder if -x (simple authentication) will work for you as > well (as > manage-domains contains code for simple authentication as > well). > > > > This is the ldapsearch command that works (it retrieves > users) > from the > same machine: > > > > ldapsearch -H ldap://example.com <http://example.com> > <http://example.com> > <http://example.com> -b > > dc=example,dc=com -D user.name@a_domain -w qwerty > > > Best regards, > Cristian Falcas > > > > ______________________________**_____________________ > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org > <mailto:Users@ovirt.org>> > http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > > > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... > >> > > > > > Hi, > > I used "-x" for ldapsearch and the result is the same: list > retrieved. > Is there any equivalent for engine-manage-domains? > > Cristian > > Hi Christian, there is no code allowing to add simple-authentication > domains to Manage-Domains. > In the past we did have the ability to do that, but there are > several problematic issues. > What ldap server are you working against? Maybe I missed that > > > > > Hi, > > The server is a Microfost AD 2003. > > Best regards, > Cristian Falcas > this should work, is the AD also the DNS server for the ovirt engine machine?

yes

Cristian Falcas

3 p.m.

Hi, So there is no way to use the domain I have at work, right? I will need to make a freeipa installation in order to add new users. Cristian On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas <cristi.falcas(a)gmail.com>wrote:

...

On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim(a)redhat.com> wrote: > On 11/20/2012 09:56 AM, Cristian Falcas wrote: > >> >> >> >> On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs(a)redhat.com >> <mailto:yzaslavs@redhat.com>> wrote: >> >> >> >> On 11/20/2012 09:05 AM, Cristian Falcas wrote: >> >> >> >> >> On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky >> <yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> >> <mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>>> >> wrote: >> >> >> >> On 11/20/2012 12:39 AM, Cristian Falcas wrote: >> >> >> >> On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim >> <iheim(a)redhat.com <mailto:iheim@redhat.com> >> <mailto:iheim@redhat.com <mailto:iheim@redhat.com>> >> <mailto:iheim@redhat.com <mailto:iheim@redhat.com> >> <mailto:iheim@redhat.com <mailto:iheim@redhat.com>>>> wrote: >> >> On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote: >> >> On 11/19/2012 10:01 AM, Cristian Falcas wrote: >> >> Hi, >> >> I'm trying to add some users to ovirt >> using an AD. >> >> This is the configuration I used for a >> mediawiki >> site, which is >> working correctly: >> $wgAuth = new LdapAuthenticationPlugin(); >> $wgLDAPUseLocal = true; >> $wgLDAPDomainNames = array( "a_domain"); >> $wgLDAPServerNames = array( >> "a_domain"=>"site.example.com <http://site.example.com> >> <http://site.example.com> >> <http://site.example.com> >> <http://site.example.com>"); >> >> $wgLDAPEncryptionType = array( >> "a_domain"=>"clear"); >> $wgLDAPSearchStrings = array( >> "a_domain"=>"rom_domain\\USER-** >> ______NAME"); >> $wgLDAPBaseDNs = array( >> "a_domain"=>"dc=company,dc=___**___com"); >> >> >> >> >> Those are the commands I tried using: >> engine-manage-domains -action=add >> -domain=site.example.com <http://site.example.com> >> <http://site.example.com> >> <http://site.example.com> >> <http://site.example.com> >> -provider=ActiveDirectory >> -user=user.name <http://user.name> >> <http://user.name> <http://user.name> >> <http://user.name> -interactive >> >> >> engine-manage-domains -action=add >> -domain=a_domain >> -provider=ActiveDirectory >> -user=user.name(a)company.com >> <mailto:user.name@company.com> <mailto:user.name@company.com >> <mailto:user.name@company.com>**> >> <mailto:user.name@company.com >> <mailto:user.name@company.com> >> <mailto:user.name@company.com >> <mailto:user.name@company.com>**>__> >> <mailto:user.name@company.com >> <mailto:user.name@company.com> >> <mailto:user.name@company.com >> <mailto:user.name@company.com>**> >> >> <mailto:user.name@company.com >> <mailto:user.name@company.com> >> <mailto:user.name@company.com >> <mailto:user.name@company.com>**>__>__> -interactive >> >> >> engine-manage-domains -action=add >> -domain=a_domain >> -provider=ActiveDirectory >> -user=user.name(a)site.example._**_____com >> >> <mailto:user.name@site. >> <mailto:user.name@site.>__exam**p__le.com <http://examp__le.com>< >> http://example.com> >> <mailto:user.name@site.__examp**le.com<http://example.com> >> <mailto:user.name@site.**example.com<user.name@site.example.com> >> >>> >> <mailto:user.name@site >> <mailto:user.name@site>. >> <mailto:user.name@site >> <mailto:user.name@site>.>__exa**m__p__le.com<http://exam__p__le.com> >> <http://examp__le.com> <http://example.com> >> >> >> >> <mailto:user.name@site. >> <mailto:user.name@site.>__exam**p__le.com <http://examp__le.com>< >> http://example.com> >> <mailto:user.name@site.__examp**le.com<http://example.com> >> <mailto:user.name@site.**example.com<user.name@site.example.com>>>>> >> -interactive >> >> >> You don't add an user this way. You add the >> domain. You >> have to >> pass the >> domain admin user and the domain admin >> password. >> >> >> any domain user will do, doesn't have to be an >> admin. >> what does the log say? >> >> >> Then you can use the domain within the engine. >> e.g. search >> users, add >> access rights for vms etc. >> Even login to the engine and assigning rights >> within >> the engine >> you can >> handle from the engine itself. >> >> Regards, >> >> And the output on all tries: >> Enter password: >> >> Error: Authentication Failed. Please >> verify the fully >> qualified domain >> name that is used for authentication is >> correct.. >> Problematic domain >> is: domain_used_in_command >> Failure while applying Kerberos >> configuration. Details: >> Authentication >> Failed. Please verify the fully qualified >> domain >> name that >> is used for >> authentication is correct. >> >> Can someone help me with the correct >> parameters? >> >> >> Best regards, >> Cristian Falcas >> >> >> >> ______________________________**_______________________ >> >> Users mailing list >> Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org >> <mailto:Users@ovirt.org>> <mailto:Users@ovirt.org >> <mailto:Users@ovirt.org> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> >> http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> > >> >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> >> >> >> >> >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> > >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... >> >>> >> >> >> >> -- >> Regards, >> >> Vinzenz Feenstra | Senior Software Engineer >> RedHat Engineering Virtualization R & D >> Phone: +420 532 294 625 >> <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> >> <tel:%2B420%20532%20294%20625> >> >> IRC: vfeenstr or evilissimo >> >> Better technology. Faster innovation. Powered >> by community >> collaboration. >> See how it works at redhat.com >> <http://redhat.com> <http://redhat.com> >> <http://redhat.com> >> >> >> >> >> ______________________________**_______________________ >> >> Users mailing list >> Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org >> <mailto:Users@ovirt.org>> <mailto:Users@ovirt.org >> <mailto:Users@ovirt.org> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> >> http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> > >> >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> >> >> >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> > >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... >> >>> >> >> >> >> ______________________________** >> _______________________ >> >> Users mailing list >> Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org >> <mailto:Users@ovirt.org>> <mailto:Users@ovirt.org >> <mailto:Users@ovirt.org> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> >> http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> > >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> >> >> >> >> <http://lists.ovirt.org/____** >> mailman/listinfo/users<http://lists.ovirt.org/____mailman/listinfo/use... >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> > >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... >> >>> >> >> >> >> >> Hi, >> >> This is the command I used (the same error is with >> -interactive >> parameter): >> >> engine-manage-domains -action=add -domain=example.com >> <http://example.com> >> <http://example.com> >> <http://example.com> -provider=ActiveDirectory >> -user=user.name@a_domain >> >> -passwordFile=/tmp/pass >> >> [root@localhost ~]# cat /tmp/pass >> qwerty[root@localhost ~]# >> >> This is the log: >> >> 2012-11-20 00:30:40,443 INFO >> >> [org.ovirt.engine.core.utils._**___kerberos.ManageDomains] >> Creating >> >> >> kerberos >> configuration for domain(s): example.com >> <http://example.com> <http://example.com> >> <http://example.com> >> >> 2012-11-20 00:30:40,525 INFO >> >> [org.ovirt.engine.core.utils._**___kerberos.ManageDomains] >> >> Successfully >> >> created kerberos configuration for domain(s): >> example.com <http://example.com> >> <http://example.com> >> <http://example.com> >> >> 2012-11-20 00:30:40,526 INFO >> >> [org.ovirt.engine.core.utils._**___kerberos.ManageDomains] >> Testing >> >> >> kerberos >> configuration for domain: example.com >> <http://example.com> <http://example.com> >> <http://example.com> >> >> 2012-11-20 00:30:40,830 ERROR >> >> [org.ovirt.engine.core.utils._**___kerberos.** >> KerberosConfigCheck] >> >> Error: >> >> exception message: Cannot locate KDC >> 2012-11-20 00:30:40,851 ERROR >> >> [org.ovirt.engine.core.utils._**___kerberos.ManageDomains] >> Failure >> >> while >> >> testing domain example.com <http://example.com> >> <http://example.com> >> <http://example.com>;. Details: Kerberos >> >> error. Please check log for further details. >> >> >> Hi, the error indicates you don't have kerberos configured. >> manage-domains validates by default using GSSAPI/Kerberos >> (if I >> understand correctly, this is equivalent to run ldapsearch >> with -Y >> gssapi option). >> I wonder if -x (simple authentication) will work for you as >> well (as >> manage-domains contains code for simple authentication as >> well). >> >> >> >> This is the ldapsearch command that works (it retrieves >> users) >> from the >> same machine: >> >> >> >> ldapsearch -H ldap://example.com <http://example.com> >> <http://example.com> >> <http://example.com> -b >> >> dc=example,dc=com -D user.name@a_domain -w qwerty >> >> >> Best regards, >> Cristian Falcas >> >> >> >> ______________________________**_____________________ >> Users mailing list >> Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org >> <mailto:Users@ovirt.org>> >> http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> > >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... >> >> >> >> >> >> >> Hi, >> >> I used "-x" for ldapsearch and the result is the same: list >> retrieved. >> Is there any equivalent for engine-manage-domains? >> >> Cristian >> >> Hi Christian, there is no code allowing to add simple-authentication >> domains to Manage-Domains. >> In the past we did have the ability to do that, but there are >> several problematic issues. >> What ldap server are you working against? Maybe I missed that >> >> >> >> >> Hi, >> >> The server is a Microfost AD 2003. >> >> Best regards, >> Cristian Falcas >> > > this should work, is the AD also the DNS server for the ovirt engine > machine? > > yes

Itamar Heim

3:08 p.m.

On 11/20/2012 03:00 PM, Cristian Falcas wrote:

...

Hi, So there is no way to use the domain I have at work, right? I will need to make a freeipa installation in order to add new users.

there is no reason this shouldn't work with active directory 2003 (assuming its forest level isn't still in AD 2000 compatibility mode?). tcpdump for the traffic during engine-manage-domains should help diagnosing why.

...

Cristian On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas <cristi.falcas(a)gmail.com <mailto:cristi.falcas@gmail.com>> wrote: On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim(a)redhat.com <mailto:iheim@redhat.com>> wrote: On 11/20/2012 09:56 AM, Cristian Falcas wrote: On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> <mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>>> wrote: On 11/20/2012 09:05 AM, Cristian Falcas wrote: On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> <mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>> <mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> <mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>>>> wrote: On 11/20/2012 12:39 AM, Cristian Falcas wrote: On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim(a)redhat.com <mailto:iheim@redhat.com> <mailto:iheim@redhat.com <mailto:iheim@redhat.com>> <mailto:iheim@redhat.com <mailto:iheim@redhat.com> <mailto:iheim@redhat.com <mailto:iheim@redhat.com>>> <mailto:iheim@redhat.com <mailto:iheim@redhat.com> <mailto:iheim@redhat.com <mailto:iheim@redhat.com>> <mailto:iheim@redhat.com <mailto:iheim@redhat.com> <mailto:iheim@redhat.com <mailto:iheim@redhat.com>>>>> wrote: On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote: On 11/19/2012 10:01 AM, Cristian Falcas wrote: Hi, I'm trying to add some users to ovirt using an AD. This is the configuration I used for a mediawiki site, which is working correctly: $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPUseLocal = true; $wgLDAPDomainNames = array( "a_domain"); $wgLDAPServerNames = array( "a_domain"=>"site.example.com <http://site.example.com> <http://site.example.com> <http://site.example.com> <http://site.example.com> <http://site.example.com>"); $wgLDAPEncryptionType = array( "a_domain"=>"clear"); $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-________NAME"); $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=________com"); Those are the commands I tried using: engine-manage-domains -action=add -domain=site.example.com <http://site.example.com> <http://site.example.com> <http://site.example.com> <http://site.example.com> <http://site.example.com> -provider=ActiveDirectory -user=user.name <http://user.name> <http://user.name> <http://user.name> <http://user.name> <http://user.name> -interactive engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name(a)company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>> <mailto:user.name@company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>>__> <mailto:user.name@company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>> <mailto:user.name@company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>>__>__> <mailto:user.name@company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>> <mailto:user.name@company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>>__> <mailto:user.name@company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>> <mailto:user.name@company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>>__>__>__> -interactive engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name(a)site.example.________com <mailto:user.name@site <mailto:user.name@site>. <mailto:user.name@site <mailto:user.name@site>.>__exam__p__le.com <http://examp__le.com> <http://example.com> <mailto:user.name@site. <mailto:user.name@site.>__examp__le.com <http://example.com> <mailto:user.name@site.__example.com <mailto:user.name@site.example.com>>>> <mailto:user.name@site <mailto:user.name@site> <mailto:user.name@site <mailto:user.name@site>>. <mailto:user.name@site <mailto:user.name@site> <mailto:user.name@site <mailto:user.name@site>>.>__exa__m__p__le.com <http://exam__p__le.com> <http://examp__le.com> <http://example.com> <mailto:user.name@site <mailto:user.name@site>. <mailto:user.name@site <mailto:user.name@site>.>__exam__p__le.com <http://examp__le.com> <http://example.com> <mailto:user.name@site. <mailto:user.name@site.>__examp__le.com <http://example.com> <mailto:user.name@site.__example.com <mailto:user.name@site.example.com>>>>> -interactive You don't add an user this way. You add the domain. You have to pass the domain admin user and the domain admin password. any domain user will do, doesn't have to be an admin. what does the log say? Then you can use the domain within the engine. e.g. search users, add access rights for vms etc. Even login to the engine and assigning rights within the engine you can handle from the engine itself. Regards, And the output on all tries: Enter password: Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct. Can someone help me with the correct parameters? Best regards, Cristian Falcas _______________________________________________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>>> http://lists.ovirt.org/________mailman/listinfo/users <http://lists.ovirt.org/______mailman/listinfo/users> <http://lists.ovirt.org/______mailman/listinfo/users <http://lists.ovirt.org/____mailman/listinfo/users>> <http://lists.ovirt.org/______mailman/listinfo/users <http://lists.ovirt.org/____mailman/listinfo/users> <http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users>>> <http://lists.ovirt.org/______mailman/listinfo/users <http://lists.ovirt.org/____mailman/listinfo/users> <http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users>> <http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users> <http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users>>>> -- Regards, Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625 <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> IRC: vfeenstr or evilissimo Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com <http://redhat.com> <http://redhat.com> <http://redhat.com> <http://redhat.com> _______________________________________________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>>> http://lists.ovirt.org/________mailman/listinfo/users <http://lists.ovirt.org/______mailman/listinfo/users> <http://lists.ovirt.org/______mailman/listinfo/users <http://lists.ovirt.org/____mailman/listinfo/users>> <http://lists.ovirt.org/______mailman/listinfo/users <http://lists.ovirt.org/____mailman/listinfo/users> <http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users>>> <http://lists.ovirt.org/______mailman/listinfo/users <http://lists.ovirt.org/____mailman/listinfo/users> <http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users>> <http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users> <http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users>>>> _______________________________________________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>>> http://lists.ovirt.org/________mailman/listinfo/users <http://lists.ovirt.org/______mailman/listinfo/users> <http://lists.ovirt.org/______mailman/listinfo/users <http://lists.ovirt.org/____mailman/listinfo/users>> <http://lists.ovirt.org/______mailman/listinfo/users <http://lists.ovirt.org/____mailman/listinfo/users> <http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users>>> <http://lists.ovirt.org/______mailman/listinfo/users <http://lists.ovirt.org/____mailman/listinfo/users> <http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users>> <http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users> <http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users>>>> Hi, This is the command I used (the same error is with -interactive parameter): engine-manage-domains -action=add -domain=example.com <http://example.com> <http://example.com> <http://example.com> <http://example.com> -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass [root@localhost ~]# cat /tmp/pass qwerty[root@localhost ~]# This is the log: 2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.______kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com <http://example.com> <http://example.com> <http://example.com> <http://example.com> 2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.______kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com <http://example.com> <http://example.com> <http://example.com> <http://example.com> 2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.______kerberos.ManageDomains] Testing kerberos configuration for domain: example.com <http://example.com> <http://example.com> <http://example.com> <http://example.com> 2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.______kerberos.__KerberosConfigCheck] Error: exception message: Cannot locate KDC 2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.______kerberos.ManageDomains] Failure while testing domain example.com <http://example.com> <http://example.com> <http://example.com> <http://example.com>;. Details: Kerberos error. Please check log for further details. Hi, the error indicates you don't have kerberos configured. manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to run ldapsearch with -Y gssapi option). I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well). This is the ldapsearch command that works (it retrieves users) from the same machine: ldapsearch -H ldap://example.com <http://example.com> <http://example.com> <http://example.com> <http://example.com> -b dc=example,dc=com -D user.name@a_domain -w qwerty Best regards, Cristian Falcas _____________________________________________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> http://lists.ovirt.org/______mailman/listinfo/users <http://lists.ovirt.org/____mailman/listinfo/users> <http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users>> <http://lists.ovirt.org/____mailman/listinfo/users <http://lists.ovirt.org/__mailman/listinfo/users> <http://lists.ovirt.org/__mailman/listinfo/users <http://lists.ovirt.org/mailman/listinfo/users>>> Hi, I used "-x" for ldapsearch and the result is the same: list retrieved. Is there any equivalent for engine-manage-domains? Cristian Hi Christian, there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues. What ldap server are you working against? Maybe I missed that Hi, The server is a Microfost AD 2003. Best regards, Cristian Falcas this should work, is the AD also the DNS server for the ovirt engine machine? yes

Cristian Falcas

7:33 p.m.

On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim <iheim(a)redhat.com> wrote:

...

On 11/20/2012 03:00 PM, Cristian Falcas wrote: > Hi, > > So there is no way to use the domain I have at work, right? > > I will need to make a freeipa installation in order to add new users. > there is no reason this shouldn't work with active directory 2003 (assuming its forest level isn't still in AD 2000 compatibility mode?). tcpdump for the traffic during engine-manage-domains should help diagnosing why. > Cristian > > > On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas > <cristi.falcas(a)gmail.com <mailto:cristi.falcas@gmail.**com<cristi.falcas@gmail.com>>> > wrote: > > > > > On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim(a)redhat.com > <mailto:iheim@redhat.com>> wrote: > > On 11/20/2012 09:56 AM, Cristian Falcas wrote: > > > > > On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky > <yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> > <mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>>> > wrote: > > > > On 11/20/2012 09:05 AM, Cristian Falcas wrote: > > > > > On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky > <yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> > <mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>> > <mailto:yzaslavs@redhat.com > <mailto:yzaslavs@redhat.com> <mailto:yzaslavs@redhat.com > <mailto:yzaslavs@redhat.com>>>**> wrote: > > > > On 11/20/2012 12:39 AM, Cristian Falcas wrote: > > > > On Mon, Nov 19, 2012 at 10:53 PM, Itamar > Heim > <iheim(a)redhat.com <mailto:iheim@redhat.com> > <mailto:iheim@redhat.com <mailto:iheim@redhat.com>> > <mailto:iheim@redhat.com > <mailto:iheim@redhat.com> <mailto:iheim@redhat.com > <mailto:iheim@redhat.com>>> > <mailto:iheim@redhat.com > <mailto:iheim@redhat.com> <mailto:iheim@redhat.com > <mailto:iheim@redhat.com>> > <mailto:iheim@redhat.com <mailto:iheim@redhat.com> > <mailto:iheim@redhat.com <mailto:iheim@redhat.com>>>>> wrote: > > On 11/19/2012 11:29 AM, Vinzenz > Feenstra wrote: > > On 11/19/2012 10:01 AM, Cristian > Falcas wrote: > > Hi, > > I'm trying to add some users > to ovirt > using an AD. > > This is the configuration I > used for a > mediawiki > site, which is > working correctly: > $wgAuth = new > LdapAuthenticationPlugin(); > $wgLDAPUseLocal = true; > $wgLDAPDomainNames = array( > "a_domain"); > $wgLDAPServerNames = array( > "a_domain"=>"site.example.com > <http://site.example.com> <http://site.example.com> > <http://site.example.com> > <http://site.example.com> > <http://site.example.com>"); > > $wgLDAPEncryptionType = array( > "a_domain"=>"clear"); > $wgLDAPSearchStrings = array( > > "a_domain"=>"rom_domain\\USER-**________NAME"); > $wgLDAPBaseDNs = array( > "a_domain"=>"dc=company,dc=___**_____com"); > > > > > > Those are the commands I > tried using: > engine-manage-domains > -action=add > -domain=site.example.com > <http://site.example.com> <http://site.example.com> > <http://site.example.com> > <http://site.example.com> > <http://site.example.com> > -provider=ActiveDirectory > -user=user.name > <http://user.name> <http://user.name> > <http://user.name> <http://user.name> > <http://user.name> > -interactive > > > engine-manage-domains > -action=add > -domain=a_domain > -provider=ActiveDirectory > -user=user.name(a)company.com > <mailto:user.name@company.com> > <mailto:user.name@company.com > <mailto:user.name@company.com>**> > <mailto:user.name@company.com <mailto:user.name@company.com> > <mailto:user.name@company.com > <mailto:user.name@company.com>**>__> > <mailto:user.name@company.com > <mailto:user.name@company.com> > <mailto:user.name@company.com > <mailto:user.name@company.com>**> > <mailto:user.name@company.com > <mailto:user.name@company.com> > <mailto:user.name@company.com > <mailto:user.name@company.com>**>__>__> > <mailto:user.name@company.com > <mailto:user.name@company.com> > <mailto:user.name@company.com > <mailto:user.name@company.com>**> > <mailto:user.name@company.com > <mailto:user.name@company.com> > <mailto:user.name@company.com > <mailto:user.name@company.com>**>__> > > <mailto:user.name@company.com > <mailto:user.name@company.com> > <mailto:user.name@company.com > <mailto:user.name@company.com>**> > <mailto:user.name@company.com > <mailto:user.name@company.com> > <mailto:user.name@company.com > <mailto:user.name@company.com>**>__>__>__> -interactive > > > engine-manage-domains > -action=add > -domain=a_domain > -provider=ActiveDirectory > -user=user.name(a)site.example._**_______com > > > <mailto:user.name@site > <mailto:user.name@site>. > <mailto:user.name@site > <mailto:user.name@site>.>__exa**m__p__le.com<http://exam__p__le.com> > <http://examp__le.com> <http://example.com> > <mailto:user.name@site. > <mailto:user.name@site.>__exam**p__le.com<http://examp__le.com>< > http://example.com> > <mailto:user.name@site.__examp**le.com<http://example.com> > <mailto:user.name@site.**example.com<user.name@site.example.com> > >>>> > <mailto:user.name@site > <mailto:user.name@site> > > <mailto:user.name@site <mailto:user.name@site>>. > <mailto:user.name@site <mailto: > user.name@site> > <mailto:user.name@site > <mailto:user.name@site>>.>__ex**a__m__p__le.com<http://exa__m__p__le.com> > <http://exam__p__le.com> > > <http://examp__le.com> <http://example.com> > > > > <mailto:user.name@site > <mailto:user.name@site>. > <mailto:user.name@site > <mailto:user.name@site>.>__exa**m__p__le.com<http://exam__p__le.com> > <http://examp__le.com> <http://example.com> > <mailto:user.name@site. > <mailto:user.name@site.>__exam**p__le.com<http://examp__le.com>< > http://example.com> > <mailto:user.name@site.__examp**le.com<http://example.com> > <mailto:user.name@site.**example.com<user.name@site.example.com>>>>>> > -interactive > > > You don't add an user this way. > You add the > domain. You > have to > pass the > domain admin user and the domain > admin password. > > > any domain user will do, doesn't have > to be an admin. > what does the log say? > > > Then you can use the domain > within the engine. > e.g. search > users, add > access rights for vms etc. > Even login to the engine and > assigning rights > within > the engine > you can > handle from the engine itself. > > Regards, > > And the output on all tries: > Enter password: > > Error: Authentication Failed. > Please > verify the fully > qualified domain > name that is used for > authentication is > correct.. > Problematic domain > is: domain_used_in_command > Failure while applying Kerberos > configuration. Details: > Authentication > Failed. Please verify the > fully qualified > domain > name that > is used for > authentication is correct. > > Can someone help me with the > correct > parameters? > > > Best regards, > Cristian Falcas > > > > > ______________________________**_________________________ > > > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> > <mailto:Users@ovirt.org > <mailto:Users@ovirt.org> <mailto:Users@ovirt.org > <mailto:Users@ovirt.org>>>> > http://lists.ovirt.org/_______**_mailman/listinfo/users<http://lists.o... > <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... > > > > > <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > >> > > > <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > > > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > >>> > > > > > <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > > > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > >> > > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > > > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... > >>>> > > > > -- > Regards, > > Vinzenz Feenstra | Senior > Software Engineer > RedHat Engineering Virtualization > R & D > Phone: +420 532 294 625 > <tel:%2B420%20532%20294%20625> > <tel:%2B420%20532%20294%20625> > <tel:%2B420%20532%20294%20625> > <tel:%2B420%20532%20294%20625> > > IRC: vfeenstr or evilissimo > > Better technology. Faster > innovation. Powered > by community > collaboration. > See how it works at redhat.com > <http://redhat.com> > <http://redhat.com> <http://redhat.com> > <http://redhat.com> > > > > > > ______________________________**_________________________ > > > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> > <mailto:Users@ovirt.org > <mailto:Users@ovirt.org> <mailto:Users@ovirt.org > <mailto:Users@ovirt.org>>>> > http://lists.ovirt.org/_______**_mailman/listinfo/users<http://lists.o... > <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... > > > > > <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > >> > > > <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > > > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > >>> > > > <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > > > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > >> > > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > > > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... > >>>> > > > > > ______________________________**_________________________ > > > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> > <mailto:Users@ovirt.org > <mailto:Users@ovirt.org> <mailto:Users@ovirt.org > <mailto:Users@ovirt.org>>>> > http://lists.ovirt.org/_______**_mailman/listinfo/users<http://lists.o... > <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... > > > > > <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > >> > > <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > > > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > >>> > > > > <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > > > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > >> > > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > > > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... > >>>> > > > > > Hi, > > This is the command I used (the same error > is with > -interactive > parameter): > > engine-manage-domains -action=add > -domain=example.com <http://example.com> > <http://example.com> > <http://example.com> > <http://example.com> > -provider=ActiveDirectory > -user=user.name@a_domain > > -passwordFile=/tmp/pass > > [root@localhost ~]# cat /tmp/pass > qwerty[root@localhost ~]# > > This is the log: > > 2012-11-20 00:30:40,443 INFO > > > [org.ovirt.engine.core.utils._**_____kerberos.ManageDomains] > > Creating > > > kerberos > configuration for domain(s): example.com > <http://example.com> > <http://example.com> <http://example.com> > <http://example.com> > > 2012-11-20 00:30:40,525 INFO > > > [org.ovirt.engine.core.utils._**_____kerberos.ManageDomains] > > > Successfully > > created kerberos configuration for > domain(s): > example.com <http://example.com> <http://example.com> > <http://example.com> > <http://example.com> > > 2012-11-20 00:30:40,526 INFO > > > [org.ovirt.engine.core.utils._**_____kerberos.ManageDomains] > > Testing > > > kerberos > configuration for domain: example.com > <http://example.com> > <http://example.com> <http://example.com> > <http://example.com> > > 2012-11-20 00:30:40,830 ERROR > > > [org.ovirt.engine.core.utils._**_____kerberos.__** > KerberosConfigCheck] > > > Error: > > exception message: Cannot locate KDC > 2012-11-20 00:30:40,851 ERROR > > > [org.ovirt.engine.core.utils._**_____kerberos.ManageDomains] > > Failure > > while > > testing domain example.com > <http://example.com> <http://example.com> > <http://example.com> > <http://example.com>;. Details: Kerberos > > error. Please check log for further details. > > > Hi, the error indicates you don't have > kerberos configured. > manage-domains validates by default using > GSSAPI/Kerberos (if I > understand correctly, this is equivalent to > run ldapsearch > with -Y > gssapi option). > I wonder if -x (simple authentication) will > work for you as > well (as > manage-domains contains code for simple > authentication as > well). > > > > This is the ldapsearch command that works > (it retrieves > users) > from the > same machine: > > > > ldapsearch -H ldap://example.com > <http://example.com> <http://example.com> > <http://example.com> > <http://example.com> -b > > dc=example,dc=com -D user.name@a_domain -w > qwerty > > > Best regards, > Cristian Falcas > > > > > ______________________________**_______________________ > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org> > <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> > http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > > > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > >> > > <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > > > <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... > <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... > >>> > > > > > Hi, > > I used "-x" for ldapsearch and the result is the > same: list > retrieved. > Is there any equivalent for engine-manage-domains? > > Cristian > > Hi Christian, there is no code allowing to add > simple-authentication > domains to Manage-Domains. > In the past we did have the ability to do that, but > there are > several problematic issues. > What ldap server are you working against? Maybe I > missed that > > > > > Hi, > > The server is a Microfost AD 2003. > > Best regards, > Cristian Falcas > > > this should work, is the AD also the DNS server for the ovirt > engine machine? > > > > yes > > >

Could you take a look at the tcp dump? There are only 2 messages relevant to this (let me know if you want the full dump): - 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV _kerberos._tcp.EXAMPLE.COM - 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.comSRV 0 100 88 site3.example.com Also, I tries to run ldapsearch with -Y gssapi: ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: No worthy mechs found Best regards, Cristian Falcas

Yair Zaslavsky

Wednesday, 21 November Wed, 21 Nov

5:05 a.m.

------=_Part_35338608_979479843.1353467130356 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit ----- Original Message -----

...

From: "Cristian Falcas" <cristi.falcas(a)gmail.com

...

To: "Itamar Heim" <iheim(a)redhat.com

...

Cc: "Yair Zaslavsky" <yzaslavs(a)redhat.com>, users(a)ovirt.org Sent: Tuesday, November 20, 2012 7:33:39 PM Subject: Re: [Users] I don't know how to add AD users

...

On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim < iheim(a)redhat.com

...

wrote:

...

> On 11/20/2012 03:00 PM, Cristian Falcas wrote:

...

> > Hi, >

...

> > So there is no way to use the domain I have at work, right? >

...

> > I will need to make a freeipa installation in order to add new > > users. >

...

> there is no reason this shouldn't work with active directory 2003 > (assuming its forest level isn't still in AD 2000 compatibility > mode?). > tcpdump for the traffic during engine-manage-domains should help > diagnosing why.

...

> > Cristian >

...

> > On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas >

...

> > < cristi.falcas(a)gmail.com <mailto: cristi.falcas@gmail. com >

...

> > wrote: >

...

> > On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim < iheim(a)redhat.com >

...

> > <mailto: iheim(a)redhat.com >> wrote: >

...

> > On 11/20/2012 09:56 AM, Cristian Falcas wrote: >

...

> > On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky > > > < yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com

...

> > <mailto: yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com >>

...

> > > wrote: >

...

> > On 11/20/2012 09:05 AM, Cristian Falcas wrote: >

...

> > On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky > > > < yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com

...

> > > <mailto: yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com >

...

> > > <mailto: yzaslavs(a)redhat.com > > > <mailto: yzaslavs(a)redhat.com > <mailto: yzaslavs(a)redhat.com > > > <mailto: yzaslavs(a)redhat.com >>> > wrote: >

...

> > On 11/20/2012 12:39 AM, Cristian Falcas wrote: >

...

> > On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim > > > < iheim(a)redhat.com <mailto: iheim(a)redhat.com

...

> > > <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com >

...

> > > <mailto: iheim(a)redhat.com > > > <mailto: iheim(a)redhat.com > <mailto: iheim(a)redhat.com > > > <mailto: iheim(a)redhat.com >>

...

> > > <mailto: iheim(a)redhat.com > > > <mailto: iheim(a)redhat.com > <mailto: iheim(a)redhat.com > > > <mailto: iheim(a)redhat.com >

...

> > > <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com

...

> > > <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com >>>>> wrote: >

...

> > On 11/19/2012 11:29 AM, Vinzenz > > > Feenstra wrote: >

...

> > On 11/19/2012 10:01 AM, Cristian > > > Falcas wrote: >

...

> > Hi, >

...

> > I'm trying to add some users > > > to ovirt > > > using an AD. >

...

> > This is the configuration I > > > used for a > > > mediawiki > > > site, which is > > > working correctly: > > > $wgAuth = new > > > LdapAuthenticationPlugin(); > > > $wgLDAPUseLocal = true; > > > $wgLDAPDomainNames = array( > > > "a_domain"); > > > $wgLDAPServerNames = array( > > > "a_domain"=>" site.example.com > > > < http://site.example.com > < http://site.example.com

...

> > > < http://site.example.com

...

> > > < http://site.example.com

...

> > > < http://site.example.com >"); >

...

> > $wgLDAPEncryptionType = array( > > > "a_domain"=>"clear"); > > > $wgLDAPSearchStrings = array( >

...

> > "a_domain"=>"rom_domain\\USER- ________NAME"); > > > $wgLDAPBaseDNs = array( > > > "a_domain"=>"dc=company,dc=___ _____com"); >

...

> > Those are the commands I > > > tried using: > > > engine-manage-domains -action=add > > > -domain= site.example.com > > > < http://site.example.com > < http://site.example.com

...

> > > < http://site.example.com

...

> > > < http://site.example.com

...

> > > < http://site.example.com

...

> > > -provider=ActiveDirectory > > > -user= user.name > > > < http://user.name > < http://user.name

...

> > > < http://user.name > < http://user.name

...

> > > < http://user.name > -interactive >

...

> > engine-manage-domains -action=add > > > -domain=a_domain > > > -provider=ActiveDirectory > > > -user= user.name(a)company.com > > > <mailto: user.name(a)company.com

...

> > > <mailto: user.name(a)company.com > > > <mailto: user.name(a)company.com >

...

> > > <mailto: user.name(a)company.com <mailto: user.name(a)company.com

...

> > > <mailto: user.name(a)company.com > > > <mailto: user.name(a)company.com > >__

...

> > > <mailto: user.name(a)company.com > > > <mailto: user.name(a)company.com

...

> > > <mailto: user.name(a)company.com > > > <mailto: user.name(a)company.com >

...

> > > <mailto: user.name(a)company.com > > > <mailto: user.name(a)company.com

...

> > > <mailto: user.name(a)company.com > > > <mailto: user.name(a)company.com > >__>__

...

> > > <mailto: user.name(a)company.com > > > <mailto: user.name(a)company.com

...

> > > <mailto: user.name(a)company.com > > > <mailto: user.name(a)company.com >

...

> > > <mailto: user.name(a)company.com > > > <mailto: user.name(a)company.com

...

> > > <mailto: user.name(a)company.com > > > <mailto: user.name(a)company.com > >__

...

> > <mailto: user.name(a)company.com > > > <mailto: user.name(a)company.com

...

> > > <mailto: user.name(a)company.com > > > <mailto: user.name(a)company.com >

...

> > > <mailto: user.name(a)company.com > > > <mailto: user.name(a)company.com

...

> > > <mailto: user.name(a)company.com > > > <mailto: user.name(a)company.com > >__>__>__> -interactive >

...

> > engine-manage-domains -action=add > > > -domain=a_domain > > > -provider=ActiveDirectory > > > -user=user.name(a)site.example._ _______com >

...

> > <mailto: user.name@site > > > <mailto: user.name@site >. > > > <mailto: user.name@site > > > <mailto: user.name@site >.>__ exa m__p__le.com > > > < http://examp__le.com > < http://example.com

...

> > > <mailto: user.name@site . > > > <mailto: user.name@site .>__ exam p__le.com < http://example.com > >

...

> > > <mailto: user.name@site. __ examp le.com > > > <mailto: user.name@site. example.com >>>

...

> > > <mailto: user.name@site > > > <mailto: user.name@site

...

> > <mailto: user.name@site <mailto: user.name@site >>. > > > <mailto: user.name@site <mailto: user.name@site

...

> > > <mailto: user.name@site > > > <mailto: user.name@site >>.>__ ex a__m__p__le.com > > > < http://exam__p__le.com

...

> > < http://examp__le.com > < http://example.com

...

> > > <mailto: user.name@site > > > > > > <mailto: user.name@site >. > > > > > > <mailto: user.name@site > > > > > > <mailto: user.name@site >.>__ exa m__p__le.com > > >

...

> > < http://examp__le.com > < http://example.com

...

> > > <mailto: user.name@site . > > > > > > <mailto: user.name@site .>__ exam p__le.com < http://example.com > > >

...

> > > > > > <mailto: user.name@site. __ examp le.com > > > > > > <mailto: user.name@site. example.com >>>>> -interactive > > >

...

> > You don't add an user this way. > > > You add the > > > domain. You > > > have to > > > pass the > > > domain admin user and the domain > > > admin password. >

...

> > any domain user will do, doesn't have > > > to be an admin. > > > what does the log say? >

...

> > Then you can use the domain > > > within the engine. > > > e.g. search > > > users, add > > > access rights for vms etc. > > > Even login to the engine and > > > assigning rights > > > within > > > the engine > > > you can > > > handle from the engine itself. >

...

> > Regards, >

...

> > And the output on all tries: > > > Enter password: >

...

> > Error: Authentication Failed. > > > Please > > > verify the fully > > > qualified domain > > > name that is used for > > > authentication is > > > correct.. > > > Problematic domain > > > is: domain_used_in_command > > > Failure while applying Kerberos > > > configuration. Details: > > > Authentication > > > Failed. Please verify the > > > fully qualified > > > domain > > > name that > > > is used for > > > authentication is correct. >

...

> > Can someone help me with the > > > correct > > > parameters? >

...

> > Best regards, > > > Cristian Falcas >

...

> > ______________________________ _________________________ >

...

> > Users mailing list > > > Users(a)ovirt.org <mailto: Users(a)ovirt.org

...

> > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >

...

> > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org

...

> > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>

...

> > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org

...

> > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >

...

> > > <mailto: Users(a)ovirt.org > > > <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org > > > <mailto: Users(a)ovirt.org >>>

...

> > > http://lists.ovirt.org/_______ _mailman/listinfo/users > > > < http://lists.ovirt.org/______ mailman/listinfo/users

...

> > < http://lists.ovirt.org/______ mailman/listinfo/users > > > < http://lists.ovirt.org/____ mailman/listinfo/users >

...

> > < http://lists.ovirt.org/______ mailman/listinfo/users > > > < http://lists.ovirt.org/____ mailman/listinfo/users

...

> > > < http://lists.ovirt.org/____ mailman/listinfo/users > > > < http://lists.ovirt.org/__ mailman/listinfo/users >>

...

> > < http://lists.ovirt.org/______ mailman/listinfo/users > > > < http://lists.ovirt.org/____ mailman/listinfo/users

...

> > > < http://lists.ovirt.org/____ mailman/listinfo/users > > > < http://lists.ovirt.org/__ mailman/listinfo/users >

...

> > < http://lists.ovirt.org/____ mailman/listinfo/users > > > < http://lists.ovirt.org/__ mailman/listinfo/users

...

> > > < http://lists.ovirt.org/__ mailman/listinfo/users > > > < http://lists.ovirt.org/ mailman/listinfo/users >>>

...

> > > -- > > >

...

> > Regards, >

...

> > Vinzenz Feenstra | Senior > > > Software Engineer > > > RedHat Engineering Virtualization > > > R & D > > > Phone: +420 532 294 625 > > > <tel:%2B420%20532%20294%20625

...

> > > <tel:%2B420%20532%20294%20625

...

> > > <tel:%2B420%20532%20294%20625

...

> > > <tel:%2B420%20532%20294%20625

...

> > IRC: vfeenstr or evilissimo >

...

> > Better technology. Faster > > > innovation. Powered > > > by community > > > collaboration. > > > See how it works at redhat.com > > > < http://redhat.com

...

> > > < http://redhat.com > < http://redhat.com

...

> > > < http://redhat.com

...

> > ______________________________ _________________________ >

...

> > Users mailing list > > > Users(a)ovirt.org <mailto: Users(a)ovirt.org

...

> > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >

...

> > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org

...

> > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>

...

> > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org

...

> > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >

...

> > > <mailto: Users(a)ovirt.org > > > <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org > > > <mailto: Users(a)ovirt.org >>>

...

> > > http://lists.ovirt.org/_______ _mailman/listinfo/users > > > < http://lists.ovirt.org/______ mailman/listinfo/users

...

> > < http://lists.ovirt.org/______ mailman/listinfo/users > > > < http://lists.ovirt.org/____ mailman/listinfo/users >

...

> > < http://lists.ovirt.org/______ mailman/listinfo/users > > > < http://lists.ovirt.org/____ mailman/listinfo/users

...

> > > < http://lists.ovirt.org/____ mailman/listinfo/users > > > < http://lists.ovirt.org/__ mailman/listinfo/users >>

...

> > < http://lists.ovirt.org/______ mailman/listinfo/users > > > < http://lists.ovirt.org/____ mailman/listinfo/users

...

> > > < http://lists.ovirt.org/____ mailman/listinfo/users > > > < http://lists.ovirt.org/__ mailman/listinfo/users >

...

> > < http://lists.ovirt.org/____ mailman/listinfo/users > > > < http://lists.ovirt.org/__ mailman/listinfo/users

...

> > > < http://lists.ovirt.org/__ mailman/listinfo/users > > > < http://lists.ovirt.org/ mailman/listinfo/users >>>

...

> > ______________________________ _________________________ >

...

> > Users mailing list > > > Users(a)ovirt.org <mailto: Users(a)ovirt.org

...

> > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >

...

> > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org

...

> > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>

...

> > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org

...

> > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >

...

> > > <mailto: Users(a)ovirt.org > > > <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org > > > <mailto: Users(a)ovirt.org >>>

...

> > > http://lists.ovirt.org/_______ _mailman/listinfo/users > > > < http://lists.ovirt.org/______ mailman/listinfo/users

...

> > < http://lists.ovirt.org/______ mailman/listinfo/users > > > < http://lists.ovirt.org/____ mailman/listinfo/users >

...

> > < http://lists.ovirt.org/______ mailman/listinfo/users > > > < http://lists.ovirt.org/____ mailman/listinfo/users

...

> > > < http://lists.ovirt.org/____ mailman/listinfo/users > > > < http://lists.ovirt.org/__ mailman/listinfo/users >>

...

> > < http://lists.ovirt.org/______ mailman/listinfo/users > > > < http://lists.ovirt.org/____ mailman/listinfo/users

...

> > > < http://lists.ovirt.org/____ mailman/listinfo/users > > > < http://lists.ovirt.org/__ mailman/listinfo/users >

...

> > < http://lists.ovirt.org/____ mailman/listinfo/users > > > < http://lists.ovirt.org/__ mailman/listinfo/users

...

> > > < http://lists.ovirt.org/__ mailman/listinfo/users > > > < http://lists.ovirt.org/ mailman/listinfo/users >>>

...

> > Hi, >

...

> > This is the command I used (the same error > > > is with > > > -interactive > > > parameter): >

...

> > engine-manage-domains -action=add > > > -domain= example.com < http://example.com

...

> > > < http://example.com

...

> > > < http://example.com

...

> > > < http://example.com > -provider=ActiveDirectory > > > -user=user.name@a_domain >

...

> > -passwordFile=/tmp/pass >

...

> > [root@localhost ~]# cat /tmp/pass > > > qwerty[root@localhost ~]# >

...

> > This is the log: >

...

> > 2012-11-20 00:30:40,443 INFO >

...

> > [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] >

...

> > Creating >

...

> > kerberos > > > configuration for domain(s): example.com > > > < http://example.com

...

> > > < http://example.com > < http://example.com

...

> > > < http://example.com

...

> > 2012-11-20 00:30:40,525 INFO >

...

> > [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] >

...

> > Successfully >

...

> > created kerberos configuration for domain(s): > > > example.com < http://example.com > < http://example.com

...

> > > < http://example.com

...

> > > < http://example.com

...

> > 2012-11-20 00:30:40,526 INFO >

...

> > [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] >

...

> > Testing >

...

> > kerberos > > > configuration for domain: example.com > > > < http://example.com

...

> > > < http://example.com > < http://example.com

...

> > > < http://example.com

...

> > 2012-11-20 00:30:40,830 ERROR >

...

> > [org.ovirt.engine.core.utils._ _____kerberos.__ > > KerberosConfigCheck] >

...

> > Error: >

...

> > exception message: Cannot locate KDC > > > 2012-11-20 00:30:40,851 ERROR >

...

> > [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] >

...

> > Failure >

...

> > while >

...

> > testing domain example.com > > > < http://example.com > < http://example.com

...

> > > < http://example.com

...

> > > < http://example.com >. Details: Kerberos >

...

> > error. Please check log for further details. >

...

> > Hi, the error indicates you don't have > > > kerberos configured. > > > manage-domains validates by default using > > > GSSAPI/Kerberos (if I > > > understand correctly, this is equivalent to > > > run ldapsearch > > > with -Y > > > gssapi option). > > > I wonder if -x (simple authentication) will > > > work for you as > > > well (as > > > manage-domains contains code for simple > > > authentication as > > > well). >

...

> > This is the ldapsearch command that works > > > (it retrieves > > > users) > > > from the > > > same machine: >

...

> > ldapsearch -H ldap:// example.com > > > < http://example.com > < http://example.com

...

> > > < http://example.com

...

> > > < http://example.com > -b >

...

> > dc=example,dc=com -D user.name@a_domain -w > > > qwerty >

...

> > Best regards, > > > Cristian Falcas >

...

> > ______________________________ _______________________ > > > Users mailing list > > > Users(a)ovirt.org <mailto: Users(a)ovirt.org

...

> > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >

...

> > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org

...

> > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>

...

> > > http://lists.ovirt.org/______ mailman/listinfo/users > > > < http://lists.ovirt.org/____ mailman/listinfo/users

...

> > > < http://lists.ovirt.org/____ mailman/listinfo/users > > > < http://lists.ovirt.org/__ mailman/listinfo/users >

...

> > < http://lists.ovirt.org/____ mailman/listinfo/users > > > < http://lists.ovirt.org/__ mailman/listinfo/users

...

> > > < http://lists.ovirt.org/__ mailman/listinfo/users > > > < http://lists.ovirt.org/ mailman/listinfo/users >>

...

> > Hi, >

...

> > I used "-x" for ldapsearch and the result is the > > > same: list > > > retrieved. > > > Is there any equivalent for engine-manage-domains? >

...

> > Cristian >

...

> > Hi Christian, there is no code allowing to add > > > simple-authentication > > > domains to Manage-Domains. > > > In the past we did have the ability to do that, but > > > there are > > > several problematic issues. > > > What ldap server are you working against? Maybe I > > > missed that >

...

> > Hi, >

...

> > The server is a Microfost AD 2003. >

...

> > Best regards, > > > Cristian Falcas >

...

> > this should work, is the AD also the DNS server for the ovirt > > > engine machine? >

...

> > yes >

...

Could you take a look at the tcp dump? There are only 2 messages relevant to this (let me know if you want the full dump):

...

- 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV _kerberos._ tcp.EXAMPLE.COM - 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 100 88 site3.example.com

...

Also, I tries to run ldapsearch with -Y gssapi: ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: No worthy mechs found

...

Best regards, Cristian Falcas

The SRV records look fine. If I remember correctly, your DNS should have a reverse-resolve PTR record to your engine machine. Does it exists? ------=_Part_35338608_979479843.1353467130356 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable <html><head><style type=3D'text/css'>p { margin: 0; }</style></head><body><= div style=3D'font-family: times new roman,new york,times,serif; font-size: = 12pt; color: #000000'><br><br><hr id=3D"zwchr"><blockquote style=3D"border-= left:2px solid rgb(16, 16, 255);margin-left:5px;padding-left:5px;color:#000= ;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helv= etica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Cristian Falcas" <= cristi.falcas(a)gmail.com&gt;<br><b>To: </b>"Itamar Heim" &lt;iheim(a)redhat.co= m><br><b>Cc: </b>"Yair Zaslavsky" &lt;yzaslavs(a)redhat.com&gt;, users@ovi= rt.org<br><b>Sent: </b>Tuesday, November 20, 2012 7:33:39 PM<br><b>Subject:= </b>Re: [Users] I don't know how to add AD users<br><br><br><div class=3D"= gmail_extra"><br><br><div class=3D"gmail_quote">On Tue, Nov 20, 2012 at 3:0= 8 PM, Itamar Heim <span dir=3D"ltr"><<a href=3D"mailto:iheim@redhat.com"= target=3D"_blank">iheim(a)redhat.com</a>&gt;</span> wrote:<br><blockquote cl= ass=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid= rgb(204,204,204);padding-left:1ex"

...

<div class=3D"im">On 11/20/2012 03:00 PM, Cristian Falcas wrote:<br

...

<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-= left:1px solid rgb(204,204,204);padding-left:1ex"

...

Hi,<br

...

<br

...

So there is no way to use the domain I have at work, right?<br

...

<br

...

I will need to make a freeipa installation in order to add new users.<br

...

</blockquote

...

<br></div

...

there is no reason this shouldn't work with active directory 2003 (assuming= its forest level isn't still in AD 2000 compatibility mode?).<br

...

tcpdump for the traffic during engine-manage-domains should help diagnosing= why.<br

...

<br

...

<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-= left:1px solid rgb(204,204,204);padding-left:1ex"><div class=3D"im"

<br

Cristian<br

<br

<br

On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas<br></div><div class=3D"im= "

...

<<a href=3D"mailto:cristi.falcas@gmail.com" target=3D"_blank">cristi.fal= cas(a)gmail.com</a> <mailto:<a href=3D"mailto:cristi.falcas@gmail.com" tar= get=3D"_blank">cristi.falcas(a)gmail.<u></u>com</a>&gt;&gt; wrote:<br

<br

<br

<br

<br

    On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <<a href=3D"m= ailto:iheim@redhat.com" target=3D"_blank">iheim(a)redhat.com</a><br></div><di= v class=3D"im"

...

    <mailto:<a href=3D"mailto:iheim@redhat.com" target=3D"_bla= nk">iheim(a)redhat.com</a>&gt;&gt; wrote:<br

...

<br

...

        On 11/20/2012 09:56 AM, Cristian Falcas wrote:<= br

<br

<br

<br

<br

            On Tue, Nov 20, 2012 at 9:42 AM, = Yair Zaslavsky<br

...

            <<a href=3D"mailto:yzaslavs@re= dhat.com" target=3D"_blank">yzaslavs(a)redhat.com</a> <mailto:<a href=3D"m= ailto:yzaslavs@redhat.com" target=3D"_blank">yzaslavs(a)redhat.com</a>&gt;<br=

...

</div><div><div class=3D"h5">

            <mailto:<a href=3D"mailto:yzas= lavs(a)redhat.com" target=3D"_blank">yzaslavs(a)redhat.com</a> <mailto:<a hr= ef=3D"mailto:yzaslavs@redhat.com" target=3D"_blank">yzaslavs(a)redhat.com</a>= >>><br

...

            wrote:<br

<br

<br

<br

                 On 11/20/2012= 09:05 AM, Cristian Falcas wrote:<br

<br

<br

<br

<br

                    &nbsp= ;On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky<br

...

                    &nbsp= ;<<a href=3D"mailto:yzaslavs@redhat.com" target=3D"_blank">yzaslavs@redh= at.com</a> <mailto:<a href=3D"mailto:yzaslavs@redhat.com" target=3D"_bla= nk">yzaslavs(a)redhat.com</a>&gt;<br

...

            <mailto:<a href=3D"mailto:yzas= lavs(a)redhat.com" target=3D"_blank">yzaslavs(a)redhat.com</a> <mailto:<a hr= ef=3D"mailto:yzaslavs@redhat.com" target=3D"_blank">yzaslavs(a)redhat.com</a>= >><br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:yzaslavs@redhat.com" target=3D"_blank">yzasla= vs(a)redhat.com</a><br

...

            <mailto:<a href=3D"mailto:yzas= lavs(a)redhat.com" target=3D"_blank">yzaslavs(a)redhat.com</a>&gt; <mailto:<= a href=3D"mailto:yzaslavs@redhat.com" target=3D"_blank">yzaslavs(a)redhat.com= </a><br

...

            <mailto:<a href=3D"mailto:yzas= lavs(a)redhat.com" target=3D"_blank">yzaslavs(a)redhat.com</a>&gt;&gt;&gt;<u></= u>> wrote:<br

<br

<br

<br

                    &nbsp= ;     On 11/20/2012 12:39 AM, Cristian Falcas wrote:<br

<br

<br

<br

                    &nbsp= ;         On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim= <br

...

                    &nbsp= ;<<a href=3D"mailto:iheim@redhat.com" target=3D"_blank">iheim(a)redhat.com= </a> <mailto:<a href=3D"mailto:iheim@redhat.com" target=3D"_blank">iheim= @redhat.com</a>><br

...

            <mailto:<a href=3D"mailto:ihei= m(a)redhat.com" target=3D"_blank">iheim(a)redhat.com</a> <mailto:<a href=3D"= mailto:iheim@redhat.com" target=3D"_blank">iheim(a)redhat.com</a>&gt;&gt;<br

...

                    &nbsp= ;         <mailto:<a href=3D"mailto:iheim@redhat.com= " target=3D"_blank">iheim(a)redhat.com</a><br

...

            <mailto:<a href=3D"mailto:ihei= m(a)redhat.com" target=3D"_blank">iheim(a)redhat.com</a>&gt; <mailto:<a href= =3D"mailto:iheim@redhat.com" target=3D"_blank">iheim(a)redhat.com</a><br

...

            <mailto:<a href=3D"mailto:ihei= m(a)redhat.com" target=3D"_blank">iheim(a)redhat.com</a>&gt;&gt;&gt;<br

...

                    &nbsp= ;         <mailto:<a href=3D"mailto:iheim@redhat.com= " target=3D"_blank">iheim(a)redhat.com</a><br

...

            <mailto:<a href=3D"mailto:ihei= m(a)redhat.com" target=3D"_blank">iheim(a)redhat.com</a>&gt; <mailto:<a href= =3D"mailto:iheim@redhat.com" target=3D"_blank">iheim(a)redhat.com</a><br

...

            <mailto:<a href=3D"mailto:ihei= m(a)redhat.com" target=3D"_blank">iheim(a)redhat.com</a>&gt;&gt;<br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:iheim@redhat.com" target=3D"_blank">iheim@red= hat.com</a> <mailto:<a href=3D"mailto:iheim@redhat.com" target=3D"_blank= ">iheim(a)redhat.com</a>&gt;<br

...

            <mailto:<a href=3D"mailto:ihei= m(a)redhat.com" target=3D"_blank">iheim(a)redhat.com</a> <mailto:<a href=3D"= mailto:iheim@redhat.com" target=3D"_blank">iheim(a)redhat.com</a>&gt;&gt;&gt;= >> wrote:<br

...

<br

...

                    &nbsp= ;              On 11/19/2012 11:29 AM, V= inzenz<br

...

            Feenstra wrote:<br

...

<br

...

                    &nbsp= ;                  On 11/19/20= 12 10:01 AM, Cristian<br

...

            Falcas wrote:<br

...

<br

...

                    &nbsp= ;                     &nb= sp;Hi,<br

...

<br

...

                    &nbsp= ;                     &nb= sp;I'm trying to add some users<br

...

            to ovirt<br

...

                    &nbsp= ;using an AD.<br

...

<br

...

                    &nbsp= ;                     &nb= sp;This is the configuration I<br

...

            used for a<br

...

                    &nbsp= ;mediawiki<br

...

                    &nbsp= ;         site, which is<br

...

                    &nbsp= ;                     &nb= sp;working correctly:<br

...

                    &nbsp= ;                     &nb= sp;$wgAuth =3D new<br

...

            LdapAuthenticationPlugin();<br

...

                    &nbsp= ;                     &nb= sp;$wgLDAPUseLocal =3D true;<br

...

                    &nbsp= ;                     &nb= sp;$wgLDAPDomainNames =3D array(<br

...

            "a_domain");<br

...

                    &nbsp= ;                     &nb= sp;$wgLDAPServerNames =3D array(<br

...

                    &nbsp= ;         "a_domain"=3D>"<a href=3D"http://site.exam= ple.com" target=3D"_blank">site.example.com</a><br

...

            <<a href=3D"http://site.exampl= e.com" target=3D"_blank">http://site.example.com</a>> <<a href=3D"htt= p://site.example.com" target=3D"_blank">http://site.example.com</a>><br

...

                    &nbsp= ;<<a href=3D"http://site.example.com" target=3D"_blank">http://site.exam= ple.com</a>><br

...

                    &nbsp= ;                     &nb= sp;<<a href=3D"http://site.example.com" target=3D"_blank">http://site.ex= ample.com</a>><br

...

                    &nbsp= ;                     &nb= sp;<<a href=3D"http://site.example.com" target=3D"_blank">http://site.ex= ample.com</a>>");<br

...

<br

...

                    &nbsp= ;                     &nb= sp;$wgLDAPEncryptionType =3D array(<br

...

                    &nbsp= ;"a_domain"=3D>"clear");<br

...

                    &nbsp= ;                     &nb= sp;$wgLDAPSearchStrings =3D array(<br

...

<br></div></div

...

            "a_domain"=3D>"rom_domain\\USE= R-<u></u>________NAME");<br

...

                    &nbsp= ;                     &nb= sp;$wgLDAPBaseDNs =3D array(<br

...

                    &nbsp= ;         "a_domain"=3D>"dc=3Dcompany,dc=3D___<u></u=

...

_____com");<div><div class=3D"h5"><br>

<br

<br

<br

<br

                    &nbsp= ;                     &nb= sp;Those are the commands I<br

...

            tried using:<br

...

                    &nbsp= ;                     &nb= sp;engine-manage-domains -action=3Dadd<br

...

                    &nbsp= ;         -domain=3D<a href=3D"http://site.example.com"= target=3D"_blank">site.example.com</a><br

...

            <<a href=3D"http://site.exampl= e.com" target=3D"_blank">http://site.example.com</a>> <<a href=3D"htt= p://site.example.com" target=3D"_blank">http://site.example.com</a>><br

...

                    &nbsp= ;<<a href=3D"http://site.example.com" target=3D"_blank">http://site.exam= ple.com</a>><br

...

                    &nbsp= ;                     &nb= sp;<<a href=3D"http://site.example.com" target=3D"_blank">http://site.ex= ample.com</a>><br

...

                    &nbsp= ;                     &nb= sp;<<a href=3D"http://site.example.com" target=3D"_blank">http://site.ex= ample.com</a>><br

...

                    &nbsp= ;-provider=3DActiveDirectory<br

...

                    &nbsp= ;                     &nb= sp;-user=3D<a href=3D"http://user.name" target=3D"_blank">user.name</a><br

...

            <<a href=3D"http://user.name" = target=3D"_blank">http://user.name</a>> <<a href=3D"http://user.name"= target=3D"_blank">http://user.name</a>><br

...

                    &nbsp= ;<<a href=3D"http://user.name" target=3D"_blank">http://user.name</a>&gt= ; <<a href=3D"http://user.name" target=3D"_blank">http://user.name</a>&g= t;<br

...

                    &nbsp= ;                     &nb= sp;<<a href=3D"http://user.name" target=3D"_blank">http://user.name</a>&= gt; -interactive<br

...

<br

...

<br

...

                    &nbsp= ;                     &nb= sp;engine-manage-domains -action=3Dadd<br

...

                    &nbsp= ;-domain=3Da_domain<br

...

                    &nbsp= ;                     &nb= sp;-provider=3DActiveDirectory<br

...

                    &nbsp= ;         -user=3D<a href=3D"mailto:user.name@company.c= om" target=3D"_blank">user.name(a)company.com</a><br

...

            <mailto:<a href=3D"mailto:user= .name(a)company.com" target=3D"_blank">user.name(a)company.com</a>&gt;<br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">user= .name(a)company.com</a><br

...

            <mailto:<a href=3D"mailto:user= .name(a)company.com" target=3D"_blank">user.name(a)company.com</a>&gt;<u></u>&g= t;<br

...

            <mailto:<a href=3D"mailto:user= .name(a)company.com" target=3D"_blank">user.name(a)company.com</a> <mailto:<= a href=3D"mailto:user.name@company.com" target=3D"_blank">user.name@company= .com</a>><br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">user= .name(a)company.com</a><br

...

            <mailto:<a href=3D"mailto:user= .name(a)company.com" target=3D"_blank">user.name(a)company.com</a>&gt;<u></u>&g= t;__><br

...

                    &nbsp= ;                     &nb= sp;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">us= er.name(a)company.com</a><br

...

            <mailto:<a href=3D"mailto:user= .name(a)company.com" target=3D"_blank">user.name(a)company.com</a>&gt;<br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">user= .name(a)company.com</a><br

...

            <mailto:<a href=3D"mailto:user= .name(a)company.com" target=3D"_blank">user.name(a)company.com</a>&gt;<u></u>&g= t;<br

...

                    &nbsp= ;         <mailto:<a href=3D"mailto:user.name@compan= y.com" target=3D"_blank">user.name(a)company.com</a><br

...

            <mailto:<a href=3D"mailto:user= .name(a)company.com" target=3D"_blank">user.name(a)company.com</a>&gt;<br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">user= .name(a)company.com</a><br

...

            <mailto:<a href=3D"mailto:user= .name(a)company.com" target=3D"_blank">user.name(a)company.com</a>&gt;<u></u>&g= t;__>__><br

...

                    &nbsp= ;                     &nb= sp;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">us= er.name(a)company.com</a><br

...

            <mailto:<a href=3D"mailto:user= .name(a)company.com" target=3D"_blank">user.name(a)company.com</a>&gt;<br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">user= .name(a)company.com</a><br

...

            <mailto:<a href=3D"mailto:user= .name(a)company.com" target=3D"_blank">user.name(a)company.com</a>&gt;<u></u>&g= t;<br

...

                    &nbsp= ;         <mailto:<a href=3D"mailto:user.name@compan= y.com" target=3D"_blank">user.name(a)company.com</a><br

...

            <mailto:<a href=3D"mailto:user= .name(a)company.com" target=3D"_blank">user.name(a)company.com</a>&gt;<br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">user= .name(a)company.com</a><br

...

            <mailto:<a href=3D"mailto:user= .name(a)company.com" target=3D"_blank">user.name(a)company.com</a>&gt;<u></u>&g= t;__><br

...

<br

...

                    &nbsp= ;                     &nb= sp;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">us= er.name(a)company.com</a><br

...

            <mailto:<a href=3D"mailto:user= .name(a)company.com" target=3D"_blank">user.name(a)company.com</a>&gt;<br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">user= .name(a)company.com</a><br

...

            <mailto:<a href=3D"mailto:user= .name(a)company.com" target=3D"_blank">user.name(a)company.com</a>&gt;<u></u>&g= t;<br

...

                    &nbsp= ;         <mailto:<a href=3D"mailto:user.name@compan= y.com" target=3D"_blank">user.name(a)company.com</a><br

...

            <mailto:<a href=3D"mailto:user= .name(a)company.com" target=3D"_blank">user.name(a)company.com</a>&gt;<br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">user= .name(a)company.com</a><br></div></div

...

            <mailto:<a href=3D"mailto:user= .name(a)company.com" target=3D"_blank">user.name(a)company.com</a>&gt;<u></u>&g= t;__>__>__> -interactive<br

...

<br

...

<br

...

                    &nbsp= ;                     &nb= sp;engine-manage-domains -action=3Dadd<br

...

                    &nbsp= ;-domain=3Da_domain<br

...

                    &nbsp= ;                     &nb= sp;-provider=3DActiveDirectory<br

...

                    &nbsp= ;         -user=3Duser.name(a)site.example._<u></u>______= _com<div class=3D"im"><br

...

<br

...

                    &nbsp= ;                     &nb= sp;<mailto:<a href=3D"mailto:user.name@site" target=3D"_blank">user.name= @site</a><br

...

            <mailto:<a href=3D"mailto:user= .name@site" target=3D"_blank">user.name(a)site</a>&gt;.<br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:user.name@site" target=3D"_blank">user.name@s= ite</a><br

...

            <mailto:<a href=3D"mailto:user= .name@site" target=3D"_blank">user.name(a)site</a>&gt;.&gt;__<a href=3D"http:= //exam__p__le.com" target=3D"_blank">exa<u></u>m__p__le.com</a><br

...

            <<a href=3D"http://examp__le.c= om" target=3D"_blank">http://examp__le.com</a>> <<a href=3D"http://ex= ample.com" target=3D"_blank">http://example.com</a>><br

...

                    &nbsp= ;         <mailto:<a href=3D"mailto:user.name@site" = target=3D"_blank">user.name(a)site</a>.<br

...

            <mailto:<a href=3D"mailto:user= .name@site" target=3D"_blank">user.name(a)site</a>.&gt;__<a href=3D"http://ex= amp__le.com" target=3D"_blank">exam<u></u>p__le.com</a> <<a href=3D"http= ://example.com" target=3D"_blank">http://example.com</a>><br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:user.name@site." target=3D"_blank">user.name@= site.</a>__<a href=3D"http://example.com" target=3D"_blank">examp<u></u>le.= com</a><br

...

            <mailto:<a href=3D"mailto:user= .name(a)site.example.com" target=3D"_blank">user.name(a)site.<u></u>example.com= </a>>>>><br></div

...

                    &nbsp= ;                     &nb= sp;<mailto:<a href=3D"mailto:user.name@site" target=3D"_blank">user.name= @site</a><br

...

            <mailto:<a href=3D"mailto:user= .name@site" target=3D"_blank">user.name@site</a>><div class=3D"im"><br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:user.name@site" target=3D"_blank">user.name@s= ite</a> <mailto:<a href=3D"mailto:user.name@site" target=3D"_blank">user= .name(a)site</a>&gt;&gt;.<br

...

                    &nbsp= ;         <mailto:<a href=3D"mailto:user.name@site" = target=3D"_blank">user.name@site</a> <mailto:<a href=3D"mailto:user.name= @site" target=3D"_blank">user.name@site</a>><br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:user.name@site" target=3D"_blank">user.name@s= ite</a><br></div

...

            <mailto:<a href=3D"mailto:user= .name@site" target=3D"_blank">user.name(a)site</a>&gt;&gt;.&gt;__<a href=3D"h= ttp://exa__m__p__le.com" target=3D"_blank">ex<u></u>a__m__p__le.com</a><br

...

            <<a href=3D"http://exam__p__le= .com" target=3D"_blank">http://exam__p__le.com</a>><div><div class=3D"h5= "><br

...

                    &nbsp= ;<<a href=3D"http://examp__le.com" target=3D"_blank">http://examp__le.co= m</a>> <<a href=3D"http://example.com" target=3D"_blank">http://examp= le.com</a>><br

<br

<br

<br

                    &nbsp= ;                     &nb= sp;<mailto:<a href=3D"mailto:user.name@site" target=3D"_blank">user.name= @site</a><br

...

            <mailto:<a href=3D"mailto:user= .name@site" target=3D"_blank">user.name(a)site</a>&gt;.<br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:user.name@site" target=3D"_blank">user.name@s= ite</a><br

...

            <mailto:<a href=3D"mailto:user= .name@site" target=3D"_blank">user.name(a)site</a>&gt;.&gt;__<a href=3D"http:= //exam__p__le.com" target=3D"_blank">exa<u></u>m__p__le.com</a><br

...

            <<a href=3D"http://examp__le.c= om" target=3D"_blank">http://examp__le.com</a>> <<a href=3D"http://ex= ample.com" target=3D"_blank">http://example.com</a>><br

...

                    &nbsp= ;         <mailto:<a href=3D"mailto:user.name@site" = target=3D"_blank">user.name(a)site</a>.<br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:user.name@site." target=3D"_blank">user.name@= site.</a>__<a href=3D"http://example.com" target=3D"_blank">examp<u></u>le.= com</a><br

...

            <mailto:<a href=3D"mailto:user= .name(a)site.example.com" target=3D"_blank">user.name(a)site.<u></u>example.com= </a>>>>>> -interactive<br

...

<br

...

<br

...

                    &nbsp= ;                  You don't a= dd an user this way.<br

...

            You add the<br

...

                    &nbsp= ;domain. You<br

...

                    &nbsp= ;         have to<br

...

                    &nbsp= ;                  pass the<br=

...

                    &nbsp= ;                  domain admi= n user and the domain<br

...

            admin password.<br

...

<br

...

<br

...

                    &nbsp= ;              any domain user will do, = doesn't have<br

...

            to be an admin.<br

...

                    &nbsp= ;              what does the log say?<br=

...

<br

...

<br

...

                    &nbsp= ;                  Then you ca= n use the domain<br

...

            within the engine.<br

...

                    &nbsp= ;e.g. search<br

...

                    &nbsp= ;                  users, add<= br

...

                    &nbsp= ;                  access righ= ts for vms etc.<br

...

                    &nbsp= ;                  Even login = to the engine and<br

...

            assigning rights<br

...

                    &nbsp= ;within<br

...

                    &nbsp= ;         the engine<br

...

                    &nbsp= ;                  you can<br

...

                    &nbsp= ;                  handle from= the engine itself.<br

...

<br

...

                    &nbsp= ;                  Regards,<br=

...

<br

...

                    &nbsp= ;                     &nb= sp;And the output on all tries:<br

...

                    &nbsp= ;                     &nb= sp;Enter password:<br

...

<br

...

                    &nbsp= ;                     &nb= sp;Error: Authentication Failed.<br

...

            Please<br

...

                    &nbsp= ;verify the fully<br

...

                    &nbsp= ;                     &nb= sp;qualified domain<br

...

                    &nbsp= ;                     &nb= sp;name that is used for<br

...

            authentication is<br

...

                    &nbsp= ;correct..<br

...

                    &nbsp= ;                     &nb= sp;Problematic domain<br

...

                    &nbsp= ;                     &nb= sp;is: domain_used_in_command<br

...

                    &nbsp= ;                     &nb= sp;Failure while applying Kerberos<br

...

                    &nbsp= ;configuration. Details:<br

...

                    &nbsp= ;                     &nb= sp;Authentication<br

...

                    &nbsp= ;                     &nb= sp;Failed. Please verify the<br

...

            fully qualified<br

...

                    &nbsp= ;domain<br

...

                    &nbsp= ;         name that<br

...

                    &nbsp= ;                     &nb= sp;is used for<br

...

                    &nbsp= ;                     &nb= sp;authentication is correct.<br

...

<br

...

                    &nbsp= ;                     &nb= sp;Can someone help me with the<br

...

            correct<br

...

                    &nbsp= ;parameters?<br

...

<br

...

<br

...

                    &nbsp= ;                     &nb= sp;Best regards,<br

...

                    &nbsp= ;                     &nb= sp;Cristian Falcas<br

<br

<br

<br

<br></div></div

            ______________________________<u>= </u>_________________________<div class=3D"im"><br

...

<br

...

                    &nbsp= ;                     &nb= sp;Users mailing list<br

...

            <a href=3D"mailto:Users@ovirt.org= " target=3D"_blank">Users(a)ovirt.org</a> <mailto:<a href=3D"mailto:Users@= ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt;<br

...

            <mailto:<a href=3D"mailto:User= s(a)ovirt.org" target=3D"_blank">Users(a)ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt;&gt;<br

...

            <mailto:<a href=3D"mailto:User= s(a)ovirt.org" target=3D"_blank">Users(a)ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt;<br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">Users@ovir= t.org</a> <mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">U= sers(a)ovirt.org</a>&gt;&gt;&gt;<br

...

            <mailto:<a href=3D"mailto:User= s(a)ovirt.org" target=3D"_blank">Users(a)ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt;<br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">Users@ovir= t.org</a> <mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">U= sers(a)ovirt.org</a>&gt;&gt;<br

...

                    &nbsp= ;         <mailto:<a href=3D"mailto:Users@ovirt.org"= target=3D"_blank">Users(a)ovirt.org</a><br

...

            <mailto:<a href=3D"mailto:User= s(a)ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt; <mailto:<a href= =3D"mailto:Users@ovirt.org" target=3D"_blank">Users(a)ovirt.org</a><br></div

...

            <mailto:<a href=3D"mailto:User= s(a)ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt;&gt;&gt;&gt;<br

...

            <a href=3D"http://lists.ovirt.org= /________mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ______<u></u>_mailman/listinfo/users</a><br

...

            <<a href=3D"http://lists.ovirt= .org/______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org= /______<u></u>mailman/listinfo/users</a>><div><div class=3D"h5"><br

...

<br

...

            <<a href=3D"http://lists.ovirt= .org/______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org= /______<u></u>mailman/listinfo/users</a><br

...

            <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>>><br

...

<br

...

<br

...

              <<a href=3D"http://list= s.ovirt.org/______mailman/listinfo/users" target=3D"_blank">http://lists.ov= irt.org/______<u></u>mailman/listinfo/users</a><br

...

            <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>><br

...

                    &nbsp= ;<<a href=3D"http://lists.ovirt.org/____mailman/listinfo/users" target= =3D"_blank">http://lists.ovirt.org/____<u></u>mailman/listinfo/users</a><br=

...

            <<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>>>><br

<br

<br

<br

<br

            <<a href=3D"http://lists.ovirt= .org/______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org= /______<u></u>mailman/listinfo/users</a><br

...

            <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>><br

...

                    &nbsp= ;<<a href=3D"http://lists.ovirt.org/____mailman/listinfo/users" target= =3D"_blank">http://lists.ovirt.org/____<u></u>mailman/listinfo/users</a><br=

...

            <<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>>><br

...

<br

...

              <<a href=3D"http://list= s.ovirt.org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovir= t.org/____<u></u>mailman/listinfo/users</a><br

...

            <<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>><br

...

                    &nbsp= ;<<a href=3D"http://lists.ovirt.org/__mailman/listinfo/users" target=3D"= _blank">http://lists.ovirt.org/__<u></u>mailman/listi...

...

            <<a href=3D"http://lists.ovirt= .org/mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/<u></= u>mailman/listinfo/users</a>>>>><br

<br

<br

<br

                    &nbsp= ;                  --<br

...

                    &nbsp= ;                  Regards,<br=

...

<br

...

                    &nbsp= ;                  Vinzenz Fee= nstra | Senior<br

...

            Software Engineer<br

...

                    &nbsp= ;                  RedHat Engi= neering Virtualization<br

...

            R & D<br

...

                    &nbsp= ;                  Phone: <a h= ref=3D"tel:%2B420%20532%20294%20625" target=3D"_blank">+420 532 294 625</a>= <br

...

            <tel:%2B420%20532%20294%20625&= gt;<br

...

                    &nbsp= ;<tel:%2B420%20532%20294%20625><br

...

            <tel:%2B420%20532%20294%20625&= gt;<br

...

                    &nbsp= ;         <tel:%2B420%20532%20294%20625><br

...

<br

...

                    &nbsp= ;                  IRC: vfeens= tr or evilissimo<br

...

<br

...

                    &nbsp= ;                  Better tech= nology. Faster<br

...

            innovation. Powered<br

...

                    &nbsp= ;by community<br

...

                    &nbsp= ;                  collaborati= on.<br

...

                    &nbsp= ;                  See how it = works at <a href=3D"http://redhat.com" target=3D"_blank">redhat.com</a><br

...

            <<a href=3D"http://redhat.com"= target=3D"_blank">http://redhat.com</a>><br

...

                    &nbsp= ;<<a href=3D"http://redhat.com" target=3D"_blank">http://redhat.com</a>&= gt; <<a href=3D"http://redhat.com" target=3D"_blank">http://redhat.com</= a>><br></div></div

...

                    &nbsp= ;         <<a href=3D"http://redhat.com" target=3D"_= blank">http://redhat.com</a>><br

<br

<br

<br

<br

<br

            ______________________________<u>= </u>_________________________<div class=3D"im"><br

...

<br

...

                    &nbsp= ;                  Users maili= ng list<br

...

            <a href=3D"mailto:Users@ovirt.org= " target=3D"_blank">Users(a)ovirt.org</a> <mailto:<a href=3D"mailto:Users@= ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt;<br

...

            <mailto:<a href=3D"mailto:User= s(a)ovirt.org" target=3D"_blank">Users(a)ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt;&gt;<br

...

            <mailto:<a href=3D"mailto:User= s(a)ovirt.org" target=3D"_blank">Users(a)ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt;<br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">Users@ovir= t.org</a> <mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">U= sers(a)ovirt.org</a>&gt;&gt;&gt;<br

...

            <mailto:<a href=3D"mailto:User= s(a)ovirt.org" target=3D"_blank">Users(a)ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt;<br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">Users@ovir= t.org</a> <mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">U= sers(a)ovirt.org</a>&gt;&gt;<br

...

                    &nbsp= ;         <mailto:<a href=3D"mailto:Users@ovirt.org"= target=3D"_blank">Users(a)ovirt.org</a><br

...

            <mailto:<a href=3D"mailto:User= s(a)ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt; <mailto:<a href= =3D"mailto:Users@ovirt.org" target=3D"_blank">Users(a)ovirt.org</a><br></div

...

            <mailto:<a href=3D"mailto:User= s(a)ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt;&gt;&gt;&gt;<br

...

            <a href=3D"http://lists.ovirt.org= /________mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ______<u></u>_mailman/listinfo/users</a><br

...

            <<a href=3D"http://lists.ovirt= .org/______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org= /______<u></u>mailman/listinfo/users</a>><div class=3D"im"><br

...

<br

...

            <<a href=3D"http://lists.ovirt= .org/______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org= /______<u></u>mailman/listinfo/users</a><br

...

            <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>>><br

...

<br

...

<br

...

              <<a href=3D"http://list= s.ovirt.org/______mailman/listinfo/users" target=3D"_blank">http://lists.ov= irt.org/______<u></u>mailman/listinfo/users</a><br

...

            <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>><br

...

                    &nbsp= ;<<a href=3D"http://lists.ovirt.org/____mailman/listinfo/users" target= =3D"_blank">http://lists.ovirt.org/____<u></u>mailman/listinfo/users</a><br=

...

            <<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>>>><br

...

<br

...

<br

...

            <<a href=3D"http://lists.ovirt= .org/______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org= /______<u></u>mailman/listinfo/users</a><br

...

            <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>><br

...

                    &nbsp= ;<<a href=3D"http://lists.ovirt.org/____mailman/listinfo/users" target= =3D"_blank">http://lists.ovirt.org/____<u></u>mailman/listinfo/users</a><br=

...

            <<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>>><br

...

<br

...

              <<a href=3D"http://list= s.ovirt.org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovir= t.org/____<u></u>mailman/listinfo/users</a><br

...

            <<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>><br

...

                    &nbsp= ;<<a href=3D"http://lists.ovirt.org/__mailman/listinfo/users" target=3D"= _blank">http://lists.ovirt.org/__<u></u>mailman/listi...

...

            <<a href=3D"http://lists.ovirt= .org/mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/<u></= u>mailman/listinfo/users</a>>>>><br

<br

<br

<br

<br></div

            ______________________________<u>= </u>_________________________<div class=3D"im"><br

...

<br

...

                    &nbsp= ;              Users mailing list<br

...

            <a href=3D"mailto:Users@ovirt.org= " target=3D"_blank">Users(a)ovirt.org</a> <mailto:<a href=3D"mailto:Users@= ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt;<br

...

            <mailto:<a href=3D"mailto:User= s(a)ovirt.org" target=3D"_blank">Users(a)ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt;&gt;<br

...

            <mailto:<a href=3D"mailto:User= s(a)ovirt.org" target=3D"_blank">Users(a)ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt;<br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">Users@ovir= t.org</a> <mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">U= sers(a)ovirt.org</a>&gt;&gt;&gt;<br

...

            <mailto:<a href=3D"mailto:User= s(a)ovirt.org" target=3D"_blank">Users(a)ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt;<br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">Users@ovir= t.org</a> <mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">U= sers(a)ovirt.org</a>&gt;&gt;<br

...

                    &nbsp= ;         <mailto:<a href=3D"mailto:Users@ovirt.org"= target=3D"_blank">Users(a)ovirt.org</a><br

...

            <mailto:<a href=3D"mailto:User= s(a)ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt; <mailto:<a href= =3D"mailto:Users@ovirt.org" target=3D"_blank">Users(a)ovirt.org</a><br></div

...

            <mailto:<a href=3D"mailto:User= s(a)ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt;&gt;&gt;&gt;<br

...

            <a href=3D"http://lists.ovirt.org= /________mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ______<u></u>_mailman/listinfo/users</a><br

...

            <<a href=3D"http://lists.ovirt= .org/______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org= /______<u></u>mailman/listinfo/users</a>><div class=3D"im"><br

...

<br

...

            <<a href=3D"http://lists.ovirt= .org/______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org= /______<u></u>mailman/listinfo/users</a><br

...

            <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>>><br

...

<br

...

              <<a href=3D"http://list= s.ovirt.org/______mailman/listinfo/users" target=3D"_blank">http://lists.ov= irt.org/______<u></u>mailman/listinfo/users</a><br

...

            <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>><br

...

                    &nbsp= ;<<a href=3D"http://lists.ovirt.org/____mailman/listinfo/users" target= =3D"_blank">http://lists.ovirt.org/____<u></u>mailman/listinfo/users</a><br=

...

            <<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>>>><br

...

<br

...

<br

...

<br></div><div class=3D"im"

...

            <<a href=3D"http://lists.ovirt= .org/______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org= /______<u></u>mailman/listinfo/users</a><br

...

            <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>><br

...

                    &nbsp= ;<<a href=3D"http://lists.ovirt.org/____mailman/listinfo/users" target= =3D"_blank">http://lists.ovirt.org/____<u></u>mailman/listinfo/users</a><br=

...

            <<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>>><br

...

<br

...

              <<a href=3D"http://list= s.ovirt.org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovir= t.org/____<u></u>mailman/listinfo/users</a><br

...

            <<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>><br

...

                    &nbsp= ;<<a href=3D"http://lists.ovirt.org/__mailman/listinfo/users" target=3D"= _blank">http://lists.ovirt.org/__<u></u>mailman/listi...

...

            <<a href=3D"http://lists.ovirt= .org/mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/<u></= u>mailman/listinfo/users</a>>>>><br

<br

<br

<br

<br

                    &nbsp= ;         Hi,<br

...

<br

...

                    &nbsp= ;         This is the command I used (the same error<br=

...

            is with<br

...

                    &nbsp= ;-interactive<br

...

                    &nbsp= ;         parameter):<br

...

<br

...

                    &nbsp= ;         engine-manage-domains -action=3Dadd<br

...

            -domain=3D<a href=3D"http://examp= le.com" target=3D"_blank">example.com</a> <<a href=3D"http://example.com= " target=3D"_blank">http://example.com</a>><br

...

                    &nbsp= ;<<a href=3D"http://example.com" target=3D"_blank">http://example.com</a= >><br

...

                    &nbsp= ;         <<a href=3D"http://example.com" target=3D"= _blank">http://example.com</a>><br

...

                    &nbsp= ;         <<a href=3D"http://example.com" target=3D"= _blank">http://example.com</a>> -provider=3DActiveDirectory<br

...

                    &nbsp= ;         -user=3Duser.name@a_domain<br

...

<br

...

                    &nbsp= ;         -passwordFile=3D/tmp/pass<br

...

<br

...

                    &nbsp= ;         [root@localhost ~]# cat /tmp/pass<br

...

                    &nbsp= ;         qwerty[root@localhost ~]#<br

...

<br

...

                    &nbsp= ;         This is the log:<br

...

<br

...

                    &nbsp= ;         2012-11-20 00:30:40,443 INFO<br

...

<br

...

<br></div

...

            [org.ovirt.engine.core.utils._<u>= </u>_____kerberos.ManageDomains]<div class=3D"im"><br

...

            Creating<br

...

<br

...

<br

...

                    &nbsp= ;         kerberos<br

...

                    &nbsp= ;         configuration for domain(s): <a href=3D"http:= //example.com" target=3D"_blank">example.com</a><br

...

            <<a href=3D"http://example.com= " target=3D"_blank">http://example.com</a>><br

...

                    &nbsp= ;<<a href=3D"http://example.com" target=3D"_blank">http://example.com</a=

...

> <<a href=3D"http://example.com" target=3D"_blank">http://example.c=

om</a>><br

...

                    &nbsp= ;         <<a href=3D"http://example.com" target=3D"= _blank">http://example.com</a>><br

...

<br

...

                    &nbsp= ;         2012-11-20 00:30:40,525 INFO<br

...

<br

...

<br></div

...

            [org.ovirt.engine.core.utils._<u>= </u>_____kerberos.ManageDomains]<div class=3D"im"><br

...

<br

...

                    &nbsp= ;Successfully<br

...

<br

...

                    &nbsp= ;         created kerberos configuration for domain(s):= <br

...

            <a href=3D"http://example.com" ta= rget=3D"_blank">example.com</a> <<a href=3D"http://example.com" target= =3D"_blank">http://example.com</a>> <<a href=3D"http://example.com" t= arget=3D"_blank">http://example.com</a>><br

...

                    &nbsp= ;         <<a href=3D"http://example.com" target=3D"= _blank">http://example.com</a>><br

...

                    &nbsp= ;         <<a href=3D"http://example.com" target=3D"= _blank">http://example.com</a>><br

...

<br

...

                    &nbsp= ;         2012-11-20 00:30:40,526 INFO<br

...

<br

...

<br></div

...

            [org.ovirt.engine.core.utils._<u>= </u>_____kerberos.ManageDomains]<div class=3D"im"><br

...

            Testing<br

...

<br

...

<br

...

                    &nbsp= ;         kerberos<br

...

                    &nbsp= ;         configuration for domain: <a href=3D"http://e= xample.com" target=3D"_blank">example.com</a><br

...

            <<a href=3D"http://example.com= " target=3D"_blank">http://example.com</a>><br

...

                    &nbsp= ;<<a href=3D"http://example.com" target=3D"_blank">http://example.com</a=

...

> <<a href=3D"http://example.com" target=3D"_blank">http://example.c=

om</a>><br

...

                    &nbsp= ;         <<a href=3D"http://example.com" target=3D"= _blank">http://example.com</a>><br

...

<br

...

                    &nbsp= ;         2012-11-20 00:30:40,830 ERROR<br

...

<br

...

<br></div

...

            [org.ovirt.engine.core.utils._<u>= </u>_____kerberos.__<u></u>KerberosConfigCheck]<div class=3D"im"><br

...

<br

...

                    &nbsp= ;Error:<br

...

<br

...

                    &nbsp= ;         exception message: Cannot locate KDC<br

...

                    &nbsp= ;         2012-11-20 00:30:40,851 ERROR<br

...

<br

...

<br></div

...

            [org.ovirt.engine.core.utils._<u>= </u>_____kerberos.ManageDomains]<div><div class=3D"h5"><br

...

            Failure<br

...

<br

...

                    &nbsp= ;while<br

...

<br

...

                    &nbsp= ;         testing domain <a href=3D"http://example.com"= target=3D"_blank">example.com</a><br

...

            <<a href=3D"http://example.com= " target=3D"_blank">http://example.com</a>> <<a href=3D"http://exampl= e.com" target=3D"_blank">http://example.com</a>><br

...

                    &nbsp= ;<<a href=3D"http://example.com" target=3D"_blank">http://example.com</a= >><br

...

                    &nbsp= ;         <<a href=3D"http://example.com" target=3D"= _blank">http://example.com</a>>. Details: Kerberos<br

...

<br

...

                    &nbsp= ;         error. Please check log for further details.<= br

...

<br

...

<br

...

                    &nbsp= ;     Hi, the error indicates you don't have<br

...

            kerberos configured.<br

...

                    &nbsp= ;     manage-domains validates by default using<br

...

            GSSAPI/Kerberos (if I<br

...

                    &nbsp= ;     understand correctly, this is equivalent to<br

...

            run ldapsearch<br

...

                    &nbsp= ;with -Y<br

...

                    &nbsp= ;     gssapi option).<br

...

                    &nbsp= ;     I wonder if -x (simple authentication) will<br

...

            work for you as<br

...

                    &nbsp= ;well (as<br

...

                    &nbsp= ;     manage-domains contains code for simple<br

...

            authentication as<br

...

                    &nbsp= ;well).<br

<br

<br

<br

                    &nbsp= ;         This is the ldapsearch command that works<br

...

            (it retrieves<br

...

                    &nbsp= ;users)<br

...

                    &nbsp= ;         from the<br

...

                    &nbsp= ;         same machine:<br

<br

<br

<br

                    &nbsp= ;         ldapsearch -H ldap://<a href=3D"http://exampl= e.com" target=3D"_blank">example.com</a><br

...

            <<a href=3D"http://example.com= " target=3D"_blank">http://example.com</a>> <<a href=3D"http://exampl= e.com" target=3D"_blank">http://example.com</a>><br

...

                    &nbsp= ;<<a href=3D"http://example.com" target=3D"_blank">http://example.com</a= >><br

...

                    &nbsp= ;         <<a href=3D"http://example.com" target=3D"= _blank">http://example.com</a>> -b<br

...

<br

...

                    &nbsp= ;         dc=3Dexample,dc=3Dcom -D user.name@a_domain -= w<br

...

            qwerty<br

...

<br

...

<br

...

                    &nbsp= ;         Best regards,<br

...

                    &nbsp= ;         Cristian Falcas<br

<br

<br

<br

<br></div></div><div class=3D"im"

...

              __________________________= ____<u></u>_______________________<br

...

                    &nbsp= ;         Users mailing list<br

...

            <a href=3D"mailto:Users@ovirt.org= " target=3D"_blank">Users(a)ovirt.org</a> <mailto:<a href=3D"mailto:Users@= ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt;<br

...

            <mailto:<a href=3D"mailto:User= s(a)ovirt.org" target=3D"_blank">Users(a)ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt;&gt;<br

...

            <mailto:<a href=3D"mailto:User= s(a)ovirt.org" target=3D"_blank">Users(a)ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users(a)ovirt.org</a>&gt;<br

...

                    &nbsp= ;<mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">Users@ovir= t.org</a> <mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">U= sers(a)ovirt.org</a>&gt;&gt;&gt;<br

...

            <a href=3D"http://lists.ovirt.org= /______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/___= ___<u></u>mailman/listinfo/users</a><br

...

            <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>><br

...

                    &nbsp= ;<<a href=3D"http://lists.ovirt.org/____mailman/listinfo/users" target= =3D"_blank">http://lists.ovirt.org/____<u></u>mailman/listinfo/users</a><br=

...

            <<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>>><br

...

<br

...

              <<a href=3D"http://list= s.ovirt.org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovir= t.org/____<u></u>mailman/listinfo/users</a><br

...

            <<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>><br

...

                    &nbsp= ;<<a href=3D"http://lists.ovirt.org/__mailman/listinfo/users" target=3D"= _blank">http://lists.ovirt.org/__<u></u>mailman/listi...

...

            <<a href=3D"http://lists.ovirt= .org/mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/<u></= u>mailman/listinfo/users</a>>>><br

<br

<br

<br

<br

                    &nbsp= ;Hi,<br

...

<br></div><div class=3D"im"

...

                    &nbsp= ;I used "-x" for ldapsearch and the result is the<br

...

            same: list<br

...

                    &nbsp= ;retrieved.<br

...

                    &nbsp= ;Is there any equivalent for engine-manage-domains?<br

...

<br

...

                    &nbsp= ;Cristian<br

...

<br

...

                 Hi Christian,= there is no code allowing to add<br

...

            simple-authentication<br

...

                 domains to Ma= nage-Domains.<br

...

                 In the past w= e did have the ability to do that, but<br

...

            there are<br

...

                 several probl= ematic issues.<br

...

                 What ldap ser= ver are you working against? Maybe I<br

...

            missed that<br

<br

<br

<br

<br

            Hi,<br

<br

            The server is a Microfost AD 2003= .<br

...

<br

...

            Best regards,<br

...

            Cristian Falcas<br

...

<br

...

<br

...

        this should work, is the AD also the DNS server= for the ovirt<br

...

        engine machine?<br

<br

<br

<br

    yes<br

<br

<br

</div></blockquote

<br

<br

</blockquote></div><br>Could you take a look at the tcp dump? There are onl= y 2 messages relevant to this (let me know if you want the full dump):<br><= br>- 2091    12.423634    10.0.0.xx  &nb= sp; 10.0.0.yyy    DNS    87    Stan= dard query SRV _kerberos._<a href=3D"http://tcp.EXAMPLE.COM" target=3D"_bla= nk">tcp.EXAMPLE.COM</a><br

...

- 2092    12.424357    10.0.0.yyy  &nbsp= ; 10.0.0.xx    DNS    245    Standa= rd query response SRV 0 100 88 <a href=3D"http://site1.example.com" target= =3D"_blank">site1.example.com</a> SRV 0 100 88 <a href=3D"http://site2.exam= ple.com" target=3D"_blank">site2.example.com</a> SRV 0 100 88 <a href=3D"ht= tp://site3.example.com" target=3D"_blank">site3.example.com</a><br

...

<br>Also, I tries to run ldapsearch with -Y gssapi:<br>ldap_sasl_interactiv= e_bind_s: Unknown authentication method (-6)<br>    &nb= sp;   additional info: SASL(-4): no mechanism available: No worth= y mechs found<br><br>Best regards, <br

...

Cristian Falcas<br></div

...

</blockquote>The SRV records look fine.<div>If I remember correctly, your D= NS should have a reverse-resolve PTR record to your engine machine. Does it= exists?</div><div><br></div></div></body></html

...

------=_Part_35338608_979479843.1353467130356--

Cristian Falcas

6:40 a.m.

On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky <yzaslavs(a)redhat.com> wrote:

...

------------------------------ *From: *"Cristian Falcas" <cristi.falcas(a)gmail.com> *To: *"Itamar Heim" <iheim(a)redhat.com> *Cc: *"Yair Zaslavsky" <yzaslavs(a)redhat.com>, users(a)ovirt.org *Sent: *Tuesday, November 20, 2012 7:33:39 PM *Subject: *Re: [Users] I don't know how to add AD users On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim <iheim(a)redhat.com> wrote: > On 11/20/2012 03:00 PM, Cristian Falcas wrote: > >> Hi, >> >> So there is no way to use the domain I have at work, right? >> >> I will need to make a freeipa installation in order to add new users. >> > > there is no reason this shouldn't work with active directory 2003 > (assuming its forest level isn't still in AD 2000 compatibility mode?). > tcpdump for the traffic during engine-manage-domains should help > diagnosing why. > > >> Cristian >> >> >> On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas >> <cristi.falcas(a)gmail.com <mailto:cristi.falcas@gmail.**com<cristi.falcas@gmail.com>>> >> wrote: >> >> >> >> >> On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim(a)redhat.com >> <mailto:iheim@redhat.com>> wrote: >> >> On 11/20/2012 09:56 AM, Cristian Falcas wrote: >> >> >> >> >> On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky >> <yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> >> <mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>>> >> wrote: >> >> >> >> On 11/20/2012 09:05 AM, Cristian Falcas wrote: >> >> >> >> >> On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky >> <yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> >> <mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>> >> <mailto:yzaslavs@redhat.com >> <mailto:yzaslavs@redhat.com> <mailto:yzaslavs@redhat.com >> <mailto:yzaslavs@redhat.com>>>**> wrote: >> >> >> >> On 11/20/2012 12:39 AM, Cristian Falcas wrote: >> >> >> >> On Mon, Nov 19, 2012 at 10:53 PM, Itamar >> Heim >> <iheim(a)redhat.com <mailto:iheim@redhat.com> >> <mailto:iheim@redhat.com <mailto:iheim@redhat.com>> >> <mailto:iheim@redhat.com >> <mailto:iheim@redhat.com> <mailto:iheim@redhat.com >> <mailto:iheim@redhat.com>>> >> <mailto:iheim@redhat.com >> <mailto:iheim@redhat.com> <mailto:iheim@redhat.com >> <mailto:iheim@redhat.com>> >> <mailto:iheim@redhat.com <mailto:iheim@redhat.com> >> <mailto:iheim@redhat.com <mailto:iheim@redhat.com>>>>> >> wrote: >> >> On 11/19/2012 11:29 AM, Vinzenz >> Feenstra wrote: >> >> On 11/19/2012 10:01 AM, Cristian >> Falcas wrote: >> >> Hi, >> >> I'm trying to add some users >> to ovirt >> using an AD. >> >> This is the configuration I >> used for a >> mediawiki >> site, which is >> working correctly: >> $wgAuth = new >> LdapAuthenticationPlugin(); >> $wgLDAPUseLocal = true; >> $wgLDAPDomainNames = array( >> "a_domain"); >> $wgLDAPServerNames = array( >> "a_domain"=>"site.example.com >> <http://site.example.com> <http://site.example.com> >> <http://site.example.com> >> <http://site.example.com> >> <http://site.example.com>"); >> >> $wgLDAPEncryptionType = array( >> "a_domain"=>"clear"); >> $wgLDAPSearchStrings = array( >> >> "a_domain"=>"rom_domain\\USER-**________NAME"); >> $wgLDAPBaseDNs = array( >> "a_domain"=>"dc=company,dc=___** >> _____com"); >> >> >> >> >> >> Those are the commands I >> tried using: >> engine-manage-domains >> -action=add >> -domain=site.example.com >> <http://site.example.com> <http://site.example.com> >> <http://site.example.com> >> <http://site.example.com> >> <http://site.example.com> >> -provider=ActiveDirectory >> -user=user.name >> <http://user.name> <http://user.name> >> <http://user.name> <http://user.name> >> <http://user.name> >> -interactive >> >> >> engine-manage-domains >> -action=add >> -domain=a_domain >> -provider=ActiveDirectory >> -user=user.name(a)company.com >> <mailto:user.name@company.com> >> <mailto:user.name@company.com >> <mailto:user.name@company.com>**> >> <mailto:user.name@company.com <mailto:user.name@company.com> >> <mailto:user.name@company.com >> <mailto:user.name@company.com>**>__> >> <mailto:user.name@company.com >> <mailto:user.name@company.com> >> <mailto:user.name@company.com >> <mailto:user.name@company.com>**> >> <mailto:user.name@company.com >> <mailto:user.name@company.com> >> <mailto:user.name@company.com >> <mailto:user.name@company.com>**>__>__> >> <mailto:user.name@company.com >> <mailto:user.name@company.com> >> <mailto:user.name@company.com >> <mailto:user.name@company.com>**> >> <mailto:user.name@company.com >> <mailto:user.name@company.com> >> <mailto:user.name@company.com >> <mailto:user.name@company.com>**>__> >> >> <mailto:user.name@company.com >> <mailto:user.name@company.com> >> <mailto:user.name@company.com >> <mailto:user.name@company.com>**> >> <mailto:user.name@company.com >> <mailto:user.name@company.com> >> <mailto:user.name@company.com >> <mailto:user.name@company.com>**>__>__>__> -interactive >> >> >> engine-manage-domains >> -action=add >> -domain=a_domain >> -provider=ActiveDirectory >> -user=user.name(a)site.example._**_______com >> >> >> <mailto:user.name@site >> <mailto:user.name@site>. >> <mailto:user.name@site >> <mailto:user.name@site>.>__exa**m__p__le.com<http://exam__p__le.com> >> <http://examp__le.com> <http://example.com> >> <mailto:user.name@site. >> <mailto:user.name@site.>__exam**p__le.com<http://examp__le.com>< >> http://example.com> >> <mailto:user.name@site.__examp**le.com<http://example.com> >> <mailto:user.name@site.**example.com<user.name@site.example.com> >> >>>> >> <mailto:user.name@site >> <mailto:user.name@site> >> >> <mailto:user.name@site <mailto:user.name@site>>. >> <mailto:user.name@site <mailto: >> user.name@site> >> <mailto:user.name@site >> <mailto:user.name@site>>.>__ex**a__m__p__le.com<http://exa__m__p__le.com> >> <http://exam__p__le.com> >> >> <http://examp__le.com> <http://example.com> >> >> >> >> <mailto:user.name@site >> <mailto:user.name@site>. >> <mailto:user.name@site >> <mailto:user.name@site>.>__exa**m__p__le.com<http://exam__p__le.com> >> <http://examp__le.com> <http://example.com> >> <mailto:user.name@site. >> <mailto:user.name@site.>__exam**p__le.com<http://examp__le.com>< >> http://example.com> >> <mailto:user.name@site.__examp**le.com<http://example.com> >> <mailto:user.name@site.**example.com<user.name@site.example.com>>>>>> >> -interactive >> >> >> You don't add an user this way. >> You add the >> domain. You >> have to >> pass the >> domain admin user and the domain >> admin password. >> >> >> any domain user will do, doesn't have >> to be an admin. >> what does the log say? >> >> >> Then you can use the domain >> within the engine. >> e.g. search >> users, add >> access rights for vms etc. >> Even login to the engine and >> assigning rights >> within >> the engine >> you can >> handle from the engine itself. >> >> Regards, >> >> And the output on all tries: >> Enter password: >> >> Error: Authentication Failed. >> Please >> verify the fully >> qualified domain >> name that is used for >> authentication is >> correct.. >> Problematic domain >> is: domain_used_in_command >> Failure while applying >> Kerberos >> configuration. Details: >> Authentication >> Failed. Please verify the >> fully qualified >> domain >> name that >> is used for >> authentication is correct. >> >> Can someone help me with the >> correct >> parameters? >> >> >> Best regards, >> Cristian Falcas >> >> >> >> >> ______________________________**_________________________ >> >> >> Users mailing list >> Users(a)ovirt.org <mailto:Users@ovirt.org> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> >> <mailto:Users@ovirt.org >> <mailto:Users@ovirt.org> <mailto:Users@ovirt.org >> <mailto:Users@ovirt.org>>>> >> http://lists.ovirt.org/_______**_mailman/listinfo/users<http://lists.o... >> <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... >> > >> >> >> <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> >> >> >> >> <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> > >> <http://lists.ovirt.org/____** >> mailman/listinfo/users<http://lists.ovirt.org/____mailman/listinfo/use... >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> >>> >> >> >> >> >> <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> > >> <http://lists.ovirt.org/____** >> mailman/listinfo/users<http://lists.ovirt.org/____mailman/listinfo/use... >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> >> >> >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> > >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... >> >>>> >> >> >> >> -- >> Regards, >> >> Vinzenz Feenstra | Senior >> Software Engineer >> RedHat Engineering Virtualization >> R & D >> Phone: +420 532 294 625 >> <tel:%2B420%20532%20294%20625> >> <tel:%2B420%20532%20294%20625> >> <tel:%2B420%20532%20294%20625> >> <tel:%2B420%20532%20294%20625> >> >> IRC: vfeenstr or evilissimo >> >> Better technology. Faster >> innovation. Powered >> by community >> collaboration. >> See how it works at redhat.com >> <http://redhat.com> >> <http://redhat.com> <http://redhat.com> >> <http://redhat.com> >> >> >> >> >> >> ______________________________**_________________________ >> >> >> Users mailing list >> Users(a)ovirt.org <mailto:Users@ovirt.org> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> >> <mailto:Users@ovirt.org >> <mailto:Users@ovirt.org> <mailto:Users@ovirt.org >> <mailto:Users@ovirt.org>>>> >> http://lists.ovirt.org/_______**_mailman/listinfo/users<http://lists.o... >> <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... >> > >> >> >> <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> >> >> >> >> <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> > >> <http://lists.ovirt.org/____** >> mailman/listinfo/users<http://lists.ovirt.org/____mailman/listinfo/use... >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> >>> >> >> >> <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> > >> <http://lists.ovirt.org/____** >> mailman/listinfo/users<http://lists.ovirt.org/____mailman/listinfo/use... >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> >> >> >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> > >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... >> >>>> >> >> >> >> >> ______________________________**_________________________ >> >> >> Users mailing list >> Users(a)ovirt.org <mailto:Users@ovirt.org> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> >> <mailto:Users@ovirt.org >> <mailto:Users@ovirt.org> <mailto:Users@ovirt.org >> <mailto:Users@ovirt.org>>>> >> http://lists.ovirt.org/_______**_mailman/listinfo/users<http://lists.o... >> <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... >> > >> >> >> <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> >> >> >> <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> > >> <http://lists.ovirt.org/____** >> mailman/listinfo/users<http://lists.ovirt.org/____mailman/listinfo/use... >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> >>> >> >> >> >> <http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> > >> <http://lists.ovirt.org/____** >> mailman/listinfo/users<http://lists.ovirt.org/____mailman/listinfo/use... >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> >> >> >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> > >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... >> >>>> >> >> >> >> >> Hi, >> >> This is the command I used (the same error >> is with >> -interactive >> parameter): >> >> engine-manage-domains -action=add >> -domain=example.com <http://example.com> >> <http://example.com> >> <http://example.com> >> <http://example.com> >> -provider=ActiveDirectory >> -user=user.name@a_domain >> >> -passwordFile=/tmp/pass >> >> [root@localhost ~]# cat /tmp/pass >> qwerty[root@localhost ~]# >> >> This is the log: >> >> 2012-11-20 00:30:40,443 INFO >> >> >> [org.ovirt.engine.core.utils._**_____kerberos.ManageDomains] >> >> Creating >> >> >> kerberos >> configuration for domain(s): example.com >> <http://example.com> >> <http://example.com> <http://example.com> >> <http://example.com> >> >> 2012-11-20 00:30:40,525 INFO >> >> >> [org.ovirt.engine.core.utils._**_____kerberos.ManageDomains] >> >> >> Successfully >> >> created kerberos configuration for >> domain(s): >> example.com <http://example.com> <http://example.com> >> <http://example.com> >> <http://example.com> >> >> 2012-11-20 00:30:40,526 INFO >> >> >> [org.ovirt.engine.core.utils._**_____kerberos.ManageDomains] >> >> Testing >> >> >> kerberos >> configuration for domain: example.com >> <http://example.com> >> <http://example.com> <http://example.com> >> <http://example.com> >> >> 2012-11-20 00:30:40,830 ERROR >> >> >> [org.ovirt.engine.core.utils._**_____kerberos.__** >> KerberosConfigCheck] >> >> >> Error: >> >> exception message: Cannot locate KDC >> 2012-11-20 00:30:40,851 ERROR >> >> >> [org.ovirt.engine.core.utils._**_____kerberos.ManageDomains] >> >> Failure >> >> while >> >> testing domain example.com >> <http://example.com> <http://example.com> >> <http://example.com> >> <http://example.com>;. Details: Kerberos >> >> error. Please check log for further >> details. >> >> >> Hi, the error indicates you don't have >> kerberos configured. >> manage-domains validates by default using >> GSSAPI/Kerberos (if I >> understand correctly, this is equivalent to >> run ldapsearch >> with -Y >> gssapi option). >> I wonder if -x (simple authentication) will >> work for you as >> well (as >> manage-domains contains code for simple >> authentication as >> well). >> >> >> >> This is the ldapsearch command that works >> (it retrieves >> users) >> from the >> same machine: >> >> >> >> ldapsearch -H ldap://example.com >> <http://example.com> <http://example.com> >> <http://example.com> >> <http://example.com> -b >> >> dc=example,dc=com -D user.name@a_domain -w >> qwerty >> >> >> Best regards, >> Cristian Falcas >> >> >> >> >> ______________________________**_______________________ >> Users mailing list >> Users(a)ovirt.org <mailto:Users@ovirt.org> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> >> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> >> http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovi... >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> > >> <http://lists.ovirt.org/____** >> mailman/listinfo/users<http://lists.ovirt.org/____mailman/listinfo/use... >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> >> >> >> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt... >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> > >> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.o... >> <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org... >> >>> >> >> >> >> >> Hi, >> >> I used "-x" for ldapsearch and the result is the >> same: list >> retrieved. >> Is there any equivalent for engine-manage-domains? >> >> Cristian >> >> Hi Christian, there is no code allowing to add >> simple-authentication >> domains to Manage-Domains. >> In the past we did have the ability to do that, but >> there are >> several problematic issues. >> What ldap server are you working against? Maybe I >> missed that >> >> >> >> >> Hi, >> >> The server is a Microfost AD 2003. >> >> Best regards, >> Cristian Falcas >> >> >> this should work, is the AD also the DNS server for the ovirt >> engine machine? >> >> >> >> yes >> >> >> > > Could you take a look at the tcp dump? There are only 2 messages relevant to this (let me know if you want the full dump): - 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV _kerberos._tcp.EXAMPLE.COM - 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 100 88 site3.example.com Also, I tries to run ldapsearch with -Y gssapi: ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: No worthy mechs found Best regards, Cristian Falcas The SRV records look fine. If I remember correctly, your DNS should have a reverse-resolve PTR record to your engine machine. Does it exists?

I don't think so (10.0.0.xx is engine machine, 10.0.0.yyy is dns): [root@localhost ~]# nslookup 10.0.0.xx Server: 10.0.0.yyy Address: 10.0.0.yyy#53 ** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN [root@localhost ~]# host 10.0.0.xx Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN) I will ask them to add a DNS record for the machine.

Oved Ourfalli

8:09 a.m.

----- Original Message -----

...

From: "Cristian Falcas" <cristi.falcas(a)gmail.com> To: "Yair Zaslavsky" <yzaslavs(a)redhat.com> Cc: users(a)ovirt.org Sent: Wednesday, November 21, 2012 6:40:34 AM Subject: Re: [Users] I don't know how to add AD users On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky < yzaslavs(a)redhat.com > wrote: From: "Cristian Falcas" < cristi.falcas(a)gmail.com > To: "Itamar Heim" < iheim(a)redhat.com > Cc: "Yair Zaslavsky" < yzaslavs(a)redhat.com >, users(a)ovirt.org Sent: Tuesday, November 20, 2012 7:33:39 PM Subject: Re: [Users] I don't know how to add AD users On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim < iheim(a)redhat.com > wrote: On 11/20/2012 03:00 PM, Cristian Falcas wrote: Hi, So there is no way to use the domain I have at work, right? I will need to make a freeipa installation in order to add new users. there is no reason this shouldn't work with active directory 2003 (assuming its forest level isn't still in AD 2000 compatibility mode?). tcpdump for the traffic during engine-manage-domains should help diagnosing why. Cristian On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas < cristi.falcas(a)gmail.com <mailto: cristi.falcas@gmail. com >> wrote: On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim < iheim(a)redhat.com <mailto: iheim(a)redhat.com >> wrote: On 11/20/2012 09:56 AM, Cristian Falcas wrote: On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky < yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com > <mailto: yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com >>> wrote: On 11/20/2012 09:05 AM, Cristian Falcas wrote: On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky < yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com > <mailto: yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com >> <mailto: yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com > <mailto: yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com >>> > wrote: On 11/20/2012 12:39 AM, Cristian Falcas wrote: On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim < iheim(a)redhat.com <mailto: iheim(a)redhat.com > <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com >> <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com > <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com >>> <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com > <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com >> <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com > <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com >>>>> wrote: On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote: On 11/19/2012 10:01 AM, Cristian Falcas wrote: Hi, I'm trying to add some users to ovirt using an AD. This is the configuration I used for a mediawiki site, which is working correctly: $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPUseLocal = true; $wgLDAPDomainNames = array( "a_domain"); $wgLDAPServerNames = array( "a_domain"=>" site.example.com < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com >"); $wgLDAPEncryptionType = array( "a_domain"=>"clear"); $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER- ________NAME"); $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=___ _____com"); Those are the commands I tried using: engine-manage-domains -action=add -domain= site.example.com < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com > -provider=ActiveDirectory -user= user.name < http://user.name > < http://user.name > < http://user.name > < http://user.name > < http://user.name > -interactive engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user= user.name(a)company.com <mailto: user.name(a)company.com > <mailto: user.name(a)company.com <mailto: user.name(a)company.com > > <mailto: user.name(a)company.com <mailto: user.name(a)company.com > <mailto: user.name(a)company.com <mailto: user.name(a)company.com > >__> <mailto: user.name(a)company.com <mailto: user.name(a)company.com > <mailto: user.name(a)company.com <mailto: user.name(a)company.com > > <mailto: user.name(a)company.com <mailto: user.name(a)company.com > <mailto: user.name(a)company.com <mailto: user.name(a)company.com > >__>__> <mailto: user.name(a)company.com <mailto: user.name(a)company.com > <mailto: user.name(a)company.com <mailto: user.name(a)company.com > > <mailto: user.name(a)company.com <mailto: user.name(a)company.com > <mailto: user.name(a)company.com <mailto: user.name(a)company.com > >__> <mailto: user.name(a)company.com <mailto: user.name(a)company.com > <mailto: user.name(a)company.com <mailto: user.name(a)company.com > > <mailto: user.name(a)company.com <mailto: user.name(a)company.com > <mailto: user.name(a)company.com <mailto: user.name(a)company.com > >__>__>__> -interactive engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name(a)site.example._ _______com <mailto: user.name@site <mailto: user.name@site >. <mailto: user.name@site <mailto: user.name@site >.>__ exa m__p__le.com < http://examp__le.com > < http://example.com > <mailto: user.name@site . <mailto: user.name@site .>__ exam p__le.com < http://example.com > <mailto: user.name@site. __ examp le.com <mailto: user.name@site. example.com >>>> <mailto: user.name@site <mailto: user.name@site > <mailto: user.name@site <mailto: user.name@site >>. <mailto: user.name@site <mailto: user.name@site > <mailto: user.name@site <mailto: user.name@site >>.>__ ex a__m__p__le.com < http://exam__p__le.com > < http://examp__le.com > < http://example.com > <mailto: user.name@site <mailto: user.name@site >. <mailto: user.name@site <mailto: user.name@site >.>__ exa m__p__le.com < http://examp__le.com > < http://example.com > <mailto: user.name@site . <mailto: user.name@site .>__ exam p__le.com < http://example.com > <mailto: user.name@site. __ examp le.com <mailto: user.name@site. example.com >>>>> -interactive You don't add an user this way. You add the domain. You have to pass the domain admin user and the domain admin password. any domain user will do, doesn't have to be an admin. what does the log say? Then you can use the domain within the engine. e.g. search users, add access rights for vms etc. Even login to the engine and assigning rights within the engine you can handle from the engine itself. Regards, And the output on all tries: Enter password: Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct. Can someone help me with the correct parameters? Best regards, Cristian Falcas ______________________________ _________________________ Users mailing list Users(a)ovirt.org <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>>> http://lists.ovirt.org/_______ _mailman/listinfo/users < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users >> < http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>> < http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >> < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users < http://lists.ovirt.org/ mailman/listinfo/users >>>> -- Regards, Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625 <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> IRC: vfeenstr or evilissimo Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com < http://redhat.com > < http://redhat.com > < http://redhat.com > < http://redhat.com > ______________________________ _________________________ Users mailing list Users(a)ovirt.org <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>>> http://lists.ovirt.org/_______ _mailman/listinfo/users < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users >> < http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>> < http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >> < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users < http://lists.ovirt.org/ mailman/listinfo/users >>>> ______________________________ _________________________ Users mailing list Users(a)ovirt.org <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>>> http://lists.ovirt.org/_______ _mailman/listinfo/users < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users >> < http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>> < http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >> < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users < http://lists.ovirt.org/ mailman/listinfo/users >>>> Hi, This is the command I used (the same error is with -interactive parameter): engine-manage-domains -action=add -domain= example.com < http://example.com > < http://example.com > < http://example.com > < http://example.com > -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass [root@localhost ~]# cat /tmp/pass qwerty[root@localhost ~]# This is the log: 2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com < http://example.com > < http://example.com > < http://example.com > < http://example.com > 2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com < http://example.com > < http://example.com > < http://example.com > < http://example.com > 2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] Testing kerberos configuration for domain: example.com < http://example.com > < http://example.com > < http://example.com > < http://example.com > 2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils._ _____kerberos.__ KerberosConfigCheck] Error: exception message: Cannot locate KDC 2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] Failure while testing domain example.com < http://example.com > < http://example.com > < http://example.com > < http://example.com >. Details: Kerberos error. Please check log for further details. Hi, the error indicates you don't have kerberos configured. manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to run ldapsearch with -Y gssapi option). I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well). This is the ldapsearch command that works (it retrieves users) from the same machine: ldapsearch -H ldap:// example.com < http://example.com > < http://example.com > < http://example.com > < http://example.com > -b dc=example,dc=com -D user.name@a_domain -w qwerty Best regards, Cristian Falcas ______________________________ _______________________ Users mailing list Users(a)ovirt.org <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>> http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >> < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users < http://lists.ovirt.org/ mailman/listinfo/users >>> Hi, I used "-x" for ldapsearch and the result is the same: list retrieved. Is there any equivalent for engine-manage-domains? Cristian Hi Christian, there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues. What ldap server are you working against? Maybe I missed that Hi, The server is a Microfost AD 2003. Best regards, Cristian Falcas this should work, is the AD also the DNS server for the ovirt engine machine? yes Could you take a look at the tcp dump? There are only 2 messages relevant to this (let me know if you want the full dump): - 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV _kerberos._ tcp.EXAMPLE.COM - 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 100 88 site3.example.com Also, I tries to run ldapsearch with -Y gssapi: ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: No worthy mechs found Best regards, Cristian Falcas The SRV records look fine. If I remember correctly, your DNS should have a reverse-resolve PTR record to your engine machine. Does it exists? I don't think so (10.0.0.xx is engine machine, 10.0.0.yyy is dns): [root@localhost ~]# nslookup 10.0.0.xx Server: 10.0.0.yyy Address: 10.0.0.yyy#53 ** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN [root@localhost ~]# host 10.0.0.xx Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN) I will ask them to add a DNS record for the machine.

Indeed do that. In the engine we require both reverse-resolve PTR record, Kerberos SRV record and LDAP SRV record. Make sure you have all three in the DNS. The PTR + Kerberos records are used for the kerberos authentication (and constructing the krb5.conf file in the engine-manage-domains utility). The LDAP SRV record is used for the directory queries (it is used in the utility + the ovirt engine, to look for LDAP servers).

...

_______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users

Itamar Heim

8:10 a.m.

On 11/21/2012 08:09 AM, Oved Ourfalli wrote:

...

----- Original Message ----- > From: "Cristian Falcas" <cristi.falcas(a)gmail.com> > To: "Yair Zaslavsky" <yzaslavs(a)redhat.com> > Cc: users(a)ovirt.org > Sent: Wednesday, November 21, 2012 6:40:34 AM > Subject: Re: [Users] I don't know how to add AD users > > > > > > > > On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky < yzaslavs(a)redhat.com >> wrote: > > > > > > > > > > From: "Cristian Falcas" < cristi.falcas(a)gmail.com > > To: "Itamar Heim" < iheim(a)redhat.com > > Cc: "Yair Zaslavsky" < yzaslavs(a)redhat.com >, users(a)ovirt.org > Sent: Tuesday, November 20, 2012 7:33:39 PM > > Subject: Re: [Users] I don't know how to add AD users > > > > > > > > > On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim < iheim(a)redhat.com > > wrote: > > > > On 11/20/2012 03:00 PM, Cristian Falcas wrote: > > > Hi, > > So there is no way to use the domain I have at work, right? > > I will need to make a freeipa installation in order to add new users. > > there is no reason this shouldn't work with active directory 2003 > (assuming its forest level isn't still in AD 2000 compatibility > mode?). > tcpdump for the traffic during engine-manage-domains should help > diagnosing why. > > > > > > Cristian > > > On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas > > < cristi.falcas(a)gmail.com <mailto: cristi.falcas@gmail. com >> wrote: > > > > > On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim < iheim(a)redhat.com > > <mailto: iheim(a)redhat.com >> wrote: > > On 11/20/2012 09:56 AM, Cristian Falcas wrote: > > > > > On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky > < yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com > > > > <mailto: yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com >>> > wrote: > > > > On 11/20/2012 09:05 AM, Cristian Falcas wrote: > > > > > On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky > < yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com > > <mailto: yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com >> > <mailto: yzaslavs(a)redhat.com > <mailto: yzaslavs(a)redhat.com > <mailto: yzaslavs(a)redhat.com > <mailto: yzaslavs(a)redhat.com >>> > wrote: > > > > On 11/20/2012 12:39 AM, Cristian Falcas wrote: > > > > On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim > < iheim(a)redhat.com <mailto: iheim(a)redhat.com > > <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com >> > <mailto: iheim(a)redhat.com > <mailto: iheim(a)redhat.com > <mailto: iheim(a)redhat.com > <mailto: iheim(a)redhat.com >>> > <mailto: iheim(a)redhat.com > <mailto: iheim(a)redhat.com > <mailto: iheim(a)redhat.com > <mailto: iheim(a)redhat.com >> > <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com > > <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com >>>>> wrote: > > On 11/19/2012 11:29 AM, Vinzenz > Feenstra wrote: > > On 11/19/2012 10:01 AM, Cristian > Falcas wrote: > > Hi, > > I'm trying to add some users > to ovirt > using an AD. > > This is the configuration I > used for a > mediawiki > site, which is > working correctly: > $wgAuth = new > LdapAuthenticationPlugin(); > $wgLDAPUseLocal = true; > $wgLDAPDomainNames = array( > "a_domain"); > $wgLDAPServerNames = array( > "a_domain"=>" site.example.com > < http://site.example.com > < http://site.example.com > > < http://site.example.com > > < http://site.example.com > > < http://site.example.com >"); > > $wgLDAPEncryptionType = array( > "a_domain"=>"clear"); > $wgLDAPSearchStrings = array( > > "a_domain"=>"rom_domain\\USER- ________NAME"); > $wgLDAPBaseDNs = array( > "a_domain"=>"dc=company,dc=___ _____com"); > > > > > > > Those are the commands I > tried using: > engine-manage-domains -action=add > -domain= site.example.com > < http://site.example.com > < http://site.example.com > > < http://site.example.com > > < http://site.example.com > > < http://site.example.com > > -provider=ActiveDirectory > -user= user.name > < http://user.name > < http://user.name > > < http://user.name > < http://user.name > > < http://user.name > -interactive > > > engine-manage-domains -action=add > -domain=a_domain > -provider=ActiveDirectory > -user= user.name(a)company.com > <mailto: user.name(a)company.com > > <mailto: user.name(a)company.com > <mailto: user.name(a)company.com > > > <mailto: user.name(a)company.com <mailto: user.name(a)company.com > > <mailto: user.name(a)company.com > <mailto: user.name(a)company.com > >__> > <mailto: user.name(a)company.com > <mailto: user.name(a)company.com > > <mailto: user.name(a)company.com > <mailto: user.name(a)company.com > > > <mailto: user.name(a)company.com > <mailto: user.name(a)company.com > > <mailto: user.name(a)company.com > <mailto: user.name(a)company.com > >__>__> > <mailto: user.name(a)company.com > <mailto: user.name(a)company.com > > <mailto: user.name(a)company.com > <mailto: user.name(a)company.com > > > <mailto: user.name(a)company.com > <mailto: user.name(a)company.com > > <mailto: user.name(a)company.com > <mailto: user.name(a)company.com > >__> > > <mailto: user.name(a)company.com > <mailto: user.name(a)company.com > > <mailto: user.name(a)company.com > <mailto: user.name(a)company.com > > > <mailto: user.name(a)company.com > <mailto: user.name(a)company.com > > <mailto: user.name(a)company.com > <mailto: user.name(a)company.com > >__>__>__> -interactive > > > engine-manage-domains -action=add > -domain=a_domain > -provider=ActiveDirectory > -user=user.name(a)site.example._ _______com > > > <mailto: user.name@site > <mailto: user.name@site >. > <mailto: user.name@site > <mailto: user.name@site >.>__ exa m__p__le.com > < http://examp__le.com > < http://example.com > > <mailto: user.name@site . > <mailto: user.name@site .>__ exam p__le.com < http://example.com > > <mailto: user.name@site. __ examp le.com > <mailto: user.name@site. example.com >>>> > <mailto: user.name@site > <mailto: user.name@site > > > <mailto: user.name@site <mailto: user.name@site >>. > <mailto: user.name@site <mailto: user.name@site > > <mailto: user.name@site > <mailto: user.name@site >>.>__ ex a__m__p__le.com > < http://exam__p__le.com > > > > < http://examp__le.com > < http://example.com > > > > > <mailto: user.name@site > <mailto: user.name@site >. > <mailto: user.name@site > <mailto: user.name@site >.>__ exa m__p__le.com > < http://examp__le.com > < http://example.com > > <mailto: user.name@site . > <mailto: user.name@site .>__ exam p__le.com < http://example.com > > <mailto: user.name@site. __ examp le.com > <mailto: user.name@site. example.com >>>>> -interactive > > > You don't add an user this way. > You add the > domain. You > have to > pass the > domain admin user and the domain > admin password. > > > any domain user will do, doesn't have > to be an admin. > what does the log say? > > > Then you can use the domain > within the engine. > e.g. search > users, add > access rights for vms etc. > Even login to the engine and > assigning rights > within > the engine > you can > handle from the engine itself. > > Regards, > > And the output on all tries: > Enter password: > > Error: Authentication Failed. > Please > verify the fully > qualified domain > name that is used for > authentication is > correct.. > Problematic domain > is: domain_used_in_command > Failure while applying Kerberos > configuration. Details: > Authentication > Failed. Please verify the > fully qualified > domain > name that > is used for > authentication is correct. > > Can someone help me with the > correct > parameters? > > > Best regards, > Cristian Falcas > > > > > ______________________________ _________________________ > > > Users mailing list > Users(a)ovirt.org <mailto: Users(a)ovirt.org > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>> > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> > <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org >>>> > http://lists.ovirt.org/_______ _mailman/listinfo/users > < http://lists.ovirt.org/______ mailman/listinfo/users > > > > > < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users >> > > > < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users >>> > > > > > < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users >> > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users > > < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/ mailman/listinfo/users >>>> > > > > -- > Regards, > > Vinzenz Feenstra | Senior > Software Engineer > RedHat Engineering Virtualization > R & D > Phone: +420 532 294 625 > <tel:%2B420%20532%20294%20625> > <tel:%2B420%20532%20294%20625> > <tel:%2B420%20532%20294%20625> > <tel:%2B420%20532%20294%20625> > > IRC: vfeenstr or evilissimo > > Better technology. Faster > innovation. Powered > by community > collaboration. > See how it works at redhat.com > < http://redhat.com > > < http://redhat.com > < http://redhat.com > > < http://redhat.com > > > > > > > ______________________________ _________________________ > > > Users mailing list > Users(a)ovirt.org <mailto: Users(a)ovirt.org > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>> > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> > <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org >>>> > http://lists.ovirt.org/_______ _mailman/listinfo/users > < http://lists.ovirt.org/______ mailman/listinfo/users > > > > < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users >> > > > < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users >>> > > > < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users >> > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users > > < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/ mailman/listinfo/users >>>> > > > > > ______________________________ _________________________ > > > Users mailing list > Users(a)ovirt.org <mailto: Users(a)ovirt.org > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>> > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> > <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org >>>> > http://lists.ovirt.org/_______ _mailman/listinfo/users > < http://lists.ovirt.org/______ mailman/listinfo/users > > > > < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users >> > > < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users >>> > > > > > < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users >> > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users > > < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/ mailman/listinfo/users >>>> > > > > > Hi, > > This is the command I used (the same error > is with > -interactive > parameter): > > engine-manage-domains -action=add > -domain= example.com < http://example.com > > < http://example.com > > < http://example.com > > < http://example.com > -provider=ActiveDirectory > -user=user.name@a_domain > > -passwordFile=/tmp/pass > > [root@localhost ~]# cat /tmp/pass > qwerty[root@localhost ~]# > > This is the log: > > 2012-11-20 00:30:40,443 INFO > > > [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] > > Creating > > > kerberos > configuration for domain(s): example.com > < http://example.com > > < http://example.com > < http://example.com > > < http://example.com > > > 2012-11-20 00:30:40,525 INFO > > > [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] > > > Successfully > > created kerberos configuration for domain(s): > example.com < http://example.com > < http://example.com > > < http://example.com > > < http://example.com > > > 2012-11-20 00:30:40,526 INFO > > > [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] > > Testing > > > kerberos > configuration for domain: example.com > < http://example.com > > < http://example.com > < http://example.com > > < http://example.com > > > 2012-11-20 00:30:40,830 ERROR > > > [org.ovirt.engine.core.utils._ _____kerberos.__ KerberosConfigCheck] > > > Error: > > exception message: Cannot locate KDC > 2012-11-20 00:30:40,851 ERROR > > > [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] > > > Failure > > while > > testing domain example.com > < http://example.com > < http://example.com > > < http://example.com > > < http://example.com >. Details: Kerberos > > error. Please check log for further details. > > > Hi, the error indicates you don't have > kerberos configured. > manage-domains validates by default using > GSSAPI/Kerberos (if I > understand correctly, this is equivalent to > run ldapsearch > with -Y > gssapi option). > I wonder if -x (simple authentication) will > work for you as > well (as > manage-domains contains code for simple > authentication as > well). > > > > This is the ldapsearch command that works > (it retrieves > users) > from the > same machine: > > > > ldapsearch -H ldap:// example.com > < http://example.com > < http://example.com > > < http://example.com > > < http://example.com > -b > > dc=example,dc=com -D user.name@a_domain -w > qwerty > > > Best regards, > Cristian Falcas > > > > > > ______________________________ _______________________ > Users mailing list > Users(a)ovirt.org <mailto: Users(a)ovirt.org > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > > <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>> > http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users >> > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users > > < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/ mailman/listinfo/users >>> > > > > > Hi, > > > I used "-x" for ldapsearch and the result is the > same: list > retrieved. > Is there any equivalent for engine-manage-domains? > > Cristian > > Hi Christian, there is no code allowing to add > simple-authentication > domains to Manage-Domains. > In the past we did have the ability to do that, but > there are > several problematic issues. > What ldap server are you working against? Maybe I > missed that > > > > > Hi, > > The server is a Microfost AD 2003. > > Best regards, > Cristian Falcas > > > this should work, is the AD also the DNS server for the ovirt > engine machine? > > > > yes > > > > > > Could you take a look at the tcp dump? There are only 2 messages > relevant to this (let me know if you want the full dump): > > - 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV > _kerberos._ tcp.EXAMPLE.COM > - 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response > SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 > 100 88 site3.example.com > > Also, I tries to run ldapsearch with -Y gssapi: > ldap_sasl_interactive_bind_s: Unknown authentication method (-6) > additional info: SASL(-4): no mechanism available: No worthy mechs > found > > Best regards, > Cristian Falcas > The SRV records look fine. > If I remember correctly, your DNS should have a reverse-resolve PTR > record to your engine machine. Does it exists? > > > > I don't think so (10.0.0.xx is engine machine, 10.0.0.yyy is dns): > > [root@localhost ~]# nslookup 10.0.0.xx > Server: 10.0.0.yyy > Address: 10.0.0.yyy#53 > > ** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN > > [root@localhost ~]# host 10.0.0.xx > Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN) > > I will ask them to add a DNS record for the machine. > Indeed do that. In the engine we require both reverse-resolve PTR record, Kerberos SRV record and LDAP SRV record. Make sure you have all three in the DNS. The PTR + Kerberos records are used for the kerberos authentication (and constructing the krb5.conf file in the engine-manage-domains utility). The LDAP SRV record is used for the directory queries (it is used in the utility + the ovirt engine, to look for LDAP servers).

Yair - sounds like we need a how to troubleshoot AD issues?

Cristian Falcas

9:37 p.m.

On Wed, Nov 21, 2012 at 8:10 AM, Itamar Heim <iheim(a)redhat.com> wrote:

...

On 11/21/2012 08:09 AM, Oved Ourfalli wrote: > > > ----- Original Message ----- > >> From: "Cristian Falcas" <cristi.falcas(a)gmail.com> >> To: "Yair Zaslavsky" <yzaslavs(a)redhat.com> >> Cc: users(a)ovirt.org >> Sent: Wednesday, November 21, 2012 6:40:34 AM >> Subject: Re: [Users] I don't know how to add AD users >> >> >> >> >> >> >> >> On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky < yzaslavs(a)redhat.com >> >>> wrote: >>> >> >> >> >> >> >> >> >> >> >> From: "Cristian Falcas" < cristi.falcas(a)gmail.com > >> To: "Itamar Heim" < iheim(a)redhat.com > >> Cc: "Yair Zaslavsky" < yzaslavs(a)redhat.com >, users(a)ovirt.org >> Sent: Tuesday, November 20, 2012 7:33:39 PM >> >> Subject: Re: [Users] I don't know how to add AD users >> >> >> >> >> >> >> >> >> On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim < iheim(a)redhat.com > >> wrote: >> >> >> >> On 11/20/2012 03:00 PM, Cristian Falcas wrote: >> >> >> Hi, >> >> So there is no way to use the domain I have at work, right? >> >> I will need to make a freeipa installation in order to add new users. >> >> there is no reason this shouldn't work with active directory 2003 >> (assuming its forest level isn't still in AD 2000 compatibility >> mode?). >> tcpdump for the traffic during engine-manage-domains should help >> diagnosing why. >> >> >> >> >> >> Cristian >> >> >> On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas >> >> < cristi.falcas(a)gmail.com <mailto: cristi.falcas@gmail. com >> wrote: >> >> >> >> >> On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim < iheim(a)redhat.com >> >> <mailto: iheim(a)redhat.com >> wrote: >> >> On 11/20/2012 09:56 AM, Cristian Falcas wrote: >> >> >> >> >> On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky >> < yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com > >> >> >> <mailto: yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com >>> >> wrote: >> >> >> >> On 11/20/2012 09:05 AM, Cristian Falcas wrote: >> >> >> >> >> On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky >> < yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com > >> <mailto: yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com >> >> <mailto: yzaslavs(a)redhat.com >> <mailto: yzaslavs(a)redhat.com > <mailto: yzaslavs(a)redhat.com >> <mailto: yzaslavs(a)redhat.com >>> > wrote: >> >> >> >> On 11/20/2012 12:39 AM, Cristian Falcas wrote: >> >> >> >> On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim >> < iheim(a)redhat.com <mailto: iheim(a)redhat.com > >> <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com >> >> <mailto: iheim(a)redhat.com >> <mailto: iheim(a)redhat.com > <mailto: iheim(a)redhat.com >> <mailto: iheim(a)redhat.com >>> >> <mailto: iheim(a)redhat.com >> <mailto: iheim(a)redhat.com > <mailto: iheim(a)redhat.com >> <mailto: iheim(a)redhat.com >> >> <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com > >> <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com >>>>> wrote: >> >> On 11/19/2012 11:29 AM, Vinzenz >> Feenstra wrote: >> >> On 11/19/2012 10:01 AM, Cristian >> Falcas wrote: >> >> Hi, >> >> I'm trying to add some users >> to ovirt >> using an AD. >> >> This is the configuration I >> used for a >> mediawiki >> site, which is >> working correctly: >> $wgAuth = new >> LdapAuthenticationPlugin(); >> $wgLDAPUseLocal = true; >> $wgLDAPDomainNames = array( >> "a_domain"); >> $wgLDAPServerNames = array( >> "a_domain"=>" site.example.com >> < http://site.example.com > < http://site.example.com > >> < http://site.example.com > >> < http://site.example.com > >> < http://site.example.com >"); >> >> $wgLDAPEncryptionType = array( >> "a_domain"=>"clear"); >> $wgLDAPSearchStrings = array( >> >> "a_domain"=>"rom_domain\\USER- ________NAME"); >> $wgLDAPBaseDNs = array( >> "a_domain"=>"dc=company,dc=___ _____com"); >> >> >> >> >> >> >> Those are the commands I >> tried using: >> engine-manage-domains -action=add >> -domain= site.example.com >> < http://site.example.com > < http://site.example.com > >> < http://site.example.com > >> < http://site.example.com > >> < http://site.example.com > >> -provider=ActiveDirectory >> -user= user.name >> < http://user.name > < http://user.name > >> < http://user.name > < http://user.name > >> < http://user.name > -interactive >> >> >> engine-manage-domains -action=add >> -domain=a_domain >> -provider=ActiveDirectory >> -user= user.name(a)company.com >> <mailto: user.name(a)company.com > >> <mailto: user.name(a)company.com >> <mailto: user.name(a)company.com > > >> <mailto: user.name(a)company.com <mailto: user.name(a)company.com > >> <mailto: user.name(a)company.com >> <mailto: user.name(a)company.com > >__> >> <mailto: user.name(a)company.com >> <mailto: user.name(a)company.com > >> <mailto: user.name(a)company.com >> <mailto: user.name(a)company.com > > >> <mailto: user.name(a)company.com >> <mailto: user.name(a)company.com > >> <mailto: user.name(a)company.com >> <mailto: user.name(a)company.com > >__>__> >> <mailto: user.name(a)company.com >> <mailto: user.name(a)company.com > >> <mailto: user.name(a)company.com >> <mailto: user.name(a)company.com > > >> <mailto: user.name(a)company.com >> <mailto: user.name(a)company.com > >> <mailto: user.name(a)company.com >> <mailto: user.name(a)company.com > >__> >> >> <mailto: user.name(a)company.com >> <mailto: user.name(a)company.com > >> <mailto: user.name(a)company.com >> <mailto: user.name(a)company.com > > >> <mailto: user.name(a)company.com >> <mailto: user.name(a)company.com > >> <mailto: user.name(a)company.com >> <mailto: user.name(a)company.com > >__>__>__> -interactive >> >> >> engine-manage-domains -action=add >> -domain=a_domain >> -provider=ActiveDirectory >> -user=user.name(a)site.example._ _______com >> >> >> <mailto: user.name@site >> <mailto: user.name@site >. >> <mailto: user.name@site >> <mailto: user.name@site >.>__ exa m__p__le.com >> < http://examp__le.com > < http://example.com > >> <mailto: user.name@site . >> <mailto: user.name@site .>__ exam p__le.com < http://example.com > >> <mailto: user.name@site. __ examp le.com >> <mailto: user.name@site. example.com >>>> >> <mailto: user.name@site >> <mailto: user.name@site > >> >> <mailto: user.name@site <mailto: user.name@site >>. >> <mailto: user.name@site <mailto: user.name@site > >> <mailto: user.name@site >> <mailto: user.name@site >>.>__ ex a__m__p__le.com >> < http://exam__p__le.com > >> >> >> < http://examp__le.com > < http://example.com > >> >> >> >> <mailto: user.name@site >> <mailto: user.name@site >. >> <mailto: user.name@site >> <mailto: user.name@site >.>__ exa m__p__le.com >> < http://examp__le.com > < http://example.com > >> <mailto: user.name@site . >> <mailto: user.name@site .>__ exam p__le.com < http://example.com > >> <mailto: user.name@site. __ examp le.com >> <mailto: user.name@site. example.com >>>>> -interactive >> >> >> You don't add an user this way. >> You add the >> domain. You >> have to >> pass the >> domain admin user and the domain >> admin password. >> >> >> any domain user will do, doesn't have >> to be an admin. >> what does the log say? >> >> >> Then you can use the domain >> within the engine. >> e.g. search >> users, add >> access rights for vms etc. >> Even login to the engine and >> assigning rights >> within >> the engine >> you can >> handle from the engine itself. >> >> Regards, >> >> And the output on all tries: >> Enter password: >> >> Error: Authentication Failed. >> Please >> verify the fully >> qualified domain >> name that is used for >> authentication is >> correct.. >> Problematic domain >> is: domain_used_in_command >> Failure while applying Kerberos >> configuration. Details: >> Authentication >> Failed. Please verify the >> fully qualified >> domain >> name that >> is used for >> authentication is correct. >> >> Can someone help me with the >> correct >> parameters? >> >> >> Best regards, >> Cristian Falcas >> >> >> >> >> ______________________________ _________________________ >> >> >> Users mailing list >> Users(a)ovirt.org <mailto: Users(a)ovirt.org > >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>> >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> >> <mailto: Users(a)ovirt.org >> <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org >> <mailto: Users(a)ovirt.org >>>> >> http://lists.ovirt.org/_______ _mailman/listinfo/users >> < http://lists.ovirt.org/______ mailman/listinfo/users > >> >> >> >> < http://lists.ovirt.org/______ mailman/listinfo/users >> < http://lists.ovirt.org/____ mailman/listinfo/users >> >> >> >> < http://lists.ovirt.org/______ mailman/listinfo/users >> < http://lists.ovirt.org/____ mailman/listinfo/users > >> < http://lists.ovirt.org/____ mailman/listinfo/users >> < http://lists.ovirt.org/__ mailman/listinfo/users >>> >> >> >> >> >> < http://lists.ovirt.org/______ mailman/listinfo/users >> < http://lists.ovirt.org/____ mailman/listinfo/users > >> < http://lists.ovirt.org/____ mailman/listinfo/users >> < http://lists.ovirt.org/__ mailman/listinfo/users >> >> >> < http://lists.ovirt.org/____ mailman/listinfo/users >> < http://lists.ovirt.org/__ mailman/listinfo/users > >> < http://lists.ovirt.org/__ mailman/listinfo/users >> < http://lists.ovirt.org/ mailman/listinfo/users >>>> >> >> >> >> -- >> Regards, >> >> Vinzenz Feenstra | Senior >> Software Engineer >> RedHat Engineering Virtualization >> R & D >> Phone: +420 532 294 625 >> <tel:%2B420%20532%20294%20625> >> <tel:%2B420%20532%20294%20625> >> <tel:%2B420%20532%20294%20625> >> <tel:%2B420%20532%20294%20625> >> >> IRC: vfeenstr or evilissimo >> >> Better technology. Faster >> innovation. Powered >> by community >> collaboration. >> See how it works at redhat.com >> < http://redhat.com > >> < http://redhat.com > < http://redhat.com > >> < http://redhat.com > >> >> >> >> >> >> ______________________________ _________________________ >> >> >> Users mailing list >> Users(a)ovirt.org <mailto: Users(a)ovirt.org > >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>> >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> >> <mailto: Users(a)ovirt.org >> <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org >> <mailto: Users(a)ovirt.org >>>> >> http://lists.ovirt.org/_______ _mailman/listinfo/users >> < http://lists.ovirt.org/______ mailman/listinfo/users > >> >> >> < http://lists.ovirt.org/______ mailman/listinfo/users >> < http://lists.ovirt.org/____ mailman/listinfo/users >> >> >> >> < http://lists.ovirt.org/______ mailman/listinfo/users >> < http://lists.ovirt.org/____ mailman/listinfo/users > >> < http://lists.ovirt.org/____ mailman/listinfo/users >> < http://lists.ovirt.org/__ mailman/listinfo/users >>> >> >> >> < http://lists.ovirt.org/______ mailman/listinfo/users >> < http://lists.ovirt.org/____ mailman/listinfo/users > >> < http://lists.ovirt.org/____ mailman/listinfo/users >> < http://lists.ovirt.org/__ mailman/listinfo/users >> >> >> < http://lists.ovirt.org/____ mailman/listinfo/users >> < http://lists.ovirt.org/__ mailman/listinfo/users > >> < http://lists.ovirt.org/__ mailman/listinfo/users >> < http://lists.ovirt.org/ mailman/listinfo/users >>>> >> >> >> >> >> ______________________________ _________________________ >> >> >> Users mailing list >> Users(a)ovirt.org <mailto: Users(a)ovirt.org > >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>> >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> >> <mailto: Users(a)ovirt.org >> <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org >> <mailto: Users(a)ovirt.org >>>> >> http://lists.ovirt.org/_______ _mailman/listinfo/users >> < http://lists.ovirt.org/______ mailman/listinfo/users > >> >> >> < http://lists.ovirt.org/______ mailman/listinfo/users >> < http://lists.ovirt.org/____ mailman/listinfo/users >> >> >> < http://lists.ovirt.org/______ mailman/listinfo/users >> < http://lists.ovirt.org/____ mailman/listinfo/users > >> < http://lists.ovirt.org/____ mailman/listinfo/users >> < http://lists.ovirt.org/__ mailman/listinfo/users >>> >> >> >> >> >> < http://lists.ovirt.org/______ mailman/listinfo/users >> < http://lists.ovirt.org/____ mailman/listinfo/users > >> < http://lists.ovirt.org/____ mailman/listinfo/users >> < http://lists.ovirt.org/__ mailman/listinfo/users >> >> >> < http://lists.ovirt.org/____ mailman/listinfo/users >> < http://lists.ovirt.org/__ mailman/listinfo/users > >> < http://lists.ovirt.org/__ mailman/listinfo/users >> < http://lists.ovirt.org/ mailman/listinfo/users >>>> >> >> >> >> >> Hi, >> >> This is the command I used (the same error >> is with >> -interactive >> parameter): >> >> engine-manage-domains -action=add >> -domain= example.com < http://example.com > >> < http://example.com > >> < http://example.com > >> < http://example.com > -provider=ActiveDirectory >> -user=user.name@a_domain >> >> -passwordFile=/tmp/pass >> >> [root@localhost ~]# cat /tmp/pass >> qwerty[root@localhost ~]# >> >> This is the log: >> >> 2012-11-20 00:30:40,443 INFO >> >> >> [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] >> >> Creating >> >> >> kerberos >> configuration for domain(s): example.com >> < http://example.com > >> < http://example.com > < http://example.com > >> < http://example.com > >> >> 2012-11-20 00:30:40,525 INFO >> >> >> [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] >> >> >> Successfully >> >> created kerberos configuration for domain(s): >> example.com < http://example.com > < http://example.com > >> < http://example.com > >> < http://example.com > >> >> 2012-11-20 00:30:40,526 INFO >> >> >> [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] >> >> Testing >> >> >> kerberos >> configuration for domain: example.com >> < http://example.com > >> < http://example.com > < http://example.com > >> < http://example.com > >> >> 2012-11-20 00:30:40,830 ERROR >> >> >> [org.ovirt.engine.core.utils._ _____kerberos.__ KerberosConfigCheck] >> >> >> Error: >> >> exception message: Cannot locate KDC >> 2012-11-20 00:30:40,851 ERROR >> >> >> [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] >> >> >> Failure >> >> while >> >> testing domain example.com >> < http://example.com > < http://example.com > >> < http://example.com > >> < http://example.com >. Details: Kerberos >> >> error. Please check log for further details. >> >> >> Hi, the error indicates you don't have >> kerberos configured. >> manage-domains validates by default using >> GSSAPI/Kerberos (if I >> understand correctly, this is equivalent to >> run ldapsearch >> with -Y >> gssapi option). >> I wonder if -x (simple authentication) will >> work for you as >> well (as >> manage-domains contains code for simple >> authentication as >> well). >> >> >> >> This is the ldapsearch command that works >> (it retrieves >> users) >> from the >> same machine: >> >> >> >> ldapsearch -H ldap:// example.com >> < http://example.com > < http://example.com > >> < http://example.com > >> < http://example.com > -b >> >> dc=example,dc=com -D user.name@a_domain -w >> qwerty >> >> >> Best regards, >> Cristian Falcas >> >> >> >> >> >> ______________________________ _______________________ >> Users mailing list >> Users(a)ovirt.org <mailto: Users(a)ovirt.org > >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > >> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>> >> http://lists.ovirt.org/______ mailman/listinfo/users >> < http://lists.ovirt.org/____ mailman/listinfo/users > >> < http://lists.ovirt.org/____ mailman/listinfo/users >> < http://lists.ovirt.org/__ mailman/listinfo/users >> >> >> < http://lists.ovirt.org/____ mailman/listinfo/users >> < http://lists.ovirt.org/__ mailman/listinfo/users > >> < http://lists.ovirt.org/__ mailman/listinfo/users >> < http://lists.ovirt.org/ mailman/listinfo/users >>> >> >> >> >> >> Hi, >> >> >> I used "-x" for ldapsearch and the result is the >> same: list >> retrieved. >> Is there any equivalent for engine-manage-domains? >> >> Cristian >> >> Hi Christian, there is no code allowing to add >> simple-authentication >> domains to Manage-Domains. >> In the past we did have the ability to do that, but >> there are >> several problematic issues. >> What ldap server are you working against? Maybe I >> missed that >> >> >> >> >> Hi, >> >> The server is a Microfost AD 2003. >> >> Best regards, >> Cristian Falcas >> >> >> this should work, is the AD also the DNS server for the ovirt >> engine machine? >> >> >> >> yes >> >> >> >> >> >> Could you take a look at the tcp dump? There are only 2 messages >> relevant to this (let me know if you want the full dump): >> >> - 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV >> _kerberos._ tcp.EXAMPLE.COM >> - 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response >> SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 >> 100 88 site3.example.com >> >> Also, I tries to run ldapsearch with -Y gssapi: >> ldap_sasl_interactive_bind_s: Unknown authentication method (-6) >> additional info: SASL(-4): no mechanism available: No worthy mechs >> found >> >> Best regards, >> Cristian Falcas >> The SRV records look fine. >> If I remember correctly, your DNS should have a reverse-resolve PTR >> record to your engine machine. Does it exists? >> >> >> >> I don't think so (10.0.0.xx is engine machine, 10.0.0.yyy is dns): >> >> [root@localhost ~]# nslookup 10.0.0.xx >> Server: 10.0.0.yyy >> Address: 10.0.0.yyy#53 >> >> ** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN >> >> [root@localhost ~]# host 10.0.0.xx >> Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN) >> >> I will ask them to add a DNS record for the machine. >> >> Indeed do that. > In the engine we require both reverse-resolve PTR record, Kerberos SRV > record and LDAP SRV record. > Make sure you have all three in the DNS. > The PTR + Kerberos records are used for the kerberos authentication (and > constructing the krb5.conf file in the engine-manage-domains utility). > The LDAP SRV record is used for the directory queries (it is used in the > utility + the ovirt engine, to look for LDAP servers). > Yair - sounds like we need a how to troubleshoot AD issues?

Hi, So, after all, I was using the wrong domain. In my company we use everywhere (web, email, etc) as the domain "a_domain" instead of the usual company.com. So it worked with: engine-manage-domains -action=add -domain=company.com-provider=ActiveDirectory -user= user.name -passwordFile=/tmp/pass Some steps I did for my investigation: 1. test if the domain has a kerberos service: host -t srv _kerberos._tcp.company.com 2. use kinit instead of engine-manage-domains (mush faster) cp /etc/ovirt-engine/krb5.conf /etc/ 3. test with: kinit user.name(a)company.com -V Just to let others know what errors I had and how I fixed them: 1. Client not found in Kerberos database while getting initial credentials: wrong user name 2. Cannot find KDC for requested realm: the realm you are using in the command line is not define in krb5.conf file. - at the beginning I was using kinit user.name@a_domain -V, but there was no a_domain realm defined. - check the file and try to update it or correct your kinit command in order to use the correct realm [realms] COMPANY.COM = { kdc = site1.company.com.:88 kdc = site2.company.com.:88 kdc = site3.company.com.:88 } 3. KDC reply did not match expectations while getting initial credentials: you may have the same realm in your command line and in the krb5.conf file, but the server thinks this is not correct. - use wireshark to see what realm the server has: protocol KRB5, messages AS-REQ and AS-REP Thank you for all your help. Cristian

Cristian Falcas

9:40 p.m.

On Wed, Nov 21, 2012 at 9:37 PM, Cristian Falcas <cristi.falcas(a)gmail.com>wrote:

...

On Wed, Nov 21, 2012 at 8:10 AM, Itamar Heim <iheim(a)redhat.com> wrote: > On 11/21/2012 08:09 AM, Oved Ourfalli wrote: > >> >> >> ----- Original Message ----- >> >>> From: "Cristian Falcas" <cristi.falcas(a)gmail.com> >>> To: "Yair Zaslavsky" <yzaslavs(a)redhat.com> >>> Cc: users(a)ovirt.org >>> Sent: Wednesday, November 21, 2012 6:40:34 AM >>> Subject: Re: [Users] I don't know how to add AD users >>> >>> >>> >>> >>> >>> >>> >>> On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky < yzaslavs(a)redhat.com >>> >>>> wrote: >>>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> From: "Cristian Falcas" < cristi.falcas(a)gmail.com > >>> To: "Itamar Heim" < iheim(a)redhat.com > >>> Cc: "Yair Zaslavsky" < yzaslavs(a)redhat.com >, users(a)ovirt.org >>> Sent: Tuesday, November 20, 2012 7:33:39 PM >>> >>> Subject: Re: [Users] I don't know how to add AD users >>> >>> >>> >>> >>> >>> >>> >>> >>> On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim < iheim(a)redhat.com > >>> wrote: >>> >>> >>> >>> On 11/20/2012 03:00 PM, Cristian Falcas wrote: >>> >>> >>> Hi, >>> >>> So there is no way to use the domain I have at work, right? >>> >>> I will need to make a freeipa installation in order to add new users. >>> >>> there is no reason this shouldn't work with active directory 2003 >>> (assuming its forest level isn't still in AD 2000 compatibility >>> mode?). >>> tcpdump for the traffic during engine-manage-domains should help >>> diagnosing why. >>> >>> >>> >>> >>> >>> Cristian >>> >>> >>> On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas >>> >>> < cristi.falcas(a)gmail.com <mailto: cristi.falcas@gmail. com >> wrote: >>> >>> >>> >>> >>> On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim < iheim(a)redhat.com >>> >>> <mailto: iheim(a)redhat.com >> wrote: >>> >>> On 11/20/2012 09:56 AM, Cristian Falcas wrote: >>> >>> >>> >>> >>> On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky >>> < yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com > >>> >>> >>> <mailto: yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com >>> >>> wrote: >>> >>> >>> >>> On 11/20/2012 09:05 AM, Cristian Falcas wrote: >>> >>> >>> >>> >>> On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky >>> < yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com > >>> <mailto: yzaslavs(a)redhat.com <mailto: yzaslavs(a)redhat.com >> >>> <mailto: yzaslavs(a)redhat.com >>> <mailto: yzaslavs(a)redhat.com > <mailto: yzaslavs(a)redhat.com >>> <mailto: yzaslavs(a)redhat.com >>> > wrote: >>> >>> >>> >>> On 11/20/2012 12:39 AM, Cristian Falcas wrote: >>> >>> >>> >>> On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim >>> < iheim(a)redhat.com <mailto: iheim(a)redhat.com > >>> <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com >> >>> <mailto: iheim(a)redhat.com >>> <mailto: iheim(a)redhat.com > <mailto: iheim(a)redhat.com >>> <mailto: iheim(a)redhat.com >>> >>> <mailto: iheim(a)redhat.com >>> <mailto: iheim(a)redhat.com > <mailto: iheim(a)redhat.com >>> <mailto: iheim(a)redhat.com >> >>> <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com > >>> <mailto: iheim(a)redhat.com <mailto: iheim(a)redhat.com >>>>> wrote: >>> >>> On 11/19/2012 11:29 AM, Vinzenz >>> Feenstra wrote: >>> >>> On 11/19/2012 10:01 AM, Cristian >>> Falcas wrote: >>> >>> Hi, >>> >>> I'm trying to add some users >>> to ovirt >>> using an AD. >>> >>> This is the configuration I >>> used for a >>> mediawiki >>> site, which is >>> working correctly: >>> $wgAuth = new >>> LdapAuthenticationPlugin(); >>> $wgLDAPUseLocal = true; >>> $wgLDAPDomainNames = array( >>> "a_domain"); >>> $wgLDAPServerNames = array( >>> "a_domain"=>" site.example.com >>> < http://site.example.com > < http://site.example.com > >>> < http://site.example.com > >>> < http://site.example.com > >>> < http://site.example.com >"); >>> >>> $wgLDAPEncryptionType = array( >>> "a_domain"=>"clear"); >>> $wgLDAPSearchStrings = array( >>> >>> "a_domain"=>"rom_domain\\USER- ________NAME"); >>> $wgLDAPBaseDNs = array( >>> "a_domain"=>"dc=company,dc=___ _____com"); >>> >>> >>> >>> >>> >>> >>> Those are the commands I >>> tried using: >>> engine-manage-domains -action=add >>> -domain= site.example.com >>> < http://site.example.com > < http://site.example.com > >>> < http://site.example.com > >>> < http://site.example.com > >>> < http://site.example.com > >>> -provider=ActiveDirectory >>> -user= user.name >>> < http://user.name > < http://user.name > >>> < http://user.name > < http://user.name > >>> < http://user.name > -interactive >>> >>> >>> engine-manage-domains -action=add >>> -domain=a_domain >>> -provider=ActiveDirectory >>> -user= user.name(a)company.com >>> <mailto: user.name(a)company.com > >>> <mailto: user.name(a)company.com >>> <mailto: user.name(a)company.com > > >>> <mailto: user.name(a)company.com <mailto: user.name(a)company.com > >>> <mailto: user.name(a)company.com >>> <mailto: user.name(a)company.com > >__> >>> <mailto: user.name(a)company.com >>> <mailto: user.name(a)company.com > >>> <mailto: user.name(a)company.com >>> <mailto: user.name(a)company.com > > >>> <mailto: user.name(a)company.com >>> <mailto: user.name(a)company.com > >>> <mailto: user.name(a)company.com >>> <mailto: user.name(a)company.com > >__>__> >>> <mailto: user.name(a)company.com >>> <mailto: user.name(a)company.com > >>> <mailto: user.name(a)company.com >>> <mailto: user.name(a)company.com > > >>> <mailto: user.name(a)company.com >>> <mailto: user.name(a)company.com > >>> <mailto: user.name(a)company.com >>> <mailto: user.name(a)company.com > >__> >>> >>> <mailto: user.name(a)company.com >>> <mailto: user.name(a)company.com > >>> <mailto: user.name(a)company.com >>> <mailto: user.name(a)company.com > > >>> <mailto: user.name(a)company.com >>> <mailto: user.name(a)company.com > >>> <mailto: user.name(a)company.com >>> <mailto: user.name(a)company.com > >__>__>__> -interactive >>> >>> >>> engine-manage-domains -action=add >>> -domain=a_domain >>> -provider=ActiveDirectory >>> -user=user.name(a)site.example._ _______com >>> >>> >>> <mailto: user.name@site >>> <mailto: user.name@site >. >>> <mailto: user.name@site >>> <mailto: user.name@site >.>__ exa m__p__le.com >>> < http://examp__le.com > < http://example.com > >>> <mailto: user.name@site . >>> <mailto: user.name@site .>__ exam p__le.com < http://example.com > >>> <mailto: user.name@site. __ examp le.com >>> <mailto: user.name@site. example.com >>>> >>> <mailto: user.name@site >>> <mailto: user.name@site > >>> >>> <mailto: user.name@site <mailto: user.name@site >>. >>> <mailto: user.name@site <mailto: user.name@site > >>> <mailto: user.name@site >>> <mailto: user.name@site >>.>__ ex a__m__p__le.com >>> < http://exam__p__le.com > >>> >>> >>> < http://examp__le.com > < http://example.com > >>> >>> >>> >>> <mailto: user.name@site >>> <mailto: user.name@site >. >>> <mailto: user.name@site >>> <mailto: user.name@site >.>__ exa m__p__le.com >>> < http://examp__le.com > < http://example.com > >>> <mailto: user.name@site . >>> <mailto: user.name@site .>__ exam p__le.com < http://example.com > >>> <mailto: user.name@site. __ examp le.com >>> <mailto: user.name@site. example.com >>>>> -interactive >>> >>> >>> You don't add an user this way. >>> You add the >>> domain. You >>> have to >>> pass the >>> domain admin user and the domain >>> admin password. >>> >>> >>> any domain user will do, doesn't have >>> to be an admin. >>> what does the log say? >>> >>> >>> Then you can use the domain >>> within the engine. >>> e.g. search >>> users, add >>> access rights for vms etc. >>> Even login to the engine and >>> assigning rights >>> within >>> the engine >>> you can >>> handle from the engine itself. >>> >>> Regards, >>> >>> And the output on all tries: >>> Enter password: >>> >>> Error: Authentication Failed. >>> Please >>> verify the fully >>> qualified domain >>> name that is used for >>> authentication is >>> correct.. >>> Problematic domain >>> is: domain_used_in_command >>> Failure while applying Kerberos >>> configuration. Details: >>> Authentication >>> Failed. Please verify the >>> fully qualified >>> domain >>> name that >>> is used for >>> authentication is correct. >>> >>> Can someone help me with the >>> correct >>> parameters? >>> >>> >>> Best regards, >>> Cristian Falcas >>> >>> >>> >>> >>> ______________________________ _________________________ >>> >>> >>> Users mailing list >>> Users(a)ovirt.org <mailto: Users(a)ovirt.org > >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>> >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> >>> <mailto: Users(a)ovirt.org >>> <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org >>> <mailto: Users(a)ovirt.org >>>> >>> http://lists.ovirt.org/_______ _mailman/listinfo/users >>> < http://lists.ovirt.org/______ mailman/listinfo/users > >>> >>> >>> >>> < http://lists.ovirt.org/______ mailman/listinfo/users >>> < http://lists.ovirt.org/____ mailman/listinfo/users >> >>> >>> >>> < http://lists.ovirt.org/______ mailman/listinfo/users >>> < http://lists.ovirt.org/____ mailman/listinfo/users > >>> < http://lists.ovirt.org/____ mailman/listinfo/users >>> < http://lists.ovirt.org/__ mailman/listinfo/users >>> >>> >>> >>> >>> >>> < http://lists.ovirt.org/______ mailman/listinfo/users >>> < http://lists.ovirt.org/____ mailman/listinfo/users > >>> < http://lists.ovirt.org/____ mailman/listinfo/users >>> < http://lists.ovirt.org/__ mailman/listinfo/users >> >>> >>> < http://lists.ovirt.org/____ mailman/listinfo/users >>> < http://lists.ovirt.org/__ mailman/listinfo/users > >>> < http://lists.ovirt.org/__ mailman/listinfo/users >>> < http://lists.ovirt.org/ mailman/listinfo/users >>>> >>> >>> >>> >>> -- >>> Regards, >>> >>> Vinzenz Feenstra | Senior >>> Software Engineer >>> RedHat Engineering Virtualization >>> R & D >>> Phone: +420 532 294 625 >>> <tel:%2B420%20532%20294%20625> >>> <tel:%2B420%20532%20294%20625> >>> <tel:%2B420%20532%20294%20625> >>> <tel:%2B420%20532%20294%20625> >>> >>> IRC: vfeenstr or evilissimo >>> >>> Better technology. Faster >>> innovation. Powered >>> by community >>> collaboration. >>> See how it works at redhat.com >>> < http://redhat.com > >>> < http://redhat.com > < http://redhat.com > >>> < http://redhat.com > >>> >>> >>> >>> >>> >>> ______________________________ _________________________ >>> >>> >>> Users mailing list >>> Users(a)ovirt.org <mailto: Users(a)ovirt.org > >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>> >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> >>> <mailto: Users(a)ovirt.org >>> <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org >>> <mailto: Users(a)ovirt.org >>>> >>> http://lists.ovirt.org/_______ _mailman/listinfo/users >>> < http://lists.ovirt.org/______ mailman/listinfo/users > >>> >>> >>> < http://lists.ovirt.org/______ mailman/listinfo/users >>> < http://lists.ovirt.org/____ mailman/listinfo/users >> >>> >>> >>> < http://lists.ovirt.org/______ mailman/listinfo/users >>> < http://lists.ovirt.org/____ mailman/listinfo/users > >>> < http://lists.ovirt.org/____ mailman/listinfo/users >>> < http://lists.ovirt.org/__ mailman/listinfo/users >>> >>> >>> >>> < http://lists.ovirt.org/______ mailman/listinfo/users >>> < http://lists.ovirt.org/____ mailman/listinfo/users > >>> < http://lists.ovirt.org/____ mailman/listinfo/users >>> < http://lists.ovirt.org/__ mailman/listinfo/users >> >>> >>> < http://lists.ovirt.org/____ mailman/listinfo/users >>> < http://lists.ovirt.org/__ mailman/listinfo/users > >>> < http://lists.ovirt.org/__ mailman/listinfo/users >>> < http://lists.ovirt.org/ mailman/listinfo/users >>>> >>> >>> >>> >>> >>> ______________________________ _________________________ >>> >>> >>> Users mailing list >>> Users(a)ovirt.org <mailto: Users(a)ovirt.org > >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>> >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> >>> <mailto: Users(a)ovirt.org >>> <mailto: Users(a)ovirt.org > <mailto: Users(a)ovirt.org >>> <mailto: Users(a)ovirt.org >>>> >>> http://lists.ovirt.org/_______ _mailman/listinfo/users >>> < http://lists.ovirt.org/______ mailman/listinfo/users > >>> >>> >>> < http://lists.ovirt.org/______ mailman/listinfo/users >>> < http://lists.ovirt.org/____ mailman/listinfo/users >> >>> >>> < http://lists.ovirt.org/______ mailman/listinfo/users >>> < http://lists.ovirt.org/____ mailman/listinfo/users > >>> < http://lists.ovirt.org/____ mailman/listinfo/users >>> < http://lists.ovirt.org/__ mailman/listinfo/users >>> >>> >>> >>> >>> >>> < http://lists.ovirt.org/______ mailman/listinfo/users >>> < http://lists.ovirt.org/____ mailman/listinfo/users > >>> < http://lists.ovirt.org/____ mailman/listinfo/users >>> < http://lists.ovirt.org/__ mailman/listinfo/users >> >>> >>> < http://lists.ovirt.org/____ mailman/listinfo/users >>> < http://lists.ovirt.org/__ mailman/listinfo/users > >>> < http://lists.ovirt.org/__ mailman/listinfo/users >>> < http://lists.ovirt.org/ mailman/listinfo/users >>>> >>> >>> >>> >>> >>> Hi, >>> >>> This is the command I used (the same error >>> is with >>> -interactive >>> parameter): >>> >>> engine-manage-domains -action=add >>> -domain= example.com < http://example.com > >>> < http://example.com > >>> < http://example.com > >>> < http://example.com > -provider=ActiveDirectory >>> -user=user.name@a_domain >>> >>> -passwordFile=/tmp/pass >>> >>> [root@localhost ~]# cat /tmp/pass >>> qwerty[root@localhost ~]# >>> >>> This is the log: >>> >>> 2012-11-20 00:30:40,443 INFO >>> >>> >>> [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] >>> >>> Creating >>> >>> >>> kerberos >>> configuration for domain(s): example.com >>> < http://example.com > >>> < http://example.com > < http://example.com > >>> < http://example.com > >>> >>> 2012-11-20 00:30:40,525 INFO >>> >>> >>> [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] >>> >>> >>> Successfully >>> >>> created kerberos configuration for domain(s): >>> example.com < http://example.com > < http://example.com > >>> < http://example.com > >>> < http://example.com > >>> >>> 2012-11-20 00:30:40,526 INFO >>> >>> >>> [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] >>> >>> Testing >>> >>> >>> kerberos >>> configuration for domain: example.com >>> < http://example.com > >>> < http://example.com > < http://example.com > >>> < http://example.com > >>> >>> 2012-11-20 00:30:40,830 ERROR >>> >>> >>> [org.ovirt.engine.core.utils._ _____kerberos.__ KerberosConfigCheck] >>> >>> >>> Error: >>> >>> exception message: Cannot locate KDC >>> 2012-11-20 00:30:40,851 ERROR >>> >>> >>> [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] >>> >>> >>> Failure >>> >>> while >>> >>> testing domain example.com >>> < http://example.com > < http://example.com > >>> < http://example.com > >>> < http://example.com >. Details: Kerberos >>> >>> error. Please check log for further details. >>> >>> >>> Hi, the error indicates you don't have >>> kerberos configured. >>> manage-domains validates by default using >>> GSSAPI/Kerberos (if I >>> understand correctly, this is equivalent to >>> run ldapsearch >>> with -Y >>> gssapi option). >>> I wonder if -x (simple authentication) will >>> work for you as >>> well (as >>> manage-domains contains code for simple >>> authentication as >>> well). >>> >>> >>> >>> This is the ldapsearch command that works >>> (it retrieves >>> users) >>> from the >>> same machine: >>> >>> >>> >>> ldapsearch -H ldap:// example.com >>> < http://example.com > < http://example.com > >>> < http://example.com > >>> < http://example.com > -b >>> >>> dc=example,dc=com -D user.name@a_domain -w >>> qwerty >>> >>> >>> Best regards, >>> Cristian Falcas >>> >>> >>> >>> >>> >>> ______________________________ _______________________ >>> Users mailing list >>> Users(a)ovirt.org <mailto: Users(a)ovirt.org > >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >> >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org > >>> <mailto: Users(a)ovirt.org <mailto: Users(a)ovirt.org >>> >>> http://lists.ovirt.org/______ mailman/listinfo/users >>> < http://lists.ovirt.org/____ mailman/listinfo/users > >>> < http://lists.ovirt.org/____ mailman/listinfo/users >>> < http://lists.ovirt.org/__ mailman/listinfo/users >> >>> >>> < http://lists.ovirt.org/____ mailman/listinfo/users >>> < http://lists.ovirt.org/__ mailman/listinfo/users > >>> < http://lists.ovirt.org/__ mailman/listinfo/users >>> < http://lists.ovirt.org/ mailman/listinfo/users >>> >>> >>> >>> >>> >>> Hi, >>> >>> >>> I used "-x" for ldapsearch and the result is the >>> same: list >>> retrieved. >>> Is there any equivalent for engine-manage-domains? >>> >>> Cristian >>> >>> Hi Christian, there is no code allowing to add >>> simple-authentication >>> domains to Manage-Domains. >>> In the past we did have the ability to do that, but >>> there are >>> several problematic issues. >>> What ldap server are you working against? Maybe I >>> missed that >>> >>> >>> >>> >>> Hi, >>> >>> The server is a Microfost AD 2003. >>> >>> Best regards, >>> Cristian Falcas >>> >>> >>> this should work, is the AD also the DNS server for the ovirt >>> engine machine? >>> >>> >>> >>> yes >>> >>> >>> >>> >>> >>> Could you take a look at the tcp dump? There are only 2 messages >>> relevant to this (let me know if you want the full dump): >>> >>> - 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV >>> _kerberos._ tcp.EXAMPLE.COM >>> - 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response >>> SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 >>> 100 88 site3.example.com >>> >>> Also, I tries to run ldapsearch with -Y gssapi: >>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6) >>> additional info: SASL(-4): no mechanism available: No worthy mechs >>> found >>> >>> Best regards, >>> Cristian Falcas >>> The SRV records look fine. >>> If I remember correctly, your DNS should have a reverse-resolve PTR >>> record to your engine machine. Does it exists? >>> >>> >>> >>> I don't think so (10.0.0.xx is engine machine, 10.0.0.yyy is dns): >>> >>> [root@localhost ~]# nslookup 10.0.0.xx >>> Server: 10.0.0.yyy >>> Address: 10.0.0.yyy#53 >>> >>> ** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN >>> >>> [root@localhost ~]# host 10.0.0.xx >>> Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN) >>> >>> I will ask them to add a DNS record for the machine. >>> >>> Indeed do that. >> In the engine we require both reverse-resolve PTR record, Kerberos SRV >> record and LDAP SRV record. >> Make sure you have all three in the DNS. >> The PTR + Kerberos records are used for the kerberos authentication (and >> constructing the krb5.conf file in the engine-manage-domains utility). >> The LDAP SRV record is used for the directory queries (it is used in the >> utility + the ovirt engine, to look for LDAP servers). >> > > > Yair - sounds like we need a how to troubleshoot AD issues? > > > Hi, So, after all, I was using the wrong domain. In my company we use everywhere (web, email, etc) as the domain "a_domain" instead of the usual company.com. So it worked with: engine-manage-domains -action=add -domain=company.com-provider=ActiveDirectory -user= user.name -passwordFile=/tmp/pass Some steps I did for my investigation: 1. test if the domain has a kerberos service: host -t srv _kerberos._tcp.company.com 2. use kinit instead of engine-manage-domains (mush faster) cp /etc/ovirt-engine/krb5.conf /etc/ 3. test with: kinit user.name(a)company.com -V Just to let others know what errors I had and how I fixed them: 1. Client not found in Kerberos database while getting initial credentials: wrong user name 2. Cannot find KDC for requested realm: the realm you are using in the command line is not define in krb5.conf file. - at the beginning I was using kinit user.name@a_domain -V, but there was no a_domain realm defined. - check the file and try to update it or correct your kinit command in order to use the correct realm [realms] COMPANY.COM = { kdc = site1.company.com.:88 kdc = site2.company.com.:88 kdc = site3.company.com.:88 } 3. KDC reply did not match expectations while getting initial credentials: you may have the same realm in your command line and in the krb5.conf file, but the server thinks this is not correct. - use wireshark to see what realm the server has: protocol KRB5, messages AS-REQ and AS-REP Thank you for all your help. Cristian

I forgot. Use this kinit command for tests instead: kinit user.name Because I was using the realm in the command line I had all of the above problems

Itamar Heim

10:49 p.m.

On 11/21/2012 09:40 PM, Cristian Falcas wrote:

...

On Wed, Nov 21, 2012 at 9:37 PM, Cristian Falcas <cristi.falcas(a)gmail.com <mailto:cristi.falcas@gmail.com>> wrote: On Wed, Nov 21, 2012 at 8:10 AM, Itamar Heim <iheim(a)redhat.com <mailto:iheim@redhat.com>> wrote: On 11/21/2012 08:09 AM, Oved Ourfalli wrote: ----- Original Message ----- From: "Cristian Falcas" <cristi.falcas(a)gmail.com <mailto:cristi.falcas@gmail.com>> To: "Yair Zaslavsky" <yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com>> Cc: users(a)ovirt.org <mailto:users@ovirt.org> Sent: Wednesday, November 21, 2012 6:40:34 AM Subject: Re: [Users] I don't know how to add AD users On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky < yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> wrote: From: "Cristian Falcas" < cristi.falcas(a)gmail.com <mailto:cristi.falcas@gmail.com> > To: "Itamar Heim" < iheim(a)redhat.com <mailto:iheim@redhat.com> > Cc: "Yair Zaslavsky" < yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> >, users(a)ovirt.org <mailto:users@ovirt.org> Sent: Tuesday, November 20, 2012 7:33:39 PM Subject: Re: [Users] I don't know how to add AD users On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim < iheim(a)redhat.com <mailto:iheim@redhat.com> > wrote: On 11/20/2012 03:00 PM, Cristian Falcas wrote: Hi, So there is no way to use the domain I have at work, right? I will need to make a freeipa installation in order to add new users. there is no reason this shouldn't work with active directory 2003 (assuming its forest level isn't still in AD 2000 compatibility mode?). tcpdump for the traffic during engine-manage-domains should help diagnosing why. Cristian On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas < cristi.falcas(a)gmail.com <mailto:cristi.falcas@gmail.com> <mailto: cristi.falcas@gmail. com >> wrote: On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim < iheim(a)redhat.com <mailto:iheim@redhat.com> <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> >> wrote: On 11/20/2012 09:56 AM, Cristian Falcas wrote: On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky < yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> <mailto: yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> > <mailto: yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> <mailto: yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> >>> wrote: On 11/20/2012 09:05 AM, Cristian Falcas wrote: On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky < yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> <mailto: yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> > <mailto: yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> <mailto: yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> >> <mailto: yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> <mailto: yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> > <mailto: yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> <mailto: yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> >>> > wrote: On 11/20/2012 12:39 AM, Cristian Falcas wrote: On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim < iheim(a)redhat.com <mailto:iheim@redhat.com> <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> >> <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> >>> <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> >> <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> >>>>> wrote: On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote: On 11/19/2012 10:01 AM, Cristian Falcas wrote: Hi, I'm trying to add some users to ovirt using an AD. This is the configuration I used for a mediawiki site, which is working correctly: $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPUseLocal = true; $wgLDAPDomainNames = array( "a_domain"); $wgLDAPServerNames = array( "a_domain"=>" site.example.com <http://site.example.com> < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com >"); $wgLDAPEncryptionType = array( "a_domain"=>"clear"); $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER- ________NAME"); $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=___ _____com"); Those are the commands I tried using: engine-manage-domains -action=add -domain= site.example.com <http://site.example.com> < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com > -provider=ActiveDirectory -user= user.name <http://user.name> < http://user.name > < http://user.name > < http://user.name > < http://user.name > < http://user.name > -interactive engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user= user.name(a)company.com <mailto:user.name@company.com> <mailto: user.name(a)company.com <mailto:user.name@company.com> > <mailto: user.name(a)company.com <mailto:user.name@company.com> <mailto: user.name(a)company.com <mailto:user.name@company.com> > > <mailto: user.name(a)company.com <mailto:user.name@company.com> <mailto: user.name(a)company.com <mailto:user.name@company.com> > <mailto: user.name(a)company.com <mailto:user.name@company.com> <mailto: user.name(a)company.com <mailto:user.name@company.com> > >__> <mailto: user.name(a)company.com <mailto:user.name@company.com> <mailto: user.name(a)company.com <mailto:user.name@company.com> > <mailto: user.name(a)company.com <mailto:user.name@company.com> <mailto: user.name(a)company.com <mailto:user.name@company.com> > > <mailto: user.name(a)company.com <mailto:user.name@company.com> <mailto: user.name(a)company.com <mailto:user.name@company.com> > <mailto: user.name(a)company.com <mailto:user.name@company.com> <mailto: user.name(a)company.com <mailto:user.name@company.com> > >__>__> <mailto: user.name(a)company.com <mailto:user.name@company.com> <mailto: user.name(a)company.com <mailto:user.name@company.com> > <mailto: user.name(a)company.com <mailto:user.name@company.com> <mailto: user.name(a)company.com <mailto:user.name@company.com> > > <mailto: user.name(a)company.com <mailto:user.name@company.com> <mailto: user.name(a)company.com <mailto:user.name@company.com> > <mailto: user.name(a)company.com <mailto:user.name@company.com> <mailto: user.name(a)company.com <mailto:user.name@company.com> > >__> <mailto: user.name(a)company.com <mailto:user.name@company.com> <mailto: user.name(a)company.com <mailto:user.name@company.com> > <mailto: user.name(a)company.com <mailto:user.name@company.com> <mailto: user.name(a)company.com <mailto:user.name@company.com> > > <mailto: user.name(a)company.com <mailto:user.name@company.com> <mailto: user.name(a)company.com <mailto:user.name@company.com> > <mailto: user.name(a)company.com <mailto:user.name@company.com> <mailto: user.name(a)company.com <mailto:user.name@company.com> > >__>__>__> -interactive engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name(a)site.example._ _______com <mailto: user.name@site <mailto: user.name@site >. <mailto: user.name@site <mailto: user.name@site >.>__ exa m__p__le.com <http://m__p__le.com> < http://examp__le.com > < http://example.com > <mailto: user.name@site . <mailto: user.name@site .>__ exam p__le.com <http://p__le.com> < http://example.com > <mailto: user.name@site. __ examp le.com <http://le.com> <mailto: user.name@site. example.com <http://example.com> >>>> <mailto: user.name@site <mailto: user.name@site > <mailto: user.name@site <mailto: user.name@site >>. <mailto: user.name@site <mailto: user.name@site > <mailto: user.name@site <mailto: user.name@site >>.>__ ex a__m__p__le.com <http://a__m__p__le.com> < http://exam__p__le.com > < http://examp__le.com > < http://example.com > <mailto: user.name@site <mailto: user.name@site >. <mailto: user.name@site <mailto: user.name@site >.>__ exa m__p__le.com <http://m__p__le.com> < http://examp__le.com > < http://example.com > <mailto: user.name@site . <mailto: user.name@site .>__ exam p__le.com <http://p__le.com> < http://example.com > <mailto: user.name@site. __ examp le.com <http://le.com> <mailto: user.name@site. example.com <http://example.com> >>>>> -interactive You don't add an user this way. You add the domain. You have to pass the domain admin user and the domain admin password. any domain user will do, doesn't have to be an admin. what does the log say? Then you can use the domain within the engine. e.g. search users, add access rights for vms etc. Even login to the engine and assigning rights within the engine you can handle from the engine itself. Regards, And the output on all tries: Enter password: Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct. Can someone help me with the correct parameters? Best regards, Cristian Falcas ______________________________ _________________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >>> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >>>> http://lists.ovirt.org/_______ _mailman/listinfo/users < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users >> < http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>> < http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >> < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users < http://lists.ovirt.org/ mailman/listinfo/users >>>> -- Regards, Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625 <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> IRC: vfeenstr or evilissimo Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com <http://redhat.com> < http://redhat.com > < http://redhat.com > < http://redhat.com > < http://redhat.com > ______________________________ _________________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >>> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >>>> http://lists.ovirt.org/_______ _mailman/listinfo/users < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users >> < http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>> < http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >> < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users < http://lists.ovirt.org/ mailman/listinfo/users >>>> ______________________________ _________________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >>> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >>>> http://lists.ovirt.org/_______ _mailman/listinfo/users < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users >> < http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>> < http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >> < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users < http://lists.ovirt.org/ mailman/listinfo/users >>>> Hi, This is the command I used (the same error is with -interactive parameter): engine-manage-domains -action=add -domain= example.com <http://example.com> < http://example.com > < http://example.com > < http://example.com > < http://example.com > -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass [root@localhost ~]# cat /tmp/pass qwerty[root@localhost ~]# This is the log: 2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com <http://example.com> < http://example.com > < http://example.com > < http://example.com > < http://example.com > 2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com <http://example.com> < http://example.com > < http://example.com > < http://example.com > < http://example.com > 2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] Testing kerberos configuration for domain: example.com <http://example.com> < http://example.com > < http://example.com > < http://example.com > < http://example.com > 2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils._ _____kerberos.__ KerberosConfigCheck] Error: exception message: Cannot locate KDC 2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains] Failure while testing domain example.com <http://example.com> < http://example.com > < http://example.com > < http://example.com > < http://example.com >. Details: Kerberos error. Please check log for further details. Hi, the error indicates you don't have kerberos configured. manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to run ldapsearch with -Y gssapi option). I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well). This is the ldapsearch command that works (it retrieves users) from the same machine: ldapsearch -H ldap:// example.com <http://example.com> < http://example.com > < http://example.com > < http://example.com > < http://example.com > -b dc=example,dc=com -D user.name@a_domain -w qwerty Best regards, Cristian Falcas ______________________________ _______________________ Users mailing list Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >>> http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >> < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users < http://lists.ovirt.org/ mailman/listinfo/users >>> Hi, I used "-x" for ldapsearch and the result is the same: list retrieved. Is there any equivalent for engine-manage-domains? Cristian Hi Christian, there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues. What ldap server are you working against? Maybe I missed that Hi, The server is a Microfost AD 2003. Best regards, Cristian Falcas this should work, is the AD also the DNS server for the ovirt engine machine? yes Could you take a look at the tcp dump? There are only 2 messages relevant to this (let me know if you want the full dump): - 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV _kerberos._ tcp.EXAMPLE.COM <http://tcp.EXAMPLE.COM> - 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response SRV 0 100 88 site1.example.com <http://site1.example.com> SRV 0 100 88 site2.example.com <http://site2.example.com> SRV 0 100 88 site3.example.com <http://site3.example.com> Also, I tries to run ldapsearch with -Y gssapi: ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: No worthy mechs found Best regards, Cristian Falcas The SRV records look fine. If I remember correctly, your DNS should have a reverse-resolve PTR record to your engine machine. Does it exists? I don't think so (10.0.0.xx is engine machine, 10.0.0.yyy is dns): [root@localhost ~]# nslookup 10.0.0.xx Server: 10.0.0.yyy Address: 10.0.0.yyy#53 ** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN [root@localhost ~]# host 10.0.0.xx Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN) I will ask them to add a DNS record for the machine. Indeed do that. In the engine we require both reverse-resolve PTR record, Kerberos SRV record and LDAP SRV record. Make sure you have all three in the DNS. The PTR + Kerberos records are used for the kerberos authentication (and constructing the krb5.conf file in the engine-manage-domains utility). The LDAP SRV record is used for the directory queries (it is used in the utility + the ovirt engine, to look for LDAP servers). Yair - sounds like we need a how to troubleshoot AD issues? Hi, So, after all, I was using the wrong domain. In my company we use everywhere (web, email, etc) as the domain "a_domain" instead of the usual company.com <http://company.com>;. So it worked with: engine-manage-domains -action=add -domain=company.com <http://company.com> -provider=ActiveDirectory -user=user.name <http://user.name> -passwordFile=/tmp/pass Some steps I did for my investigation: 1. test if the domain has a kerberos service: host -t srv _kerberos._tcp.company.com <http://tcp.company.com> 2. use kinit instead of engine-manage-domains (mush faster) cp /etc/ovirt-engine/krb5.conf /etc/ 3. test with: kinit user.name(a)company.com <mailto:user.name@company.com> -V Just to let others know what errors I had and how I fixed them: 1. Client not found in Kerberos database while getting initial credentials: wrong user name 2. Cannot find KDC for requested realm: the realm you are using in the command line is not define in krb5.conf file. - at the beginning I was using kinit user.name@a_domain -V, but there was no a_domain realm defined. - check the file and try to update it or correct your kinit command in order to use the correct realm [realms] COMPANY.COM <http://COMPANY.COM> = { kdc = site1.company.com.:88 kdc = site2.company.com.:88 kdc = site3.company.com.:88 } 3. KDC reply did not match expectations while getting initial credentials: you may have the same realm in your command line and in the krb5.conf file, but the server thinks this is not correct. - use wireshark to see what realm the server has: protocol KRB5, messages AS-REQ and AS-REP Thank you for all your help. Cristian I forgot. Use this kinit command for tests instead: kinit user.name <http://user.name> Because I was using the realm in the command line I had all of the above problems

do you mind adding these to a wiki for steps to troubleshoot for the next one to tackle this? thanks, Itamar

Cristian Falcas

10:58 p.m.

On Wed, Nov 21, 2012 at 10:49 PM, Itamar Heim <iheim(a)redhat.com> wrote:

...

On 11/21/2012 09:40 PM, Cristian Falcas wrote: > > > > On Wed, Nov 21, 2012 at 9:37 PM, Cristian Falcas > <cristi.falcas(a)gmail.com <mailto:cristi.falcas@gmail.**com<cristi.falcas@gmail.com>>> > wrote: > > > > > On Wed, Nov 21, 2012 at 8:10 AM, Itamar Heim <iheim(a)redhat.com > <mailto:iheim@redhat.com>> wrote: > > On 11/21/2012 08:09 AM, Oved Ourfalli wrote: > > > > ----- Original Message ----- > > From: "Cristian Falcas" <cristi.falcas(a)gmail.com > <mailto:cristi.falcas@gmail.**com<cristi.falcas@gmail.com> > >> > To: "Yair Zaslavsky" <yzaslavs(a)redhat.com > <mailto:yzaslavs@redhat.com>> > Cc: users(a)ovirt.org <mailto:users@ovirt.org> > > Sent: Wednesday, November 21, 2012 6:40:34 AM > Subject: Re: [Users] I don't know how to add AD users > > > > > > > > On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky < > yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> > > > wrote: > > > > > > > > > > > From: "Cristian Falcas" < cristi.falcas(a)gmail.com > <mailto:cristi.falcas@gmail.**com<cristi.falcas@gmail.com>> > > > To: "Itamar Heim" < iheim(a)redhat.com > <mailto:iheim@redhat.com> > > Cc: "Yair Zaslavsky" < yzaslavs(a)redhat.com > <mailto:yzaslavs@redhat.com> >, users(a)ovirt.org > <mailto:users@ovirt.org> > > Sent: Tuesday, November 20, 2012 7:33:39 PM > > Subject: Re: [Users] I don't know how to add AD users > > > > > > > > > On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim < > iheim(a)redhat.com <mailto:iheim@redhat.com> > > > wrote: > > > > On 11/20/2012 03:00 PM, Cristian Falcas wrote: > > > Hi, > > So there is no way to use the domain I have at work, > right? > > I will need to make a freeipa installation in order to > add new users. > > there is no reason this shouldn't work with active > directory 2003 > (assuming its forest level isn't still in AD 2000 > compatibility > mode?). > tcpdump for the traffic during engine-manage-domains > should help > diagnosing why. > > > > > > Cristian > > > On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas > > < cristi.falcas(a)gmail.com > <mailto:cristi.falcas@gmail.**com<cristi.falcas@gmail.com>> > <mailto: > > cristi.falcas@gmail. com >> wrote: > > > > > On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim < > iheim(a)redhat.com <mailto:iheim@redhat.com> > > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> >> > wrote: > > On 11/20/2012 09:56 AM, Cristian Falcas wrote: > > > > > On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky > < yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> > <mailto: yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> > > > > > <mailto: yzaslavs(a)redhat.com > <mailto:yzaslavs@redhat.com> <mailto: > yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> >>> > wrote: > > > > On 11/20/2012 09:05 AM, Cristian Falcas wrote: > > > > > On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky > < yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> > <mailto: yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> > > > <mailto: yzaslavs(a)redhat.com > <mailto:yzaslavs@redhat.com> <mailto: > yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> >> > <mailto: yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> > <mailto: yzaslavs(a)redhat.com > <mailto:yzaslavs@redhat.com> > <mailto: > yzaslavs(a)redhat.com <mailto:yzaslavs@redhat.com> > <mailto: yzaslavs(a)redhat.com > <mailto:yzaslavs@redhat.com> >>> > wrote: > > > > On 11/20/2012 12:39 AM, Cristian Falcas wrote: > > > > On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim > < iheim(a)redhat.com <mailto:iheim@redhat.com> <mailto: > iheim(a)redhat.com <mailto:iheim@redhat.com> > > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> >> > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> > > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> >>> > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> > > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> >> > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> > > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> > <mailto: iheim(a)redhat.com <mailto:iheim@redhat.com> > >>>>> wrote: > > On 11/19/2012 11:29 AM, Vinzenz > Feenstra wrote: > > On 11/19/2012 10:01 AM, Cristian > Falcas wrote: > > Hi, > > I'm trying to add some users > to ovirt > using an AD. > > This is the configuration I > used for a > mediawiki > site, which is > working correctly: > $wgAuth = new > LdapAuthenticationPlugin(); > $wgLDAPUseLocal = true; > $wgLDAPDomainNames = array( > "a_domain"); > $wgLDAPServerNames = array( > "a_domain"=>" site.example.com <http://site.example.com> > < http://site.example.com > < http://site.example.com > > < http://site.example.com > > < http://site.example.com > > < http://site.example.com >"); > > $wgLDAPEncryptionType = array( > "a_domain"=>"clear"); > $wgLDAPSearchStrings = array( > > "a_domain"=>"rom_domain\\USER- ________NAME"); > $wgLDAPBaseDNs = array( > "a_domain"=>"dc=company,dc=___ _____com"); > > > > > > > Those are the commands I > tried using: > engine-manage-domains -action=add > -domain= site.example.com <http://site.example.com> > < http://site.example.com > < http://site.example.com > > < http://site.example.com > > < http://site.example.com > > < http://site.example.com > > -provider=ActiveDirectory > -user= user.name <http://user.name> > < http://user.name > < http://user.name > > < http://user.name > < http://user.name > > < http://user.name > -interactive > > > engine-manage-domains -action=add > -domain=a_domain > -provider=ActiveDirectory > -user= user.name(a)company.com <mailto: > user.name(a)company.com> > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > > > <mailto: user.name(a)company.com > <mailto:user.name@company.com> <mailto: > user.name(a)company.com <mailto:user.name@company.com> > > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > >__> > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > > > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > >__>__> > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > > > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > >__> > > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > > > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > <mailto: user.name(a)company.com > <mailto:user.name@company.com> > >__>__>__> -interactive > > > engine-manage-domains -action=add > -domain=a_domain > -provider=ActiveDirectory > -user=user.name(a)site.example._ _______com > > > <mailto: user.name@site > <mailto: user.name@site >. > <mailto: user.name@site > <mailto: user.name@site >.>__ exa m__p__le.com > <http://m__p__le.com> > > < http://examp__le.com > < http://example.com > > <mailto: user.name@site . > <mailto: user.name@site .>__ exam p__le.com > <http://p__le.com> < http://example.com > > <mailto: user.name@site. __ examp le.com <http://le.com> > <mailto: user.name@site. example.com > > <http://example.com> >>>> > <mailto: user.name@site > <mailto: user.name@site > > > <mailto: user.name@site <mailto: user.name@site >>. > <mailto: user.name@site <mailto: user.name@site > > <mailto: user.name@site > <mailto: user.name@site >>.>__ ex a__m__p__le.com > <http://a__m__p__le.com> > > < http://exam__p__le.com > > > > < http://examp__le.com > < http://example.com > > > > > <mailto: user.name@site > <mailto: user.name@site >. > <mailto: user.name@site > <mailto: user.name@site >.>__ exa m__p__le.com > <http://m__p__le.com> > > < http://examp__le.com > < http://example.com > > <mailto: user.name@site . > <mailto: user.name@site .>__ exam p__le.com > <http://p__le.com> < http://example.com > > <mailto: user.name@site. __ examp le.com <http://le.com> > <mailto: user.name@site. example.com > <http://example.com> >>>>> -interactive > > > > You don't add an user this way. > You add the > domain. You > have to > pass the > domain admin user and the domain > admin password. > > > any domain user will do, doesn't have > to be an admin. > what does the log say? > > > Then you can use the domain > within the engine. > e.g. search > users, add > access rights for vms etc. > Even login to the engine and > assigning rights > within > the engine > you can > handle from the engine itself. > > Regards, > > And the output on all tries: > Enter password: > > Error: Authentication Failed. > Please > verify the fully > qualified domain > name that is used for > authentication is > correct.. > Problematic domain > is: domain_used_in_command > Failure while applying Kerberos > configuration. Details: > Authentication > Failed. Please verify the > fully qualified > domain > name that > is used for > authentication is correct. > > Can someone help me with the > correct > parameters? > > > Best regards, > Cristian Falcas > > > > > ______________________________ _________________________ > > > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: > Users(a)ovirt.org <mailto:Users@ovirt.org> > > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >>> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >>>> > > http://lists.ovirt.org/_______ _mailman/listinfo/users > < http://lists.ovirt.org/______ mailman/listinfo/users > > > > > < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users >> > > > < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users >>> > > > > > < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users >> > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users > > < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/ mailman/listinfo/users >>>> > > > > -- > Regards, > > Vinzenz Feenstra | Senior > Software Engineer > RedHat Engineering Virtualization > R & D > Phone: +420 532 294 625 <tel:%2B420%20532%20294%20625> > <tel:%2B420%20532%20294%20625> > <tel:%2B420%20532%20294%20625> > <tel:%2B420%20532%20294%20625> > <tel:%2B420%20532%20294%20625> > > IRC: vfeenstr or evilissimo > > Better technology. Faster > innovation. Powered > by community > collaboration. > See how it works at redhat.com <http://redhat.com> > < http://redhat.com > > < http://redhat.com > < http://redhat.com > > < http://redhat.com > > > > > > > ______________________________ _________________________ > > > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: > Users(a)ovirt.org <mailto:Users@ovirt.org> > > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >>> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >>>> > > http://lists.ovirt.org/_______ _mailman/listinfo/users > < http://lists.ovirt.org/______ mailman/listinfo/users > > > > < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users >> > > > < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users >>> > > > < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users >> > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users > > < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/ mailman/listinfo/users >>>> > > > > > ______________________________ _________________________ > > > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: > Users(a)ovirt.org <mailto:Users@ovirt.org> > > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >>> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >>>> > > http://lists.ovirt.org/_______ _mailman/listinfo/users > < http://lists.ovirt.org/______ mailman/listinfo/users > > > > < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users >> > > < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users >>> > > > > > < http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users >> > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users > > < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/ mailman/listinfo/users >>>> > > > > > Hi, > > This is the command I used (the same error > is with > -interactive > parameter): > > engine-manage-domains -action=add > -domain= example.com <http://example.com> < > http://example.com > > < http://example.com > > < http://example.com > > < http://example.com > -provider=ActiveDirectory > -user=user.name@a_domain > > -passwordFile=/tmp/pass > > [root@localhost ~]# cat /tmp/pass > qwerty[root@localhost ~]# > > This is the log: > > 2012-11-20 00:30:40,443 INFO > > > [org.ovirt.engine.core.utils._ > _____kerberos.ManageDomains] > > Creating > > > kerberos > configuration for domain(s): example.com > <http://example.com> > < http://example.com > > < http://example.com > < http://example.com > > < http://example.com > > > 2012-11-20 00:30:40,525 INFO > > > [org.ovirt.engine.core.utils._ > _____kerberos.ManageDomains] > > > Successfully > > created kerberos configuration for domain(s): > example.com <http://example.com> < http://example.com > > < http://example.com > > < http://example.com > > < http://example.com > > > 2012-11-20 00:30:40,526 INFO > > > [org.ovirt.engine.core.utils._ > _____kerberos.ManageDomains] > > Testing > > > kerberos > configuration for domain: example.com <http://example.com > > > < http://example.com > > < http://example.com > < http://example.com > > < http://example.com > > > 2012-11-20 00:30:40,830 ERROR > > > [org.ovirt.engine.core.utils._ _____kerberos.__ > KerberosConfigCheck] > > > Error: > > exception message: Cannot locate KDC > 2012-11-20 00:30:40,851 ERROR > > > [org.ovirt.engine.core.utils._ > _____kerberos.ManageDomains] > > > Failure > > while > > testing domain example.com <http://example.com> > < http://example.com > < http://example.com > > < http://example.com > > < http://example.com >. Details: Kerberos > > error. Please check log for further details. > > > Hi, the error indicates you don't have > kerberos configured. > manage-domains validates by default using > GSSAPI/Kerberos (if I > understand correctly, this is equivalent to > run ldapsearch > with -Y > gssapi option). > I wonder if -x (simple authentication) will > work for you as > well (as > manage-domains contains code for simple > authentication as > well). > > > > This is the ldapsearch command that works > (it retrieves > users) > from the > same machine: > > > > ldapsearch -H ldap:// example.com <http://example.com> > < http://example.com > < http://example.com > > < http://example.com > > < http://example.com > -b > > dc=example,dc=com -D user.name@a_domain -w > qwerty > > > Best regards, > Cristian Falcas > > > > > > ______________________________ _______________________ > Users mailing list > Users(a)ovirt.org <mailto:Users@ovirt.org> <mailto: > Users(a)ovirt.org <mailto:Users@ovirt.org> > > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> > <mailto: Users(a)ovirt.org <mailto:Users@ovirt.org> >>> > http://lists.ovirt.org/______ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users >> > > < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users > > < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/ mailman/listinfo/users >>> > > > > > Hi, > > > I used "-x" for ldapsearch and the result is the > same: list > retrieved. > Is there any equivalent for engine-manage-domains? > > Cristian > > Hi Christian, there is no code allowing to add > simple-authentication > domains to Manage-Domains. > In the past we did have the ability to do that, but > there are > several problematic issues. > What ldap server are you working against? Maybe I > missed that > > > > > Hi, > > The server is a Microfost AD 2003. > > Best regards, > Cristian Falcas > > > this should work, is the AD also the DNS server for the > ovirt > engine machine? > > > > yes > > > > > > Could you take a look at the tcp dump? There are only 2 > messages > relevant to this (let me know if you want the full dump): > > - 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard > query SRV > _kerberos._ tcp.EXAMPLE.COM <http://tcp.EXAMPLE.COM> > > - 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard > query response > SRV 0 100 88 site1.example.com > <http://site1.example.com> SRV 0 100 88 > site2.example.com <http://site2.example.com> SRV 0 > 100 88 site3.example.com <http://site3.example.com> > > > Also, I tries to run ldapsearch with -Y gssapi: > ldap_sasl_interactive_bind_s: Unknown authentication > method (-6) > additional info: SASL(-4): no mechanism available: No > worthy mechs > found > > Best regards, > Cristian Falcas > The SRV records look fine. > If I remember correctly, your DNS should have a > reverse-resolve PTR > record to your engine machine. Does it exists? > > > > I don't think so (10.0.0.xx is engine machine, > 10.0.0.yyy is dns): > > [root@localhost ~]# nslookup 10.0.0.xx > Server: 10.0.0.yyy > Address: 10.0.0.yyy#53 > > ** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN > > [root@localhost ~]# host 10.0.0.xx > Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN) > > I will ask them to add a DNS record for the machine. > > Indeed do that. > In the engine we require both reverse-resolve PTR record, > Kerberos SRV record and LDAP SRV record. > Make sure you have all three in the DNS. > The PTR + Kerberos records are used for the kerberos > authentication (and constructing the krb5.conf file in the > engine-manage-domains utility). > The LDAP SRV record is used for the directory queries (it is > used in the utility + the ovirt engine, to look for LDAP > servers). > > > > Yair - sounds like we need a how to troubleshoot AD issues? > > > > > Hi, > > So, after all, I was using the wrong domain. In my company we use > everywhere (web, email, etc) as the domain "a_domain" instead of the > usual company.com <http://company.com>;. So it worked with: > > engine-manage-domains -action=add -domain=company.com > <http://company.com> -provider=ActiveDirectory -user=user.name > <http://user.name> -passwordFile=/tmp/pass > > > Some steps I did for my investigation: > > 1. test if the domain has a kerberos service: > > host -t srv _kerberos._tcp.company.com <http://tcp.company.com> > > > 2. use kinit instead of engine-manage-domains (mush faster) > cp /etc/ovirt-engine/krb5.conf /etc/ > > 3. test with: > kinit user.name(a)company.com <mailto:user.name@company.com> -V > > > > Just to let others know what errors I had and how I fixed them: > > 1. Client not found in Kerberos database while getting initial > credentials: wrong user name > > 2. Cannot find KDC for requested realm: the realm you are using in > the command line is not define in krb5.conf file. > > - at the beginning I was using kinit user.name@a_domain -V, but > there was no a_domain realm defined. > - check the file and try to update it or correct your kinit command > in order to use the correct realm > > [realms] > COMPANY.COM <http://COMPANY.COM> = { > > kdc = site1.company.com.:88 > kdc = site2.company.com.:88 > kdc = site3.company.com.:88 > } > > > > 3. KDC reply did not match expectations while getting initial > credentials: you may have the same realm in your command line and in > the krb5.conf file, but the server thinks this is not correct. > - use wireshark to see what realm the server has: protocol KRB5, > messages AS-REQ and AS-REP > > Thank you for all your help. > > Cristian > > > > I forgot. Use this kinit command for tests instead: > > kinit user.name <http://user.name> > > > Because I was using the realm in the command line I had all of the above > problems > do you mind adding these to a wiki for steps to troubleshoot for the next one to tackle this? thanks, Itamar

I'm glad to help. Can someone help me with an account?

Itamar Heim

11:10 p.m.

On 11/21/2012 10:58 PM, Cristian Falcas wrote:

...

I'm glad to help. Can someone help me with an account?

http://wiki.ovirt.org/wiki/Special:RequestAccount

4385

days inactive

4387

days old

users@ovirt.org

Manage subscription

23 comments

5 participants

tags (0)

participants (5)

Cristian Falcas
Itamar Heim
Oved Ourfalli
Vinzenz Feenstra
Yair Zaslavsky

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

[Users] I don't know how to add AD users