
On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
From: "Cristian Falcas" <cristi.falcas@gmail.com>
To: "Itamar Heim" <iheim@redhat.com>
Cc: "Yair Zaslavsky" <yzaslavs@redhat.com>, users@ovirt.org
Sent: Tuesday, November 20, 2012 7:33:39 PM
Subject: Re: [Users] I don't know how to add AD users
On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim <iheim@redhat.com> wrote:
On 11/20/2012 03:00 PM, Cristian Falcas wrote:
Hi,
So there is no way to use the domain I have at work, right?
I will need to make a freeipa installation in order to add new users.
there is no reason this shouldn't work with active directory 2003 (assuming its forest level isn't still in AD 2000 compatibility mode?). tcpdump for the traffic during engine-manage-domains should help diagnose why.
Cristian
On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas <cristi.falcas@gmail.com> wrote:
On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim@redhat.com> wrote:
On 11/20/2012 09:56 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
On 11/20/2012 09:05 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
On 11/20/2012 12:39 AM, Cristian Falcas wrote:
On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim@redhat.com> wrote:
On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
On 11/19/2012 10:01 AM, Cristian Falcas wrote:
Hi,
I'm trying to add some users to ovirt using an AD.
This is the configuration I used for a mediawiki site, which is working correctly:

$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPUseLocal = true;
$wgLDAPDomainNames = array( "a_domain" );
$wgLDAPServerNames = array( "a_domain" => "site.example.com" );
$wgLDAPEncryptionType = array( "a_domain" => "clear" );
$wgLDAPSearchStrings = array( "a_domain" => "rom_domain\\USER-NAME" );
$wgLDAPBaseDNs = array( "a_domain" => "dc=company,dc=com" );
Those are the commands I tried using:

engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@company.com -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example.com -interactive
You don't add a user this way. You add the domain. You have to pass the domain admin user and the domain admin password.
any domain user will do, doesn't have to be an admin. what does the log say?
Then you can use the domain within the engine. e.g. search users, add access rights for vms etc. Even login to the engine and assigning rights within the engine you can handle from the engine itself.
Regards,
And the output on all tries:

Enter password:
Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command
Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
Can someone help me with the correct parameters?
Best regards, Cristian Falcas
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--
Regards,
Vinzenz Feenstra | Senior Software Engineer
RedHat Engineering Virtualization R & D
Phone: +420 532 294 625
IRC: vfeenstr or evilissimo
Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com
Hi,
This is the command I used (the same error is with -interactive parameter):
engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass

[root@localhost ~]# cat /tmp/pass
qwerty[root@localhost ~]#
This is the log:
2012-11-20 00:30:40,443 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,525 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,526 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
Hi, the error indicates you don't have kerberos configured. manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to run ldapsearch with -Y gssapi option). I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well).
This is the ldapsearch command that works (it retrieves users) from the same machine:
ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty
Best regards, Cristian Falcas
Hi,
I used "-x" for ldapsearch and the result is the same: list retrieved. Is there any equivalent for engine-manage-domains?
Cristian
Hi Cristian, there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues. What ldap server are you working against? Maybe I missed that
Hi,
The server is a Microsoft AD 2003.
Best regards, Cristian Falcas
this should work, is the AD also the DNS server for the ovirt engine machine?
yes
Could you take a look at the tcp dump? There are only 2 messages relevant to this (let me know if you want the full dump):
- 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV _kerberos._tcp.EXAMPLE.COM
- 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 100 88 site3.example.com

Also, I tried to run ldapsearch with -Y gssapi:

ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No worthy mechs found
Best regards, Cristian Falcas
The SRV records look fine. If I remember correctly, your DNS should have a reverse-resolve PTR record to your engine machine. Does it exist?
I don't think so (10.0.0.xx is engine machine, 10.0.0.yyy is dns):

[root@localhost ~]# nslookup 10.0.0.xx
Server: 10.0.0.yyy
Address: 10.0.0.yyy#53

** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN
[root@localhost ~]# host 10.0.0.xx
Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)

I will ask them to add a DNS record for the machine.
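The diagnostics in this thread (Itamar's tcpdump suggestion, Yair's point that manage-domains validates the domain with a Kerberos/GSSAPI bind rather than a simple bind, the _kerberos._tcp SRV lookup seen in the capture, and the missing PTR record for the engine host) can be run in one go before attempting the add. The script below is an added example, not code from the thread or from oVirt. The SRV-parsing and PTR-consistency helpers work on plain text so they can be exercised offline; the live part assumes dig, kinit and ldapsearch (openldap-clients) are installed on the engine machine, and hostname -I is Linux-specific. The realm, host names and the file name preflight.sh are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread or from oVirt): preflight checks for the
# DNS and Kerberos prerequisites that engine-manage-domains depends on.
# Names used here are illustrative.

# Kerberos realm of an AD domain is, by convention, the DNS name upper-cased.
realm_of() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# LDAP base DN derived from the DNS domain: example.com -> dc=example,dc=com
base_dn() {
    printf '%s' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# Number of SRV answers on stdin ("dig +short SRV" lines: prio weight port target.)
srv_count() { grep -c '^[0-9]' || :; }

# Simplified RFC 2782 choice (real clients pick randomly, weighted, among equal
# priorities): lowest priority, then highest weight. Prints "host port".
srv_best() {
    sort -k1,1n -k2,2nr | awk 'NR == 1 { sub(/\.$/, "", $4); print $4, $3 }'
}

# Reverse/forward consistency: the PTR name of $1 must resolve back to $1.
# Takes text so it can be checked offline: ip, PTR name ("" for NXDOMAIN),
# forward A records of that name (space separated).
ptr_consistent() {
    ip=$1 ptr=$2 fwd=$3
    [ -n "$ptr" ] || return 1      # no PTR at all: the NXDOMAIN case in the thread
    for a in $fwd; do [ "$a" = "$ip" ] && return 0; done
    return 2                       # PTR exists but points at another host
}

# Live checks; usage: sh preflight.sh example.com user.name
main() {
    domain=$1 user=$2
    realm=$(realm_of "$domain")

    # 1. KDC/LDAP discovery: the same SRV query that showed up in the tcpdump.
    for svc in _kerberos._tcp _kerberos._udp _ldap._tcp; do
        recs=$(dig +short SRV "$svc.$realm")
        n=$(printf '%s\n' "$recs" | srv_count)
        if [ "$n" -eq 0 ]; then
            echo "FAIL $svc.$realm: no SRV records (manage-domains logs 'Cannot locate KDC')"
        else
            echo "ok   $svc.$realm: $n record(s), first choice $(printf '%s\n' "$recs" | srv_best)"
        fi
    done

    # 2. The engine host must resolve both ways (hostname -I: Linux-specific, assumption).
    ip=$(hostname -I | awk '{ print $1 }')
    ptr=$(dig +short -x "$ip" | sed 's/\.$//')
    fwd=''
    [ -n "$ptr" ] && fwd=$(dig +short A "$ptr" | tr '\n' ' ')
    if ptr_consistent "$ip" "$ptr" "$fwd"; then
        echo "ok   $ip <-> $ptr"
    else
        echo "FAIL $ip: PTR='${ptr:-<none>}' forward='${fwd:-<none>}'"
    fi

    # 3. What manage-domains actually does: obtain a TGT, then a SASL/GSSAPI LDAP
    #    bind to a DC by its own hostname (the service ticket is for ldap/<that host>).
    dc=$(dig +short SRV "_ldap._tcp.$realm" | srv_best | cut -d' ' -f1)
    kinit "$user@$realm" &&
        ldapsearch -Y GSSAPI -H "ldap://$dc" -b "$(base_dn "$domain")" -s base '(objectClass=*)' dn
}

[ $# -eq 0 ] || main "$@"
```

Run it on the engine machine as sh preflight.sh example.com user.name, with tcpdump -i any -nn 'port 53 or port 88 or port 389' in a second terminal if you also want the capture Itamar asked for. The three outcomes map onto the thread: no SRV answers reproduces the "Cannot locate KDC" log line; a PTR that is missing or points elsewhere is the condition Yair asked about; and a GSSAPI bind that fails with "No worthy mechs found", as in Cristian's ldapsearch -Y gssapi attempt, means the Cyrus SASL GSSAPI mechanism plugin itself is not installed on the client (cyrus-sasl-gssapi on Fedora/RHEL), which is a separate problem from DNS.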