[Users] engine-manage-domains can't add user , domain

I use FreeIPA to authenticate users. ipa user-add has no problem, but when I do:

[root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive
Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: local
Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.

and the log from engine-manage-domains.log:

2012-05-14 21:58:47,892 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): local
2012-05-14 21:58:47,923 ERROR [org.ovirt.engine.core.dns.DnsSRVLocator] Error in getting SRV list for protocol _tcp and domain LOCAL Exception message is DNS name not found [response code 3]

My domain is 'local', like ovirt-engine.local 、ovirt-node-1.local …etc

What can I do to get through it?

----- Original Message -----
> From: "T-Sinjon" <tscbj1989@gmail.com>
> To: users@ovirt.org
> Sent: Monday, May 14, 2012 5:07:46 PM
> Subject: [Users] engine-manage-domains can't add user , domain
>
> I use FreeIPA to authenticate users. ipa user-add has no problem, but when I do:
>
> [root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive
>
> Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: local
> Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
>
> and the log from engine-manage-domains.log:
>
> 2012-05-14 21:58:47,892 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): local
> 2012-05-14 21:58:47,923 ERROR [org.ovirt.engine.core.dns.DnsSRVLocator] Error in getting SRV list for protocol _tcp and domain LOCAL Exception message is DNS name not found [response code 3]
>
> My domain is 'local', like ovirt-engine.local 、ovirt-node-1.local …etc
>
> What can I do to get through it?

The utility (and also the ovirt engine) are relying on DNS SRV records in order to find LDAP and kerberos servers (supporting Active directory, IPA or RHDS).
So, in order to work with it you must have the following in the DNS:
1. PTR record for your LDAP server
2. LDAP SRV record for your LDAP server
3. LDAP kerberos record for your LDAP server

If you don't really have access to the DNS you can install a package called "dnsmasq", and perform these changes by yourself in its config file.

Oved
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
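
A pre-flight check for the three records in the list above, as an added example that is not part of the thread or of oVirt: it scans BIND-style zone files for an LDAP SRV record, a Kerberos SRV record and a PTR record that point at the directory server. The host name ipa.local, the addresses and the zone contents are constructed, and `_ldap._tcp` / `_kerberos._tcp` are the conventional SRV owner names, assumed here to be the ones the engine looks up.

```sh
#!/bin/sh
# Added example, not from the thread. Zone contents, host names and addresses
# are constructed. Against a live resolver the equivalent checks would be:
#   dig +short SRV _ldap._tcp.local
#   dig +short SRV _kerberos._tcp.local
#   dig +short -x <address of the directory server>

# missing_records DOMAIN SERVER_FQDN ZONE_FILE...
# Prints one token per absent record (ldap-srv, kerberos-srv, ptr) and nothing
# when all three are present. Assumptions: SERVER_FQDN is lower case without a
# trailing dot, record targets are written as absolute names, and relative
# owner names are relative to DOMAIN.
missing_records() {
    domain=$1 server=$2
    shift 2
    awk -v d="$domain" -v s="$server" '
        function norm(n) { sub(/\.$/, "", n); return tolower(n) }
        { sub(/;.*/, "") }                       # drop zone-file comments
        NF < 3 { next }                          # directives, blank lines
        {
            owner = norm($1); target = norm($NF)
            for (i = 2; i < NF; i++) {           # type follows optional TTL/class
                type = toupper($i)
                if (type == "SRV" && target == s) {
                    if (owner == "_ldap._tcp" || owner == ("_ldap._tcp." d)) ldap = 1
                    if (owner == "_kerberos._tcp" || owner == ("_kerberos._tcp." d)) krb = 1
                }
                if (type == "PTR" && target == s) ptr = 1
            }
        }
        END {
            if (!ldap) print "ldap-srv"
            if (!krb)  print "kerberos-srv"
            if (!ptr)  print "ptr"
        }
    ' "$@"
}

# write_sample_zones DIR
# Writes constructed zone files: a forward zone with address records only
# (the state that produced "DNS name not found"), the same zone with the SRV
# records added, and a reverse zone holding the PTR record.
write_sample_zones() {
    cat > "$1/local.before" <<'EOF'
$ORIGIN local.
ipa             IN A    192.0.2.10
ovirt-engine    IN A    192.0.2.20
EOF
    cat > "$1/local.after" <<'EOF'
$ORIGIN local.
ipa             IN A    192.0.2.10
ovirt-engine    IN A    192.0.2.20
_ldap._tcp      IN SRV  0 100 389 ipa.local.   ; LDAP server
_kerberos._tcp  IN SRV  0 100 88  ipa.local.   ; Kerberos KDC
EOF
    cat > "$1/reverse" <<'EOF'
$ORIGIN 2.0.192.in-addr.arpa.
10              IN PTR  ipa.local.
EOF
}

tmp=$(mktemp -d)
write_sample_zones "$tmp"
echo "before, missing: $(missing_records local ipa.local "$tmp/local.before" | tr '\n' ' ')"
echo "after,  missing: $(missing_records local ipa.local "$tmp/local.after" "$tmp/reverse" | tr '\n' ' ')"
rm -rf "$tmp"
```
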

I have added those SRV info into my zone file, and it did go, the log looks fine, but engine-manage-domains still returns an error:

2012-05-15 10:45:19,222 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): local
2012-05-15 10:45:19,258 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): local
2012-05-15 10:45:19,259 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: local

[root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive
Enter password:
Error: exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
Failure while testing domain local. Details: Kerberos error. Please check log for further details.

On 14 May, 2012, at 10:12 PM, Oved Ourfalli wrote:
> The utility (and also the ovirt engine) are relying on DNS SRV records in order to find LDAP and kerberos servers (supporting Active directory, IPA or RHDS).
> So, in order to work with it you must have the following in the DNS:
> 1. PTR record for your LDAP server
> 2. LDAP SRV record for your LDAP server
> 3. LDAP kerberos record for your LDAP server
>
> If you don't really have access to the DNS you can install a package called "dnsmasq", and perform these changes by yourself in its config file.
>
> Oved

After using kinit to log in as tsinjon, the error changes to the following. Why did this happen?

[root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive
Enter password:
No user in Directory was found for tsinjon@LOCAL. Trying next LDAP server in list
Failure while testing domain local. Details: No user information was found for user

On 15 May, 2012, at 10:47 AM, T-Sinjon wrote:
> I have added those SRV info into my zone file, and it did go, the log looks fine, but engine-manage-domains still returns an error:
>
> 2012-05-15 10:45:19,222 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): local
> 2012-05-15 10:45:19,258 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): local
> 2012-05-15 10:45:19,259 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: local
>
> [root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive
> Enter password:
> Error: exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
> Failure while testing domain local. Details: Kerberos error. Please check log for further details.

----- Original Message -----
> From: "T-Sinjon" <tscbj1989@gmail.com>
> To: "Oved Ourfalli" <ovedo@redhat.com>
> Cc: users@ovirt.org
> Sent: Tuesday, May 15, 2012 5:53:16 AM
> Subject: Re: [Users] engine-manage-domains can't add user , domain
>
> After using kinit to log in as tsinjon, the error changes to the following. Why did this happen?
>
> [root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive
> Enter password:
> No user in Directory was found for tsinjon@LOCAL. Trying next LDAP server in list
> Failure while testing domain local. Details: No user information was found for user

Can't see why kinit matters here, but looking at your command I noticed you used single quotes for the user and domain name. I'm not sure it knows to handle this correctly. Did you try without the quotes?

Also, what version are you working with? We had a problem a few weeks ago, of identifying the correct ldap provider. To fix that we added an option to specify the ldap provider type. It determines which query will be used in order to get the user details.

cc-ing Roy, who added this. iirc it is mandatory to provide this option, so you probably don't have this option in your environment. Roy - is there an upstream release with this fix?

Regards,
Oved

On 05/15/2012 08:35 AM, Oved Ourfalli wrote:
> Can't see why kinit matters here, but looking at your command I noticed you used single quotes for the user and domain name. I'm not sure it knows to handle this correctly. Did you try without the quotes?
>
> Also, what version are you working with? We had a problem a few weeks ago, of identifying the correct ldap provider. To fix that we added an option to specify the ldap provider type. It determines which query will be used in order to get the user details.
>
> cc-ing Roy, who added this. iirc it is mandatory to provide this option, so you probably don't have this option in your environment. Roy - is there an upstream release with this fix?

Oved - this was merged upstream.
T-Sinjon - have you cloned the git repo and compiled or are you using RPMs?

> Regards,
> Oved

----- Original Message -----
> From: "Yair Zaslavsky" <yzaslavs@redhat.com>
> To: "Oved Ourfalli" <ovedo@redhat.com>
> Cc: "T-Sinjon" <tscbj1989@gmail.com>, users@ovirt.org
> Sent: Tuesday, May 15, 2012 8:48:26 AM
> Subject: Re: [Users] engine-manage-domains can't add user , domain
> Oved - this was merged upstream.
> T-Sinjon - have you cloned the git repo and compiled or are you using RPMs?

Yair - he is probably using the RPMs, as it is harder to run the utility from the git repo.
Regards, Oved

Oved:
1, Yes, I used RPMs

ovirt-engine-restapi-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-dbscripts-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-notification-service-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-backend-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-jboss-deps-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-config-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-webadmin-portal-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-sdk-1.3-1.fc16.noarch
ovirt-engine-jbossas-1.2-2.fc16.x86_64
ovirt-engine-iso-uploader-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-setup-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-userportal-3.0.0_0001-1.6.fc16.x86_64
ovirt-node-2.2.2-2.fc16.noarch
ovirt-engine-genericapi-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-tools-common-3.0.0_0001-1.6.fc16.x86_64
ovirt-node-tools-2.2.2-2.fc16.noarch
ovirt-engine-log-collector-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-3.0.0_0001-1.6.fc16.x86_64

2, they are the same whether using single quotes or not

[root@ovirt-engine ~]# engine-manage-domains -action=add -domain=local -user=tsinjon -passwordFile=/root/tsinjon
No user in Directory was found for tsinjon@LOCAL. Trying next LDAP server in list
Failure while testing domain local. Details: No user information was found for user

On 15 May, 2012, at 1:47 PM, Oved Ourfalli wrote:
> Yair - he is probably using the RPMs, as it is harder to run the utility from the git repo.

On 05/15/2012 09:17 AM, T-Sinjon wrote:
> Oved:
> 1, Yes, I used RPMs
> 2, they are the same whether using single quotes or not
>
> [root@ovirt-engine ~]# engine-manage-domains -action=add -domain=local -user=tsinjon -passwordFile=/root/tsinjon
> No user in Directory was found for tsinjon@LOCAL. Trying next LDAP server in list
> Failure while testing domain local. Details: No user information was found for user

When you run engine-manage-domains without parameters, what do you get?
On 15 May, 2012, at 1:47 PM, Oved Ourfalli wrote:
----- Original Message -----
From: "Yair Zaslavsky" <yzaslavs@redhat.com> To: "Oved Ourfalli" <ovedo@redhat.com> Cc: "T-Sinjon" <tscbj1989@gmail.com>, users@ovirt.org Sent: Tuesday, May 15, 2012 8:48:26 AM Subject: Re: [Users] engine-manage-domains can't add user , domain
On 05/15/2012 08:35 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "T-Sinjon" <tscbj1989@gmail.com> To: "Oved Ourfalli" <ovedo@redhat.com> Cc: users@ovirt.org Sent: Tuesday, May 15, 2012 5:53:16 AM Subject: Re: [Users] engine-manage-domains can't add user , domain
after use kinit login tsinjon , the error changes to , why this happened?
[root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive Enter password:
No user in Directory was found for tsinjon@LOCAL. Trying next LDAP server in list Failure while testing domain local. Details: No user information was found for user
Can't see why kinit matters here, but looking at your command I noticed you used single quotes for the user and domain name. I'm not sure it knows to handle this correctly. Did you try without the quotes?
Also, what version are you working with? We had a problem a few weeks ago, of identifying the correct ldap provider. To fix that we added an option to specify the ldap provider type. It determines which query will be used in order to get the user details.
cc-ing Roy, which added this. iirc it is mandatory to provide this option, so you probably don't have this option in your environment. Roy - is there an upstream release with this fix?
Oved - this was merged upstream. T-Sinjon - have you cloned the git repo and compiled or are you using RPMs?
Yair - he is probably using the RPMs, as it is harder to run the utility from the git repo.
Regards, Oved
On 15 May, 2012, at 10:47 AM, T-Sinjon wrote:
I have added those SRV info into my zone file , and it did go , the log looks fine , but engine-manage-domains still return error
2012-05-15 10:45:19,222 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): local 2012-05-15 10:45:19,258 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): local 2012-05-15 10:45:19,259 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: local
[root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive Enter password:
Error: exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED Failure while testing domain local. Details: Kerberos error. Please check log for further details.
On 14 May, 2012, at 10:12 PM, Oved Ourfalli wrote:
> > > ----- Original Message ----- >> From: "T-Sinjon" <tscbj1989@gmail.com> >> To: users@ovirt.org >> Sent: Monday, May 14, 2012 5:07:46 PM >> Subject: [Users] engine-manage-domains can't add user , domain >> >> >> I use FreeIPA to authenticate users, ipa user-add has no >> problem, >> but when i do : >> >> [root@ovirt-engine ~]# engine-manage-domains -action=add >> -domain='local' -user='tsinjon' -interactive >> >> Error: Authentication Failed. Please verify the fully qualified >> domain name that is used for authentication is correct.. >> Problematic >> domain is: local >> Failure while applying Kerberos configuration. Details: >> Authentication Failed. Please verify the fully qualified domain >> name >> that is used for authentication is correct. >> >> and log from engine-manage-domains.log : >> >> 2012-05-14 21:58:47,892 INFO >> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating >> kerberos configuration for domain(s): local >> 2012-05-14 21:58:47,923 ERROR >> [org.ovirt.engine.core.dns.DnsSRVLocator] Error in getting SRV >> list >> for protocol _tcp and domain LOCAL Exception message is DNS >> name >> not >> found [response code 3] >> >> my domain is 'local' , like ovirt-engine.local >> 、ovirt-node-1.local >> …etc >> >> What can i do to get through it? >> > The utility (and also the ovirt engine) are relying on DNS SRV > records in order to find LDAP and kerberos servers (supporting > Active directory, IPA or RHDS). > So, in order to work with it you must have the following in the > DNS > 1. PTR record for your LDAP server > 2. LDAP SRV record for your LDAP server > 3. LDAP kerberos record for your LDAP server > > If you don't really have access to the DNS you can install a > package called "dnsmasq", and perform this changes by yourself > in > its config file. > > Oved >> >> _______________________________________________ >> Users mailing list >> Users@ovirt.org >> http://lists.ovirt.org/mailman/listinfo/users >>
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
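
The three DNS prerequisites Oved lists in this thread (PTR record, LDAP SRV record, Kerberos SRV record), as an added example that is not part of any message in the thread: a Python check run over a set of zone records. The owner names `_ldap._tcp.<domain>` and `_kerberos._tcp.<domain>`, the host `ipa.local`, the address 192.0.2.10 and the one-record-per-line input format are assumptions; the thread itself only shows the SRV lookup failing for protocol _tcp and domain LOCAL.

```python
import ipaddress

# Constructed sample records (not taken from the thread). Simplified zone
# syntax: fully qualified owner name, record type, rdata, one record per line.
# ipa.local / 192.0.2.10 stand in for the FreeIPA server.
GOOD_ZONE = """
ipa.local.                A   192.0.2.10
_ldap._tcp.local.         SRV 0 100 389 ipa.local.   ; LDAP
_kerberos._tcp.local.     SRV 0 100 88 ipa.local.    ; Kerberos KDC
10.2.0.192.in-addr.arpa.  PTR ipa.local.
"""

# Same zone with the Kerberos SRV record and the PTR record left out.
BAD_ZONE = """
ipa.local.                A   192.0.2.10
_ldap._tcp.local.         SRV 0 100 389 ipa.local.
"""


def fqdn(name):
    """Normalise a DNS name: lower case, exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_records(text):
    """Return {(owner, type): [rdata field list, ...]} for the simplified syntax."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed record: %r" % raw)
        key = (fqdn(fields[0]), fields[1].upper())
        records.setdefault(key, []).append(fields[2:])
    return records


def check_domain(domain, zone_text):
    """Return a list of problems; an empty list means all three prerequisites hold."""
    records = parse_records(zone_text)
    problems = []
    targets = set()

    # Prerequisites 2 and 3: SRV records for LDAP and Kerberos under the domain.
    for service in ("_ldap", "_kerberos"):
        owner = fqdn("%s._tcp.%s" % (service, domain))
        srvs = records.get((owner, "SRV"), [])
        if not srvs:
            problems.append("missing SRV record %s" % owner)
        for rdata in srvs:
            if len(rdata) != 4:  # priority weight port target
                problems.append("bad SRV rdata at %s" % owner)
                continue
            targets.add(fqdn(rdata[3]))

    # Prerequisite 1: each SRV target resolves, and its address maps back to it.
    for target in sorted(targets):
        addrs = records.get((target, "A"), [])
        if not addrs:
            problems.append("no A record for SRV target %s" % target)
        for rdata in addrs:
            ptr_owner = fqdn(ipaddress.ip_address(rdata[0]).reverse_pointer)
            ptr_names = [fqdn(r[0]) for r in records.get((ptr_owner, "PTR"), [])]
            if target not in ptr_names:
                problems.append("missing PTR record %s -> %s" % (ptr_owner, target))
    return problems


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, check_domain("local", zone) or "all prerequisites present")
```
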

help info like this

[root@ovirt-engine ~]# engine-manage-domains
engine-manage-domains: add/edit/delete/validate/list domains
USAGE:
    engine-manage-domains -action=ACTION [-domain=DOMAIN -user=USER -passwordFile=PASSWORD_FILE -interactive -configFile=PATH] -report
Where:
    ACTION         action to perform (add/edit/delete/validate/list). See details below.
    DOMAIN         (mandatory for add, edit and delete) the domain you wish to perform the action on.
    USER           (optional for edit, mandatory for add) the domain user.
    PASSWORD_FILE  (optional for edit, mandatory for add) a file containing the password in the first line.
    interactive    alternative for using -passwordFile - read the password interactively.
    PATH           (optional) use the given alternate configuration file.

Available actions:
    add
    Examples:
    -action=add -domain=example.com -user=admin -passwordFile=/tmp/.pwd
        Add a domain called example.com, using user admin and read the password from /tmp/.pwd.
    -action=edit -domain=example.com -passwordFile=/tmp/.new_password
        Edit the domain example.com, using another password file.
    -action=delete -domain=example.com
        Delete the domain example.com.
    -action=validate
        Validate the current configuration (go over all the domains, try to authenticate to each domain using the configured user/password.).
    -report
        In combination with -action=validate will report all validation error, if occured. Default behaviour is to exit when a validation error occurs.
    -action=list
        Lists the current configuration.
    -h
        Show this help.

On 15 May, 2012, at 2:22 PM, Yair Zaslavsky wrote:
On 05/15/2012 09:17 AM, T-Sinjon wrote:
Oved:
1. Yes, I used RPMs

ovirt-engine-restapi-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-dbscripts-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-notification-service-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-backend-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-jboss-deps-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-config-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-webadmin-portal-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-sdk-1.3-1.fc16.noarch
ovirt-engine-jbossas-1.2-2.fc16.x86_64
ovirt-engine-iso-uploader-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-setup-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-userportal-3.0.0_0001-1.6.fc16.x86_64
ovirt-node-2.2.2-2.fc16.noarch
ovirt-engine-genericapi-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-tools-common-3.0.0_0001-1.6.fc16.x86_64
ovirt-node-tools-2.2.2-2.fc16.noarch
ovirt-engine-log-collector-3.0.0_0001-1.6.fc16.x86_64
ovirt-engine-3.0.0_0001-1.6.fc16.x86_64

2. They are the same whether I use single quotes or not

[root@ovirt-engine ~]# engine-manage-domains -action=add -domain=local -user=tsinjon -passwordFile=/root/tsinjon
No user in Directory was found for tsinjon@LOCAL. Trying next LDAP server in list
Failure while testing domain local. Details: No user information was found for user
When you run engine-manage-domains without parameters, what do you get?
On 15 May, 2012, at 1:47 PM, Oved Ourfalli wrote:
----- Original Message -----
From: "Yair Zaslavsky" <yzaslavs@redhat.com> To: "Oved Ourfalli" <ovedo@redhat.com> Cc: "T-Sinjon" <tscbj1989@gmail.com>, users@ovirt.org Sent: Tuesday, May 15, 2012 8:48:26 AM Subject: Re: [Users] engine-manage-domains can't add user , domain
On 05/15/2012 08:35 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "T-Sinjon" <tscbj1989@gmail.com> To: "Oved Ourfalli" <ovedo@redhat.com> Cc: users@ovirt.org Sent: Tuesday, May 15, 2012 5:53:16 AM Subject: Re: [Users] engine-manage-domains can't add user , domain
after use kinit login tsinjon , the error changes to , why this happened?
[root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive Enter password:
No user in Directory was found for tsinjon@LOCAL. Trying next LDAP server in list Failure while testing domain local. Details: No user information was found for user
Can't see why kinit matters here, but looking at your command I noticed you used single quotes for the user and domain name. I'm not sure it knows to handle this correctly. Did you try without the quotes?
Also, what version are you working with? We had a problem a few weeks ago, of identifying the correct ldap provider. To fix that we added an option to specify the ldap provider type. It determines which query will be used in order to get the user details.
cc-ing Roy, who added this. iirc it is mandatory to provide this option, so you probably don't have this option in your environment. Roy - is there an upstream release with this fix?
Oved - this was merged upstream. T-Sinjon - have you cloned the git repo and compiled or are you using RPMs?
Yair - he is probably using the RPMs, as it is harder to run the utility from the git repo.
Regards, Oved

On 05/15/2012 08:48 AM, Yair Zaslavsky wrote:
On 05/15/2012 08:35 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "T-Sinjon"<tscbj1989@gmail.com> To: "Oved Ourfalli"<ovedo@redhat.com> Cc: users@ovirt.org Sent: Tuesday, May 15, 2012 5:53:16 AM Subject: Re: [Users] engine-manage-domains can't add user , domain
after use kinit login tsinjon , the error changes to , why this happened?
[root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive Enter password:
No user in Directory was found for tsinjon@LOCAL. Trying next LDAP server in list Failure while testing domain local. Details: No user information was found for user
Can't see why kinit matters here, but looking at your command I noticed you used single quotes for the user and domain name. I'm not sure it knows to handle this correctly. Did you try without the quotes?
Also, what version are you working with? We had a problem a few weeks ago, of identifying the correct ldap provider. To fix that we added an option to specify the ldap provider type. It determines which query will be used in order to get the user details.
cc-ing Roy, who added this. iirc it is mandatory to provide this option, so you probably don't have this option in your environment. Roy - is there an upstream release with this fix?
Oved - this was merged upstream. T-Sinjon - have you cloned the git repo and compiled or are you using RPMs?
T-Sinjon - once you're updated you'll be able to specify which type your LDAP server is and overcome this problem.
e.g. engine-manage-domains -action=add -domain='local' -provider=ipa -user='tsinjon' -interactive
Regards, Oved
On 15 May, 2012, at 10:47 AM, T-Sinjon wrote:
I have added those SRV info into my zone file , and it did go , the log looks fine , but engine-manage-domains still return error
2012-05-15 10:45:19,222 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): local
2012-05-15 10:45:19,258 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): local
2012-05-15 10:45:19,259 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: local

[root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive
Enter password:

Error: exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
Failure while testing domain local. Details: Kerberos error. Please check log for further details.
On 14 May, 2012, at 10:12 PM, Oved Ourfalli wrote:
----- Original Message -----
From: "T-Sinjon"<tscbj1989@gmail.com> To: users@ovirt.org Sent: Monday, May 14, 2012 5:07:46 PM Subject: [Users] engine-manage-domains can't add user , domain
I use FreeIPA to authenticate users, ipa user-add has no problem, but when i do :
[root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive
Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: local Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
and log from engine-manage-domains.log :
2012-05-14 21:58:47,892 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): local 2012-05-14 21:58:47,923 ERROR [org.ovirt.engine.core.dns.DnsSRVLocator] Error in getting SRV list for protocol _tcp and domain LOCAL Exception message is DNS name not found [response code 3]
my domain is 'local' , like ovirt-engine.local 、ovirt-node-1.local …etc
What can i do to get through it?
The utility (and also the ovirt engine) are relying on DNS SRV records in order to find LDAP and kerberos servers (supporting Active directory, IPA or RHDS).
So, in order to work with it you must have the following in the DNS:
1. PTR record for your LDAP server
2. LDAP SRV record for your LDAP server
3. LDAP kerberos record for your LDAP server

If you don't really have access to the DNS you can install a package called "dnsmasq", and perform these changes by yourself in its config file.
Oved

Hi, Roy

I have updated my engine to the newest using ' rpm -Uvh ' -
I used rpms from http://jenkins.ovirt.org/view/ovirt_engine/job/ovirt_engine_create_rpms/ .

[root@ovirt-engine ~]# rpm -qa | grep ovirt-engine
ovirt-engine-dbscripts-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-config-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-log-collector-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-image-uploader-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-restapi-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-sdk-1.3-1.fc16.noarch
ovirt-engine-tools-common-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-backend-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-jbossas-1.2-2.fc16.x86_64
ovirt-engine-iso-uploader-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-setup-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-userportal-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-jboss-deps-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-webadmin-portal-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-genericapi-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-notification-service-3.1.0_0001-1.8.fc16.x86_64

and now I add the domain again, it still has an error and there is no log to be found in engine-manage-domains.log, what should I do now?

[root@ovirt-engine ~]# engine-manage-domains -action=add -domain=local -user=admin -provider=IPA -interactive
Failed reading current configuration. Details: Error "Error fetching LDAPProviderTypes value: no such entry with version 'general'." while reading configuration value LDAPProviderTypes.

On 15 May, 2012, at 5:10 PM, Roy Golan wrote:
On 05/15/2012 08:48 AM, Yair Zaslavsky wrote:
On 05/15/2012 08:35 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "T-Sinjon"<tscbj1989@gmail.com> To: "Oved Ourfalli"<ovedo@redhat.com> Cc: users@ovirt.org Sent: Tuesday, May 15, 2012 5:53:16 AM Subject: Re: [Users] engine-manage-domains can't add user , domain
after use kinit login tsinjon , the error changes to , why this happened?
[root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive Enter password:
No user in Directory was found for tsinjon@LOCAL. Trying next LDAP server in list Failure while testing domain local. Details: No user information was found for user
Can't see why kinit matters here, but looking at your command I noticed you used single quotes for the user and domain name. I'm not sure it knows to handle this correctly. Did you try without the quotes?
Also, what version are you working with? We had a problem a few weeks ago, of identifying the correct ldap provider. To fix that we added an option to specify the ldap provider type. It determines which query will be used in order to get the user details.
cc-ing Roy, who added this. iirc it is mandatory to provide this option, so you probably don't have this option in your environment. Roy - is there an upstream release with this fix?
Oved - this was merged upstream. T-Sinjon - have you cloned the git repo and compiled or are you using RPMs?
T-Sinjon - once you're updated you'll be able to specify which type your LDAP server is and overcome this problem.
e.g. engine-manage-domains -action=add -domain='local' -provider=ipa -user='tsinjon' -interactive
Regards, Oved
On 15 May, 2012, at 10:47 AM, T-Sinjon wrote:
I have added those SRV info into my zone file , and it did go , the log looks fine , but engine-manage-domains still return error
2012-05-15 10:45:19,222 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): local 2012-05-15 10:45:19,258 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): local 2012-05-15 10:45:19,259 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: local
[root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive Enter password:
Error: exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED Failure while testing domain local. Details: Kerberos error. Please check log for further details.

----- Original Message -----
From: "T-Sinjon" <tscbj1989@gmail.com> To: "Roy Golan" <rgolan@redhat.com> Cc: "Oved Ourfalli" <ovedo@redhat.com>, users@ovirt.org Sent: Tuesday, May 22, 2012 5:33:06 AM Subject: Re: [Users] engine-manage-domains can't add user , domain
HI, Roy
I have updated my engine to the newest using ' rpm -Uvh ' -
I used rpms from http://jenkins.ovirt.org/view/ovirt_engine/job/ovirt_engine_create_rpms/ .

[root@ovirt-engine ~]# rpm -qa | grep ovirt-engine
ovirt-engine-dbscripts-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-config-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-log-collector-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-image-uploader-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-restapi-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-sdk-1.3-1.fc16.noarch
ovirt-engine-tools-common-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-backend-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-jbossas-1.2-2.fc16.x86_64
ovirt-engine-iso-uploader-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-setup-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-userportal-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-jboss-deps-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-webadmin-portal-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-genericapi-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-notification-service-3.1.0_0001-1.8.fc16.x86_64

and now I add the domain again, it still has an error and there is no log to be found in engine-manage-domains.log, what should I do now?

[root@ovirt-engine ~]# engine-manage-domains -action=add -domain=local -user=admin -provider=IPA -interactive
Failed reading current configuration. Details: Error "Error fetching LDAPProviderTypes value: no such entry with version 'general'." while reading configuration value LDAPProviderTypes.
Looks like your database isn't updated. I'm not sure whether a database upgrade is run automatically when you update the RPMs, but according to the error you get it probably isn't.
In the RPM ovirt-engine-dbscripts-3.1.0_0001-1.8.fc16.x86_64 you should have an upgrade script. (use rpm -qil on ovirt-engine-dbscripts-3.1.0_0001-1.8.fc16.x86_64 to find out where it is, as I'm not sure exactly where it's installed).
Run it using the command:
./upgrade.sh -u postgres
It will upgrade your database.

Oved
On 15 May, 2012, at 5:10 PM, Roy Golan wrote:
On 05/15/2012 08:48 AM, Yair Zaslavsky wrote:
On 05/15/2012 08:35 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "T-Sinjon"<tscbj1989@gmail.com> To: "Oved Ourfalli"<ovedo@redhat.com> Cc: users@ovirt.org Sent: Tuesday, May 15, 2012 5:53:16 AM Subject: Re: [Users] engine-manage-domains can't add user , domain
after use kinit login tsinjon , the error changes to , why this happened?
[root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive Enter password:
No user in Directory was found for tsinjon@LOCAL. Trying next LDAP server in list Failure while testing domain local. Details: No user information was found for user
Can't see why kinit matters here, but looking at your command I noticed you used single quotes for the user and domain name. I'm not sure it knows to handle this correctly. Did you try without the quotes?
Also, what version are you working with? We had a problem a few weeks ago, of identifying the correct ldap provider. To fix that we added an option to specify the ldap provider type. It determines which query will be used in order to get the user details.
cc-ing Roy, who added this. iirc it is mandatory to provide this option, so you probably don't have this option in your environment. Roy - is there an upstream release with this fix?
Oved - this was merged upstream. T-Sinjon - have you cloned the git repo and compiled or are you using RPMs?
T-Sinjon - once you're updated you'll be able to specify which type your LDAP server is and overcome this problem.
e.g. engine-manage-domains -action=add -domain='local' -provider=ipa -user='tsinjon' -interactive
Regards, Oved
On 15 May, 2012, at 10:47 AM, T-Sinjon wrote:
I have added those SRV info into my zone file , and it did go , the log looks fine , but engine-manage-domains still return error
2012-05-15 10:45:19,222 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): local 2012-05-15 10:45:19,258 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): local 2012-05-15 10:45:19,259 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: local
[root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive Enter password:
Error: exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED Failure while testing domain local. Details: Kerberos error. Please check log for further details.

On 05/22/2012 08:34 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "T-Sinjon"<tscbj1989@gmail.com> To: "Roy Golan"<rgolan@redhat.com> Cc: "Oved Ourfalli"<ovedo@redhat.com>, users@ovirt.org Sent: Tuesday, May 22, 2012 5:33:06 AM Subject: Re: [Users] engine-manage-domains can't add user , domain
HI, Roy
I have updated my engine to the newest using ' rpm -Uvh ' -
I used rpms from http://jenkins.ovirt.org/view/ovirt_engine/job/ovirt_engine_create_rpms/ .

[root@ovirt-engine ~]# rpm -qa | grep ovirt-engine
ovirt-engine-dbscripts-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-config-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-log-collector-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-image-uploader-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-restapi-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-sdk-1.3-1.fc16.noarch
ovirt-engine-tools-common-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-backend-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-jbossas-1.2-2.fc16.x86_64
ovirt-engine-iso-uploader-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-setup-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-userportal-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-jboss-deps-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-webadmin-portal-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-genericapi-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-notification-service-3.1.0_0001-1.8.fc16.x86_64

and now I add the domain again, it still has an error and there is no log to be found in engine-manage-domains.log, what should I do now?

[root@ovirt-engine ~]# engine-manage-domains -action=add -domain=local -user=admin -provider=IPA -interactive
Failed reading current configuration. Details: Error "Error fetching LDAPProviderTypes value: no such entry with version 'general'." while reading configuration value LDAPProviderTypes.
Looks like your database isn't updated. I'm not sure whether a database upgrade is run automatically when you update the RPMs, but according to the error you get it probably isn't.
If rpm -Uvh didn't fire the upgrade script it's a bug. Pls attach /var/log/ovirt-engine/ovirt-engine-upgrade.log to see if something went wrong.
In the RPM ovirt-engine-dbscripts-3.1.0_0001-1.8.fc16.x86_64 you should have an upgrade script. (use rpm -qil on ovirt-engine-dbscripts-3.1.0_0001-1.8.fc16.x86_64 to find out where it is, as I'm not sure exactly where it's installed).
Run it using the command:
./upgrade.sh -u postgres
It will upgrade your database.
Oved
On 15 May, 2012, at 5:10 PM, Roy Golan wrote:
On 05/15/2012 08:48 AM, Yair Zaslavsky wrote:
On 05/15/2012 08:35 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "T-Sinjon"<tscbj1989@gmail.com> To: "Oved Ourfalli"<ovedo@redhat.com> Cc: users@ovirt.org Sent: Tuesday, May 15, 2012 5:53:16 AM Subject: Re: [Users] engine-manage-domains can't add user , domain
after use kinit login tsinjon , the error changes to , why this happened?
[root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive Enter password:
No user in Directory was found for tsinjon@LOCAL. Trying next LDAP server in list Failure while testing domain local. Details: No user information was found for user
Can't see why kinit matters here, but looking at your command I noticed you used single quotes for the user and domain name. I'm not sure it knows to handle this correctly. Did you try without the quotes?
Also, what version are you working with? We had a problem a few weeks ago, of identifying the correct ldap provider. To fix that we added an option to specify the ldap provider type. It determines which query will be used in order to get the user details.
cc-ing Roy, who added this. iirc it is mandatory to provide this option, so you probably don't have this option in your environment. Roy - is there an upstream release with this fix?
Oved - this was merged upstream. T-Sinjon - have you cloned the git repo and compiled or are you using RPMs?
T-Sinjon - once you're updated you'll be able to specify which type your LDAP server is and overcome this problem.
e.g. engine-manage-domains -action=add -domain='local' -provider=ipa -user='tsinjon' -interactive
Regards, Oved
On 15 May, 2012, at 10:47 AM, T-Sinjon wrote:
> I have added those SRV info into my zone file , and it did go , > the log looks fine , but engine-manage-domains still return > error > > 2012-05-15 10:45:19,222 INFO > [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating > kerberos configuration for domain(s): local > 2012-05-15 10:45:19,258 INFO > [org.ovirt.engine.core.utils.kerberos.ManageDomains] > Successfully > created kerberos configuration for domain(s): local > 2012-05-15 10:45:19,259 INFO > [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing > kerberos configuration for domain: local > > [root@ovirt-engine ~]# engine-manage-domains -action=add > -domain='local' -user='tsinjon' -interactive > Enter password: > > Error: exception message: Integrity check on decrypted field > failed (31) - PREAUTH_FAILED > Failure while testing domain local. Details: Kerberos error. > Please > check log for further details. > > > On 14 May, 2012, at 10:12 PM, Oved Ourfalli wrote: > >> ----- Original Message ----- >>> From: "T-Sinjon"<tscbj1989@gmail.com> >>> To: users@ovirt.org >>> Sent: Monday, May 14, 2012 5:07:46 PM >>> Subject: [Users] engine-manage-domains can't add user , >>> domain >>> >>> >>> I use FreeIPA to authenticate users, ipa user-add has no >>> problem, >>> but when i do : >>> >>> [root@ovirt-engine ~]# engine-manage-domains -action=add >>> -domain='local' -user='tsinjon' -interactive >>> >>> Error: Authentication Failed. Please verify the fully >>> qualified >>> domain name that is used for authentication is correct.. >>> Problematic >>> domain is: local >>> Failure while applying Kerberos configuration. Details: >>> Authentication Failed. Please verify the fully qualified >>> domain >>> name >>> that is used for authentication is correct. 
>>> >>> and log from engine-manage-domains.log : >>> >>> 2012-05-14 21:58:47,892 INFO >>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating >>> kerberos configuration for domain(s): local >>> 2012-05-14 21:58:47,923 ERROR >>> [org.ovirt.engine.core.dns.DnsSRVLocator] Error in getting >>> SRV >>> list >>> for protocol _tcp and domain LOCAL Exception message is DNS >>> name >>> not >>> found [response code 3] >>> >>> my domain is 'local' , like ovirt-engine.local >>> 、ovirt-node-1.local >>> …etc >>> >>> What can i do to get through it? >>> >> The utility (and also the ovirt engine) are relying on DNS SRV >> records in order to find LDAP and kerberos servers (supporting >> Active directory, IPA or RHDS). >> So, in order to work with it you must have the following in >> the >> DNS >> 1. PTR record for your LDAP server >> 2. LDAP SRV record for your LDAP server >> 3. LDAP kerberos record for your LDAP server >> >> If you don't really have access to the DNS you can install a >> package called "dnsmasq", and perform this changes by yourself >> in >> its config file. >> >> Oved >>> _______________________________________________ >>> Users mailing list >>> Users@ovirt.org >>> http://lists.ovirt.org/mailman/listinfo/users >>>
Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
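
One way to confirm the three DNS prerequisites listed in Oved's quoted reply above (LDAP SRV, Kerberos SRV, PTR for the directory server), as an added example that is not part of the original thread or of the oVirt tooling. It assumes the standard SRV names _ldap._tcp.<domain> and _kerberos._tcp.<domain>, which the thread does not spell out; check_realm_dns and srv_targets are names made up here.

```shell
#!/bin/sh
# Added example (not from the thread): check the DNS records the engine's
# SRV lookup depends on before retrying engine-manage-domains.
# Assumption: records use the standard names _ldap._tcp.<domain> and
# _kerberos._tcp.<domain>.

DIG=${DIG:-dig}   # resolver command; overridable so the check can run offline

# Print the target host names (trailing dot stripped) of an SRV record.
srv_targets() {
    # "dig +short SRV" prints one line per record: <prio> <weight> <port> <target>.
    "$DIG" +short SRV "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Exit status 0 only if every prerequisite resolves; each gap is listed on stdout.
# Variables are global on purpose (plain POSIX sh has no "local").
check_realm_dns() {
    domain=$1
    missing=0
    for svc in _ldap._tcp _kerberos._tcp; do
        targets=$(srv_targets "$svc.$domain")
        if [ -z "$targets" ]; then
            echo "MISSING SRV $svc.$domain"
            missing=1
            continue
        fi
        for host in $targets; do
            # The SRV target must have an address ...
            addr=$("$DIG" +short A "$host" | head -n 1)
            if [ -z "$addr" ]; then
                echo "MISSING A $host"
                missing=1
                continue
            fi
            # ... and that address must map back to a name (the PTR record).
            ptr=$("$DIG" +short -x "$addr" | head -n 1)
            if [ -z "$ptr" ]; then
                echo "MISSING PTR $addr ($host)"
                missing=1
            fi
        done
    done
    return "$missing"
}
```

Running check_realm_dns local on the engine host prints nothing and returns 0 once all three record types are in place; a NXDOMAIN like the one in the log shows up as a MISSING SRV line.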

Thanks Roy, it did help me! When I update my database, engine-manage-domains goes fine!
I would really prefer to attach the log, but there is no such file /var/log/ovirt-engine/ovirt-engine-upgrade.log

[root@ovirt-engine ~]# ls -ld /var/log/ovirt-engine/ovirt-engine-upgrade.log
ls: cannot access /var/log/ovirt-engine/ovirt-engine-upgrade.log: No such file or directory
[root@ovirt-engine ~]# find /var/log/ -iname "*upgrade*"

Nothing.
Anything else I can help with?

On 22 May, 2012, at 3:04 PM, Roy Golan wrote:
On 05/22/2012 08:34 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "T-Sinjon"<tscbj1989@gmail.com>
To: "Roy Golan"<rgolan@redhat.com>
Cc: "Oved Ourfalli"<ovedo@redhat.com>, users@ovirt.org
Sent: Tuesday, May 22, 2012 5:33:06 AM
Subject: Re: [Users] engine-manage-domains can't add user , domain

Hi, Roy

I have updated my engine to the newest using 'rpm -Uvh' -
I used rpms from http://jenkins.ovirt.org/view/ovirt_engine/job/ovirt_engine_create_rpms/ .

[root@ovirt-engine ~]# rpm -qa | grep ovirt-engine
ovirt-engine-dbscripts-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-config-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-log-collector-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-image-uploader-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-restapi-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-sdk-1.3-1.fc16.noarch
ovirt-engine-tools-common-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-backend-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-jbossas-1.2-2.fc16.x86_64
ovirt-engine-iso-uploader-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-setup-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-userportal-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-jboss-deps-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-webadmin-portal-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-genericapi-3.1.0_0001-1.8.fc16.x86_64
ovirt-engine-notification-service-3.1.0_0001-1.8.fc16.x86_64

And now I add the domain again, it still has an error and there's no log I can find in engine-manage-domains.log, what should I do now?

[root@ovirt-engine ~]# engine-manage-domains -action=add -domain=local -user=admin -provider=IPA -interactive
Failed reading current configuration. Details: Error "Error fetching LDAPProviderTypes value: no such entry with version 'general'." while reading configuration value LDAPProviderTypes.
Looks like your database isn't updated. I'm not sure whether a database upgrade is run automatically when you update the RPMs, but according to the error you get it probably isn't.
If rpm -Uvh didn't fire the upgrade script it's a bug. Please attach /var/log/ovirt-engine/ovirt-engine-upgrade.log to see if something went wrong.
In the RPM ovirt-engine-dbscripts-3.1.0_0001-1.8.fc16.x86_64 you should have an upgrade script. (use rpm -qil on ovirt-engine-dbscripts-3.1.0_0001-1.8.fc16.x86_64 to find out where it is, as I'm not sure exactly where it's installed).
Run it using the command:
./upgrade.sh -u postgres
It will upgrade your database.
Oved
On 15 May, 2012, at 5:10 PM, Roy Golan wrote:
On 05/15/2012 08:48 AM, Yair Zaslavsky wrote:
On 05/15/2012 08:35 AM, Oved Ourfalli wrote:
----- Original Message -----
> From: "T-Sinjon"<tscbj1989@gmail.com>
> To: "Oved Ourfalli"<ovedo@redhat.com>
> Cc: users@ovirt.org
> Sent: Tuesday, May 15, 2012 5:53:16 AM
> Subject: Re: [Users] engine-manage-domains can't add user , domain
>
> after use kinit login tsinjon , the error changes to , why this happened?
>
> [root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive
> Enter password:
>
> No user in Directory was found for tsinjon@LOCAL. Trying next LDAP server in list
> Failure while testing domain local. Details: No user information was found for user
>
Can't see why kinit matters here, but looking at your command I noticed you used single quotes for the user and domain name. I'm not sure it knows to handle this correctly. Did you try without the quotes?
Also, what version are you working with? We had a problem a few weeks ago, of identifying the correct ldap provider. To fix that we added an option to specify the ldap provider type. It determines which query will be used in order to get the user details.
cc-ing Roy, who added this. IIRC it is mandatory to provide this option, so you probably don't have this option in your environment. Roy - is there an upstream release with this fix? Oved - this was merged upstream. T-Sinjon - have you cloned the git repo and compiled or are you using RPMs? T-Sinjon - once you're updated you'll be able to specify which type your LDAP server is and overcome this problem.
e.g. engine-manage-domains -action=add -domain='local' -provider=ipa -user='tsinjon' -interactive
Regards, Oved

----- Original Message -----
On 05/22/2012 08:34 AM, Oved Ourfalli wrote:
Looks like your database isn't updated. I'm not sure whether a database upgrade is run automatically when you update the RPMs, but according to the error you get it probably isn't.
If rpm -Uvh didn't fire the upgrade script it's a bug. Please attach /var/log/ovirt-engine/ovirt-engine-upgrade.log to see if something went wrong.
This is completely not true. We don't support rpm -Uvh rhevm at all; the right way to upgrade rpms is using the engine-upgrade utility. Also, since you have "devel" rpms, it is recommended to do a clean install of the rpms.
participants (5)
- Ofer Schreiber
- Oved Ourfalli
- Roy Golan
- T-Sinjon
- Yair Zaslavsky