[Users] I don't know how to add AD users

Hi,

I'm trying to add some users to ovirt using an AD.

This is the configuration I used for a mediawiki site, which is working correctly:
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPUseLocal = true;
$wgLDAPDomainNames = array( "a_domain");
$wgLDAPServerNames = array( "a_domain"=>"site.example.com");
$wgLDAPEncryptionType = array( "a_domain"=>"clear");
$wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME");
$wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com");

Those are the commands I tried using:
engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@company.com -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example.com -interactive

And the output on all tries:
Enter password:

Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command
Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.

Can someone help me with the correct parameters?

Best regards,
Cristian Falcas

On 11/19/2012 10:01 AM, Cristian Falcas wrote:
Those are the commands I tried using:
engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@company.com -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example.com -interactive
You don't add a user this way. You add the domain. You have to pass the domain admin user and the domain admin password.
Then you can use the domain within the engine, e.g. search users, add access rights for VMs etc.
Even logging in to the engine and assigning rights within the engine you can handle from the engine itself.

Regards,
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
--
Regards,
Vinzenz Feenstra | Senior Software Engineer
RedHat Engineering Virtualization R & D
Phone: +420 532 294 625
IRC: vfeenstr or evilissimo
Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com

+ LdapEncryptionType clear is not understandable.
What did you mean by that?

----- Original Message -----
From: "Vinzenz Feenstra" <vfeenstr@redhat.com>
To: users@ovirt.org
Sent: Monday, November 19, 2012 11:29:42 AM
Subject: Re: [Users] I don't know how to add AD users

On Mon, Nov 19, 2012 at 12:15 PM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
+ LdapEncryptionType clear is not understandable. What did you mean by that?
That was the configuration needed for the wiki extension used for LDAP authentication.

So the admin user is needed in order to retrieve the list of users only?

Can someone recommend the simplest LDAP server installation I could use for this? I was thinking first of FreeIPA, but it's not compatible with mod_ssl, which is required by oVirt.

Best regards,
Cristian Falcas

On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
You don't add an user this way. You add the domain. You have to pass the domain admin user and the domain admin password.
Any domain user will do; it doesn't have to be an admin. What does the log say?

On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim@redhat.com> wrote:
any domain user will do, doesn't have to be an admin. what does the log say?
Hi,

This is the command I used (the same error occurs with the -interactive parameter):
engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass

[root@localhost ~]# cat /tmp/pass
qwerty[root@localhost ~]#

This is the log:
2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.

This is the ldapsearch command that works (it retrieves users) from the same machine:
ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty

Best regards,
Cristian Falcas

On 11/20/2012 12:39 AM, Cristian Falcas wrote:
This is the log:
2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
Hi, the error indicates you don't have Kerberos configured. manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to running ldapsearch with the -Y gssapi option). I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well).
This is the ldapsearch command that works (it retrieves users) from the same machine:
ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty
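A preflight check and log triage for the two failures in this thread (the "verify the fully qualified domain name" error and "Cannot locate KDC"), written here as an added example; it is not oVirt code and not anything the posters ran. It assumes the Kerberos realm is derived from the -domain value and that the part after @ in -user must name that same DNS domain; the resolver hook and the log sample are constructed from the lines quoted above.

```python
import re
from typing import Callable, Dict, List, Optional

# SRV records a Kerberos/AD client resolves to find a KDC and the LDAP service.
SRV_TEMPLATES = ("_kerberos._tcp.{d}", "_kerberos._udp.{d}", "_ldap._tcp.{d}")

# Messages seen in this thread, mapped to a diagnosis (assumed interpretation).
KNOWN_ERRORS = {
    "Cannot locate KDC":
        "No KDC could be found for the realm: the engine host cannot resolve "
        "_kerberos._tcp.<domain> and krb5.conf names no kdc for it.",
    "Please verify the fully qualified domain name":
        "-domain is not the AD DNS domain (a short/NetBIOS name was given), "
        "so no Kerberos realm and no KDC can be derived from it.",
}

# Hostname grammar: dotted labels of letters, digits and hyphens, 253 chars max.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$", re.I)


def kerberos_realm(domain: str) -> str:
    """A Kerberos realm is conventionally the DNS domain in upper case."""
    return domain.upper()


def srv_names(domain: str) -> List[str]:
    """SRV record names a Kerberos/LDAP client will look up for this domain."""
    return [t.format(d=domain) for t in SRV_TEMPLATES]


def preflight(domain: str, user: str,
              resolve: Optional[Callable[[str], bool]] = None) -> List[str]:
    """Findings about -domain/-user before running engine-manage-domains.
    `resolve(name)` is an optional hook answering whether an SRV name exists;
    leave it None to run offline."""
    findings: List[str] = []
    if not FQDN_RE.match(domain):
        findings.append(f"-domain={domain} is not a fully qualified DNS name")
    if "@" not in user:
        findings.append("-user lacks a realm: expected user@<fqdn>")
    else:
        realm = user.split("@", 1)[1]
        if realm.lower() != domain.lower():
            # Assumed: the principal's realm is derived from -domain, not from -user.
            findings.append(
                f"-user realm {realm!r} differs from -domain {domain!r}; the "
                f"Kerberos principal would be {user.split('@')[0]}@{kerberos_realm(domain)}")
    if resolve is not None:
        for name in srv_names(domain):
            if not resolve(name):
                findings.append(f"{name} does not resolve: expect 'Cannot locate KDC'")
    return findings


def classify_log(lines: List[str]) -> Dict[str, str]:
    """Map each known error text present in the log lines to its diagnosis."""
    return {needle: meaning for needle, meaning in KNOWN_ERRORS.items()
            if any(needle in line for line in lines)}


# Constructed sample: the engine log lines quoted in the thread.
SAMPLE_LOG = [
    "2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com",
    "2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC",
    "2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.",
]

if __name__ == "__main__":
    # The thread's last attempt: an FQDN domain but a short-name realm in -user.
    for finding in preflight("example.com", "user.name@a_domain"):
        print("preflight:", finding)
    for needle, meaning in classify_log(SAMPLE_LOG).items():
        print(f"log: {needle!r} -> {meaning}")
```

Wire `resolve` to a real SRV lookup on the engine host to turn the KDC-discovery finding into an actual check rather than a prediction.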

On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
On 11/20/2012 12:39 AM, Cristian Falcas wrote:
On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim@redhat.com <mailto:iheim@redhat.com>> wrote:
On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
On 11/19/2012 10:01 AM, Cristian Falcas wrote:
Hi,
I'm trying to add some users to ovirt using an AD.
This is the configuration I used for a mediawiki site, which is working correctly: $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPUseLocal = true; $wgLDAPDomainNames = array( "a_domain"); $wgLDAPServerNames = array( "a_domain"=>"site.example.com <http://site.example.com> <http://site.example.com>");
$wgLDAPEncryptionType = array( "a_domain"=>"clear"); $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-**__NAME"); $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=__**com");
Those are the commands I tried using: engine-manage-domains -action=add -domain=site.example.com <http://site.example.com> <http://site.example.com> -provider=ActiveDirectory -user=user.name <http://user.name> <http://user.name> -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@company.com <mailto:user.name@company.com> <mailto:user.name@company.com
<mailto:user.name@company.com>**> -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example._** _com <mailto:user.name@site.**example.com<user.name@site.example.com>
<mailto:user.name@site.__examp**le.com <http://example.com>
<mailto:user.name@site.**example.com<user.name@site.example.com>>> -interactive
You don't add an user this way. You add the domain. You have to pass the domain admin user and the domain admin password.
any domain user will do, doesn't have to be an admin. what does the log say?
Then you can use the domain within the engine. e.g. search users, add access rights for vms etc. Even login to the engine and assigning rights within the engine you can handle from the engine itself.
Regards,
And the output on all tries: Enter password:
Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
Can someone help me with the correct parameters?
Best regards, Cristian Falcas
______________________________**___________________ Users mailing list Users@ovirt.org <mailto:Users@ovirt.org> http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.org/__mailman/listinfo/users>
<http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org/mailman/listinfo/users>
-- Regards,
Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625 <tel:%2B420%20532%20294%20625>
IRC: vfeenstr or evilissimo
Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com <http://redhat.com>
Hi,
This is the command I used (the same error is with -interactive parameter):
engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass
[root@localhost ~]# cat /tmp/pass qwerty[root@localhost ~]#
This is the log:
2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
Hi, the error indicates you don't have kerberos configured. manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to run ldapsearch with -Y gssapi option). I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well).
This is the ldapsearch command that works (it retrieves users) from the same machine:
ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty
Best regards, Cristian Falcas
Hi, I used "-x" for ldapsearch and the result is the same: list retrieved. Is there any equivalent for engine-manage-domains? Cristian.

On 11/20/2012 09:05 AM, Cristian Falcas wrote:
Hi,
I used "-x" for ldapsearch and the result is the same: list retrieved. Is there any equivalent for engine-manage-domains?
Cristian
Hi Cristian, there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues. What ldap server are you working against? Maybe I missed that.

On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
Hi Cristian, there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues. What ldap server are you working against? Maybe I missed that.
Hi,
The server is a Microsoft AD 2003.
Best regards, Cristian Falcas

On 11/20/2012 09:56 AM, Cristian Falcas wrote:
Hi,
The server is a Microsoft AD 2003.
Best regards, Cristian Falcas
this should work, is the AD also the DNS server for the ovirt engine machine?

On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim@redhat.com> wrote:
On 11/20/2012 09:56 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>> wrote:
On 11/20/2012 09:05 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> <mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>>> wrote:
On 11/20/2012 12:39 AM, Cristian Falcas wrote:
On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim@redhat.com <mailto:iheim@redhat.com> <mailto:iheim@redhat.com <mailto:iheim@redhat.com>> <mailto:iheim@redhat.com <mailto:iheim@redhat.com> <mailto:iheim@redhat.com <mailto:iheim@redhat.com>>>> wrote:
On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
On 11/19/2012 10:01 AM, Cristian Falcas wrote:
Hi,
I'm trying to add some users to ovirt using an AD.
This is the configuration I used for a mediawiki site, which is working correctly: $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPUseLocal = true; $wgLDAPDomainNames = array( "a_domain"); $wgLDAPServerNames = array( "a_domain"=>"site.example.com <http://site.example.com> <http://site.example.com> <http://site.example.com> <http://site.example.com>");
$wgLDAPEncryptionType = array( "a_domain"=>"clear"); $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-** ______NAME"); $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=___**___com");
Those are the commands I tried using: engine-manage-domains -action=add -domain=site.example.com <http://site.example.com> <http://site.example.com> <http://site.example.com> <http://site.example.com> -provider=ActiveDirectory -user=user.name <http://user.name> <http://user.name> <http://user.name> <http://user.name> -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>**> <mailto:user.name@company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>**>__> <mailto:user.name@company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>**>
<mailto:user.name@company.com <mailto:user.name@company.com> <mailto:user.name@company.com <mailto:user.name@company.com>**>__>__> -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example._**_____com
<mailto:user.name@site. <mailto:user.name@site.>__exam**p__le.com <http://examp__le.com>< http://example.com> <mailto:user.name@site.__examp**le.com<http://example.com> <mailto:user.name@site.**example.com <user.name@site.example.com>
<mailto:user.name@site <mailto:user.name@site>. <mailto:user.name@site <mailto:user.name@site>.>__exa**m__p__le.com<http://exam__p__le.com> <http://examp__le.com> <http://example.com>
<mailto:user.name@site. <mailto:user.name@site.>__exam**p__le.com <http://examp__le.com>< http://example.com> <mailto:user.name@site.__examp**le.com<http://example.com> <mailto:user.name@site.**example.com <user.name@site.example.com>>>>> -interactive
You don't add an user this way. You add the domain. You have to pass the domain admin user and the domain admin password.
any domain user will do, doesn't have to be an admin. what does the log say?
Then you can use the domain within the engine. e.g. search users, add access rights for vms etc. Even login to the engine and assigning rights within the engine you can handle from the engine itself.
Regards,
And the output on all tries: Enter password:
Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
Can someone help me with the correct parameters?
Best regards, Cristian Falcas
______________________________**_______________________
Users mailing list Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>> <mailto:Users@ovirt.org <mailto:Users@ovirt.org> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>> http://lists.ovirt.org/______**mailman/listinfo/users<http://lists.ovirt.org/______mailman/listinfo/users> <http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt.org/____mailman/listinfo/users>
<http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt.org/____mailman/listinfo/users> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.org/__mailman/listinfo/users>
<http://lists.ovirt.org/____**mailman/listinfo/users<http://lists.ovirt.org/____mailman/listinfo/users> <http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.org/__mailman/listinfo/users>
<http://lists.ovirt.org/__**mailman/listinfo/users<http://lists.ovirt.org/__mailman/listinfo/users> <http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org/mailman/listinfo/users>
-- Regards,
Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625 <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625>
IRC: vfeenstr or evilissimo
Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com <http://redhat.com> <http://redhat.com> <http://redhat.com>
Hi,
This is the command I used (the same error occurs with the -interactive parameter):
engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass
[root@localhost ~]# cat /tmp/pass
qwerty[root@localhost ~]#
This is the log:
2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
Hi, the error indicates you don't have kerberos configured. manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to running ldapsearch with the -Y gssapi option). I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well).
This is the ldapsearch command that works (it retrieves users) from the same machine:
ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty
Best regards, Cristian Falcas
Hi,
I used "-x" for ldapsearch and the result is the same: list retrieved. Is there any equivalent for engine-manage-domains?
Cristian
Hi Cristian, there is no code allowing simple-authentication domains to be added to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues. What LDAP server are you working against? Maybe I missed that.
Hi,
The server is a Microsoft AD 2003.
Best regards, Cristian Falcas
This should work. Is the AD also the DNS server for the oVirt engine machine?
yes

Hi,
So there is no way to use the domain I have at work, right?
I will need to make a freeipa installation in order to add new users.
Cristian
On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas <cristi.falcas@gmail.com> wrote:

On 11/20/2012 03:00 PM, Cristian Falcas wrote:
Hi,
So there is no way to use the domain I have at work, right?
I will need to make a freeipa installation in order to add new users.
There is no reason this shouldn't work with Active Directory 2003 (assuming its forest level isn't still in AD 2000 compatibility mode?). A tcpdump of the traffic during engine-manage-domains should help diagnose why.
Cristian
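The two diagnostics raised in this thread, whether the engine host resolves names through the AD domain controllers (Itamar's question about the DNS server) and whether a GSSAPI bind works rather than only the simple bind that ldapsearch -x exercises (Yair's point), can be checked before running engine-manage-domains. The script below is an added example for this thread, not part of oVirt and not code from any poster; the function names, the constructed SRV sample and the dc1/dc2/dc3 host names are assumptions, and it assumes dig, kinit and ldapsearch are installed (nc is optional, OpenBSD-style flags assumed). The "Cannot locate KDC" message is what a Java Kerberos client reports when no KDC for the realm can be found through its configuration or DNS; in an AD domain that discovery rests on the _kerberos._tcp and _ldap._tcp SRV records, which is why the resolver matters.

```shell
#!/bin/sh
# kdc_preflight.sh: preflight checks for the DNS and Kerberos prerequisites that
# engine-manage-domains depends on. Added example for this thread, not oVirt code.
# Assumes dig(1), kinit(1) and ldapsearch(1); nc(1) is used only when present.

# Pick the preferred server from "dig +short SRV" output lines
# ("<priority> <weight> <port> <target>."): lowest priority wins, then
# highest weight. Prints "target:port" without the trailing dot.
pick_srv_target() {
    sort -k1,1n -k2,2nr | awk 'NR == 1 { sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# Nameservers the engine host actually uses. For AD KDC discovery these should
# be the domain controllers (the "is the AD also the DNS server" question above).
resolvers() {
    awk '/^nameserver/ { print $2 }' /etc/resolv.conf
}

# SRV records AD publishes for a service. $1 = service label
# (_kerberos._tcp or _ldap._tcp), $2 = DNS name of the AD domain.
srv_lookup() {
    dig +short SRV "$1.$2"
}

# Optional TCP reachability check of "host:port"; skipped when nc is missing.
tcp_check() {
    host=${1%:*}; port=${1##*:}
    if command -v nc >/dev/null 2>&1; then
        if nc -z -w 3 "$host" "$port"; then
            echo "OK: tcp $host:$port reachable"
        else
            echo "FAIL: tcp $host:$port not reachable"
        fi
    fi
}

# Full preflight for one AD domain: $1 = DNS domain (e.g. example.com),
# $2 = Kerberos principal for the GSSAPI probe (e.g. user.name@EXAMPLE.COM,
# realm in upper case). Both are hypothetical placeholders.
preflight() {
    domain=$1; user=$2
    echo "resolvers in /etc/resolv.conf: $(resolvers | tr '\n' ' ')"
    ldap_host=""
    for svc in _kerberos._tcp _ldap._tcp; do
        records=$(srv_lookup "$svc" "$domain")
        if [ -z "$records" ]; then
            echo "FAIL: no SRV records for $svc.$domain (resolver does not serve the AD zone)"
            return 1
        fi
        target=$(printf '%s\n' "$records" | pick_srv_target)
        echo "OK: $svc.$domain -> $target"
        tcp_check "$target"
        if [ "$svc" = _ldap._tcp ]; then ldap_host=${target%:*}; fi
    done
    # manage-domains binds with GSSAPI by default; a working "ldapsearch -x"
    # only proves a simple bind, so probe the same mechanism it uses.
    echo "GSSAPI probe against $ldap_host:"
    kinit "$user" && ldapsearch -Y GSSAPI -H "ldap://$ldap_host" -b "" -s base defaultNamingContext
}

# Constructed sample of "dig +short SRV" output for a domain with three DCs
# (not taken from the thread); exercises the selection rule without network access.
SAMPLE_SRV='10 50 88 dc2.example.com.
0 100 88 dc1.example.com.
0 40 88 dc3.example.com.'

printf '%s\n' "$SAMPLE_SRV" | pick_srv_target   # prints dc1.example.com:88

# Run the live checks only when a domain and a principal are given.
if [ $# -ge 2 ]; then
    preflight "$1" "$2"
fi
```

Run as `sh kdc_preflight.sh example.com user.name@EXAMPLE.COM` on the engine host. A FAIL on the SRV step before any Kerberos traffic is sent points at the resolver rather than at credentials, which is the distinction the log above cannot make on its own.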

On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim <iheim@redhat.com> wrote:
On 11/20/2012 03:00 PM, Cristian Falcas wrote:
Hi,
So there is no way to use the domain I have at work, right?
I will need to make a freeipa installation in order to add new users.
There is no reason this shouldn't work with Active Directory 2003 (assuming its forest level isn't still in AD 2000 compatibility mode?). A tcpdump of the traffic during engine-manage-domains should help diagnose why.
Cristian
On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas <cristi.falcas@gmail.com <mailto:cristi.falcas@gmail.**com<cristi.falcas@gmail.com>>> wrote:
On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim@redhat.com <mailto:iheim@redhat.com>> wrote:
On 11/20/2012 09:56 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> <mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>>> wrote:
On 11/20/2012 09:05 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> <mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>> <mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> <mailto:yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>>>**> wrote:
On 11/20/2012 12:39 AM, Cristian Falcas wrote:
On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim@redhat.com <mailto:iheim@redhat.com> <mailto:iheim@redhat.com <mailto:iheim@redhat.com>> <mailto:iheim@redhat.com <mailto:iheim@redhat.com> <mailto:iheim@redhat.com <mailto:iheim@redhat.com>>> <mailto:iheim@redhat.com <mailto:iheim@redhat.com> <mailto:iheim@redhat.com <mailto:iheim@redhat.com>> <mailto:iheim@redhat.com <mailto:iheim@redhat.com> <mailto:iheim@redhat.com <mailto:iheim@redhat.com>>>>> wrote:
On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
On 11/19/2012 10:01 AM, Cristian Falcas wrote:
Hi,
I'm trying to add some users to ovirt using an AD.
This is the configuration I used for a mediawiki site, which is working correctly:
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPUseLocal = true;
$wgLDAPDomainNames = array( "a_domain");
$wgLDAPServerNames = array( "a_domain"=>"site.example.com");
$wgLDAPEncryptionType = array( "a_domain"=>"clear");
$wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME");
$wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com");
Those are the commands I tried using:
engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@company.com -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example.com -interactive
You don't add a user this way. You add the domain. You have to pass the domain admin user and the domain admin password.
any domain user will do, doesn't have to be an admin. what does the log say?
Then you can use the domain within the engine. e.g. search users, add access rights for vms etc. Even login to the engine and assigning rights within the engine you can handle from the engine itself.
Regards,
And the output on all tries: Enter password:
Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
Can someone help me with the correct parameters?
Best regards, Cristian Falcas
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
-- Regards,
Vinzenz Feenstra | Senior Software Engineer
RedHat Engineering Virtualization R & D
Phone: +420 532 294 625
IRC: vfeenstr or evilissimo
Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com
Hi,
This is the command I used (the same error is with -interactive parameter):
engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass
[root@localhost ~]# cat /tmp/pass
qwerty[root@localhost ~]#
This is the log:
2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
Hi, the error indicates you don't have kerberos configured. manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to run ldapsearch with -Y gssapi option). I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well).
This is the ldapsearch command that works (it retrieves users) from the same machine:
ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty
Best regards, Cristian Falcas
Hi,
I used "-x" for ldapsearch and the result is the same: list retrieved. Is there any equivalent for engine-manage-domains?
Cristian
Hi Cristian, there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues. What ldap server are you working against? Maybe I missed that
Hi,
The server is a Microsoft AD 2003.
Best regards, Cristian Falcas
this should work, is the AD also the DNS server for the ovirt engine machine?
yes

----- Original Message -----
From: "Cristian Falcas" <cristi.falcas@gmail.com>
To: "Itamar Heim" <iheim@redhat.com>
Cc: "Yair Zaslavsky" <yzaslavs@redhat.com>, users@ovirt.org
Sent: Tuesday, November 20, 2012 7:33:39 PM
Subject: Re: [Users] I don't know how to add AD users
On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim <iheim@redhat.com> wrote:
On 11/20/2012 03:00 PM, Cristian Falcas wrote:
Hi,
So there is no way to use the domain I have at work, right?
I will need to make a freeipa installation in order to add new users.
there is no reason this shouldn't work with active directory 2003 (assuming its forest level isn't still in AD 2000 compatibility mode?).
tcpdump for the traffic during engine-manage-domains should help diagnosing why.
Cristian
Could you take a look at the tcp dump? There are only 2 messages relevant to this (let me know if you want the full dump):
- 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV _kerberos._tcp.EXAMPLE.COM
- 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 100 88 site3.example.com
Also, I tried to run ldapsearch with -Y gssapi:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No worthy mechs found
Best regards, Cristian Falcas
The SRV records look fine. If I remember correctly, your DNS should have a reverse-resolve PTR record to your engine machine. Does it exist?
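Added example, not code from the thread, from oVirt or from any of the posters: a small offline preflight script for the two things the log and the capture above turn on. It parses the SRV answer from the capture (copied in as constructed sample text), orders the KDCs the way an RFC 2782 client does, renders the [realms] and [domain_realm] entries a krb5.conf needs for them, and checks the -user= value against the realm. Kerberos realm names are case-sensitive (RFC 4120) and Active Directory's realm is the DNS domain name in upper case, so a principal such as user.name@a_domain, which an LDAP simple bind may accept, is not a principal of realm EXAMPLE.COM. The host names, domain and principal strings are the ones from the thread; the function names and the krb5.conf layout are my own.

```python
"""Preflight checks for adding an Active Directory domain over Kerberos.

Added example, not oVirt code: it models what the engine's Kerberos
configuration step depends on, fed with the SRV answer from the thread's
packet capture as constructed sample input. No network access is made.
"""
import random
import re

# Constructed sample: the DNS response line from the capture in the thread.
# The parser also accepts `dig +short SRV` output ("prio weight port target").
SAMPLE_CAPTURE_LINE = (
    "2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response "
    "SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com "
    "SRV 0 100 88 site3.example.com"
)

_SRV_RE = re.compile(r"(?:\bSRV\s+)?(\d+)\s+(\d+)\s+(\d+)\s+([A-Za-z0-9.-]+)")


def parse_srv(text):
    """Parse every SRV record in `text` into (priority, weight, port, target)."""
    records = []
    for line in text.splitlines():
        for m in _SRV_RE.finditer(line):
            prio, weight, port, target = m.groups()
            records.append((int(prio), int(weight), int(port),
                            target.rstrip(".").lower()))
    return records


def order_kdcs(records, rng=None):
    """Order targets as an RFC 2782 client does: lowest priority first,
    then weighted-random among records that share a priority."""
    rng = rng or random.Random(0)  # fixed seed keeps the example reproducible
    ordered = []
    for prio in sorted(set(r[0] for r in records)):
        group = [r for r in records if r[0] == prio]
        while group:
            total = sum(r[1] for r in group)
            chosen = group[0]
            if total:
                x = rng.randint(0, total - 1)
                acc = 0
                for r in group:
                    acc += r[1]
                    if x < acc:
                        chosen = r
                        break
            group.remove(chosen)
            ordered.append("%s:%d" % (chosen[3], chosen[2]))
    return ordered


def realm_for_domain(domain):
    """AD realm name: the DNS domain, upper-cased (realms are case-sensitive)."""
    return domain.strip().rstrip(".").upper()


def check_principal(principal, domain):
    """Validate the -user= value against the realm of `domain`.

    Returns (ok, message). A short name after '@' (no dot, e.g. a NetBIOS
    domain) may satisfy an LDAP simple bind but is not a Kerberos realm.
    """
    expected = realm_for_domain(domain)
    if "@" not in principal:
        return False, "missing realm; use %s@%s" % (principal, expected)
    user, realm = principal.rsplit("@", 1)
    if realm == expected:
        return True, "ok"
    if realm.upper() == expected:
        return False, "realm is case-sensitive; use %s@%s" % (user, expected)
    if "." not in realm:
        return False, ("'%s' looks like a NetBIOS domain, not a realm; "
                       "use %s@%s" % (realm, user, expected))
    return False, "realm %s does not belong to %s; expected %s" % (
        realm, domain, expected)


def krb5_realm_stanza(domain, kdcs):
    """Render the [realms] and [domain_realm] entries for the discovered KDCs."""
    realm = realm_for_domain(domain)
    dom = domain.strip().rstrip(".").lower()
    lines = ["[realms]", "  %s = {" % realm]
    lines += ["    kdc = %s" % k for k in kdcs]
    lines += ["  }", "", "[domain_realm]",
              "  .%s = %s" % (dom, realm),
              "  %s = %s" % (dom, realm)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    kdcs = order_kdcs(parse_srv(SAMPLE_CAPTURE_LINE))
    print(krb5_realm_stanza("example.com", kdcs))
    for p in ("user.name@a_domain", "user.name@example.com",
              "user.name@EXAMPLE.COM"):
        print("%-24s %s" % (p, check_principal(p, "example.com")[1]))
```

Run it to print the stanza and a verdict for each principal form. On the engine host, kinit user.name@EXAMPLE.COM exercises the same KDC lookup without the LDAP layer, and dig -x <engine IP> answers the PTR question above. ldapsearch -Y GSSAPI additionally needs a SASL GSSAPI mechanism plugin on the client; "No worthy mechs found" usually means that plugin is not installed, not a problem on the directory side.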
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-= left:1px solid rgb(204,204,204);padding-left:1ex"><div class=3D"im"> <br> Cristian<br> <br> <br> On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas<br></div><div class=3D"im= "> <<a href=3D"mailto:cristi.falcas@gmail.com" target=3D"_blank">cristi.fal= cas@gmail.com</a> <mailto:<a href=3D"mailto:cristi.falcas@gmail.com" tar= get=3D"_blank">cristi.falcas@gmail.<u></u>com</a>>> wrote:<br> <br> <br> <br> <br> On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <<a href=3D"m= ailto:iheim@redhat.com" target=3D"_blank">iheim@redhat.com</a><br></div><di= v class=3D"im"> <mailto:<a href=3D"mailto:iheim@redhat.com" target=3D"_bla= nk">iheim@redhat.com</a>>> wrote:<br> <br> On 11/20/2012 09:56 AM, Cristian Falcas wrote:<= br> <br> <br> <br> <br> On Tue, Nov 20, 2012 at 9:42 AM, = Yair Zaslavsky<br> <<a href=3D"mailto:yzaslavs@re= dhat.com" target=3D"_blank">yzaslavs@redhat.com</a> <mailto:<a href=3D"m= ailto:yzaslavs@redhat.com" target=3D"_blank">yzaslavs@redhat.com</a>><br= ple.com" target=3D"_blank">site.example.com</a><br> <<a href=3D"http://site.exampl= e.com" target=3D"_blank">http://site.example.com</a>> <<a href=3D"htt= p://site.example.com" target=3D"_blank">http://site.example.com</a>><br>  = ;<<a href=3D"http://site.example.com" target=3D"_blank">http://site.exam= ple.com</a>><br>  = ; &nb= sp;<<a href=3D"http://site.example.com" target=3D"_blank">http://site.ex= ample.com</a>><br>  = ; &nb= sp;<<a href=3D"http://site.example.com" target=3D"_blank">http://site.ex= ample.com</a>>");<br> <br>  = ; &nb= sp;$wgLDAPEncryptionType =3D array(<br>  = ;"a_domain"=3D>"clear");<br>  = ; &nb= sp;$wgLDAPSearchStrings =3D array(<br> <br></div></div> "a_domain"=3D>"rom_domain\\USE= R-<u></u>________NAME");<br>  = ; &nb= sp;$wgLDAPBaseDNs =3D array(<br>  = ; "a_domain"=3D>"dc=3Dcompany,dc=3D___<u></u= p://site.example.com" target=3D"_blank">http://site.example.com</a>><br>  = ;<<a href=3D"http://site.example.com" 
target=3D"_blank">http://site.exam= ple.com</a>><br>  = ; &nb= sp;<<a href=3D"http://site.example.com" target=3D"_blank">http://site.ex= ample.com</a>><br>  = ; &nb= sp;<<a href=3D"http://site.example.com" target=3D"_blank">http://site.ex= ample.com</a>><br>  = ;-provider=3DActiveDirectory<br>  = ; &nb= sp;-user=3D<a href=3D"http://user.name" target=3D"_blank">user.name</a><br> <<a href=3D"http://user.name" = target=3D"_blank">http://user.name</a>> <<a href=3D"http://user.name"= target=3D"_blank">http://user.name</a>><br>  = ;<<a href=3D"http://user.name" target=3D"_blank">http://user.name</a>>= ; <<a href=3D"http://user.name" target=3D"_blank">http://user.name</a>&g= t;<br>  = ; &nb= sp;<<a href=3D"http://user.name" target=3D"_blank">http://user.name</a>&= gt; -interactive<br> <br> <br>  = ; &nb= sp;engine-manage-domains -action=3Dadd<br>  = ;-domain=3Da_domain<br>  = ; &nb= sp;-provider=3DActiveDirectory<br>  = ; -user=3D<a href=3D"mailto:user.name@company.c= om" target=3D"_blank">user.name@company.com</a><br> <mailto:<a href=3D"mailto:user= .name@company.com" target=3D"_blank">user.name@company.com</a>><br>  = ;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">user= .name@company.com</a><br> <mailto:<a href=3D"mailto:user= .name@company.com" target=3D"_blank">user.name@company.com</a>><u></u>&g= t;<br> <mailto:<a href=3D"mailto:user= .name@company.com" target=3D"_blank">user.name@company.com</a> <mailto:<= a href=3D"mailto:user.name@company.com" target=3D"_blank">user.name@company= .com</a>><br>  = ;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">user= .name@company.com</a><br> <mailto:<a href=3D"mailto:user= .name@company.com" target=3D"_blank">user.name@company.com</a>><u></u>&g= t;__><br>  = ; &nb= sp;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">us= er.name@company.com</a><br> <mailto:<a href=3D"mailto:user= .name@company.com" target=3D"_blank">user.name@company.com</a>><br>  = ;<mailto:<a 
href=3D"mailto:user.name@company.com" target=3D"_blank">user= .name@company.com</a><br> <mailto:<a href=3D"mailto:user= .name@company.com" target=3D"_blank">user.name@company.com</a>><u></u>&g= t;<br>  = ; <mailto:<a href=3D"mailto:user.name@compan= y.com" target=3D"_blank">user.name@company.com</a><br> <mailto:<a href=3D"mailto:user= .name@company.com" target=3D"_blank">user.name@company.com</a>><br>  = ;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">user= .name@company.com</a><br> <mailto:<a href=3D"mailto:user= .name@company.com" target=3D"_blank">user.name@company.com</a>><u></u>&g= t;__>__><br>  = ; &nb= sp;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">us= er.name@company.com</a><br> <mailto:<a href=3D"mailto:user= .name@company.com" target=3D"_blank">user.name@company.com</a>><br>  = ;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">user= .name@company.com</a><br> <mailto:<a href=3D"mailto:user= .name@company.com" target=3D"_blank">user.name@company.com</a>><u></u>&g= t;<br>  = ; <mailto:<a href=3D"mailto:user.name@compan= y.com" target=3D"_blank">user.name@company.com</a><br> <mailto:<a href=3D"mailto:user= .name@company.com" target=3D"_blank">user.name@company.com</a>><br>  = ;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">user= .name@company.com</a><br> <mailto:<a href=3D"mailto:user= .name@company.com" target=3D"_blank">user.name@company.com</a>><u></u>&g= t;__><br> <br>  = ; &nb= sp;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">us= er.name@company.com</a><br> <mailto:<a href=3D"mailto:user= .name@company.com" target=3D"_blank">user.name@company.com</a>><br>  = ;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">user= .name@company.com</a><br> <mailto:<a href=3D"mailto:user= .name@company.com" target=3D"_blank">user.name@company.com</a>><u></u>&g= t;<br>  = ; <mailto:<a href=3D"mailto:user.name@compan= y.com" 
target=3D"_blank">user.name@company.com</a><br> <mailto:<a href=3D"mailto:user= .name@company.com" target=3D"_blank">user.name@company.com</a>><br>  = ;<mailto:<a href=3D"mailto:user.name@company.com" target=3D"_blank">user= .name@company.com</a><br></div></div> <mailto:<a href=3D"mailto:user= .name@company.com" target=3D"_blank">user.name@company.com</a>><u></u>&g= t;__>__>__> -interactive<br> <br> <br>  = ; &nb= sp;engine-manage-domains -action=3Dadd<br>  = ;-domain=3Da_domain<br>  = ; &nb= sp;-provider=3DActiveDirectory<br>  = ; -user=3Duser.name@site.example._<u></u>______= _com<div class=3D"im"><br> <br>  = ; &nb= sp;<mailto:<a href=3D"mailto:user.name@site" target=3D"_blank">user.name= @site</a><br> <mailto:<a href=3D"mailto:user= .name@site" target=3D"_blank">user.name@site</a>>.<br>  = ;<mailto:<a href=3D"mailto:user.name@site" target=3D"_blank">user.name@s= ite</a><br> <mailto:<a href=3D"mailto:user= .name@site" target=3D"_blank">user.name@site</a>>.>__<a href=3D"http:= //exam__p__le.com" target=3D"_blank">exa<u></u>m__p__le.com</a><br> <<a href=3D"http://examp__le.c= om" target=3D"_blank">http://examp__le.com</a>> <<a href=3D"http://ex= ample.com" target=3D"_blank">http://example.com</a>><br>  = ; <mailto:<a href=3D"mailto:user.name@site" = target=3D"_blank">user.name@site</a>.<br> <mailto:<a href=3D"mailto:user= .name@site" target=3D"_blank">user.name@site</a>.>__<a href=3D"http://ex= amp__le.com" target=3D"_blank">exam<u></u>p__le.com</a> <<a href=3D"http= ://example.com" target=3D"_blank">http://example.com</a>><br>  = ;<mailto:<a href=3D"mailto:user.name@site." 
target=3D"_blank">user.name@= site.</a>__<a href=3D"http://example.com" target=3D"_blank">examp<u></u>le.= com</a><br> <mailto:<a href=3D"mailto:user= .name@site.example.com" target=3D"_blank">user.name@site.<u></u>example.com= </a>>>>><br></div>  = ; &nb= sp;<mailto:<a href=3D"mailto:user.name@site" target=3D"_blank">user.name= @site</a><br> <mailto:<a href=3D"mailto:user= .name@site" target=3D"_blank">user.name@site</a>><div class=3D"im"><br>  = ;<mailto:<a href=3D"mailto:user.name@site" target=3D"_blank">user.name@s= ite</a> <mailto:<a href=3D"mailto:user.name@site" target=3D"_blank">user= .name@site</a>>>.<br>  = ; <mailto:<a href=3D"mailto:user.name@site" = target=3D"_blank">user.name@site</a> <mailto:<a href=3D"mailto:user.name= @site" target=3D"_blank">user.name@site</a>><br>  = ;<mailto:<a href=3D"mailto:user.name@site" target=3D"_blank">user.name@s= ite</a><br></div> <mailto:<a href=3D"mailto:user= .name@site" target=3D"_blank">user.name@site</a>>>.>__<a href=3D"h= ttp://exa__m__p__le.com" target=3D"_blank">ex<u></u>a__m__p__le.com</a><br> <<a href=3D"http://exam__p__le= .com" target=3D"_blank">http://exam__p__le.com</a>><div><div class=3D"h5= "><br>  = ;<<a href=3D"http://examp__le.com" target=3D"_blank">http://examp__le.co= m</a>> <<a href=3D"http://example.com" target=3D"_blank">http://examp= le.com</a>><br> <br> <br> <br>  = ; &nb= sp;<mailto:<a href=3D"mailto:user.name@site" target=3D"_blank">user.name= @site</a><br> <mailto:<a href=3D"mailto:user= .name@site" target=3D"_blank">user.name@site</a>>.<br>  = ;<mailto:<a href=3D"mailto:user.name@site" target=3D"_blank">user.name@s= ite</a><br> <mailto:<a href=3D"mailto:user= .name@site" target=3D"_blank">user.name@site</a>>.>__<a href=3D"http:= //exam__p__le.com" target=3D"_blank">exa<u></u>m__p__le.com</a><br> <<a href=3D"http://examp__le.c= om" target=3D"_blank">http://examp__le.com</a>> <<a href=3D"http://ex= ample.com" target=3D"_blank">http://example.com</a>><br>  = ; <mailto:<a 
href=3D"mailto:user.name@site" = target=3D"_blank">user.name@site</a>.<br> <mailto:<a href=3D"mailto:user= .name@site" target=3D"_blank">user.name@site</a>.>__<a href=3D"http://ex= amp__le.com" target=3D"_blank">exam<u></u>p__le.com</a> <<a href=3D"http= ://example.com" target=3D"_blank">http://example.com</a>><br>  = ;<mailto:<a href=3D"mailto:user.name@site." target=3D"_blank">user.name@= site.</a>__<a href=3D"http://example.com" target=3D"_blank">examp<u></u>le.= com</a><br> <mailto:<a href=3D"mailto:user= .name@site.example.com" target=3D"_blank">user.name@site.<u></u>example.com= </a>>>>>> -interactive<br> <br> <br>  = ; You don't a= dd an user this way.<br> You add the<br>  = ;domain. You<br>  = ; have to<br>  = ; pass the<br=
 = ; domain admi= n user and the domain<br> admin password.<br> <br> <br>  = ; any domain user will do, = doesn't have<br> to be an admin.<br>  = ; what does the log say?<br=
<br> <br>  = ; Then you ca= n use the domain<br> within the engine.<br>  = ;e.g. search<br>  = ; users, add<= br>  = ; access righ= ts for vms etc.<br>  = ; Even login = to the engine and<br> assigning rights<br>  = ;within<br>  = ; the engine<br>  = ; you can<br>  = ; handle from= the engine itself.<br> <br>  = ; Regards,<br=
<br>  = ; &nb= sp;And the output on all tries:<br>  = ; &nb= sp;Enter password:<br> <br>  = ; &nb= sp;Error: Authentication Failed.<br> Please<br>  = ;verify the fully<br>  = ; &nb= sp;qualified domain<br>  = ; &nb= sp;name that is used for<br> authentication is<br>  = ;correct..<br>  = ; &nb= sp;Problematic domain<br>  = ; &nb= sp;is: domain_used_in_command<br>  = ; &nb= sp;Failure while applying Kerberos<br>  = ;configuration. Details:<br>  = ; &nb= sp;Authentication<br>  = ; &nb= sp;Failed. Please verify the<br> fully qualified<br>  = ;domain<br>  = ; name that<br>  = ; &nb= sp;is used for<br>  = ; &nb= sp;authentication is correct.<br> <br>  = ; &nb= sp;Can someone help me with the<br> correct<br>  = ;parameters?<br> <br> <br>  = ; &nb= sp;Best regards,<br>  = ; &nb= sp;Cristian Falcas<br> <br> <br> <br> <br></div></div> ______________________________<u>= </u>_________________________<div class=3D"im"><br> <br>  = ; &nb= sp;Users mailing list<br> <a href=3D"mailto:Users@ovirt.org= " target=3D"_blank">Users@ovirt.org</a> <mailto:<a href=3D"mailto:Users@= ovirt.org" target=3D"_blank">Users@ovirt.org</a>><br> <mailto:<a href=3D"mailto:User= s@ovirt.org" target=3D"_blank">Users@ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users@ovirt.org</a>>><br> <mailto:<a href=3D"mailto:User= s@ovirt.org" target=3D"_blank">Users@ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users@ovirt.org</a>><br>  = ;<mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">Users@ovir= t.org</a> <mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">U= sers@ovirt.org</a>>>><br> <mailto:<a href=3D"mailto:User= s@ovirt.org" target=3D"_blank">Users@ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users@ovirt.org</a>><br>  = ;<mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">Users@ovir= t.org</a> <mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">U= sers@ovirt.org</a>>><br>  = ; 
<mailto:<a href=3D"mailto:Users@ovirt.org"= target=3D"_blank">Users@ovirt.org</a><br> <mailto:<a href=3D"mailto:User= s@ovirt.org" target=3D"_blank">Users@ovirt.org</a>> <mailto:<a href= =3D"mailto:Users@ovirt.org" target=3D"_blank">Users@ovirt.org</a><br></div> <mailto:<a href=3D"mailto:User= s@ovirt.org" target=3D"_blank">Users@ovirt.org</a>>>>><br> <a href=3D"http://lists.ovirt.org= /________mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ______<u></u>_mailman/listinfo/users</a><br> <<a href=3D"http://lists.ovirt= .org/______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org= /______<u></u>mailman/listinfo/users</a>><div><div class=3D"h5"><br> <br> <<a href=3D"http://lists.ovirt= .org/______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org= /______<u></u>mailman/listinfo/users</a><br> <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>>><br> <br> <br> <<a href=3D"http://list= s.ovirt.org/______mailman/listinfo/users" target=3D"_blank">http://lists.ov= irt.org/______<u></u>mailman/listinfo/users</a><br> <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>><br>  = ;<<a href=3D"http://lists.ovirt.org/____mailman/listinfo/users" target= =3D"_blank">http://lists.ovirt.org/____<u></u>mailman/listinfo/users</a><br=
<<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>>>><br> <br> <br> <br> <br> <<a href=3D"http://lists.ovirt= .org/______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org= /______<u></u>mailman/listinfo/users</a><br> <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>><br>  = ;<<a href=3D"http://lists.ovirt.org/____mailman/listinfo/users" target= =3D"_blank">http://lists.ovirt.org/____<u></u>mailman/listinfo/users</a><br=
<<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>>><br> <br> <<a href=3D"http://list= s.ovirt.org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovir= t.org/____<u></u>mailman/listinfo/users</a><br> <<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>><br>  = ;<<a href=3D"http://lists.ovirt.org/__mailman/listinfo/users" target=3D"= _blank">http://lists.ovirt.org/__<u></u>mailman/listinfo/users</a><br> <<a href=3D"http://lists.ovirt= .org/mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/<u></= u>mailman/listinfo/users</a>>>>><br> <br> <br> <br>  = ; --<br>  = ; Regards,<br=
<br>  = ; Vinzenz Fee= nstra | Senior<br> Software Engineer<br>  = ; RedHat Engi= neering Virtualization<br> R & D<br>  = ; Phone: <a h= ref=3D"tel:%2B420%20532%20294%20625" target=3D"_blank">+420 532 294 625</a>= <br> <tel:%2B420%20532%20294%20625&= gt;<br>  = ;<tel:%2B420%20532%20294%20625><br> <tel:%2B420%20532%20294%20625&= gt;<br>  = ; <tel:%2B420%20532%20294%20625><br> <br>  = ; IRC: vfeens= tr or evilissimo<br> <br>  = ; Better tech= nology. Faster<br> innovation. Powered<br>  = ;by community<br>  = ; collaborati= on.<br>  = ; See how it = works at <a href=3D"http://redhat.com" target=3D"_blank">redhat.com</a><br> <<a href=3D"http://redhat.com"= target=3D"_blank">http://redhat.com</a>><br>  = ;<<a href=3D"http://redhat.com" target=3D"_blank">http://redhat.com</a>&= gt; <<a href=3D"http://redhat.com" target=3D"_blank">http://redhat.com</= a>><br></div></div>  = ; <<a href=3D"http://redhat.com" target=3D"_= blank">http://redhat.com</a>><br> <br> <br> <br> <br> <br> ______________________________<u>= </u>_________________________<div class=3D"im"><br> <br>  = ; Users maili= ng list<br> <a href=3D"mailto:Users@ovirt.org= " target=3D"_blank">Users@ovirt.org</a> <mailto:<a href=3D"mailto:Users@= ovirt.org" target=3D"_blank">Users@ovirt.org</a>><br> <mailto:<a href=3D"mailto:User= s@ovirt.org" target=3D"_blank">Users@ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users@ovirt.org</a>>><br> <mailto:<a href=3D"mailto:User= s@ovirt.org" target=3D"_blank">Users@ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users@ovirt.org</a>><br>  = ;<mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">Users@ovir= t.org</a> <mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">U= sers@ovirt.org</a>>>><br> <mailto:<a href=3D"mailto:User= s@ovirt.org" target=3D"_blank">Users@ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users@ovirt.org</a>><br>  = ;<mailto:<a 
href=3D"mailto:Users@ovirt.org" target=3D"_blank">Users@ovir= t.org</a> <mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">U= sers@ovirt.org</a>>><br>  = ; <mailto:<a href=3D"mailto:Users@ovirt.org"= target=3D"_blank">Users@ovirt.org</a><br> <mailto:<a href=3D"mailto:User= s@ovirt.org" target=3D"_blank">Users@ovirt.org</a>> <mailto:<a href= =3D"mailto:Users@ovirt.org" target=3D"_blank">Users@ovirt.org</a><br></div> <mailto:<a href=3D"mailto:User= s@ovirt.org" target=3D"_blank">Users@ovirt.org</a>>>>><br> <a href=3D"http://lists.ovirt.org= /________mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ______<u></u>_mailman/listinfo/users</a><br> <<a href=3D"http://lists.ovirt= .org/______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org= /______<u></u>mailman/listinfo/users</a>><div class=3D"im"><br> <br> <<a href=3D"http://lists.ovirt= .org/______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org= /______<u></u>mailman/listinfo/users</a><br> <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>>><br> <br> <br> <<a href=3D"http://list= s.ovirt.org/______mailman/listinfo/users" target=3D"_blank">http://lists.ov= irt.org/______<u></u>mailman/listinfo/users</a><br> <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>><br>  = ;<<a href=3D"http://lists.ovirt.org/____mailman/listinfo/users" target= =3D"_blank">http://lists.ovirt.org/____<u></u>mailman/listinfo/users</a><br=
<<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>>>><br> <br> <br> <<a href=3D"http://lists.ovirt= .org/______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org= /______<u></u>mailman/listinfo/users</a><br> <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>><br>  = ;<<a href=3D"http://lists.ovirt.org/____mailman/listinfo/users" target= =3D"_blank">http://lists.ovirt.org/____<u></u>mailman/listinfo/users</a><br=
<<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>>><br> <br> <<a href=3D"http://list= s.ovirt.org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovir= t.org/____<u></u>mailman/listinfo/users</a><br> <<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>><br>  = ;<<a href=3D"http://lists.ovirt.org/__mailman/listinfo/users" target=3D"= _blank">http://lists.ovirt.org/__<u></u>mailman/listinfo/users</a><br> <<a href=3D"http://lists.ovirt= .org/mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/<u></= u>mailman/listinfo/users</a>>>>><br> <br> <br> <br> <br></div> ______________________________<u>= </u>_________________________<div class=3D"im"><br> <br>  = ; Users mailing list<br> <a href=3D"mailto:Users@ovirt.org= " target=3D"_blank">Users@ovirt.org</a> <mailto:<a href=3D"mailto:Users@= ovirt.org" target=3D"_blank">Users@ovirt.org</a>><br> <mailto:<a href=3D"mailto:User= s@ovirt.org" target=3D"_blank">Users@ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users@ovirt.org</a>>><br> <mailto:<a href=3D"mailto:User= s@ovirt.org" target=3D"_blank">Users@ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users@ovirt.org</a>><br>  = ;<mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">Users@ovir= t.org</a> <mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">U= sers@ovirt.org</a>>>><br> <mailto:<a href=3D"mailto:User= s@ovirt.org" target=3D"_blank">Users@ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users@ovirt.org</a>><br>  = ;<mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">Users@ovir= t.org</a> <mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">U= sers@ovirt.org</a>>><br>  = ; <mailto:<a href=3D"mailto:Users@ovirt.org"= 
target=3D"_blank">Users@ovirt.org</a><br> <mailto:<a href=3D"mailto:User= s@ovirt.org" target=3D"_blank">Users@ovirt.org</a>> <mailto:<a href= =3D"mailto:Users@ovirt.org" target=3D"_blank">Users@ovirt.org</a><br></div> <mailto:<a href=3D"mailto:User= s@ovirt.org" target=3D"_blank">Users@ovirt.org</a>>>>><br> <a href=3D"http://lists.ovirt.org= /________mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ______<u></u>_mailman/listinfo/users</a><br> <<a href=3D"http://lists.ovirt= .org/______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org= /______<u></u>mailman/listinfo/users</a>><div class=3D"im"><br> <br> <<a href=3D"http://lists.ovirt= .org/______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org= /______<u></u>mailman/listinfo/users</a><br> <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>>><br> <br> <<a href=3D"http://list= s.ovirt.org/______mailman/listinfo/users" target=3D"_blank">http://lists.ov= irt.org/______<u></u>mailman/listinfo/users</a><br> <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>><br>  = ;<<a href=3D"http://lists.ovirt.org/____mailman/listinfo/users" target= =3D"_blank">http://lists.ovirt.org/____<u></u>mailman/listinfo/users</a><br=
<<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>>>><br> <br> <br> <br></div><div class=3D"im"> <<a href=3D"http://lists.ovirt= .org/______mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org= /______<u></u>mailman/listinfo/users</a><br> <<a href=3D"http://lists.ovirt= .org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/_= ___<u></u>mailman/listinfo/users</a>><br>  = ;<<a href=3D"http://lists.ovirt.org/____mailman/listinfo/users" target= =3D"_blank">http://lists.ovirt.org/____<u></u>mailman/listinfo/users</a><br=
<<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>>><br> <br> <<a href=3D"http://list= s.ovirt.org/____mailman/listinfo/users" target=3D"_blank">http://lists.ovir= t.org/____<u></u>mailman/listinfo/users</a><br> <<a href=3D"http://lists.ovirt= .org/__mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/__<= u></u>mailman/listinfo/users</a>><br>  = ;<<a href=3D"http://lists.ovirt.org/__mailman/listinfo/users" target=3D"= _blank">http://lists.ovirt.org/__<u></u>mailman/listinfo/users</a><br> <<a href=3D"http://lists.ovirt= .org/mailman/listinfo/users" target=3D"_blank">http://lists.ovirt.org/<u></= u>mailman/listinfo/users</a>>>>><br> <br> <br> <br> <br>  = ; Hi,<br> <br>  = ; This is the command I used (the same error<br=
is with<br>  = ;-interactive<br>  = ; parameter):<br> <br>  = ; engine-manage-domains -action=3Dadd<br> -domain=3D<a href=3D"http://examp= le.com" target=3D"_blank">example.com</a> <<a href=3D"http://example.com= " target=3D"_blank">http://example.com</a>><br>  = ;<<a href=3D"http://example.com" target=3D"_blank">http://example.com</a=
><br>  = ; <<a href=3D"http://example.com" target=3D"= _blank">http://example.com</a>><br>  = ; <<a href=3D"http://example.com" target=3D"= _blank">http://example.com</a>> -provider=3DActiveDirectory<br>  = ; -user=3Duser.name@a_domain<br> <br>  = ; -passwordFile=3D/tmp/pass<br> <br>  = ; [root@localhost ~]# cat /tmp/pass<br>  = ; qwerty[root@localhost ~]#<br> <br>  = ; This is the log:<br> <br>  = ; 2012-11-20 00:30:40,443 INFO<br> <br> <br></div> [org.ovirt.engine.core.utils._<u>= </u>_____kerberos.ManageDomains]<div class=3D"im"><br> Creating<br> <br> <br>  = ; kerberos<br>  = ; configuration for domain(s): <a href=3D"http:= //example.com" target=3D"_blank">example.com</a><br> <<a href=3D"http://example.com= " target=3D"_blank">http://example.com</a>><br>  = ;<<a href=3D"http://example.com" target=3D"_blank">http://example.com</a= > <<a href=3D"http://example.com" target=3D"_blank">http://example.c= om</a>><br>  = ; <<a href=3D"http://example.com" target=3D"= _blank">http://example.com</a>><br> <br>  = ; 2012-11-20 00:30:40,525 INFO<br> <br> <br></div> [org.ovirt.engine.core.utils._<u>= </u>_____kerberos.ManageDomains]<div class=3D"im"><br> <br>  = ;Successfully<br> <br>  = ; created kerberos configuration for domain(s):= <br> <a href=3D"http://example.com" ta= rget=3D"_blank">example.com</a> <<a href=3D"http://example.com" target= =3D"_blank">http://example.com</a>> <<a href=3D"http://example.com" t= arget=3D"_blank">http://example.com</a>><br>
 = ; <<a href=3D"http://example.com" target=3D"= _blank">http://example.com</a>><br>  = ; <<a href=3D"http://example.com" target=3D"= _blank">http://example.com</a>><br> <br>  = ; 2012-11-20 00:30:40,526 INFO<br> <br> <br></div> [org.ovirt.engine.core.utils._<u>= </u>_____kerberos.ManageDomains]<div class=3D"im"><br> Testing<br> <br> <br>  = ; kerberos<br>  = ; configuration for domain: <a href=3D"http://e= xample.com" target=3D"_blank">example.com</a><br> <<a href=3D"http://example.com= " target=3D"_blank">http://example.com</a>><br>  = ;<<a href=3D"http://example.com" target=3D"_blank">http://example.com</a=
> <<a href=3D"http://example.com" target=3D"_blank">http://example.c= om</a>><br>  = ; <<a href=3D"http://example.com" target=3D"= _blank">http://example.com</a>><br> <br>  = ; 2012-11-20 00:30:40,830 ERROR<br> <br> <br></div> [org.ovirt.engine.core.utils._<u>= </u>_____kerberos.__<u></u>KerberosConfigCheck]<div class=3D"im"><br> <br>  = ;Error:<br> <br>  = ; exception message: Cannot locate KDC<br>  = ; 2012-11-20 00:30:40,851 ERROR<br> <br> <br></div> [org.ovirt.engine.core.utils._<u>= </u>_____kerberos.ManageDomains]<div><div class=3D"h5"><br> Failure<br> <br>  = ;while<br> <br>  = ; testing domain <a href=3D"http://example.com"= target=3D"_blank">example.com</a><br> <<a href=3D"http://example.com= " target=3D"_blank">http://example.com</a>> <<a href=3D"http://exampl= e.com" target=3D"_blank">http://example.com</a>><br>  = ;<<a href=3D"http://example.com" target=3D"_blank">http://example.com</a= ><br>  = ; <<a href=3D"http://example.com" target=3D"= _blank">http://example.com</a>>. Details: Kerberos<br> <br>  = ; error. 
Please check log for further details.<= br> <br> <br>  = ; Hi, the error indicates you don't have<br> kerberos configured.<br>  = ; manage-domains validates by default using<br> GSSAPI/Kerberos (if I<br>  = ; understand correctly, this is equivalent to<br> run ldapsearch<br>  = ;with -Y<br>  = ; gssapi option).<br>  = ; I wonder if -x (simple authentication) will<br> work for you as<br>  = ;well (as<br>  = ; manage-domains contains code for simple<br> authentication as<br>  = ;well).<br> <br> <br> <br>  = ; This is the ldapsearch command that works<br> (it retrieves<br>  = ;users)<br>  = ; from the<br>  = ; same machine:<br> <br> <br> <br>  = ; ldapsearch -H ldap://<a href=3D"http://exampl= e.com" target=3D"_blank">example.com</a><br> <<a href=3D"http://example.com= " target=3D"_blank">http://example.com</a>> <<a href=3D"http://exampl= e.com" target=3D"_blank">http://example.com</a>><br>  = ;<<a href=3D"http://example.com" target=3D"_blank">http://example.com</a= ><br>  = ; <<a href=3D"http://example.com" target=3D"= _blank">http://example.com</a>> -b<br> <br>  = ; dc=3Dexample,dc=3Dcom -D user.name@a_domain -= w<br> qwerty<br> <br> <br>  = ; Best regards,<br>  = ; Cristian Falcas<br> <br> <br> <br> <br></div></div><div class=3D"im"> __________________________= ____<u></u>_______________________<br>  = ; Users mailing list<br> <a href=3D"mailto:Users@ovirt.org= " target=3D"_blank">Users@ovirt.org</a> <mailto:<a href=3D"mailto:Users@= ovirt.org" target=3D"_blank">Users@ovirt.org</a>><br> <mailto:<a href=3D"mailto:User= s@ovirt.org" target=3D"_blank">Users@ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users@ovirt.org</a>>><br> <mailto:<a href=3D"mailto:User= s@ovirt.org" target=3D"_blank">Users@ovirt.org</a> <mailto:<a href=3D"ma= ilto:Users@ovirt.org" target=3D"_blank">Users@ovirt.org</a>><br>  = ;<mailto:<a href=3D"mailto:Users@ovirt.org" target=3D"_blank">Users@ovir= t.org</a> <mailto:<a href=3D"mailto:Users@ovirt.org" 

On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
------------------------------
From: "Cristian Falcas" <cristi.falcas@gmail.com>
To: "Itamar Heim" <iheim@redhat.com>
Cc: "Yair Zaslavsky" <yzaslavs@redhat.com>, users@ovirt.org
Sent: Tuesday, November 20, 2012 7:33:39 PM
Subject: Re: [Users] I don't know how to add AD users
On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim <iheim@redhat.com> wrote:
On 11/20/2012 03:00 PM, Cristian Falcas wrote:
Hi,
So there is no way to use the domain I have at work, right?
I will need to make a freeipa installation in order to add new users.
There is no reason this shouldn't work with Active Directory 2003 (assuming its forest level isn't still in AD 2000 compatibility mode?). A tcpdump of the traffic during engine-manage-domains should help diagnose why.
Cristian
On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas <cristi.falcas@gmail.com> wrote:
On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim@redhat.com> wrote:
On 11/20/2012 09:56 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
On 11/20/2012 09:05 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
On 11/20/2012 12:39 AM, Cristian Falcas wrote:
On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim@redhat.com> wrote:
On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
On 11/19/2012 10:01 AM, Cristian Falcas wrote:
Hi,
I'm trying to add some users to ovirt using an AD.
This is the configuration I used for a mediawiki site, which is working correctly:
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPUseLocal = true;
$wgLDAPDomainNames = array( "a_domain");
$wgLDAPServerNames = array( "a_domain"=>"site.example.com");
$wgLDAPEncryptionType = array( "a_domain"=>"clear");
$wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME");
$wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com");
Those are the commands I tried using:
engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@company.com -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example.com -interactive
You don't add a user this way. You add the domain. You have to pass the domain admin user and the domain admin password.
any domain user will do, doesn't have to be an admin. what does the log say?
Then you can use the domain within the engine, e.g. search users, add access rights for VMs etc. Even logging in to the engine and assigning rights within the engine can be handled from the engine itself.
Regards,
And the output on all tries: Enter password:
Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
Can someone help me with the correct parameters?
Best regards, Cristian Falcas
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
-- Regards,
Vinzenz Feenstra | Senior Software Engineer
RedHat Engineering Virtualization R & D
Phone: +420 532 294 625
IRC: vfeenstr or evilissimo
Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com
Hi,
This is the command I used (the same error is with -interactive parameter):
engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass
[root@localhost ~]# cat /tmp/pass
qwerty[root@localhost ~]#
This is the log:
2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
Hi, the error indicates you don't have Kerberos configured. manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to running ldapsearch with the -Y gssapi option). I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well).
This is the ldapsearch command that works (it retrieves users) from the same machine:
ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty
Best regards, Cristian Falcas
Hi,
I used "-x" for ldapsearch and the result is the same: list retrieved. Is there any equivalent for engine-manage-domains?
Cristian
Hi Cristian, there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues. What LDAP server are you working against? Maybe I missed that.
Hi,
The server is a Microsoft AD 2003.
Best regards, Cristian Falcas
This should work. Is the AD also the DNS server for the ovirt engine machine?
yes
Could you take a look at the tcp dump? There are only 2 messages relevant to this (let me know if you want the full dump):
- 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV _kerberos._tcp.EXAMPLE.COM
- 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 100 88 site3.example.com
Also, I tried to run ldapsearch with -Y gssapi:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No worthy mechs found
Best regards, Cristian Falcas
The SRV records look fine. If I remember correctly, your DNS should have a reverse-resolve PTR record to your engine machine. Does it exist?
I don't think so (10.0.0.xx is the engine machine, 10.0.0.yyy is the DNS):
[root@localhost ~]# nslookup 10.0.0.xx
Server: 10.0.0.yyy
Address: 10.0.0.yyy#53
** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN
[root@localhost ~]# host 10.0.0.xx
Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
I will ask them to add a DNS record for the machine.
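The two DNS checks the thread walks through by hand (the _kerberos._tcp SRV answer that tells the engine where the KDC is, and the PTR record for the engine host) as a scripted pre-flight. This is an added example, not code from the thread or from oVirt; the host names, 10.0.0.10 and the fake zone tables are constructed placeholders.

```python
"""DNS pre-flight for engine-manage-domains against an AD realm.

Added example, not oVirt code. It scripts the two checks the thread did by
hand: the _kerberos._tcp.<REALM> SRV answer seen in the tcpdump and the PTR
record of the engine host. Lookups are injected callables so it runs
offline on constructed zone data; pass real resolvers for a live check.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

KERBEROS_PORT = 88
# Constructed from the thread's tshark summary lines; 10.0.0.10 stands in
# for the engine address the thread masks as 10.0.0.xx.
SAMPLE_SRV_QUERY = "Standard query SRV _kerberos._tcp.EXAMPLE.COM"
SAMPLE_SRV_RESPONSE = ("Standard query response SRV 0 100 88 site1.example.com "
                       "SRV 0 100 88 site2.example.com SRV 0 100 88 site3.example.com")
ENGINE_IP = "10.0.0.10"

Forward = Callable[[str], Optional[str]]  # hostname -> address or None
Reverse = Callable[[str], Optional[str]]  # address -> hostname or None


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_answer(summary: str) -> List[SrvRecord]:
    """Extract <priority> <weight> <port> <target> tuples that follow 'SRV'.
    The query line ('SRV _kerberos._tcp...') carries no tuple and yields []."""
    tokens = summary.split()
    records: List[SrvRecord] = []
    for i, tok in enumerate(tokens):
        if tok != "SRV" or i + 4 >= len(tokens):
            continue
        try:
            prio, weight, port = (int(t) for t in tokens[i + 1:i + 4])
        except ValueError:
            continue  # 'SRV' followed by a name, not by numbers
        records.append(SrvRecord(prio, weight, port, tokens[i + 4].rstrip(".")))
    return records


def check_kerberos_srv(records: List[SrvRecord], realm: str,
                       forward: Forward) -> List[str]:
    """Problems with the KDC SRV answer ([] = fine). An empty answer is the
    'Cannot locate KDC' case from the engine log."""
    problems = []
    if not records:
        problems.append(f"no _kerberos._tcp.{realm} SRV records: cannot locate KDC")
    for rec in records:
        if rec.port != KERBEROS_PORT:
            problems.append(f"{rec.target} advertises port {rec.port}, "
                            f"expected {KERBEROS_PORT}")
        if forward(rec.target) is None:
            problems.append(f"KDC {rec.target} has no address record")
    return problems


def check_engine_ptr(engine_ip: str, forward: Forward,
                     reverse: Reverse) -> List[str]:
    """Verify the engine has a PTR record that round-trips to its address.
    Kerberos clients commonly canonicalise host names via reverse lookup, so a
    missing or stale PTR surfaces as an authentication failure, not a DNS one."""
    name = reverse(engine_ip)
    if name is None:
        return [f"no PTR record for {engine_ip} (NXDOMAIN)"]
    back = forward(name)
    if back != engine_ip:
        return [f"PTR {engine_ip} -> {name}, but {name} resolves to {back}"]
    return []


# Constructed zone mirroring the thread: the KDCs resolve, the engine has no
# PTR, and 10.0.0.9 carries a stale PTR that points at a KDC's name.
FAKE_A = {"site1.example.com": "10.0.0.1", "site2.example.com": "10.0.0.2",
          "site3.example.com": "10.0.0.3", "engine.example.com": ENGINE_IP}
FAKE_PTR = {"10.0.0.1": "site1.example.com", "10.0.0.2": "site2.example.com",
            "10.0.0.3": "site3.example.com", "10.0.0.9": "site1.example.com"}


def fake_forward(name: str) -> Optional[str]:
    return FAKE_A.get(name)


def fake_reverse(addr: str) -> Optional[str]:
    return FAKE_PTR.get(addr)


if __name__ == "__main__":
    for problem in (check_kerberos_srv(parse_srv_answer(SAMPLE_SRV_RESPONSE),
                                       "EXAMPLE.COM", fake_forward)
                    + check_engine_ptr(ENGINE_IP, fake_forward, fake_reverse)):
        print("PROBLEM:", problem)
```

For a live run, pass socket.gethostbyname as the forward resolver and a small wrapper returning socket.gethostbyaddr(addr)[0] (None on socket.herror) as the reverse one.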

----- Original Message -----
From: "Cristian Falcas" <cristi.falcas@gmail.com>
To: "Yair Zaslavsky" <yzaslavs@redhat.com>
Cc: users@ovirt.org
Sent: Wednesday, November 21, 2012 6:40:34 AM
Subject: Re: [Users] I don't know how to add AD users
On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky < yzaslavs@redhat.com
wrote:
From: "Cristian Falcas" < cristi.falcas@gmail.com > To: "Itamar Heim" < iheim@redhat.com > Cc: "Yair Zaslavsky" < yzaslavs@redhat.com >, users@ovirt.org Sent: Tuesday, November 20, 2012 7:33:39 PM
Subject: Re: [Users] I don't know how to add AD users
On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim < iheim@redhat.com > wrote:
On 11/20/2012 03:00 PM, Cristian Falcas wrote:
Hi,
So there is no way to use the domain I have at work, right?
I will need to make a freeipa installation in order to add new users.
there is no reason this shouldn't work with active directory 2003 (assuming its forest level isn't still in AD 2000 compatibility mode?). tcpdump for the traffic during engine-manage-domains should help diagnosing why.
Cristian
On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas
< cristi.falcas@gmail.com <mailto: cristi.falcas@gmail. com >> wrote:
On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim < iheim@redhat.com
<mailto: iheim@redhat.com >> wrote:
On 11/20/2012 09:56 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky < yzaslavs@redhat.com <mailto: yzaslavs@redhat.com >
<mailto: yzaslavs@redhat.com <mailto: yzaslavs@redhat.com >>> wrote:
On 11/20/2012 09:05 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky < yzaslavs@redhat.com <mailto: yzaslavs@redhat.com > <mailto: yzaslavs@redhat.com <mailto: yzaslavs@redhat.com >> <mailto: yzaslavs@redhat.com <mailto: yzaslavs@redhat.com > <mailto: yzaslavs@redhat.com <mailto: yzaslavs@redhat.com >>> > wrote:
On 11/20/2012 12:39 AM, Cristian Falcas wrote:
On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim < iheim@redhat.com <mailto: iheim@redhat.com > <mailto: iheim@redhat.com <mailto: iheim@redhat.com >> <mailto: iheim@redhat.com <mailto: iheim@redhat.com > <mailto: iheim@redhat.com <mailto: iheim@redhat.com >>> <mailto: iheim@redhat.com <mailto: iheim@redhat.com > <mailto: iheim@redhat.com <mailto: iheim@redhat.com >> <mailto: iheim@redhat.com <mailto: iheim@redhat.com > <mailto: iheim@redhat.com <mailto: iheim@redhat.com >>>>> wrote:
On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
On 11/19/2012 10:01 AM, Cristian Falcas wrote:
Hi,
I'm trying to add some users to ovirt using an AD.
This is the configuration I used for a mediawiki site, which is working correctly: $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPUseLocal = true; $wgLDAPDomainNames = array( "a_domain"); $wgLDAPServerNames = array( "a_domain"=>" site.example.com < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com >");
$wgLDAPEncryptionType = array( "a_domain"=>"clear"); $wgLDAPSearchStrings = array(
"a_domain"=>"rom_domain\\USER- ________NAME"); $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=___ _____com");
Those are the commands I tried using: engine-manage-domains -action=add -domain= site.example.com < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com > -provider=ActiveDirectory -user= user.name < http://user.name > < http://user.name > < http://user.name > < http://user.name > < http://user.name > -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user= user.name@company.com <mailto: user.name@company.com > <mailto: user.name@company.com <mailto: user.name@company.com > > <mailto: user.name@company.com <mailto: user.name@company.com > <mailto: user.name@company.com <mailto: user.name@company.com > >__> <mailto: user.name@company.com <mailto: user.name@company.com > <mailto: user.name@company.com <mailto: user.name@company.com > > <mailto: user.name@company.com <mailto: user.name@company.com > <mailto: user.name@company.com <mailto: user.name@company.com > >__>__> <mailto: user.name@company.com <mailto: user.name@company.com > <mailto: user.name@company.com <mailto: user.name@company.com > > <mailto: user.name@company.com <mailto: user.name@company.com > <mailto: user.name@company.com <mailto: user.name@company.com > >__>
<mailto: user.name@company.com <mailto: user.name@company.com > <mailto: user.name@company.com <mailto: user.name@company.com > > <mailto: user.name@company.com <mailto: user.name@company.com > <mailto: user.name@company.com <mailto: user.name@company.com > >__>__>__> -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example._ _______com
<mailto: user.name@site <mailto: user.name@site >. <mailto: user.name@site <mailto: user.name@site >.>__ exa m__p__le.com < http://examp__le.com > < http://example.com > <mailto: user.name@site . <mailto: user.name@site .>__ exam p__le.com < http://example.com > <mailto: user.name@site. __ examp le.com <mailto: user.name@site. example.com >>>> <mailto: user.name@site <mailto: user.name@site >
<mailto: user.name@site <mailto: user.name@site >>. <mailto: user.name@site <mailto: user.name@site > <mailto: user.name@site <mailto: user.name@site >>.>__ ex a__m__p__le.com < http://exam__p__le.com >
< http://examp__le.com > < http://example.com >
<mailto: user.name@site <mailto: user.name@site >. <mailto: user.name@site <mailto: user.name@site >.>__ exa m__p__le.com < http://examp__le.com > < http://example.com > <mailto: user.name@site . <mailto: user.name@site .>__ exam p__le.com < http://example.com > <mailto: user.name@site. __ examp le.com <mailto: user.name@site. example.com >>>>> -interactive
You don't add an user this way. You add the domain. You have to pass the domain admin user and the domain admin password.
any domain user will do, doesn't have to be an admin. what does the log say?
Then you can use the domain within the engine. e.g. search users, add access rights for vms etc. Even login to the engine and assigning rights within the engine you can handle from the engine itself.
Regards,
And the output on all tries: Enter password:
Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
Can someone help me with the correct parameters?
Best regards, Cristian Falcas
______________________________ _________________________
Users mailing list Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >> <mailto: Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >>> <mailto: Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >> <mailto: Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >>>> http://lists.ovirt.org/_______ _mailman/listinfo/users < http://lists.ovirt.org/______ mailman/listinfo/users >
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users >>
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>>
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>
< http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users < http://lists.ovirt.org/ mailman/listinfo/users >>>>
-- Regards,
Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625 <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625>
IRC: vfeenstr or evilissimo
Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com < http://redhat.com > < http://redhat.com > < http://redhat.com > < http://redhat.com >
______________________________ _________________________
Users mailing list Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >> <mailto: Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >>> <mailto: Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >> <mailto: Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >>>> http://lists.ovirt.org/_______ _mailman/listinfo/users < http://lists.ovirt.org/______ mailman/listinfo/users >
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users >>
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>>
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>
< http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users < http://lists.ovirt.org/ mailman/listinfo/users >>>>
______________________________ _________________________
Users mailing list Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >> <mailto: Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >>> <mailto: Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >> <mailto: Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >>>> http://lists.ovirt.org/_______ _mailman/listinfo/users < http://lists.ovirt.org/______ mailman/listinfo/users >
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users >>
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>>
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>
< http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users < http://lists.ovirt.org/ mailman/listinfo/users >>>>
Hi,
This is the command I used (the same error is with -interactive parameter):
engine-manage-domains -action=add -domain= example.com < http://example.com > < http://example.com > < http://example.com > < http://example.com > -provider=ActiveDirectory -user=user.name@a_domain
-passwordFile=/tmp/pass
[root@localhost ~]# cat /tmp/pass qwerty[root@localhost ~]#
This is the log:
2012-11-20 00:30:40,443 INFO
[org.ovirt.engine.core.utils._ _____kerberos.ManageDomains]
Creating
kerberos configuration for domain(s): example.com < http://example.com > < http://example.com > < http://example.com > < http://example.com >
2012-11-20 00:30:40,525 INFO
[org.ovirt.engine.core.utils._ _____kerberos.ManageDomains]
Successfully
created kerberos configuration for domain(s): example.com < http://example.com > < http://example.com > < http://example.com > < http://example.com >
2012-11-20 00:30:40,526 INFO
[org.ovirt.engine.core.utils._ _____kerberos.ManageDomains]
Testing
kerberos configuration for domain: example.com < http://example.com > < http://example.com > < http://example.com > < http://example.com >
2012-11-20 00:30:40,830 ERROR
[org.ovirt.engine.core.utils._ _____kerberos.__ KerberosConfigCheck]
Error:
exception message: Cannot locate KDC 2012-11-20 00:30:40,851 ERROR
[org.ovirt.engine.core.utils._ _____kerberos.ManageDomains]
Failure
while
testing domain example.com < http://example.com > < http://example.com > < http://example.com > < http://example.com >. Details: Kerberos
error. Please check log for further details.
Hi, the error indicates you don't have kerberos configured. manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to running ldapsearch with the -Y gssapi option). I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well).
This is the ldapsearch command that works (it retrieves users) from the same machine:
ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty
Best regards, Cristian Falcas
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Hi,
I used "-x" for ldapsearch and the result is the same: list retrieved. Is there any equivalent for engine-manage-domains?
Cristian
Hi Christian, there is no code allowing simple-authentication domains to be added to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues. What LDAP server are you working against? Maybe I missed that.
Hi,
The server is a Microsoft AD 2003.
Best regards, Cristian Falcas
this should work, is the AD also the DNS server for the ovirt engine machine?
yes
Could you take a look at the tcpdump? There are only 2 messages relevant to this (let me know if you want the full dump):
- 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV _kerberos._tcp.EXAMPLE.COM
- 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 100 88 site3.example.com
Also, I tried to run ldapsearch with -Y gssapi:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
	additional info: SASL(-4): no mechanism available: No worthy mechs found
Best regards, Cristian Falcas
The SRV records look fine. If I remember correctly, your DNS should have a reverse-resolve PTR record for your engine machine. Does it exist?
I don't think so (10.0.0.xx is engine machine, 10.0.0.yyy is dns):
[root@localhost ~]# nslookup 10.0.0.xx
Server:         10.0.0.yyy
Address:        10.0.0.yyy#53

** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN

[root@localhost ~]# host 10.0.0.xx
Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
I will ask them to add a DNS record for the machine.
Indeed do that. In the engine we require a reverse-resolve PTR record, a Kerberos SRV record and an LDAP SRV record. Make sure you have all three in the DNS. The PTR + Kerberos records are used for the kerberos authentication (and for constructing the krb5.conf file in the engine-manage-domains utility). The LDAP SRV record is used for the directory queries (it is used in the utility + the ovirt engine, to look for LDAP servers).
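The three DNS prerequisites Yair lists (Kerberos SRV, LDAP SRV, PTR for the engine) can be checked before running engine-manage-domains at all. The script below is an added example written for this thread, not oVirt's own code. It assumes dig(1) from bind-utils, a hypothetical domain example.com and engine address 10.0.0.42, and a constructed SRV answer (SAMPLE_SRV) modelled on the capture quoted above, so that the parsing and rendering parts run offline. The [realms] stanza it prints is what a krb5.conf built from those SRV targets looks like; engine-manage-domains generates its own file, so the rendering here is only illustrative. The realm name is the DNS domain in upper case, which is the convention Active Directory follows and which matches the _kerberos._tcp.EXAMPLE.COM query in the capture.

```shell
#!/bin/sh
# Added example (not oVirt's own code): pre-flight check of the DNS records
# engine-manage-domains depends on, plus a rendering of the krb5.conf [realms]
# stanza those records imply. Domain, engine IP and SAMPLE_SRV are assumptions.

# Constructed sample answer in `dig +short SRV` format, shaped like the
# capture in the thread (three KDCs on port 88).
SAMPLE_SRV='0 100 88 site1.example.com.
0 100 88 site2.example.com.
0 100 88 site3.example.com.'

# Kerberos realm for an AD domain is the DNS domain name in upper case.
realm_of() { printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'; }

# 10.0.0.42 -> 42.0.0.10.in-addr.arpa, the name the PTR lookup asks for.
reverse_name() {
  _ifs=$IFS; IFS=.
  set -- $1
  IFS=$_ifs
  printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# Reads "priority weight port target" lines on stdin and prints the targets
# that serve the expected port (trailing dot stripped); fails if none match.
srv_targets() {
  expected_port=$1; found=0
  while read -r _prio _weight port target; do
    [ -n "$target" ] || continue
    if [ "$port" = "$expected_port" ]; then
      found=$((found + 1))
      printf '%s\n' "${target%.}"
    fi
  done
  [ "$found" -gt 0 ]
}

# Renders the realm configuration implied by the KDC targets: one kdc line
# per host returned for _kerberos._tcp.<DOMAIN>.
render_krb5_conf() {
  domain=$1; shift
  realm=$(realm_of "$domain")
  printf '[libdefaults]\n  default_realm = %s\n\n[realms]\n  %s = {\n' "$realm" "$realm"
  for kdc in "$@"; do printf '    kdc = %s:88\n' "$kdc"; done
  printf '  }\n'
}

# Live check against the resolver. Reports each missing prerequisite and
# returns non-zero if any is absent; on success prints the rendered stanza.
preflight() {
  domain=$1; engine_ip=$2; rc=0
  kdcs=$(dig +short SRV "_kerberos._tcp.$(realm_of "$domain")" | srv_targets 88) \
    || { echo "missing: _kerberos._tcp SRV record for $domain" >&2; rc=1; }
  dig +short SRV "_ldap._tcp.$domain" | srv_targets 389 >/dev/null \
    || { echo "missing: _ldap._tcp SRV record for $domain" >&2; rc=1; }
  ptr=$(dig +short -x "$engine_ip")
  [ -n "$ptr" ] \
    || { echo "missing: PTR record for $engine_ip ($(reverse_name "$engine_ip"))" >&2; rc=1; }
  [ "$rc" -eq 0 ] && render_krb5_conf "$domain" $kdcs
  return "$rc"
}

# Stand-alone use: live check with two arguments, otherwise render the
# stanza from the constructed sample.
if [ $# -eq 2 ]; then
  preflight "$1" "$2"
else
  render_krb5_conf example.com $(printf '%s\n' "$SAMPLE_SRV" | srv_targets 88)
fi
```

Run it as `sh preflight.sh example.com 10.0.0.42` on the engine machine to test the live resolver; the nslookup output above would make the PTR check fail. It does not cover the SASL side of the problem: the "No worthy mechs found" error from ldapsearch -Y gssapi means the client found no usable SASL mechanism, typically because the GSSAPI plugin (cyrus-sasl-gssapi on Fedora/RHEL) is not installed or there is no ticket from kinit, which is independent of the DNS records.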

On 11/21/2012 08:09 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Cristian Falcas" <cristi.falcas@gmail.com> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: users@ovirt.org Sent: Wednesday, November 21, 2012 6:40:34 AM Subject: Re: [Users] I don't know how to add AD users
On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
From: "Cristian Falcas" <cristi.falcas@gmail.com> To: "Itamar Heim" <iheim@redhat.com> Cc: "Yair Zaslavsky" <yzaslavs@redhat.com>, users@ovirt.org Sent: Tuesday, November 20, 2012 7:33:39 PM
Subject: Re: [Users] I don't know how to add AD users
On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim <iheim@redhat.com> wrote:
On 11/20/2012 03:00 PM, Cristian Falcas wrote:
Hi,
So there is no way to use the domain I have at work, right?
I will need to make a freeipa installation in order to add new users.
there is no reason this shouldn't work with active directory 2003 (assuming its forest level isn't still in AD 2000 compatibility mode?). tcpdump of the traffic during engine-manage-domains should help diagnose why.
Cristian
On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas <cristi.falcas@gmail.com> wrote:
On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim@redhat.com> wrote:
On 11/20/2012 09:56 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
On 11/20/2012 09:05 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
On 11/20/2012 12:39 AM, Cristian Falcas wrote:
On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim@redhat.com> wrote:
On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
On 11/19/2012 10:01 AM, Cristian Falcas wrote:
You don't add a user this way. You add the domain. You have to pass the domain admin user and the domain admin password.
any domain user will do, doesn't have to be an admin. what does the log say?
Then you can use the domain within the engine, e.g. search users, add access rights for VMs etc. Even login to the engine and assigning rights within the engine you can handle from the engine itself.
Regards,
-- Regards,
Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625
IRC: vfeenstr or evilissimo
Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com
Yair - sounds like we need a how to troubleshoot AD issues?

On Wed, Nov 21, 2012 at 8:10 AM, Itamar Heim <iheim@redhat.com> wrote:
On 11/21/2012 08:09 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Cristian Falcas" <cristi.falcas@gmail.com> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: users@ovirt.org Sent: Wednesday, November 21, 2012 6:40:34 AM Subject: Re: [Users] I don't know how to add AD users
On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky < yzaslavs@redhat.com
wrote:
From: "Cristian Falcas" < cristi.falcas@gmail.com > To: "Itamar Heim" < iheim@redhat.com > Cc: "Yair Zaslavsky" < yzaslavs@redhat.com >, users@ovirt.org Sent: Tuesday, November 20, 2012 7:33:39 PM
Subject: Re: [Users] I don't know how to add AD users
On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim < iheim@redhat.com > wrote:
On 11/20/2012 03:00 PM, Cristian Falcas wrote:
Hi,
So there is no way to use the domain I have at work, right?
I will need to make a freeipa installation in order to add new users.
there is no reason this shouldn't work with active directory 2003 (assuming its forest level isn't still in AD 2000 compatibility mode?). tcpdump for the traffic during engine-manage-domains should help diagnosing why.
Cristian
On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas
< cristi.falcas@gmail.com <mailto: cristi.falcas@gmail. com >> wrote:
On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim < iheim@redhat.com
<mailto: iheim@redhat.com >> wrote:
On 11/20/2012 09:56 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky < yzaslavs@redhat.com <mailto: yzaslavs@redhat.com >
<mailto: yzaslavs@redhat.com <mailto: yzaslavs@redhat.com >>> wrote:
On 11/20/2012 09:05 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky < yzaslavs@redhat.com <mailto: yzaslavs@redhat.com > <mailto: yzaslavs@redhat.com <mailto: yzaslavs@redhat.com >> <mailto: yzaslavs@redhat.com <mailto: yzaslavs@redhat.com > <mailto: yzaslavs@redhat.com <mailto: yzaslavs@redhat.com >>> > wrote:
On 11/20/2012 12:39 AM, Cristian Falcas wrote:
On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim < iheim@redhat.com <mailto: iheim@redhat.com > <mailto: iheim@redhat.com <mailto: iheim@redhat.com >> <mailto: iheim@redhat.com <mailto: iheim@redhat.com > <mailto: iheim@redhat.com <mailto: iheim@redhat.com >>> <mailto: iheim@redhat.com <mailto: iheim@redhat.com > <mailto: iheim@redhat.com <mailto: iheim@redhat.com >> <mailto: iheim@redhat.com <mailto: iheim@redhat.com > <mailto: iheim@redhat.com <mailto: iheim@redhat.com >>>>> wrote:
On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
On 11/19/2012 10:01 AM, Cristian Falcas wrote:
Hi,
I'm trying to add some users to ovirt using an AD.
This is the configuration I used for a mediawiki site, which is working correctly: $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPUseLocal = true; $wgLDAPDomainNames = array( "a_domain"); $wgLDAPServerNames = array( "a_domain"=>" site.example.com < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com >");
$wgLDAPEncryptionType = array( "a_domain"=>"clear"); $wgLDAPSearchStrings = array(
"a_domain"=>"rom_domain\\USER- ________NAME"); $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=___ _____com");
Those are the commands I tried using: engine-manage-domains -action=add -domain= site.example.com < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com > -provider=ActiveDirectory -user= user.name < http://user.name > < http://user.name > < http://user.name > < http://user.name > < http://user.name > -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user= user.name@company.com <mailto: user.name@company.com > <mailto: user.name@company.com <mailto: user.name@company.com > > <mailto: user.name@company.com <mailto: user.name@company.com > <mailto: user.name@company.com <mailto: user.name@company.com > >__> <mailto: user.name@company.com <mailto: user.name@company.com > <mailto: user.name@company.com <mailto: user.name@company.com > > <mailto: user.name@company.com <mailto: user.name@company.com > <mailto: user.name@company.com <mailto: user.name@company.com > >__>__> <mailto: user.name@company.com <mailto: user.name@company.com > <mailto: user.name@company.com <mailto: user.name@company.com > > <mailto: user.name@company.com <mailto: user.name@company.com > <mailto: user.name@company.com <mailto: user.name@company.com > >__>
<mailto: user.name@company.com <mailto: user.name@company.com > <mailto: user.name@company.com <mailto: user.name@company.com > > <mailto: user.name@company.com <mailto: user.name@company.com > <mailto: user.name@company.com <mailto: user.name@company.com > >__>__>__> -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example._ _______com
<mailto: user.name@site <mailto: user.name@site >. <mailto: user.name@site <mailto: user.name@site >.>__ exa m__p__le.com < http://examp__le.com > < http://example.com > <mailto: user.name@site . <mailto: user.name@site .>__ exam p__le.com < http://example.com > <mailto: user.name@site. __ examp le.com <mailto: user.name@site. example.com >>>> <mailto: user.name@site <mailto: user.name@site >
<mailto: user.name@site <mailto: user.name@site >>. <mailto: user.name@site <mailto: user.name@site > <mailto: user.name@site <mailto: user.name@site >>.>__ ex a__m__p__le.com < http://exam__p__le.com >
< http://examp__le.com > < http://example.com >
<mailto: user.name@site <mailto: user.name@site >. <mailto: user.name@site <mailto: user.name@site >.>__ exa m__p__le.com < http://examp__le.com > < http://example.com > <mailto: user.name@site . <mailto: user.name@site .>__ exam p__le.com < http://example.com > <mailto: user.name@site. __ examp le.com <mailto: user.name@site. example.com >>>>> -interactive
You don't add an user this way. You add the domain. You have to pass the domain admin user and the domain admin password.
any domain user will do, doesn't have to be an admin. what does the log say?
Then you can use the domain within the engine. e.g. search users, add access rights for vms etc. Even login to the engine and assigning rights within the engine you can handle from the engine itself.
Regards,
And the output on all tries: Enter password:
Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
Can someone help me with the correct parameters?
Best regards, Cristian Falcas
______________________________ _________________________
Users mailing list Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >> <mailto: Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >>> <mailto: Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >> <mailto: Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >>>> http://lists.ovirt.org/_______ _mailman/listinfo/users < http://lists.ovirt.org/______ mailman/listinfo/users >
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users >>
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>>
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>
< http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users < http://lists.ovirt.org/ mailman/listinfo/users >>>>
-- Regards,
Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625 <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625>
IRC: vfeenstr or evilissimo
Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com < http://redhat.com > < http://redhat.com > < http://redhat.com > < http://redhat.com >
______________________________ _________________________
Users mailing list Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >> <mailto: Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >>> <mailto: Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >> <mailto: Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >>>> http://lists.ovirt.org/_______ _mailman/listinfo/users < http://lists.ovirt.org/______ mailman/listinfo/users >
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users >>
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>>
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>
< http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users < http://lists.ovirt.org/ mailman/listinfo/users >>>>
______________________________ _________________________
Users mailing list Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >> <mailto: Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >>> <mailto: Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >> <mailto: Users@ovirt.org <mailto: Users@ovirt.org > <mailto: Users@ovirt.org <mailto: Users@ovirt.org >>>> http://lists.ovirt.org/_______ _mailman/listinfo/users < http://lists.ovirt.org/______ mailman/listinfo/users >
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users >>
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>>
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>
< http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users < http://lists.ovirt.org/ mailman/listinfo/users >>>>
Hi,
This is the command I used (the same error is with the -interactive parameter):
engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass
[root@localhost ~]# cat /tmp/pass
qwerty[root@localhost ~]#
This is the log:
2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
Hi, the error indicates you don't have Kerberos configured. manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to running ldapsearch with the -Y gssapi option). I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well).
This is the ldapsearch command that works (it retrieves users) from the same machine:
ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty
Best regards, Cristian Falcas
Hi,
I used "-x" for ldapsearch and the result is the same: list retrieved. Is there any equivalent for engine-manage-domains?
Cristian
Hi Cristian, there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues. What LDAP server are you working against? Maybe I missed that.
Hi,
The server is a Microsoft AD 2003.
Best regards, Cristian Falcas
this should work, is the AD also the DNS server for the ovirt engine machine?
yes
Could you take a look at the tcp dump? There are only 2 messages relevant to this (let me know if you want the full dump):
- 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV _kerberos._tcp.EXAMPLE.COM
- 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 100 88 site3.example.com
Also, I tried to run ldapsearch with -Y gssapi:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No worthy mechs found
Best regards, Cristian Falcas
The SRV records look fine. If I remember correctly, your DNS should have a reverse-resolve PTR record to your engine machine. Does it exist?
I don't think so (10.0.0.xx is engine machine, 10.0.0.yyy is dns):
[root@localhost ~]# nslookup 10.0.0.xx
Server: 10.0.0.yyy
Address: 10.0.0.yyy#53
** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN
[root@localhost ~]# host 10.0.0.xx
Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
I will ask them to add a DNS record for the machine.
Indeed, do that. In the engine we require a reverse-resolve PTR record, a Kerberos SRV record and an LDAP SRV record. Make sure you have all three in the DNS. The PTR + Kerberos records are used for the Kerberos authentication (and for constructing the krb5.conf file in the engine-manage-domains utility). The LDAP SRV record is used for the directory queries (it is used in the utility + the oVirt engine to look for LDAP servers).
Yair - sounds like we need a how to troubleshoot AD issues?
Hi,
So, after all, I was using the wrong domain. In my company we use "a_domain" everywhere (web, email, etc.) as the domain, instead of the usual company.com. So it worked with:
engine-manage-domains -action=add -domain=company.com -provider=ActiveDirectory -user=user.name -passwordFile=/tmp/pass
Some steps I did for my investigation:
1. test if the domain has a kerberos service:
host -t srv _kerberos._tcp.company.com
2. use kinit instead of engine-manage-domains (much faster):
cp /etc/ovirt-engine/krb5.conf /etc/
3. test with:
kinit user.name@company.com -V
Just to let others know what errors I had and how I fixed them:
1. "Client not found in Kerberos database while getting initial credentials": wrong user name.
2. "Cannot find KDC for requested realm": the realm you are using in the command line is not defined in the krb5.conf file.
- at the beginning I was using kinit user.name@a_domain -V, but there was no a_domain realm defined.
- check the file and try to update it, or correct your kinit command in order to use the correct realm:
[realms]
COMPANY.COM = {
  kdc = site1.company.com.:88
  kdc = site2.company.com.:88
  kdc = site3.company.com.:88
}
3. "KDC reply did not match expectations while getting initial credentials": you may have the same realm in your command line and in the krb5.conf file, but the server thinks this is not correct.
- use wireshark to see what realm the server has: protocol KRB5, messages AS-REQ and AS-REP
Thank you for all your help.
Cristian
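The three DNS prerequisites Yair lists (a PTR record for the engine, the Kerberos SRV record and the LDAP SRV record) and the krb5.conf [realms] stanza from Cristian's investigation can be checked in one pre-flight step before running engine-manage-domains. The script below is an added example, not oVirt's own tooling: it wraps the same `host` queries used in the thread, and the SAMPLE_HOST_OUTPUT records together with the 10.0.0.5 engine address are constructed so it runs offline.

```python
# Added example (not oVirt code): pre-flight check of the DNS records that
# engine-manage-domains relies on, using the same `host` queries as the thread.
import re
import subprocess
import sys

# `host -t srv` line: "_kerberos._tcp.company.com has SRV record 0 100 88 site1.company.com."
SRV_RE = re.compile(r"has SRV record (\d+) (\d+) (\d+) (\S+)$")
# `host <ip>` line: "5.0.0.10.in-addr.arpa domain name pointer engine.company.com."
PTR_RE = re.compile(r"domain name pointer (\S+)$")

# Constructed sample output (not captured from a real DNS server): the three
# KDCs from the thread, one LDAP server, and an engine host with no PTR record.
SAMPLE_HOST_OUTPUT = {
    ("-t", "srv", "_kerberos._tcp.company.com"):
        "_kerberos._tcp.company.com has SRV record 0 100 88 site1.company.com.\n"
        "_kerberos._tcp.company.com has SRV record 0 100 88 site2.company.com.\n"
        "_kerberos._tcp.company.com has SRV record 0 100 88 site3.company.com.\n",
    ("-t", "srv", "_ldap._tcp.company.com"):
        "_ldap._tcp.company.com has SRV record 0 100 389 site1.company.com.\n",
    ("10.0.0.5",): "Host 5.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)\n",
}


def host_lookup(*args):
    """Run `host` (bind-utils) with the given arguments and return all its output."""
    proc = subprocess.run(["host", *args], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def sample_lookup(*args):
    """Offline stand-in for host_lookup that serves the constructed sample."""
    return SAMPLE_HOST_OUTPUT.get(args, "")


def parse_srv(output):
    """(priority, weight, port, target) tuples from `host -t srv` output, ordered
    as a client tries them: lowest priority first, then highest weight."""
    records = []
    for line in output.splitlines():
        m = SRV_RE.search(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return sorted(records, key=lambda r: (r[0], -r[1], r[3]))


def parse_ptr(output):
    """Name a PTR record points to, or None when the reverse lookup failed."""
    for line in output.splitlines():
        m = PTR_RE.search(line.strip())
        if m:
            return m.group(1).rstrip(".")
    return None


def realm_stanza(domain, kdcs):
    """krb5.conf [realms] entry for the KDCs found via SRV; the realm name is
    the domain in upper case, which is the form kinit expects."""
    lines = ["[realms]", f"{domain.upper()} = {{"]
    lines += [f"  kdc = {target}:{port}" for _prio, _weight, port, target in kdcs]
    lines.append("}")
    return "\n".join(lines)


def preflight(domain, engine_ip, lookup=host_lookup):
    """Check Kerberos SRV, LDAP SRV and the engine's PTR; return findings and problems."""
    kdcs = parse_srv(lookup("-t", "srv", f"_kerberos._tcp.{domain}"))
    ldap = parse_srv(lookup("-t", "srv", f"_ldap._tcp.{domain}"))
    ptr = parse_ptr(lookup(engine_ip))
    problems = []
    if not kdcs:
        problems.append(f"no _kerberos._tcp.{domain} SRV record: no KDC for krb5.conf")
    if not ldap:
        problems.append(f"no _ldap._tcp.{domain} SRV record: engine cannot find LDAP servers")
    if ptr is None:
        problems.append(f"no PTR record for {engine_ip}: needed for Kerberos authentication")
    return {"kdcs": kdcs, "ldap": ldap, "ptr": ptr, "problems": problems}


def main(argv):
    if len(argv) == 3:          # real lookups: preflight.py <ad-domain> <engine-ip>
        domain, result = argv[1], preflight(argv[1], argv[2])
    else:                       # no arguments: run against the constructed sample
        domain, result = "company.com", preflight("company.com", "10.0.0.5", sample_lookup)
    print(realm_stanza(domain, result["kdcs"]))
    print("LDAP servers:", ", ".join(f"{t}:{p}" for _, _, p, t in result["ldap"]) or "none")
    print("engine PTR  :", result["ptr"] or "missing")
    for problem in result["problems"]:
        print("PROBLEM:", problem)
    return 1 if result["problems"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it reproduces the situation from the thread (KDCs present, engine PTR missing); with a domain and the engine's address it queries the DNS the engine machine is configured to use.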

On Wed, Nov 21, 2012 at 9:37 PM, Cristian Falcas <cristi.falcas@gmail.com> wrote:
On Wed, Nov 21, 2012 at 8:10 AM, Itamar Heim <iheim@redhat.com> wrote:
On 11/21/2012 08:09 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Cristian Falcas" <cristi.falcas@gmail.com> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: users@ovirt.org Sent: Wednesday, November 21, 2012 6:40:34 AM Subject: Re: [Users] I don't know how to add AD users
On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
From: "Cristian Falcas" <cristi.falcas@gmail.com> To: "Itamar Heim" <iheim@redhat.com> Cc: "Yair Zaslavsky" <yzaslavs@redhat.com>, users@ovirt.org Sent: Tuesday, November 20, 2012 7:33:39 PM
Subject: Re: [Users] I don't know how to add AD users
On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim <iheim@redhat.com> wrote:
On 11/20/2012 03:00 PM, Cristian Falcas wrote:
Hi,
So there is no way to use the domain I have at work, right?
I will need to make a freeipa installation in order to add new users.
there is no reason this shouldn't work with active directory 2003 (assuming its forest level isn't still in AD 2000 compatibility mode?). tcpdump for the traffic during engine-manage-domains should help diagnosing why.
Cristian
On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas <cristi.falcas@gmail.com> wrote:
On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim@redhat.com> wrote:
On 11/20/2012 09:56 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
On 11/20/2012 09:05 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
On 11/20/2012 12:39 AM, Cristian Falcas wrote:
On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim@redhat.com> wrote:
On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
On 11/19/2012 10:01 AM, Cristian Falcas wrote:
Hi,
I'm trying to add some users to ovirt using an AD.
This is the configuration I used for a mediawiki site, which is working correctly:
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPUseLocal = true;
$wgLDAPDomainNames = array( "a_domain");
$wgLDAPServerNames = array( "a_domain"=>"site.example.com");
$wgLDAPEncryptionType = array( "a_domain"=>"clear");
$wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME");
$wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com");
Those are the commands I tried using:
engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@company.com -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example.com -interactive
You don't add a user this way. You add the domain. You have to pass the domain admin user and the domain admin password.
any domain user will do, doesn't have to be an admin. what does the log say?
Then you can use the domain within the engine, e.g. search users, add access rights for VMs etc. Even logging in to the engine and assigning rights within the engine can be handled from the engine itself.
Regards,
And the output on all tries: Enter password:
Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct. Problematic domain is: domain_used_in_command Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
Can someone help me with the correct parameters?
Best regards, Cristian Falcas
-- Regards,
Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625
IRC: vfeenstr or evilissimo
Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com
I forgot. Use this kinit command for tests instead:
kinit user.name
Because I was using the realm in the command line, I had all of the above problems.

On 11/21/2012 09:40 PM, Cristian Falcas wrote:
On Wed, Nov 21, 2012 at 9:37 PM, Cristian Falcas <cristi.falcas@gmail.com <mailto:cristi.falcas@gmail.com>> wrote:
On Wed, Nov 21, 2012 at 8:10 AM, Itamar Heim <iheim@redhat.com <mailto:iheim@redhat.com>> wrote:
On 11/21/2012 08:09 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Cristian Falcas" <cristi.falcas@gmail.com <mailto:cristi.falcas@gmail.com>> To: "Yair Zaslavsky" <yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>> Cc: users@ovirt.org <mailto:users@ovirt.org> Sent: Wednesday, November 21, 2012 6:40:34 AM Subject: Re: [Users] I don't know how to add AD users
On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky < yzaslavs@redhat.com <mailto:yzaslavs@redhat.com>
wrote:
From: "Cristian Falcas" < cristi.falcas@gmail.com <mailto:cristi.falcas@gmail.com> > To: "Itamar Heim" < iheim@redhat.com <mailto:iheim@redhat.com> > Cc: "Yair Zaslavsky" < yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> >, users@ovirt.org <mailto:users@ovirt.org> Sent: Tuesday, November 20, 2012 7:33:39 PM
Subject: Re: [Users] I don't know how to add AD users
On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim < iheim@redhat.com <mailto:iheim@redhat.com> > wrote:
On 11/20/2012 03:00 PM, Cristian Falcas wrote:
Hi,
So there is no way to use the domain I have at work, right?
I will need to make a freeipa installation in order to add new users.
there is no reason this shouldn't work with active directory 2003 (assuming its forest level isn't still in AD 2000 compatibility mode?). tcpdump for the traffic during engine-manage-domains should help diagnosing why.
Cristian
On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas
< cristi.falcas@gmail.com <mailto:cristi.falcas@gmail.com> <mailto: cristi.falcas@gmail. com >> wrote:
On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim < iheim@redhat.com <mailto:iheim@redhat.com>
<mailto: iheim@redhat.com <mailto:iheim@redhat.com> >> wrote:
On 11/20/2012 09:56 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky < yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> <mailto: yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> >
<mailto: yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> <mailto: yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> >>> wrote:
On 11/20/2012 09:05 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky < yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> <mailto: yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> > <mailto: yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> <mailto: yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> >> <mailto: yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> <mailto: yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> > <mailto: yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> <mailto: yzaslavs@redhat.com <mailto:yzaslavs@redhat.com> >>> > wrote:
On 11/20/2012 12:39 AM, Cristian Falcas wrote:
On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim < iheim@redhat.com <mailto:iheim@redhat.com> <mailto: iheim@redhat.com <mailto:iheim@redhat.com> > <mailto: iheim@redhat.com <mailto:iheim@redhat.com> <mailto: iheim@redhat.com <mailto:iheim@redhat.com> >> <mailto: iheim@redhat.com <mailto:iheim@redhat.com> <mailto: iheim@redhat.com <mailto:iheim@redhat.com> > <mailto: iheim@redhat.com <mailto:iheim@redhat.com> <mailto: iheim@redhat.com <mailto:iheim@redhat.com> >>> <mailto: iheim@redhat.com <mailto:iheim@redhat.com> <mailto: iheim@redhat.com <mailto:iheim@redhat.com> > <mailto: iheim@redhat.com <mailto:iheim@redhat.com> <mailto: iheim@redhat.com <mailto:iheim@redhat.com> >> <mailto: iheim@redhat.com <mailto:iheim@redhat.com> <mailto: iheim@redhat.com <mailto:iheim@redhat.com> > <mailto: iheim@redhat.com <mailto:iheim@redhat.com> <mailto: iheim@redhat.com <mailto:iheim@redhat.com> >>>>> wrote:
On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
On 11/19/2012 10:01 AM, Cristian Falcas wrote:
Hi,
I'm trying to add some users to ovirt using an AD.
This is the configuration I used for a mediawiki site, which is working correctly: $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPUseLocal = true; $wgLDAPDomainNames = array( "a_domain"); $wgLDAPServerNames = array( "a_domain"=>" site.example.com <http://site.example.com> < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com >");
$wgLDAPEncryptionType = array( "a_domain"=>"clear"); $wgLDAPSearchStrings = array(
"a_domain"=>"rom_domain\\USER- ________NAME"); $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=___ _____com");
Those are the commands I tried using: engine-manage-domains -action=add -domain= site.example.com <http://site.example.com> < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com > -provider=ActiveDirectory -user= user.name <http://user.name> < http://user.name > < http://user.name > < http://user.name > < http://user.name > < http://user.name > -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user= user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > >__> <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > >__>__> <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > >__>
<mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > >__>__>__> -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example._ _______com
<mailto: user.name@site <mailto: user.name@site >. <mailto: user.name@site <mailto: user.name@site >.>__ exa m__p__le.com <http://m__p__le.com> < http://examp__le.com > < http://example.com > <mailto: user.name@site . <mailto: user.name@site .>__ exam p__le.com <http://p__le.com> < http://example.com > <mailto: user.name@site. __ examp le.com <http://le.com> <mailto: user.name@site. example.com <http://example.com> >>>> <mailto: user.name@site <mailto: user.name@site >
<mailto: user.name@site <mailto: user.name@site >>. <mailto: user.name@site <mailto: user.name@site > <mailto: user.name@site <mailto: user.name@site >>.>__ ex a__m__p__le.com <http://a__m__p__le.com> < http://exam__p__le.com >
< http://examp__le.com > < http://example.com >
<mailto: user.name@site <mailto: user.name@site >. <mailto: user.name@site <mailto: user.name@site >.>__ exa m__p__le.com <http://m__p__le.com> < http://examp__le.com > < http://example.com > <mailto: user.name@site . <mailto: user.name@site .>__ exam p__le.com <http://p__le.com> < http://example.com > <mailto: user.name@site. __ examp le.com <http://le.com> <mailto: user.name@site. example.com <http://example.com> >>>>> -interactive
You don't add an user this way. You add the domain. You have to pass the domain admin user and the domain admin password.
any domain user will do, doesn't have to be an admin. what does the log say?
Then you can use the domain within the engine. e.g. search users, add access rights for vms etc. Even login to the engine and assigning rights within the engine you can handle from the engine itself.
Regards,
And the output on all tries: Enter password:
Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
Can someone help me with the correct parameters?
Best regards, Cristian Falcas
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
-- Regards,
Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625
IRC: vfeenstr or evilissimo
Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com
Hi,
This is the command I used (the same error is with -interactive parameter):
engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass
[root@localhost ~]# cat /tmp/pass
qwerty[root@localhost ~]#
This is the log:
2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
Hi, the error indicates you don't have kerberos configured. manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to running ldapsearch with the -Y gssapi option). I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well).
This is the ldapsearch command that works (it retrieves users) from the same machine:
ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty
Best regards, Cristian Falcas
Hi,
I used "-x" for ldapsearch and the result is the same: list retrieved. Is there any equivalent for engine-manage-domains?
Cristian
Hi Christian, there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues. What ldap server are you working against? Maybe I missed that
Hi,
The server is a Microsoft AD 2003.
Best regards, Cristian Falcas
this should work, is the AD also the DNS server for the ovirt engine machine?
yes
Could you take a look at the tcp dump? There are only 2 messages relevant to this (let me know if you want the full dump):
- 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV _kerberos._tcp.EXAMPLE.COM
- 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 100 88 site3.example.com
Also, I tried to run ldapsearch with -Y gssapi: ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: No worthy mechs found
Best regards, Cristian Falcas
The SRV records look fine. If I remember correctly, your DNS should have a reverse-resolve PTR record to your engine machine. Does it exist?
I don't think so (10.0.0.xx is engine machine, 10.0.0.yyy is dns):
[root@localhost ~]# nslookup 10.0.0.xx
Server: 10.0.0.yyy
Address: 10.0.0.yyy#53
** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN
[root@localhost ~]# host 10.0.0.xx
Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
I will ask them to add a DNS record for the machine.
Indeed do that. In the engine we require both reverse-resolve PTR record, Kerberos SRV record and LDAP SRV record. Make sure you have all three in the DNS. The PTR + Kerberos records are used for the kerberos authentication (and constructing the krb5.conf file in the engine-manage-domains utility). The LDAP SRV record is used for the directory queries (it is used in the utility + the ovirt engine, to look for LDAP servers).
Yair - sounds like we need a how to troubleshoot AD issues?
Hi,
So, after all, I was using the wrong domain. In my company we use everywhere (web, email, etc) as the domain "a_domain" instead of the usual company.com. So it worked with:
engine-manage-domains -action=add -domain=company.com -provider=ActiveDirectory -user=user.name -passwordFile=/tmp/pass
Some steps I did for my investigation:
1. test if the domain has a kerberos service:
host -t srv _kerberos._tcp.company.com
2. use kinit instead of engine-manage-domains (much faster):
cp /etc/ovirt-engine/krb5.conf /etc/
3. test with: kinit user.name@company.com -V
Just to let others know what errors I had and how I fixed them:
1. Client not found in Kerberos database while getting initial credentials: wrong user name
2. Cannot find KDC for requested realm: the realm you are using in the command line is not defined in the krb5.conf file.
- at the beginning I was using kinit user.name@a_domain -V, but there was no a_domain realm defined. - check the file and try to update it or correct your kinit command in order to use the correct realm
[realms]
COMPANY.COM = {
  kdc = site1.company.com.:88
  kdc = site2.company.com.:88
  kdc = site3.company.com.:88
}
3. KDC reply did not match expectations while getting initial credentials: you may have the same realm in your command line and in the krb5.conf file, but the server thinks this is not correct. - use wireshark to see what realm the server has: protocol KRB5, messages AS-REQ and AS-REP
Thank you for all your help.
Cristian
I forgot. Use this kinit command for tests instead:
kinit user.name
Because I was using the realm in the command line I had all of the above problems
do you mind adding these to a wiki for steps to troubleshoot for the next one to tackle this? thanks, Itamar
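The three DNS prerequisites Yair lists (Kerberos SRV, LDAP SRV, and a PTR record for the engine host) and the kinit-oriented steps Cristian summarises, gathered into one pre-flight check. This is an added example, not code from oVirt or from anyone in the thread. It assumes the `host` utility is installed, that the Kerberos realm is the domain name upper-cased (as in the quoted krb5.conf), and that the SRV records carry the port to put in the `kdc =` lines; the DNS answers embedded in it are constructed to mirror the thread (three KDCs, one LDAP server, no PTR) so the script also runs offline.

```python
"""Pre-flight DNS and krb5.conf checks before engine-manage-domains -action=add.

Added example, not oVirt code. DNS is queried through the `host` utility
(assumed present); parsing is kept apart from I/O so the logic can run on
captured output. The realm is assumed to be the domain upper-cased.
"""
import re
import subprocess
from typing import Callable, List, NamedTuple, Optional


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# `host -t srv _kerberos._tcp.company.com` prints lines such as:
#   _kerberos._tcp.company.com has SRV record 0 100 88 site1.company.com.
SRV_LINE = re.compile(r"has SRV record (\d+) (\d+) (\d+) (\S+)$")
# `host 10.0.0.20` prints "... domain name pointer engine.company.com." on
# success, or "Host 20.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)".
PTR_LINE = re.compile(r"domain name pointer (\S+)$")


def parse_srv(output: str) -> List[SrvRecord]:
    """Extract SRV records from `host -t srv` output, lowest priority first."""
    found = []
    for line in output.splitlines():
        m = SRV_LINE.search(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            found.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return sorted(found, key=lambda r: (r.priority, -r.weight))


def parse_ptr(output: str) -> Optional[str]:
    """Return the FQDN from a reverse lookup, or None when there is no PTR record."""
    for line in output.splitlines():
        m = PTR_LINE.search(line.strip())
        if m:
            return m.group(1).rstrip(".")
    return None


def run_host(*args: str) -> str:
    """Run `host` with the given arguments; NXDOMAIN exits non-zero but still prints."""
    proc = subprocess.run(["host", *args], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def realm_stanza(domain: str, kdcs: List[SrvRecord]) -> str:
    """krb5.conf [realms] entry in the shape quoted in the thread (realm upper-cased)."""
    body = "\n".join(f"  kdc = {r.target}:{r.port}" for r in kdcs)
    return f"[realms]\n{domain.upper()} = {{\n{body}\n}}"


def check_domain(domain: str, engine_ip: str,
                 resolver: Callable[..., str] = run_host) -> dict:
    """Run the three DNS checks from the thread and report what is missing.

    `resolver` receives the arguments `host` would get and returns its output,
    so a stub can stand in for DNS when working offline.
    """
    kdcs = parse_srv(resolver("-t", "srv", f"_kerberos._tcp.{domain}"))
    ldap = parse_srv(resolver("-t", "srv", f"_ldap._tcp.{domain}"))
    fqdn = parse_ptr(resolver(engine_ip))
    problems = []
    if not kdcs:
        problems.append(f"no _kerberos._tcp.{domain} SRV record: kinit cannot locate a KDC")
    if not ldap:
        problems.append(f"no _ldap._tcp.{domain} SRV record: engine cannot find LDAP servers")
    if fqdn is None:
        problems.append(f"no PTR record for {engine_ip}: reverse lookup is NXDOMAIN")
    return {
        "realm": domain.upper(),
        "kdcs": kdcs,
        "ldap_servers": ldap,
        "engine_fqdn": fqdn,
        "problems": problems,
        "krb5_realms": realm_stanza(domain, kdcs) if kdcs else "",
    }


# Constructed DNS answers modelled on the thread: three KDCs, one LDAP server,
# and no PTR record for the engine (the state Cristian's nslookup showed).
SAMPLE_DNS = {
    "_kerberos._tcp.company.com": (
        "_kerberos._tcp.company.com has SRV record 0 100 88 site1.company.com.\n"
        "_kerberos._tcp.company.com has SRV record 0 100 88 site2.company.com.\n"
        "_kerberos._tcp.company.com has SRV record 0 100 88 site3.company.com.\n"),
    "_ldap._tcp.company.com": (
        "_ldap._tcp.company.com has SRV record 0 100 389 site1.company.com.\n"),
    "10.0.0.20": "Host 20.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)\n",
}


def stub_resolver(*args: str) -> str:
    """Offline stand-in for run_host: answers from SAMPLE_DNS, empty otherwise."""
    return SAMPLE_DNS.get(args[-1], "")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:      # real DNS, e.g.: python3 check_ad_dns.py company.com 10.0.0.20
        report = check_domain(sys.argv[1], sys.argv[2])
    else:                       # no arguments: run against the constructed answers
        report = check_domain("company.com", "10.0.0.20", stub_resolver)
    for kdc in report["kdcs"]:
        print(f"KDC  {kdc.target}:{kdc.port}")
    for srv in report["ldap_servers"]:
        print(f"LDAP {srv.target}:{srv.port}")
    print(f"engine PTR: {report['engine_fqdn']}")
    for p in report["problems"]:
        print("PROBLEM:", p)
    if report["krb5_realms"]:
        print(report["krb5_realms"])
        print(f"test with: kinit -V user.name@{report['realm']}")
```

Run it with no arguments to see the constructed case, or with the real domain and the engine's IP before calling engine-manage-domains. The generated `[realms]` stanza is only for comparing against the realm you pass to kinit: if the realm in your principal is not the one the file defines you get "Cannot find KDC for requested realm", and if the engine has no PTR record the Kerberos step fails even though the SRV records are fine, which is exactly the pair of symptoms worked through above.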

On Wed, Nov 21, 2012 at 10:49 PM, Itamar Heim <iheim@redhat.com> wrote:
On 11/21/2012 09:40 PM, Cristian Falcas wrote:
On Wed, Nov 21, 2012 at 9:37 PM, Cristian Falcas <cristi.falcas@gmail.com> wrote:
On Wed, Nov 21, 2012 at 8:10 AM, Itamar Heim <iheim@redhat.com> wrote:
On 11/21/2012 08:09 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Cristian Falcas" <cristi.falcas@gmail.com>
To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: users@ovirt.org
Sent: Wednesday, November 21, 2012 6:40:34 AM Subject: Re: [Users] I don't know how to add AD users
On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
From: "Cristian Falcas" <cristi.falcas@gmail.com>
To: "Itamar Heim" <iheim@redhat.com> Cc: "Yair Zaslavsky" <yzaslavs@redhat.com>, users@ovirt.org
Sent: Tuesday, November 20, 2012 7:33:39 PM
Subject: Re: [Users] I don't know how to add AD users
On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim <iheim@redhat.com> wrote:
On 11/20/2012 03:00 PM, Cristian Falcas wrote:
Hi,
So there is no way to use the domain I have at work, right?
I will need to make a freeipa installation in order to add new users.
there is no reason this shouldn't work with active directory 2003 (assuming its forest level isn't still in AD 2000 compatibility mode?). tcpdump for the traffic during engine-manage-domains should help diagnosing why.
Cristian
On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas <cristi.falcas@gmail.com> wrote:
On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim@redhat.com> wrote:
On 11/20/2012 09:56 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
On 11/20/2012 09:05 AM, Cristian Falcas wrote:
On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
On 11/20/2012 12:39 AM, Cristian Falcas wrote:
On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim@redhat.com> wrote:
On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
On 11/19/2012 10:01 AM, Cristian Falcas wrote:
Hi,
I'm trying to add some users to ovirt using an AD.
This is the configuration I used for a mediawiki site, which is working correctly: $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPUseLocal = true; $wgLDAPDomainNames = array( "a_domain"); $wgLDAPServerNames = array( "a_domain"=>" site.example.com <http://site.example.com> < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com >");
$wgLDAPEncryptionType = array( "a_domain"=>"clear"); $wgLDAPSearchStrings = array(
"a_domain"=>"rom_domain\\USER- ________NAME"); $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=___ _____com");
Those are the commands I tried using: engine-manage-domains -action=add -domain= site.example.com <http://site.example.com> < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com > < http://site.example.com > -provider=ActiveDirectory -user= user.name <http://user.name> < http://user.name > < http://user.name > < http://user.name > < http://user.name > < http://user.name > -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user= user.name@company.com <mailto: user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > >__> <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > >__>__> <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > >__>
<mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > <mailto: user.name@company.com <mailto:user.name@company.com> <mailto: user.name@company.com <mailto:user.name@company.com> > >__>__>__> -interactive
engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example._ _______com
<mailto: user.name@site <mailto: user.name@site >. <mailto: user.name@site <mailto: user.name@site >.>__ exa m__p__le.com <http://m__p__le.com>
< http://examp__le.com > < http://example.com > <mailto: user.name@site . <mailto: user.name@site .>__ exam p__le.com <http://p__le.com> < http://example.com > <mailto: user.name@site. __ examp le.com <http://le.com> <mailto: user.name@site. example.com
<http://example.com> >>>> <mailto: user.name@site <mailto: user.name@site >
<mailto: user.name@site <mailto: user.name@site >>. <mailto: user.name@site <mailto: user.name@site > <mailto: user.name@site <mailto: user.name@site >>.>__ ex a__m__p__le.com <http://a__m__p__le.com>
< http://examp__le.com > < http://example.com >
<mailto: user.name@site <mailto: user.name@site >. <mailto: user.name@site <mailto: user.name@site >.>__ exa m__p__le.com <http://m__p__le.com>
< http://examp__le.com > < http://example.com > <mailto: user.name@site . <mailto: user.name@site .>__ exam p__le.com <http://p__le.com> < http://example.com > <mailto: user.name@site. __ examp le.com <http://le.com> <mailto: user.name@site. example.com <http://example.com> >>>>> -interactive
You don't add an user this way. You add the domain. You have to pass the domain admin user and the domain admin password.
any domain user will do, doesn't have to be an admin. what does the log say?
Then you can use the domain within the engine. e.g. search users, add access rights for vms etc. Even login to the engine and assigning rights within the engine you can handle from the engine itself.
Regards,
And the output on all tries: Enter password:
Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
Can someone help me with the correct parameters?
Best regards, Cristian Falcas
______________________________ _________________________
Users mailing list Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> > <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> >> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> > <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> > <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> >> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> > <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>>>
http://lists.ovirt.org/_______ _mailman/listinfo/users < http://lists.ovirt.org/______ mailman/listinfo/users >
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users >>
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>>
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>
< http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users < http://lists.ovirt.org/ mailman/listinfo/users >>>>
-- Regards,
Vinzenz Feenstra | Senior Software Engineer RedHat Engineering Virtualization R & D Phone: +420 532 294 625 <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625>
IRC: vfeenstr or evilissimo
Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com <http://redhat.com> < http://redhat.com > < http://redhat.com > < http://redhat.com > < http://redhat.com >
______________________________ _________________________
Users mailing list Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> > <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> >> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> > <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> > <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> >> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> > <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>>>
http://lists.ovirt.org/_______ _mailman/listinfo/users < http://lists.ovirt.org/______ mailman/listinfo/users >
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users >>
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>>
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>
< http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users < http://lists.ovirt.org/ mailman/listinfo/users >>>>
______________________________ _________________________
Users mailing list Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> > <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> >> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> > <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> > <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> >> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> > <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>>>
http://lists.ovirt.org/_______ _mailman/listinfo/users < http://lists.ovirt.org/______ mailman/listinfo/users >
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users >>
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>>
< http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>
< http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users < http://lists.ovirt.org/ mailman/listinfo/users >>>>
Hi,
This is the command I used (the same error is with -interactive parameter):
engine-manage-domains -action=add -domain= example.com <http://example.com> < http://example.com > < http://example.com > < http://example.com > < http://example.com > -provider=ActiveDirectory -user=user.name@a_domain
-passwordFile=/tmp/pass
[root@localhost ~]# cat /tmp/pass qwerty[root@localhost ~]#
This is the log:
2012-11-20 00:30:40,443 INFO
[org.ovirt.engine.core.utils._ _____kerberos.ManageDomains]
Creating
kerberos configuration for domain(s): example.com <http://example.com> < http://example.com > < http://example.com > < http://example.com > < http://example.com >
2012-11-20 00:30:40,525 INFO
[org.ovirt.engine.core.utils._ _____kerberos.ManageDomains]
Successfully
created kerberos configuration for domain(s): example.com <http://example.com> < http://example.com > < http://example.com > < http://example.com > < http://example.com >
2012-11-20 00:30:40,526 INFO
[org.ovirt.engine.core.utils._ _____kerberos.ManageDomains]
Testing
kerberos configuration for domain: example.com <http://example.com
< http://example.com > < http://example.com > < http://example.com > < http://example.com >
2012-11-20 00:30:40,830 ERROR
[org.ovirt.engine.core.utils._ _____kerberos.__ KerberosConfigCheck]
Error:
exception message: Cannot locate KDC 2012-11-20 00:30:40,851 ERROR
[org.ovirt.engine.core.utils._ _____kerberos.ManageDomains]
Failure
while
testing domain example.com <http://example.com> < http://example.com > < http://example.com > < http://example.com > < http://example.com >. Details: Kerberos
error. Please check log for further details.
Hi, the error indicates you don't have kerberos configured. manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to run ldapsearch with -Y gssapi option). I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well).
This is the ldapsearch command that works (it retrieves users) from the same machine:
ldapsearch -H ldap:// example.com <http://example.com> < http://example.com > < http://example.com > < http://example.com > < http://example.com > -b
dc=example,dc=com -D user.name@a_domain -w qwerty
Best regards, Cristian Falcas
______________________________ _______________________ Users mailing list Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> > <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> >> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> > <mailto: Users@ovirt.org <mailto:Users@ovirt.org> <mailto: Users@ovirt.org <mailto:Users@ovirt.org> >>> http://lists.ovirt.org/______ mailman/listinfo/users < http://lists.ovirt.org/____ mailman/listinfo/users > < http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users >>
< http://lists.ovirt.org/____ mailman/listinfo/users < http://lists.ovirt.org/__ mailman/listinfo/users > < http://lists.ovirt.org/__ mailman/listinfo/users < http://lists.ovirt.org/ mailman/listinfo/users >>>
Hi,
I used "-x" for ldapsearch and the result is the same: list retrieved. Is there any equivalent for engine-manage-domains?
Cristian
Hi Cristian, there is no code allowing to add simple-authentication domains to Manage-Domains. In the past we did have the ability to do that, but there are several problematic issues. What ldap server are you working against? Maybe I missed that.
Hi,
The server is a Microsoft AD 2003.
Best regards, Cristian Falcas
this should work, is the AD also the DNS server for the ovirt engine machine?
yes
Could you take a look at the tcp dump? There are only 2 messages relevant to this (let me know if you want the full dump):
- 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV _kerberos._tcp.EXAMPLE.COM
- 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 100 88 site3.example.com
Also, I tried to run ldapsearch with -Y gssapi:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: No worthy mechs found
Best regards, Cristian Falcas
The SRV records look fine. If I remember correctly, your DNS should have a reverse-resolve PTR record for your engine machine. Does it exist?
I don't think so (10.0.0.xx is engine machine, 10.0.0.yyy is dns):
[root@localhost ~]# nslookup 10.0.0.xx
Server: 10.0.0.yyy
Address: 10.0.0.yyy#53
** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN
[root@localhost ~]# host 10.0.0.xx
Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
I will ask them to add a DNS record for the machine.
Indeed, do that. In the engine we require a reverse-resolve PTR record, a Kerberos SRV record and an LDAP SRV record. Make sure you have all three in the DNS. The PTR + Kerberos records are used for the kerberos authentication (and for constructing the krb5.conf file in the engine-manage-domains utility). The LDAP SRV record is used for the directory queries (it is used in the utility + the ovirt engine, to look for LDAP servers).
Yair - sounds like we need a how to troubleshoot AD issues?
Hi,
So, after all, I was using the wrong domain. In my company we use everywhere (web, email, etc) the domain "a_domain" instead of the usual company.com. So it worked with:
engine-manage-domains -action=add -domain=company.com -provider=ActiveDirectory -user=user.name -passwordFile=/tmp/pass
Some steps I did for my investigation:
1. test if the domain has a kerberos service:
host -t srv _kerberos._tcp.company.com
2. use kinit instead of engine-manage-domains (much faster):
cp /etc/ovirt-engine/krb5.conf /etc/
3. test with:
kinit user.name@company.com -V
Just to let others know what errors I had and how I fixed them:
1. Client not found in Kerberos database while getting initial credentials: wrong user name
2. Cannot find KDC for requested realm: the realm you are using in the command line is not defined in the krb5.conf file.
- at the beginning I was using kinit user.name@a_domain -V, but there was no a_domain realm defined.
- check the file and try to update it, or correct your kinit command in order to use the correct realm:
[realms]
COMPANY.COM = {
  kdc = site1.company.com.:88
  kdc = site2.company.com.:88
  kdc = site3.company.com.:88
}
3. KDC reply did not match expectations while getting initial credentials: you may have the same realm in your command line and in the krb5.conf file, but the server thinks this is not correct.
- use wireshark to see what realm the server has: protocol KRB5, messages AS-REQ and AS-REP
Thank you for all your help.
Cristian
I forgot. Use this kinit command for tests instead:
kinit user.name
Because I was using the realm in the command line, I had all of the above problems.
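The checks in the two posts above (does krb5.conf define the realm in the kinit principal, and do its kdc entries agree with the _kerberos._tcp SRV answer) can be scripted so the next person does not have to work through the three kinit errors by hand. The script below is an added example written for this thread; it is not code from the original posts or from oVirt. It runs offline against a constructed krb5.conf and a constructed `host -t srv` answer (the COMPANY.COM realm and site1/2/3.company.com hosts are assumptions taken from the posts); replace those with `cat /etc/ovirt-engine/krb5.conf` and the real `host -t srv _kerberos._tcp.<domain>` output to check a live machine. It also covers the case the posts hit with a lower-case realm: Kerberos realm names are case-sensitive, so user.name@company.com is not in a [realms] section that defines COMPANY.COM.

```shell
#!/bin/sh
# Added example for this thread (not oVirt code): offline checks for the
# kinit / krb5.conf / SRV mismatches discussed above. Realm, hosts and
# sample outputs below are constructed, not captured from a real site.

# Constructed krb5.conf in the shape engine-manage-domains writes.
KRB5_SAMPLE='[libdefaults]
 default_realm = COMPANY.COM
 dns_lookup_kdc = true

[realms]
 COMPANY.COM = {
  kdc = site1.company.com.:88
  kdc = site2.company.com.:88
  kdc = site3.company.com.:88
 }
'

# Constructed output of: host -t srv _kerberos._tcp.company.com
SRV_SAMPLE='_kerberos._tcp.company.com has SRV record 0 100 88 site1.company.com.
_kerberos._tcp.company.com has SRV record 0 100 88 site2.company.com.
_kerberos._tcp.company.com has SRV record 0 100 88 site3.company.com.'

# realm_of_principal PRINCIPAL -> the part after '@', or empty when none given
realm_of_principal() {
    case "$1" in
        *@*) printf '%s\n' "${1##*@}" ;;
        *)   printf '\n' ;;
    esac
}

# krb5_realms CONF -> realm names defined in the [realms] section, one per line
krb5_realms() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\[/ { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/); next }
        in_realms && /=[[:space:]]*[{]/ { sub(/^[[:space:]]*/, ""); sub(/[[:space:]]*=.*/, ""); print }
    '
}

# krb5_kdcs CONF REALM -> kdc hosts of REALM, trailing dot and :port stripped
krb5_kdcs() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        /^[[:space:]]*\[/ { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/); cur = ""; next }
        in_realms && /=[[:space:]]*[{]/ { cur = $0; sub(/^[[:space:]]*/, "", cur); sub(/[[:space:]]*=.*/, "", cur); next }
        in_realms && /^[[:space:]]*[}]/ { cur = ""; next }
        in_realms && cur == realm && /^[[:space:]]*kdc[[:space:]]*=/ {
            h = $0; sub(/^[^=]*=[[:space:]]*/, "", h); sub(/:[0-9]+$/, "", h); sub(/\.$/, "", h); print h
        }
    '
}

# srv_kdcs HOST_OUTPUT -> target hosts from a `host -t srv` answer, trailing dot stripped
srv_kdcs() {
    printf '%s\n' "$1" | awk '/has SRV record/ { h = $NF; sub(/\.$/, "", h); print h }'
}

# diagnose_principal CONF PRINCIPAL -> one-line verdict naming the kinit error to expect
diagnose_principal() {
    conf=$1; princ=$2
    realm=$(realm_of_principal "$princ")
    if [ -z "$realm" ]; then
        echo "ok: no realm given, kinit will use default_realm"
        return 0
    fi
    if krb5_realms "$conf" | grep -qxF "$realm"; then
        echo "ok: realm $realm is defined in krb5.conf"
        return 0
    fi
    # Realm names are case-sensitive. With dns_lookup_kdc the lower-case realm still
    # finds a KDC via SRV, and the KDC answers for COMPANY.COM instead.
    if krb5_realms "$conf" | grep -qixF "$realm"; then
        echo "case mismatch: $realm is not $(krb5_realms "$conf" | grep -ixF "$realm"); expect 'KDC reply did not match expectations'"
        return 1
    fi
    echo "missing: realm $realm is not in [realms]; expect 'Cannot find KDC for requested realm'"
    return 1
}

# kdcs_match CONF REALM SRV_OUTPUT -> 0 when krb5.conf and DNS list the same KDC hosts
kdcs_match() {
    a=$(krb5_kdcs "$1" "$2" | sort)
    b=$(srv_kdcs "$3" | sort)
    [ "$a" = "$b" ]
}

# Stand-alone run: verdict for each principal form that appears in the thread.
for p in user.name user.name@COMPANY.COM user.name@company.com user.name@a_domain; do
    diagnose_principal "$KRB5_SAMPLE" "$p" || true
done
kdcs_match "$KRB5_SAMPLE" COMPANY.COM "$SRV_SAMPLE" && echo "ok: krb5.conf KDCs match the _kerberos._tcp SRV answer"
```

Only sh, awk and grep are used, so it runs on the engine host as-is. The PTR check from earlier in the thread is not scripted here because it needs a live resolver; `host <engine-ip>` remains the test for that.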
do you mind adding these to a wiki for steps to troubleshoot for the next one to tackle this?
thanks, Itamar
I'm glad to help. Can someone help me with an account?

On 11/21/2012 10:58 PM, Cristian Falcas wrote:
participants (5)
- Cristian Falcas
- Itamar Heim
- Oved Ourfalli
- Vinzenz Feenstra
- Yair Zaslavsky