[Users] engine-manage-domains can't add user , domain

Oved Ourfalli ovedo at redhat.com
Tue May 15 05:47:08 UTC 2012



----- Original Message -----
> From: "Yair Zaslavsky" <yzaslavs at redhat.com>
> To: "Oved Ourfalli" <ovedo at redhat.com>
> Cc: "T-Sinjon" <tscbj1989 at gmail.com>, users at ovirt.org
> Sent: Tuesday, May 15, 2012 8:48:26 AM
> Subject: Re: [Users] engine-manage-domains can't add user , domain
> 
> On 05/15/2012 08:35 AM, Oved Ourfalli wrote:
> > 
> > 
> > ----- Original Message -----
> >> From: "T-Sinjon" <tscbj1989 at gmail.com>
> >> To: "Oved Ourfalli" <ovedo at redhat.com>
> >> Cc: users at ovirt.org
> >> Sent: Tuesday, May 15, 2012 5:53:16 AM
> >> Subject: Re: [Users] engine-manage-domains can't add user , domain
> >>
> >> After using kinit to log in as tsinjon, the error changes to the one
> >> below. Why did this happen?
> >>
> >> [root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive
> >> Enter password:
> >>
> >> No user in Directory was found for tsinjon@LOCAL. Trying next LDAP server in list
> >> Failure while testing domain local. Details: No user information was found for user
> >>
> > Can't see why kinit matters here, but looking at your command I
> > noticed you used single quotes for the user and domain name.
> > I'm not sure it knows to handle this correctly.
> > Did you try without the quotes?
> > 
> > Also, what version are you working with?
> > We had a problem a few weeks ago, of identifying the correct ldap
> > provider. To fix that we added an option to specify the ldap
> > provider type. It determines which query will be used in order to
> > get the user details.
> > 
> > CC-ing Roy, who added this. IIRC it is mandatory to provide this
> > option, so you probably don't have this option in your
> > environment.
> > Roy - is there an upstream release with this fix?
> 
> Oved - this was merged upstream.
> T-Sinjon - have you cloned the git repo and compiled or are you using
> RPMs?
> 
Yair - he is probably using the RPMs, as it is harder to run the utility from the git repo.
> 
> > 
> > Regards,
> > Oved
> >> On 15 May, 2012, at 10:47 AM, T-Sinjon wrote:
> >>
> >>>
> >>> I have added that SRV info to my zone file, and it did go;
> >>>  the log looks fine, but engine-manage-domains still returns an
> >>>  error
> >>>
> >>> 2012-05-15 10:45:19,222 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): local
> >>> 2012-05-15 10:45:19,258 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): local
> >>> 2012-05-15 10:45:19,259 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: local
> >>>
> >>> [root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive
> >>> Enter password:
> >>>
> >>> Error:  exception message: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
> >>> Failure while testing domain local. Details: Kerberos error. Please check log for further details.
> >>>
> >>>
> >>> On 14 May, 2012, at 10:12 PM, Oved Ourfalli wrote:
> >>>
> >>>>
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "T-Sinjon" <tscbj1989 at gmail.com>
> >>>>> To: users at ovirt.org
> >>>>> Sent: Monday, May 14, 2012 5:07:46 PM
> >>>>> Subject: [Users] engine-manage-domains can't add user , domain
> >>>>>
> >>>>>
> >>>>> I use FreeIPA to authenticate users. ipa user-add has no problem,
> >>>>> but when I do:
> >>>>>
> >>>>> [root@ovirt-engine ~]# engine-manage-domains -action=add -domain='local' -user='tsinjon' -interactive
> >>>>>
> >>>>> Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: local
> >>>>> Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
> >>>>>
> >>>>> and log from engine-manage-domains.log :
> >>>>>
> >>>>> 2012-05-14 21:58:47,892 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): local
> >>>>> 2012-05-14 21:58:47,923 ERROR [org.ovirt.engine.core.dns.DnsSRVLocator] Error in getting SRV list for protocol _tcp and domain LOCAL Exception message is DNS name not found [response code 3]
> >>>>>
> >>>>> My domain is 'local', like ovirt-engine.local,
> >>>>> ovirt-node-1.local, etc.
> >>>>>
> >>>>> What can I do to get through it?
> >>>>>
> >>>> The utility (and also the ovirt engine) are relying on DNS SRV
> >>>> records in order to find LDAP and kerberos servers (supporting
> >>>> Active directory, IPA or RHDS).
> >>>> So, in order to work with it you must have the following in the
> >>>> DNS
> >>>> 1. PTR record for your LDAP server
> >>>> 2. LDAP SRV record for your LDAP server
> >>>> 3. LDAP kerberos record for your LDAP server
> >>>>
> >>>> If you don't really have access to the DNS you can install a
> >>>> package called "dnsmasq", and make these changes yourself in
> >>>> its config file.
> >>>>
> >>>> Oved
> >>>>>
> >>>>> _______________________________________________
> >>>>> Users mailing list
> >>>>> Users at ovirt.org
> >>>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>>>
> >>>
> >>
> >>
> 
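
The three DNS records listed in the quoted reply can be checked against a dnsmasq config before re-running engine-manage-domains. This is an added example, not part of the thread or of oVirt; the SRV labels `_ldap._tcp` and `_kerberos._tcp`, the host `ipa.local`, the address `192.0.2.10` and the ports are assumptions, and the reply's "LDAP kerberos record" is taken to mean the Kerberos SRV record.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: _ldap._tcp / _kerberos._tcp
# (the conventional SRV labels), host ipa.local, address 192.0.2.10.

# missing_records DOMAIN < dnsmasq.conf
# Prints one line per record kind from the quoted list that the config lacks.
# Only explicit srv-host= and ptr-record= lines are recognised; PTR records
# that dnsmasq derives from /etc/hosts or host-record= are not seen here.
missing_records() {
    awk -v dom="$1" '
        BEGIN { dom = tolower(dom) }                   # DNS names are case-insensitive
        { sub(/[ \t]*#.*$/, ""); line = tolower($0) }  # drop comments
        line ~ /^srv-host=/ {
            n = split(substr(line, 10), f, ",")
            if (n < 2 || f[2] == "") next              # SRV line without a target host
            if (f[1] == "_ldap._tcp." dom)     ldap[f[2]] = 1
            if (f[1] == "_kerberos._tcp." dom) krb = 1
        }
        line ~ /^ptr-record=/ {
            n = split(substr(line, 12), f, ",")
            if (n >= 2 && f[1] ~ /\.(in-addr|ip6)\.arpa$/) ptr[f[2]] = 1
        }
        END {
            have_ldap = 0; have_ptr = 0
            # The PTR must point at the same host the LDAP SRV record names.
            for (h in ldap) { have_ldap = 1; if (h in ptr) have_ptr = 1 }
            if (!have_ptr)  print "PTR record for the LDAP server"
            if (!have_ldap) print "LDAP SRV record"
            if (!krb)       print "Kerberos SRV record"
        }'
}

# Constructed sample config: the Kerberos line is left out on purpose.
sample_conf() {
    cat <<'EOF'
# /etc/dnsmasq.conf fragment (constructed for this example)
srv-host=_ldap._tcp.local,ipa.local,389
ptr-record=10.2.0.192.in-addr.arpa,ipa.local
EOF
}

# The engine log prints the domain upper-cased, so pass it that way here.
sample_conf | missing_records LOCAL
```

An empty result means all three records are present in the file; it does not show that the resolver used by the engine host actually serves them.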


