[Users] engine-manage-domains can't add user , domain

T-Sinjon tscbj1989 at gmail.com
Tue May 15 06:24:20 UTC 2012


The help info looks like this:

[root@ovirt-engine ~]# engine-manage-domains
engine-manage-domains: add/edit/delete/validate/list domains
USAGE:
	engine-manage-domains -action=ACTION [-domain=DOMAIN -user=USER -passwordFile=PASSWORD_FILE -interactive -configFile=PATH] -report
Where:
	ACTION             action to perform (add/edit/delete/validate/list). See details below.
	DOMAIN             	(mandatory for add, edit and delete) the domain you wish to perform the action on.
	USER   			 (optional for edit, mandatory for add) the domain user.
	PASSWORD_FILE   		 (optional for edit, mandatory for add) a file containing the password in the first line.
	interactive        alternative for using -passwordFile - read the password interactively.
	PATH               (optional) use the given alternate configuration file.

	Available actions:
	add
	Examples:
		-action=add -domain=example.com -user=admin -passwordFile=/tmp/.pwd
			Add a domain called example.com, using user admin and read the password from /tmp/.pwd.
		-action=edit -domain=example.com -passwordFile=/tmp/.new_password
			Edit the domain example.com, using another password file.
		-action=delete -domain=example.com
			Delete the domain example.com.
		-action=validate
			Validate the current configuration (go over all the domains, try to authenticate to each domain using the configured user/password.).
		-report In combination with -action=validate will report all validation error, if occured.
			Default behaviour is to exit when a validation error occurs.
		-action=list
			Lists the current configuration.
		-h
			Show this help.

On 15 May, 2012, at 2:22 PM, Yair Zaslavsky wrote:

> On 05/15/2012 09:17 AM, T-Sinjon wrote:
>> Oved:
>> 1. Yes, I used RPMs
>> 
>> ovirt-engine-restapi-3.0.0_0001-1.6.fc16.x86_64
>> ovirt-engine-dbscripts-3.0.0_0001-1.6.fc16.x86_64
>> ovirt-engine-notification-service-3.0.0_0001-1.6.fc16.x86_64
>> ovirt-engine-backend-3.0.0_0001-1.6.fc16.x86_64
>> ovirt-engine-jboss-deps-3.0.0_0001-1.6.fc16.x86_64
>> ovirt-engine-config-3.0.0_0001-1.6.fc16.x86_64
>> ovirt-engine-webadmin-portal-3.0.0_0001-1.6.fc16.x86_64
>> ovirt-engine-sdk-1.3-1.fc16.noarch
>> ovirt-engine-jbossas-1.2-2.fc16.x86_64
>> ovirt-engine-iso-uploader-3.0.0_0001-1.6.fc16.x86_64
>> ovirt-engine-setup-3.0.0_0001-1.6.fc16.x86_64
>> ovirt-engine-userportal-3.0.0_0001-1.6.fc16.x86_64
>> ovirt-node-2.2.2-2.fc16.noarch
>> ovirt-engine-genericapi-3.0.0_0001-1.6.fc16.x86_64
>> ovirt-engine-tools-common-3.0.0_0001-1.6.fc16.x86_64
>> ovirt-node-tools-2.2.2-2.fc16.noarch
>> ovirt-engine-log-collector-3.0.0_0001-1.6.fc16.x86_64
>> ovirt-engine-3.0.0_0001-1.6.fc16.x86_64
>> 
>> 2. They are the same whether I use single quotes or not
>> 
>> [root@ovirt-engine ~]# engine-manage-domains -action=add -domain=local -user=tsinjon -passwordFile=/root/tsinjon 
>> No user in Directory was found for tsinjon@LOCAL. Trying next LDAP server in list
>> Failure while testing domain local. Details: No user information was found for user
> 
> When you run engine-manage-domains without parameters, what do you get?
> 
>> 
>> On 15 May, 2012, at 1:47 PM, Oved Ourfalli wrote:
>> 
>>> 
>>> 
>>> ----- Original Message -----
>>>> From: "Yair Zaslavsky" <yzaslavs at redhat.com>
>>>> To: "Oved Ourfalli" <ovedo at redhat.com>
>>>> Cc: "T-Sinjon" <tscbj1989 at gmail.com>, users at ovirt.org
>>>> Sent: Tuesday, May 15, 2012 8:48:26 AM
>>>> Subject: Re: [Users] engine-manage-domains can't add user , domain
>>>> 
>>>> On 05/15/2012 08:35 AM, Oved Ourfalli wrote:
>>>>> 
>>>>> 
>>>>> ----- Original Message -----
>>>>>> From: "T-Sinjon" <tscbj1989 at gmail.com>
>>>>>> To: "Oved Ourfalli" <ovedo at redhat.com>
>>>>>> Cc: users at ovirt.org
>>>>>> Sent: Tuesday, May 15, 2012 5:53:16 AM
>>>>>> Subject: Re: [Users] engine-manage-domains can't add user , domain
>>>>>> 
>>>>>> After using kinit to log in as tsinjon, the error changes to the
>>>>>> following. Why did this happen?
>>>>>> 
>>>>>> [root@ovirt-engine ~]# engine-manage-domains -action=add
>>>>>> -domain='local' -user='tsinjon' -interactive
>>>>>> Enter password:
>>>>>> 
>>>>>> No user in Directory was found for tsinjon@LOCAL. Trying next LDAP
>>>>>> server in list
>>>>>> Failure while testing domain local. Details: No user information
>>>>>> was
>>>>>> found for user
>>>>>> 
>>>>> Can't see why kinit matters here, but looking at your command I
>>>>> noticed you used single quotes for the user and domain name.
>>>>> I'm not sure it knows to handle this correctly.
>>>>> Did you try without the quotes?
>>>>> 
>>>>> Also, what version are you working with?
>>>>> We had a problem a few weeks ago, of identifying the correct ldap
>>>>> provider. To fix that we added an option to specify the ldap
>>>>> provider type. It determines which query will be used in order to
>>>>> get the user details.
>>>>> 
>>>>> cc-ing Roy, who added this. iirc it is mandatory to provide this
>>>>> option, so you probably don't have this option in your
>>>>> environment.
>>>>> Roy - is there an upstream release with this fix?
>>>> 
>>>> Oved - this was merged upstream.
>>>> T-Sinjon - have you cloned the git repo and compiled or are you using
>>>> RPMs?
>>>> 
>>> Yair - he is probably using the RPMs, as it is harder to run the utility from the git repo.
>>>> 
>>>>> 
>>>>> Regards,
>>>>> Oved
>>>>>> On 15 May, 2012, at 10:47 AM, T-Sinjon wrote:
>>>>>> 
>>>>>>> 
>>>>>>> I have added that SRV info to my zone file, and it did go;
>>>>>>> the log looks fine, but engine-manage-domains still returns
>>>>>>> an error
>>>>>>> 
>>>>>>> 2012-05-15 10:45:19,222 INFO
>>>>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
>>>>>>> kerberos configuration for domain(s): local
>>>>>>> 2012-05-15 10:45:19,258 INFO
>>>>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains]
>>>>>>> Successfully
>>>>>>> created kerberos configuration for domain(s): local
>>>>>>> 2012-05-15 10:45:19,259 INFO
>>>>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing
>>>>>>> kerberos configuration for domain: local
>>>>>>> 
>>>>>>> [root@ovirt-engine ~]# engine-manage-domains -action=add
>>>>>>> -domain='local' -user='tsinjon' -interactive
>>>>>>> Enter password:
>>>>>>> 
>>>>>>> Error:  exception message: Integrity check on decrypted field
>>>>>>> failed (31) - PREAUTH_FAILED
>>>>>>> Failure while testing domain local. Details: Kerberos error.
>>>>>>> Please
>>>>>>> check log for further details.
>>>>>>> 
>>>>>>> 
>>>>>>> On 14 May, 2012, at 10:12 PM, Oved Ourfalli wrote:
>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "T-Sinjon" <tscbj1989 at gmail.com>
>>>>>>>>> To: users at ovirt.org
>>>>>>>>> Sent: Monday, May 14, 2012 5:07:46 PM
>>>>>>>>> Subject: [Users] engine-manage-domains can't add user , domain
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> I use FreeIPA to authenticate users. ipa user-add has no
>>>>>>>>> problem,
>>>>>>>>> but when I do:
>>>>>>>>> 
>>>>>>>>> [root@ovirt-engine ~]# engine-manage-domains -action=add
>>>>>>>>> -domain='local' -user='tsinjon' -interactive
>>>>>>>>> 
>>>>>>>>> Error: Authentication Failed. Please verify the fully qualified
>>>>>>>>> domain name that is used for authentication is correct..
>>>>>>>>> Problematic
>>>>>>>>> domain is: local
>>>>>>>>> Failure while applying Kerberos configuration. Details:
>>>>>>>>> Authentication Failed. Please verify the fully qualified domain
>>>>>>>>> name
>>>>>>>>> that is used for authentication is correct.
>>>>>>>>> 
>>>>>>>>> and log from engine-manage-domains.log :
>>>>>>>>> 
>>>>>>>>> 2012-05-14 21:58:47,892 INFO
>>>>>>>>> [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating
>>>>>>>>> kerberos configuration for domain(s): local
>>>>>>>>> 2012-05-14 21:58:47,923 ERROR
>>>>>>>>> [org.ovirt.engine.core.dns.DnsSRVLocator] Error in getting SRV
>>>>>>>>> list
>>>>>>>>> for protocol _tcp and domain LOCAL Exception message is DNS
>>>>>>>>> name
>>>>>>>>> not
>>>>>>>>> found [response code 3]
>>>>>>>>> 
>>>>>>>>> My domain is 'local', like ovirt-engine.local,
>>>>>>>>> ovirt-node-1.local,
>>>>>>>>> etc.
>>>>>>>>> 
>>>>>>>>> What can I do to get through it?
>>>>>>>>> 
>>>>>>>> The utility (and also the ovirt engine) are relying on DNS SRV
>>>>>>>> records in order to find LDAP and kerberos servers (supporting
>>>>>>>> Active directory, IPA or RHDS).
>>>>>>>> So, in order to work with it you must have the following in the
>>>>>>>> DNS
>>>>>>>> 1. PTR record for your LDAP server
>>>>>>>> 2. LDAP SRV record for your LDAP server
>>>>>>>> 3. LDAP kerberos record for your LDAP server
>>>>>>>> 
>>>>>>>> If you don't really have access to the DNS you can install a
>>>>>>>> package called "dnsmasq", and perform these changes yourself
>>>>>>>> in
>>>>>>>> its config file.
>>>>>>>> 
>>>>>>>> Oved
>>>>>>>>> 
>>>>>>>>> _______________________________________________
>>>>>>>>> Users mailing list
>>>>>>>>> Users at ovirt.org
>>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> 
>> 
> 
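
The DNS prerequisites listed earlier in the thread (a PTR record, an LDAP SRV record and a Kerberos SRV record for the directory server), as an added example that is not part of the original messages or of oVirt's code: an offline check of zone data for those records. The SRV owner names `_ldap._tcp.<domain>` and `_kerberos._tcp.<domain>` are an assumption, and the host name `ipa.local` and the address are constructed sample values.

```python
# Added example: offline check of the DNS records the thread says are required.
# SRV owner names are an assumption; hostnames and addresses are constructed.
SAMPLE_ZONE = """\
_ldap._tcp.local.        86400 IN SRV 0 100 389 ipa.local.
_kerberos._tcp.local.    86400 IN SRV 0 100 88  ipa.local.
ipa.local.               86400 IN A   192.0.2.10
10.2.0.192.in-addr.arpa. 86400 IN PTR ipa.local.
"""

SERVICES = ("_ldap._tcp.", "_kerberos._tcp.")  # assumed names, not from the thread


def parse_zone(text):
    """Return (owner, type, rdata_fields) for each 'name ttl IN type rdata' line."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        if len(fields) >= 5 and fields[2].upper() == "IN":
            records.append((fields[0].lower(), fields[3].upper(), fields[4:]))
    return records


def reverse_name(ipv4):
    """192.0.2.10 -> 10.2.0.192.in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."


def check_domain(zone_text, domain):
    """List missing prerequisites: SRV per service, A and matching PTR per target."""
    recs = parse_zone(zone_text)
    domain = domain.lower().rstrip(".") + "."
    problems = set()
    for service in SERVICES:
        owner = service + domain
        srvs = [r for r in recs if r[0] == owner and r[1] == "SRV" and len(r[2]) == 4]
        if not srvs:
            problems.add(f"missing SRV {owner}")
        for _, _, (_prio, _weight, _port, target) in srvs:
            target = target.lower()
            addrs = [r[2][0] for r in recs if r[0] == target and r[1] == "A"]
            if not addrs:
                problems.add(f"no A record for SRV target {target}")
            for addr in addrs:
                rev = reverse_name(addr)
                ptrs = [r[2][0].lower() for r in recs if r[0] == rev and r[1] == "PTR"]
                if target not in ptrs:
                    problems.add(f"no PTR {rev} -> {target}")
    return sorted(problems)


if __name__ == "__main__":
    print(check_domain(SAMPLE_ZONE, "LOCAL") or "all prerequisite records present")
```
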



