[Users] I don't know how to add AD users

Yair Zaslavsky yzaslavs at redhat.com
Tue Nov 20 06:36:25 UTC 2012



On 11/20/2012 12:39 AM, Cristian Falcas wrote:
>
>
> On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim at redhat.com
> <mailto:iheim at redhat.com>> wrote:
>
>     On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
>
>         On 11/19/2012 10:01 AM, Cristian Falcas wrote:
>
>             Hi,
>
>             I'm trying to add some users to ovirt using an AD.
>
>             This is the configuration I used for a mediawiki site, which is
>             working correctly:
>             $wgAuth = new LdapAuthenticationPlugin();
>             $wgLDAPUseLocal = true;
>             $wgLDAPDomainNames = array( "a_domain");
>             $wgLDAPServerNames = array( "a_domain"=>"site.example.com");
>
>             $wgLDAPEncryptionType = array( "a_domain"=>"clear");
>             $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME");
>             $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com");
>
>             Those are the commands I tried using:
>             engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive
>
>             engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@company.com -interactive
>
>             engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example.com -interactive
>
>
>         You don't add a user this way. You add the domain. You have to
>         pass the domain admin user and the domain admin password.
>
>
>     any domain user will do, doesn't have to be an admin.
>     what does the log say?
>
>
>         Then you can use the domain within the engine, e.g. search users,
>         add access rights for VMs etc.
>         Even logging in to the engine and assigning rights within the engine
>         you can handle from the engine itself.
>
>         Regards,
>
>             And the output on all tries:
>             Enter password:
>
>             Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct..
>             Problematic domain is: domain_used_in_command
>             Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
>
>             Can someone help me with the correct parameters?
>
>
>             Best regards,
>             Cristian Falcas
>
>
>             _______________________________________________
>             Users mailing list
>             Users at ovirt.org
>             http://lists.ovirt.org/mailman/listinfo/users
>
>
>
>         --
>         Regards,
>
>         Vinzenz Feenstra | Senior Software Engineer
>         RedHat Engineering Virtualization R & D
>         Phone: +420 532 294 625
>         IRC: vfeenstr or evilissimo
>
>         Better technology. Faster innovation. Powered by community
>         collaboration.
>         See how it works at redhat.com
>
>
>
>
>
>
>
>
>
>
> Hi,
>
> This is the command I used (the same error occurs with the -interactive parameter):
>
> engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass
>
> [root at localhost ~]# cat /tmp/pass
> qwerty[root at localhost ~]#
>
> This is the log:
>
> 2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
> 2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
> 2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
> 2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
> 2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
>

Hi, the error indicates you don't have Kerberos configured.
manage-domains validates by default using GSSAPI/Kerberos (if I
understand correctly, this is equivalent to running ldapsearch with the
-Y gssapi option).
I wonder if -x (simple authentication) will work for you as well (as
manage-domains contains code for simple authentication as well).


> This is the ldapsearch command that works (it retrieves users) from the
> same machine:
>
> ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty
>
>
> Best regards,
> Cristian Falcas
>
>
>
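The reply above contrasts the GSSAPI/Kerberos bind that manage-domains uses by default with a simple bind, and the quoted log shows the Kerberos check failing on "Cannot locate KDC" before any bind happens. The script below is an added example, not code from the thread or from the oVirt project: it parses the quoted manage-domains log (re-joining lines that mail clients wrapped), pulls out the first ERROR record and maps it to the first thing to verify, and builds the two ldapsearch invocations so the bind password is read from a 0600 file (-y) instead of appearing in the command line (-w) or in a hand-made /tmp/pass. The log format, the hint table, the `kdc_srv_records` helper and its use of `dig` are assumptions based only on the lines quoted in the thread.

```python
"""Added example (not from the thread or the oVirt project): diagnose a
manage-domains log excerpt and build password-safe ldapsearch commands.
The log format (timestamp, level, [logger], message) and the hint table are
assumptions drawn only from the lines quoted in the thread."""
import os
import re
import shutil
import subprocess
import tempfile
from typing import Dict, List, Optional

# Log lines copied from the thread (example.com / user.name are the poster's own placeholders).
SAMPLE_LOG = """\
2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
"""

TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] (?P<msg>.*)$")

# Assumed mapping from error text seen in the thread to the first thing to verify.
HINTS = {
    "Cannot locate KDC": "Kerberos found no KDC for the realm: confirm that "
        "_kerberos._tcp.<domain> SRV records resolve from the engine host and that "
        "-domain is the fully qualified AD domain, not a NetBIOS name.",
    "Authentication Failed": "The bind was rejected: check that the user is given as "
        "user@REALM for the same realm named in -domain.",
}


def parse_manage_domains_log(text: str) -> List[Dict[str, str]]:
    """Re-join mail-wrapped lines (a record starts with a timestamp), then split fields."""
    joined: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line  # continuation of the previous record
    records = []
    for line in joined:
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def first_error(records: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    return next((r for r in records if r["level"] == "ERROR"), None)


def diagnose(text: str) -> Optional[str]:
    """Return the hint for the first ERROR record, or None if the log has no error."""
    err = first_error(parse_manage_domains_log(text))
    if err is None:
        return None
    for needle, hint in HINTS.items():
        if needle in err["msg"]:
            return hint
    return "Unrecognised error from %s: %s" % (err["logger"], err["msg"])


def write_password_file(password: str) -> str:
    """mkstemp creates the file 0600 with O_EXCL, so the secret is never world-readable.
    No trailing newline is written: ldapsearch -y uses the file bytes verbatim."""
    fd, path = tempfile.mkstemp(prefix="ldap-pw-")
    with os.fdopen(fd, "w") as f:
        f.write(password)
    return path


def password_file_is_private(path: str) -> bool:
    return (os.stat(path).st_mode & 0o777) == 0o600


def discard_password_file(path: str) -> None:
    os.unlink(path)


def ldapsearch_argv(uri: str, base: str, bind_dn: str = "", password_file: str = "",
                    gssapi: bool = False) -> List[str]:
    """Build the two bind styles the reply contrasts: SASL/GSSAPI (needs a Kerberos
    ticket and a reachable KDC) versus simple bind (-x) with the password read from a
    file (-y) rather than passed with -w, where the process list would show it."""
    argv = ["ldapsearch", "-H", uri, "-b", base]
    if gssapi:
        argv += ["-Y", "GSSAPI"]
    else:
        if not bind_dn or not password_file:
            raise ValueError("simple bind needs a bind DN and a password file")
        argv += ["-x", "-D", bind_dn, "-y", password_file]
    return argv + ["(objectClass=user)", "sAMAccountName"]


def kdc_srv_records(domain: str) -> Optional[List[str]]:
    """Look up the SRV records Kerberos uses to find a KDC; None if dig is unavailable."""
    if shutil.which("dig") is None:
        return None
    out = subprocess.run(["dig", "+short", "SRV", "_kerberos._tcp." + domain],
                         capture_output=True, text=True, check=False).stdout
    return [line for line in out.splitlines() if line.strip()]


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    pw = write_password_file("qwerty")
    print(" ".join(ldapsearch_argv("ldap://example.com", "dc=example,dc=com",
                                   "user.name@a_domain", pw)))
    print(" ".join(ldapsearch_argv("ldap://example.com", "dc=example,dc=com", gssapi=True)))
    discard_password_file(pw)
```

Run as a script it prints the KDC hint for the quoted log and the two ldapsearch command lines. The `-y` form is the simple-bind check from the thread with the password kept out of the argument vector and out of a world-readable /tmp file; the `-Y GSSAPI` form is what manage-domains effectively performs, and it can only succeed once `kdc_srv_records("example.com")` returns something, which is exactly what "Cannot locate KDC" says is missing.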


