[Users] I don't know how to add AD users

Cristian Falcas cristi.falcas at gmail.com
Tue Nov 20 07:05:23 UTC 2012


On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs at redhat.com> wrote:

>
>
> On 11/20/2012 12:39 AM, Cristian Falcas wrote:
>
>>
>>
>> On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim at redhat.com> wrote:
>>
>>     On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
>>
>>         On 11/19/2012 10:01 AM, Cristian Falcas wrote:
>>
>>             Hi,
>>
>>             I'm trying to add some users to ovirt using an AD.
>>
>>             This is the configuration I used for a mediawiki site, which is
>>             working correctly:
>>             $wgAuth = new LdapAuthenticationPlugin();
>>             $wgLDAPUseLocal = true;
>>             $wgLDAPDomainNames = array( "a_domain");
>>             $wgLDAPServerNames = array( "a_domain"=>"site.example.com");
>>
>>             $wgLDAPEncryptionType = array( "a_domain"=>"clear");
>>             $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME");
>>             $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com");
>>
>>
>>             Those are the commands I tried using:
>>             engine-manage-domains -action=add -domain=site.example.com
>>             -provider=ActiveDirectory -user=user.name -interactive
>>
>>             engine-manage-domains -action=add -domain=a_domain
>>             -provider=ActiveDirectory -user=user.name@company.com -interactive
>>
>>             engine-manage-domains -action=add -domain=a_domain
>>             -provider=ActiveDirectory -user=user.name@site.example.com -interactive
>>
>>
>>         You don't add a user this way. You add the domain. You have to
>>         pass the domain admin user and the domain admin password.
>>
>>
>>     any domain user will do, doesn't have to be an admin.
>>     what does the log say?
>>
>>
>>         Then you can use the domain within the engine. e.g. search
>>         users, add access rights for vms etc.
>>         Even login to the engine and assigning rights within the engine
>>         you can handle from the engine itself.
>>
>>         Regards,
>>
>>             And the output on all tries:
>>             Enter password:
>>
>>             Error: Authentication Failed. Please verify the fully qualified domain
>>             name that is used for authentication is correct.. Problematic domain
>>             is: domain_used_in_command
>>             Failure while applying Kerberos configuration. Details: Authentication
>>             Failed. Please verify the fully qualified domain name that is used for
>>             authentication is correct.
>>
>>             Can someone help me with the correct parameters?
>>
>>
>>             Best regards,
>>             Cristian Falcas
>>
>>
>>             _______________________________________________
>>             Users mailing list
>>             Users at ovirt.org
>>             http://lists.ovirt.org/mailman/listinfo/users
>>
>>
>>
>>         --
>>         Regards,
>>
>>         Vinzenz Feenstra | Senior Software Engineer
>>         RedHat Engineering Virtualization R & D
>>         Phone: +420 532 294 625
>>
>>         IRC: vfeenstr or evilissimo
>>
>>         Better technology. Faster innovation. Powered by community
>>         collaboration.
>>         See how it works at redhat.com
>>
>>
>> Hi,
>>
>> This is the command I used (the same error is with -interactive
>> parameter):
>>
>> engine-manage-domains -action=add -domain=example.com
>> -provider=ActiveDirectory -user=user.name@a_domain
>> -passwordFile=/tmp/pass
>>
>> [root@localhost ~]# cat /tmp/pass
>> qwerty[root@localhost ~]#
>>
>> This is the log:
>>
>> 2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
>> 2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
>> 2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
>> 2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
>> 2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
>>
>>
> Hi, the error indicates you don't have Kerberos configured.
> manage-domains validates by default using GSSAPI/Kerberos (if I understand
> correctly, this is equivalent to running ldapsearch with the -Y gssapi option).
> I wonder if -x (simple authentication) will work for you as well (as
> manage-domains contains code for simple authentication as well).
>
>
>
>> This is the ldapsearch command that works (it retrieves users) from the
>> same machine:
>>
>> ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty
>>
>>
>> Best regards,
>> Cristian Falcas
>>


Hi,

I used "-x" for ldapsearch and the result is the same: list retrieved. Is
there any equivalent for engine-manage-domains?

Cristian.