[Users] I don't know how to add AD users

Cristian Falcas cristi.falcas at gmail.com
Tue Nov 20 07:56:59 UTC 2012


On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs at redhat.com> wrote:

>
> On 11/20/2012 09:05 AM, Cristian Falcas wrote:
>
>> On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs at redhat.com> wrote:
>>
>>     On 11/20/2012 12:39 AM, Cristian Falcas wrote:
>>
>>         On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim at redhat.com> wrote:
>>
>>              On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
>>
>>                  On 11/19/2012 10:01 AM, Cristian Falcas wrote:
>>
>>                      Hi,
>>
>>                      I'm trying to add some users to ovirt using an AD.
>>
>>                      This is the configuration I used for a mediawiki site, which is
>>                      working correctly:
>>                      $wgAuth = new LdapAuthenticationPlugin();
>>                      $wgLDAPUseLocal = true;
>>                      $wgLDAPDomainNames = array( "a_domain");
>>                      $wgLDAPServerNames = array( "a_domain"=>"site.example.com");
>>                      $wgLDAPEncryptionType = array( "a_domain"=>"clear");
>>                      $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME");
>>                      $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com");
>>
>>
>>
>>                      Those are the commands I tried using:
>>                      engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive
>>
>>                      engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@company.com -interactive
>>
>>                      engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example.com -interactive
>>
>>
>>                  You don't add a user this way. You add the domain. You have to pass the
>>                  domain admin user and the domain admin password.
>>
>>              any domain user will do, doesn't have to be an admin.
>>              what does the log say?
>>
>>                  Then you can use the domain within the engine. e.g. search users, add
>>                  access rights for vms etc.
>>                  Even login to the engine and assigning rights within the engine you can
>>                  handle from the engine itself.
>>
>>                  Regards,
>>
>>                      And the output on all tries:
>>                      Enter password:
>>
>>                      Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command
>>                      Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
>>
>>                      Can someone help me with the correct parameters?
>>
>>
>>                      Best regards,
>>                      Cristian Falcas
>>
>>
>>                      _______________________________________________
>>                      Users mailing list
>>                      Users at ovirt.org
>>                      http://lists.ovirt.org/mailman/listinfo/users
>>
>>
>>
>>                  --
>>                  Regards,
>>
>>                  Vinzenz Feenstra | Senior Software Engineer
>>                  RedHat Engineering Virtualization R & D
>>                  Phone: +420 532 294 625
>>                  IRC: vfeenstr or evilissimo
>>
>>                  Better technology. Faster innovation. Powered by community
>>                  collaboration.
>>                  See how it works at redhat.com
>>
>>
>>         Hi,
>>
>>         This is the command I used (the same error is with -interactive
>>         parameter):
>>
>>         engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass
>>
>>         [root@localhost ~]# cat /tmp/pass
>>         qwerty[root@localhost ~]#
>>
>>         This is the log:
>>
>>         2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
>>         2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
>>         2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
>>         2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
>>         2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
>>
>>
>>     Hi, the error indicates you don't have kerberos configured.
>>     manage-domains validates by default using GSSAPI/Kerberos (if I
>>     understand correctly, this is equivalent to run ldapsearch with -Y
>>     gssapi option).
>>     I wonder if -x (simple authentication) will work for you as well (as
>>     manage-domains contains code for simple authentication as well).
>>
>>
>>
>>         This is the ldapsearch command that works (it retrieves users) from the
>>         same machine:
>>
>>         ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty
>>
>>
>>         Best regards,
>>         Cristian Falcas
>>
>>
>> Hi,
>>
>> I used "-x" for ldapsearch and the result is the same: list retrieved.
>> Is there any equivalent for engine-manage-domains?
>>
>> Cristian
>>
> Hi Christian, there is no code allowing to add simple-authentication
> domains to Manage-Domains.
> In the past we did have the ability to do that, but there are several
> problematic issues.
> What ldap server are you working against? Maybe I missed that
>
>
>

Hi,

The server is a Microsoft AD 2003.

Best regards,
Cristian Falcas
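
A pre-flight check for the "Cannot locate KDC" failure discussed in this thread, as an added example that is not part of any poster's message or of oVirt's own code. It assumes the KDC is discovered through DNS SRV records (`_kerberos._tcp.<domain>`) and that `dig`, `kinit` and an `ldapsearch` with SASL GSSAPI support are installed; the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: verify that a domain is usable for GSSAPI/Kerberos binds
# before passing it to engine-manage-domains -domain=...
# Assumption: KDC and LDAP servers are located through DNS SRV records.

# By convention the Kerberos realm of an AD domain is its upper-cased DNS name.
realm_for() { printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'; }

# Read `dig +short SRV` answers ("prio weight port target.") on stdin and print
# "host:port" lines, lowest priority value first. Anything else is dropped.
srv_targets() {
  awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $1, $4 ":" $3 }' |
    sort -n | cut -d' ' -f2
}

# Classify the discovery result: empty list means nothing to contact.
kdc_status() {   # $1 = output of srv_targets for _kerberos._tcp
  if [ -z "$1" ]; then echo "no-kdc-srv"; else echo "kdc-found"; fi
}

check_domain() {   # $1 = DNS domain (FQDN), $2 = user name without realm
  local domain=$1 user=$2 realm kdcs ldaps
  realm=$(realm_for "$domain")
  kdcs=$(dig +short SRV "_kerberos._tcp.$domain" | srv_targets)
  if [ "$(kdc_status "$kdcs")" = "no-kdc-srv" ]; then
    echo "No _kerberos._tcp SRV records for $domain;" \
         "a likely cause of 'Cannot locate KDC'" >&2
    return 1
  fi
  ldaps=$(dig +short SRV "_ldap._tcp.$domain" | srv_targets)
  [ -n "$ldaps" ] || { echo "No _ldap._tcp SRV records for $domain" >&2; return 1; }
  echo "KDC candidates:";  echo "$kdcs"
  echo "LDAP candidates:"; echo "$ldaps"
  # Get a ticket, then bind with GSSAPI (-Y GSSAPI) instead of a simple bind (-x).
  kinit "$user@$realm" || return 2
  ldapsearch -Y GSSAPI -H "ldap://${ldaps%%:*}" -b "" -s base defaultNamingContext
}

# Live checks run only when called as: ./script example.com user.name
if [ "$#" -eq 2 ]; then check_domain "$1" "$2"; fi
```

A simple bind that succeeds, as with the `ldapsearch -D ... -w` command in the thread, says nothing about these records, which is why both results can hold at once.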