[Users] I don't know how to add AD users

Cristian Falcas cristi.falcas at gmail.com
Tue Nov 20 08:11:37 UTC 2012


On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim at redhat.com> wrote:

> On 11/20/2012 09:56 AM, Cristian Falcas wrote:
>
>> On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs at redhat.com> wrote:
>>
>>     On 11/20/2012 09:05 AM, Cristian Falcas wrote:
>>
>>         On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs at redhat.com> wrote:
>>
>>              On 11/20/2012 12:39 AM, Cristian Falcas wrote:
>>
>>                  On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim at redhat.com> wrote:
>>
>>                       On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
>>
>>                           On 11/19/2012 10:01 AM, Cristian Falcas wrote:
>>
>>                               Hi,
>>
>>                               I'm trying to add some users to ovirt using an AD.
>>
>>                               This is the configuration I used for a mediawiki site, which is
>>                               working correctly:
>>                               $wgAuth = new LdapAuthenticationPlugin();
>>                               $wgLDAPUseLocal = true;
>>                               $wgLDAPDomainNames = array( "a_domain");
>>                               $wgLDAPServerNames = array( "a_domain"=>"site.example.com");
>>                               $wgLDAPEncryptionType = array( "a_domain"=>"clear");
>>                               $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME");
>>                               $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com");
>>
>>                               Those are the commands I tried using:
>>                               engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive
>>
>>                               engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name at company.com -interactive
>>
>>                               engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name at site.example.com -interactive
>>
>>                           You don't add a user this way. You add the domain. You have to
>>                           pass the domain admin user and the domain admin password.
>>
>>
>>                       any domain user will do, doesn't have to be an admin.
>>                       what does the log say?
>>
>>
>>                           Then you can use the domain within the engine. e.g. search
>>                           users, add access rights for vms etc.
>>                           Even logging in to the engine and assigning rights within the
>>                           engine you can handle from the engine itself.
>>
>>                           Regards,
>>
>>                               And the output on all tries:
>>                               Enter password:
>>
>>                               Error: Authentication Failed. Please verify the fully
>>                               qualified domain name that is used for authentication is
>>                               correct..
>>                               Problematic domain is: domain_used_in_command
>>                               Failure while applying Kerberos configuration. Details:
>>                               Authentication Failed. Please verify the fully qualified
>>                               domain name that is used for authentication is correct.
>>
>>                               Can someone help me with the correct parameters?
>>
>>
>>                               Best regards,
>>                               Cristian Falcas
>>
>>
>>                               _______________________________________________
>>                               Users mailing list
>>                               Users at ovirt.org
>>                               http://lists.ovirt.org/mailman/listinfo/users
>>
>>
>>
>>                           --
>>                           Regards,
>>
>>                           Vinzenz Feenstra | Senior Software Engineer
>>                           RedHat Engineering Virtualization R & D
>>                           Phone: +420 532 294 625
>>         <tel:%2B420%20532%20294%20625> <tel:%2B420%20532%20294%20625>
>>                  <tel:%2B420%20532%20294%20625>
>>
>>                           IRC: vfeenstr or evilissimo
>>
>>                           Better technology. Faster innovation. Powered
>>         by community
>>                           collaboration.
>>                           See how it works at redhat.com
>>         <http://redhat.com> <http://redhat.com>
>>                  <http://redhat.com>
>>
>>
>>
>>
>>
>>
>>
>>
>>                  Hi,
>>
>>                  This is the command I used (the same error is with -interactive
>>                  parameter):
>>
>>                  engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name at a_domain -passwordFile=/tmp/pass
>>
>>                  [root at localhost ~]# cat /tmp/pass
>>                  qwerty[root at localhost ~]#
>>
>>                  This is the log:
>>
>>                  2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
>>                  2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
>>                  2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
>>                  2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
>>                  2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
>>
>>
>>              Hi, the error indicates you don't have kerberos configured.
>>              manage-domains validates by default using GSSAPI/Kerberos (if I
>>              understand correctly, this is equivalent to running ldapsearch
>>              with the -Y gssapi option).
>>              I wonder if -x (simple authentication) will work for you as well
>>              (as manage-domains contains code for simple authentication as
>>              well).
>>
>>
>>
>>                  This is the ldapsearch command that works (it retrieves users)
>>                  from the same machine:
>>
>>                  ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name at a_domain -w qwerty
>>
>>
>>                  Best regards,
>>                  Cristian Falcas
>>
>>
>>
>>
>>
>>
>>
>>         Hi,
>>
>>         I used "-x" for ldapsearch and the result is the same: list
>>         retrieved.
>>         Is there any equivalent for engine-manage-domains?
>>
>>         Cristian
>>
>>     Hi Cristian, there is no code allowing to add simple-authentication
>>     domains to Manage-Domains.
>>     In the past we did have the ability to do that, but there are
>>     several problematic issues.
>>     What ldap server are you working against? Maybe I missed that
>>
>>
>>
>>
>> Hi,
>>
>> The server is a Microsoft AD 2003.
>>
>> Best regards,
>> Cristian Falcas
>>
>
> this should work, is the AD also the DNS server for the ovirt engine
> machine?
>
>

yes
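The thread turns on two points: Yair's remark that engine-manage-domains validates the domain with a GSSAPI/Kerberos bind rather than a simple LDAP bind, and Itamar's question about whether the AD is also the DNS server. "Cannot locate KDC" is the Kerberos client failing to find a KDC for the realm it derived from the -domain value, which it does either from an explicit kdc entry in krb5.conf or from the _kerberos._tcp SRV records that an AD DNS zone publishes. The following is an added example, not oVirt's code and not the poster's; it simulates that lookup offline against a constructed krb5.conf and constructed SRV answers. The realm LAB.LOCAL, the hosts dc1/dc2/dc01/dc02, the dns_lookup_kdc handling and all function names are assumptions made for illustration.

```python
import re

# Constructed krb5.conf for illustration (not the original poster's file).
# LAB.LOCAL has its KDC pinned explicitly; EXAMPLE.COM relies on DNS SRV lookup.
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    LAB.LOCAL = {
        kdc = dc01.lab.local:88
        kdc = dc02.lab.local
    }

[domain_realm]
    .lab.local = LAB.LOCAL
    lab.local = LAB.LOCAL
"""

# Constructed SRV answers in `dig +short` form: "<priority> <weight> <port> <target>".
# An AD DNS zone publishes these for its DNS domain; a NetBIOS-style short name
# such as "a_domain" has no such records, so no KDC can be located for it.
DNS_SRV = {
    "_kerberos._tcp.example.com": ["10 100 88 dc2.example.com.",
                                   "0 100 88 dc1.example.com."],
    "_ldap._tcp.example.com": ["0 100 389 dc1.example.com."],
}

class KdcNotFound(Exception):
    """The client-side failure that surfaces as 'Cannot locate KDC'."""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section] headers, key = value lines and one
    level of { } blocks. Repeated keys (several kdc lines) become a list."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            continue  # stray line before any section header
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return conf

def realm_for_domain(conf, domain):
    """Map a DNS name to a realm via [domain_realm], longest suffix first.
    Last resort, as in MIT krb5: the upper-cased name, which is also how an
    AD forest names its realm."""
    mapping = conf.get("domain_realm", {})
    name = domain.lower()
    parts = name.split(".")
    for candidate in [name] + ["." + ".".join(parts[i:]) for i in range(len(parts))]:
        if candidate in mapping:
            return mapping[candidate][0]
    return name.upper()

def parse_srv(answers):
    """Order SRV answers as a client would: lowest priority, then highest weight."""
    rows = []
    for answer in answers:
        prio, weight, port, target = answer.split()
        rows.append((int(prio), -int(weight), target.rstrip("."), int(port)))
    return [(host, port) for _, _, host, port in sorted(rows)]

def locate_kdc(conf, realm, dns):
    """Explicit kdc = entries win; otherwise use _kerberos._tcp.<realm> SRV records
    when dns_lookup_kdc is on (the MIT default). Anything else cannot be located."""
    explicit = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if explicit:
        kdcs = []
        for entry in explicit:
            host, _, port = entry.partition(":")
            kdcs.append((host, int(port) if port else 88))
        return kdcs
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0].lower()
    if flag in ("true", "yes", "1"):
        answers = dns.get("_kerberos._tcp." + realm.lower())
        if answers:
            return parse_srv(answers)
    raise KdcNotFound("Cannot locate KDC for realm " + realm)

def check_domain(domain, conf_text=KRB5_CONF, dns=DNS_SRV):
    """Pre-flight for one -domain= value: the realm it maps to and the KDCs the
    Kerberos client would contact, or the error it would log instead."""
    conf = parse_krb5_conf(conf_text)
    realm = realm_for_domain(conf, domain)
    try:
        return {"domain": domain, "realm": realm, "ok": True,
                "kdcs": locate_kdc(conf, realm, dns)}
    except KdcNotFound as exc:
        return {"domain": domain, "realm": realm, "ok": False,
                "kdcs": [], "error": str(exc)}

if __name__ == "__main__":
    for name in ("example.com", "lab.local", "a_domain"):
        print(check_domain(name))
```

Run as a script, the short name a_domain fails with the same "Cannot locate KDC" text the log shows, while example.com resolves through the SRV records and lab.local through the pinned kdc lines. On a real engine host the equivalent live checks are an SRV query for _kerberos._tcp.<domain> against the resolver the engine actually uses, and a kinit as the domain user; the GSSAPI bind that manage-domains performs needs that ticket before the LDAP query even starts, which is why a simple-bind ldapsearch succeeding proves little about the Kerberos path.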
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20121120/96ced7c4/attachment-0001.html>

