[Users] I don't know how to add AD users
Cristian Falcas
cristi.falcas at gmail.com
Tue Nov 20 13:00:53 UTC 2012
Hi,
So there is no way to use the domain I have at work, right?
I will need to make a freeipa installation in order to add new users.
Cristian
On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas <cristi.falcas at gmail.com> wrote:
>
> On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim at redhat.com> wrote:
>
>> On 11/20/2012 09:56 AM, Cristian Falcas wrote:
>>
>>> On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs at redhat.com> wrote:
>>>
>>> On 11/20/2012 09:05 AM, Cristian Falcas wrote:
>>>
>>> On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs at redhat.com> wrote:
>>>
>>> On 11/20/2012 12:39 AM, Cristian Falcas wrote:
>>>
>>> On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim at redhat.com> wrote:
>>>
>>> On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
>>>
>>> On 11/19/2012 10:01 AM, Cristian Falcas wrote:
>>>
>>> Hi,
>>>
>>> I'm trying to add some users to ovirt using an AD.
>>>
>>> This is the configuration I used for a mediawiki site, which is
>>> working correctly:
>>> $wgAuth = new LdapAuthenticationPlugin();
>>> $wgLDAPUseLocal = true;
>>> $wgLDAPDomainNames = array( "a_domain");
>>> $wgLDAPServerNames = array( "a_domain"=>"site.example.com");
>>> $wgLDAPEncryptionType = array( "a_domain"=>"clear");
>>> $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME");
>>> $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com");
>>>
>>> Those are the commands I tried using:
>>> engine-manage-domains -action=add -domain=site.example.com
>>> -provider=ActiveDirectory -user=user.name -interactive
>>>
>>> engine-manage-domains -action=add -domain=a_domain
>>> -provider=ActiveDirectory -user=user.name at company.com -interactive
>>>
>>> engine-manage-domains -action=add -domain=a_domain
>>> -provider=ActiveDirectory -user=user.name at site.example.com -interactive
>>>
>>> You don't add a user this way. You add the domain. You have to pass the
>>> domain admin user and the domain admin password.
>>>
>>> any domain user will do, doesn't have to be an admin.
>>> what does the log say?
>>>
>>> Then you can use the domain within the engine. e.g. search users, add
>>> access rights for vms etc.
>>> Even login to the engine and assigning rights within the engine you can
>>> handle from the engine itself.
>>>
>>> Regards,
>>>
>>> And the output on all tries:
>>> Enter password:
>>>
>>> Error: Authentication Failed. Please verify the fully qualified domain
>>> name that is used for authentication is correct.. Problematic domain
>>> is: domain_used_in_command
>>> Failure while applying Kerberos configuration. Details: Authentication
>>> Failed. Please verify the fully qualified domain name that is used for
>>> authentication is correct.
>>>
>>> Can someone help me with the correct parameters?
>>>
>>> Best regards,
>>> Cristian Falcas
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>>> --
>>> Regards,
>>>
>>> Vinzenz Feenstra | Senior Software Engineer
>>> RedHat Engineering Virtualization R & D
>>> Phone: +420 532 294 625
>>> IRC: vfeenstr or evilissimo
>>>
>>> Better technology. Faster innovation. Powered by community collaboration.
>>> See how it works at redhat.com
>>>
>>> Hi,
>>>
>>> This is the command I used (the same error is with -interactive
>>> parameter):
>>>
>>> engine-manage-domains -action=add -domain=example.com
>>> -provider=ActiveDirectory -user=user.name at a_domain
>>> -passwordFile=/tmp/pass
>>>
>>> [root at localhost ~]# cat /tmp/pass
>>> qwerty[root at localhost ~]#
>>>
>>> This is the log:
>>>
>>> 2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
>>> 2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
>>> 2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
>>> 2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
>>> 2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
>>>
>>> Hi, the error indicates you don't have kerberos configured.
>>> manage-domains validates by default using GSSAPI/Kerberos (if I
>>> understand correctly, this is equivalent to run ldapsearch with -Y
>>> gssapi option).
>>> I wonder if -x (simple authentication) will work for you as well (as
>>> manage-domains contains code for simple authentication as well).
>>>
>>> This is the ldapsearch command that works (it retrieves users) from the
>>> same machine:
>>>
>>> ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name at a_domain -w qwerty
>>>
>>> Best regards,
>>> Cristian Falcas
>>>
>>> Hi,
>>>
>>> I used "-x" for ldapsearch and the result is the same: list retrieved.
>>> Is there any equivalent for engine-manage-domains?
>>>
>>> Cristian
>>>
>>> Hi Cristian, there is no code allowing to add simple-authentication
>>> domains to Manage-Domains.
>>> In the past we did have the ability to do that, but there are
>>> several problematic issues.
>>> What ldap server are you working against? Maybe I missed that
>>>
>>> Hi,
>>>
>>> The server is a Microsoft AD 2003.
>>>
>>> Best regards,
>>> Cristian Falcas
>>>
>>
>> this should work, is the AD also the DNS server for the ovirt engine
>> machine?
>>
>>
>
> yes
>
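
The "Cannot locate KDC" error in the quoted log, together with the question about whether the AD server is also the DNS server for the engine machine, points at DNS-based KDC discovery. The script below is an added example, not part of the original thread or of oVirt; it assumes the Kerberos client finds its KDC and LDAP servers through _kerberos._tcp and _ldap._tcp SRV records, and the dc1/dc2/dc3 host names in the sample are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): list the SRV records used to locate a
# KDC and LDAP server for a domain. Assumes discovery via DNS SRV lookups.

# srv_names DOMAIN: print the SRV owner names to query, one per line.
srv_names() {
    printf '_kerberos._tcp.%s\n_ldap._tcp.%s\n' "$1" "$1"
}

# parse_srv: read `dig +short SRV` output on stdin ("priority weight port
# target."), drop anything else (e.g. resolver error lines), and print
# "target:port" ordered by priority (lowest first), then weight (highest first).
parse_srv() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             sub(/\.$/, "", $4); print $1, $2, $4 ":" $3
         }' | sort -k1,1n -k2,2nr | awk '{ print $3 }'
}

# check_domain DOMAIN: query each SRV name with dig; return 1 if any is empty.
check_domain() {
    rc=0
    for name in $(srv_names "$1"); do
        targets=$(dig +short SRV "$name" 2>/dev/null | parse_srv | tr '\n' ' ')
        if [ -z "$targets" ]; then
            echo "MISSING $name"
            rc=1
        else
            echo "OK      $name -> $targets"
        fi
    done
    return "$rc"
}

# Constructed sample of `dig +short SRV _kerberos._tcp.example.com` output,
# including a resolver error line that must be ignored.
SAMPLE_SRV='0 100 88 dc2.example.com.
10 100 88 dc3.example.com.
;; connection timed out; no servers could be reached
0 200 88 dc1.example.com.'

# Run against a real domain only when one is given: ./check_srv.sh example.com
if [ "$#" -gt 0 ]; then
    check_domain "$1"
fi
```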