[Users] I don't know how to add AD users

Itamar Heim iheim at redhat.com
Tue Nov 20 13:08:26 UTC 2012


On 11/20/2012 03:00 PM, Cristian Falcas wrote:
> Hi,
>
> So there is no way to use the domain I have at work, right?
>
> I will need to make a freeipa installation in order to add new users.

There is no reason this shouldn't work with Active Directory 2003 
(assuming its forest level isn't still in AD 2000 compatibility mode?).
tcpdump of the traffic during engine-manage-domains should help 
diagnose why.

>
> Cristian
>
>
> On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas
> <cristi.falcas at gmail.com> wrote:
>
>     On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim at redhat.com> wrote:
>
>         On 11/20/2012 09:56 AM, Cristian Falcas wrote:
>
>             On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky
>             <yzaslavs at redhat.com> wrote:
>
>                 On 11/20/2012 09:05 AM, Cristian Falcas wrote:
>
>                     On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky
>                     <yzaslavs at redhat.com> wrote:
>
>                         On 11/20/2012 12:39 AM, Cristian Falcas wrote:
>
>                             On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim
>                             <iheim at redhat.com> wrote:
>
>                                 On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
>
>                                     On 11/19/2012 10:01 AM, Cristian Falcas wrote:
>
>                                         Hi,
>
>                                         I'm trying to add some users to ovirt
>                                         using an AD.
>
>                                         This is the configuration I used for a
>                                         mediawiki site, which is working correctly:
>                                         $wgAuth = new LdapAuthenticationPlugin();
>                                         $wgLDAPUseLocal = true;
>                                         $wgLDAPDomainNames = array( "a_domain");
>                                         $wgLDAPServerNames = array(
>                                         "a_domain"=>"site.example.com");
>                                         $wgLDAPEncryptionType = array(
>                                         "a_domain"=>"clear");
>                                         $wgLDAPSearchStrings = array(
>                                         "a_domain"=>"rom_domain\\USER-NAME");
>                                         $wgLDAPBaseDNs = array(
>                                         "a_domain"=>"dc=company,dc=com");
>
>                                         Those are the commands I tried using:
>                                         engine-manage-domains -action=add
>                                         -domain=site.example.com
>                                         -provider=ActiveDirectory
>                                         -user=user.name -interactive
>
>                                         engine-manage-domains -action=add
>                                         -domain=a_domain
>                                         -provider=ActiveDirectory
>                                         -user=user.name at company.com -interactive
>
>                                         engine-manage-domains -action=add
>                                         -domain=a_domain
>                                         -provider=ActiveDirectory
>                                         -user=user.name at site.example.com -interactive
>
>                                     You don't add an user this way. You add the
>                                     domain. You have to pass the domain admin user
>                                     and the domain admin password.
>
>                                 any domain user will do, doesn't have to be an admin.
>                                 what does the log say?
>
>                                     Then you can use the domain within the engine.
>                                     e.g. search users, add access rights for vms etc.
>                                     Even login to the engine and assigning rights
>                                     within the engine you can handle from the engine
>                                     itself.
>
>                                     Regards,
>
>                                         And the output on all tries:
>                                         Enter password:
>
>                                         Error: Authentication Failed. Please verify
>                                         the fully qualified domain name that is used
>                                         for authentication is correct..
>                                         Problematic domain is: domain_used_in_command
>                                         Failure while applying Kerberos configuration.
>                                         Details: Authentication Failed. Please verify
>                                         the fully qualified domain name that is used
>                                         for authentication is correct.
>
>                                         Can someone help me with the correct
>                                         parameters?
>
>                                         Best regards,
>                                         Cristian Falcas
>
>                                         _______________________________________________________
>                                         Users mailing list
>                                         Users at ovirt.org
>                                         http://lists.ovirt.org/mailman/listinfo/users
>
>                                     --
>                                     Regards,
>
>                                     Vinzenz Feenstra | Senior Software Engineer
>                                     RedHat Engineering Virtualization R & D
>                                     Phone: +420 532 294 625
>                                     IRC: vfeenstr or evilissimo
>
>                                     Better technology. Faster innovation. Powered
>                                     by community collaboration.
>                                     See how it works at redhat.com
>
>                             Hi,
>
>                             This is the command I used (the same error is with
>                             -interactive parameter):
>
>                             engine-manage-domains -action=add -domain=example.com
>                             -provider=ActiveDirectory -user=user.name at a_domain
>                             -passwordFile=/tmp/pass
>
>                             [root at localhost ~]# cat /tmp/pass
>                             qwerty[root at localhost ~]#
>
>                             This is the log:
>
>                             2012-11-20 00:30:40,443 INFO
>                             [org.ovirt.engine.core.utils.kerberos.ManageDomains]
>                             Creating kerberos configuration for domain(s): example.com
>                             2012-11-20 00:30:40,525 INFO
>                             [org.ovirt.engine.core.utils.kerberos.ManageDomains]
>                             Successfully created kerberos configuration for domain(s):
>                             example.com
>                             2012-11-20 00:30:40,526 INFO
>                             [org.ovirt.engine.core.utils.kerberos.ManageDomains]
>                             Testing kerberos configuration for domain: example.com
>                             2012-11-20 00:30:40,830 ERROR
>                             [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck]
>                             Error: exception message: Cannot locate KDC
>                             2012-11-20 00:30:40,851 ERROR
>                             [org.ovirt.engine.core.utils.kerberos.ManageDomains]
>                             Failure while testing domain example.com. Details: Kerberos
>                             error. Please check log for further details.
>
>                         Hi, the error indicates you don't have kerberos configured.
>                         manage-domains validates by default using GSSAPI/Kerberos (if I
>                         understand correctly, this is equivalent to run ldapsearch
>                         with -Y gssapi option).
>                         I wonder if -x (simple authentication) will work for you as
>                         well (as manage-domains contains code for simple
>                         authentication as well).
>
>                             This is the ldapsearch command that works (it retrieves
>                             users) from the same machine:
>
>                             ldapsearch -H ldap://example.com -b dc=example,dc=com
>                             -D user.name at a_domain -w qwerty
>
>                             Best regards,
>                             Cristian Falcas
>
>                     Hi,
>
>                     I used "-x" for ldapsearch and the result is the same: list
>                     retrieved.
>                     Is there any equivalent for engine-manage-domains?
>
>                     Cristian
>
>                 Hi Cristian, there is no code allowing to add simple-authentication
>                 domains to Manage-Domains.
>                 In the past we did have the ability to do that, but there are
>                 several problematic issues.
>                 What ldap server are you working against? Maybe I missed that
>
>             Hi,
>
>             The server is a Microsoft AD 2003.
>
>             Best regards,
>             Cristian Falcas
>
>         this should work, is the AD also the DNS server for the ovirt
>         engine machine?
>
>     yes
>
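The "Cannot locate KDC" in the quoted log is what a Kerberos client reports when it finds no KDC for the realm, and KDCs are normally discovered from the `_kerberos._tcp.<domain>` SRV records that Active Directory publishes in its own DNS zone, which is why it matters whether the AD is also the engine host's DNS server. The following Python is an added example and not oVirt's engine-manage-domains code: it parses `dig +short SRV` output (a constructed sample with hypothetical hosts dc1/dc2.example.com), orders the KDCs by priority, and either renders the krb5.conf realm stanzas or reports the missing-KDC condition.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Query name a Kerberos client resolves to discover KDCs for an AD domain.
def kdc_srv_name(domain: str) -> str:
    return f"_kerberos._tcp.{domain}"

@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

# One line of `dig +short SRV`: "<priority> <weight> <port> <target>."
SRV_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?\s*$")

def parse_dig_short_srv(output: str) -> list[SrvRecord]:
    """Parse dig +short SRV output; an empty answer yields an empty list."""
    records = []
    for line in output.splitlines():
        if not line.strip():
            continue
        m = SRV_LINE.match(line)
        if not m:
            raise ValueError(f"not a dig +short SRV line: {line!r}")
        prio, weight, port, target = m.groups()
        records.append(SrvRecord(int(prio), int(weight), int(port), target))
    return records

def order_kdcs(records: list[SrvRecord]) -> list[SrvRecord]:
    """Lowest priority first; weight is used as a plain tiebreak here
    (RFC 2782 selects randomly by weight within a priority)."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))

def render_realm(domain: str, records: list[SrvRecord]) -> str:
    """Render the krb5.conf stanzas a client needs for this realm.
    No KDC at all is the condition behind a 'Cannot locate KDC' error."""
    kdcs = order_kdcs(records)
    realm = domain.upper()
    if not kdcs:
        raise LookupError(f"Cannot locate KDC for realm {realm}")
    lines = ["[realms]", f"  {realm} = {{"]
    lines += [f"    kdc = {r.target}:{r.port}" for r in kdcs]
    lines += ["  }", "", "[domain_realm]",
              f"  .{domain} = {realm}", f"  {domain} = {realm}"]
    return "\n".join(lines)

def check_domain(domain: str, dig_output: str) -> tuple[bool, str]:
    """Return (True, krb5 stanzas) or (False, error text) for a dig answer."""
    try:
        return True, render_realm(domain, parse_dig_short_srv(dig_output))
    except LookupError as err:
        return False, str(err)

# Constructed samples: the answer from a resolver that serves the AD zone
# (two hypothetical DCs) and the empty answer from one that does not.
SAMPLE_ANSWER = "0 100 88 dc1.example.com.\n10 50 88 dc2.example.com.\n"
EMPTY_ANSWER = ""

if __name__ == "__main__":
    print("query:", kdc_srv_name("example.com"))
    for answer in (SAMPLE_ANSWER, EMPTY_ANSWER):
        ok, text = check_domain("example.com", answer)
        print("OK" if ok else "FAIL", text, sep="\n")
```

Running `dig +short SRV _kerberos._tcp.<your domain>` on the engine host and feeding the output to `check_domain` shows whether the resolver in use can answer the question the Kerberos check is asking.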




