[Users] I don't know how to add AD users

Cristian Falcas cristi.falcas at gmail.com
Tue Nov 20 17:33:39 UTC 2012


On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim <iheim at redhat.com> wrote:

> On 11/20/2012 03:00 PM, Cristian Falcas wrote:
>
>> Hi,
>>
>> So there is no way to use the domain I have at work, right?
>>
>> I will need to make a freeipa installation in order to add new users.
>>
>
> there is no reason this shouldn't work with active directory 2003
> (assuming its forest level isn't still in AD 2000 compatibility mode?).
> tcpdump for the traffic during engine-manage-domains should help
> diagnosing why.
>
>
>> Cristian
>>
>>
>> On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas
>> <cristi.falcas at gmail.com> wrote:
>>
>>
>>
>>
>>     On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim at redhat.com> wrote:
>>
>>         On 11/20/2012 09:56 AM, Cristian Falcas wrote:
>>
>>
>>
>>
>>             On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky
>>             <yzaslavs at redhat.com> wrote:
>>
>>
>>
>>                  On 11/20/2012 09:05 AM, Cristian Falcas wrote:
>>
>>
>>
>>
>>                      On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky
>>                      <yzaslavs at redhat.com> wrote:
>>
>>
>>
>>                           On 11/20/2012 12:39 AM, Cristian Falcas wrote:
>>
>>
>>
>>                               On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim
>>                               <iheim at redhat.com> wrote:
>>
>>                                    On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
>>
>>                                        On 11/19/2012 10:01 AM, Cristian Falcas wrote:
>>
>>                                            Hi,
>>
>>                                            I'm trying to add some users to ovirt using an AD.
>>
>>                                            This is the configuration I used for a mediawiki site, which is
>>                                            working correctly:
>>                                            $wgAuth = new LdapAuthenticationPlugin();
>>                                            $wgLDAPUseLocal = true;
>>                                            $wgLDAPDomainNames = array( "a_domain");
>>                                            $wgLDAPServerNames = array( "a_domain"=>"site.example.com");
>>                                            $wgLDAPEncryptionType = array( "a_domain"=>"clear");
>>                                            $wgLDAPSearchStrings = array( "a_domain"=>"rom_domain\\USER-NAME");
>>                                            $wgLDAPBaseDNs = array( "a_domain"=>"dc=company,dc=com");
>>
>>
>>
>>
>>
>>                                            Those are the commands I tried using:
>>                                            engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive
>>
>>                                            engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@company.com -interactive
>>
>>                                            engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example.com -interactive
>>
>>
>>                                        You don't add a user this way. You add the domain. You have to
>>                                        pass the domain admin user and the domain admin password.
>>
>>
>>                                    any domain user will do, doesn't have to be an admin.
>>                                    what does the log say?
>>
>>
>>                                        Then you can use the domain within the engine, e.g. search
>>                                        users, add access rights for vms etc.
>>                                        Even login to the engine and assigning rights within the engine
>>                                        you can handle from the engine itself.
>>
>>                                        Regards,
>>
>>                                            And the output on all tries:
>>                                            Enter password:
>>
>>                                            Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: domain_used_in_command
>>                                            Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
>>
>>                                            Can someone help me with the correct parameters?
>>
>>
>>                                            Best regards,
>>                                            Cristian Falcas
>>
>>
>>
>>
>>             _______________________________________________
>>                                            Users mailing list
>>                                            Users at ovirt.org
>>                                            http://lists.ovirt.org/mailman/listinfo/users
>>
>>
>>
>>                                        --
>>                                        Regards,
>>
>>                                        Vinzenz Feenstra | Senior Software Engineer
>>                                        RedHat Engineering Virtualization R & D
>>                                        Phone: +420 532 294 625
>>                                        IRC: vfeenstr or evilissimo
>>
>>                                        Better technology. Faster innovation. Powered by community
>>                                        collaboration.
>>                                        See how it works at redhat.com
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>                               Hi,
>>
>>                               This is the command I used (the same error is with -interactive
>>                               parameter):
>>
>>                               engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass
>>
>>                               [root@localhost ~]# cat /tmp/pass
>>                               qwerty[root@localhost ~]#
>>
>>                               This is the log:
>>
>>                               2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
>>                               2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
>>                               2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
>>                               2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
>>                               2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
>>
>>
>>                           Hi, the error indicates you don't have kerberos configured.
>>                           manage-domains validates by default using GSSAPI/Kerberos (if I
>>                           understand correctly, this is equivalent to run ldapsearch with -Y
>>                           gssapi option).
>>                           I wonder if -x (simple authentication) will work for you as well (as
>>                           manage-domains contains code for simple authentication as well).
>>
>>
>>
>>                               This is the ldapsearch command that works (it retrieves users) from the
>>                               same machine:
>>
>>                               ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty
>>
>>
>>                               Best regards,
>>                               Cristian Falcas
>>
>>
>>
>>
>>
>>
>>
>>
>>                      Hi,
>>
>>                      I used "-x" for ldapsearch and the result is the same: list
>>                      retrieved.
>>                      Is there any equivalent for engine-manage-domains?
>>
>>                      Cristian
>>
>>                  Hi Cristian, there is no code allowing to add simple-authentication
>>                  domains to Manage-Domains.
>>                  In the past we did have the ability to do that, but there are
>>                  several problematic issues.
>>                  What ldap server are you working against? Maybe I missed that
>>
>>
>>
>>             Hi,
>>
>>             The server is a Microsoft AD 2003.
>>
>>             Best regards,
>>             Cristian Falcas
>>
>>
>>         this should work, is the AD also the DNS server for the ovirt
>>         engine machine?
>>
>>
>>
>>     yes
>>
>>
>>
>
>
Could you take a look at the tcp dump? There are only 2 messages relevant
to this (let me know if you want the full dump):

- 2091    12.423634    10.0.0.xx    10.0.0.yyy    DNS    87    Standard query SRV _kerberos._tcp.EXAMPLE.COM
- 2092    12.424357    10.0.0.yyy    10.0.0.xx    DNS    245    Standard query response SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 100 88 site3.example.com

Also, I tried to run ldapsearch with -Y gssapi:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: No worthy mechs found

Best regards,
Cristian Falcas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 1.pcap
Type: application/octet-stream
Size: 388 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/users/attachments/20121120/3d2efe08/attachment-0001.obj>
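
The checks this thread walks through (an FQDN for -domain, the _kerberos._tcp SRV lookup, KDC reachability, and GSSAPI availability) gathered into one script. This is an added example, not part of the original message or of oVirt; the function names and the two sample inputs are constructed for illustration, and the live run assumes dig, ldapsearch, timeout and bash are installed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): offline-testable helpers plus a live
# check for the GSSAPI/Kerberos path that engine-manage-domains depends on.

# Constructed sample: `dig +short SRV _kerberos._tcp.example.com` output,
# modelled on the DNS reply quoted in the message.
SAMPLE_SRV='0 100 88 site1.example.com.
0 100 88 site2.example.com.
0 100 88 site3.example.com.'

# Constructed sample: rootDSE attributes as ldapsearch prints them (LDIF).
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5'

# True when $1 looks like a DNS FQDN; a short alias such as "a_domain" fails.
is_fqdn() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# stdin: "priority weight port target" lines. stdout: host:port, ordered by
# priority (lowest first), then weight (highest first).
srv_targets() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             sub(/\.$/, "", $4); print $1, $2, $4 ":" $3 }' |
        sort -k1,1n -k2,2nr | awk '{ print $3 }'
}

# stdin: LDIF from a rootDSE query. stdout: one SASL mechanism per line.
sasl_mechs() {
    sed -n 's/^supportedSASLMechanisms: *//p'
}

# Map the two error strings seen in the thread to the layer that failed.
classify_error() {
    case $1 in
        *"No worthy mechs found"*) echo "client: no usable SASL GSSAPI plugin" ;;
        *"Cannot locate KDC"*)     echo "kerberos: no KDC found for the realm" ;;
        *)                         echo "unclassified" ;;
    esac
}

# Live run: ./check.sh example.com (needs dig, ldapsearch, timeout, bash).
main() {
    domain=$1
    is_fqdn "$domain" || { echo "'$domain' is not an FQDN" >&2; return 2; }
    targets=$(dig +short SRV "_kerberos._tcp.$domain" | srv_targets)
    [ -n "$targets" ] || { echo "no _kerberos._tcp SRV records" >&2; return 3; }
    for t in $targets; do
        host=${t%:*} port=${t##*:}
        # Arguments are passed positionally so DNS data is never parsed as code.
        if timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null
        then echo "KDC $t: TCP reachable"
        else echo "KDC $t: TCP connect failed"
        fi
    done
    # Anonymous rootDSE read: does the server offer GSSAPI at all?
    if ldapsearch -x -LLL -H "ldap://$domain" -s base -b "" supportedSASLMechanisms |
        sasl_mechs | grep -qx GSSAPI
    then echo "server offers GSSAPI"
    else echo "server did not list GSSAPI"
    fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run without arguments the script only defines the helpers; with a domain argument it performs the live DNS, TCP and rootDSE checks against that domain.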

