[Users] I don't know how to add AD users

Yair Zaslavsky yzaslavs at redhat.com
Wed Nov 21 03:05:30 UTC 2012


----- Original Message -----

> From: "Cristian Falcas" <cristi.falcas at gmail.com>
> To: "Itamar Heim" <iheim at redhat.com>
> Cc: "Yair Zaslavsky" <yzaslavs at redhat.com>, users at ovirt.org
> Sent: Tuesday, November 20, 2012 7:33:39 PM
> Subject: Re: [Users] I don't know how to add AD users

> On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim < iheim at redhat.com >
> wrote:

> > On 11/20/2012 03:00 PM, Cristian Falcas wrote:
> > > Hi,
> > >
> > > So there is no way to use the domain I have at work, right?
> > > I will need to make a freeipa installation in order to add new
> > > users.
> >
> > there is no reason this shouldn't work with active directory 2003
> > (assuming its forest level isn't still in AD 2000 compatibility
> > mode?).
> > tcpdump for the traffic during engine-manage-domains should help
> > diagnosing why.
> >
> > > Cristian

> > > On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas
> > > <cristi.falcas at gmail.com> wrote:
> > > On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim at redhat.com> wrote:
> > > On 11/20/2012 09:56 AM, Cristian Falcas wrote:
> > > On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky
> > > <yzaslavs at redhat.com> wrote:
> > > On 11/20/2012 09:05 AM, Cristian Falcas wrote:
> > > On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky
> > > <yzaslavs at redhat.com> wrote:
> > > On 11/20/2012 12:39 AM, Cristian Falcas wrote:
> > > On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim
> > > <iheim at redhat.com> wrote:
> > > On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
> > > On 11/19/2012 10:01 AM, Cristian Falcas wrote:

> > > Hi,
> > >
> > > I'm trying to add some users to ovirt using an AD.
> > >
> > > This is the configuration I used for a mediawiki site, which is
> > > working correctly:
> > > $wgAuth = new LdapAuthenticationPlugin();
> > > $wgLDAPUseLocal = true;
> > > $wgLDAPDomainNames = array("a_domain");
> > > $wgLDAPServerNames = array("a_domain"=>"site.example.com");
> > > $wgLDAPEncryptionType = array("a_domain"=>"clear");
> > > $wgLDAPSearchStrings = array("a_domain"=>"rom_domain\\USER-NAME");
> > > $wgLDAPBaseDNs = array("a_domain"=>"dc=company,dc=com");

> > > Those are the commands I tried using:
> > > engine-manage-domains -action=add -domain=site.example.com
> > > -provider=ActiveDirectory -user=user.name -interactive
> > >
> > > engine-manage-domains -action=add -domain=a_domain
> > > -provider=ActiveDirectory -user=user.name at company.com -interactive
> > >
> > > engine-manage-domains -action=add -domain=a_domain
> > > -provider=ActiveDirectory -user=user.name at site.example.com
> > > -interactive
> 

> > > You don't add a user this way. You add the domain. You have to
> > > pass the domain admin user and the domain admin password.
> > >
> > > any domain user will do, doesn't have to be an admin.
> > > what does the log say?
> > >
> > > Then you can use the domain within the engine. e.g. search users, add
> > > access rights for vms etc.
> > > Even login to the engine and assigning rights within the engine
> > > you can handle from the engine itself.
> > >
> > > Regards,
> 

> > > And the output on all tries:
> > > Enter password:
> > >
> > > Error: Authentication Failed. Please verify the fully qualified domain
> > > name that is used for authentication is correct.. Problematic domain
> > > is: domain_used_in_command
> > > Failure while applying Kerberos configuration. Details: Authentication
> > > Failed. Please verify the fully qualified domain name that is used for
> > > authentication is correct.
> > >
> > > Can someone help me with the correct parameters?
> > >
> > > Best regards,
> > > Cristian Falcas

> > > _______________________________________________
> > > Users mailing list
> > > Users at ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users

> > > --
> > > Regards,
> > >
> > > Vinzenz Feenstra | Senior Software Engineer
> > > RedHat Engineering Virtualization R & D
> > > Phone: +420 532 294 625
> > > IRC: vfeenstr or evilissimo
> > >
> > > Better technology. Faster innovation. Powered by community
> > > collaboration.
> > > See how it works at redhat.com


> > > Hi,
> > >
> > > This is the command I used (the same error is with -interactive
> > > parameter):
> > >
> > > engine-manage-domains -action=add -domain=example.com
> > > -provider=ActiveDirectory -user=user.name at a_domain
> > > -passwordFile=/tmp/pass
> > >
> > > [root at localhost ~]# cat /tmp/pass
> > > qwerty[root at localhost ~]#

> > > This is the log:
> > >
> > > 2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
> > > 2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
> > > 2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
> > > 2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
> > > 2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.

> > > Hi, the error indicates you don't have kerberos configured.
> > > manage-domains validates by default using GSSAPI/Kerberos (if I
> > > understand correctly, this is equivalent to run ldapsearch with -Y
> > > gssapi option).
> > > I wonder if -x (simple authentication) will work for you as well (as
> > > manage-domains contains code for simple authentication as well).

> > > This is the ldapsearch command that works (it retrieves users) from the
> > > same machine:
> > >
> > > ldapsearch -H ldap://example.com -b dc=example,dc=com
> > > -D user.name at a_domain -w qwerty
> > >
> > > Best regards,
> > > Cristian Falcas


> > > Hi,
> > >
> > > I used "-x" for ldapsearch and the result is the same: list
> > > retrieved.
> > > Is there any equivalent for engine-manage-domains?
> > >
> > > Cristian
> > >
> > > Hi Christian, there is no code allowing to add simple-authentication
> > > domains to Manage-Domains.
> > > In the past we did have the ability to do that, but there are
> > > several problematic issues.
> > > What ldap server are you working against? Maybe I missed that
> > >
> > > Hi,
> > >
> > > The server is a Microsoft AD 2003.
> > >
> > > Best regards,
> > > Cristian Falcas
> > >
> > > this should work, is the AD also the DNS server for the ovirt
> > > engine machine?
> > >
> > > yes

> Could you take a look at the tcp dump? There are only 2 messages
> relevant to this (let me know if you want the full dump):

> - 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV
> _kerberos._tcp.EXAMPLE.COM
> - 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response
> SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0
> 100 88 site3.example.com

> Also, I tried to run ldapsearch with -Y gssapi:
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available: No worthy mechs
> found

> Best regards,
> Cristian Falcas

The SRV records look fine.
If I remember correctly, your DNS should have a reverse-resolve PTR record to your engine machine. Does it exist?
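
The two DNS conditions discussed in this exchange (KDC SRV records under `_kerberos._tcp`, and a PTR record that maps the engine machine's address back to its name) can be checked with a short script. This is an added example, not part of the original message or of oVirt; `engine.example.com` and all IP addresses are constructed, and by default the script reads an embedded sample zone instead of live DNS.

```shell
#!/bin/sh
# Added example: DNS checks for the Kerberos setup discussed in this thread.
# The default mode reads the constructed sample zone below, so it runs offline;
# LOOKUP_MODE=live queries real DNS with dig instead.

# Constructed sample zone. site1..site3 mirror the SRV answer quoted in the
# thread; engine.example.com and every address are hypothetical.
sample_dns() {
  case "$1 $2" in
    "SRV _kerberos._tcp.example.com")
      printf '%s\n' "0 100 88 site1.example.com." \
        "0 100 88 site2.example.com." "0 100 88 site3.example.com." ;;
    "A site1.example.com") echo 10.0.0.11 ;;
    "A site2.example.com") echo 10.0.0.12 ;;
    "A site3.example.com") echo 10.0.0.13 ;;
    "A engine.example.com") echo 10.0.0.20 ;;
    "PTR 10.0.0.11") echo site1.example.com. ;;
    # 10.0.0.20 has no PTR: the engine host has a forward record only
  esac
}

# lookup TYPE NAME: one answer per line, empty output when nothing is found.
lookup() {
  if [ "${LOOKUP_MODE:-sample}" = live ]; then
    if [ "$1" = PTR ]; then dig +short -x "$2"; else dig +short "$2" "$1"; fi
  else
    sample_dns "$1" "$2"
  fi
}

# Normalise a DNS name: lower case, no trailing dot.
norm() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# check_kdc_srv REALM: list the KDCs advertised under _kerberos._tcp.REALM.
# Returns 1 when there is no SRV record or a target has no A record.
check_kdc_srv() {
  realm=$(norm "$1")
  answers=$(lookup SRV "_kerberos._tcp.$realm")
  [ -n "$answers" ] || { echo "no SRV records for $realm"; return 1; }
  rc=0
  while read -r _prio _weight port target; do
    host=$(norm "$target")
    addr=$(lookup A "$host" | head -n 1)
    if [ -n "$addr" ]; then echo "KDC $host:$port -> $addr"
    else echo "KDC $host:$port does not resolve"; rc=1; fi
  done <<EOF
$answers
EOF
  return $rc
}

# check_reverse FQDN: the host's address must have a PTR that maps back to it.
check_reverse() {
  host=$(norm "$1")
  addr=$(lookup A "$host" | head -n 1)
  [ -n "$addr" ] || { echo "$host: no A record"; return 1; }
  ptr=$(norm "$(lookup PTR "$addr" | head -n 1)")
  if [ "$ptr" = "$host" ]; then echo "$host <-> $addr ok"; return 0; fi
  echo "$host -> $addr but PTR is '${ptr:-missing}'"; return 1
}

# Demo on the sample zone.
check_kdc_srv EXAMPLE.COM
check_reverse engine.example.com || echo "add a PTR record for the engine host"
```

With `LOOKUP_MODE=live` the same functions take the real realm and the engine's real FQDN and need `dig` installed.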