[Users] I don't know how to add AD users

Oved Ourfalli ovedo at redhat.com
Wed Nov 21 06:09:23 UTC 2012



----- Original Message -----
> From: "Cristian Falcas" <cristi.falcas at gmail.com>
> To: "Yair Zaslavsky" <yzaslavs at redhat.com>
> Cc: users at ovirt.org
> Sent: Wednesday, November 21, 2012 6:40:34 AM
> Subject: Re: [Users] I don't know how to add AD users
> 
> On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky <yzaslavs at redhat.com> wrote:
> 
> From: "Cristian Falcas" <cristi.falcas at gmail.com>
> To: "Itamar Heim" <iheim at redhat.com>
> Cc: "Yair Zaslavsky" <yzaslavs at redhat.com>, users at ovirt.org
> Sent: Tuesday, November 20, 2012 7:33:39 PM
> Subject: Re: [Users] I don't know how to add AD users
> 
> On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim <iheim at redhat.com> wrote:
> 
> On 11/20/2012 03:00 PM, Cristian Falcas wrote:
> 
> Hi,
> 
> So there is no way to use the domain I have at work, right?
> 
> I will need to make a freeipa installation in order to add new users.
> 
> there is no reason this shouldn't work with active directory 2003 (assuming its forest level isn't still in AD 2000 compatibility mode?).
> tcpdump for the traffic during engine-manage-domains should help diagnose why.
> 
> Cristian
> 
> On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas <cristi.falcas at gmail.com> wrote:
> 
> On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim at redhat.com> wrote:
> 
> On 11/20/2012 09:56 AM, Cristian Falcas wrote:
> 
> On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs at redhat.com> wrote:
> 
> On 11/20/2012 09:05 AM, Cristian Falcas wrote:
> 
> On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs at redhat.com> wrote:
> 
> On 11/20/2012 12:39 AM, Cristian Falcas wrote:
> 
> On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim at redhat.com> wrote:
> 
> On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
> 
> On 11/19/2012 10:01 AM, Cristian Falcas wrote:
> 
> Hi,
> 
> I'm trying to add some users to ovirt using an AD.
> 
> This is the configuration I used for a mediawiki site, which is working correctly:
> 
> $wgAuth = new LdapAuthenticationPlugin();
> $wgLDAPUseLocal = true;
> $wgLDAPDomainNames = array("a_domain");
> $wgLDAPServerNames = array("a_domain"=>"site.example.com");
> $wgLDAPEncryptionType = array("a_domain"=>"clear");
> $wgLDAPSearchStrings = array("a_domain"=>"rom_domain\\USER-NAME");
> $wgLDAPBaseDNs = array("a_domain"=>"dc=company,dc=com");
> 
> Those are the commands I tried using:
> 
> engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive
> 
> engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name at company.com -interactive
> 
> engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name at site.example.com -interactive
> 
> You don't add a user this way. You add the domain. You have to pass the domain admin user and the domain admin password.
> 
> any domain user will do, doesn't have to be an admin.
> what does the log say?
> 
> Then you can use the domain within the engine, e.g. search users, add access rights for vms etc.
> Even logging in to the engine and assigning rights within the engine can be handled from the engine itself.
> 
> Regards,
> 
> And the output on all tries:
> 
> Enter password:
> 
> Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct..
> Problematic domain is: domain_used_in_command
> Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
> 
> Can someone help me with the correct parameters?
> 
> Best regards,
> Cristian Falcas
> 
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
> --
> Regards,
> 
> Vinzenz Feenstra | Senior Software Engineer
> RedHat Engineering Virtualization R & D
> Phone: +420 532 294 625
> IRC: vfeenstr or evilissimo
> 
> Better technology. Faster innovation. Powered by community collaboration.
> See how it works at redhat.com
> 
> Hi,
> 
> This is the command I used (the same error is with -interactive parameter):
> 
> engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name at a_domain -passwordFile=/tmp/pass
> 
> [root at localhost ~]# cat /tmp/pass
> qwerty[root at localhost ~]#
> 
> This is the log:
> 
> 2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
> 2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
> 2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
> 2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
> 2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
> 
> Hi, the error indicates you don't have kerberos configured.
> manage-domains validates by default using GSSAPI/Kerberos (if I understand correctly, this is equivalent to running ldapsearch with the -Y gssapi option).
> I wonder if -x (simple authentication) will work for you as well (as manage-domains contains code for simple authentication as well).
> 
> This is the ldapsearch command that works (it retrieves users) from the same machine:
> 
> ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name at a_domain -w qwerty
> 
> Best regards,
> Cristian Falcas
> 
> 
> Hi,
> 
> I used "-x" for ldapsearch and the result is the same: list retrieved.
> Is there any equivalent for engine-manage-domains?
> 
> Cristian
> 
> Hi Christian, there is no code allowing to add simple-authentication domains to Manage-Domains.
> In the past we did have the ability to do that, but there are several problematic issues.
> What ldap server are you working against? Maybe I missed that
> 
> Hi,
> 
> The server is a Microsoft AD 2003.
> 
> Best regards,
> Cristian Falcas
> 
> this should work, is the AD also the DNS server for the ovirt engine machine?
> 
> yes
> 
> 
> Could you take a look at the tcp dump? There are only 2 messages relevant to this (let me know if you want the full dump):
> 
> - 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV _kerberos._tcp.EXAMPLE.COM
> - 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 100 88 site3.example.com
> 
> Also, I tried to run ldapsearch with -Y gssapi:
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available: No worthy mechs found
> 
> Best regards,
> Cristian Falcas
> 
> The SRV records look fine.
> If I remember correctly, your DNS should have a reverse-resolve PTR record to your engine machine. Does it exist?
> 
> I don't think so (10.0.0.xx is engine machine, 10.0.0.yyy is dns):
> 
> [root at localhost ~]# nslookup 10.0.0.xx
> Server: 10.0.0.yyy
> Address: 10.0.0.yyy#53
> 
> ** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN
> 
> [root at localhost ~]# host 10.0.0.xx
> Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
> 
> I will ask them to add a DNS record for the machine.
> 
Indeed, do that.
In the engine we require a reverse-resolve PTR record, a Kerberos SRV record and an LDAP SRV record.
Make sure you have all three in the DNS.
The PTR + Kerberos records are used for the kerberos authentication (and for constructing the krb5.conf file in the engine-manage-domains utility).
The LDAP SRV record is used for the directory queries (it is used in the utility + the ovirt engine, to look for LDAP servers).
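The three DNS prerequisites named in the reply above (a _kerberos._tcp SRV record, an _ldap._tcp SRV record, and a PTR record for the engine host) are what the "Cannot locate KDC" and NXDOMAIN results in the thread point at. Below is a small checker for them, added here as an editor's example; it is not oVirt code and not part of engine-manage-domains. It parses `dig +short` style answers so it can be run offline against the constructed sample answers at the bottom, and the `live_check` helper assumes `dig` (bind-utils) is on the PATH for real lookups.

```python
"""Check the three DNS prerequisites for engine-manage-domains described above:
a _kerberos._tcp SRV record, an _ldap._tcp SRV record, and a PTR record for the
engine's own address. Added example, not oVirt code. Live lookups assume `dig`
(bind-utils) is installed; the sample answers below are constructed, not captured."""
import re
import subprocess
from typing import Dict, List, Tuple

# One `dig +short SRV` line: "<priority> <weight> <port> <target>."
SRV_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?\s*$")

SrvRecord = Tuple[int, int, int, str]


def parse_srv(answer: str) -> List[SrvRecord]:
    """Parse dig output into (priority, weight, port, target) tuples, ordered
    as a client would try them: lowest priority first, higher weight first."""
    records: List[SrvRecord] = []
    for line in answer.splitlines():
        m = SRV_RE.match(line)
        if m:
            prio, weight, port, target = m.groups()
            records.append((int(prio), int(weight), int(port), target.lower()))
    return sorted(records, key=lambda r: (r[0], -r[1]))


def parse_ptr(answer: str) -> str:
    """`dig +short -x <ip>` prints the PTR target, or nothing on NXDOMAIN."""
    for line in answer.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            return line.rstrip(".").lower()
    return ""


def check_domain(kerberos_answer: str, ldap_answer: str,
                 ptr_answer: str, engine_fqdn: str) -> Dict[str, object]:
    """Evaluate the three records. 'ok' is True only when nothing is missing;
    'problems' lists each gap in terms of the symptom the engine would show."""
    kdcs = parse_srv(kerberos_answer)
    ldap_servers = parse_srv(ldap_answer)
    ptr = parse_ptr(ptr_answer)
    expected = engine_fqdn.lower().rstrip(".")
    problems: List[str] = []
    if not kdcs:
        problems.append("no _kerberos._tcp SRV record: the engine cannot locate a KDC")
    elif any(port != 88 for _, _, port, _ in kdcs):
        problems.append("a KDC SRV record points at a non-standard port (expected 88)")
    if not ldap_servers:
        problems.append("no _ldap._tcp SRV record: directory queries have no server to use")
    if not ptr:
        problems.append("no PTR record for the engine address (NXDOMAIN on reverse lookup)")
    elif ptr != expected:
        problems.append(f"PTR resolves to {ptr!r}, not the engine FQDN {expected!r}")
    return {"kdcs": kdcs, "ldap_servers": ldap_servers, "ptr": ptr,
            "problems": problems, "ok": not problems}


def dig_short(*args: str) -> str:
    """Run `dig +short` with the given arguments (assumption: dig is on PATH)."""
    return subprocess.run(["dig", "+short", *args], capture_output=True,
                          text=True, check=False).stdout


def live_check(domain: str, engine_ip: str, engine_fqdn: str) -> Dict[str, object]:
    """Same check against real DNS, e.g. live_check("example.com", "10.0.0.5", "engine.example.com")."""
    return check_domain(dig_short("SRV", f"_kerberos._tcp.{domain}"),
                        dig_short("SRV", f"_ldap._tcp.{domain}"),
                        dig_short("-x", engine_ip), engine_fqdn)


# Constructed sample answers modelled on the thread: three KDCs answer the
# Kerberos SRV query, an LDAP SRV record exists, but the reverse lookup of the
# engine address returns NXDOMAIN (dig +short prints nothing for it).
SAMPLE_KERBEROS = ("0 100 88 site1.example.com.\n"
                   "0 100 88 site2.example.com.\n"
                   "0 100 88 site3.example.com.\n")
SAMPLE_LDAP = "0 100 389 site1.example.com.\n0 100 389 site2.example.com.\n"
SAMPLE_PTR_MISSING = ""
SAMPLE_PTR_OK = "engine.example.com.\n"

if __name__ == "__main__":
    result = check_domain(SAMPLE_KERBEROS, SAMPLE_LDAP, SAMPLE_PTR_MISSING, "engine.example.com")
    for problem in result["problems"]:
        print("MISSING:", problem)
    print("ready for engine-manage-domains:", result["ok"])
```

Run as-is it reports only the missing PTR record, which matches the state Cristian's nslookup and host output show; pointing `live_check` at the real domain and engine address reproduces the same verdict from actual DNS answers before engine-manage-domains is retried.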