[Users] I don't know how to add AD users
Cristian Falcas
cristi.falcas at gmail.com
Wed Nov 21 19:40:35 UTC 2012
On Wed, Nov 21, 2012 at 9:37 PM, Cristian Falcas <cristi.falcas at gmail.com>wrote:
>
>
>
> On Wed, Nov 21, 2012 at 8:10 AM, Itamar Heim <iheim at redhat.com> wrote:
>
>> On 11/21/2012 08:09 AM, Oved Ourfalli wrote:
>>
>>>
>>>
>>> ----- Original Message -----
>>>
>>>> From: "Cristian Falcas" <cristi.falcas at gmail.com>
>>>> To: "Yair Zaslavsky" <yzaslavs at redhat.com>
>>>> Cc: users at ovirt.org
>>>> Sent: Wednesday, November 21, 2012 6:40:34 AM
>>>> Subject: Re: [Users] I don't know how to add AD users
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky < yzaslavs at redhat.com
>>>>
>>>>> wrote:
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> From: "Cristian Falcas" < cristi.falcas at gmail.com >
>>>> To: "Itamar Heim" < iheim at redhat.com >
>>>> Cc: "Yair Zaslavsky" < yzaslavs at redhat.com >, users at ovirt.org
>>>> Sent: Tuesday, November 20, 2012 7:33:39 PM
>>>>
>>>> Subject: Re: [Users] I don't know how to add AD users
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim < iheim at redhat.com >
>>>> wrote:
>>>>
>>>>
>>>>
>>>> On 11/20/2012 03:00 PM, Cristian Falcas wrote:
>>>>
>>>>
>>>> Hi,
>>>>
>>>> So there is no way to use the domain I have at work, right?
>>>>
>>>> I will need to make a freeipa installation in order to add new users.
>>>>
>>>> there is no reason this shouldn't work with active directory 2003
>>>> (assuming its forest level isn't still in AD 2000 compatibility
>>>> mode?).
>>>> tcpdump for the traffic during engine-manage-domains should help
>>>> diagnosing why.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Cristian
>>>>
>>>>
>>>> On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas
>>>>
>>>> < cristi.falcas at gmail.com <mailto: cristi.falcas at gmail. com >> wrote:
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim < iheim at redhat.com
>>>>
>>>> <mailto: iheim at redhat.com >> wrote:
>>>>
>>>> On 11/20/2012 09:56 AM, Cristian Falcas wrote:
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky
>>>> < yzaslavs at redhat.com <mailto: yzaslavs at redhat.com >
>>>>
>>>>
>>>> <mailto: yzaslavs at redhat.com <mailto: yzaslavs at redhat.com >>>
>>>> wrote:
>>>>
>>>>
>>>>
>>>> On 11/20/2012 09:05 AM, Cristian Falcas wrote:
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky
>>>> < yzaslavs at redhat.com <mailto: yzaslavs at redhat.com >
>>>> <mailto: yzaslavs at redhat.com <mailto: yzaslavs at redhat.com >>
>>>> <mailto: yzaslavs at redhat.com
>>>> <mailto: yzaslavs at redhat.com > <mailto: yzaslavs at redhat.com
>>>> <mailto: yzaslavs at redhat.com >>> > wrote:
>>>>
>>>>
>>>>
>>>> On 11/20/2012 12:39 AM, Cristian Falcas wrote:
>>>>
>>>>
>>>>
>>>> On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim
>>>> < iheim at redhat.com <mailto: iheim at redhat.com >
>>>> <mailto: iheim at redhat.com <mailto: iheim at redhat.com >>
>>>> <mailto: iheim at redhat.com
>>>> <mailto: iheim at redhat.com > <mailto: iheim at redhat.com
>>>> <mailto: iheim at redhat.com >>>
>>>> <mailto: iheim at redhat.com
>>>> <mailto: iheim at redhat.com > <mailto: iheim at redhat.com
>>>> <mailto: iheim at redhat.com >>
>>>> <mailto: iheim at redhat.com <mailto: iheim at redhat.com >
>>>> <mailto: iheim at redhat.com <mailto: iheim at redhat.com >>>>> wrote:
>>>>
>>>> On 11/19/2012 11:29 AM, Vinzenz
>>>> Feenstra wrote:
>>>>
>>>> On 11/19/2012 10:01 AM, Cristian
>>>> Falcas wrote:
>>>>
>>>> Hi,
>>>>
>>>> I'm trying to add some users
>>>> to ovirt
>>>> using an AD.
>>>>
>>>> This is the configuration I
>>>> used for a
>>>> mediawiki
>>>> site, which is
>>>> working correctly:
>>>> $wgAuth = new
>>>> LdapAuthenticationPlugin();
>>>> $wgLDAPUseLocal = true;
>>>> $wgLDAPDomainNames = array(
>>>> "a_domain");
>>>> $wgLDAPServerNames = array(
>>>> "a_domain"=>" site.example.com
>>>> < http://site.example.com > < http://site.example.com >
>>>> < http://site.example.com >
>>>> < http://site.example.com >
>>>> < http://site.example.com >");
>>>>
>>>> $wgLDAPEncryptionType = array(
>>>> "a_domain"=>"clear");
>>>> $wgLDAPSearchStrings = array(
>>>>
>>>> "a_domain"=>"rom_domain\\USER- ________NAME");
>>>> $wgLDAPBaseDNs = array(
>>>> "a_domain"=>"dc=company,dc=___ _____com");
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Those are the commands I
>>>> tried using:
>>>> engine-manage-domains -action=add
>>>> -domain= site.example.com
>>>> < http://site.example.com > < http://site.example.com >
>>>> < http://site.example.com >
>>>> < http://site.example.com >
>>>> < http://site.example.com >
>>>> -provider=ActiveDirectory
>>>> -user= user.name
>>>> < http://user.name > < http://user.name >
>>>> < http://user.name > < http://user.name >
>>>> < http://user.name > -interactive
>>>>
>>>>
>>>> engine-manage-domains -action=add
>>>> -domain=a_domain
>>>> -provider=ActiveDirectory
>>>> -user= user.name at company.com
>>>> <mailto: user.name at company.com >
>>>> <mailto: user.name at company.com
>>>> <mailto: user.name at company.com > >
>>>> <mailto: user.name at company.com <mailto: user.name at company.com >
>>>> <mailto: user.name at company.com
>>>> <mailto: user.name at company.com > >__>
>>>> <mailto: user.name at company.com
>>>> <mailto: user.name at company.com >
>>>> <mailto: user.name at company.com
>>>> <mailto: user.name at company.com > >
>>>> <mailto: user.name at company.com
>>>> <mailto: user.name at company.com >
>>>> <mailto: user.name at company.com
>>>> <mailto: user.name at company.com > >__>__>
>>>> <mailto: user.name at company.com
>>>> <mailto: user.name at company.com >
>>>> <mailto: user.name at company.com
>>>> <mailto: user.name at company.com > >
>>>> <mailto: user.name at company.com
>>>> <mailto: user.name at company.com >
>>>> <mailto: user.name at company.com
>>>> <mailto: user.name at company.com > >__>
>>>>
>>>> <mailto: user.name at company.com
>>>> <mailto: user.name at company.com >
>>>> <mailto: user.name at company.com
>>>> <mailto: user.name at company.com > >
>>>> <mailto: user.name at company.com
>>>> <mailto: user.name at company.com >
>>>> <mailto: user.name at company.com
>>>> <mailto: user.name at company.com > >__>__>__> -interactive
>>>>
>>>>
>>>> engine-manage-domains -action=add
>>>> -domain=a_domain
>>>> -provider=ActiveDirectory
>>>> -user=user.name at site.example._ _______com
>>>>
>>>>
>>>> <mailto: user.name at site
>>>> <mailto: user.name at site >.
>>>> <mailto: user.name at site
>>>> <mailto: user.name at site >.>__ exa m__p__le.com
>>>> < http://examp__le.com > < http://example.com >
>>>> <mailto: user.name at site .
>>>> <mailto: user.name at site .>__ exam p__le.com < http://example.com >
>>>> <mailto: user.name at site. __ examp le.com
>>>> <mailto: user.name at site. example.com >>>>
>>>> <mailto: user.name at site
>>>> <mailto: user.name at site >
>>>>
>>>> <mailto: user.name at site <mailto: user.name at site >>.
>>>> <mailto: user.name at site <mailto: user.name at site >
>>>> <mailto: user.name at site
>>>> <mailto: user.name at site >>.>__ ex a__m__p__le.com
>>>> < http://exam__p__le.com >
>>>>
>>>>
>>>> < http://examp__le.com > < http://example.com >
>>>>
>>>>
>>>>
>>>> <mailto: user.name at site
>>>> <mailto: user.name at site >.
>>>> <mailto: user.name at site
>>>> <mailto: user.name at site >.>__ exa m__p__le.com
>>>> < http://examp__le.com > < http://example.com >
>>>> <mailto: user.name at site .
>>>> <mailto: user.name at site .>__ exam p__le.com < http://example.com >
>>>> <mailto: user.name at site. __ examp le.com
>>>> <mailto: user.name at site. example.com >>>>> -interactive
>>>>
>>>>
>>>> You don't add an user this way.
>>>> You add the
>>>> domain. You
>>>> have to
>>>> pass the
>>>> domain admin user and the domain
>>>> admin password.
>>>>
>>>>
>>>> any domain user will do, doesn't have
>>>> to be an admin.
>>>> what does the log say?
>>>>
>>>>
>>>> Then you can use the domain
>>>> within the engine.
>>>> e.g. search
>>>> users, add
>>>> access rights for vms etc.
>>>> Even login to the engine and
>>>> assigning rights
>>>> within
>>>> the engine
>>>> you can
>>>> handle from the engine itself.
>>>>
>>>> Regards,
>>>>
>>>> And the output on all tries:
>>>> Enter password:
>>>>
>>>> Error: Authentication Failed.
>>>> Please
>>>> verify the fully
>>>> qualified domain
>>>> name that is used for
>>>> authentication is
>>>> correct..
>>>> Problematic domain
>>>> is: domain_used_in_command
>>>> Failure while applying Kerberos
>>>> configuration. Details:
>>>> Authentication
>>>> Failed. Please verify the
>>>> fully qualified
>>>> domain
>>>> name that
>>>> is used for
>>>> authentication is correct.
>>>>
>>>> Can someone help me with the
>>>> correct
>>>> parameters?
>>>>
>>>>
>>>> Best regards,
>>>> Cristian Falcas
>>>>
>>>>
>>>>
>>>>
>>>> ______________________________ _________________________
>>>>
>>>>
>>>> Users mailing list
>>>> Users at ovirt.org <mailto: Users at ovirt.org >
>>>> <mailto: Users at ovirt.org <mailto: Users at ovirt.org >>
>>>> <mailto: Users at ovirt.org <mailto: Users at ovirt.org >
>>>> <mailto: Users at ovirt.org <mailto: Users at ovirt.org >>>
>>>> <mailto: Users at ovirt.org <mailto: Users at ovirt.org >
>>>> <mailto: Users at ovirt.org <mailto: Users at ovirt.org >>
>>>> <mailto: Users at ovirt.org
>>>> <mailto: Users at ovirt.org > <mailto: Users at ovirt.org
>>>> <mailto: Users at ovirt.org >>>>
>>>> http://lists.ovirt.org/_______ _mailman/listinfo/users
>>>> < http://lists.ovirt.org/______ mailman/listinfo/users >
>>>>
>>>>
>>>>
>>>> < http://lists.ovirt.org/______ mailman/listinfo/users
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users >>
>>>>
>>>>
>>>> < http://lists.ovirt.org/______ mailman/listinfo/users
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users >
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users
>>>> < http://lists.ovirt.org/__ mailman/listinfo/users >>>
>>>>
>>>>
>>>>
>>>>
>>>> < http://lists.ovirt.org/______ mailman/listinfo/users
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users >
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users
>>>> < http://lists.ovirt.org/__ mailman/listinfo/users >>
>>>>
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users
>>>> < http://lists.ovirt.org/__ mailman/listinfo/users >
>>>> < http://lists.ovirt.org/__ mailman/listinfo/users
>>>> < http://lists.ovirt.org/ mailman/listinfo/users >>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>>
>>>> Vinzenz Feenstra | Senior
>>>> Software Engineer
>>>> RedHat Engineering Virtualization
>>>> R & D
>>>> Phone: +420 532 294 625
>>>> <tel:%2B420%20532%20294%20625>
>>>> <tel:%2B420%20532%20294%20625>
>>>> <tel:%2B420%20532%20294%20625>
>>>> <tel:%2B420%20532%20294%20625>
>>>>
>>>> IRC: vfeenstr or evilissimo
>>>>
>>>> Better technology. Faster
>>>> innovation. Powered
>>>> by community
>>>> collaboration.
>>>> See how it works at redhat.com
>>>> < http://redhat.com >
>>>> < http://redhat.com > < http://redhat.com >
>>>> < http://redhat.com >
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> ______________________________ _________________________
>>>>
>>>>
>>>> Users mailing list
>>>> Users at ovirt.org <mailto: Users at ovirt.org >
>>>> <mailto: Users at ovirt.org <mailto: Users at ovirt.org >>
>>>> <mailto: Users at ovirt.org <mailto: Users at ovirt.org >
>>>> <mailto: Users at ovirt.org <mailto: Users at ovirt.org >>>
>>>> <mailto: Users at ovirt.org <mailto: Users at ovirt.org >
>>>> <mailto: Users at ovirt.org <mailto: Users at ovirt.org >>
>>>> <mailto: Users at ovirt.org
>>>> <mailto: Users at ovirt.org > <mailto: Users at ovirt.org
>>>> <mailto: Users at ovirt.org >>>>
>>>> http://lists.ovirt.org/_______ _mailman/listinfo/users
>>>> < http://lists.ovirt.org/______ mailman/listinfo/users >
>>>>
>>>>
>>>> < http://lists.ovirt.org/______ mailman/listinfo/users
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users >>
>>>>
>>>>
>>>> < http://lists.ovirt.org/______ mailman/listinfo/users
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users >
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users
>>>> < http://lists.ovirt.org/__ mailman/listinfo/users >>>
>>>>
>>>>
>>>> < http://lists.ovirt.org/______ mailman/listinfo/users
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users >
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users
>>>> < http://lists.ovirt.org/__ mailman/listinfo/users >>
>>>>
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users
>>>> < http://lists.ovirt.org/__ mailman/listinfo/users >
>>>> < http://lists.ovirt.org/__ mailman/listinfo/users
>>>> < http://lists.ovirt.org/ mailman/listinfo/users >>>>
>>>>
>>>>
>>>>
>>>>
>>>> ______________________________ _________________________
>>>>
>>>>
>>>> Users mailing list
>>>> Users at ovirt.org <mailto: Users at ovirt.org >
>>>> <mailto: Users at ovirt.org <mailto: Users at ovirt.org >>
>>>> <mailto: Users at ovirt.org <mailto: Users at ovirt.org >
>>>> <mailto: Users at ovirt.org <mailto: Users at ovirt.org >>>
>>>> <mailto: Users at ovirt.org <mailto: Users at ovirt.org >
>>>> <mailto: Users at ovirt.org <mailto: Users at ovirt.org >>
>>>> <mailto: Users at ovirt.org
>>>> <mailto: Users at ovirt.org > <mailto: Users at ovirt.org
>>>> <mailto: Users at ovirt.org >>>>
>>>> http://lists.ovirt.org/_______ _mailman/listinfo/users
>>>> < http://lists.ovirt.org/______ mailman/listinfo/users >
>>>>
>>>>
>>>> < http://lists.ovirt.org/______ mailman/listinfo/users
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users >>
>>>>
>>>> < http://lists.ovirt.org/______ mailman/listinfo/users
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users >
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users
>>>> < http://lists.ovirt.org/__ mailman/listinfo/users >>>
>>>>
>>>>
>>>>
>>>>
>>>> < http://lists.ovirt.org/______ mailman/listinfo/users
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users >
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users
>>>> < http://lists.ovirt.org/__ mailman/listinfo/users >>
>>>>
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users
>>>> < http://lists.ovirt.org/__ mailman/listinfo/users >
>>>> < http://lists.ovirt.org/__ mailman/listinfo/users
>>>> < http://lists.ovirt.org/ mailman/listinfo/users >>>>
>>>>
>>>>
>>>>
>>>>
>>>> Hi,
>>>>
>>>> This is the command I used (the same error
>>>> is with
>>>> -interactive
>>>> parameter):
>>>>
>>>> engine-manage-domains -action=add
>>>> -domain= example.com < http://example.com >
>>>> < http://example.com >
>>>> < http://example.com >
>>>> < http://example.com > -provider=ActiveDirectory
>>>> -user=user.name at a_domain
>>>>
>>>> -passwordFile=/tmp/pass
>>>>
>>>> [root at localhost ~]# cat /tmp/pass
>>>> qwerty[root at localhost ~]#
>>>>
>>>> This is the log:
>>>>
>>>> 2012-11-20 00:30:40,443 INFO
>>>>
>>>>
>>>> [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains]
>>>>
>>>> Creating
>>>>
>>>>
>>>> kerberos
>>>> configuration for domain(s): example.com
>>>> < http://example.com >
>>>> < http://example.com > < http://example.com >
>>>> < http://example.com >
>>>>
>>>> 2012-11-20 00:30:40,525 INFO
>>>>
>>>>
>>>> [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains]
>>>>
>>>>
>>>> Successfully
>>>>
>>>> created kerberos configuration for domain(s):
>>>> example.com < http://example.com > < http://example.com >
>>>> < http://example.com >
>>>> < http://example.com >
>>>>
>>>> 2012-11-20 00:30:40,526 INFO
>>>>
>>>>
>>>> [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains]
>>>>
>>>> Testing
>>>>
>>>>
>>>> kerberos
>>>> configuration for domain: example.com
>>>> < http://example.com >
>>>> < http://example.com > < http://example.com >
>>>> < http://example.com >
>>>>
>>>> 2012-11-20 00:30:40,830 ERROR
>>>>
>>>>
>>>> [org.ovirt.engine.core.utils._ _____kerberos.__ KerberosConfigCheck]
>>>>
>>>>
>>>> Error:
>>>>
>>>> exception message: Cannot locate KDC
>>>> 2012-11-20 00:30:40,851 ERROR
>>>>
>>>>
>>>> [org.ovirt.engine.core.utils._ _____kerberos.ManageDomains]
>>>>
>>>>
>>>> Failure
>>>>
>>>> while
>>>>
>>>> testing domain example.com
>>>> < http://example.com > < http://example.com >
>>>> < http://example.com >
>>>> < http://example.com >. Details: Kerberos
>>>>
>>>> error. Please check log for further details.
>>>>
>>>>
>>>> Hi, the error indicates you don't have
>>>> kerberos configured.
>>>> manage-domains validates by default using
>>>> GSSAPI/Kerberos (if I
>>>> understand correctly, this is equivalent to
>>>> run ldapsearch
>>>> with -Y
>>>> gssapi option).
>>>> I wonder if -x (simple authentication) will
>>>> work for you as
>>>> well (as
>>>> manage-domains contains code for simple
>>>> authentication as
>>>> well).
>>>>
>>>>
>>>>
>>>> This is the ldapsearch command that works
>>>> (it retrieves
>>>> users)
>>>> from the
>>>> same machine:
>>>>
>>>>
>>>>
>>>> ldapsearch -H ldap:// example.com
>>>> < http://example.com > < http://example.com >
>>>> < http://example.com >
>>>> < http://example.com > -b
>>>>
>>>> dc=example,dc=com -D user.name at a_domain -w
>>>> qwerty
>>>>
>>>>
>>>> Best regards,
>>>> Cristian Falcas
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> ______________________________ _______________________
>>>> Users mailing list
>>>> Users at ovirt.org <mailto: Users at ovirt.org >
>>>> <mailto: Users at ovirt.org <mailto: Users at ovirt.org >>
>>>> <mailto: Users at ovirt.org <mailto: Users at ovirt.org >
>>>> <mailto: Users at ovirt.org <mailto: Users at ovirt.org >>>
>>>> http://lists.ovirt.org/______ mailman/listinfo/users
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users >
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users
>>>> < http://lists.ovirt.org/__ mailman/listinfo/users >>
>>>>
>>>> < http://lists.ovirt.org/____ mailman/listinfo/users
>>>> < http://lists.ovirt.org/__ mailman/listinfo/users >
>>>> < http://lists.ovirt.org/__ mailman/listinfo/users
>>>> < http://lists.ovirt.org/ mailman/listinfo/users >>>
>>>>
>>>>
>>>>
>>>>
>>>> Hi,
>>>>
>>>>
>>>> I used "-x" for ldapsearch and the result is the
>>>> same: list
>>>> retrieved.
>>>> Is there any equivalent for engine-manage-domains?
>>>>
>>>> Cristian
>>>>
>>>> Hi Christian, there is no code allowing to add
>>>> simple-authentication
>>>> domains to Manage-Domains.
>>>> In the past we did have the ability to do that, but
>>>> there are
>>>> several problematic issues.
>>>> What ldap server are you working against? Maybe I
>>>> missed that
>>>>
>>>>
>>>>
>>>>
>>>> Hi,
>>>>
>>>> The server is a Microfost AD 2003.
>>>>
>>>> Best regards,
>>>> Cristian Falcas
>>>>
>>>>
>>>> this should work, is the AD also the DNS server for the ovirt
>>>> engine machine?
>>>>
>>>>
>>>>
>>>> yes
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Could you take a look at the tcp dump? There are only 2 messages
>>>> relevant to this (let me know if you want the full dump):
>>>>
>>>> - 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV
>>>> _kerberos._ tcp.EXAMPLE.COM
>>>> - 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response
>>>> SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0
>>>> 100 88 site3.example.com
>>>>
>>>> Also, I tries to run ldapsearch with -Y gssapi:
>>>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>>> additional info: SASL(-4): no mechanism available: No worthy mechs
>>>> found
>>>>
>>>> Best regards,
>>>> Cristian Falcas
>>>> The SRV records look fine.
>>>> If I remember correctly, your DNS should have a reverse-resolve PTR
>>>> record to your engine machine. Does it exists?
>>>>
>>>>
>>>>
>>>> I don't think so (10.0.0.xx is engine machine, 10.0.0.yyy is dns):
>>>>
>>>> [root at localhost ~]# nslookup 10.0.0.xx
>>>> Server: 10.0.0.yyy
>>>> Address: 10.0.0.yyy#53
>>>>
>>>> ** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN
>>>>
>>>> [root at localhost ~]# host 10.0.0.xx
>>>> Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
>>>>
>>>> I will ask them to add a DNS record for the machine.
>>>>
>>>> Indeed do that.
>>> In the engine we require both reverse-resolve PTR record, Kerberos SRV
>>> record and LDAP SRV record.
>>> Make sure you have all three in the DNS.
>>> The PTR + Kerberos records are used for the kerberos authentication (and
>>> constructing the krb5.conf file in the engine-manage-domains utility).
>>> The LDAP SRV record is used for the directory queries (it is used in the
>>> utility + the ovirt engine, to look for LDAP servers).
>>>
>>
>>
>> Yair - sounds like we need a how to troubleshoot AD issues?
>>
>>
>>
>
> Hi,
>
> So, after all, I was using the wrong domain. In my company we use
> everywhere (web, email, etc) as the domain "a_domain" instead of the usual
> company.com. So it worked with:
>
> engine-manage-domains -action=add -domain=company.com-provider=ActiveDirectory -user=
> user.name -passwordFile=/tmp/pass
>
> Some steps I did for my investigation:
>
> 1. test if the domain has a kerberos service:
>
> host -t srv _kerberos._tcp.company.com
>
> 2. use kinit instead of engine-manage-domains (mush faster)
> cp /etc/ovirt-engine/krb5.conf /etc/
>
> 3. test with:
> kinit user.name at company.com -V
>
>
> Just to let others know what errors I had and how I fixed them:
>
> 1. Client not found in Kerberos database while getting initial
> credentials: wrong user name
>
> 2. Cannot find KDC for requested realm: the realm you are using in the
> command line is not define in krb5.conf file.
>
> - at the beginning I was using kinit user.name at a_domain -V, but there was
> no a_domain realm defined.
> - check the file and try to update it or correct your kinit command in
> order to use the correct realm
>
> [realms]
> COMPANY.COM = {
> kdc = site1.company.com.:88
> kdc = site2.company.com.:88
> kdc = site3.company.com.:88
> }
>
>
>
> 3. KDC reply did not match expectations while getting initial credentials:
> you may have the same realm in your command line and in the krb5.conf file,
> but the server thinks this is not correct.
> - use wireshark to see what realm the server has: protocol KRB5, messages
> AS-REQ and AS-REP
>
> Thank you for all your help.
>
> Cristian
>
I forgot. Use this kinit command for tests instead:
kinit user.name
Because I was using the realm in the command line I had all of the above
problems
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20121121/4ce59d52/attachment-0001.html>
More information about the Users
mailing list