[Users] I don't know how to add AD users

Itamar Heim iheim at redhat.com
Wed Nov 21 20:49:50 UTC 2012


On 11/21/2012 09:40 PM, Cristian Falcas wrote:
>
>
>
> On Wed, Nov 21, 2012 at 9:37 PM, Cristian Falcas <cristi.falcas at gmail.com> wrote:
>
>
>
>
>     On Wed, Nov 21, 2012 at 8:10 AM, Itamar Heim <iheim at redhat.com> wrote:
>
>         On 11/21/2012 08:09 AM, Oved Ourfalli wrote:
>
>
>
>             ----- Original Message -----
>
>                 From: "Cristian Falcas" <cristi.falcas at gmail.com>
>                 To: "Yair Zaslavsky" <yzaslavs at redhat.com>
>                 Cc: users at ovirt.org
>                 Sent: Wednesday, November 21, 2012 6:40:34 AM
>                 Subject: Re: [Users] I don't know how to add AD users
>
>
>
>
>
>
>
>                 On Wed, Nov 21, 2012 at 5:05 AM, Yair Zaslavsky <yzaslavs at redhat.com> wrote:
>
>
>
>
>
>
>
>
>
>
>                 From: "Cristian Falcas" <cristi.falcas at gmail.com>
>                 To: "Itamar Heim" <iheim at redhat.com>
>                 Cc: "Yair Zaslavsky" <yzaslavs at redhat.com>, users at ovirt.org
>                 Sent: Tuesday, November 20, 2012 7:33:39 PM
>                 Subject: Re: [Users] I don't know how to add AD users
>
>
>
>
>
>
>
>
>                 On Tue, Nov 20, 2012 at 3:08 PM, Itamar Heim <iheim at redhat.com> wrote:
>
>
>
>                 On 11/20/2012 03:00 PM, Cristian Falcas wrote:
>
>
>                 Hi,
>
>                 So there is no way to use the domain I have at work, right?
>
>                 I will need to make a freeipa installation in order to add new users.
>
>                 there is no reason this shouldn't work with active directory 2003
>                 (assuming its forest level isn't still in AD 2000 compatibility mode?).
>                 tcpdump for the traffic during engine-manage-domains should help
>                 diagnose why.
>
>
>
>
>
>                 Cristian
>
>
>                 On Tue, Nov 20, 2012 at 10:11 AM, Cristian Falcas <cristi.falcas at gmail.com> wrote:
>
>
>
>
>                 On Tue, Nov 20, 2012 at 9:58 AM, Itamar Heim <iheim at redhat.com> wrote:
>
>                 On 11/20/2012 09:56 AM, Cristian Falcas wrote:
>
>
>
>
>                 On Tue, Nov 20, 2012 at 9:42 AM, Yair Zaslavsky <yzaslavs at redhat.com> wrote:
>
>
>
>                 On 11/20/2012 09:05 AM, Cristian Falcas wrote:
>
>
>
>
>                 On Tue, Nov 20, 2012 at 8:36 AM, Yair Zaslavsky <yzaslavs at redhat.com> wrote:
>
>
>
>                 On 11/20/2012 12:39 AM, Cristian Falcas wrote:
>
>
>
>                 On Mon, Nov 19, 2012 at 10:53 PM, Itamar Heim <iheim at redhat.com> wrote:
>
>                 On 11/19/2012 11:29 AM, Vinzenz Feenstra wrote:
>
>                 On 11/19/2012 10:01 AM, Cristian Falcas wrote:
>
>                 Hi,
>
>                 I'm trying to add some users to ovirt using an AD.
>
>                 This is the configuration I used for a mediawiki site, which is
>                 working correctly:
>                 $wgAuth = new LdapAuthenticationPlugin();
>                 $wgLDAPUseLocal = true;
>                 $wgLDAPDomainNames = array("a_domain");
>                 $wgLDAPServerNames = array("a_domain"=>"site.example.com");
>                 $wgLDAPEncryptionType = array("a_domain"=>"clear");
>                 $wgLDAPSearchStrings = array("a_domain"=>"rom_domain\\USER-NAME");
>                 $wgLDAPBaseDNs = array("a_domain"=>"dc=company,dc=com");
>
>
>
>
>
>
>                 Those are the commands I tried using:
>                 engine-manage-domains -action=add -domain=site.example.com -provider=ActiveDirectory -user=user.name -interactive
>
>
>                 engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@company.com -interactive
>
>
>                 engine-manage-domains -action=add -domain=a_domain -provider=ActiveDirectory -user=user.name@site.example.com -interactive
>
>
>                 You don't add a user this way. You add the domain. You have to
>                 pass the domain admin user and the domain admin password.
>
>
>                 any domain user will do, doesn't have to be an admin.
>                 what does the log say?
>
>
>                 Then you can use the domain within the engine. e.g. search users,
>                 add access rights for vms etc. Even login to the engine and
>                 assigning rights within the engine you can handle from the engine
>                 itself.
>
>                 Regards,
>
>                 And the output on all tries:
>                 Enter password:
>
>                 Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct..
>                 Problematic domain is: domain_used_in_command
>                 Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
>
>                 Can someone help me with the correct parameters?
>
>
>                 Best regards,
>                 Cristian Falcas
>
>
>
>
>                 _______________________________________________
>                 Users mailing list
>                 Users at ovirt.org
>                 http://lists.ovirt.org/mailman/listinfo/users
>
>
>
>                 --
>                 Regards,
>
>                 Vinzenz Feenstra | Senior Software Engineer
>                 RedHat Engineering Virtualization R & D
>                 Phone: +420 532 294 625
>                 IRC: vfeenstr or evilissimo
>
>                 Better technology. Faster innovation. Powered by community collaboration.
>                 See how it works at redhat.com
>
>
>
>
>
>
>
>
>
>
>
>
>
>                 Hi,
>
>                 This is the command I used (the same error is with -interactive parameter):
>
>                 engine-manage-domains -action=add -domain=example.com -provider=ActiveDirectory -user=user.name@a_domain -passwordFile=/tmp/pass
>
>                 [root@localhost ~]# cat /tmp/pass
>                 qwerty[root@localhost ~]#
>
>                 This is the log:
>
>                 2012-11-20 00:30:40,443 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): example.com
>                 2012-11-20 00:30:40,525 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): example.com
>                 2012-11-20 00:30:40,526 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: example.com
>                 2012-11-20 00:30:40,830 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: Cannot locate KDC
>                 2012-11-20 00:30:40,851 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain example.com. Details: Kerberos error. Please check log for further details.
>
>
>                 Hi, the error indicates you don't have kerberos configured.
>                 manage-domains validates by default using GSSAPI/Kerberos (if I
>                 understand correctly, this is equivalent to running ldapsearch with
>                 the -Y gssapi option).
>                 I wonder if -x (simple authentication) will work for you as well (as
>                 manage-domains contains code for simple authentication as well).
>
>
>
>                 This is the ldapsearch command that works (it retrieves users) from
>                 the same machine:
>
>                 ldapsearch -H ldap://example.com -b dc=example,dc=com -D user.name@a_domain -w qwerty
>
>
>                 Best regards,
>                 Cristian Falcas
>
>
>
>
>
>
>
>
>
>                 Hi,
>
>
>                 I used "-x" for ldapsearch and the result is the same: list retrieved.
>                 Is there any equivalent for engine-manage-domains?
>
>                 Cristian
>
>                 Hi Cristian, there is no code allowing to add simple-authentication
>                 domains to Manage-Domains.
>                 In the past we did have the ability to do that, but there are several
>                 problematic issues.
>                 What ldap server are you working against? Maybe I missed that
>
>
>
>
>                 Hi,
>
>                 The server is a Microsoft AD 2003.
>
>                 Best regards,
>                 Cristian Falcas
>
>
>                 this should work, is the AD also the DNS server for the ovirt
>                 engine machine?
>
>
>
>                 yes
>
>
>
>
>
>                 Could you take a look at the tcp dump? There are only 2 messages
>                 relevant to this (let me know if you want the full dump):
>
>                 - 2091 12.423634 10.0.0.xx 10.0.0.yyy DNS 87 Standard query SRV _kerberos._tcp.EXAMPLE.COM
>                 - 2092 12.424357 10.0.0.yyy 10.0.0.xx DNS 245 Standard query response SRV 0 100 88 site1.example.com SRV 0 100 88 site2.example.com SRV 0 100 88 site3.example.com
>
>                 Also, I tried to run ldapsearch with -Y gssapi:
>                 ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>                 additional info: SASL(-4): no mechanism available: No worthy mechs found
>
>                 Best regards,
>                 Cristian Falcas
>
>                 The SRV records look fine.
>                 If I remember correctly, your DNS should have a reverse-resolve PTR
>                 record to your engine machine. Does it exist?
>
>
>
>                 I don't think so (10.0.0.xx is engine machine, 10.0.0.yyy is dns):
>
>                 [root@localhost ~]# nslookup 10.0.0.xx
>                 Server: 10.0.0.yyy
>                 Address: 10.0.0.yyy#53
>
>                 ** server can't find xx.0.0.10.in-addr.arpa.: NXDOMAIN
>
>                 [root@localhost ~]# host 10.0.0.xx
>                 Host xx.0.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
>
>                 I will ask them to add a DNS record for the machine.
>
>             Indeed do that.
>             In the engine we require both reverse-resolve PTR record,
>             Kerberos SRV record and LDAP SRV record.
>             Make sure you have all three in the DNS.
>             The PTR + Kerberos records are used for the kerberos
>             authentication (and constructing the krb5.conf file in the
>             engine-manage-domains utility).
>             The LDAP SRV record is used for the directory queries (it is
>             used in the utility + the ovirt engine, to look for LDAP
>             servers).
>
>
>
>         Yair - sounds like we need a how to troubleshoot AD issues?
>
>
>
>
>     Hi,
>
>     So, after all, I was using the wrong domain. In my company we use
>     everywhere (web, email, etc) as the domain "a_domain" instead of the
>     usual company.com. So it worked with:
>
>     engine-manage-domains -action=add -domain=company.com -provider=ActiveDirectory -user=user.name -passwordFile=/tmp/pass
>
>     Some steps I did for my investigation:
>
>     1. test if the domain has a kerberos service:
>
>     host -t srv _kerberos._tcp.company.com
>
>     2. use kinit instead of engine-manage-domains (much faster)
>     cp /etc/ovirt-engine/krb5.conf /etc/
>
>     3. test with:
>     kinit user.name@company.com -V
>
>     Just to let others know what errors I had and how I fixed them:
>
>     1. Client not found in Kerberos database while getting initial
>     credentials: wrong user name
>
>     2. Cannot find KDC for requested realm: the realm you are using in
>     the command line is not defined in the krb5.conf file.
>
>     - at the beginning I was using kinit user.name@a_domain -V, but
>     there was no a_domain realm defined.
>     - check the file and try to update it or correct your kinit command
>     in order to use the correct realm
>
>     [realms]
>     COMPANY.COM = {
>                      kdc = site1.company.com.:88
>                      kdc = site2.company.com.:88
>                      kdc = site3.company.com.:88
>              }
>
>     3. KDC reply did not match expectations while getting initial
>     credentials: you may have the same realm in your command line and in
>     the krb5.conf file, but the server thinks this is not correct.
>     - use wireshark to see what realm the server has: protocol KRB5,
>     messages AS-REQ and AS-REP
>
>     Thank you for all your help.
>
>     Cristian
>
>
>
> I forgot. Use this kinit command for tests instead:
>
> kinit user.name
>
> Because I was using the realm in the command line I had all of the above
> problems.

do you mind adding these to a wiki for steps to troubleshoot for the 
next one to tackle this?

thanks,
    Itamar
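The preconditions the thread ends up checking by hand (the realm named on the kinit command line must exist under [realms] in krb5.conf, the domain must publish _kerberos._tcp SRV records, and the engine host needs a PTR record) as an offline preflight check. This is an added example, not part of the thread and not ovirt's own code; the krb5.conf fragment and the `host -t srv` output are constructed from the values quoted above, and the PTR result is passed in as a flag.

```python
"""Offline preflight for the krb5.conf / DNS checks discussed in the thread."""
import re

# Constructed krb5.conf fragment in the shape engine-manage-domains writes
# (realm and KDC names are the placeholders used in the thread).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = COMPANY.COM

[realms]
COMPANY.COM = {
    kdc = site1.company.com.:88
    kdc = site2.company.com.:88
    kdc = site3.company.com.:88
}
"""

# Constructed output in the style of `host -t srv _kerberos._tcp.company.com`.
SAMPLE_SRV_OUTPUT = """\
_kerberos._tcp.company.com has SRV record 0 100 88 site1.company.com.
_kerberos._tcp.company.com has SRV record 0 100 88 site2.company.com.
"""


def parse_krb5_conf(text):
    """Return (default_realm, {REALM: [kdc, ...]}) from a krb5.conf string."""
    default_realm = None
    realms = {}
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults":
            key, _, val = line.partition("=")
            if key.strip() == "default_realm":
                default_realm = val.strip()
        elif section == "realms":
            opener = re.match(r"([^\s=]+)\s*=\s*\{", line)
            if opener:
                current = opener.group(1)
                realms.setdefault(current, [])
            elif line == "}":
                current = None
            elif current:
                key, _, val = line.partition("=")
                if key.strip() == "kdc":
                    realms[current].append(val.strip())
    return default_realm, realms


def parse_srv_output(text):
    """Parse `host -t srv` lines into (priority, weight, port, target) tuples."""
    records = []
    for line in text.splitlines():
        m = re.search(r"has SRV record (\d+) (\d+) (\d+) (\S+)", line)
        if m:
            pri, weight, port, target = m.groups()
            records.append((int(pri), int(weight), int(port), target.rstrip(".")))
    return records


def diagnose(principal, krb5_text, srv_text, ptr_resolves):
    """Return the list of missing preconditions, mapped to the kinit errors
    the thread lists; an empty list means the preflight passed."""
    findings = []
    default_realm, realms = parse_krb5_conf(krb5_text)
    _user, _, realm = principal.partition("@")
    # `kinit user.name` with no realm falls back to default_realm, which is
    # why the bare form worked for the poster.
    effective = realm or default_realm
    if effective is None:
        findings.append("no realm in principal and no default_realm in krb5.conf")
    elif effective not in realms:
        # "Cannot find KDC for requested realm": the realm on the command
        # line (e.g. a_domain) has no [realms] entry.
        findings.append("realm %s not defined in krb5.conf" % effective)
    elif not realms[effective]:
        findings.append("realm %s has no kdc entries" % effective)
    if not parse_srv_output(srv_text):
        findings.append("no _kerberos._tcp SRV records returned")
    if not ptr_resolves:
        # NXDOMAIN on reverse lookup of the engine IP, as in the thread.
        findings.append("no PTR record for the engine host")
    return findings


if __name__ == "__main__":
    for p in ("user.name@COMPANY.COM", "user.name@a_domain", "user.name"):
        print(p, diagnose(p, SAMPLE_KRB5_CONF, SAMPLE_SRV_OUTPUT, True))
```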

