[Users] ActiveDirectory problems

Yair Zaslavsky yzaslavs at redhat.com
Sun Sep 16 06:55:13 UTC 2012



On 09/16/2012 09:01 AM, Oved Ourfalli wrote:
> <top posting>
>
> Hey,
>
> According to the call stack, it looks like something is wrong in the root DSE attributes (whether due to a bug in the engine, or some configuration that can be done in AD).
>
> Please provide us this information by using the following commands:
>
> ldapsearch -LLL -D user@example.com -h <AD-SERVER> -b "" -s base "objectClass=*"
>
> Oved

In addition to Oved's words:
When looking at the history of ADRootDSE, I see it's probably something with
the domainControllerFunctionality attribute (the attributes that we're
checking are domainControllerFunctionality, domainFunctionality and
defaultNamingContext).

However, the best approach is indeed to run the ldapsearch and provide
its output.

Yair

>
> ----- Original Message -----
>> From: "Joop" <jvdwege at xs4all.nl>
>> To: "<users at ovirt.org>" <users at ovirt.org>
>> Sent: Saturday, September 15, 2012 1:07:06 AM
>> Subject: [Users] ActiveDirectory problems
>>
>> Hi List,
>>
>> I have been reading the list for quite some time and I have a question
>> because I can't find the problem myself.
>> I have an oVirt-3.1 setup with 3 nodes (Fed17 install from LiveCD +
>> vdsm) and an engine install. So far this all works. Can create VMs,
>> can migrate them, no problems (well, one, but that's for another post:
>> vdsmd doesn't start at system start).
>> Version of oVirt that's installed:
>> Installed Packages
>> ovirt-engine.noarch                       3.1.0-2.fc17            @ovirt-beta
>> ovirt-engine-backend.noarch               3.1.0-2.fc17            @ovirt-beta
>> ovirt-engine-cli.noarch                   3.1.0.6-1.fc17          @ovirt-beta
>> ovirt-engine-config.noarch                3.1.0-2.fc17            @ovirt-beta
>> ovirt-engine-dbscripts.noarch             3.1.0-2.fc17            @ovirt-beta
>> ovirt-engine-genericapi.noarch            3.1.0-2.fc17            @ovirt-beta
>> ovirt-engine-notification-service.noarch  3.1.0-2.fc17            @ovirt-beta
>> ovirt-engine-restapi.noarch               3.1.0-2.fc17            @ovirt-beta
>> ovirt-engine-sdk.noarch                   3.1.0.4-1.fc17          @ovirt-beta
>> ovirt-engine-setup.noarch                 3.1.0-2.fc17            @ovirt-beta
>> ovirt-engine-tools-common.noarch          3.1.0-2.fc17            @ovirt-beta
>> ovirt-engine-userportal.noarch            3.1.0-2.fc17            @ovirt-beta
>> ovirt-engine-webadmin-portal.noarch       3.1.0-2.fc17            @ovirt-beta
>> ovirt-image-uploader.noarch               3.1.0-0.git9c42c8.fc17  @ovirt-beta
>> ovirt-iso-uploader.noarch                 3.1.0-0.git1841d9.fc17  @ovirt-beta
>> ovirt-log-collector.noarch                3.1.0-0.git10d719.fc17  @ovirt-beta
>>
>> Next step is integrating with our AD setup. Ran engine-manage-domains
>> -action=add -provider=ActiveDirectory -domain=nieuwland.local
>> -user=admin -interactive
>> Message is:
>> WARNING: No permissions were added to the Engine. Login either with
>> the
>> internal admin user or with another configured user
>> Successfully added domain nieuwland.local. oVirt Engine restart is
>> required in order for the changes to take place (service
>> Manage Domains completed successfully
>>
>> The specified admin is a DomainAdministrator.
>>
>> The logfile in /var/log/engine/engine-manage-domains also says OK.
>> The resulting krb5.conf in /etc/ovirt-engine also looks OK. The AD
>> servers are resolvable forward and backward.
>> Then I'm lost, because when I log into the Admin portal with the
>> internal admin account, go to the Users tab and want to add a user from
>> the nieuwland.local realm, myself (jvandewege), it won't work and I get
>> the following in engine.log
>>
>> 2012-09-14 12:55:26,104 ERROR
>> [org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
>> (ajp--0.0.0.0-8009-12) Failed ldap search server
>> LDAP://digit.nieuwland.local:389 due to
>> java.lang.NullPointerException.
>> We should try the next server: java.lang.NullPointerException
>>      at
>> org.ovirt.engine.core.bll.adbroker.ADRootDSE.<init>(ADRootDSE.java:26)
>> [engine-bll.jar:]
>>      at
>> org.ovirt.engine.core.bll.adbroker.RootDSEFactory.get(RootDSEFactory.java:14)
>> [engine-bll.jar:]
>>      at
>> org.ovirt.engine.core.bll.adbroker.GetRootDSETask.setRootDSE(GetRootDSETask.java:97)
>> [engine-bll.jar:]
>>      at
>> org.ovirt.engine.core.bll.adbroker.GetRootDSETask.call(GetRootDSETask.java:68)
>> [engine-bll.jar:]
>>      at
>> org.ovirt.engine.core.bll.adbroker.DirectorySearcher.find(DirectorySearcher.java:91)
>> [engine-bll.jar:]
>>      at
>> org.ovirt.engine.core.bll.adbroker.DirectorySearcher.FindOne(DirectorySearcher.java:39)
>> [engine-bll.jar:]
>>      at
>> org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand.executeQuery(LdapAuthenticateUserCommand.java:44)
>> [engine-bll.jar:]
>>      at
>> org.ovirt.engine.core.bll.adbroker.LdapBrokerCommandBase.Execute(LdapBrokerCommandBase.java:68)
>> [engine-bll.jar:]
>>      at
>> org.ovirt.engine.core.bll.adbroker.LdapBrokerBase.RunAdAction(LdapBrokerBase.java:18)
>> [engine-bll.jar:]
>>      at
>> org.ovirt.engine.core.bll.LoginUserCommand.authenticateUser(LoginUserCommand.java:30)
>> [engine-bll.jar:]
>>      at
>> org.ovirt.engine.core.bll.LoginBaseCommand.isUserCanBeAuthenticated(LoginBaseCommand.java:177)
>> [engine-bll.jar:]
>>      at
>> org.ovirt.engine.core.bll.LoginAdminUserCommand.canDoAction(LoginAdminUserCommand.java:14)
>> [engine-bll.jar:]
>>      at
>> org.ovirt.engine.core.bll.CommandBase.InternalCanDoAction(CommandBase.java:486)
>> [engine-bll.jar:]
>>      at
>> org.ovirt.engine.core.bll.CommandBase.ExecuteAction(CommandBase.java:261)
>> [engine-bll.jar:]
>>      at org.ovirt.engine.core.bll.Backend.Login(Backend.java:481)
>> [engine-bll.jar:]
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> [rt.jar:1.7.0_05-icedtea]
>>      at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> [rt.jar:1.7.0_05-icedtea]
>>      at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> [rt.jar:1.7.0_05-icedtea]
>>      at java.lang.reflect.Method.invoke(Method.java:601)
>> [rt.jar:1.7.0_05-icedtea]
>>      at
>> org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72)
>> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>>      at
>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
>> [jboss-invocation.jar:1.1.1.Final]
>>      at
>> org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:374)
>> [jboss-invocation.jar:1.1.1.Final]
>>      at
>> org.ovirt.engine.core.utils.ThreadLocalSessionCleanerInterceptor.injectWebContextToThreadLocal(ThreadLocalSessionCleanerInterceptor.java:11)
>> [engine-utils.jar:]
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> [rt.jar:1.7.0_05-icedtea]
>>      at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> [rt.jar:1.7.0_05-icedtea]
>>      at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> [rt.jar:1.7.0_05-icedtea]
>>      at java.lang.reflect.Method.invoke(Method.java:601)
>> [rt.jar:1.7.0_05-icedtea]
>>      at
>> org.jboss.as.ee.component.ManagedReferenceLifecycleMethodInterceptorFactory$ManagedReferenceLifecycleMethodInterceptor.processInvocation(ManagedReferenceLifecycleMethodInterceptorFactory.java:123)
>> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>>      at
>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
>> [jboss-invocation.jar:1.1.1.Final]
>>      at
>> org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53)
>> [jboss-invocation.jar:1.1.1.Final]
>>      at
>> org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:36)
>> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>>      at
>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
>> [jboss-invocation.jar:1.1.1.Final]
>>      at
>> org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21)
>> [jboss-invocation.jar:1.1.1.Final]
>>      at
>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
>> [jboss-invocation.jar:1.1.1.Final]
>>      at
>> org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
>> [jboss-invocation.jar:1.1.1.Final]
>>      at
>> org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53)
>> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>>      at
>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
>> [jboss-invocation.jar:1.1.1.Final]
>>      at
>> org.jboss.as.ejb3.component.singleton.SingletonComponentInstanceAssociationInterceptor.processInvocation(SingletonComponentInstanceAssociationInterceptor.java:53)
>> [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>>      at
>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
>> [jboss-invocation.jar:1.1.1.Final]
>>      at
>> org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInNoTx(CMTTxInterceptor.java:211)
>> [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>>      at
>> org.jboss.as.ejb3.tx.CMTTxInterceptor.supports(CMTTxInterceptor.java:363)
>> [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>>      at
>> org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:194)
>> [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>>      at
>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
>> [jboss-invocation.jar:1.1.1.Final]
>>      at
>> org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
>> [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>>      at
>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
>> [jboss-invocation.jar:1.1.1.Final]
>>      at
>> org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59)
>> [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
>>      at
>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
>> [jboss-invocation.jar:1.1.1.Final]
>>      at
>> org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
>> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>>      at
>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
>> [jboss-invocation.jar:1.1.1.Final]
>>      at
>> org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45)
>> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>>      at
>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
>> [jboss-invocation.jar:1.1.1.Final]
>>      at
>> org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
>> [jboss-invocation.jar:1.1.1.Final]
>>      at
>> org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165)
>> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>>      at
>> org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:173)
>> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>>      at
>> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
>> [jboss-invocation.jar:1.1.1.Final]
>>      at
>> org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
>> [jboss-invocation.jar:1.1.1.Final]
>>      at
>> org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72)
>> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>>      at
>> org.ovirt.engine.core.common.interfaces.BackendLocal$$$view9.Login(Unknown
>> Source) [engine-common.jar:]
>>      at
>> org.ovirt.engine.ui.frontend.server.gwt.GenericApiGWTServiceImpl.Login(GenericApiGWTServiceImpl.java:157)
>>
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> [rt.jar:1.7.0_05-icedtea]
>>      at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> [rt.jar:1.7.0_05-icedtea]
>>      at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> [rt.jar:1.7.0_05-icedtea]
>>      at java.lang.reflect.Method.invoke(Method.java:601)
>> [rt.jar:1.7.0_05-icedtea]
>>      at
>>      com.google.gwt.rpc.server.RPC.invokeAndStreamResponse(RPC.java:196)
>>      at
>> com.google.gwt.rpc.server.RpcServlet.processCall(RpcServlet.java:161)
>>      at
>> com.google.gwt.rpc.server.RpcServlet.processPost(RpcServlet.java:222)
>>      at
>> com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
>>
>>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
>> [jboss-servlet-3.0-api.jar:1.0.1.Final]
>>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
>> [jboss-servlet-3.0-api.jar:1.0.1.Final]
>>      at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329)
>>
>>      at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
>>
>>      at
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
>>
>>      at
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
>>
>>      at
>> org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
>>
>>      at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
>>
>>      at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>
>>      at
>>      org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:466)
>>      at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>
>>      at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
>>      at
>>      org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:505)
>>      at
>> org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:445)
>>
>>      at
>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
>>      at java.lang.Thread.run(Thread.java:722)
>>      [rt.jar:1.7.0_05-icedtea]
>>
>> 2012-09-14 12:55:26,124 ERROR
>> [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand]
>> (ajp--0.0.0.0-8009-12) Failed authenticating user: admin to domain
>> nieuwland.local. Ldap Query Type is getUserByName
>> 2012-09-14 12:55:26,125 ERROR
>> [org.ovirt.engine.core.bll.LoginAdminUserCommand]
>> (ajp--0.0.0.0-8009-12)
>> USER_FAILED_TO_AUTHENTICATE : admin
>> 2012-09-14 12:55:26,125 WARN
>> [org.ovirt.engine.core.bll.LoginAdminUserCommand]
>> (ajp--0.0.0.0-8009-12)
>> CanDoAction of action LoginAdminUser failed.
>> Reasons:USER_FAILED_TO_AUTHENTICATE
>> 2012-09-14 12:57:07,027 INFO
>> [org.ovirt.engine.core.bll.LoginAdminUserCommand]
>> (ajp--0.0.0.0-8009-5)
>> Checking if user admin at internal is an admin, result true
>> 2012-09-14 12:57:07,029 INFO
>> [org.ovirt.engine.core.bll.LoginAdminUserCommand]
>> (ajp--0.0.0.0-8009-5)
>> Running command: LoginAdminUserCommand internal: false.
>>
>> Using Wireshark I don't see what I expected namely a well formed ldap
>> search and a result. Can provide the dmp if needed.
>>
>> Anyone had any luck and is willing to help me out?
>>
>> Thanks in advance,
>>
>> Joop
>>
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>
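
Added example (not part of the original thread, and not oVirt code): one way to check the requested ldapsearch output for the three root DSE attributes named in the reply above, so a missing one is reported by name instead of surfacing as a NullPointerException. The function names and both sample outputs are constructed for illustration.

```python
import base64

# The three root DSE attributes the reply says ADRootDSE checks.
REQUIRED = ("domainControllerFunctionality", "domainFunctionality",
            "defaultNamingContext")

# Constructed sample outputs (not taken from the thread).
SAMPLE_OK = """dn:
defaultNamingContext: DC=example,DC=test
domainFunctionality: 0
domainControllerFunctionality: 4
"""
SAMPLE_MISSING = """dn:
defaultNamingContext: DC=exa
 mple,DC=test
domainFunctionality: 2
supportedLDAPVersion: 3
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line: continues previous
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):               # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry

def missing_rootdse_attributes(ldif_text):
    """Return the required attributes that are absent or have only empty values."""
    entry = parse_ldif_entry(ldif_text)
    return [a for a in REQUIRED if not any(entry.get(a.lower(), []))]

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING)):
        print(label, "->", missing_rootdse_attributes(sample) or "all present")
```

Attribute names are compared case-insensitively, and a value of 0 counts as present.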


