[Users] Problem running engine-manage-domain on oVirt 3.1.0-4

Itamar Heim iheim at redhat.com
Fri Jul 26 09:29:28 EDT 2013


On 07/26/2013 03:54 PM, Trevor Galloway wrote:
> Thanks Itamar for the suggestion - however the `-action=edit` fails
> since the currently configured user account is inactive within the
> active directory - it looks as if there is an initial authentication
> that needs to validate before the edit can proceed ... :(
> Hence my query about being able to reset the underlying username that
> engine-manage-domains uses?

you can delete the domain, then add it.
(and i'd expect edit allows you to set the new user and use it, strange 
it will fail you)

> Thanks
> Trevor
>
>
> On 26 July 2013 12:01, Itamar Heim <iheim at redhat.com
> <mailto:iheim at redhat.com>> wrote:
>
>     On 07/26/2013 01:55 PM, Trevor Galloway wrote:
>
>         Thanks Yair,
>         I made the changes to the engine-manage-domains script as
>         suggested in
>         the gerrit link - that now works just fine, and also confirms what I
>         thought the problem was all along - namely that the configured
>         username
>         returned on a `engine-manage-domains --action=list` is that of the
>         previous admin.
>         The problem being that their account is no longer valid within the
>         active directory, hence validation fails.
>         I've trawled the various ovirt config directories but can't find a
>         resource that holds the username to use on the LDAP query.
>         Presumably
>         this is something that gets setup at install time?
>         Is there a way to re-configure the underlying username?
>
>
>     engine-manage-domains should allow you to set the user used in the
>     ldap query via -action=list.
>     then you can use -action=edit to update it
>
>         Many thanks,
>         Trevor
>
>
>         On 25 July 2013 22:29, Yair Zaslavsky <yzaslavs at redhat.com
>         <mailto:yzaslavs at redhat.com>
>         <mailto:yzaslavs at redhat.com <mailto:yzaslavs at redhat.com>>> wrote:
>
>
>
>              ----- Original Message -----
>               > From: "Trevor Galloway" <trevgall at googlemail.com
>         <mailto:trevgall at googlemail.com>
>              <mailto:trevgall at googlemail.__com
>         <mailto:trevgall at googlemail.com>>>
>               > To: users at ovirt.org <mailto:users at ovirt.org>
>         <mailto:users at ovirt.org <mailto:users at ovirt.org>>
>               > Sent: Thursday, July 25, 2013 7:51:56 PM
>               > Subject: [Users] Problem running engine-manage-domain on
>         oVirt
>              3.1.0-4
>               >
>               > Hello oVirt Users,
>               >
>               >
>               >
>               > Just signed up to the user mailing list and have a question
>              regarding an
>               > error being reported to stdout when running
>         engine-manage-domains.
>               >
>               >
>               >
>               > When running the `engine-manage-domains` utility from
>         the command
>              line I
>               > see the following error reported:
>               >
>               >
>               >
>               > *[root at hive ovirt-engine]# engine-manage-domains
>         -action=list*
>               >
>               > *Failed reading current configuration. Details: Error
>         "Key for add
>               > operation must be defined!" while reading configuration
>         value
>              AdUserName.*
>               >
>               >
>               >
>               > A quick Google on this leads directly to Bugzilla – Bug
>         883846 –
>              which
>               > looks like it’s fixed in the 3.2 version. Can anyone confirm
>              that? I’ve
>               > inherited a DL580 running oVirt Manager and a bunch of
>         VM’s, and
>              don’t
>               > really want to undertake an upgrade just now if I don’t
>         have to.
>
>              This is indeed the issue.
>
>               >
>               >
>               >
>               >
>               >
>               > The real problem seems to be that I can’t assign a user
>         with any
>              roles
>               > since the ldap lookup to the active server fails – due,
>         I think,
>              to the
>               > fact that the query is configured to authenticate with the
>              previous admins
>               > credentials – they left and the account is now disabled. J
>               >
>               >
>               >
>               > From the /var/log/ovirt-engine/engine.__log
>               >
>               >  *2013-07-25 11:32:15,574 ERROR
>               >
>
>         [org.ovirt.engine.core.bll.__adbroker.__GSSAPIDirContextAuthentication__Strategy]
>               > (ajp--0.0.0.0-8009-1) Authentication failed. The user is
>         either
>              locked or
>               > disabled*
>               >
>               > *2013-07-25 11:32:15,575 ERROR
>               > [org.ovirt.engine.core.bll.__adbroker.DirectorySearcher]
>               > (ajp--0.0.0.0-8009-1) Failed ldap search server
>               > LDAP://<my_active_directory>:__389 due to
>               >
>
>         org.ovirt.engine.core.bll.__adbroker.__EngineDirectoryServiceExceptio__n.
>         We
>               > should not try the next server:
>               >
>         org.ovirt.engine.core.bll.__adbroker.__EngineDirectoryServiceExceptio__n*
>               >
>               > * *
>               >
>               > The above gets written out as soon as I hit the Go
>         button in the
>              Add System
>               > Permission to User dialogue window.
>
>              engine-manage-domains uses engine-config and provides its a
>              configuration (after the above bug fix) with keys in form
>         of "key=".
>              If you really don't want to upgrade, maybe you should consider
>              editing the engine-manage-domains script, as in
>
>         http://gerrit.ovirt.org/#/c/__9743/3/backend/manager/conf/__kerberos/engine-manage-domains
>         <http://gerrit.ovirt.org/#/c/9743/3/backend/manager/conf/kerberos/engine-manage-domains>
>              ?
>
>              You will have to do that for any altering operations on
>         domains and
>              their associated users.
>
>              Please let us know if it worked for you
>
>              Many thanks,
>              Yair
>
>
>               >
>               >
>               >
>               > Thanks in advance for any advice!
>               >
>               > _________________________________________________
>               > Users mailing list
>               > Users at ovirt.org <mailto:Users at ovirt.org>
>         <mailto:Users at ovirt.org <mailto:Users at ovirt.org>>
>               > http://lists.ovirt.org/__mailman/listinfo/users
>         <http://lists.ovirt.org/mailman/listinfo/users>
>
>               >
>
>
>
>
>         _________________________________________________
>         Users mailing list
>         Users at ovirt.org <mailto:Users at ovirt.org>
>         http://lists.ovirt.org/__mailman/listinfo/users
>         <http://lists.ovirt.org/mailman/listinfo/users>
>
>
>



More information about the Users mailing list