[Users] Problem running engine-manage-domain on oVirt 3.1.0-4

Trevor Galloway trevgall at googlemail.com
Fri Jul 26 12:54:35 UTC 2013


Thanks Itamar for the suggestion - however the `-action=edit` fails since
the currently configured user account is inactive within the active
directory - it looks as if there is an initial authentication that needs to
validate before the edit can proceed ... :(

Hence my query about being able to reset the underlying username that
engine-manage-domains uses?

Thanks
Trevor




On 26 July 2013 12:01, Itamar Heim <iheim at redhat.com> wrote:

> On 07/26/2013 01:55 PM, Trevor Galloway wrote:
>
>> Thanks Yair,
>> I made the changes to the engine-manage-domains script as suggested in
>> the gerrit link - that now works just fine, and also confirms what I
>> thought the problem was all along - namely that the configured username
>> returned on a `engine-manage-domains --action=list` is that of the
>> previous admin.
>> The problem being that their account is no longer valid within the
>> active directory, hence validation fails.
>> I've trawled the various ovirt config directories but can't find a
>> resource that holds the username to use on the LDAP query. Presumably
>> this is something that gets setup at install time?
>> Is there a way to re-configure the underlying username?
>>
>
> engine-manage-domains should allow you to set the user used in the ldap
> query via -action=list.
> then you can use -action=edit to update it
>
>> Many thanks,
>> Trevor
>>
>>
>> On 25 July 2013 22:29, Yair Zaslavsky <yzaslavs at redhat.com> wrote:
>>
>>
>>
>>     ----- Original Message -----
>>      > From: "Trevor Galloway" <trevgall at googlemail.com>
>>      > To: users at ovirt.org
>>      > Sent: Thursday, July 25, 2013 7:51:56 PM
>>      > Subject: [Users] Problem running engine-manage-domain on oVirt 3.1.0-4
>>      >
>>      > Hello oVirt Users,
>>      >
>>      >
>>      >
>>      > Just signed up to the user mailing list and have a question
>>      > regarding an error being reported to stdout when running
>>      > engine-manage-domains.
>>      >
>>      >
>>      >
>>      > When running the `engine-manage-domains` utility from the command
>>      > line I see the following error reported:
>>      >
>>      > [root at hive ovirt-engine]# engine-manage-domains -action=list
>>      >
>>      > Failed reading current configuration. Details: Error "Key for add operation must be defined!" while reading configuration value AdUserName.
>>      >
>>      >
>>      >
>>      > A quick Google on this leads directly to Bugzilla – Bug 883846 –
>>      > which looks like it’s fixed in the 3.2 version. Can anyone confirm
>>      > that? I’ve inherited a DL580 running oVirt Manager and a bunch of
>>      > VMs, and don’t really want to undertake an upgrade just now if I
>>      > don’t have to.
>>
>>     This is indeed the issue.
>>
>>      >
>>      >
>>      >
>>      >
>>      >
>>      > The real problem seems to be that I can’t assign a user with any
>>      > roles since the ldap lookup to the active server fails – due, I
>>      > think, to the fact that the query is configured to authenticate
>>      > with the previous admin’s credentials – they left and the account
>>      > is now disabled. :)
>>      >
>>      >
>>      >
>>      > From the /var/log/ovirt-engine/engine.log
>>      >
>>      > 2013-07-25 11:32:15,574 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--0.0.0.0-8009-1) Authentication failed. The user is either locked or disabled
>>      >
>>      > 2013-07-25 11:32:15,575 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-1) Failed ldap search server LDAP://<my_active_directory>:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
>>      >
>>      >
>>      > The above gets written out as soon as I hit the Go button in the
>>      > Add System Permission to User dialogue window.
>>
>>     engine-manage-domains uses engine-config and provides its a
>>     configuration (after the above bug fix) with keys in form of "key=".
>>     If you really don't want to upgrade, maybe you should consider
>>     editing the engine-manage-domains script, as in
>>
>>     http://gerrit.ovirt.org/#/c/9743/3/backend/manager/conf/kerberos/engine-manage-domains
>>     ?
>>
>>     You will have to do that for any altering operations on domains and
>>     their associated users.
>>
>>     Please let us know if it worked for you
>>
>>     Many thanks,
>>     Yair
>>
>>
>>      >
>>      >
>>      >
>>      > Thanks in advance for any advice!
>>      >
>>      > _______________________________________________
>>      > Users mailing list
>>      > Users at ovirt.org
>>      > http://lists.ovirt.org/mailman/listinfo/users
>>
>>      >
>>
>