[ovirt-users] oVirt 3.6 Migrated from Legacy AD Authentication - Previously Used AD Users Can't Log In

Ondra Machacek omachace at redhat.com
Thu Oct 27 06:14:41 EDT 2016

Unfortunately no, we decided to use UPN instead of SAM account name,
because SAM account name is limited IIRC to 15 characters, while UPN is
not limited.

On 10/26/2016 08:58 PM, Beckman, Daniel wrote:
> That’s it! Some background: within our IT department most of us have a regular user account and an administrative account. For the latter account type, the UPN and SAM account name happen to be the same (e.g. jdoeadmin at example.com) whereas for regular users the UPN is something like John.Doe at example.com.  When I used the UPN name (e.g. john.doe) the login worked fine.
> We can work with that. But is there a way to change it to using SAM account name?
> Thanks,
> Daniel
> On 10/26/16, 12:58 PM, "Ondra Machacek" <omachace at redhat.com> wrote:
>     On 10/26/2016 06:31 PM, Beckman, Daniel wrote:
>     > I have been updating our oVirt 3.6 ( environment in
>     > preparation for upgrading to oVirt 4.
>     >
>     >
>     >
>     > We had been using the legacy AD connection (via engine-manage-domains),
>     > and since that’s no longer available in oVirt 4, this was a priority. (I
>     > put this off as long as I could – I found the new method a step back in
>     > ease of use.)
>     >
>     >
>     >
>     > So following the documentation I set up
>     > ‘ovirt-engine-extension-aaa-ldap’, connecting to the same Active
>     > Directory forest. It seemed to work; I was able to look up users. But
>     > none of the existing AD users that we had been using in oVirt were able
>     > to log in to the admin or user portal, using the new extension. The
>     > error is “General command validation failure.” (Whereas if you enter a
>     > wrong password, you get the expected wrong password error.) Here’s
>     > what /var/log/ovirt-engine/engine.log shows for “myuser”:
>     >
>     > {Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
>     > org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
>     > java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
>     > Extkey[name=EXTENSION_LICENSE;type=class
>     > java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
>     > 2.0, Extkey[name=EXTENSION_NOTES;type=class
>     > java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
>     > name: ovirt-engine-extension-aaa-ldap-1.1.4-1.el7,
>     > Extkey[name=EXTENSION_HOME_URL;type=class
>     > java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org,
>     > Extkey[name=EXTENSION_LOCALE;type=class
>     > java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
>     > Extkey[name=EXTENSION_NAME;type=class
>     > java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authz,
>     > Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
>     > java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
>     > Extkey[name=EXTENSION_CONFIGURATION;type=class
>     > java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
>     > Extkey[name=EXTENSION_AUTHOR;type=class
>     > java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
>     > oVirt Project, Extkey[name=AAA_AUTHZ_QUERY_MAX_FILTER_SIZE;type=class
>     > java.lang.Integer;uuid=AAA_AUTHZ_QUERY_MAX_FILTER_SIZE[2eb1f541-0f65-44a1-a6e3-014e247595f5];]=50,
>     > Extkey[name=EXTENSION_INSTANCE_NAME;type=class
>     > java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=ingramcontent.com,
>     > Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
>     > java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
>     > Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
>     > java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
>     > Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
>     > org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
>     > Extkey[name=EXTENSION_VERSION;type=class
>     > java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.1.4,
>     > Extkey[name=AAA_AUTHZ_AVAILABLE_NAMESPACES;type=interface
>     > java.util.Collection;uuid=AAA_AUTHZ_AVAILABLE_NAMESPACES[6dffa34c-955f-486a-bd35-0a272b45a711];]=[DC=ingramcontent,DC=com],
>     > Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
>     > org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authz.ingramcontent.com),
>     > Extkey[name=EXTENSION_PROVIDES;type=interface
>     > java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authz],
>     > Extkey[name=EXTENSION_CONFIGURATION_FILE;type=class
>     > java.lang.String;uuid=EXTENSION_CONFIGURATION_FILE[4fb0ffd3-983c-4f3f-98ff-9660bd67af6a];]=/etc/ovirt-engine/extensions.d/INGRAMCONTENT.COM.properties},
>     > Extkey[name=AAA_AUTHZ_QUERY_FLAGS;type=class
>     > java.lang.Integer;uuid=AAA_AUTHZ_QUERY_FLAGS[97d226e9-8d87-49a0-9a7f-af689320907b];]=3,
>     > Extkey[name=AAA_AUTHZ_PRINCIPAL;type=class
>     > java.lang.String;uuid=AAA_AUTHZ_PRINCIPAL[a3c1d5ca-f1ea-131c-86ae-a1ecbcadd6b7];]=myuser at ingramcontent.com,
>     > Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
>     > org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHZ_FETCH_PRINCIPAL_RECORD[5a5bf9bb-9336-4376-a823-26efe1ba26df],
>     > Extkey[name=AAA_AUTHN_AUTH_RECORD;type=class
>     > org.ovirt.engine.api.extensions.ExtMap;uuid=AAA_AUTHN_AUTH_RECORD[e9462168-b53b-44ac-9af5-f25e1697173e];]={Extkey[name=AAA_AUTHN_AUTH_RECORD_PRINCIPAL;type=class
>     > java.lang.String;uuid=AAA_AUTHN_AUTH_RECORD_PRINCIPAL[c3498f07-11fe-464c-958c-8bd7490b119a];]=myuser at ingramcontent.com}}
>     >
>     > {Extkey[name=EXTENSION_INVOKE_RESULT;type=class
>     > java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
>     > Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
>     > java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=Cannot
>     > resolve principal 'myuser at ingramcontent.com'}
>     "Cannot resolve principal 'myuser at ingramcontent.com'"
>     ^ This error usually means that 'myuser' has different UPN than
>     'myuser at ingramcontent.com'. ovirt-engine-extension-aaa-ldap uses UPN to
>     login instead of SAM account name. So you should check what UPN the user
>     'myuser' has and login with it.
>     >
>     >
>     >
>     > I logged in with the local ‘admin’ account and added some additional
>     > users from AD. Then I found that those newly added users **could** log
>     > in just fine. It’s only a problem with users that we had previously
>     > added when the legacy
>     >
>     > LDAP provider was used. I’ve tried removing and re-adding those existing
>     > users, but that doesn’t fix it. My hunch is that there is something left
>     > over associated with those accounts that’s breaking this. To be clear,
>     > I’ve already removed the legacy provider:
>     >
>     >
>     >
>     > engine-manage-domains list
>     >
>     > Legacy kerberos/ldap directory integration is obsoleted and will be
>     > removed in 4.0 version along with the engine-manage-domains utility.
>     > Please migrate to ovirt-engine-extension-aaa-ldap provider or contact
>     > support for assistance.
>     >
>     >
>     >
>     > Manage Domains completed successfully
>     >
>     >
>     >
>     > Where else should I look to troubleshoot? Any suggestions appreciated.
>     > Thanks!
>     >
>     >
>     >
>     > Best,
>     >
>     > Daniel
>     >
>     > _______________________________________________
>     > Users mailing list
>     > Users at ovirt.org
>     > http://lists.ovirt.org/mailman/listinfo/users
>     >
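A small triage helper, added here as an example and not part of this thread or of the oVirt project: it pulls unresolved principals out of engine.log text in the Extkey format quoted above and, against constructed AD records (example.com is a placeholder domain), shows which legacy sAMAccountName-style logins still resolve under the extension's UPN-only lookup and which UPN each user should type instead.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class AdUser:
    sam_account_name: str
    user_principal_name: str

# Constructed sample accounts; example.com stands in for the real AD forest.
SAMPLE_AD_USERS = [
    AdUser("jdoeadmin", "jdoeadmin@example.com"),   # UPN == SAM@realm: still logs in
    AdUser("jdoe", "John.Doe@example.com"),         # UPN differs: 'jdoe' no longer resolves
]

# Constructed excerpt in the engine.log format quoted in the thread.
SAMPLE_ENGINE_LOG = (
    "{Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;"
    "uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, "
    "Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;"
    "uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]="
    "Cannot resolve principal 'jdoe@example.com'}"
)
_UNRESOLVED = re.compile(r"Cannot resolve principal '([^']+)'")

def failed_principals(log_text: str) -> List[str]:
    """Principals that AAA_AUTHZ_FETCH_PRINCIPAL_RECORD failed to resolve."""
    return _UNRESOLVED.findall(log_text)

def resolve_principal(principal: str, users: List[AdUser]) -> Optional[AdUser]:
    """Match on userPrincipalName only (case-insensitive), which is what the
    aaa-ldap extension does; sAMAccountName is never consulted."""
    wanted = principal.lower()
    return next((u for u in users if u.user_principal_name.lower() == wanted), None)

def legacy_login_report(users: List[AdUser], realm: str) -> Dict[str, dict]:
    """For each account: does 'sam@realm' (the legacy-style login) still
    resolve, and which UPN should the user type instead."""
    report = {}
    for u in users:
        hit = resolve_principal(f"{u.sam_account_name}@{realm}", users)
        report[u.sam_account_name] = {"works": hit is not None,
                                      "use": u.user_principal_name}
    return report

if __name__ == "__main__":
    for p in failed_principals(SAMPLE_ENGINE_LOG):
        print("unresolved:", p)
    for sam, info in legacy_login_report(SAMPLE_AD_USERS, "example.com").items():
        print(f"{sam}: works={info['works']} use={info['use']}")
```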
