Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
- Original Message -
From: Juan Jose jj197...@gmail.com
To: Alon Bar-Lev alo...@redhat.com, Yair Zaslavsky yzasl...@redhat.com
Sent: Wednesday, December 10, 2014 12:30:34 PM
Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

Hello Alon and Yair,

Many thanks for your help, finally it works properly. My problem, after Alon's last indications, was that my user Juanjo was defined with SuperUser role in the previous domain configuration. I have logged in with admin user from internal and I have removed old configuration and I have configured my user Juanjo with all administrators roles in folder Permission and I can log in in administration portal without problems and it works properly.

My final configuration I have is an emulated *AD based on Samba 4* and the final configuration files are:

Good! So samba is not emulating active directory entirely :) But good to know it is working. Please also checkout group membership.

ovirt-engine-extension-aaa-ldap.noarch 1.0.1-0.0.master.20141209141731.git0437701.el6

this fix for samba ad will be released in 1.0.1.

*/etc/ovirt-engine/extensions.d/siee-local-authn.properties*:

    ovirt.engine.extension.name = siee-local-authn
    ovirt.engine.extension.bindings.method = jbossmodule
    ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
    ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
    ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
    ovirt.engine.aaa.authn.profile.name = siee
    ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
    config.profile.file.1 = /etc/ovirt-engine/aaa/siee.properties

*/etc/ovirt-engine/extensions.d/siee-local-authz.properties*:

    ovirt.engine.extension.name = siee-local-authz
    ovirt.engine.extension.bindings.method = jbossmodule
    ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
    ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
    ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
    config.profile.file.1 = /etc/ovirt-engine/aaa/siee.properties

*/etc/ovirt-engine/aaa/siee.properties*:

    include = ad.properties

    #
    # Active directory domain name.
    #
    vars.domain = siee.local

    #
    # Search user and its password.
    #
    vars.user = searcher@${global:vars.domain}
    vars.password =

    #
    # Optional DNS servers, if enterprise
    # DNS server cannot resolve the domain srvrecord.
    #
    #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}

    pool.default.serverset.type = srvrecord
    pool.default.serverset.srvrecord.domain = ${global:vars.domain}
    pool.default.auth.simple.bindDN = ${global:vars.user}
    pool.default.auth.simple.password = ${global:vars.password}

    # Uncomment if using custom DNS
    #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
    #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}

    # Create keystore, import certificate chain and uncomment
    # if using ssl/tls.
    #pool.default.ssl.startTLS = true
    #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
    #pool.default.ssl.truststore.password = changeit

You should enable SSL for production use... as you do not want passwords to be transmitted in clear. Not sure how you install ssl on the samba ldap... but once you do, follow the README instructions[1]

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l141

*/etc/krb5.conf*:

You are not using kerberos, so there is no reason to configure it for setup to work.

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = SIEE.LOCAL
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = no
    default_tkt_enctypes = arcfour-hmac-md5
    udp_preference_limit = 1

    #[realms]
    #[domain_realm]
    # .siee.local = SIEE.LOCAL
    # siee.local = SIEE.LOCAL

Many thanks again to everybody,

Juanjo.

On Tue, Dec 9, 2014 at 5:31 PM, Alon Bar-Lev alo...@redhat.com wrote:

- Original Message -
From: Juan Jose jj197...@gmail.com
To: Alon Bar-Lev alo...@redhat.com, Yair Zaslavsky yzasl...@redhat.com
Sent: Tuesday, December 9, 2014 5:42:56 PM
Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

Hello Alon,

In my first e-mails I had already said that I have an emulation of AD based on Samba 4. I have tested the last version of ovirt-engine-extension-aaa-ldap package and I think the problem is the same although the error is User is not authorized to perform this action. I attach the engine.log.

USER_NOT_AUTHORIZED_TO_PERFORM_ACTION means user is not superuser or can manage objects as far as I
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
We start over...

This is not active directory... it is samba.

Attribute(name=vendorName, values={'Samba Team (http://samba.org)'})

Only now I realized this, maybe you mentioned it earlier not sure. Of course this was never tested, so probably not working.

I see that samba does not return a list of extended operations, I will workaround this and we can see what else differs from active directory.

Thanks,
Alon

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
- Original Message -
From: Alon Bar-Lev alo...@redhat.com
To: Juan Jose jj197...@gmail.com
Cc: users users@ovirt.org
Sent: Tuesday, December 9, 2014 3:59:33 PM
Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

We start over...

This is not active directory... it is samba.

Attribute(name=vendorName, values={'Samba Team (http://samba.org)'})

Only now I realized this, maybe you mentioned it earlier not sure. Of course this was never tested, so probably not working.

I see that samba does not return a list of extended operations, I will workaround this and we can see what else differs from active directory.

Can you please checkout the following rpm[1]?

[1] http://jenkins.ovirt.org/job/ovirt-engine-extension-aaa-ldap_master_create-rpms-el6-x86_64_merged/
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Hello Alon, I have done what you have said. My new configuration files are: /etc/ovirt-engine/extensions.d/siee-local-authn.properties: ovirt.engine.extension.name = siee-local-authn ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn ovirt.engine.aaa.authn.profile.name = siee ovirt.engine.aaa.authn.authz.plugin = siee-local-authz config.profile.file.1 = aaa/siee.properties /etc/ovirt-engine/extensions.d/siee-local-authz.properties: ovirt.engine.extension.name = siee-local-authz ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz config.profile.file.1 = aaa/siee.properties /etc/ovirt-engine/extensions.d/aaa/siee.properties: include = ad.properties # # Active directory domain name. # vars.domain = siee.local # # Search user and its password. # vars.user = searcher@${global:vars.domain} vars.password = xxx # # Optional DNS servers, if enterprise # DNS server cannot resolve the domain srvrecord. 
# #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain} pool.default.serverset.type = srvrecord pool.default.serverset.srvrecord.domain = ${global:vars.domain} pool.default.auth.simple.bindDN = ${global:vars.user} pool.default.auth.simple.password = ${global:vars.password} # Uncomment if using custom DNS #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns} #pool.default.socketfactory.resolver.uRL = ${global:vars.dns} # Create keystore, import certificate chain and uncomment # if using ssl/tls. #pool.default.ssl.startTLS = true #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks #pool.default.ssl.truststore.password = changeit After reconfigure my files with ovirt-engine stopped I have started ovirt-engine and I have tried to log in. The error persist, General command validation failure. and after that I have stopped ovirt-engine again. I attach my engine.log file. Many thanks again, Juanjo. On Tue, Dec 2, 2014 at 3:46 PM, Alon Bar-Lev alo...@redhat.com wrote: - Original Message - From: Juan Jose jj197...@gmail.com To: Alon Bar-Lev alo...@redhat.com Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org Sent: Tuesday, December 2, 2014 3:48:54 PM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue Hello Alon and everybody, I have installed package ovirt-engine-extension-aaa-ldap and configure my files as the documentation says. 
The files are: /etc/ovirt-engine/extensions.d/siee.local-authn.properties: ovirt.engine.extension.name = siee.local-authn ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn ovirt.engine.aaa.authn.profile.name = siee.local ovirt.engine.aaa.authn.authz.plugin = siee.local-authz config.profile.file.1 = aaa/siee.local.properties please use absolute file name for 3.5.0 relative will be available in 3.5.1 /etc/ovirt-engine/extensions.d/siee.local-authz.properties: ovirt.engine.extension.name = siee.local-authz ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz config.profile.file.1 = aaa/siee.local.properties please use absolute file name for 3.5.0 relative will be available in 3.5.1 /etc/ovirt-engine/extensions.d/aaa/siee.local.properties: include = ad.properties # # Active directory domain name. # vars.domain = siee.local # # Search user and its password. # vars.user = juanjo@${global:vars.domain} vars.password = this should be dedicate user for search not your private user. # # Optional DNS servers, if enterprise # DNS server cannot resolve the domain srvrecord. # #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain} pool.default.serverset.type = srvrecord pool.default.serverset.srvrecord.domain = ${global:vars.domain} pool.default.auth.simple.bindDN = ${global:vars.user} pool.default.auth.simple.password
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Hi!

You have the following errors:

2014-12-05 09:32:31,778 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-5) Loading extension 'siee-local-authn'
2014-12-05 09:32:31,819 ERROR [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC service thread 1-5) Could not load extension based on configuration file '/etc/ovirt-engine/extensions.d/siee-local-authn.properties'. Please check the configuration file is valid. Exception message is: Error loading extension 'siee-local-authn': /aaa/siee.properties (No such file or directory)
2014-12-05 09:32:31,823 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-5) Loading extension 'siee-local-authz'
2014-12-05 09:32:31,824 ERROR [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC service thread 1-5) Could not load extension based on configuration file '/etc/ovirt-engine/extensions.d/siee-local-authz.properties'. Please check the configuration file is valid. Exception message is: Error loading extension 'siee-local-authz': /aaa/siee.properties (No such file or directory)

Per my last message, you should provide absolute file names if you use 3.5.0. Please see inline comments below.

Also, you are trying to authenticate with the legacy provider:

2014-12-05 09:33:04,871 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server

Can you please use engine-manage-domains to remove the legacy (old) domain, so we reduce confusion?

Thanks!

- Original Message - From: Juan Jose jj197...@gmail.com To: Alon Bar-Lev alo...@redhat.com Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org Sent: Friday, December 5, 2014 10:43:01 AM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue Hello Alon, I have done what you have said. My new configuration files are: /etc/ovirt-engine/extensions.d/siee-local-authn.properties: ovirt.engine.extension.name = siee-local-authn ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn ovirt.engine.aaa.authn.profile.name = siee ovirt.engine.aaa.authn.authz.plugin = siee-local-authz config.profile.file.1 = aaa/siee.properties should be: /etc/ovirt-engine/extensions.d/aaa/siee.properties in 3.5.0 or can be ../aaa/siee.properties in 3.5.1. /etc/ovirt-engine/extensions.d/siee-local-authz.properties: ovirt.engine.extension.name = siee-local-authz ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz config.profile.file.1 = aaa/siee.properties should be: /etc/ovirt-engine/extensions.d/aaa/siee.properties in 3.5.0 or can be ../aaa/siee.properties in 3.5.1. /etc/ovirt-engine/extensions.d/aaa/siee.properties: include = ad.properties # # Active directory domain name. # vars.domain = siee.local # # Search user and its password. # vars.user = searcher@${global:vars.domain} vars.password = xxx # # Optional DNS servers, if enterprise # DNS server cannot resolve the domain srvrecord. 
# #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain} pool.default.serverset.type = srvrecord pool.default.serverset.srvrecord.domain = ${global:vars.domain} pool.default.auth.simple.bindDN = ${global:vars.user} pool.default.auth.simple.password = ${global:vars.password} # Uncomment if using custom DNS #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns} #pool.default.socketfactory.resolver.uRL = ${global:vars.dns} # Create keystore, import certificate chain and uncomment # if using ssl/tls. #pool.default.ssl.startTLS = true #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks #pool.default.ssl.truststore.password = changeit After reconfigure my files with ovirt-engine stopped I have started ovirt-engine and I have tried to log in. The error persist, General command validation failure. and after that I have stopped ovirt-engine again. I attach my engine.log file. Many thanks again, Juanjo. On Tue, Dec 2, 2014 at 3:46 PM, Alon Bar-Lev alo...@redhat.com wrote: - Original Message - From: Juan Jose jj197...@gmail.com To: Alon
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Hello Alon, I have deleted Legacy domain with engine-manage-domain, and I have changed configuration to absolute file name as you can see: /etc/ovirt-engine/extensions.d/siee-local-authn.properties: ovirt.engine.extension.name = siee-local-authn ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn ovirt.engine.aaa.authn.profile.name = siee ovirt.engine.aaa.authn.authz.plugin = siee-local-authz config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties /etc/ovirt-engine/extensions.d/siee-local-authz.properties: ovirt.engine.extension.name = siee-local-authz ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties I had configured relative file name because the example /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/extensions.d/domain1-authz.properties has a relative file name. I have done the same: delete engine.log, restart ovirt-engine and try log in and the same error is showed, General command validation failure. Attach engine.log file. Thanks, Juanjo. On Fri, Dec 5, 2014 at 9:52 AM, Alon Bar-Lev alo...@redhat.com wrote: Hi! 
You have the following errors: 2014-12-05 09:32:31,778 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-5) Loading extension 'siee-local-authn' 2014-12-05 09:32:31,819 ERROR [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC service thread 1-5) Could not load extension based on configuration file '/etc/ovirt-engine/extensions.d/siee-local-authn.properties'. Please check the configuration file is valid. Exception message is: Error loading extension 'siee-local-authn': /aaa/siee.properties (No such file or directory) 2014-12-05 09:32:31,823 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-5) Loading extension 'siee-local-authz' 2014-12-05 09:32:31,824 ERROR [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC service thread 1-5) Could not load extension based on configuration file '/etc/ovirt-engine/extensions.d/siee-local-authz.properties'. Please check the configuration file is valid. Exception message is: Error loading extension 'siee-local-authz': /aaa/siee.properties (No such file or directory) Per my last message, you should provide absolute file names if you use 3.5.0. Please see inline comments bellow. Also, you are trying to authenticate with the legacy provider: 2014-12-05 09:33:04,871 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server Can you please use engine-manage-domains to remove the legacy (old) domain, so we reduce confusion? Thanks! 
- Original Message - From: Juan Jose jj197...@gmail.com To: Alon Bar-Lev alo...@redhat.com Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org Sent: Friday, December 5, 2014 10:43:01 AM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue Hello Alon, I have done what you have said. My new configuration files are: /etc/ovirt-engine/extensions.d/siee-local-authn.properties: ovirt.engine.extension.name = siee-local-authn ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn ovirt.engine.aaa.authn.profile.name = siee ovirt.engine.aaa.authn.authz.plugin = siee-local-authz config.profile.file.1 = aaa/siee.properties should be: /etc/ovirt-engine/extensions.d/aaa/siee.properties in 3.5.0 or can be ../aaa/siee.properties in 3.5.1. /etc/ovirt-engine/extensions.d/siee-local-authz.properties: ovirt.engine.extension.name = siee-local-authz ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension ovirt.engine.extension.provides
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
We will also need log of the generic ldap extension, can you please provide it?

Thanks!

- Original Message -
From: Juan Jose jj197...@gmail.com
To: Alon Bar-Lev alo...@redhat.com
Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org
Sent: Friday, December 5, 2014 1:10:06 PM
Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

Hello Alon,

I have deleted Legacy domain with engine-manage-domain, and I have changed configuration to absolute file name as you can see:

/etc/ovirt-engine/extensions.d/siee-local-authn.properties:

    ovirt.engine.extension.name = siee-local-authn
    ovirt.engine.extension.bindings.method = jbossmodule
    ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
    ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
    ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
    ovirt.engine.aaa.authn.profile.name = siee
    ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
    config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties

/etc/ovirt-engine/extensions.d/siee-local-authz.properties:

    ovirt.engine.extension.name = siee-local-authz
    ovirt.engine.extension.bindings.method = jbossmodule
    ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
    ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
    ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
    config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties

I had configured relative file name because the example /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/extensions.d/domain1-authz.properties has a relative file name.

I have done the same: delete engine.log, restart ovirt-engine and try to log in and the same error is shown, General command validation failure. Attach engine.log file.

Thanks,

Juanjo.

On Fri, Dec 5, 2014 at 9:52 AM, Alon Bar-Lev alo...@redhat.com wrote: Hi! You have the following errors: 2014-12-05 09:32:31,778 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-5) Loading extension 'siee-local-authn' 2014-12-05 09:32:31,819 ERROR [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC service thread 1-5) Could not load extension based on configuration file '/etc/ovirt-engine/extensions.d/siee-local-authn.properties'. Please check the configuration file is valid. Exception message is: Error loading extension 'siee-local-authn': /aaa/siee.properties (No such file or directory) 2014-12-05 09:32:31,823 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-5) Loading extension 'siee-local-authz' 2014-12-05 09:32:31,824 ERROR [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC service thread 1-5) Could not load extension based on configuration file '/etc/ovirt-engine/extensions.d/siee-local-authz.properties'. Please check the configuration file is valid. Exception message is: Error loading extension 'siee-local-authz': /aaa/siee.properties (No such file or directory) Per my last message, you should provide absolute file names if you use 3.5.0. Please see inline comments bellow. Also, you are trying to authenticate with the legacy provider: 2014-12-05 09:33:04,871 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server Can you please use engine-manage-domains to remove the legacy (old) domain, so we reduce confusion? Thanks! 
- Original Message - From: Juan Jose jj197...@gmail.com To: Alon Bar-Lev alo...@redhat.com Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org Sent: Friday, December 5, 2014 10:43:01 AM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue Hello Alon, I have done what you have said. My new configuration files are: /etc/ovirt-engine/extensions.d/siee-local-authn.properties: ovirt.engine.extension.name = siee-local-authn ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn ovirt.engine.aaa.authn.profile.name = siee ovirt.engine.aaa.authn.authz.plugin = siee-local-authz config.profile.file.1 = aaa/siee.properties should be: /etc/ovirt-engine
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Hi!

I tested the configuration and it worked properly.

- Original Message -
From: Juan Jose jj197...@gmail.com
To: Alon Bar-Lev alo...@redhat.com
Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org
Sent: Friday, December 5, 2014 1:10:06 PM
Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

Hello Alon,

I have deleted Legacy domain with engine-manage-domain, and I have changed configuration to absolute file name as you can see:

/etc/ovirt-engine/extensions.d/siee-local-authn.properties:

    ovirt.engine.extension.name = siee-local-authn
    ovirt.engine.extension.bindings.method = jbossmodule
    ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
    ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
    ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
    ovirt.engine.aaa.authn.profile.name = siee
    ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
    config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties

Please move this file to /etc/ovirt-engine/aaa/siee.properties, it should not reside within the extensions.d

/etc/ovirt-engine/extensions.d/siee-local-authz.properties:

    ovirt.engine.extension.name = siee-local-authz
    ovirt.engine.extension.bindings.method = jbossmodule
    ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
    ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
    ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
    config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties

Same.

I had configured relative file name because the example /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/extensions.d/domain1-authz.properties has a relative file name.

Yes, as I wrote, this relative is coming in 3.5.1.

I have done the same: delete engine.log, restart ovirt-engine and try to log in and the same error is shown, General command validation failure.

Please first refer to the startup errors, there is not much sense to try login if startup fails... :)

In your case:

2014-12-05 11:25:05,575 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authz::siee-local-authz] Cannot initialize LDAP framework, deferring initialization. Error: null

Which is as if something is missing.

I took your configuration as-is and it does work, with the exception of moving /etc/ovirt-engine/extensions.d/aaa to /etc/ovirt-engine/aaa as it should be, please perform this change and modify the file locations within extension properties file.

I need to figure out what is happening, so from README[1], please follow the following instructions and restart engine so we get more verbose logs.

Update: /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in

Make sure handle level name is ALL for ENGINE, if not set like I am unsure if in 3.5.0 this was the case:
---
<file-handler name="ENGINE" autoflush="true">
  <level name="ALL"/>
---
Add the following before the root-logger line:
---
<logger category="org.ovirt.engineextensions.aaa.ldap">
  <level name="ALL"/>
</logger>
---

Restart the engine and send the engine.log, this way I can see what is happening during initialization.

Thanks for checking it out, hopefully something trivial is missing,
Alon

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l230
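The path and TLS advice from this thread, as an added example that is not part of the original messages or of the oVirt project's code: a small linter that checks `config.profile.file.N` values against the 3.5.0/3.5.1 rules described above, flags profiles kept under `extensions.d`, and flags a simple bind without StartTLS. The function names and finding labels are hypothetical, the sample inputs are constructed from the configurations quoted in the thread, and resolving a relative name against the extension file's directory is an assumption.

```python
"""Lint oVirt aaa-ldap extension settings against the advice given in this thread."""
import posixpath
import re

PROFILE_KEY = re.compile(r"config\.profile\.file\.\d+")


def parse_properties(text):
    """Parse the 'key = value' lines used in the thread; '#' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def lint_extension(props, extension_file, relative_ok=False):
    """Check the profile paths named by one extensions.d/*.properties file.

    relative_ok=False models 3.5.0 (absolute names only); True models 3.5.1.
    Assumption: a relative name resolves against the extension file's directory.
    """
    findings = []
    for key in sorted(props):
        if not PROFILE_KEY.fullmatch(key):
            continue
        path = props[key]
        if not posixpath.isabs(path):
            if not relative_ok:
                findings.append(("relative-profile-path", key, path))
                continue
            path = posixpath.join(posixpath.dirname(extension_file), path)
        resolved = posixpath.normpath(path)
        # The profile belongs in /etc/ovirt-engine/aaa, not inside extensions.d.
        if "extensions.d" in resolved.split("/"):
            findings.append(("profile-inside-extensions.d", key, resolved))
    return findings


def lint_profile(props):
    """Flag a simple bind whose password would be sent without StartTLS."""
    findings = []
    start_tls = props.get("pool.default.ssl.startTLS", "").lower() == "true"
    if "pool.default.auth.simple.bindDN" in props and not start_tls:
        findings.append(("simple-bind-without-starttls",
                         "pool.default.ssl.startTLS",
                         props.get("pool.default.ssl.startTLS", "unset")))
    return findings


EXTENSION_FILE = "/etc/ovirt-engine/extensions.d/siee-local-authn.properties"

# Constructed sample: the authn extension file with the path left as a parameter.
AUTHN_TEMPLATE = """\
ovirt.engine.extension.name = siee-local-authn
ovirt.engine.aaa.authn.profile.name = siee
ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
config.profile.file.1 = {path}
"""

# The three config.profile.file.1 values tried over the course of the thread.
ATTEMPTS = [
    "aaa/siee.properties",
    "/etc/ovirt-engine/extensions.d/aaa/siee.properties",
    "/etc/ovirt-engine/aaa/siee.properties",
]

# Constructed sample: the profile with the StartTLS line still commented out.
PROFILE = """\
vars.domain = siee.local
vars.user = searcher@${global:vars.domain}
vars.password = xxx
pool.default.serverset.type = srvrecord
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
#pool.default.ssl.startTLS = true
"""


def check_attempt(path, relative_ok=False):
    """Lint the sample authn extension with the given profile path."""
    props = parse_properties(AUTHN_TEMPLATE.format(path=path))
    return lint_extension(props, EXTENSION_FILE, relative_ok)


if __name__ == "__main__":
    for attempt in ATTEMPTS:
        print(attempt, "->", check_attempt(attempt) or "ok")
    print("profile ->", lint_profile(parse_properties(PROFILE)) or "ok")
```
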
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Hello Alon and everybody,

I have installed package ovirt-engine-extension-aaa-ldap and configure my files as the documentation says. The files are:

/etc/ovirt-engine/extensions.d/siee.local-authn.properties:

    ovirt.engine.extension.name = siee.local-authn
    ovirt.engine.extension.bindings.method = jbossmodule
    ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
    ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
    ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
    ovirt.engine.aaa.authn.profile.name = siee.local
    ovirt.engine.aaa.authn.authz.plugin = siee.local-authz
    config.profile.file.1 = aaa/siee.local.properties

/etc/ovirt-engine/extensions.d/siee.local-authz.properties:

    ovirt.engine.extension.name = siee.local-authz
    ovirt.engine.extension.bindings.method = jbossmodule
    ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
    ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
    ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
    config.profile.file.1 = aaa/siee.local.properties

/etc/ovirt-engine/extensions.d/aaa/siee.local.properties:

    include = ad.properties

    #
    # Active directory domain name.
    #
    vars.domain = siee.local

    #
    # Search user and its password.
    #
    vars.user = juanjo@${global:vars.domain}
    vars.password =

    #
    # Optional DNS servers, if enterprise
    # DNS server cannot resolve the domain srvrecord.
    #
    #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}

    pool.default.serverset.type = srvrecord
    pool.default.serverset.srvrecord.domain = ${global:vars.domain}
    pool.default.auth.simple.bindDN = ${global:vars.user}
    pool.default.auth.simple.password = ${global:vars.password}

    # Uncomment if using custom DNS
    #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
    #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}

    # Create keystore, import certificate chain and uncomment
    # if using ssl/tls.
    #pool.default.ssl.startTLS = true
    #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
    #pool.default.ssl.truststore.password = changeit

And after this configuration I restart ovirt-engine service. When I try to login in administrator portal I can see the error The user name or password is incorrect.. In /var/log/ovirt-engine/engine.log I have the errors:

2014-12-02 14:02:21,983 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-8) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User juanjo cannot login, please verify the username and password.
2014-12-02 14:02:21,991 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-8) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User juanjo failed to log in.

I'm using correct user and password because I can login in a Windows client machine which is inside siee.local domain with this user and its correct password.

What do you think it could be the problem? If you need more information or I have to configure any other parameters, please tell me.

Many thanks in advance,

Juanjo.

On Wed, Nov 26, 2014 at 3:19 PM, Alon Bar-Lev alo...@redhat.com wrote: - Original Message - From: Juan Jose jj197...@gmail.com To: Alon Bar-Lev alo...@redhat.com Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org Sent: Wednesday, November 26, 2014 3:04:14 PM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue Hello Alon and everybody, Check in my ovirt-engine machine for ovirt-engine-aaa-ldap package and it is not available: yum list ovirt-engine* Loaded plugins: fastestmirror, refresh-packagekit, security, versionlock Loading mirror speeds from cached hostfile * base: ftp.udl.es * epel: mirror.uv.es * extras: ftp.udl.es * ovirt-3.5: ftp.nluug.nl * ovirt-3.5-epel: mirror.uv.es * ovirt-3.5-jpackage-6.0-generic: mirror.ibcp.fr * ovirt-epel: mirror.uv.es * ovirt-jpackage-6.0-generic: mirror.ibcp.fr * updates: ftp.udl.es Installed Packages ovirt-engine.noarch 3.5.0.1-1.el6 @ovirt-3.5 ovirt-engine-backend.noarch 3.5.0.1-1.el6 @ovirt-3.5 ovirt-engine-cli.noarch 3.3.0.6-1.el6 @ovirt-3.3.3 ovirt-engine-dbscripts.noarch 3.5.0.1-1.el6 @ovirt-3.5 ovirt-engine-extensions-api-impl.noarch 3.5.0.1-1.el6 @ovirt-3.5 ovirt-engine-jboss-as.x86_64 7.1.1-1.el6 @ovirt-3.5 ovirt-engine-lib.noarch 3.5.0.1-1.el6 @ovirt-3.5 ovirt-engine-restapi.noarch 3.5.0.1-1.el6 @ovirt-3.5 ovirt-engine-sdk-python.noarch 3.5.0.8-1.el6
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
- Original Message -
> From: Juan Jose jj197...@gmail.com
> To: Alon Bar-Lev alo...@redhat.com
> Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org
> Sent: Tuesday, December 2, 2014 3:48:54 PM
> Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
>
> Hello Alon and everybody,
>
> I have installed package ovirt-engine-extension-aaa-ldap and configured my files as the documentation says. The files are:
>
> /etc/ovirt-engine/extensions.d/siee.local-authn.properties:
>
> ovirt.engine.extension.name = siee.local-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = siee.local
> ovirt.engine.aaa.authn.authz.plugin = siee.local-authz
> config.profile.file.1 = aaa/siee.local.properties

please use absolute file name for 3.5.0, relative will be available in 3.5.1

> /etc/ovirt-engine/extensions.d/siee.local-authz.properties:
>
> ovirt.engine.extension.name = siee.local-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = aaa/siee.local.properties

please use absolute file name for 3.5.0, relative will be available in 3.5.1

> /etc/ovirt-engine/extensions.d/aaa/siee.local.properties:
>
> include = ad.properties
>
> #
> # Active directory domain name.
> #
> vars.domain = siee.local
>
> #
> # Search user and its password.
> #
> vars.user = juanjo@${global:vars.domain}
> vars.password =

this should be a dedicated user for search, not your private user.

> #
> # Optional DNS servers, if enterprise
> # DNS server cannot resolve the domain srvrecord.
> #
> #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
>
> pool.default.serverset.type = srvrecord
> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
>
> # Uncomment if using custom DNS
> #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
>
> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> #pool.default.ssl.startTLS = true
> #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
> #pool.default.ssl.truststore.password = changeit
>
> And after this configuration I restart ovirt-engine service. When I try to login in administrator portal I can see the error "The user name or password is incorrect.". In /var/log/ovirt-engine/engine.log I have the errors:
>
> 2014-12-02 14:02:21,983 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-8) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User juanjo cannot login, please verify the username and password.
> 2014-12-02 14:02:21,991 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-8) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User juanjo failed to log in.
>
> I'm using correct user and password because I can login in a Windows client machine which is inside siee.local domain with this user and its correct password.
>
> What do you think it could be the problem? If you need more information or I have to configure any other parameters, please tell me.

please attach full engine.log, more correctly, stop engine, remove engine.log, start engine, try to login and send log.

please make sure you select the siee.local domain in dropdown of login screen.

when I get the engine.log I will be able to understand how to progress.

thanks!

> Many thanks in advance,
>
> Juanjo.
>
> On Wed, Nov 26, 2014 at 3:19 PM, Alon Bar-Lev alo...@redhat.com wrote:
>
> > - Original Message -
> > > From: Juan Jose jj197...@gmail.com
> > > To: Alon Bar-Lev alo...@redhat.com
> > > Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org
> > > Sent: Wednesday, November 26, 2014 3:04:14 PM
> > > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> > >
> > > Hello Alon and everybody,
> > >
> > > Check in my ovirt-engine machine for ovirt-engine-aaa-ldap package and it is not available:
> > >
> > > yum list ovirt-engine*
> > > Loaded plugins: fastestmirror, refresh-packagekit, security, versionlock
> > > Loading mirror speeds from cached hostfile
> > >  * base: ftp.udl.es
> > >  * epel: mirror.uv.es
> > >  * extras: ftp.udl.es
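The points raised inline in the reply above (an absolute `config.profile.file.1` on 3.5.0, a dedicated search user) and the still-commented startTLS block in the quoted profile can be checked mechanically before restarting the engine. This is an added example, not part of the thread or of ovirt-engine-extension-aaa-ldap; the function names, finding codes, the `personal_accounts` parameter and the sample file contents (constructed from the files quoted above) are assumptions.

```python
import posixpath
import re

# Constructed sample input, modelled on the files quoted in this thread.
SAMPLE_AUTHN = """\
ovirt.engine.extension.name = siee.local-authn
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = siee.local
ovirt.engine.aaa.authn.authz.plugin = siee.local-authz
config.profile.file.1 = aaa/siee.local.properties
"""
SAMPLE_AUTHZ = """\
ovirt.engine.extension.name = siee.local-authz
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = aaa/siee.local.properties
"""
SAMPLE_PROFILE = """\
include = ad.properties
vars.domain = siee.local
vars.user = juanjo@${global:vars.domain}
vars.password =
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
#pool.default.ssl.startTLS = true
"""

_VAR = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text):
    """Return {key: value} for active lines; '#' comment lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def expand(value, props, max_depth=8):
    """Resolve ${global:name} references against the same file's keys."""
    for _ in range(max_depth):
        resolved = _VAR.sub(lambda m: props.get(m.group(1), m.group(0)), value)
        if resolved == value:
            break
        value = resolved
    return value


def lint_extensions(authn_text, authz_text, engine_version=(3, 5, 0)):
    """Check the extensions.d pair: profile paths and authn -> authz wiring."""
    findings = []
    authn, authz = parse_properties(authn_text), parse_properties(authz_text)
    for label, props in (("authn", authn), ("authz", authz)):
        for key, value in props.items():
            if not key.startswith("config.profile.file."):
                continue
            # Per the reply in this thread: 3.5.0 needs an absolute file name,
            # relative names are accepted from 3.5.1.
            if engine_version < (3, 5, 1) and not posixpath.isabs(value):
                findings.append(("RELATIVE_PROFILE_PATH", label, value))
    wanted = authn.get("ovirt.engine.aaa.authn.authz.plugin")
    if wanted != authz.get("ovirt.engine.extension.name"):
        findings.append(("AUTHZ_PLUGIN_MISMATCH", "authn", wanted))
    return findings


def lint_profile(profile_text, personal_accounts=frozenset()):
    """Check the LDAP profile: bind identity, bind password, transport."""
    findings = []
    props = parse_properties(profile_text)
    bind_dn = expand(props.get("pool.default.auth.simple.bindDN", ""), props)
    password = expand(props.get("pool.default.auth.simple.password", ""), props)
    uses_simple_bind = "pool.default.auth.simple.bindDN" in props

    # personal_accounts is supplied by the operator (assumption): the linter
    # cannot know by itself which directory accounts belong to people.
    local_part = bind_dn.split("@", 1)[0].lower()
    if local_part in {a.lower() for a in personal_accounts}:
        findings.append(("PERSONAL_BIND_USER", bind_dn))
    # A simple bind with a name and an empty password is an unauthenticated
    # bind (RFC 4513, section 5.1.2), not a login as that user.
    if uses_simple_bind and password == "":
        findings.append(("EMPTY_BIND_PASSWORD", bind_dn))
    # Only the startTLS key shown in the thread is inspected here.
    start_tls = props.get("pool.default.ssl.startTLS", "false").lower() == "true"
    if uses_simple_bind and not start_tls:
        findings.append(("CLEARTEXT_SIMPLE_BIND", bind_dn))
    return findings


if __name__ == "__main__":
    for finding in lint_extensions(SAMPLE_AUTHN, SAMPLE_AUTHZ):
        print(finding)
    for finding in lint_profile(SAMPLE_PROFILE, personal_accounts={"juanjo"}):
        print(finding)
```

A profile posted to a list usually has its password blanked, so `EMPTY_BIND_PASSWORD` on a pasted copy may only reflect redaction; run the check against the file on the engine host.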
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Hello everybody,

I will try this package shortly, but I would like to know why I can't use my AD as I was doing in ovirt 3.4 before upgrade to ovirt 3.5. I have executed kinit without problems after some modification in my /etc/krb5.conf file, as I said in before mail but the error with portal persists.

Any suggestion?

Many thanks in advance,

Juanjo.

On Wed, Nov 26, 2014 at 3:19 PM, Alon Bar-Lev alo...@redhat.com wrote:

> - Original Message -
> > From: Juan Jose jj197...@gmail.com
> > To: Alon Bar-Lev alo...@redhat.com
> > Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org
> > Sent: Wednesday, November 26, 2014 3:04:14 PM
> > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> >
> > Hello Alon and everybody,
> >
> > Check in my ovirt-engine machine for ovirt-engine-aaa-ldap package and it is not available:
> >
> > yum list ovirt-engine*
> > Loaded plugins: fastestmirror, refresh-packagekit, security, versionlock
> > Loading mirror speeds from cached hostfile
> >  * base: ftp.udl.es
> >  * epel: mirror.uv.es
> >  * extras: ftp.udl.es
> >  * ovirt-3.5: ftp.nluug.nl
> >  * ovirt-3.5-epel: mirror.uv.es
> >  * ovirt-3.5-jpackage-6.0-generic: mirror.ibcp.fr
> >  * ovirt-epel: mirror.uv.es
> >  * ovirt-jpackage-6.0-generic: mirror.ibcp.fr
> >  * updates: ftp.udl.es
> > Installed Packages
> > ovirt-engine.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > ovirt-engine-backend.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > ovirt-engine-cli.noarch 3.3.0.6-1.el6 @ovirt-3.3.3
> > ovirt-engine-dbscripts.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > ovirt-engine-extensions-api-impl.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > ovirt-engine-jboss-as.x86_64 7.1.1-1.el6 @ovirt-3.5
> > ovirt-engine-lib.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > ovirt-engine-restapi.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > ovirt-engine-sdk-python.noarch 3.5.0.8-1.el6 @ovirt-3.5
> > ovirt-engine-setup.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > ovirt-engine-setup-base.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > ovirt-engine-setup-plugin-ovirt-engine.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > ovirt-engine-setup-plugin-ovirt-engine-common.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > ovirt-engine-setup-plugin-websocket-proxy.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > ovirt-engine-tools.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > ovirt-engine-userportal.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > ovirt-engine-webadmin-portal.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > ovirt-engine-websocket-proxy.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > Available Packages
> > ovirt-engine-cli.noarch 3.5.0.5-1.el6 ovirt-3.5
> > ovirt-engine-dwh.noarch 3.5.0-1.el6 ovirt-3.5
> > ovirt-engine-dwh-setup.noarch 3.5.0-1.el6 ovirt-3.5
> > ovirt-engine-extensions-api-impl-javadoc.noarch 3.5.0.1-1.el6 ovirt-3.5
> > ovirt-engine-reports.noarch 3.5.1-0.1.el6 ovirt-3.5
> > ovirt-engine-reports-setup.noarch 3.5.1-0.1.el6 ovirt-3.5
> > ovirt-engine-sdk-java.noarch 3.5.0.5-1.el6 ovirt-3.5
> > ovirt-engine-sdk-java-javadoc.noarch 3.5.0.5-1.el6 ovirt-3.5
> > ovirt-engine-setup-plugin-allinone.noarch
> >
> > How can I get this package?
>
> Thanks for trying!
> Package is available at ovirt-3.5-snapshot[1].
>
> [1] http://resources.ovirt.org/pub/ovirt-3.5-snapshot/

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
- Original Message -
> From: Juan Jose jj197...@gmail.com
> To: Alon Bar-Lev alo...@redhat.com
> Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org
> Sent: Friday, November 28, 2014 2:03:30 PM
> Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
>
> Hello everybody,
>
> I will try this package shortly, but I would like to know why I can't use my AD as I was doing in ovirt 3.4 before upgrade to ovirt 3.5. I have executed kinit without problems after some modification in my /etc/krb5.conf file, as I said in before mail but the error with portal persists.
>
> Any suggestion?

I leave this for yair/oved to determine.

Your difficulties are the main reason why we wrote a new implementation. The current one is too complex, has almost no customization and very difficult for problem determination.

> Many thanks in advance,
>
> Juanjo.
>
> On Wed, Nov 26, 2014 at 3:19 PM, Alon Bar-Lev alo...@redhat.com wrote:
>
> > - Original Message -
> > > From: Juan Jose jj197...@gmail.com
> > > To: Alon Bar-Lev alo...@redhat.com
> > > Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org
> > > Sent: Wednesday, November 26, 2014 3:04:14 PM
> > > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> > >
> > > Hello Alon and everybody,
> > >
> > > Check in my ovirt-engine machine for ovirt-engine-aaa-ldap package and it is not available:
> > >
> > > yum list ovirt-engine*
> > > Loaded plugins: fastestmirror, refresh-packagekit, security, versionlock
> > > Loading mirror speeds from cached hostfile
> > >  * base: ftp.udl.es
> > >  * epel: mirror.uv.es
> > >  * extras: ftp.udl.es
> > >  * ovirt-3.5: ftp.nluug.nl
> > >  * ovirt-3.5-epel: mirror.uv.es
> > >  * ovirt-3.5-jpackage-6.0-generic: mirror.ibcp.fr
> > >  * ovirt-epel: mirror.uv.es
> > >  * ovirt-jpackage-6.0-generic: mirror.ibcp.fr
> > >  * updates: ftp.udl.es
> > > Installed Packages
> > > ovirt-engine.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-backend.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-cli.noarch 3.3.0.6-1.el6 @ovirt-3.3.3
> > > ovirt-engine-dbscripts.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-extensions-api-impl.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-jboss-as.x86_64 7.1.1-1.el6 @ovirt-3.5
> > > ovirt-engine-lib.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-restapi.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-sdk-python.noarch 3.5.0.8-1.el6 @ovirt-3.5
> > > ovirt-engine-setup.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-setup-base.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-setup-plugin-ovirt-engine.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-setup-plugin-ovirt-engine-common.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-setup-plugin-websocket-proxy.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-tools.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-userportal.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-webadmin-portal.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-websocket-proxy.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > Available Packages
> > > ovirt-engine-cli.noarch 3.5.0.5-1.el6 ovirt-3.5
> > > ovirt-engine-dwh.noarch 3.5.0-1.el6 ovirt-3.5
> > > ovirt-engine-dwh-setup.noarch 3.5.0-1.el6 ovirt-3.5
> > > ovirt-engine-extensions-api-impl-javadoc.noarch 3.5.0.1-1.el6 ovirt-3.5
> > > ovirt-engine-reports.noarch 3.5.1-0.1.el6 ovirt-3.5
> > > ovirt-engine-reports-setup.noarch 3.5.1-0.1.el6 ovirt-3.5
> > > ovirt-engine-sdk-java.noarch 3.5.0.5-1.el6 ovirt-3.5
> > > ovirt-engine-sdk-java-javadoc.noarch 3.5.0.5-1.el6 ovirt-3.5
> > > ovirt-engine-setup-plugin-allinone.noarch
> > >
> > > How can I get this package?
> >
> > Thanks for trying!
> > Package is available at ovirt-3.5-snapshot[1].
> >
> > [1] http://resources.ovirt.org/pub/ovirt-3.5-snapshot/

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Hi,

can you please take a look into windows AD logs, what's the message when you try to login in ovirt? Or can you please use tcpdump and see what's sent when you do login?

Also would you please tell what's your AD version, I'll try to reproduce.

Thanks,
Ondra

- Original Message -
> From: Juan Jose jj197...@gmail.com
> To: Alon Bar-Lev alo...@redhat.com
> Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org
> Sent: Friday, November 28, 2014 1:03:30 PM
> Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
>
> Hello everybody,
>
> I will try this package shortly, but I would like to know why I can't use my AD as I was doing in ovirt 3.4 before upgrade to ovirt 3.5. I have executed kinit without problems after some modification in my /etc/krb5.conf file, as I said in before mail but the error with portal persists.
>
> Any suggestion?
>
> Many thanks in advance,
>
> Juanjo.
>
> On Wed, Nov 26, 2014 at 3:19 PM, Alon Bar-Lev alo...@redhat.com wrote:
>
> > - Original Message -
> > > From: Juan Jose jj197...@gmail.com
> > > To: Alon Bar-Lev alo...@redhat.com
> > > Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org
> > > Sent: Wednesday, November 26, 2014 3:04:14 PM
> > > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> > >
> > > Hello Alon and everybody,
> > >
> > > Check in my ovirt-engine machine for ovirt-engine-aaa-ldap package and it is not available:
> > >
> > > yum list ovirt-engine*
> > > Loaded plugins: fastestmirror, refresh-packagekit, security, versionlock
> > > Loading mirror speeds from cached hostfile
> > >  * base: ftp.udl.es
> > >  * epel: mirror.uv.es
> > >  * extras: ftp.udl.es
> > >  * ovirt-3.5: ftp.nluug.nl
> > >  * ovirt-3.5-epel: mirror.uv.es
> > >  * ovirt-3.5-jpackage-6.0-generic: mirror.ibcp.fr
> > >  * ovirt-epel: mirror.uv.es
> > >  * ovirt-jpackage-6.0-generic: mirror.ibcp.fr
> > >  * updates: ftp.udl.es
> > > Installed Packages
> > > ovirt-engine.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-backend.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-cli.noarch 3.3.0.6-1.el6 @ovirt-3.3.3
> > > ovirt-engine-dbscripts.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-extensions-api-impl.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-jboss-as.x86_64 7.1.1-1.el6 @ovirt-3.5
> > > ovirt-engine-lib.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-restapi.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-sdk-python.noarch 3.5.0.8-1.el6 @ovirt-3.5
> > > ovirt-engine-setup.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-setup-base.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-setup-plugin-ovirt-engine.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-setup-plugin-ovirt-engine-common.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-setup-plugin-websocket-proxy.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-tools.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-userportal.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-webadmin-portal.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > ovirt-engine-websocket-proxy.noarch 3.5.0.1-1.el6 @ovirt-3.5
> > > Available Packages
> > > ovirt-engine-cli.noarch 3.5.0.5-1.el6 ovirt-3.5
> > > ovirt-engine-dwh.noarch 3.5.0-1.el6 ovirt-3.5
> > > ovirt-engine-dwh-setup.noarch 3.5.0-1.el6 ovirt-3.5
> > > ovirt-engine-extensions-api-impl-javadoc.noarch 3.5.0.1-1.el6 ovirt-3.5
> > > ovirt-engine-reports.noarch 3.5.1-0.1.el6 ovirt-3.5
> > > ovirt-engine-reports-setup.noarch 3.5.1-0.1.el6 ovirt-3.5
> > > ovirt-engine-sdk-java.noarch 3.5.0.5-1.el6 ovirt-3.5
> > > ovirt-engine-sdk-java-javadoc.noarch 3.5.0.5-1.el6 ovirt-3.5
> > > ovirt-engine-setup-plugin-allinone.noarch
> > >
> > > How can I get this package?
> >
> > Thanks for trying!
> > Package is available at ovirt-3.5-snapshot[1].
> >
> > [1] http://resources.ovirt.org/pub/ovirt-3.5-snapshot/

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
- Original Message -
> From: Juan Jose jj197...@gmail.com
> To: Yair Zaslavsky yzasl...@redhat.com, Ondra Machacek omach...@redhat.com, alo...@redhat.com, users@ovirt.org
> Sent: Wednesday, November 26, 2014 1:01:37 PM
> Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
>
> Hello everybody,
>
> I will try to configure ovirt-engine-extension-aaa-ldap package as Alon says.

+1 please do.

> By other side, I have executed the command kinit and the response is:
>
> kinit: Client not found in Kerberos database while getting initial credentials

I am sure you did that, but just to be on the safe side - did u perform kinit principal@REALM?

> My /etc/krb5.conf files is (adserver.siee.local is my AD server based in Samba 4), I have modified this file to exchange EXAMPLE.COM by siee.local and adserver.siee.local:
>
> /etc/krb5.conf:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = SIEE.LOCAL
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>
> [realms]
>  SIEE.LOCAL = {
>   kdc = adserver.siee.local
>   admin_server = adserver.siee.local
>  }
>
> [domain_realm]
>  .siee.local = SIEE.LOCAL
>  siee.local = SIEE.LOCAL
>
> My /etc/ovirt-engine/krb5.conf:
>
> [libdefaults]
>  default_realm = SIEE.LOCAL
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = no
>  default_tkt_enctypes = arcfour-hmac-md5
>  udp_preference_limit = 1
> #realms
> #domain_realm
>
> This last file is the same that I had before my upgrade to oVirt 3.5.
>
> Many thanks again,
>
> Juanjo.
>
> On Wed, Nov 26, 2014 at 5:37 AM, Yair Zaslavsky yzasl...@redhat.com wrote:
>
> > - Original Message -
> > > From: Juan Jose jj197...@gmail.com
> > > To: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, alo...@redhat.com, users@ovirt.org
> > > Sent: Tuesday, November 25, 2014 6:09:18 PM
> > > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> > >
> > > Hello again,
> > >
> > > Yes the password is correct, I can login in a Windows machine to my domain siee.local with the user Juanjo. Moreover I have changed this user password to simpler one and the result is the same.
> > >
> > > I have logged in administration portal with internal admin user and I try to navigate through the domain to find user to assign some user in a VM but nothing is showed as you can see in the attached screen image and any error is faced in administration portal, but the /var/log/ovirt-engine/engine.log show this:
> > >
> > > 2014-11-25 17:02:05,355 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was invalid (24)
> > > 2014-11-25 17:02:05,356 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username and password.
> > > 2014-11-25 17:02:05,357 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server
> > > 2014-11-25 17:02:05,359 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-5) Failed to run command LdapSearchUserByQueryCommand. Domain is siee.local. User is juanjo@SIEE.LOCAL.
> > > 2014-11-25 17:02:05,402 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was invalid (24)
> > > 2014-11-25 17:02:05,404 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username and password.
> > > 2014-11-25 17:02:05,406 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server
> > > 2014-11-25 17:02:05,408 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-5) Failed to run command LdapSearchGroupsByQueryCommand. Domain is siee.local. User is juanjo@SIEE.LOCAL.
> > >
> > > every time I click Go button. Moreover I haven't changed anything from my Samba4 AD and it is working handling my siee.local domain. This error is showed since oVirt 3.5 upgrade.
> > >
> > > Many thanks in advance,
> > >
> > > Juanjo
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Hello Alon,

I have tried to find this package:

yum list ovirt-engine-extension-aaa-ldap

or

yum list ovirt-engine-extension-*

and always I receive:

Error: No matching Packages to list

Is it possible that I need some special repository?

Many thanks again,

Juanjo.

On Tue, Nov 25, 2014 at 6:32 PM, Alon Bar-Lev alo...@redhat.com wrote:

> Hello Juan,
>
> Do you want to give a chance to the new provider? In this provider I can help?
>
> Package is ovirt-engine-extension-aaa-ldap. Documentation is available here[1].
>
> The chances to make it work are higher, and this is the future of LDAP support.
>
> Alon
>
> [1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Hello Alon and everybody,

Check in my ovirt-engine machine for ovirt-engine-aaa-ldap package and it is not available:

yum list ovirt-engine*
Loaded plugins: fastestmirror, refresh-packagekit, security, versionlock
Loading mirror speeds from cached hostfile
 * base: ftp.udl.es
 * epel: mirror.uv.es
 * extras: ftp.udl.es
 * ovirt-3.5: ftp.nluug.nl
 * ovirt-3.5-epel: mirror.uv.es
 * ovirt-3.5-jpackage-6.0-generic: mirror.ibcp.fr
 * ovirt-epel: mirror.uv.es
 * ovirt-jpackage-6.0-generic: mirror.ibcp.fr
 * updates: ftp.udl.es
Installed Packages
ovirt-engine.noarch 3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-backend.noarch 3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-cli.noarch 3.3.0.6-1.el6 @ovirt-3.3.3
ovirt-engine-dbscripts.noarch 3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-extensions-api-impl.noarch 3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-jboss-as.x86_64 7.1.1-1.el6 @ovirt-3.5
ovirt-engine-lib.noarch 3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-restapi.noarch 3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-sdk-python.noarch 3.5.0.8-1.el6 @ovirt-3.5
ovirt-engine-setup.noarch 3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-setup-base.noarch 3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-setup-plugin-ovirt-engine.noarch 3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-setup-plugin-ovirt-engine-common.noarch 3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-setup-plugin-websocket-proxy.noarch 3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-tools.noarch 3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-userportal.noarch 3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-webadmin-portal.noarch 3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-websocket-proxy.noarch 3.5.0.1-1.el6 @ovirt-3.5
Available Packages
ovirt-engine-cli.noarch 3.5.0.5-1.el6 ovirt-3.5
ovirt-engine-dwh.noarch 3.5.0-1.el6 ovirt-3.5
ovirt-engine-dwh-setup.noarch 3.5.0-1.el6 ovirt-3.5
ovirt-engine-extensions-api-impl-javadoc.noarch 3.5.0.1-1.el6 ovirt-3.5
ovirt-engine-reports.noarch 3.5.1-0.1.el6 ovirt-3.5
ovirt-engine-reports-setup.noarch 3.5.1-0.1.el6 ovirt-3.5
ovirt-engine-sdk-java.noarch 3.5.0.5-1.el6 ovirt-3.5
ovirt-engine-sdk-java-javadoc.noarch 3.5.0.5-1.el6 ovirt-3.5
ovirt-engine-setup-plugin-allinone.noarch

How can I get this package?

Many thanks in advance,

Juanjo.

On Tue, Nov 25, 2014 at 6:32 PM, Alon Bar-Lev alo...@redhat.com wrote:

> Hello Juan,
>
> Do you want to give a chance to the new provider? In this provider I can help?
>
> Package is ovirt-engine-extension-aaa-ldap. Documentation is available here[1].
>
> The chances to make it work are higher, and this is the future of LDAP support.
>
> Alon
>
> [1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
- Original Message -
> From: Juan Jose jj197...@gmail.com
> To: Alon Bar-Lev alo...@redhat.com
> Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org
> Sent: Wednesday, November 26, 2014 3:04:14 PM
> Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
>
> Hello Alon and everybody,
>
> Check in my ovirt-engine machine for ovirt-engine-aaa-ldap package and it is not available:
>
> yum list ovirt-engine*
> Loaded plugins: fastestmirror, refresh-packagekit, security, versionlock
> Loading mirror speeds from cached hostfile
>  * base: ftp.udl.es
>  * epel: mirror.uv.es
>  * extras: ftp.udl.es
>  * ovirt-3.5: ftp.nluug.nl
>  * ovirt-3.5-epel: mirror.uv.es
>  * ovirt-3.5-jpackage-6.0-generic: mirror.ibcp.fr
>  * ovirt-epel: mirror.uv.es
>  * ovirt-jpackage-6.0-generic: mirror.ibcp.fr
>  * updates: ftp.udl.es
> Installed Packages
> ovirt-engine.noarch 3.5.0.1-1.el6 @ovirt-3.5
> ovirt-engine-backend.noarch 3.5.0.1-1.el6 @ovirt-3.5
> ovirt-engine-cli.noarch 3.3.0.6-1.el6 @ovirt-3.3.3
> ovirt-engine-dbscripts.noarch 3.5.0.1-1.el6 @ovirt-3.5
> ovirt-engine-extensions-api-impl.noarch 3.5.0.1-1.el6 @ovirt-3.5
> ovirt-engine-jboss-as.x86_64 7.1.1-1.el6 @ovirt-3.5
> ovirt-engine-lib.noarch 3.5.0.1-1.el6 @ovirt-3.5
> ovirt-engine-restapi.noarch 3.5.0.1-1.el6 @ovirt-3.5
> ovirt-engine-sdk-python.noarch 3.5.0.8-1.el6 @ovirt-3.5
> ovirt-engine-setup.noarch 3.5.0.1-1.el6 @ovirt-3.5
> ovirt-engine-setup-base.noarch 3.5.0.1-1.el6 @ovirt-3.5
> ovirt-engine-setup-plugin-ovirt-engine.noarch 3.5.0.1-1.el6 @ovirt-3.5
> ovirt-engine-setup-plugin-ovirt-engine-common.noarch 3.5.0.1-1.el6 @ovirt-3.5
> ovirt-engine-setup-plugin-websocket-proxy.noarch 3.5.0.1-1.el6 @ovirt-3.5
> ovirt-engine-tools.noarch 3.5.0.1-1.el6 @ovirt-3.5
> ovirt-engine-userportal.noarch 3.5.0.1-1.el6 @ovirt-3.5
> ovirt-engine-webadmin-portal.noarch 3.5.0.1-1.el6 @ovirt-3.5
> ovirt-engine-websocket-proxy.noarch 3.5.0.1-1.el6 @ovirt-3.5
> Available Packages
> ovirt-engine-cli.noarch 3.5.0.5-1.el6 ovirt-3.5
> ovirt-engine-dwh.noarch 3.5.0-1.el6 ovirt-3.5
> ovirt-engine-dwh-setup.noarch 3.5.0-1.el6 ovirt-3.5
> ovirt-engine-extensions-api-impl-javadoc.noarch 3.5.0.1-1.el6 ovirt-3.5
> ovirt-engine-reports.noarch 3.5.1-0.1.el6 ovirt-3.5
> ovirt-engine-reports-setup.noarch 3.5.1-0.1.el6 ovirt-3.5
> ovirt-engine-sdk-java.noarch 3.5.0.5-1.el6 ovirt-3.5
> ovirt-engine-sdk-java-javadoc.noarch 3.5.0.5-1.el6 ovirt-3.5
> ovirt-engine-setup-plugin-allinone.noarch
>
> How can I get this package?

Thanks for trying!
Package is available at ovirt-3.5-snapshot[1].

[1] http://resources.ovirt.org/pub/ovirt-3.5-snapshot/

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Hello everybody,

Ondra you are right, I removed the domain. I have already tried to execute the command with lower case the domain name and the result is the same:

engine-manage-domains add --domain=siee.local --provider=ad --user=Administrator --add-permissions
Enter password:
No user in Directory was found for Administrator@SIEE.LOCAL. Trying next LDAP server in list
Failure while testing domain siee.local. Details: No user information was found for user

the result to the command

psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"

is:

psql: FATAL: Ident authentication failed for user engine

And for second command

psql -U engine -d engine -c "update vdc_options set option_value='siee.local:GSSAPI' where option_name='LDAPSecurityAuthentication'"

I receive the same response:

psql: FATAL: Ident authentication failed for user engine

Is there any problem?

Many thanks in advance,

Juanjo.

On Mon, Nov 24, 2014 at 1:57 PM, Ondra Machacek omach...@redhat.com wrote:

> I understood that domain can be deleted, but can't be added, so there won't be needed values to update in vdc_options.
>
> Juanjo - Can you please provide us what's the result of command:
>
> $ psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"
>
> If it's empty or if the domain name is upper case or lower case? If it's upper, then please lower case it.
>
> $ psql -U engine -d engine -c "update vdc_options set option_value='siee.local:GSSAPI' where option_name='LDAPSecurityAuthentication'"
>
> - Original Message -
> > From: Alon Bar-Lev alo...@redhat.com
> > To: Ondra Machacek omach...@redhat.com
> > Cc: jj197...@gmail.com, users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com
> > Sent: Monday, November 24, 2014 1:49:11 PM
> > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> >
> > - Original Message -
> > > From: Ondra Machacek omach...@redhat.com
> > > To: jj197...@gmail.com
> > > Cc: users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com, Alon Bar-Lev alo...@redhat.com
> > > Sent: Monday, November 24, 2014 2:46:20 PM
> > > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> > >
> > > Please try to run your command with domain in lower case:
> > >
> > > engine-manage-domains add --domain=siee.local --provider=ad --user=Administrator
> >
> > it is already added, won't it be simpler to modify the vdc_options?
> >
> > > - Original Message -
> > > > From: Alon Bar-Lev alo...@redhat.com
> > > > To: Juan Jose jj197...@gmail.com
> > > > Cc: users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com, Ondra Machacek omach...@redhat.com
> > > > Sent: Monday, November 24, 2014 1:27:39 PM
> > > > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> > > >
> > > > Yes, I think we just fixed this[1].
> > > >
> > > > We can fix this manually, yair, ondra what is the easiest fix?
> > > >
> > > > BTW: you can also checkout the new ldap provider (ovirt-engine-extension-aaa-ldap) in 3.5 which should be much more robust[1], I can help you set it up.
> > > >
> > > > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1167211
> > > > [2] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
> > > >
> > > > - Original Message -
> > > > > From: Juan Jose jj197...@gmail.com
> > > > > To: users@ovirt.org
> > > > > Sent: Monday, November 24, 2014 2:22:44 PM
> > > > > Subject: [ovirt-users] Adding domain to oVirt to 3.5 issue
> > > > >
> > > > > Hello everybody,
> > > > >
> > > > > I have upgraded my oVirt 3.4 to 3.5 version without any problem apparently. After finish the upgrade I have tried to login with any of my AD users from my Samba 4, like I used to do in oVirt 3.4 but I received authentication errors as below error:
> > > > >
> > > > > 2014-11-21 14:06:02,681 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-3) Kerberos error: Pre-authentication information was invalid (24)
> > > > > 2014-11-21 14:06:02,683 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-3) Authentication Failed. Please verify the username and password.
> > > > > 2014-11-21 14:06:02,685 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server
> > > > > 2014-11-21 14:06:02,688 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-3) Failed to run command LdapGetAdUserByUserNameCommand. Domain is siee.local. User is juanjo@SIEE.LOCAL.
> > > > > 2014-11-21 14:06:02,690 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Hi, can you please try different account than Administrator? - Original Message - From: Juan Jose jj197...@gmail.com To: omach...@redhat.com, alo...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org Sent: Tuesday, November 25, 2014 11:01:13 AM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue Hello everybody, Ondra you are right, I removed the domain. I have already tried to execute the command with lower case the domain name and the result is the same engine-manage-domains add --domain=siee.local --provider=ad --user=Administrator --add-permissions Enter password: No user in Directory was found for Administrator@SIEE.LOCAL. Trying next LDAP server in list Failure while testing domain siee.local. Details: No user information was found for user the result to the command psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'" is: psql: FATAL: Ident authentication failed for user engine And for second command psql -U engine -d engine -c "update vdc_options set option_value='siee.local:GSSAPI' where option_name='LDAPSecurityAuthentication'", I receive the same response: psql: FATAL: Ident authentication failed for user engine Is there any problem? Many thanks in advance, Juanjo. On Mon, Nov 24, 2014 at 1:57 PM, Ondra Machacek omach...@redhat.com wrote: I understood that domain can be deleted, but can't be added, so there won't be needed values to update in vdc_options. Juanjo - Can you please provide us what's the result of command: $ psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'" If it's empty or if the domain name is upper case or lower case? If it's upper, then please lower case it.
$ psql -U engine -d engine -c "update vdc_options set option_value='siee.local:GSSAPI' where option_name='LDAPSecurityAuthentication'" - Original Message - From: Alon Bar-Lev alo...@redhat.com To: Ondra Machacek omach...@redhat.com Cc: jj197...@gmail.com, users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com Sent: Monday, November 24, 2014 1:49:11 PM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue - Original Message - From: Ondra Machacek omach...@redhat.com To: jj197...@gmail.com Cc: users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com, Alon Bar-Lev alo...@redhat.com Sent: Monday, November 24, 2014 2:46:20 PM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue Please try to run your command with domain in lower case: engine-manage-domains add --domain=siee.local --provider=ad --user=Administrator it is already added, won't it be simpler to modify the vdc_options? - Original Message - From: Alon Bar-Lev alo...@redhat.com To: Juan Jose jj197...@gmail.com Cc: users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com, Ondra Machacek omach...@redhat.com Sent: Monday, November 24, 2014 1:27:39 PM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue Yes, I think we just fixed this[1]. We can fix this manually, yair, ondra what is the easiest fix? BTW: you can also checkout the new ldap provider (ovirt-engine-extension-aaa-ldap) in 3.5 which should be much more robust[1], I can help you set it up. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1167211 [2] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD - Original Message - From: Juan Jose jj197...@gmail.com To: users@ovirt.org Sent: Monday, November 24, 2014 2:22:44 PM Subject: [ovirt-users] Adding domain to oVirt to 3.5 issue Hello everybody, I have upgraded my oVirt 3.4 to 3.5 version without any problem apparently.
After finish the upgrade I have tried to login with any of my AD users from my Samba 4, like I used to do in oVirt 3.4 but I received authentication errors as below error: 2014-11-21 14:06:02,681 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-3) Kerberos error: Pre-authentication information was invalid (24) 2014-11-21 14:06:02,683 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-3) Authentication Failed. Please verify the username and password. 2014-11-21 14:06:02,685 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
2014-11-25 12:54:10,687 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server - Original Message - From: Juan Jose jj197...@gmail.com To: Ondra Machacek omach...@redhat.com, alo...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org Sent: Tuesday, November 25, 2014 2:29:26 PM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue Hello Ondra and everybody, It works with my other user: engine-manage-domains add --domain=siee.local --provider=ad --user=juanjo --add-permissions Enter password: Successfully added domain siee.local. oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart). Manage Domains completed successfully But after restarted ovirt-engine if I try to log in with juanjo in the administrator portal and I receive the error General command validation failure, as you can see in the attached image. I'm showing below the engine.log lines with the error: 2014-11-25 12:54:10,680 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was invalid (24) 2014-11-25 12:54:10,681 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username and password. 2014-11-25 12:54:10,687 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password..
We should not try the next server 2014-11-25 12:54:10,688 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-5) Failed to run command LdapGetAdUserByUserNameCommand. Domain is siee.local. User is juanjo@SIEE.LOCAL. 2014-11-25 12:54:10,689 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-5) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Are you sure you use correct password? See[1] 0x18 - This indicates failure to obtain ticket, possibly due to the client providing the wrong password. If you are sure, then please also check AD logs. [1] - http://support.microsoft.com/kb/230476 - Original Message - From: Alon Bar-Lev alo...@redhat.com To: Juan Jose jj197...@gmail.com Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org Sent: Tuesday, November 25, 2014 1:49:20 PM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue 2014-11-25 12:54:10,687 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server - Original Message - From: Juan Jose jj197...@gmail.com To: Ondra Machacek omach...@redhat.com, alo...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org Sent: Tuesday, November 25, 2014 2:29:26 PM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue Hello Ondra and everybody, It works with my other user: engine-manage-domains add --domain=siee.local --provider=ad --user=juanjo --add-permissions Enter password: Successfully added domain siee.local. oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart). Manage Domains completed successfully But after restarted ovirt-engine if I try to log in with juanjo in the administrator portal and I receive the error General command validation failure, as you can see in the attached image.
I'm showing below the engine.log lines with the error: 2014-11-25 12:54:10,680 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was invalid (24) 2014-11-25 12:54:10,681 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username and password. 2014-11-25 12:54:10,687 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server 2014-11-25 12:54:10,688 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-5) Failed to run command LdapGetAdUserByUserNameCommand. Domain is siee.local. User is juanjo@SIEE.LOCAL. 
2014-11-25 12:54:10,689 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-5) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
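The engine.log pattern quoted throughout this thread, as an added example that is not part of any message in it: a small Python parser that groups the kerberosldap ERROR lines into one event per failed login or search and names the Kerberos code from the RFC 4120 error table (24 is KDC_ERR_PREAUTH_FAILED, the 0x18 discussed above). The function names are made up for illustration, and the sample lines are constructed from the excerpts quoted in this thread.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Subset of the Kerberos error codes defined in RFC 4120, section 7.5.9.
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
}

# "<date> <time>,<ms> LEVEL [logger] (thread) message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
KRB_RE = re.compile(r"Kerberos error: .*\((\d+)\)\s*$")
SEARCH_RE = re.compile(r"Failed ldap search server (\S+) using user (\S+) due to")
CMD_RE = re.compile(r"Failed to run command (\w+)\. Domain is (\S+?)\. User is (\S+?)\.$")

# Constructed sample in the format of the engine.log excerpts quoted in this thread.
SAMPLE = """\
2014-11-25 17:02:05,355 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was invalid (24)
2014-11-25 17:02:05,356 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username and password.
2014-11-25 17:02:05,357 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server
2014-11-25 17:02:05,359 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-5) Failed to run command LdapSearchUserByQueryCommand. Domain is siee.local. User is juanjo@SIEE.LOCAL.
2014-11-25 17:02:05,402 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was invalid (24)
2014-11-25 17:02:05,406 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server
2014-11-25 17:02:05,408 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-5) Failed to run command LdapSearchGroupsByQueryCommand. Domain is siee.local. User is juanjo@SIEE.LOCAL.
"""


def parse_events(lines, window=timedelta(seconds=2)):
    """Group ERROR lines into one event per Kerberos failure, keyed by thread."""
    open_events = {}  # thread name -> event still collecting details
    events = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m["level"] != "ERROR":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        thread, msg = m["thread"], m["msg"].strip()
        krb = KRB_RE.search(msg)
        if krb:
            # A Kerberos error line starts a new event on this thread.
            code = int(krb.group(1))
            ev = {"time": ts, "thread": thread, "code": code,
                  "name": KRB_ERRORS.get(code, "UNKNOWN"),
                  "server": None, "principal": None,
                  "command": None, "domain": None}
            open_events[thread] = ev
            events.append(ev)
            continue
        ev = open_events.get(thread)
        if ev is None or ts - ev["time"] > window:
            continue  # unrelated line, or too late to belong to the event
        found = SEARCH_RE.search(msg)
        if found:
            ev["server"], ev["principal"] = found.groups()
        cmd = CMD_RE.search(msg)
        if cmd:
            ev["command"], ev["domain"], user = cmd.groups()
            ev["principal"] = ev["principal"] or user
            del open_events[thread]  # the command line closes the event
    return events


def summarize(events):
    """Count failures per principal and Kerberos error name."""
    counts = {}
    for ev in events:
        counts.setdefault(ev["principal"], Counter())[ev["name"]] += 1
    return {principal: dict(c) for principal, c in counts.items()}


if __name__ == "__main__":
    for ev in parse_events(SAMPLE.splitlines()):
        print(ev["time"], ev["principal"], ev["server"], ev["name"], ev["command"])
    print(summarize(parse_events(SAMPLE.splitlines())))
```

Run against a real /var/log/ovirt-engine/engine.log by passing the open file to parse_events instead of the sample.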
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Also, can you please try to search within this domain, not only login to it? Does it fail or works good? (in webadmin go to users tab and click add, select your domain and search for users). - Original Message - From: Alon Bar-Lev alo...@redhat.com To: Juan Jose jj197...@gmail.com Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org Sent: Tuesday, November 25, 2014 1:49:20 PM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue 2014-11-25 12:54:10,687 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server - Original Message - From: Juan Jose jj197...@gmail.com To: Ondra Machacek omach...@redhat.com, alo...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org Sent: Tuesday, November 25, 2014 2:29:26 PM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue Hello Ondra and everybody, It works with my other user: engine-manage-domains add --domain=siee.local --provider=ad --user=juanjo --add-permissions Enter password: Successfully added domain siee.local. oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart). Manage Domains completed successfully But after restarted ovirt-engine if I try to log in with juanjo in the administrator portal and I receive the error General command validation failure, as you can see in the attached image.
I'm showing below the engine.log lines with the error: 2014-11-25 12:54:10,680 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was invalid (24) 2014-11-25 12:54:10,681 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username and password. 2014-11-25 12:54:10,687 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server 2014-11-25 12:54:10,688 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-5) Failed to run command LdapGetAdUserByUserNameCommand. Domain is siee.local. User is juanjo@SIEE.LOCAL. 
2014-11-25 12:54:10,689 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-5) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Hello Juan, Do you want to give a chance to the new provider? In this provider I can help? Package is ovirt-engine-extension-aaa-ldap. Documentation is available here[1]. The chances to make it work are higher, and this is the future of LDAP support. Alon [1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Did you recently update Cyrus SASL? -- Sent from my HP Pre3 On Nov 25, 2014 11:09 AM, Juan Jose jj197...@gmail.com wrote: Hello again, Yes the password is correct, I can login in a Windows machine to my domain siee.local with the user Juanjo. Moreover I have changed this user password to simpler one and the result is the same. I have logged in administration portal with internal admin user and I try to navigate through the domain to find user to assign some user in a VM but nothing is showed as you can see in the attached screen image and any error is faced in administration portal, but the /var/log/ovirt-engine/engine.log show this: 2014-11-25 17:02:05,355 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was invalid (24) 2014-11-25 17:02:05,356 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username and password. 2014-11-25 17:02:05,357 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server 2014-11-25 17:02:05,359 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-5) Failed to run command LdapSearchUserByQueryCommand. Domain is siee.local. User is juanjo@SIEE.LOCAL. 2014-11-25 17:02:05,402 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was invalid (24) 2014-11-25 17:02:05,404 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Authentication Failed.
Please verify the username and password. 2014-11-25 17:02:05,406 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server 2014-11-25 17:02:05,408 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-5) Failed to run command LdapSearchGroupsByQueryCommand. Domain is siee.local. User is juanjo@SIEE.LOCAL. every time I click Go button. Moreover I haven't changed anything from my Samba4 AD and it is working handling my siee.local domain. This error is showed since oVirt 3.5 upgrade. Many thanks in advance, Juanjo. On Tue, Nov 25, 2014 at 2:29 PM, Ondra Machacek omach...@redhat.com wrote: Also, can you please try to search within this domain, not only login to it? Does it fail or works good? (in webadmin go to users tab and click add, select your domain and search for users). - Original Message - From: Alon Bar-Lev alo...@redhat.com To: Juan Jose jj197...@gmail.com Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org Sent: Tuesday, November 25, 2014 1:49:20 PM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue 2014-11-25 12:54:10,687 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password..
We should not try the next server - Original Message - From: Juan Jose jj197...@gmail.com To: Ondra Machacek omach...@redhat.com, alo...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org Sent: Tuesday, November 25, 2014 2:29:26 PM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue Hello Ondra and everybody, It works with my other user: engine-manage-domains add --domain=siee.local --provider=ad --user=juanjo --add-permissions Enter password: Successfully added domain siee.local. oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart). Manage Domains completed successfully But after restarted ovirt-engine if I try to log in with juanjo in the administrator portal and I receive the error General command validation failure, as you can see in the attached image. I'm showing below the engine.log lines with the error: 2014-11-25 12:54:10,680 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was invalid (24) 2014-11-25 12:54:10,681 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Authentication
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
- Original Message - From: Juan Jose jj197...@gmail.com To: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, alo...@redhat.com, users@ovirt.org Sent: Tuesday, November 25, 2014 6:09:18 PM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue Hello again, Yes the password is correct, I can login in a Windows machine to my domain siee.local with the user Juanjo. Moreover I have changed this user password to simpler one and the result is the same. I have logged in administration portal with internal admin user and I try to navigate through the domain to find user to assign some user in a VM but nothing is showed as you can see in the attached screen image and any error is faced in administration portal, but the /var/log/ovirt-engine/engine.log show this: 2014-11-25 17:02:05,355 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was invalid (24) 2014-11-25 17:02:05,356 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username and password. 2014-11-25 17:02:05,357 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server 2014-11-25 17:02:05,359 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-5) Failed to run command LdapSearchUserByQueryCommand. Domain is siee.local. User is juanjo@SIEE.LOCAL.
2014-11-25 17:02:05,402 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was invalid (24) 2014-11-25 17:02:05,404 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username and password. 2014-11-25 17:02:05,406 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server 2014-11-25 17:02:05,408 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-5) Failed to run command LdapSearchGroupsByQueryCommand. Domain is siee.local. User is juanjo@SIEE.LOCAL. every time I click Go button. Moreover I haven't changed anything from my Samba4 AD and it is working handling my siee.local domain. This error is showed since oVirt 3.5 upgrade. Many thanks in advance, Juanjo. As Alon suggested, you can try the next provider for 3.5 However, until you do so, can you use kinit in order to perform kerberos authentication with the problematic user? Cheers, Yair On Tue, Nov 25, 2014 at 2:29 PM, Ondra Machacek omach...@redhat.com wrote: Also, can you please try to search within this domain, not only login to it? Does it fail or works good? (in webadmin go to users tab and click add, select your domain and search for users). 
- Original Message - From: Alon Bar-Lev alo...@redhat.com To: Juan Jose jj197...@gmail.com Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org Sent: Tuesday, November 25, 2014 1:49:20 PM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue 2014-11-25 12:54:10,687 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server - Original Message - From: Juan Jose jj197...@gmail.com To: Ondra Machacek omach...@redhat.com, alo...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org Sent: Tuesday, November 25, 2014 2:29:26 PM Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue Hello Ondra and everybody, It works with my other user: engine-manage-domains add --domain=siee.local --provider=ad --user=juanjo --add-permissions Enter password: Successfully added domain siee.local. oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart). Manage Domains completed successfully But after restarted ovirt-engine if I try to log in with juanjo in the administrator portal and I
[ovirt-users] Adding domain to oVirt to 3.5 issue
Hello everybody, I have upgraded my oVirt 3.4 to 3.5 version without any problem apparently. After finish the upgrade I have tried to login with any of my AD users from my Samba 4, like I used to do in oVirt 3.4 but I received authentication errors as below error: 2014-11-21 14:06:02,681 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-3) Kerberos error: Pre-authentication information was invalid (24) 2014-11-21 14:06:02,683 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-3) Authentication Failed. Please verify the username and password. 2014-11-21 14:06:02,685 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-3) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server 2014-11-21 14:06:02,688 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-3) Failed to run command LdapGetAdUserByUserNameCommand. Domain is siee.local. User is juanjo@SIEE.LOCAL. 
2014-11-21 14:06:02,690 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Yes, I think we just fixed this[1]. We can fix this manually, yair, ondra what is the easiest fix?

BTW: you can also checkout the new ldap provider (ovirt-engine-extension-aaa-ldap) in 3.5 which should be much more robust[1], I can help you set it up.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1167211
[2] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD

- Original Message -
From: Juan Jose jj197...@gmail.com
To: users@ovirt.org
Sent: Monday, November 24, 2014 2:22:44 PM
Subject: [ovirt-users] Adding domain to oVirt to 3.5 issue
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Please try to run your command with domain in lower case:

engine-manage-domains add --domain=siee.local --provider=ad --user=Administrator

- Original Message -
From: Alon Bar-Lev alo...@redhat.com
To: Juan Jose jj197...@gmail.com
Cc: users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com, Ondra Machacek omach...@redhat.com
Sent: Monday, November 24, 2014 1:27:39 PM
Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
- Original Message -
From: Ondra Machacek omach...@redhat.com
To: jj197...@gmail.com
Cc: users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com, Alon Bar-Lev alo...@redhat.com
Sent: Monday, November 24, 2014 2:46:20 PM
Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

Please try to run your command with domain in lower case:

engine-manage-domains add --domain=siee.local --provider=ad --user=Administrator

it is already added, won't it simpler to modify the vdc_options?
Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
I understood that domain can be deleted, but can't be added, so there won't be needed values to update in vdc_options.

Juanjo - Can you please provide us what's the result of command:

$ psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"

If it's empty or if the domain name is upper case or lower case? If it's upper, then please lower case it.

$ psql -U engine -d engine -c "update vdc_options set option_value='siee.local:GSSAPI' where option_name='LDAPSecurityAuthentication'"

- Original Message -
From: Alon Bar-Lev alo...@redhat.com
To: Ondra Machacek omach...@redhat.com
Cc: jj197...@gmail.com, users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com
Sent: Monday, November 24, 2014 1:49:11 PM
Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
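Added example, not part of the original thread and not oVirt's own tooling: a shell helper for the check suggested in the message above. It lower-cases the domain part of an LDAPSecurityAuthentication value and prints the matching UPDATE statement, refusing values with unexpected characters before they are placed into SQL. The function names and the comma-separated form for several domains are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the oVirt project).
# Assumption: the option value is "domain:method", with several domains
# separated by commas, e.g. "siee.local:GSSAPI".

# Print the value with every domain part lower-cased; the method is kept as-is.
# Exit status: 0 ok, 1 malformed or unexpected characters, 2 empty value.
normalize_ldap_auth() (
    value=$1
    [ -n "$value" ] || exit 2
    case $value in
        *[!A-Za-z0-9.:,_-]*) exit 1 ;;   # refuse quotes, spaces, globs, etc.
    esac
    IFS=,
    out=
    for entry in $value; do
        case $entry in
            *:*:*) exit 1 ;;             # more than one colon in an entry
            ?*:?*) ;;                    # non-empty domain and method
            *) exit 1 ;;
        esac
        domain=$(printf '%s' "${entry%%:*}" | tr '[:upper:]' '[:lower:]')
        method=${entry#*:}
        out="${out:+$out,}$domain:$method"
    done
    printf '%s\n' "$out"
)

# Print the UPDATE statement only when the stored value actually needs fixing.
# Exit status: 0 statement printed, 3 already lower case, 1/2 as above.
ldap_auth_update_sql() (
    fixed=$(normalize_ldap_auth "$1") || exit $?
    [ "$fixed" != "$1" ] || exit 3
    printf "update vdc_options set option_value='%s' where option_name='LDAPSecurityAuthentication'\n" "$fixed"
)

# Constructed sample value with an upper-case domain.
ldap_auth_update_sql 'SIEE.LOCAL:GSSAPI' || echo "nothing to update (status $?)"
```

The printed statement is what would be passed to psql -U engine -d engine -c "..." as in the message above.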