Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-12-10 Thread Alon Bar-Lev


- Original Message -
 From: Juan Jose jj197...@gmail.com
 To: Alon Bar-Lev alo...@redhat.com, Yair Zaslavsky yzasl...@redhat.com
 Sent: Wednesday, December 10, 2014 12:30:34 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 Hello Alon and Yair,
 
 Many thanks for your help, finally it works properly. My problem, after
 last Alon indications was that my user Juanjo was defined with SuperUser
 role in the previous domain configuration. I have logged in with admin user
 from internal and I have removed old configuration and I have configured my
 user Juanjo with all administrators roles in folder Permission and I
 can log in in administration portal without problems and it works properly.
 
 My final configuration I have is an emulated *AD based on Samba 4* and the
 final configuration files are:

Good!
So samba is not emulating active directory entirely :)
But good to know it is working.
Please also checkout group membership.

 ovirt-engine-extension-aaa-ldap.noarch
 1.0.1-0.0.master.20141209141731.git0437701.el6

this fix for samba ad will be released in 1.0.1.

 
 */etc/ovirt-engine/extensions.d/siee-local-authn.properties*:
 
 ovirt.engine.extension.name = siee-local-authn
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
 ovirt.engine.aaa.authn.profile.name = siee
 ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/siee.properties
 
 */etc/ovirt-engine/extensions.d/siee-local-authz.properties*:
 
 ovirt.engine.extension.name = siee-local-authz
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/siee.properties
 
 */etc/ovirt-engine/aaa/siee.properties*:
 
 include = ad.properties
 
 #
 # Active directory domain name.
 #
 vars.domain = siee.local
 
 #
 # Search user and its password.
 #
 vars.user = searcher@${global:vars.domain}
 vars.password = 
 
 #
 # Optional DNS servers, if enterprise
 # DNS server cannot resolve the domain srvrecord.
 #
 #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
 
 pool.default.serverset.type = srvrecord
 pool.default.serverset.srvrecord.domain = ${global:vars.domain}
 pool.default.auth.simple.bindDN = ${global:vars.user}
 pool.default.auth.simple.password = ${global:vars.password}
 
 # Uncomment if using custom DNS
 #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
 #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
 
 # Create keystore, import certificate chain and uncomment
 # if using ssl/tls.
 #pool.default.ssl.startTLS = true
 #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
 #pool.default.ssl.truststore.password = changeit

You should enable SSL for production use... as you do not want passwords to be 
transmitted in clear.
Not sure how you install ssl on the samba ldap... but once you do, follow the 
README instructions[1]

[1] 
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l141

 
 */etc/krb5.conf*:

You are not using kerberos, so there is no reason to configure it for setup to 
work.

 
 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
 
 [libdefaults]
  default_realm = SIEE.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = no
  default_tkt_enctypes = arcfour-hmac-md5
  udp_preference_limit = 1
 
 #[realms]
 
 #[domain_realm]
 # .siee.local = SIEE.LOCAL
 # siee.local = SIEE.LOCAL
 
 
 Many thanks again to everybody,
 
 Juanjo.
 
 On Tue, Dec 9, 2014 at 5:31 PM, Alon Bar-Lev alo...@redhat.com wrote:
 
 
 
  - Original Message -
   From: Juan Jose jj197...@gmail.com
   To: Alon Bar-Lev alo...@redhat.com, Yair Zaslavsky 
  yzasl...@redhat.com
   Sent: Tuesday, December 9, 2014 5:42:56 PM
   Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
  
   Hello Alon,
  
   In my first e-mails I had already said that I have an emulation of AD
   based on Samba 4. I have tested the last version of
   ovirt-engine-extension-aaa-ldap package and I think the problem is the
  same
   although the error is User is not authorized to perform this action.
  
   I attach the engine.log.
 
  USER_NOT_AUTHORIZED_TO_PERFORM_ACTION means user is not superuser or can
  manage objects as far as I

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-12-09 Thread Alon Bar-Lev
We start over...

This is not active directory... it is samba.

Attribute(name=vendorName, values={'Samba Team (http://samba.org)'})

Only now I realized this, maybe you mentioned it earlier not sure.

Of course this was never tested, so probably not working.

I see that samba does not return a list of extended operations, I will 
work around this and we can see what else differs from active directory.

Thanks,
Alon
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-12-09 Thread Alon Bar-Lev


- Original Message -
 From: Alon Bar-Lev alo...@redhat.com
 To: Juan Jose jj197...@gmail.com
 Cc: users users@ovirt.org
 Sent: Tuesday, December 9, 2014 3:59:33 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 We start over...
 
 This is not active directory... it is samba.
 
 Attribute(name=vendorName, values={'Samba Team (http://samba.org)'})
 
 Only now I realized this, maybe you mentioned it earlier not sure.
 
 Of course this was never tested, so probably not working.
 
 I see that samba does not return a list of extended operations, I will
 work around this and we can see what else differs from active directory.

Can you please checkout the following rpm[1]?

[1] 
http://jenkins.ovirt.org/job/ovirt-engine-extension-aaa-ldap_master_create-rpms-el6-x86_64_merged/


Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-12-05 Thread Juan Jose
Hello Alon,

I have done what you have said. My new configuration files are:

/etc/ovirt-engine/extensions.d/siee-local-authn.properties:

ovirt.engine.extension.name = siee-local-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = siee
ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
config.profile.file.1 = aaa/siee.properties

/etc/ovirt-engine/extensions.d/siee-local-authz.properties:

ovirt.engine.extension.name = siee-local-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = aaa/siee.properties

/etc/ovirt-engine/extensions.d/aaa/siee.properties:

include = ad.properties

#
# Active directory domain name.
#
vars.domain = siee.local

#
# Search user and its password.
#
vars.user = searcher@${global:vars.domain}
vars.password = xxx

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
#vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}

pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
#pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
#pool.default.socketfactory.resolver.uRL = ${global:vars.dns}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
#pool.default.ssl.truststore.password = changeit

After reconfigure my files with ovirt-engine stopped I have started
ovirt-engine and I have tried to log in. The error persists,
General command validation failure. and after that I have stopped
ovirt-engine again. I attach my engine.log file.

Many thanks again,

Juanjo.


On Tue, Dec 2, 2014 at 3:46 PM, Alon Bar-Lev alo...@redhat.com wrote:



 - Original Message -
  From: Juan Jose jj197...@gmail.com
  To: Alon Bar-Lev alo...@redhat.com
  Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
 yzasl...@redhat.com, users@ovirt.org
  Sent: Tuesday, December 2, 2014 3:48:54 PM
  Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
  Hello Alon and everybody,
 
  I have installed package ovirt-engine-extension-aaa-ldap and configure my
  files as the documentation says. The files are:
 
  /etc/ovirt-engine/extensions.d/siee.local-authn.properties:
 
  ovirt.engine.extension.name = siee.local-authn
  ovirt.engine.extension.bindings.method = jbossmodule
  ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
  ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
  ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
  ovirt.engine.aaa.authn.profile.name = siee.local
  ovirt.engine.aaa.authn.authz.plugin = siee.local-authz
  config.profile.file.1 = aaa/siee.local.properties

 please use an absolute file name for 3.5.0; relative will be available in 3.5.1

 
  /etc/ovirt-engine/extensions.d/siee.local-authz.properties:
 
  ovirt.engine.extension.name = siee.local-authz
  ovirt.engine.extension.bindings.method = jbossmodule
  ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
  ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
  ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
  config.profile.file.1 = aaa/siee.local.properties

 please use an absolute file name for 3.5.0; relative will be available in 3.5.1


 
  /etc/ovirt-engine/extensions.d/aaa/siee.local.properties:
 
  include = ad.properties
 
  #
  # Active directory domain name.
  #
  vars.domain = siee.local
 
  #
  # Search user and its password.
  #
  vars.user = juanjo@${global:vars.domain}
  vars.password = 

 this should be a dedicated user for search, not your private user.

 
  #
  # Optional DNS servers, if enterprise
  # DNS server cannot resolve the domain srvrecord.
  #
  #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
 
  pool.default.serverset.type = srvrecord
  pool.default.serverset.srvrecord.domain = ${global:vars.domain}
  pool.default.auth.simple.bindDN = ${global:vars.user}
  pool.default.auth.simple.password

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-12-05 Thread Alon Bar-Lev

Hi!

You have the following errors:

2014-12-05 09:32:31,778 INFO  
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
1-5) Loading extension 'siee-local-authn'
2014-12-05 09:32:31,819 ERROR 
[org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC 
service thread 1-5) Could not load extension based on configuration file 
'/etc/ovirt-engine/extensions.d/siee-local-authn.properties'. Please check the 
configuration file is valid. Exception message is: Error loading extension 
'siee-local-authn': /aaa/siee.properties (No such file or directory)
2014-12-05 09:32:31,823 INFO  
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
1-5) Loading extension 'siee-local-authz'
2014-12-05 09:32:31,824 ERROR 
[org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC 
service thread 1-5) Could not load extension based on configuration file 
'/etc/ovirt-engine/extensions.d/siee-local-authz.properties'. Please check the 
configuration file is valid. Exception message is: Error loading extension 
'siee-local-authz': /aaa/siee.properties (No such file or directory)

Per my last message, you should provide absolute file names if you use 3.5.0.
Please see inline comments below.

Also, you are trying to authenticate with the legacy provider:

2014-12-05 09:33:04,871 ERROR 
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] 
(ajp--127.0.0.1-8702-5) Failed ldap search server 
ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to 
Authentication Failed. Please verify the username and password.. We should not 
try the next server

Can you please use engine-manage-domains to remove the legacy (old) domain, so 
we reduce confusion?

Thanks!

- Original Message -
 From: Juan Jose jj197...@gmail.com
 To: Alon Bar-Lev alo...@redhat.com
 Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
 yzasl...@redhat.com, users@ovirt.org
 Sent: Friday, December 5, 2014 10:43:01 AM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 Hello Alon,
 
 I have done what you have said. My new configuration files are:
 
 /etc/ovirt-engine/extensions.d/siee-local-authn.properties:
 
 ovirt.engine.extension.name = siee-local-authn
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
 ovirt.engine.aaa.authn.profile.name = siee
 ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
 config.profile.file.1 = aaa/siee.properties

should be: /etc/ovirt-engine/extensions.d/aaa/siee.properties in 3.5.0 or can 
be ../aaa/siee.properties in 3.5.1.

 
 /etc/ovirt-engine/extensions.d/siee-local-authz.properties:
 
 ovirt.engine.extension.name = siee-local-authz
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
 config.profile.file.1 = aaa/siee.properties

should be: /etc/ovirt-engine/extensions.d/aaa/siee.properties in 3.5.0 or can 
be ../aaa/siee.properties in 3.5.1.


 
 /etc/ovirt-engine/extensions.d/aaa/siee.properties:
 
 include = ad.properties
 
 #
 # Active directory domain name.
 #
 vars.domain = siee.local
 
 #
 # Search user and its password.
 #
 vars.user = searcher@${global:vars.domain}
 vars.password = xxx
 
 #
 # Optional DNS servers, if enterprise
 # DNS server cannot resolve the domain srvrecord.
 #
 #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
 
 pool.default.serverset.type = srvrecord
 pool.default.serverset.srvrecord.domain = ${global:vars.domain}
 pool.default.auth.simple.bindDN = ${global:vars.user}
 pool.default.auth.simple.password = ${global:vars.password}
 
 # Uncomment if using custom DNS
 #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
 #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
 
 # Create keystore, import certificate chain and uncomment
 # if using ssl/tls.
 #pool.default.ssl.startTLS = true
 #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
 #pool.default.ssl.truststore.password = changeit
 
 After reconfigure my files with ovirt-engine stopped I have started
 ovirt-engine and I have tried to log in. The error persist,
 General command validation failure. and after that I have stopped
 ovirt-engine again. I attach my engine.log file.
 
 Many thanks again,
 
 Juanjo.
 
 
 On Tue, Dec 2, 2014 at 3:46 PM, Alon Bar-Lev alo...@redhat.com wrote:
 
 
 
  - Original Message -
   From: Juan Jose jj197...@gmail.com
   To: Alon

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-12-05 Thread Juan Jose
Hello Alon,

I have deleted Legacy domain with engine-manage-domain, and I have changed
configuration to absolute file name as you can see:

/etc/ovirt-engine/extensions.d/siee-local-authn.properties:

ovirt.engine.extension.name = siee-local-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = siee
ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties

/etc/ovirt-engine/extensions.d/siee-local-authz.properties:

ovirt.engine.extension.name = siee-local-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties

I had configured relative file name because the example
/usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/extensions.d/domain1-authz.properties
has a relative file name.

I have done the same: delete engine.log, restart ovirt-engine and try to log
in and the same error is shown, General command validation failure.

Attach engine.log file.

Thanks,

Juanjo.


On Fri, Dec 5, 2014 at 9:52 AM, Alon Bar-Lev alo...@redhat.com wrote:


 Hi!

 You have the following errors:

 2014-12-05 09:32:31,778 INFO
 [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
 thread 1-5) Loading extension 'siee-local-authn'
 2014-12-05 09:32:31,819 ERROR
 [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC
 service thread 1-5) Could not load extension based on configuration file
 '/etc/ovirt-engine/extensions.d/siee-local-authn.properties'. Please check
 the configuration file is valid. Exception message is: Error loading
 extension 'siee-local-authn': /aaa/siee.properties (No such file or
 directory)
 2014-12-05 09:32:31,823 INFO
 [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
 thread 1-5) Loading extension 'siee-local-authz'
 2014-12-05 09:32:31,824 ERROR
 [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC
 service thread 1-5) Could not load extension based on configuration file
 '/etc/ovirt-engine/extensions.d/siee-local-authz.properties'. Please check
 the configuration file is valid. Exception message is: Error loading
 extension 'siee-local-authz': /aaa/siee.properties (No such file or
 directory)

 Per my last message, you should provide absolute file names if you use
 3.5.0.
 Please see inline comments below.

 Also, you are trying to authenticate with the legacy provider:

 2014-12-05 09:33:04,871 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
 (ajp--127.0.0.1-8702-5) Failed ldap search server
 ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
 Authentication Failed. Please verify the username and password.. We should
 not try the next server

 Can you please use engine-manage-domains to remove the legacy (old)
 domain, so we reduce confusion?

 Thanks!

 - Original Message -
  From: Juan Jose jj197...@gmail.com
  To: Alon Bar-Lev alo...@redhat.com
  Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
 yzasl...@redhat.com, users@ovirt.org
  Sent: Friday, December 5, 2014 10:43:01 AM
  Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
  Hello Alon,
 
  I have done what you have said. My new configuration files are:
 
  /etc/ovirt-engine/extensions.d/siee-local-authn.properties:
 
  ovirt.engine.extension.name = siee-local-authn
  ovirt.engine.extension.bindings.method = jbossmodule
  ovirt.engine.extension.binding.jbossmodule.module =
  org.ovirt.engine-extensions.aaa.ldap
  ovirt.engine.extension.binding.jbossmodule.class =
  org.ovirt.engineextensions.aaa.ldap.AuthnExtension
  ovirt.engine.extension.provides =
 org.ovirt.engine.api.extensions.aaa.Authn
  ovirt.engine.aaa.authn.profile.name = siee
  ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
  config.profile.file.1 = aaa/siee.properties

 should be: /etc/ovirt-engine/extensions.d/aaa/siee.properties in 3.5.0 or
 can be ../aaa/siee.properties in 3.5.1.

 
  /etc/ovirt-engine/extensions.d/siee-local-authz.properties:
 
  ovirt.engine.extension.name = siee-local-authz
  ovirt.engine.extension.bindings.method = jbossmodule
  ovirt.engine.extension.binding.jbossmodule.module =
  org.ovirt.engine-extensions.aaa.ldap
  ovirt.engine.extension.binding.jbossmodule.class =
  org.ovirt.engineextensions.aaa.ldap.AuthzExtension
  ovirt.engine.extension.provides

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-12-05 Thread Yair Zaslavsky
We will also need the log of the generic ldap extension, can you please provide it?

Thanks!


- Original Message -
 From: Juan Jose jj197...@gmail.com
 To: Alon Bar-Lev alo...@redhat.com
 Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
 yzasl...@redhat.com, users@ovirt.org
 Sent: Friday, December 5, 2014 1:10:06 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 Hello Alon,
 
 I have deleted Legacy domain with engine-manage-domain, and I have changed
 configuration to absolute file name as you can see:
 
 /etc/ovirt-engine/extensions.d/siee-local-authn.properties:
 
 ovirt.engine.extension.name = siee-local-authn
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module =
 org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class =
 org.ovirt.engineextensions.aaa.ldap.AuthnExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
 ovirt.engine.aaa.authn.profile.name = siee
 ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
 config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties
 
 /etc/ovirt-engine/extensions.d/siee-local-authz.properties:
 
 ovirt.engine.extension.name = siee-local-authz
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module =
 org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class =
 org.ovirt.engineextensions.aaa.ldap.AuthzExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
 config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties
 
 I had configured relative file name because the example
 /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/extensions.d/domain1-authz.properties
 has a relative file name.
 
 I have done the same: delete engine.log, restart ovirt-engine and try log
 in and the same error is showed, General command validation failure.
 
 Attach engine.log file.
 
 Thanks,
 
 Juanjo.
 
 
 On Fri, Dec 5, 2014 at 9:52 AM, Alon Bar-Lev alo...@redhat.com wrote:
 
 
  Hi!
 
  You have the following errors:
 
  2014-12-05 09:32:31,778 INFO
  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
  thread 1-5) Loading extension 'siee-local-authn'
  2014-12-05 09:32:31,819 ERROR
  [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC
  service thread 1-5) Could not load extension based on configuration file
  '/etc/ovirt-engine/extensions.d/siee-local-authn.properties'. Please check
  the configuration file is valid. Exception message is: Error loading
  extension 'siee-local-authn': /aaa/siee.properties (No such file or
  directory)
  2014-12-05 09:32:31,823 INFO
  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
  thread 1-5) Loading extension 'siee-local-authz'
  2014-12-05 09:32:31,824 ERROR
  [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC
  service thread 1-5) Could not load extension based on configuration file
  '/etc/ovirt-engine/extensions.d/siee-local-authz.properties'. Please check
  the configuration file is valid. Exception message is: Error loading
  extension 'siee-local-authz': /aaa/siee.properties (No such file or
  directory)
 
  Per my last message, you should provide absolute file names if you use
  3.5.0.
  Please see inline comments below.
 
  Also, you are trying to authenticate with the legacy provider:
 
  2014-12-05 09:33:04,871 ERROR
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
  (ajp--127.0.0.1-8702-5) Failed ldap search server
  ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
  Authentication Failed. Please verify the username and password.. We should
  not try the next server
 
  Can you please use engine-manage-domains to remove the legacy (old)
  domain, so we reduce confusion?
 
  Thanks!
 
  - Original Message -
   From: Juan Jose jj197...@gmail.com
   To: Alon Bar-Lev alo...@redhat.com
   Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
  yzasl...@redhat.com, users@ovirt.org
   Sent: Friday, December 5, 2014 10:43:01 AM
   Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
  
   Hello Alon,
  
   I have done what you have said. My new configuration files are:
  
   /etc/ovirt-engine/extensions.d/siee-local-authn.properties:
  
   ovirt.engine.extension.name = siee-local-authn
   ovirt.engine.extension.bindings.method = jbossmodule
   ovirt.engine.extension.binding.jbossmodule.module =
   org.ovirt.engine-extensions.aaa.ldap
   ovirt.engine.extension.binding.jbossmodule.class =
   org.ovirt.engineextensions.aaa.ldap.AuthnExtension
   ovirt.engine.extension.provides =
  org.ovirt.engine.api.extensions.aaa.Authn
   ovirt.engine.aaa.authn.profile.name = siee
   ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
   config.profile.file.1 = aaa/siee.properties
 
  should be: /etc/ovirt-engine

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-12-05 Thread Alon Bar-Lev
Hi!

I tested the configuration and it worked properly.

- Original Message -
 From: Juan Jose jj197...@gmail.com
 To: Alon Bar-Lev alo...@redhat.com
 Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
 yzasl...@redhat.com, users@ovirt.org
 Sent: Friday, December 5, 2014 1:10:06 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 Hello Alon,
 
 I have deleted Legacy domain with engine-manage-domain, and I have changed
 configuration to absolute file name as you can see:
 
 /etc/ovirt-engine/extensions.d/siee-local-authn.properties:
 
 ovirt.engine.extension.name = siee-local-authn
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
 ovirt.engine.aaa.authn.profile.name = siee
 ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
 config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties

Please move this file to /etc/ovirt-engine/aaa/siee.properties, it should not 
reside within the extensions.d

 
 /etc/ovirt-engine/extensions.d/siee-local-authz.properties:
 
 ovirt.engine.extension.name = siee-local-authz
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
 config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties

Same.

 
 I had configured relative file name because the example
 /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/extensions.d/domain1-authz.properties
 has a relative file name.

Yes, as I wrote, this relative is coming in 3.5.1.

 I have done the same: delete engine.log, restart ovirt-engine and try log
 in and the same error is showed, General command validation failure.

Please first refer to the startup errors, there is not much sense in trying to log in if 
startup fails... :)

In your case:

2014-12-05 11:25:05,575 ERROR 
[org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-2) 
[ovirt-engine-extension-aaa-ldap.authz::siee-local-authz] Cannot initialize 
LDAP framework, deferring initialization. Error: null

Which is as if something missing.

I took your configuration as-is and it does work, in the exception of moving 
/etc/ovirt-engine/extensions.d/aaa to /etc/ovirt-engine/aaa as it should be, 
please perform this change and modify the file locations within extension 
properties file.

I need to figure out what is happening, so from README[1], please follow the 
following instructions and restart engine so we get more verbose logs.

Update:
  /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in

Make sure handle level name is ALL for ENGINE, if not set like I am unsure if 
in 3.5.0 this was the case:
---
  <file-handler name="ENGINE" autoflush="true">
    <level name="ALL"/>
---

Add the following before the root-logger line:
---
  <logger category="org.ovirt.engineextensions.aaa.ldap">
    <level name="ALL"/>
  </logger>
---

Restart the engine and send the engine.log, this way I can see what happening 
during initialization.

Thanks for checking it out, hopefully something trivial is missing,
Alon

[1] 
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l230
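
Added example (not part of the original thread, and not code from the oVirt project): a small Python linter for the points raised across these replies, namely absolute `config.profile.file.N` names on 3.5.0, keeping the profile out of `extensions.d`, enabling startTLS, and using a dedicated search user. The finding codes, the `relative_ok` and `personal_accounts` parameters and the sample strings are constructed for illustration; only the property keys and paths come from the messages.

```python
"""Lint oVirt aaa-ldap extension and profile properties for issues raised in this thread."""
import posixpath

EXTENSIONS_DIR = "/etc/ovirt-engine/extensions.d"


def parse_properties(text):
    """Return {key: value} from 'key = value' lines; comments and blanks are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_extension(ext_path, ext_text, relative_ok=False):
    """Check each config.profile.file.N entry of one extensions.d/*.properties file.

    relative_ok=False models 3.5.0 (absolute names required, per the thread).
    True models 3.5.1; resolving a relative name against the directory of the
    extension file is an assumption drawn from the '../aaa/...' hint.
    """
    findings = []
    props = parse_properties(ext_text)
    for key in sorted(k for k in props if k.startswith("config.profile.file.")):
        value = props[key]
        if not posixpath.isabs(value):
            if not relative_ok:
                findings.append(("relative-path",
                                 f"{key} = {value}: use an absolute file name"))
            value = posixpath.join(posixpath.dirname(ext_path), value)
        resolved = posixpath.normpath(value)
        if resolved.startswith(EXTENSIONS_DIR + "/"):
            findings.append(("inside-extensions-d",
                             f"{resolved}: move the profile out of extensions.d"))
    return findings


def lint_profile(profile_text, personal_accounts=()):
    """Check the LDAP profile for cleartext binds and a personal search account."""
    findings = []
    props = parse_properties(profile_text)
    if props.get("pool.default.ssl.startTLS", "").lower() != "true":
        findings.append(("cleartext-ldap",
                         "startTLS is not enabled: passwords are transmitted in clear"))
    elif not props.get("pool.default.ssl.truststore.file"):
        findings.append(("no-truststore",
                         "startTLS is on but no truststore file is set in this profile"))
    bind_user = props.get("vars.user", "").split("@", 1)[0].lower()
    if bind_user in {name.lower() for name in personal_accounts}:
        findings.append(("personal-bind-user",
                         f"vars.user '{bind_user}' is a personal account; "
                         "use a dedicated search user"))
    return findings


# Constructed samples, trimmed from the configurations posted in the thread.
EXT_PATH = "/etc/ovirt-engine/extensions.d/siee-local-authn.properties"
EXT_RELATIVE = """\
ovirt.engine.extension.name = siee-local-authn
ovirt.engine.aaa.authn.profile.name = siee
config.profile.file.1 = aaa/siee.properties
"""
EXT_FINAL = EXT_RELATIVE.replace("aaa/siee.properties",
                                 "/etc/ovirt-engine/aaa/siee.properties")
PROFILE = """\
include = ad.properties
vars.domain = siee.local
vars.user = juanjo@${global:vars.domain}
vars.password = REDACTED
pool.default.auth.simple.bindDN = ${global:vars.user}
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
"""

if __name__ == "__main__":
    results = lint_extension(EXT_PATH, EXT_RELATIVE) + lint_profile(PROFILE, ["juanjo"])
    for code, message in results:
        print(f"{code}: {message}")
```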


Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-12-02 Thread Juan Jose
Hello Alon and everybody,

I have installed package ovirt-engine-extension-aaa-ldap and configure my
files as the documentation says. The files are:

/etc/ovirt-engine/extensions.d/siee.local-authn.properties:

ovirt.engine.extension.name = siee.local-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = siee.local
ovirt.engine.aaa.authn.authz.plugin = siee.local-authz
config.profile.file.1 = aaa/siee.local.properties

/etc/ovirt-engine/extensions.d/siee.local-authz.properties:

ovirt.engine.extension.name = siee.local-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = aaa/siee.local.properties

/etc/ovirt-engine/extensions.d/aaa/siee.local.properties:

include = ad.properties

#
# Active directory domain name.
#
vars.domain = siee.local

#
# Search user and its password.
#
vars.user = juanjo@${global:vars.domain}
vars.password = 

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
#vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}

pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
#pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
#pool.default.socketfactory.resolver.uRL = ${global:vars.dns}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
#pool.default.ssl.truststore.password = changeit

And after this configuration I restart ovirt-engine service. When I try to
login in administrator portal I can see the error The user name or
password is incorrect.. In /var/log/ovirt-engine/engine.log I have the
errors:

2014-12-02 14:02:21,983 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-8) Correlation ID: null, Call Stack: null, Custom
Event ID: -1, Message: User juanjo cannot login, please verify the username
and password.
2014-12-02 14:02:21,991 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-8) Correlation ID: null, Call Stack: null, Custom
Event ID: -1, Message: User juanjo failed to log in.

I'm using correct user and password because I can login in a Windows client
machine which is inside siee.local domain with this user and its correct
password.

What do you think it could be the problem?

If you need more information or I have to configure any other parameters,
please tell me.

Many thanks in advance,

Juanjo.



On Wed, Nov 26, 2014 at 3:19 PM, Alon Bar-Lev alo...@redhat.com wrote:



 - Original Message -
  From: Juan Jose jj197...@gmail.com
  To: Alon Bar-Lev alo...@redhat.com
  Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
 yzasl...@redhat.com, users@ovirt.org
  Sent: Wednesday, November 26, 2014 3:04:14 PM
  Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
  Hello Alon and everybody,
 
  Check in my ovirt-engine machine for ovirt-engine-aaa-ldap package and it
  is not available:
 
  yum list ovirt-engine*
  Loaded plugins: fastestmirror, refresh-packagekit, security, versionlock
  Loading mirror speeds from cached hostfile
   * base: ftp.udl.es
   * epel: mirror.uv.es
   * extras: ftp.udl.es
   * ovirt-3.5: ftp.nluug.nl
   * ovirt-3.5-epel: mirror.uv.es
   * ovirt-3.5-jpackage-6.0-generic: mirror.ibcp.fr
   * ovirt-epel: mirror.uv.es
   * ovirt-jpackage-6.0-generic: mirror.ibcp.fr
   * updates: ftp.udl.es
  Installed Packages
  ovirt-engine.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-backend.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-cli.noarch
  3.3.0.6-1.el6 @ovirt-3.3.3
  ovirt-engine-dbscripts.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-extensions-api-impl.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-jboss-as.x86_64
  7.1.1-1.el6   @ovirt-3.5
  ovirt-engine-lib.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-restapi.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-sdk-python.noarch
  3.5.0.8-1.el6

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-12-02 Thread Alon Bar-Lev


- Original Message -
 From: Juan Jose jj197...@gmail.com
 To: Alon Bar-Lev alo...@redhat.com
 Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
 yzasl...@redhat.com, users@ovirt.org
 Sent: Tuesday, December 2, 2014 3:48:54 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 Hello Alon and everybody,
 
 I have installed package ovirt-engine-extension-aaa-ldap and configured my
 files as the documentation says. The files are:
 
 /etc/ovirt-engine/extensions.d/siee.local-authn.properties:
 
 ovirt.engine.extension.name = siee.local-authn
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
 ovirt.engine.aaa.authn.profile.name = siee.local
 ovirt.engine.aaa.authn.authz.plugin = siee.local-authz
 config.profile.file.1 = aaa/siee.local.properties

please use absolute file name for 3.5.0; relative will be available in 3.5.1

 
 /etc/ovirt-engine/extensions.d/siee.local-authz.properties:
 
 ovirt.engine.extension.name = siee.local-authz
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
 config.profile.file.1 = aaa/siee.local.properties

please use absolute file name for 3.5.0; relative will be available in 3.5.1


 
 /etc/ovirt-engine/extensions.d/aaa/siee.local.properties:
 
 include = ad.properties
 
 #
 # Active directory domain name.
 #
 vars.domain = siee.local
 
 #
 # Search user and its password.
 #
 vars.user = juanjo@${global:vars.domain}
 vars.password = 

this should be a dedicated user for search, not your private user.

 
 #
 # Optional DNS servers, if enterprise
 # DNS server cannot resolve the domain srvrecord.
 #
 #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
 
 pool.default.serverset.type = srvrecord
 pool.default.serverset.srvrecord.domain = ${global:vars.domain}
 pool.default.auth.simple.bindDN = ${global:vars.user}
 pool.default.auth.simple.password = ${global:vars.password}
 
 # Uncomment if using custom DNS
 #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
 #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
 
 # Create keystore, import certificate chain and uncomment
 # if using ssl/tls.
 #pool.default.ssl.startTLS = true
 #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
 #pool.default.ssl.truststore.password = changeit
 
 And after this configuration I restart ovirt-engine service. When I try to
 login in administrator portal I can see the error The user name or
 password is incorrect.. In /var/log/ovirt-engine/engine.log I have the
 errors:
 
 2014-12-02 14:02:21,983 ERROR
 [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
 (ajp--127.0.0.1-8702-8) Correlation ID: null, Call Stack: null, Custom
 Event ID: -1, Message: User juanjo cannot login, please verify the username
 and password.
 2014-12-02 14:02:21,991 ERROR
 [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
 (ajp--127.0.0.1-8702-8) Correlation ID: null, Call Stack: null, Custom
 Event ID: -1, Message: User juanjo failed to log in.
 
 I'm using correct user and password because I can login in a Windows client
 machine which is inside siee.local domain with this user and its correct
 password.
 
 What do you think it could be the problem?
 
 If you need more information or I have to configure any other parameters,
 please tell me.

please attach full engine.log, more correctly, stop engine, remove engine.log, 
start engine, try to login and send log.
please make sure you select the siee.local domain in dropdown of login screen.

when I get the engine.log I will be able to understand how to progress.

thanks!


 
 Many thanks in advance,
 
 Juanjo.
 
 
 
 On Wed, Nov 26, 2014 at 3:19 PM, Alon Bar-Lev alo...@redhat.com wrote:
 
 
 
  - Original Message -
   From: Juan Jose jj197...@gmail.com
   To: Alon Bar-Lev alo...@redhat.com
   Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
  yzasl...@redhat.com, users@ovirt.org
   Sent: Wednesday, November 26, 2014 3:04:14 PM
   Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
  
   Hello Alon and everybody,
  
   Check in my ovirt-engine machine for ovirt-engine-aaa-ldap package and it
   is not available:
  
   yum list ovirt-engine*
   Loaded plugins: fastestmirror, refresh-packagekit, security, versionlock
   Loading mirror speeds from cached hostfile
* base: ftp.udl.es
* epel: mirror.uv.es
* extras: ftp.udl.es
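
The points raised in the reply above (absolute profile paths on 3.5.0, a dedicated search account), together with a check that a simple bind is paired with startTLS, written as a small linter. This is an added example, not part of the original messages or of the oVirt project's code. The finding codes, the `interactive_users` parameter and the `ovirt-search` account name are assumptions made for illustration, and `include` files are not followed.

```python
import posixpath
import re

_REF = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text):
    """Parse 'key = value' lines; '#' comments and blank lines are skipped.
    Simplification: no line continuations, 'include' is not followed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def expand(value, props):
    """Resolve ${global:name} references against the same file."""
    for _ in range(5):  # bounded, so a self-reference cannot loop forever
        new = _REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)
        if new == value:
            break
        value = new
    return value


def lint(authn_text, authz_text, profile_text, interactive_users=()):
    """Return a sorted list of finding codes for one authn/authz/profile set."""
    authn = parse_properties(authn_text)
    authz = parse_properties(authz_text)
    profile = parse_properties(profile_text)
    findings = set()

    # 3.5.0 needs absolute profile paths (relative ones only from 3.5.1).
    for props in (authn, authz):
        for key, value in props.items():
            if key.startswith("config.profile.file.") and not posixpath.isabs(value):
                findings.add("relative-profile-path")

    # The authn extension must point at the authz extension by its exact name.
    plugin = authn.get("ovirt.engine.aaa.authn.authz.plugin")
    if plugin != authz.get("ovirt.engine.extension.name"):
        findings.add("authz-plugin-mismatch")

    bind = expand(profile.get("pool.default.auth.simple.bindDN", ""), profile)
    if bind:
        # A simple bind carries the password itself; without TLS it is sent in clear.
        if profile.get("pool.default.ssl.startTLS", "").lower() != "true":
            findings.add("simple-bind-without-starttls")
        # The search account should be dedicated, not a person's own login.
        if bind.split("@", 1)[0].lower() in {u.lower() for u in interactive_users}:
            findings.add("personal-search-user")
    return sorted(findings)


# Reduced from the configuration posted in the thread.
POSTED_AUTHN = """\
ovirt.engine.extension.name = siee.local-authn
ovirt.engine.aaa.authn.authz.plugin = siee.local-authz
config.profile.file.1 = aaa/siee.local.properties
"""
POSTED_AUTHZ = """\
ovirt.engine.extension.name = siee.local-authz
config.profile.file.1 = aaa/siee.local.properties
"""
POSTED_PROFILE = """\
vars.domain = siee.local
vars.user = juanjo@${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
#pool.default.ssl.startTLS = true
"""

# Constructed corrected variant: absolute path, hypothetical dedicated account,
# startTLS enabled (a truststore with the CA chain is also needed in practice).
ABS = "/etc/ovirt-engine/extensions.d/aaa/siee.local.properties"
FIXED_AUTHN = POSTED_AUTHN.replace("aaa/siee.local.properties", ABS)
FIXED_AUTHZ = POSTED_AUTHZ.replace("aaa/siee.local.properties", ABS)
FIXED_PROFILE = (POSTED_PROFILE
                 .replace("juanjo@", "ovirt-search@")
                 .replace("#pool.default.ssl", "pool.default.ssl"))

if __name__ == "__main__":
    people = ["juanjo"]  # logins that belong to individuals
    print("posted:", lint(POSTED_AUTHN, POSTED_AUTHZ, POSTED_PROFILE, people))
    print("fixed: ", lint(FIXED_AUTHN, FIXED_AUTHZ, FIXED_PROFILE, people))
```
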

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-28 Thread Juan Jose
Hello everybody,

I will try this package shortly, but I would like to know why I can't use
my AD as I was doing in ovirt 3.4 before upgrade to ovirt 3.5. I have
executed kinit without problems after some modification in my
/etc/krb5.conf file, as I said in before mail but the error with portal
persists. Any suggestion?

Many thanks in advance,

Juanjo.

On Wed, Nov 26, 2014 at 3:19 PM, Alon Bar-Lev alo...@redhat.com wrote:



 - Original Message -
  From: Juan Jose jj197...@gmail.com
  To: Alon Bar-Lev alo...@redhat.com
  Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
 yzasl...@redhat.com, users@ovirt.org
  Sent: Wednesday, November 26, 2014 3:04:14 PM
  Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
  Hello Alon and everybody,
 
  Check in my ovirt-engine machine for ovirt-engine-aaa-ldap package and it
  is not available:
 
  yum list ovirt-engine*
  Loaded plugins: fastestmirror, refresh-packagekit, security, versionlock
  Loading mirror speeds from cached hostfile
   * base: ftp.udl.es
   * epel: mirror.uv.es
   * extras: ftp.udl.es
   * ovirt-3.5: ftp.nluug.nl
   * ovirt-3.5-epel: mirror.uv.es
   * ovirt-3.5-jpackage-6.0-generic: mirror.ibcp.fr
   * ovirt-epel: mirror.uv.es
   * ovirt-jpackage-6.0-generic: mirror.ibcp.fr
   * updates: ftp.udl.es
  Installed Packages
  ovirt-engine.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-backend.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-cli.noarch
  3.3.0.6-1.el6 @ovirt-3.3.3
  ovirt-engine-dbscripts.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-extensions-api-impl.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-jboss-as.x86_64
  7.1.1-1.el6   @ovirt-3.5
  ovirt-engine-lib.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-restapi.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-sdk-python.noarch
  3.5.0.8-1.el6 @ovirt-3.5
  ovirt-engine-setup.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-setup-base.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-setup-plugin-ovirt-engine.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-setup-plugin-ovirt-engine-common.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-setup-plugin-websocket-proxy.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-tools.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-userportal.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-webadmin-portal.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  ovirt-engine-websocket-proxy.noarch
  3.5.0.1-1.el6 @ovirt-3.5
  Available Packages
  ovirt-engine-cli.noarch
  3.5.0.5-1.el6 ovirt-3.5
  ovirt-engine-dwh.noarch
  3.5.0-1.el6   ovirt-3.5
  ovirt-engine-dwh-setup.noarch
  3.5.0-1.el6   ovirt-3.5
  ovirt-engine-extensions-api-impl-javadoc.noarch
  3.5.0.1-1.el6 ovirt-3.5
  ovirt-engine-reports.noarch
  3.5.1-0.1.el6 ovirt-3.5
  ovirt-engine-reports-setup.noarch
  3.5.1-0.1.el6 ovirt-3.5
  ovirt-engine-sdk-java.noarch
  3.5.0.5-1.el6 ovirt-3.5
  ovirt-engine-sdk-java-javadoc.noarch
  3.5.0.5-1.el6 ovirt-3.5
  ovirt-engine-setup-plugin-allinone.noarch
 
  How can I get this package?


 Thanks for trying!

 Package is available at ovirt-3.5-snapshot[1].

 [1] http://resources.ovirt.org/pub/ovirt-3.5-snapshot/



Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-28 Thread Alon Bar-Lev


- Original Message -
 From: Juan Jose jj197...@gmail.com
 To: Alon Bar-Lev alo...@redhat.com
 Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
 yzasl...@redhat.com, users@ovirt.org
 Sent: Friday, November 28, 2014 2:03:30 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 Hello everybody,
 
 I will try this package shortly, but I would like to know why I can't use
 my AD as I was doing in ovirt 3.4 before upgrade to ovirt 3.5. I have
 executed kinit without problems after some modification in my
 /etc/krb5.conf file, as I said in before mail but the error with portal
 persists. Any suggestion?

I leave this for yair/oved to determine.
Your difficulties are the main reason why we wrote a new implementation.
The current one is too complex, has almost no customization and is very difficult 
for problem determination.

 
 Many thanks in advance,
 
 Juanjo.
 
 On Wed, Nov 26, 2014 at 3:19 PM, Alon Bar-Lev alo...@redhat.com wrote:
 
 
 
  - Original Message -
   From: Juan Jose jj197...@gmail.com
   To: Alon Bar-Lev alo...@redhat.com
   Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
  yzasl...@redhat.com, users@ovirt.org
   Sent: Wednesday, November 26, 2014 3:04:14 PM
   Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
  
   Hello Alon and everybody,
  
   Check in my ovirt-engine machine for ovirt-engine-aaa-ldap package and it
   is not available:
  
   yum list ovirt-engine*
   Loaded plugins: fastestmirror, refresh-packagekit, security, versionlock
   Loading mirror speeds from cached hostfile
* base: ftp.udl.es
* epel: mirror.uv.es
* extras: ftp.udl.es
* ovirt-3.5: ftp.nluug.nl
* ovirt-3.5-epel: mirror.uv.es
* ovirt-3.5-jpackage-6.0-generic: mirror.ibcp.fr
* ovirt-epel: mirror.uv.es
* ovirt-jpackage-6.0-generic: mirror.ibcp.fr
* updates: ftp.udl.es
   Installed Packages
   ovirt-engine.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-backend.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-cli.noarch
   3.3.0.6-1.el6 @ovirt-3.3.3
   ovirt-engine-dbscripts.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-extensions-api-impl.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-jboss-as.x86_64
   7.1.1-1.el6   @ovirt-3.5
   ovirt-engine-lib.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-restapi.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-sdk-python.noarch
   3.5.0.8-1.el6 @ovirt-3.5
   ovirt-engine-setup.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-setup-base.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-setup-plugin-ovirt-engine.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-setup-plugin-ovirt-engine-common.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-setup-plugin-websocket-proxy.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-tools.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-userportal.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-webadmin-portal.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-websocket-proxy.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   Available Packages
   ovirt-engine-cli.noarch
   3.5.0.5-1.el6 ovirt-3.5
   ovirt-engine-dwh.noarch
   3.5.0-1.el6   ovirt-3.5
   ovirt-engine-dwh-setup.noarch
   3.5.0-1.el6   ovirt-3.5
   ovirt-engine-extensions-api-impl-javadoc.noarch
   3.5.0.1-1.el6 ovirt-3.5
   ovirt-engine-reports.noarch
   3.5.1-0.1.el6 ovirt-3.5
   ovirt-engine-reports-setup.noarch
   3.5.1-0.1.el6 ovirt-3.5
   ovirt-engine-sdk-java.noarch
   3.5.0.5-1.el6 ovirt-3.5
   ovirt-engine-sdk-java-javadoc.noarch
   3.5.0.5-1.el6 ovirt-3.5
   ovirt-engine-setup-plugin-allinone.noarch
  
   How can I get this package?
 
 
  Thanks for trying!
 
  Package is available at ovirt-3.5-snapshot[1].
 
  [1] http://resources.ovirt.org/pub/ovirt-3.5-snapshot/
 
 


Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-28 Thread Ondra Machacek
Hi,

can you please take a look into windows AD logs,
what's the message when you try to login in ovirt?
Or can you please use tcpdump and see what's sent when
you do login?

Also would you please tell what's your AD version,
I'll try to reproduce.

Thanks,
Ondra

- Original Message -
 From: Juan Jose jj197...@gmail.com
 To: Alon Bar-Lev alo...@redhat.com
 Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
 yzasl...@redhat.com, users@ovirt.org
 Sent: Friday, November 28, 2014 1:03:30 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 Hello everybody,
 
 I will try this package shortly, but I would like to know why I can't use
 my AD as I was doing in ovirt 3.4 before upgrade to ovirt 3.5. I have
 executed kinit without problems after some modification in my
 /etc/krb5.conf file, as I said in before mail but the error with portal
 persists. Any suggestion?
 
 Many thanks in advance,
 
 Juanjo.
 
 On Wed, Nov 26, 2014 at 3:19 PM, Alon Bar-Lev alo...@redhat.com wrote:
 
 
 
  - Original Message -
   From: Juan Jose jj197...@gmail.com
   To: Alon Bar-Lev alo...@redhat.com
   Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
  yzasl...@redhat.com, users@ovirt.org
   Sent: Wednesday, November 26, 2014 3:04:14 PM
   Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
  
   Hello Alon and everybody,
  
   Check in my ovirt-engine machine for ovirt-engine-aaa-ldap package and it
   is not available:
  
   yum list ovirt-engine*
   Loaded plugins: fastestmirror, refresh-packagekit, security, versionlock
   Loading mirror speeds from cached hostfile
* base: ftp.udl.es
* epel: mirror.uv.es
* extras: ftp.udl.es
* ovirt-3.5: ftp.nluug.nl
* ovirt-3.5-epel: mirror.uv.es
* ovirt-3.5-jpackage-6.0-generic: mirror.ibcp.fr
* ovirt-epel: mirror.uv.es
* ovirt-jpackage-6.0-generic: mirror.ibcp.fr
* updates: ftp.udl.es
   Installed Packages
   ovirt-engine.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-backend.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-cli.noarch
   3.3.0.6-1.el6 @ovirt-3.3.3
   ovirt-engine-dbscripts.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-extensions-api-impl.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-jboss-as.x86_64
   7.1.1-1.el6   @ovirt-3.5
   ovirt-engine-lib.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-restapi.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-sdk-python.noarch
   3.5.0.8-1.el6 @ovirt-3.5
   ovirt-engine-setup.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-setup-base.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-setup-plugin-ovirt-engine.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-setup-plugin-ovirt-engine-common.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-setup-plugin-websocket-proxy.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-tools.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-userportal.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-webadmin-portal.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   ovirt-engine-websocket-proxy.noarch
   3.5.0.1-1.el6 @ovirt-3.5
   Available Packages
   ovirt-engine-cli.noarch
   3.5.0.5-1.el6 ovirt-3.5
   ovirt-engine-dwh.noarch
   3.5.0-1.el6   ovirt-3.5
   ovirt-engine-dwh-setup.noarch
   3.5.0-1.el6   ovirt-3.5
   ovirt-engine-extensions-api-impl-javadoc.noarch
   3.5.0.1-1.el6 ovirt-3.5
   ovirt-engine-reports.noarch
   3.5.1-0.1.el6 ovirt-3.5
   ovirt-engine-reports-setup.noarch
   3.5.1-0.1.el6 ovirt-3.5
   ovirt-engine-sdk-java.noarch
   3.5.0.5-1.el6 ovirt-3.5
   ovirt-engine-sdk-java-javadoc.noarch
   3.5.0.5-1.el6 ovirt-3.5
   ovirt-engine-setup-plugin-allinone.noarch
  
   How can I get this package?
 
 
  Thanks for trying!
 
  Package is available at ovirt-3.5-snapshot[1].
 
  [1] http://resources.ovirt.org/pub/ovirt-3.5-snapshot/
 
 


Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-26 Thread Yair Zaslavsky


- Original Message -
 From: Juan Jose jj197...@gmail.com
 To: Yair Zaslavsky yzasl...@redhat.com, Ondra Machacek 
 omach...@redhat.com, alo...@redhat.com,
 users@ovirt.org
 Sent: Wednesday, November 26, 2014 1:01:37 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 Hello everybody,
 
 I will try to configure ovirt-engine-extension-aaa-ldap package as Alon
 says.

+1 please do.

 
 By other side, I have executed the command kinit and the response is:
 
 kinit: Client not found in Kerberos database while getting initial
 credentials

I am sure you did that, but just to be on the safe side - did you perform kinit 
principal@REALM?

 
 My /etc/krb5.conf files is (adserver.siee.local is my AD server based in
 Samba 4), I have modified this file to exchange EXAMPLE.COM by siee.local
 and adserver.siee.local:
 
 /etc/krb5.conf:
 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
 
 [libdefaults]
  default_realm = SIEE.LOCAL
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
 
 [realms]
  SIEE.LOCAL = {
   kdc = adserver.siee.local
   admin_server = adserver.siee.local
  }
 
 [domain_realm]
  .siee.local = SIEE.LOCAL
  siee.local = SIEE.LOCAL
 
 
 My /etc/ovirt-engine/krb5.conf:
 
 [libdefaults]
 
 default_realm = SIEE.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = no
 default_tkt_enctypes = arcfour-hmac-md5
 udp_preference_limit = 1
 
 #realms
 
 #domain_realm
 
 This last file is the same that I had before my upgrade to oVirt 3.5.
 
 Many thanks again,
 
 Juanjo.
 
 
 On Wed, Nov 26, 2014 at 5:37 AM, Yair Zaslavsky yzasl...@redhat.com wrote:
 
 
 
  - Original Message -
   From: Juan Jose jj197...@gmail.com
   To: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
  yzasl...@redhat.com, alo...@redhat.com,
   users@ovirt.org
   Sent: Tuesday, November 25, 2014 6:09:18 PM
   Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
  
   Hello again,
  
   Yes the password is correct, I can login in a Windows machine to my
  domain
   siee.local with the user Juanjo. Moreover I have changed this user
   password to simpler one and the result is the same.
  
   I have logged in administration portal with internal admin user and I try
   to navigate through the domain to find user to assign some user in a VM
  but
   nothing is showed as you can see in the attached screen  image and any
   error is faced in administration portal, but the
   /var/log/ovirt-engine/engine.log show this:
  
   2014-11-25 17:02:05,355 ERROR
  
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
   (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information
  was
   invalid (24)
   2014-11-25 17:02:05,356 ERROR
  
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
   (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username
   and password.
   2014-11-25 17:02:05,357 ERROR
   [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
   (ajp--127.0.0.1-8702-5) Failed ldap search server
   ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
   Authentication Failed. Please verify the username and password.. We
  should
   not try the next server
   2014-11-25 17:02:05,359 ERROR
  
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
   (ajp--127.0.0.1-8702-5) Failed to run command
  LdapSearchUserByQueryCommand.
   Domain is siee.local. User is juanjo@SIEE.LOCAL.
   2014-11-25 17:02:05,402 ERROR
  
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
   (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information
  was
   invalid (24)
   2014-11-25 17:02:05,404 ERROR
  
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
   (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username
   and password.
   2014-11-25 17:02:05,406 ERROR
   [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
   (ajp--127.0.0.1-8702-5) Failed ldap search server
   ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
   Authentication Failed. Please verify the username and password.. We
  should
   not try the next server
   2014-11-25 17:02:05,408 ERROR
  
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
   (ajp--127.0.0.1-8702-5) Failed to run command
   LdapSearchGroupsByQueryCommand. Domain is siee.local. User is
   juanjo@SIEE.LOCAL.
  
   every time I click Go button. Moreover I haven't changed anything from
  my
   Samba4 AD and it is working handling my siee.local domain. This error is
   showed since oVirt 3.5 upgrade.
  
   Many thanks in advance,
  
   Juanjo

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-26 Thread Juan Jose
Hello Alon,

I have tried to find this package:

yum list ovirt-engine-extension-aaa-ldap or yum list
ovirt-engine-extension-*

and always I receive: Error: No matching Packages to list

Is it possible that I need some special repository?

Many thanks again,

Juanjo.

On Tue, Nov 25, 2014 at 6:32 PM, Alon Bar-Lev alo...@redhat.com wrote:

 Hello Juan,

 Do you want to give a chance to the new provider? In this provider I can
 help?

 Package is ovirt-engine-extension-aaa-ldap.
 Documentation is available here[1].

 The chances to make it work are higher, and this is the future of LDAP
 support.

 Alon

 [1]
 http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD



Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-26 Thread Juan Jose
Hello Alon and everybody,

Check in my ovirt-engine machine for ovirt-engine-aaa-ldap package and it
is not available:

yum list ovirt-engine*
Loaded plugins: fastestmirror, refresh-packagekit, security, versionlock
Loading mirror speeds from cached hostfile
 * base: ftp.udl.es
 * epel: mirror.uv.es
 * extras: ftp.udl.es
 * ovirt-3.5: ftp.nluug.nl
 * ovirt-3.5-epel: mirror.uv.es
 * ovirt-3.5-jpackage-6.0-generic: mirror.ibcp.fr
 * ovirt-epel: mirror.uv.es
 * ovirt-jpackage-6.0-generic: mirror.ibcp.fr
 * updates: ftp.udl.es
Installed Packages
ovirt-engine.noarch
3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-backend.noarch
3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-cli.noarch
3.3.0.6-1.el6 @ovirt-3.3.3
ovirt-engine-dbscripts.noarch
3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-extensions-api-impl.noarch
3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-jboss-as.x86_64
7.1.1-1.el6   @ovirt-3.5
ovirt-engine-lib.noarch
3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-restapi.noarch
3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-sdk-python.noarch
3.5.0.8-1.el6 @ovirt-3.5
ovirt-engine-setup.noarch
3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-setup-base.noarch
3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-setup-plugin-ovirt-engine.noarch
3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-setup-plugin-ovirt-engine-common.noarch
3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-setup-plugin-websocket-proxy.noarch
3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-tools.noarch
3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-userportal.noarch
3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-webadmin-portal.noarch
3.5.0.1-1.el6 @ovirt-3.5
ovirt-engine-websocket-proxy.noarch
3.5.0.1-1.el6 @ovirt-3.5
Available Packages
ovirt-engine-cli.noarch
3.5.0.5-1.el6 ovirt-3.5
ovirt-engine-dwh.noarch
3.5.0-1.el6   ovirt-3.5
ovirt-engine-dwh-setup.noarch
3.5.0-1.el6   ovirt-3.5
ovirt-engine-extensions-api-impl-javadoc.noarch
3.5.0.1-1.el6 ovirt-3.5
ovirt-engine-reports.noarch
3.5.1-0.1.el6 ovirt-3.5
ovirt-engine-reports-setup.noarch
3.5.1-0.1.el6 ovirt-3.5
ovirt-engine-sdk-java.noarch
3.5.0.5-1.el6 ovirt-3.5
ovirt-engine-sdk-java-javadoc.noarch
3.5.0.5-1.el6 ovirt-3.5
ovirt-engine-setup-plugin-allinone.noarch

How can I get this package?

Many thanks in advance,

Juanjo.

On Tue, Nov 25, 2014 at 6:32 PM, Alon Bar-Lev alo...@redhat.com wrote:

 Hello Juan,

 Do you want to give a chance to the new provider? In this provider I can
 help?

 Package is ovirt-engine-extension-aaa-ldap.
 Documentation is available here[1].

 The chances to make it work are higher, and this is the future of LDAP
 support.

 Alon

 [1]
 http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD



Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-26 Thread Alon Bar-Lev


- Original Message -
 From: Juan Jose jj197...@gmail.com
 To: Alon Bar-Lev alo...@redhat.com
 Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
 yzasl...@redhat.com, users@ovirt.org
 Sent: Wednesday, November 26, 2014 3:04:14 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 Hello Alon and everybody,
 
 Check in my ovirt-engine machine for ovirt-engine-aaa-ldap package and it
 is not available:
 
 yum list ovirt-engine*
 Loaded plugins: fastestmirror, refresh-packagekit, security, versionlock
 Loading mirror speeds from cached hostfile
  * base: ftp.udl.es
  * epel: mirror.uv.es
  * extras: ftp.udl.es
  * ovirt-3.5: ftp.nluug.nl
  * ovirt-3.5-epel: mirror.uv.es
  * ovirt-3.5-jpackage-6.0-generic: mirror.ibcp.fr
  * ovirt-epel: mirror.uv.es
  * ovirt-jpackage-6.0-generic: mirror.ibcp.fr
  * updates: ftp.udl.es
 Installed Packages
 ovirt-engine.noarch
 3.5.0.1-1.el6 @ovirt-3.5
 ovirt-engine-backend.noarch
 3.5.0.1-1.el6 @ovirt-3.5
 ovirt-engine-cli.noarch
 3.3.0.6-1.el6 @ovirt-3.3.3
 ovirt-engine-dbscripts.noarch
 3.5.0.1-1.el6 @ovirt-3.5
 ovirt-engine-extensions-api-impl.noarch
 3.5.0.1-1.el6 @ovirt-3.5
 ovirt-engine-jboss-as.x86_64
 7.1.1-1.el6   @ovirt-3.5
 ovirt-engine-lib.noarch
 3.5.0.1-1.el6 @ovirt-3.5
 ovirt-engine-restapi.noarch
 3.5.0.1-1.el6 @ovirt-3.5
 ovirt-engine-sdk-python.noarch
 3.5.0.8-1.el6 @ovirt-3.5
 ovirt-engine-setup.noarch
 3.5.0.1-1.el6 @ovirt-3.5
 ovirt-engine-setup-base.noarch
 3.5.0.1-1.el6 @ovirt-3.5
 ovirt-engine-setup-plugin-ovirt-engine.noarch
 3.5.0.1-1.el6 @ovirt-3.5
 ovirt-engine-setup-plugin-ovirt-engine-common.noarch
 3.5.0.1-1.el6 @ovirt-3.5
 ovirt-engine-setup-plugin-websocket-proxy.noarch
 3.5.0.1-1.el6 @ovirt-3.5
 ovirt-engine-tools.noarch
 3.5.0.1-1.el6 @ovirt-3.5
 ovirt-engine-userportal.noarch
 3.5.0.1-1.el6 @ovirt-3.5
 ovirt-engine-webadmin-portal.noarch
 3.5.0.1-1.el6 @ovirt-3.5
 ovirt-engine-websocket-proxy.noarch
 3.5.0.1-1.el6 @ovirt-3.5
 Available Packages
 ovirt-engine-cli.noarch
 3.5.0.5-1.el6 ovirt-3.5
 ovirt-engine-dwh.noarch
 3.5.0-1.el6   ovirt-3.5
 ovirt-engine-dwh-setup.noarch
 3.5.0-1.el6   ovirt-3.5
 ovirt-engine-extensions-api-impl-javadoc.noarch
 3.5.0.1-1.el6 ovirt-3.5
 ovirt-engine-reports.noarch
 3.5.1-0.1.el6 ovirt-3.5
 ovirt-engine-reports-setup.noarch
 3.5.1-0.1.el6 ovirt-3.5
 ovirt-engine-sdk-java.noarch
 3.5.0.5-1.el6 ovirt-3.5
 ovirt-engine-sdk-java-javadoc.noarch
 3.5.0.5-1.el6 ovirt-3.5
 ovirt-engine-setup-plugin-allinone.noarch
 
 How can I get this package?


Thanks for trying!

Package is available at ovirt-3.5-snapshot[1].

[1] http://resources.ovirt.org/pub/ovirt-3.5-snapshot/


Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-25 Thread Juan Jose
Hello everybody,

Ondra you are right, I removed the domain. I have already tried to execute
the command with lower case the domain name and the result is the same

engine-manage-domains add --domain=siee.local --provider=ad
--user=Administrator  --add-permissions
Enter password:
No user in Directory was found for Administrator@SIEE.LOCAL. Trying next
LDAP server in list
Failure while testing domain siee.local. Details: No user information was
found for user

the result to the command psql -U engine -d engine -c "select * from
vdc_options where option_name='LDAPSecurityAuthentication'" is:

psql: FATAL:  Ident authentication failed for user engine

And for second command psql -U engine -d engine -c "update vdc_options set
option_value='siee.local:GSSAPI' where
option_name='LDAPSecurityAuthentication'", I receive the same response:

psql: FATAL:  Ident authentication failed for user engine

Is there any problem?

Many thanks in advance,

Juanjo.


On Mon, Nov 24, 2014 at 1:57 PM, Ondra Machacek omach...@redhat.com wrote:

 I understood that domain can be deleted, but can't be added,
 so there won't be needed values to update in vdc_options.

 Juanjo - Can you please provide us what's the result of command:

 $ psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"

 If it's empty or if the domain name is upper case or lower case?
 If it's upper, then please lower case it.
 $ psql -U engine -d engine -c "update vdc_options set option_value='siee.local:GSSAPI' where option_name='LDAPSecurityAuthentication'"


 - Original Message -
  From: Alon Bar-Lev alo...@redhat.com
  To: Ondra Machacek omach...@redhat.com
  Cc: jj197...@gmail.com, users@ovirt.org, Yair Zaslavsky 
 yzasl...@redhat.com
  Sent: Monday, November 24, 2014 1:49:11 PM
  Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 
 
  - Original Message -
   From: Ondra Machacek omach...@redhat.com
   To: jj197...@gmail.com
   Cc: users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com, Alon
 Bar-Lev
   alo...@redhat.com
   Sent: Monday, November 24, 2014 2:46:20 PM
   Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
  
   Please try to run your command with domain in lower case:
  
   engine-manage-domains add --domain=siee.local --provider=ad
   --user=Administrator
 
  it is already added, won't it be simpler to modify the vdc_options?
 
  
  
   - Original Message -
From: Alon Bar-Lev alo...@redhat.com
To: Juan Jose jj197...@gmail.com
Cc: users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com, Ondra
Machacek omach...@redhat.com
Sent: Monday, November 24, 2014 1:27:39 PM
Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
   
   
Yes,
I think we just fixed this[1].
We can fix this manually, yair, ondra what is the easiest fix?
   
BTW: you can also checkout the new ldap provider
(ovirt-engine-extension-aaa-ldap) in 3.5 which should be much more
robust[1], I can help you set it up.
   
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1167211
[2]
   
 http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
   
- Original Message -
 From: Juan Jose jj197...@gmail.com
 To: users@ovirt.org
 Sent: Monday, November 24, 2014 2:22:44 PM
 Subject: [ovirt-users] Adding domain to oVirt to 3.5 issue

 Hello everybody,

 I have upgraded my oVirt 3.4 to 3.5 version without any problem
 apparently.

 After finish the upgrade I have tried to login with any of my AD
 users
 from
 my Samba 4, like I used to do in oVirt 3.4 but I received
 authentication
 errors as below error:

 2014-11-21 14:06:02,681 ERROR

 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
 (ajp--127.0.0.1-8702-3) Kerberos error: Pre-authentication
 information
 was
 invalid (24)
 2014-11-21 14:06:02,683 ERROR

 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
 (ajp--127.0.0.1-8702-3) Authentication Failed. Please verify the
 username
 and password.
 2014-11-21 14:06:02,685 ERROR

 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
 (ajp--127.0.0.1-8702-3) Failed ldap search server
 ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
 Authentication Failed. Please verify the username and password.. We
 should
 not try the next server
 2014-11-21 14:06:02,688 ERROR

 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
 (ajp--127.0.0.1-8702-3) Failed to run command
 LdapGetAdUserByUserNameCommand. Domain is siee.local. User is
 juanjo@SIEE.LOCAL.
 2014-11-21 14:06:02,690 ERROR
 [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
 (ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-25 Thread Ondra Machacek
Hi,

can you please try different account than Administrator?

- Original Message -
 From: Juan Jose jj197...@gmail.com
 To: omach...@redhat.com, alo...@redhat.com, Yair Zaslavsky 
 yzasl...@redhat.com, users@ovirt.org
 Sent: Tuesday, November 25, 2014 11:01:13 AM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 Hello everybody,
 
 Ondra you are right, I removed the domain. I have already tried to execute
 the command with lower case the domain name and the result is the same
 
 engine-manage-domains add --domain=siee.local --provider=ad
 --user=Administrator  --add-permissions
 Enter password:
 No user in Directory was found for Administrator@SIEE.LOCAL. Trying next
 LDAP server in list
 Failure while testing domain siee.local. Details: No user information was
 found for user
 
 the result to the command psql -U engine -d engine -c "select * from
 vdc_options where option_name='LDAPSecurityAuthentication'" is:
 
 psql: FATAL:  Ident authentication failed for user engine
 
 And for second command psql -U engine -d engine -c "update vdc_options set
 option_value='siee.local:GSSAPI' where
 option_name='LDAPSecurityAuthentication'", I receive the same response:
 
 psql: FATAL:  Ident authentication failed for user engine
 
 Is there any problem?
 
 Many thanks in advance,
 
 Juanjo.
 
 
 On Mon, Nov 24, 2014 at 1:57 PM, Ondra Machacek omach...@redhat.com wrote:
 
  I understood that domain can be deleted, but can't be added,
  so there won't be needed values to update in vdc_options.
 
  Juanjo - Can you please provide us what's the result of command:
 
  $ psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"
 
  If it's empty or if the domain name is upper case or lower case?
  If it's upper, then please lower case it.
  $ psql -U engine -d engine -c "update vdc_options set option_value='siee.local:GSSAPI' where option_name='LDAPSecurityAuthentication'"
 
 
  - Original Message -
   From: Alon Bar-Lev alo...@redhat.com
   To: Ondra Machacek omach...@redhat.com
   Cc: jj197...@gmail.com, users@ovirt.org, Yair Zaslavsky 
  yzasl...@redhat.com
   Sent: Monday, November 24, 2014 1:49:11 PM
   Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
  
  
  
   - Original Message -
From: Ondra Machacek omach...@redhat.com
To: jj197...@gmail.com
Cc: users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com, Alon
  Bar-Lev
alo...@redhat.com
Sent: Monday, November 24, 2014 2:46:20 PM
Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
   
Please try to run your command with domain in lower case:
   
engine-manage-domains add --domain=siee.local --provider=ad
--user=Administrator
  
   it is already added, won't it be simpler to modify the vdc_options?
  
   
   
- Original Message -
 From: Alon Bar-Lev alo...@redhat.com
 To: Juan Jose jj197...@gmail.com
 Cc: users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com, Ondra
 Machacek omach...@redhat.com
 Sent: Monday, November 24, 2014 1:27:39 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue


 Yes,
 I think we just fixed this[1].
 We can fix this manually, yair, ondra what is the easiest fix?

 BTW: you can also checkout the new ldap provider
 (ovirt-engine-extension-aaa-ldap) in 3.5 which should be much more
 robust[1], I can help you set it up.

 [1] https://bugzilla.redhat.com/show_bug.cgi?id=1167211
 [2]

  http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD

 - Original Message -
  From: Juan Jose jj197...@gmail.com
  To: users@ovirt.org
  Sent: Monday, November 24, 2014 2:22:44 PM
  Subject: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
  Hello everybody,
 
  I have upgraded my oVirt 3.4 to 3.5 version without any problem
  apparently.
 
  After finish the upgrade I have tried to login with any of my AD
  users
  from
  my Samba 4, like I used to do in oVirt 3.4 but I received
  authentication
  errors as below error:
 
  2014-11-21 14:06:02,681 ERROR
 
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
  (ajp--127.0.0.1-8702-3) Kerberos error: Pre-authentication
  information
  was
  invalid (24)
  2014-11-21 14:06:02,683 ERROR
 
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
  (ajp--127.0.0.1-8702-3) Authentication Failed. Please verify the
  username
  and password.
  2014-11-21 14:06:02,685 ERROR
 
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
  (ajp--127.0.0.1-8702-3) Failed ldap search server
  ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
  Authentication Failed. Please verify the username

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-25 Thread Alon Bar-Lev
2014-11-25 12:54:10,687 ERROR 
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] 
(ajp--127.0.0.1-8702-5) Failed ldap search server 
ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to 
Authentication Failed. Please verify the username and password.. We should not 
try the next server


- Original Message -
 From: Juan Jose jj197...@gmail.com
 To: Ondra Machacek omach...@redhat.com, alo...@redhat.com, Yair 
 Zaslavsky yzasl...@redhat.com,
 users@ovirt.org
 Sent: Tuesday, November 25, 2014 2:29:26 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 Hello Ondra and everybody,
 
 It works with my other user:
 
 engine-manage-domains add --domain=siee.local --provider=ad --user=juanjo
 --add-permissions
 Enter password:
 Successfully added domain siee.local. oVirt Engine restart is required in
 order for the changes to take place (service ovirt-engine restart).
 Manage Domains completed successfully
 
 But after restarted ovirt-engine if I try to log in with juanjo in the
 administrator portal and I receive the error General command validation
 failure, as you can see in the attached image.
 
 I'm showing below the engine.log lines with the error:
 
 2014-11-25 12:54:10,680 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
 (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was
 invalid (24)
 2014-11-25 12:54:10,681 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
 (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username
 and password.
 2014-11-25 12:54:10,687 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
 (ajp--127.0.0.1-8702-5) Failed ldap search server
 ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
 Authentication Failed. Please verify the username and password.. We should
 not try the next server
 2014-11-25 12:54:10,688 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
 (ajp--127.0.0.1-8702-5) Failed to run command
 LdapGetAdUserByUserNameCommand. Domain is siee.local. User is
 juanjo@SIEE.LOCAL.
 2014-11-25 12:54:10,689 ERROR
 [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
 (ajp--127.0.0.1-8702-5) Error during CanDoActionFailure.: Class: class
 org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-25 Thread Ondra Machacek
Are you sure you use correct password?
See[1] 0x18 - This indicates failure to obtain ticket, possibly due to the 
client providing the wrong password.

If you are sure, then please also check AD logs.

[1] - http://support.microsoft.com/kb/230476

- Original Message -
 From: Alon Bar-Lev alo...@redhat.com
 To: Juan Jose jj197...@gmail.com
 Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
 yzasl...@redhat.com, users@ovirt.org
 Sent: Tuesday, November 25, 2014 1:49:20 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 2014-11-25 12:54:10,687 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
 (ajp--127.0.0.1-8702-5) Failed ldap search server
 ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
 Authentication Failed. Please verify the username and password.. We should
 not try the next server
 
 
 - Original Message -
  From: Juan Jose jj197...@gmail.com
  To: Ondra Machacek omach...@redhat.com, alo...@redhat.com, Yair
  Zaslavsky yzasl...@redhat.com,
  users@ovirt.org
  Sent: Tuesday, November 25, 2014 2:29:26 PM
  Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
  
  Hello Ondra and everybody,
  
  It works with my other user:
  
  engine-manage-domains add --domain=siee.local --provider=ad --user=juanjo
  --add-permissions
  Enter password:
  Successfully added domain siee.local. oVirt Engine restart is required in
  order for the changes to take place (service ovirt-engine restart).
  Manage Domains completed successfully
  
  But after restarted ovirt-engine if I try to log in with juanjo in the
  administrator portal and I receive the error General command validation
  failure, as you can see in the attached image.
  
  I'm showing below the engine.log lines with the error:
  
  2014-11-25 12:54:10,680 ERROR
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
  (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was
  invalid (24)
  2014-11-25 12:54:10,681 ERROR
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
  (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username
  and password.
  2014-11-25 12:54:10,687 ERROR
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
  (ajp--127.0.0.1-8702-5) Failed ldap search server
  ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
  Authentication Failed. Please verify the username and password.. We should
  not try the next server
  2014-11-25 12:54:10,688 ERROR
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
  (ajp--127.0.0.1-8702-5) Failed to run command
  LdapGetAdUserByUserNameCommand. Domain is siee.local. User is
  juanjo@SIEE.LOCAL.
  2014-11-25 12:54:10,689 ERROR
  [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
  (ajp--127.0.0.1-8702-5) Error during CanDoActionFailure.: Class: class
  org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
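
Ondra's reading of the log above (the `(24)` in engine.log is Kerberos error 0x18, a pre-authentication failure) can be checked mechanically. The following is an added example, not part of the thread or of oVirt: it re-joins mail-wrapped engine.log entries, maps the Kerberos code to its RFC 4120 name, and ties it to the LDAP command that failed on the same request thread. The function names and the two entries on thread `ajp--127.0.0.1-8702-7` are constructed for illustration.

```python
import re
from collections import Counter

# Subset of the Kerberos error codes defined in RFC 4120, section 7.5.9.
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
}

ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
ENTRY = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+"
    r"\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$"
)
KRB = re.compile(r"Kerberos error: .*\((?P<code>\d+)\)")
CMD = re.compile(
    r"Failed to run command (?P<cmd>\w+)\. "
    r"Domain is (?P<domain>\S+)\. User is (?P<user>\S+?)\.?$"
)

# Sample input in the format quoted in this thread, wrapped the way the mail
# client wrapped it. The two entries on thread ...-8702-7 are constructed.
SAMPLE_LOG = """\
2014-11-25 12:54:10,680 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
(ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was
invalid (24)
2014-11-25 12:54:10,681 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
(ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username
and password.
2014-11-25 12:54:10,685 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
(ajp--127.0.0.1-8702-7) Kerberos error: Clock skew too great (37)
2014-11-25 12:54:10,688 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
(ajp--127.0.0.1-8702-5) Failed to run command
LdapGetAdUserByUserNameCommand. Domain is siee.local. User is
juanjo@SIEE.LOCAL.
2014-11-25 12:54:10,690 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
(ajp--127.0.0.1-8702-7) Failed to run command
LdapSearchUserByQueryCommand. Domain is siee.local. User is
svc-example@SIEE.LOCAL.
"""


def iter_entries(text):
    """Yield one string per log entry, re-joining lines wrapped in transit."""
    current = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A leading timestamp starts a new entry; anything else continues one.
        if ENTRY_START.match(line) and current:
            yield " ".join(current)
            current = []
        current.append(line)
    if current:
        yield " ".join(current)


def correlate(text):
    """Attach each failed LDAP command to the Kerberos error on its thread."""
    pending = {}  # request thread -> last Kerberos code seen on that thread
    findings = []
    for entry in iter_entries(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        krb = KRB.search(msg)
        if krb:
            pending[thread] = int(krb["code"])
            continue
        cmd = CMD.search(msg)
        if cmd and thread in pending:
            code = pending.pop(thread)
            findings.append({
                "ts": m["ts"],
                "thread": thread,
                "code": code,
                "hex": f"0x{code:02X}",  # form used in the KB article
                "name": KRB_ERRORS.get(code, "UNKNOWN"),
                "command": cmd["cmd"],
                "domain": cmd["domain"],
                "user": cmd["user"],
            })
    return findings


def summarise(findings):
    """Count failures per (principal, Kerberos error name)."""
    return Counter((f["user"], f["name"]) for f in findings)


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f["ts"], f["user"], f["command"], f["code"], f["hex"], f["name"])
```

Correlating on the request thread rather than on log order keeps interleaved requests from being blamed on each other's Kerberos error.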

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-25 Thread Ondra Machacek
Also, can you please try to search within this domain,
not only login to it? Does it fail or works good?

(in webadmin go to users tab and click add,
 select your domain and search for users).

- Original Message -
 From: Alon Bar-Lev alo...@redhat.com
 To: Juan Jose jj197...@gmail.com
 Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
 yzasl...@redhat.com, users@ovirt.org
 Sent: Tuesday, November 25, 2014 1:49:20 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 2014-11-25 12:54:10,687 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
 (ajp--127.0.0.1-8702-5) Failed ldap search server
 ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
 Authentication Failed. Please verify the username and password.. We should
 not try the next server
 
 
 - Original Message -
  From: Juan Jose jj197...@gmail.com
  To: Ondra Machacek omach...@redhat.com, alo...@redhat.com, Yair
  Zaslavsky yzasl...@redhat.com,
  users@ovirt.org
  Sent: Tuesday, November 25, 2014 2:29:26 PM
  Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
  
  Hello Ondra and everybody,
  
  It works with my other user:
  
  engine-manage-domains add --domain=siee.local --provider=ad --user=juanjo
  --add-permissions
  Enter password:
  Successfully added domain siee.local. oVirt Engine restart is required in
  order for the changes to take place (service ovirt-engine restart).
  Manage Domains completed successfully
  
  But after restarted ovirt-engine if I try to log in with juanjo in the
  administrator portal and I receive the error General command validation
  failure, as you can see in the attached image.
  
  I'm showing below the engine.log lines with the error:
  
  2014-11-25 12:54:10,680 ERROR
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
  (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was
  invalid (24)
  2014-11-25 12:54:10,681 ERROR
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
  (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username
  and password.
  2014-11-25 12:54:10,687 ERROR
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
  (ajp--127.0.0.1-8702-5) Failed ldap search server
  ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
  Authentication Failed. Please verify the username and password.. We should
  not try the next server
  2014-11-25 12:54:10,688 ERROR
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
  (ajp--127.0.0.1-8702-5) Failed to run command
  LdapGetAdUserByUserNameCommand. Domain is siee.local. User is
  juanjo@SIEE.LOCAL.
  2014-11-25 12:54:10,689 ERROR
  [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
  (ajp--127.0.0.1-8702-5) Error during CanDoActionFailure.: Class: class
  org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-25 Thread Alon Bar-Lev
Hello Juan,

Do you want to give a chance to the new provider? In this provider I can help?

Package is ovirt-engine-extension-aaa-ldap.
Documentation is available here[1].

The chances to make it work are higher, and this is the future of LDAP support.

Alon

[1] 
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD


Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-25 Thread Paul Robert Marino
Did you recently update Cyrus SASL?

-- Sent from my HP Pre3

On Nov 25, 2014 11:09 AM, Juan Jose jj197...@gmail.com wrote:

Hello again,

Yes the password is correct, I can login in a Windows machine to my domain siee.local with the user Juanjo. Moreover I have changed this user password to simpler one and the result is the same.

I have logged in administration portal with internal admin user and I try to navigate through the domain to find user to assign some user in a VM but nothing is showed as you can see in the attached screen image and any error is faced in administration portal, but the /var/log/ovirt-engine/engine.log show this:

2014-11-25 17:02:05,355 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was invalid (24)
2014-11-25 17:02:05,356 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username and password.
2014-11-25 17:02:05,357 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server
2014-11-25 17:02:05,359 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-5) Failed to run command LdapSearchUserByQueryCommand. Domain is siee.local. User is juanjo@SIEE.LOCAL.
2014-11-25 17:02:05,402 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was invalid (24)
2014-11-25 17:02:05,404 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username and password.
2014-11-25 17:02:05,406 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server
2014-11-25 17:02:05,408 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-5) Failed to run command LdapSearchGroupsByQueryCommand. Domain is siee.local. User is juanjo@SIEE.LOCAL.

every time I click Go button. Moreover I haven't changed anything from my Samba4 AD and it is working handling my siee.local domain. This error is showed since oVirt 3.5 upgrade.

Many thanks in advance,

Juanjo.

On Tue, Nov 25, 2014 at 2:29 PM, Ondra Machacek omach...@redhat.com wrote:

Also, can you please try to search within this domain,
not only login to it? Does it fail or works good?

(in webadmin go to users tab and click add,
 select your domain and search for users).

- Original Message -
 From: Alon Bar-Lev alo...@redhat.com
 To: Juan Jose jj197...@gmail.com
 Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org
 Sent: Tuesday, November 25, 2014 1:49:20 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

 2014-11-25 12:54:10,687 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
 (ajp--127.0.0.1-8702-5) Failed ldap search server
 ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
 Authentication Failed. Please verify the username and password.. We should
 not try the next server


 - Original Message -
  From: Juan Jose jj197...@gmail.com
  To: Ondra Machacek omach...@redhat.com, alo...@redhat.com, Yair
  Zaslavsky yzasl...@redhat.com,
  users@ovirt.org
  Sent: Tuesday, November 25, 2014 2:29:26 PM
  Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
  Hello Ondra and everybody,
 
  It works with my other user:
 
  engine-manage-domains add --domain=siee.local --provider=ad --user=juanjo
  --add-permissions
  Enter password:
  Successfully added domain siee.local. oVirt Engine restart is required in
  order for the changes to take place (service ovirt-engine restart).
  Manage Domains completed successfully
 
  But after restarted ovirt-engine if I try to log in with juanjo in the
  administrator portal and I receive the error General command validation
  failure, as you can see in the attached image.
 
  I'm showing below the engine.log lines with the error:
 
  2014-11-25 12:54:10,680 ERROR
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
  (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was
  invalid (24)
  2014-11-25 12:54:10,681 ERROR
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
  (ajp--127.0.0.1-8702-5) Authentication

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-25 Thread Yair Zaslavsky


- Original Message -
 From: Juan Jose jj197...@gmail.com
 To: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
 yzasl...@redhat.com, alo...@redhat.com,
 users@ovirt.org
 Sent: Tuesday, November 25, 2014 6:09:18 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 Hello again,
 
 Yes the password is correct, I can login in a Windows machine to my domain
 siee.local with the user Juanjo. Moreover I have changed this user
 password to simpler one and the result is the same.
 
 I have logged in administration portal with internal admin user and I try
 to navigate through the domain to find user to assign some user in a VM but
 nothing is showed as you can see in the attached screen  image and any
 error is faced in administration portal, but the
 /var/log/ovirt-engine/engine.log show this:
 
 2014-11-25 17:02:05,355 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
 (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was
 invalid (24)
 2014-11-25 17:02:05,356 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
 (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username
 and password.
 2014-11-25 17:02:05,357 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
 (ajp--127.0.0.1-8702-5) Failed ldap search server
 ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
 Authentication Failed. Please verify the username and password.. We should
 not try the next server
 2014-11-25 17:02:05,359 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
 (ajp--127.0.0.1-8702-5) Failed to run command LdapSearchUserByQueryCommand.
 Domain is siee.local. User is juanjo@SIEE.LOCAL.
 2014-11-25 17:02:05,402 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
 (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was
 invalid (24)
 2014-11-25 17:02:05,404 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
 (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username
 and password.
 2014-11-25 17:02:05,406 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
 (ajp--127.0.0.1-8702-5) Failed ldap search server
 ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
 Authentication Failed. Please verify the username and password.. We should
 not try the next server
 2014-11-25 17:02:05,408 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
 (ajp--127.0.0.1-8702-5) Failed to run command
 LdapSearchGroupsByQueryCommand. Domain is siee.local. User is
 juanjo@SIEE.LOCAL.
 
 every time I click Go button. Moreover I haven't changed anything from my
 Samba4 AD and it is working handling my siee.local domain. This error is
 shown since oVirt 3.5 upgrade.
 
 Many thanks in advance,
 
 Juanjo.

As Alon suggested, you can try the next provider for 3.5
However, until you do so, can you use kinit in order to perform kerberos 
authentication with the problematic user?

Cheers,
Yair

 
 
 
 On Tue, Nov 25, 2014 at 2:29 PM, Ondra Machacek omach...@redhat.com wrote:
 
  Also, can you please try to search within this domain,
  not only login to it? Does it fail or works good?
 
  (in webadmin go to users tab and click add,
   select your domain and search for users).
 
  - Original Message -
   From: Alon Bar-Lev alo...@redhat.com
   To: Juan Jose jj197...@gmail.com
   Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky 
  yzasl...@redhat.com, users@ovirt.org
   Sent: Tuesday, November 25, 2014 1:49:20 PM
   Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
  
   2014-11-25 12:54:10,687 ERROR
   [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
   (ajp--127.0.0.1-8702-5) Failed ldap search server
   ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
   Authentication Failed. Please verify the username and password.. We
  should
   not try the next server
  
  
   - Original Message -
From: Juan Jose jj197...@gmail.com
To: Ondra Machacek omach...@redhat.com, alo...@redhat.com, Yair
Zaslavsky yzasl...@redhat.com,
users@ovirt.org
Sent: Tuesday, November 25, 2014 2:29:26 PM
Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
   
Hello Ondra and everybody,
   
It works with my other user:
   
engine-manage-domains add --domain=siee.local --provider=ad
  --user=juanjo
--add-permissions
Enter password:
Successfully added domain siee.local. oVirt Engine restart is required
  in
order for the changes to take place (service ovirt-engine restart).
Manage Domains completed successfully
   
But after restarted ovirt-engine if I try to log in with juanjo in
  the
administrator portal and I

[ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-24 Thread Juan Jose
Hello everybody,

I have upgraded my oVirt 3.4 to 3.5 version without any problem apparently.

After finish the upgrade I have tried to login with any of my AD users from
my Samba 4, like I used to do in oVirt 3.4 but I received authentication
errors as below error:

2014-11-21 14:06:02,681 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
(ajp--127.0.0.1-8702-3) Kerberos error: Pre-authentication information was
invalid (24)
2014-11-21 14:06:02,683 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
(ajp--127.0.0.1-8702-3) Authentication Failed. Please verify the username
and password.
2014-11-21 14:06:02,685 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
(ajp--127.0.0.1-8702-3) Failed ldap search server
ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
Authentication Failed. Please verify the username and password.. We should
not try the next server
2014-11-21 14:06:02,688 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
(ajp--127.0.0.1-8702-3) Failed to run command
LdapGetAdUserByUserNameCommand. Domain is siee.local. User is
juanjo@SIEE.LOCAL.
2014-11-21 14:06:02,690 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-24 Thread Alon Bar-Lev

Yes,
I think we just fixed this[1].
We can fix this manually, yair, ondra what is the easiest fix?

BTW: you can also checkout the new ldap provider 
(ovirt-engine-extension-aaa-ldap) in 3.5 which should be much more robust[1], I 
can help you set it up.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1167211
[2] 
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD

- Original Message -
 From: Juan Jose jj197...@gmail.com
 To: users@ovirt.org
 Sent: Monday, November 24, 2014 2:22:44 PM
 Subject: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 Hello everybody,
 
 I have upgraded my oVirt 3.4 to 3.5 version without any problem apparently.
 
 After finish the upgrade I have tried to login with any of my AD users from
 my Samba 4, like I used to do in oVirt 3.4 but I received authentication
 errors as below error:
 
 2014-11-21 14:06:02,681 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
 (ajp--127.0.0.1-8702-3) Kerberos error: Pre-authentication information was
 invalid (24)
 2014-11-21 14:06:02,683 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
 (ajp--127.0.0.1-8702-3) Authentication Failed. Please verify the username
 and password.
 2014-11-21 14:06:02,685 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
 (ajp--127.0.0.1-8702-3) Failed ldap search server
 ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
 Authentication Failed. Please verify the username and password.. We should
 not try the next server
 2014-11-21 14:06:02,688 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
 (ajp--127.0.0.1-8702-3) Failed to run command
 LdapGetAdUserByUserNameCommand. Domain is siee.local. User is
 juanjo@SIEE.LOCAL.
 2014-11-21 14:06:02,690 ERROR
 [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
 (ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
 org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
 Input:

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-24 Thread Ondra Machacek
Please try to run your command with domain in lower case:

engine-manage-domains add --domain=siee.local --provider=ad --user=Administrator


- Original Message -
 From: Alon Bar-Lev alo...@redhat.com
 To: Juan Jose jj197...@gmail.com
 Cc: users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com, Ondra Machacek 
 omach...@redhat.com
 Sent: Monday, November 24, 2014 1:27:39 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 
 Yes,
 I think we just fixed this[1].
 We can fix this manually, yair, ondra what is the easiest fix?
 
 BTW: you can also checkout the new ldap provider
 (ovirt-engine-extension-aaa-ldap) in 3.5 which should be much more
 robust[1], I can help you set it up.
 
 [1] https://bugzilla.redhat.com/show_bug.cgi?id=1167211
 [2]
 http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
 
 - Original Message -
  From: Juan Jose jj197...@gmail.com
  To: users@ovirt.org
  Sent: Monday, November 24, 2014 2:22:44 PM
  Subject: [ovirt-users] Adding domain to oVirt to 3.5 issue
  
  Hello everybody,
  
  I have upgraded my oVirt 3.4 to 3.5 version without any problem apparently.
  
  After finish the upgrade I have tried to login with any of my AD users from
  my Samba 4, like I used to do in oVirt 3.4 but I received authentication
  errors as below error:
  
  2014-11-21 14:06:02,681 ERROR
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
  (ajp--127.0.0.1-8702-3) Kerberos error: Pre-authentication information was
  invalid (24)
  2014-11-21 14:06:02,683 ERROR
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
  (ajp--127.0.0.1-8702-3) Authentication Failed. Please verify the username
  and password.
  2014-11-21 14:06:02,685 ERROR
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
  (ajp--127.0.0.1-8702-3) Failed ldap search server
  ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
  Authentication Failed. Please verify the username and password.. We should
  not try the next server
  2014-11-21 14:06:02,688 ERROR
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
  (ajp--127.0.0.1-8702-3) Failed to run command
  LdapGetAdUserByUserNameCommand. Domain is siee.local. User is
  juanjo@SIEE.LOCAL.
  2014-11-21 14:06:02,690 ERROR
  [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
  (ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
  org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
  Input:

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-24 Thread Alon Bar-Lev


- Original Message -
 From: Ondra Machacek omach...@redhat.com
 To: jj197...@gmail.com
 Cc: users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com, Alon Bar-Lev 
 alo...@redhat.com
 Sent: Monday, November 24, 2014 2:46:20 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 Please try to run your command with domain in lower case:
 
 engine-manage-domains add --domain=siee.local --provider=ad
 --user=Administrator

it is already added, won't it be simpler to modify the vdc_options?

 
 
 - Original Message -
  From: Alon Bar-Lev alo...@redhat.com
  To: Juan Jose jj197...@gmail.com
  Cc: users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com, Ondra
  Machacek omach...@redhat.com
  Sent: Monday, November 24, 2014 1:27:39 PM
  Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
  
  
  Yes,
  I think we just fixed this[1].
  We can fix this manually, yair, ondra what is the easiest fix?
  
  BTW: you can also checkout the new ldap provider
  (ovirt-engine-extension-aaa-ldap) in 3.5 which should be much more
  robust[1], I can help you set it up.
  
  [1] https://bugzilla.redhat.com/show_bug.cgi?id=1167211
  [2]
  http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
  
  - Original Message -
   From: Juan Jose jj197...@gmail.com
   To: users@ovirt.org
   Sent: Monday, November 24, 2014 2:22:44 PM
   Subject: [ovirt-users] Adding domain to oVirt to 3.5 issue
   
   Hello everybody,
   
   I have upgraded my oVirt 3.4 to 3.5 version without any problem
   apparently.
   
   After finish the upgrade I have tried to login with any of my AD users
   from
   my Samba 4, like I used to do in oVirt 3.4 but I received authentication
   errors as below error:
   
   2014-11-21 14:06:02,681 ERROR
   [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
   (ajp--127.0.0.1-8702-3) Kerberos error: Pre-authentication information
   was
   invalid (24)
   2014-11-21 14:06:02,683 ERROR
   [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
   (ajp--127.0.0.1-8702-3) Authentication Failed. Please verify the username
   and password.
   2014-11-21 14:06:02,685 ERROR
   [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
   (ajp--127.0.0.1-8702-3) Failed ldap search server
   ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
   Authentication Failed. Please verify the username and password.. We
   should
   not try the next server
   2014-11-21 14:06:02,688 ERROR
   [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
   (ajp--127.0.0.1-8702-3) Failed to run command
   LdapGetAdUserByUserNameCommand. Domain is siee.local. User is
   juanjo@SIEE.LOCAL.
   2014-11-21 14:06:02,690 ERROR
   [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
   (ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
   org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
   Input:

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-24 Thread Ondra Machacek
I understood that domain can be deleted, but can't be added,
so there won't be needed values to update in vdc_options.

Juanjo - Can you please provide us with the result of this command:

$ psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"

Is it empty, or is the domain name upper case or lower case?
If it's upper, then please lower case it.
$ psql -U engine -d engine -c "update vdc_options set option_value='siee.local:GSSAPI' where option_name='LDAPSecurityAuthentication'"


- Original Message -
 From: Alon Bar-Lev alo...@redhat.com
 To: Ondra Machacek omach...@redhat.com
 Cc: jj197...@gmail.com, users@ovirt.org, Yair Zaslavsky 
 yzasl...@redhat.com
 Sent: Monday, November 24, 2014 1:49:11 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
 
 
 - Original Message -
  From: Ondra Machacek omach...@redhat.com
  To: jj197...@gmail.com
  Cc: users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com, Alon Bar-Lev
  alo...@redhat.com
  Sent: Monday, November 24, 2014 2:46:20 PM
  Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
  
  Please try to run your command with domain in lower case:
  
  engine-manage-domains add --domain=siee.local --provider=ad
  --user=Administrator
 
 it is already added, won't it be simpler to modify the vdc_options?
 
  
  
  - Original Message -
   From: Alon Bar-Lev alo...@redhat.com
   To: Juan Jose jj197...@gmail.com
   Cc: users@ovirt.org, Yair Zaslavsky yzasl...@redhat.com, Ondra
   Machacek omach...@redhat.com
   Sent: Monday, November 24, 2014 1:27:39 PM
   Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
   
   
   Yes,
   I think we just fixed this[1].
   We can fix this manually, yair, ondra what is the easiest fix?
   
   BTW: you can also checkout the new ldap provider
   (ovirt-engine-extension-aaa-ldap) in 3.5 which should be much more
   robust[1], I can help you set it up.
   
   [1] https://bugzilla.redhat.com/show_bug.cgi?id=1167211
   [2]
   http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
   
   - Original Message -
From: Juan Jose jj197...@gmail.com
To: users@ovirt.org
Sent: Monday, November 24, 2014 2:22:44 PM
Subject: [ovirt-users] Adding domain to oVirt to 3.5 issue

Hello everybody,

I have upgraded my oVirt 3.4 to 3.5 version without any problem
apparently.

After finish the upgrade I have tried to login with any of my AD users
from
my Samba 4, like I used to do in oVirt 3.4 but I received
authentication
errors as below error:

2014-11-21 14:06:02,681 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
(ajp--127.0.0.1-8702-3) Kerberos error: Pre-authentication information
was
invalid (24)
2014-11-21 14:06:02,683 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
(ajp--127.0.0.1-8702-3) Authentication Failed. Please verify the
username
and password.
2014-11-21 14:06:02,685 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
(ajp--127.0.0.1-8702-3) Failed ldap search server
ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
Authentication Failed. Please verify the username and password.. We
should
not try the next server
2014-11-21 14:06:02,688 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
(ajp--127.0.0.1-8702-3) Failed to run command
LdapGetAdUserByUserNameCommand. Domain is siee.local. User is
juanjo@SIEE.LOCAL.
2014-11-21 14:06:02,690 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
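
The case check on `LDAPSecurityAuthentication` that Ondra asks for in the message above, as an added shell example that is not part of the thread or of oVirt's own tooling: it lower-cases only the domain part of the value and builds the matching `update` statement. The function names, the second test domain and the comma-separated multi-entry form are assumptions; the thread only shows `siee.local:GSSAPI`.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumption: option_value is a comma-separated list of domain:mechanism
# pairs; the thread itself only shows the single entry siee.local:GSSAPI.

# Print the value with each domain lower-cased; the mechanism is untouched.
normalize_auth_value() {
    rest=$1
    out=
    while [ -n "$rest" ]; do
        case $rest in
            *,*) entry=${rest%%,*}; rest=${rest#*,} ;;
            *)   entry=$rest; rest= ;;
        esac
        [ -n "$entry" ] || continue          # skip empty items ("a,,b")
        case $entry in
            *:*) domain=${entry%%:*}; mech=:${entry#*:} ;;
            *)   domain=$entry; mech= ;;
        esac
        domain=$(printf '%s' "$domain" | tr '[:upper:]' '[:lower:]')
        out=${out:+$out,}$domain$mech
    done
    printf '%s\n' "$out"
}

# Succeed (exit 0) when the stored value differs from its normalised form.
needs_fix() {
    [ "$(normalize_auth_value "$1")" != "$1" ]
}

# Print the UPDATE for psql -c. Anything outside the characters expected in
# a domain:mechanism list is refused rather than spliced into SQL.
build_update_sql() {
    case $1 in
        ''|*[!A-Za-z0-9._:,-]*)
            echo "refusing unexpected option_value: $1" >&2
            return 1 ;;
    esac
    printf "update vdc_options set option_value='%s' where option_name='LDAPSecurityAuthentication'\n" \
        "$(normalize_auth_value "$1")"
}

# Constructed sample value, as it might come back from:
#   psql -U engine -d engine -At -c "select option_value from vdc_options where option_name='LDAPSecurityAuthentication'"
current='SIEE.LOCAL:GSSAPI'
if needs_fix "$current"; then
    build_update_sql "$current"    # pass this string to: psql -U engine -d engine -c
fi
```
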