On 01/29/2015 02:54 PM, Koen Vanoppen wrote:
> I just don't understand. Why did engine-manage-domains previously DID work, no problems whatsoever, and now I have this...
Because manage-domains didn't use the global catalog. And probably the reason you don't have the _ldap SRV record is that you never had it and you just used the '--ldapServers' parameter; that's why manage-domains worked with your domain.
Now you are using DNS, not a static configuration of ldap servers.
2015-01-29 14:48 GMT+01:00 Ondra Machacek <omach...@redhat.com>:

It's the same situation as before, but now you are missing the ldap SRV record. With the same steps you used to add the _gc SRV record, add also the _ldap SRV record. But it's strange that you don't already have them.

On 01/29/2015 02:46 PM, Koen Vanoppen wrote:

I saw that when I pressed the send button. If I do that I again get the following:

2015-01-29 14:28:35,891 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_ldap._tcp.ldap.mydomain.com'
2015-01-29 14:28:35,924 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_ldap._tcp.ldap.mydomain.com'

And yes, I replaced mydomain with the correct one... :-)

2015-01-29 14:40 GMT+01:00 Ondra Machacek <omach...@redhat.com>:

On 01/29/2015 02:18 PM, Koen Vanoppen wrote:

OK...
Now I have this one :-)

WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot initialize LDAP framework, deferring initialization. Error: Invalid DNS pseudo-URL(s): uncomment vars.dns

Changed the properties file to this:

include = <ad.properties>

#
# Active directory domain name.
#
vars.domain = ldap.mydomain.com   (this one resolves and gives a ping back, front end of the pool)

#
# Search user and its password.
#
vars.user = juniper-ad...@mydomain.com
vars.password = *****

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
#vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain   (these resolve and give a ping back)

pool.default.serverset.type = srvrecord
#pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}

Thanks for your effort!
2015-01-29 13:50 GMT+01:00 Alon Bar-Lev <alo...@redhat.com>:

----- Original Message -----
> From: "Koen Vanoppen" <vanoppen.k...@gmail.com>
> To: "Alon Bar-Lev" <alo...@redhat.com>
> Cc: users@ovirt.org
> Sent: Thursday, January 29, 2015 2:41:52 PM
> Subject: Re: [ovirt-users] AAA
>
> Yes We have:
>
> [root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;_gc._tcp.mydomain.com.		IN	SRV

this ^^^^^^^ means that you do not have the srv record.
are you sure you replaced mydomain.com with your actual active directory domain name?
have you tried to look into your dns manager for this information as well?

> ;; AUTHORITY SECTION:
> mydomain.com.		3600	IN	SOA	srvdc03.mydomain.com. hostmaster.airport. 1398582 900 600 86400 3600
>
> ;; Query time: 12 msec
> ;; SERVER: 10.110.3.123#53(10.110.3.123)
> ;; WHEN: Thu Jan 29 13:40:41 2015
> ;; MSG SIZE  rcvd: 98
>
>
> 2015-01-29 13:33 GMT+01:00 Alon Bar-Lev <alo...@redhat.com>:
>
> > ----- Original Message -----
> > > From: "Koen Vanoppen" <vanoppen.k...@gmail.com>
> > > To: "Alon Bar-Lev" <alo...@redhat.com>, users@ovirt.org
> > > Sent: Thursday, January 29, 2015 2:19:32 PM
> > > Subject: Re: [ovirt-users] AAA
> > >
> > > Big thanks for your help, but still the same:
> > >
> > > #
> > > # Active directory domain name.
> > > #
> > > vars.domain = mydomain.com
> > >
> > > #
> > > # Search user and its password.
> > > #
> > > vars.user = admin@${global:vars.domain}
> > > vars.password = *****
> > >
> > > #
> > > # Optional DNS servers, if enterprise
> > > # DNS server cannot resolve the domain srvrecord.
> > > #
> > > vars.dns = dns://srvdc03.${global:vars.domain} dns://srvdc04.${global:vars.domain}
> > >
> > > pool.default.serverset.type = srvrecord
> > > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > pool.default.auth.simple.password = ${global:vars.password}
> > >
> > > # Uncomment if using custom DNS
> > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> > >
> > >
> > > [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: No DNS SRV records were found with record name '_gc._tcp.brussels.airport'.
> > >
> > > And I can't put '_gc._tcp.mydomain.com' in the dns... Isn't there another way? It just resolves the dns servers I gave him?
> >
> > Microsoft Domain controller must have a gc service entry within DNS to work properly.
> > 1. Are you sure you have Microsoft DNS installed on srvdc03.mydomain.com ?
> > 2. Can you please execute:
> >    $ dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> > 3. Can you please open the DNS manager within your domain and search for srv records? Maybe you have DNS installed only on a few servers; using the DNS manager you can also see which.
> >
> > > 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev <alo...@redhat.com>:
> > >
> > > > ----- Original Message -----
> > > > > From: "Ondra Machacek" <omach...@redhat.com>
> > > > > To: "Koen Vanoppen" <vanoppen.k...@gmail.com>, users@ovirt.org
> > > > > Sent: Thursday, January 29, 2015 1:49:00 PM
> > > > > Subject: Re: [ovirt-users] AAA
> > > > >
> > > > > On 01/29/2015 12:30 PM, Koen Vanoppen wrote:
> > > > > > No, I don't. And I wouldn't know how he got to this name...
> > > > >
> > > > > Well, then you have to, if you want to use 'pool.default.serverset.type = srvrecord'.
> > > > >
> > > > > It just needs to know where your global catalog is running, since it's needed for the new provider.
> > > > >
> > > > > It searches for the global catalog like this:
> > > > > dig @${vars.dns} -t SRV _gc._tcp.${vars.domain}
> > > > >
> > > > > So you need to have this SRV record in DNS, if you want to use the srvrecord serverset type.
> > > > > Or you don't have to if you use the single server type.
> > > >
> > > > active directory will not work without access to the global catalog.
> > > > please set one or more of the domain controllers as dns server, for example:
> > > >
> > > > vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
> > > >
> > > > please also uncomment/add these lines to make vars.dns effective.
> > > >
> > > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> > > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> > > >
> > > > Thanks!
> > > >
> > > > > > Thanks for the reply!
> > > > > >
> > > > > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek <omach...@redhat.com>:
> > > > > >
> > > > > > On 01/29/2015 11:41 AM, Koen Vanoppen wrote:
> > > > > >
> > > > > > > Can somebody help me setting up AAA for ovirt 3.5.1?
> > > > > > >
> > > > > > > I'm getting this now:
> > > > > > >
> > > > > > > 2015-01-29 11:35:36,889 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc._tcp.brussels.airport': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc._tcp.brussels.airport'
> > > > > >
> > > > > > Do you have this '_gc._tcp.brussels.airport' SRV record in DNS ?
> > > > > >
> > > > > > > my 3 configs:
> > > > > > >
> > > > > > > _*BRU_AIR-authn.properties*_
> > > > > > > ovirt.engine.extension.name = BRU_AIR-authn
> > > > > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > > > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> > > > > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> > > > > > > ovirt.engine.aaa.authn.profile.name = BRU-AIR
> > > > > > > ovirt.engine.aaa.authn.authz.plugin = BRU_AIR-authz
> > > > > > > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
> > > > > > >
> > > > > > > _*BRU_AIR-authz.properties*_
> > > > > > > ovirt.engine.extension.name = BRU_AIR-authz
> > > > > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > > > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> > > > > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> > > > > > > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
> > > > > > >
> > > > > > > _*BRU_AIR.properties*_
> > > > > > > include = <ad.properties>
> > > > > > >
> > > > > > > #
> > > > > > > # Active directory domain name.
> > > > > > > #
> > > > > > > vars.domain = mydomain.com
> > > > > > >
> > > > > > > #
> > > > > > > # Search user and its password.
> > > > > > > #
> > > > > > > vars.user = admin@${global:vars.domain}
> > > > > > > vars.password = ***********
> > > > > > >
> > > > > > > #
> > > > > > > # Optional DNS servers, if enterprise
> > > > > > > # DNS server cannot resolve the domain srvrecord.
> > > > > > > #
> > > > > > > vars.dns = dns://dc01.mydomain.com
> > > > > > >
> > > > > > > pool.default.serverset.type = srvrecord
> > > > > > > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > > > > > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > > > > > pool.default.auth.simple.password = ${global:vars.password}
> > > > > > >
> > > > > > > In the GUI for adding a user I get this:
> > > > > > >
> > > > > > > An error occurred while attempting to query DNS in order to retrieve SRV records with name '_gc__tcp_brussels_airport': javax_naming_NameNotFoundException: DNS name not found [response code 3]; remaining name '_gc__tcp_brussels_airport'
> > > > > > >
> > > > > > > Any ideas? I ran out...
> > > > > > >
> > > > > > > Kind regards,
> > > > > > >
> > > > > > > Koen
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
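As an added illustration (not code from the thread or from oVirt), here is a Python preflight check modelled on the profile format shown above: it reads the `key = value` lines, expands `${global:...}` references, flags the condition behind the "uncomment vars.dns" error (a property referencing a key that is commented out), validates the `dns://` pseudo-URLs, and lists the `_gc._tcp` / `_ldap._tcp` SRV names and the `dig` commands (in the form Ondra gave) to verify them before restarting the engine. The sample profile is constructed; the parser does not follow `include` and performs no DNS lookups itself.

```python
import re
from typing import Dict, List, Tuple

REF = re.compile(r"\$\{global:([^}]+)\}")               # ${global:key} reference
DNS_URL = re.compile(r"dns://[A-Za-z0-9.-]+(?::\d+)?")  # one vars.dns pseudo-URL

# Constructed sample modelled on the last profile posted in the thread:
# vars.dns is still commented out while two properties reference it.
SAMPLE_PROFILE = """\
include = <ad.properties>
vars.domain = ldap.mydomain.com
vars.user = admin@${global:vars.domain}
vars.password = *****
#vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
"""

def parse_profile(text: str) -> Dict[str, str]:
    """Read 'key = value' lines; '#' comment lines are skipped, so a commented-out
    '#vars.dns' never defines vars.dns. The include directive is not followed."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            props[key] = value
    return props

def resolve(props: Dict[str, str], value: str) -> str:
    """Expand ${global:key} references; unknown keys are left verbatim."""
    return REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)

def check_profile(text: str) -> Tuple[List[str], List[str]]:
    """Return (problems, srv_names): static mistakes in the profile, and the SRV
    names a srvrecord serverset queries (_gc for the AD global catalog, then _ldap)."""
    props = parse_profile(text)
    problems = [f"{key}: ${{global:{ref}}} is undefined (uncomment {ref}?)"
                for key, value in props.items()
                for ref in REF.findall(value) if ref not in props]
    problems += [f"vars.dns: invalid DNS pseudo-URL {url!r}"
                 for url in props.get("vars.dns", "").split() if not DNS_URL.fullmatch(url)]
    srv_names: List[str] = []
    if props.get("pool.default.serverset.type") == "srvrecord":
        domain = resolve(props, props.get("pool.default.serverset.srvrecord.domain", ""))
        srv_names = [f"_gc._tcp.{domain}", f"_ldap._tcp.{domain}"]
    return problems, srv_names

def dig_commands(text: str) -> List[str]:
    """dig invocations for every listed DNS server and SRV name; without vars.dns
    the system resolver is queried, which is what the extension falls back to."""
    props = parse_profile(text)
    targets = [f"@{u[len('dns://'):]} " for u in props.get("vars.dns", "").split()] or [""]
    return [f"dig {t}-t SRV {n}" for t in targets for n in check_profile(text)[1]]

if __name__ == "__main__":
    for profile in (SAMPLE_PROFILE, SAMPLE_PROFILE.replace("#vars.dns", "vars.dns")):
        problems, srv_names = check_profile(profile)
        print("problems:", problems or "none")
        print("\n".join(dig_commands(profile)), end="\n\n")
```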