Re: [Users] Problem running engine-manage-domain on oVirt 3.1.0-4
Thanks Yair,

I made the changes to the engine-manage-domains script as suggested in the gerrit link - that now works just fine, and also confirms what I thought the problem was all along - namely that the configured username returned on an `engine-manage-domains --action=list` is that of the previous admin. The problem being that their account is no longer valid within the active directory, hence validation fails.

I've trawled the various ovirt config directories but can't find a resource that holds the username to use on the LDAP query. Presumably this is something that gets set up at install time? Is there a way to re-configure the underlying username?

Many thanks,
Trevor

On 25 July 2013 22:29, Yair Zaslavsky yzasl...@redhat.com wrote:
> engine-manage-domains uses engine-config and provides its a configuration (after the above bug fix) with keys in form of key=.
> If you really don't want to upgrade, maybe you should consider editing the engine-manage-domains script, as in
> http://gerrit.ovirt.org/#/c/9743/3/backend/manager/conf/kerberos/engine-manage-domains ?
> You will have to do that for any altering operations on domains and their associated users.
> Please let us know if it worked for you
>
> Many thanks,
> Yair

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Problem running engine-manage-domain on oVirt 3.1.0-4
On 07/26/2013 01:55 PM, Trevor Galloway wrote:
> Thanks Yair,
>
> I made the changes to the engine-manage-domains script as suggested in the gerrit link - that now works just fine, and also confirms what I thought the problem was all along - namely that the configured username returned on an `engine-manage-domains --action=list` is that of the previous admin. The problem being that their account is no longer valid within the active directory, hence validation fails.
>
> I've trawled the various ovirt config directories but can't find a resource that holds the username to use on the LDAP query. Presumably this is something that gets set up at install time? Is there a way to re-configure the underlying username?

engine-manage-domains should allow you to set the user used in the ldap query via -action=list.
then you can use -action=edit to update it

> Many thanks,
> Trevor
Re: [Users] Problem running engine-manage-domain on oVirt 3.1.0-4
Thanks Itamar for the suggestion - however the `-action=edit` fails since the currently configured user account is inactive within the active directory - it looks as if there is an initial authentication that needs to validate before the edit can proceed ... :(

Hence my query about being able to reset the underlying username that engine-manage-domains uses?

Thanks
Trevor

On 26 July 2013 12:01, Itamar Heim ih...@redhat.com wrote:
> engine-manage-domains should allow you to set the user used in the ldap query via -action=list.
> then you can use -action=edit to update it
Re: [Users] Problem running engine-manage-domain on oVirt 3.1.0-4
On 07/26/2013 03:54 PM, Trevor Galloway wrote:
> Thanks Itamar for the suggestion - however the `-action=edit` fails since the currently configured user account is inactive within the active directory - it looks as if there is an initial authentication that needs to validate before the edit can proceed ... :(
>
> Hence my query about being able to reset the underlying username that engine-manage-domains uses?

you can delete the domain, then add it.
(and i'd expect edit allows you to set the new user and use it, strange it will fail you)

> Thanks
> Trevor
[Users] Problem running engine-manage-domain on oVirt 3.1.0-4
Hello oVirt Users,

Just signed up to the user mailing list and have a question regarding an error being reported to stdout when running engine-manage-domains.

When running the `engine-manage-domains` utility from the command line I see the following error reported:

[root@hive ovirt-engine]# engine-manage-domains -action=list
Failed reading current configuration. Details: Error Key for add operation must be defined! while reading configuration value AdUserName.

A quick Google on this leads directly to Bugzilla – Bug 883846 – which looks like it’s fixed in the 3.2 version. Can anyone confirm that? I’ve inherited a DL580 running oVirt Manager and a bunch of VMs, and don’t really want to undertake an upgrade just now if I don’t have to.

The real problem seems to be that I can’t assign a user with any roles since the ldap lookup to the active server fails – due, I think, to the fact that the query is configured to authenticate with the previous admin’s credentials – they left and the account is now disabled.

From the /var/log/ovirt-engine/engine.log

2013-07-25 11:32:15,574 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--0.0.0.0-8009-1) Authentication failed. The user is either locked or disabled
2013-07-25 11:32:15,575 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-1) Failed ldap search server LDAP://my_active_directory:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException

The above gets written out as soon as I hit the Go button in the Add System Permission to User dialogue window.

Thanks in advance for any advice!
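The two engine.log entries quoted in the post above can be paired mechanically to flag directory lookups that fail because the account the engine authenticated with is locked or disabled. The following Python script is an added example, not part of the original thread or of oVirt; the function name, the two-second correlation window, and the third and fourth sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the engine.log layout quoted above. Lines 3 and 4 are
# made up: an unrelated entry and a search failure with no auth error before it.
SAMPLE_LOG = """\
2013-07-25 11:32:15,574 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--0.0.0.0-8009-1) Authentication failed. The user is either locked or disabled
2013-07-25 11:32:15,575 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-1) Failed ldap search server LDAP://my_active_directory:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
2013-07-25 11:40:02,101 INFO  [org.example.Unrelated] (ajp--0.0.0.0-8009-3) constructed unrelated entry
2013-07-25 11:41:10,310 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-2) Failed ldap search server LDAP://my_active_directory:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
"""

# timestamp, level, [logger], (thread), message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) +(?P<level>[A-Z]+) +"
    r"\[(?P<logger>[^\]]+)\] +\((?P<thread>[^)]+)\) +(?P<msg>.*)$"
)
SEARCH_FAIL_RE = re.compile(r"Failed ldap search server (?P<server>\S+)")
WINDOW = timedelta(seconds=2)  # assumed correlation window, tune per site


def find_bind_failures(text):
    """Pair each failed LDAP search with a preceding auth failure on the same thread."""
    pending = {}   # thread name -> time of its last "locked or disabled" error
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["level"] != "ERROR":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        logger = m["logger"].rsplit(".", 1)[-1]
        if (logger == "GSSAPIDirContextAuthenticationStrategy"
                and "locked or disabled" in m["msg"]):
            pending[m["thread"]] = ts
            continue
        hit = SEARCH_FAIL_RE.search(m["msg"])
        if logger == "DirectorySearcher" and hit:
            seen = pending.pop(m["thread"], None)
            disabled = seen is not None and ts - seen <= WINDOW
            findings.append({
                "time": m["ts"],
                "thread": m["thread"],
                "server": hit["server"],
                "cause": "account_locked_or_disabled" if disabled else "unknown",
            })
    return findings


if __name__ == "__main__":
    for f in find_bind_failures(SAMPLE_LOG):
        print(f"{f['time']} {f['server']} thread={f['thread']} cause={f['cause']}")
```

A repeated `account_locked_or_disabled` finding against the same server is the signal that a directory query account needs to be reviewed after a staff change.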
Re: [Users] Problem running engine-manage-domain on oVirt 3.1.0-4
- Original Message -
> From: Trevor Galloway trevg...@googlemail.com
> To: users@ovirt.org
> Sent: Thursday, July 25, 2013 7:51:56 PM
> Subject: [Users] Problem running engine-manage-domain on oVirt 3.1.0-4
>
> Hello oVirt Users,
>
> Just signed up to the user mailing list and have a question regarding an error being reported to stdout when running engine-manage-domains.
>
> When running the `engine-manage-domains` utility from the command line I see the following error reported:
>
> [root@hive ovirt-engine]# engine-manage-domains -action=list
> Failed reading current configuration. Details: Error Key for add operation must be defined! while reading configuration value AdUserName.
>
> A quick Google on this leads directly to Bugzilla – Bug 883846 – which looks like it’s fixed in the 3.2 version. Can anyone confirm that? I’ve inherited a DL580 running oVirt Manager and a bunch of VMs, and don’t really want to undertake an upgrade just now if I don’t have to.

This is indeed the issue.

> The real problem seems to be that I can’t assign a user with any roles since the ldap lookup to the active server fails – due, I think, to the fact that the query is configured to authenticate with the previous admin’s credentials – they left and the account is now disabled.
>
> From the /var/log/ovirt-engine/engine.log
>
> 2013-07-25 11:32:15,574 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--0.0.0.0-8009-1) Authentication failed. The user is either locked or disabled
> 2013-07-25 11:32:15,575 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-1) Failed ldap search server LDAP://my_active_directory:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
>
> The above gets written out as soon as I hit the Go button in the Add System Permission to User dialogue window.

engine-manage-domains uses engine-config and provides its a configuration (after the above bug fix) with keys in form of key=.
If you really don't want to upgrade, maybe you should consider editing the engine-manage-domains script, as in
http://gerrit.ovirt.org/#/c/9743/3/backend/manager/conf/kerberos/engine-manage-domains ?
You will have to do that for any altering operations on domains and their associated users.
Please let us know if it worked for you

Many thanks,
Yair

> Thanks in advance for any advice!