Ok, now it works. Thanks to tcpdump/wireshark I could undesrstand that:
- Rhevm-manage-domains sends DNS queries asking for PTR of RHEV-H and another redundant domain server, so I - The LDAP query it sends is (&(sAMAccountType=805306368)(userPrincipalName= [email protected])<mailto:[email protected])>) but the account "fptadmin02" I was using had a different userPrincipalName So here is how I solved: - adding the missing PTRs in the reverse zone of the DNS server - logging in with another username that has a correct userPrincipalName Anyhow, after restarting jbossas, still I can't log in the console with a domain username. >From wireshark I see it doesn't even send an LDAP query; it breaks at KRB5 >packets with "error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)" Here are the logs from rhevm.log http://pastebin.com/kZqn3kzz Alberto Scotto [Blue] Via Cardinal Massaia, 83 10147 - Torino - ITALY phone: +39 011 29100 [email protected] www.reply.it From: [email protected] [mailto:[email protected]] On Behalf Of Scotto Alberto Sent: venerdì 31 agosto 2012 11:35 To: [email protected] Subject: [Users] can't add domain with rhevm-manage-domains Hi all, I'm trying to add a domain (active directory), but I can't get it to work. The command I execute is: rhevm-manage-domains -action=add -domain='FPT.LOCAL' -user='fptadmin' -interactive Attached you can find: - Output of the command - Logs from /var/log/rhevm/rhevm-manage-domains/rhevm-manage-domains.log I found a RHEV KB saying: For Error: LDAP query Failed, make sure the Active Directory server and the RHEVM server have the correct PTR records in the DNS reverse lookup zone file And another one says: It's required to create PTR entry into DNS for the following: * Name Server (NS) - Start of Authority (SOA) Example: WIN-TL8JB8JAG8.ad.mydomain.com. * Active Directory Name Example: ad.mydomain.com. * RHEVM machine Example: rhevm.ad.mydomain.com. We are fulfilling this requirement, as nslookup of these 3 machines' IP work. Additional info. These commands work (if you need I can paste the full output): #dig SRV _kerberos._tcp.FPT.LOCAL #dig SRV _kerberos._udp.FPT.LOCAL #dig SRV _ldap._tcp.FPT.LOCAL # kinit [email protected]<mailto:[email protected]> # klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [email protected]<mailto:[email protected]> Valid starting Expires Service principal 08/30/12 15:55:46 08/31/12 01:55:51 krbtgt/[email protected]<mailto:krbtgt/[email protected]> renew until 09/06/12 15:55:46 Thank you very much in advance Alberto Scotto [Blue] Via Cardinal Massaia, 83 10147 - Torino - ITALY phone: +39 011 29100 [email protected] www.reply.it ________________________________ -- The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. ________________________________ -- The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
<<inline: image001.png>>
<<inline: blue.png>>
_______________________________________________ Users mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/users
