----- Original Message -----
> From: "Scotto Alberto" <[email protected]>
> To: "Oved Ourfalli" <[email protected]>
> Cc: [email protected]
> Sent: Monday, September 3, 2012 4:21:27 PM
> Subject: Re: [Users] can't add domain with rhevm-manage-domains
>
> Oved,
> Thank you for your try!
>
> > The query you pasted below shows "DOMAIN.LOCAL".
> That was just an example. The command I ran was correct (FPT.LOCAL).
>
> The issue seems solved. This morning I tried logging in with my
> domain user and it succeeded.
> Then a colleague of mine stopped the reverse zone for the AD
> server again, and now I can't log in again, even after reactivating
> the zone..
> I suppose there must be some cache delay... :S
If you use OpenJDK 1.7, this problem will not surface.
Out of curiosity, what is the output of java -version?

>
> Alberto Scotto
>
> Blue Reply
> Via Cardinal Massaia, 83
> 10147 - Torino - ITALY
> phone: +39 011 29100
> [email protected]
> www.reply.it
>
> -----Original Message-----
> From: Oved Ourfalli [mailto:[email protected]]
> Sent: Sunday, September 2, 2012 15:53
> To: Scotto Alberto
> Cc: [email protected]
> Subject: Re: [Users] can't add domain with rhevm-manage-domains
>
> Hey,
>
> What's the name of your domain?
> The query you pasted below shows "DOMAIN.LOCAL".
> However, in the log I see:
> "Failed authenticating user: f35191a to domain fpt.local".
>
> Did some reading, and it looks like this error happens when the Kerberos
> ticket is requested to the wrong REALM.
>
> What version are you working with?
> Is there anything else in the logs besides what you have put in
> pastebin?
>
> Oved
>
> ----- Original Message -----
> > From: "Scotto Alberto" <[email protected]>
> > To: [email protected]
> > Sent: Friday, August 31, 2012 6:45:15 PM
> > Subject: Re: [Users] can't add domain with rhevm-manage-domains
> >
> > Ok, now it works.
> >
> > Thanks to tcpdump/wireshark I could understand that:
> >
> > - rhevm-manage-domains sends DNS queries asking for PTR of RHEV-H and
> >   another redundant domain server, so I
> >
> > - The LDAP query it sends is
> >   (&(sAMAccountType=805306368)(userPrincipalName=[email protected]))
> >   but the account "fptadmin02" I was using had a different
> >   userPrincipalName
> >
> > So here is how I solved it:
> >
> > - adding the missing PTRs in the reverse zone of the DNS server
> > - logging in with another username that has a correct
> >   userPrincipalName
> >
> > Anyhow, after restarting jbossas, I still can't log in to the console
> > with a domain username.
> > From wireshark I see it doesn't even send an LDAP query; it breaks at
> > KRB5 packets with "error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)"
> >
> > Here are the logs from rhevm.log:
> > http://pastebin.com/kZqn3kzz
> >
> > Alberto Scotto
> >
> > From: [email protected] [mailto:[email protected]] On
> > Behalf Of Scotto Alberto
> > Sent: Friday, August 31, 2012 11:35
> > To: [email protected]
> > Subject: [Users] can't add domain with rhevm-manage-domains
> >
> > Hi all,
> >
> > I'm trying to add a domain (Active Directory), but I can't get it to
> > work.
> >
> > The command I execute is:
> >
> >   rhevm-manage-domains -action=add -domain='FPT.LOCAL' -user='fptadmin' -interactive
> >
> > Attached you can find:
> >
> > - Output of the command
> > - Logs from /var/log/rhevm/rhevm-manage-domains/rhevm-manage-domains.log
> >
> > I found a RHEV KB saying:
> >
> >   For Error: LDAP query Failed, make sure the Active Directory server
> >   and the RHEVM server have the correct PTR records in the DNS reverse
> >   lookup zone file
> >
> > And another one says:
> >
> >   It's required to create PTR entry into DNS for the following:
> >   · Name Server (NS) - Start of Authority (SOA)
> >     Example: WIN-TL8JB8JAG8.ad.mydomain.com.
> >   · Active Directory Name
> >     Example: ad.mydomain.com.
> >   · RHEVM machine
> >     Example: rhevm.ad.mydomain.com.
> >
> > We are fulfilling this requirement, as nslookup of these 3 machines'
> > IPs works.
> >
> > Additional info.
> > These commands work (if you need I can paste the full output):
> >
> >   # dig SRV _kerberos._tcp.FPT.LOCAL
> >   # dig SRV _kerberos._udp.FPT.LOCAL
> >   # dig SRV _ldap._tcp.FPT.LOCAL
> >
> >   # kinit [email protected]
> >
> >   # klist
> >   Ticket cache: FILE:/tmp/krb5cc_0
> >   Default principal: [email protected]
> >
> >   Valid starting     Expires            Service principal
> >   08/30/12 15:55:46  08/31/12 01:55:51  krbtgt/[email protected]
> >           renew until 09/06/12 15:55:46
> >
> > Thank you very much in advance
> >
> > Alberto Scotto
> >
> > --
> > The information transmitted is intended for the person or entity to
> > which it is addressed and may contain confidential and/or privileged
> > material. Any review, retransmission, dissemination or other use of,
> > or taking of any action in reliance upon, this information by persons
> > or entities other than the intended recipient is prohibited.
> > If you received this in error, please contact the sender and delete
> > the material from any computer.
> >
> > _______________________________________________
> > Users mailing list
> > [email protected]
> > http://lists.ovirt.org/mailman/listinfo/users
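The two conditions this thread turns on, the PTR records the KB requires for the AD server and the RHEVM host, and the userPrincipalName filter rhevm-manage-domains was seen sending, as an added example that is not oVirt code and not from anyone in the thread. The zones and directory entries are constructed so it runs offline; check_ptr, ldap_escape, upn_filter and find_account are hypothetical helper names.

```python
import ipaddress

# Constructed sample zones (not from the thread): the engine host has an
# A record but no PTR, reproducing the "LDAP query Failed" precondition.
FORWARD = {"dc01.fpt.local.": "192.0.2.10", "rhevm.fpt.local.": "192.0.2.20"}
REVERSE = {"192.0.2.10": "dc01.fpt.local."}

# Constructed directory entries: fptadmin02 carries a UPN in another
# realm, the mismatch the thread ran into with that account.
DIRECTORY = [
    {"sAMAccountName": "fptadmin", "sAMAccountType": 805306368,
     "userPrincipalName": "fptadmin@fpt.local"},
    {"sAMAccountName": "fptadmin02", "sAMAccountType": 805306368,
     "userPrincipalName": "fptadmin02@corp.example"},
]

def check_ptr(host, forward=FORWARD, reverse=REVERSE):
    """Forward-confirmed reverse DNS: A -> PTR must name the same host."""
    ip = forward.get(host)
    if ip is None:
        return f"{host}: no A record"
    ptr = reverse.get(ip)
    if ptr is None:
        arpa = ipaddress.ip_address(ip).reverse_pointer
        return f"{host}: no PTR for {ip} (missing {arpa}.)"
    if ptr.lower() != host.lower():
        return f"{host}: PTR for {ip} names {ptr}"
    return f"{host}: ok"

def ldap_escape(value):
    """RFC 4515 escaping so a typed user name cannot alter the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(c, c) for c in value)

def upn_filter(user, realm):
    """The search filter the thread captured with wireshark."""
    return ("(&(sAMAccountType=805306368)(userPrincipalName="
            f"{ldap_escape(user + '@' + realm)}))")

def find_account(user, realm, directory=DIRECTORY):
    """Apply the filter to the sample entries (UPN match is case-insensitive,
    as in AD) and return the sAMAccountName, or None when nothing matches."""
    want = f"{user}@{realm}".lower()
    for e in directory:
        if (e["sAMAccountType"] == 805306368
                and e["userPrincipalName"].lower() == want):
            return e["sAMAccountName"]
    return None
```

Run check_ptr on each of the three names the KB lists and find_account on the user passed to -user; a None from find_account is the fptadmin02 case, where the account exists but its UPN is not user@DOMAIN.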

