Thanks Itamar for the suggestion - however the `-action=edit` fails since the currently configured user account is inactive within the active directory - it looks as if there is an initial authentication that needs to validate before the edit can proceed ... :(
Hence my query about being able to reset the underlying username that engine-manage-domains uses?

Thanks
Trevor

On 26 July 2013 12:01, Itamar Heim <ih...@redhat.com> wrote:

> On 07/26/2013 01:55 PM, Trevor Galloway wrote:
>
>> Thanks Yair,
>> I made the changes to the engine-manage-domains script as suggested in
>> the gerrit link - that now works just fine, and also confirms what I
>> thought the problem was all along - namely that the configured username
>> returned on a `engine-manage-domains --action=list` is that of the
>> previous admin.
>> The problem being that their account is no longer valid within the
>> active directory, hence validation fails.
>> I've trawled the various ovirt config directories but can't find a
>> resource that holds the username to use on the LDAP query. Presumably
>> this is something that gets setup at install time?
>> Is there a way to re-configure the underlying username?
>
> engine-manage-domains should allow you to set the user used in the ldap
> query via -action=list.
> then you can use -action=edit to update it
>
>> Many thanks,
>> Trevor
>>
>> On 25 July 2013 22:29, Yair Zaslavsky <yzasl...@redhat.com> wrote:
>>
>> ----- Original Message -----
>> > From: "Trevor Galloway" <trevg...@googlemail.com>
>> > To: users@ovirt.org
>> > Sent: Thursday, July 25, 2013 7:51:56 PM
>> > Subject: [Users] Problem running engine-manage-domain on oVirt 3.1.0-4
>> >
>> > Hello oVirt Users,
>> >
>> > Just signed up to the user mailing list and have a question regarding an
>> > error being reported to stdout when running engine-manage-domains.
>> >
>> > When running the `engine-manage-domains` utility from the command line I
>> > see the following error reported:
>> >
>> > [root@hive ovirt-engine]# engine-manage-domains -action=list
>> > Failed reading current configuration. Details: Error "Key for add operation must be defined!" while reading configuration value AdUserName.
>> >
>> > A quick Google on this leads directly to Bugzilla – Bug 883846 – which
>> > looks like it’s fixed in the 3.2 version. Can anyone confirm that? I’ve
>> > inherited a DL580 running oVirt Manager and a bunch of VM’s, and don’t
>> > really want to undertake an upgrade just now if I don’t have to.
>>
>> This is indeed the issue.
>>
>> > The real problem seems to be that I can’t assign a user with any roles
>> > since the ldap lookup to the active server fails – due, I think, to the
>> > fact that the query is configured to authenticate with the previous admins
>> > credentials – they left and the account is now disabled. :)
>> >
>> > From the /var/log/ovirt-engine/engine.log
>> >
>> > 2013-07-25 11:32:15,574 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--0.0.0.0-8009-1) Authentication failed. The user is either locked or disabled
>> >
>> > 2013-07-25 11:32:15,575 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-1) Failed ldap search server LDAP://<my_active_directory>:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server: org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
>> >
>> > The above gets written out as soon as I hit the Go button in the Add System
>> > Permission to User dialogue window.
>>
>> engine-manage-domains uses engine-config and provides its a
>> configuration (after the above bug fix) with keys in form of "key=".
>> If you really don't want to upgrade, maybe you should consider
>> editing the engine-manage-domains script, as in
>>
>> http://gerrit.ovirt.org/#/c/9743/3/backend/manager/conf/kerberos/engine-manage-domains
>> ?
>>
>> You will have to do that for any altering operations on domains and
>> their associated users.
>>
>> Please let us know if it worked for you
>>
>> Many thanks,
>> Yair
>>
>> > Thanks in advance for any advice!
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users@ovirt.org
>> > http://lists.ovirt.org/mailman/listinfo/users
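The failure signature in the quoted engine.log excerpt (a bind rejected as "locked or disabled", followed on the same thread by a failed LDAP search) can be checked for mechanically, which helps spot a directory lookup account that was disabled when its owner left. This is an added example, not part of the original thread or of oVirt; the sample lines are constructed in the excerpt's layout, and the host name, the 2-second window and the function name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the engine.log layout quoted in the thread;
# ad.example.test and the last two lines are placeholders, not real data.
SAMPLE_LOG = """\
2013-07-25 11:32:15,574 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--0.0.0.0-8009-1) Authentication failed. The user is either locked or disabled
2013-07-25 11:32:15,575 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-1) Failed ldap search server LDAP://ad.example.test:389 due to org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException. We should not try the next server
2013-07-25 11:40:02,101 INFO  [example.Unrelated] (ajp--0.0.0.0-8009-2) unrelated line
2013-07-25 11:45:00,000 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--0.0.0.0-8009-3) Failed ldap search server LDAP://ad.example.test:389 due to timeout
"""

LINE = re.compile(r"^(\S+ \S+) (\w+)\s+\[([^\]]+)\] \(([^)]+)\) (.*)$")
SERVER = re.compile(r"Failed ldap search server (\S+)")
WINDOW = timedelta(seconds=2)  # assumed correlation window


def disabled_bind_account_events(log_text):
    """Return LDAP searches that failed right after a locked/disabled bind error."""
    pending = {}   # thread name -> time of the last locked/disabled bind failure
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack-trace or continuation line
        ts, level, logger, thread, msg = m.groups()
        if level != "ERROR":
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f")
        if (logger.endswith("GSSAPIDirContextAuthenticationStrategy")
                and "locked or disabled" in msg):
            pending[thread] = when
        elif logger.endswith("DirectorySearcher"):
            srv = SERVER.search(msg)
            start = pending.pop(thread, None)
            # Only report searches explained by a bind failure on the same thread.
            if srv and start is not None and when - start <= WINDOW:
                findings.append({"time": ts, "thread": thread,
                                 "server": srv.group(1)})
    return findings


if __name__ == "__main__":
    for finding in disabled_bind_account_events(SAMPLE_LOG):
        print(finding)
```

The search that fails with a timeout on another thread is deliberately not reported, since nothing ties it to the state of the bind account.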