That’s it! Some background: within our IT department most of us have a regular 
user account and an administrative account. For the latter account type, the UPN 
and SAM account name happen to be the same (e.g. jdoead...@example.com) whereas 
for regular users UPN is something like john....@example..com. When I used the 
UPN name (e.g. john.doe) the login worked fine. 

We can work with that. But is there a way to change it to using SAM account 
name? 

Thanks,
Daniel 

On 10/26/16, 12:58 PM, "Ondra Machacek" <omach...@redhat.com> wrote:

    On 10/26/2016 06:31 PM, Beckman, Daniel wrote:
    > I have been updating our oVirt 3.6 (3.6.7.5-1) environment in
    > preparation for upgrading to oVirt 4.
    >
    >
    >
    > We had been using the legacy AD connection (via engine-manage-domains),
    > and since that’s no longer available in oVirt 4, this was a priority. (I
    > put this off as long as I could – I found the new method a step back in
    > ease of use.)
    >
    >
    >
    > So following the documentation I set up
    > ‘ovirt-engine-extension-aaa-ldap’, connecting to the same Active
    > Directory forest. It seemed to work; I was able to look up users. But
    > none of the existing AD users that we had been using in oVirt were able
    > to log in to the admin or user portal, using the new extension. The
    > error is “General command validation failure.”. (Whereas if you enter a
    > wrong password, you get the expected wrong password error.) Here’s
    > what /var/log/ovirt-engine/engine.log shows for “myuser”:
    >
    > {Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
    > 
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
    > 
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
    > Extkey[name=EXTENSION_LICENSE;type=class
    > 
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
    > 2.0, Extkey[name=EXTENSION_NOTES;type=class
    > 
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
    > name: ovirt-engine-extension-aaa-ldap-1.1.4-1.el7,
    > Extkey[name=EXTENSION_HOME_URL;type=class
    > 
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org,
    > Extkey[name=EXTENSION_LOCALE;type=class
    > 
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
    > Extkey[name=EXTENSION_NAME;type=class
    > 
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authz,
    > Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
    > 
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
    > Extkey[name=EXTENSION_CONFIGURATION;type=class
    > 
java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
    > Extkey[name=EXTENSION_AUTHOR;type=class
    > 
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
    > oVirt Project, Extkey[name=AAA_AUTHZ_QUERY_MAX_FILTER_SIZE;type=class
    > 
java.lang.Integer;uuid=AAA_AUTHZ_QUERY_MAX_FILTER_SIZE[2eb1f541-0f65-44a1-a6e3-014e247595f5];]=50,
    > Extkey[name=EXTENSION_INSTANCE_NAME;type=class
    > 
java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=ingramcontent.com,
    > Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
    > 
java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
    > Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
    > 
java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
    > Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
    > 
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
    > Extkey[name=EXTENSION_VERSION;type=class
    > 
java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.1.4,
    > Extkey[name=AAA_AUTHZ_AVAILABLE_NAMESPACES;type=interface
    > 
java.util.Collection;uuid=AAA_AUTHZ_AVAILABLE_NAMESPACES[6dffa34c-955f-486a-bd35-0a272b45a711];]=[DC=ingramcontent,DC=com],
    > Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
    > 
org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authz.ingramcontent.com),
    > Extkey[name=EXTENSION_PROVIDES;type=interface
    > 
java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authz],
    > Extkey[name=EXTENSION_CONFIGURATION_FILE;type=class
    > 
java.lang.String;uuid=EXTENSION_CONFIGURATION_FILE[4fb0ffd3-983c-4f3f-98ff-9660bd67af6a];]=/etc/ovirt-engine/extensions.d/INGRAMCONTENT.COM.properties},
    > Extkey[name=AAA_AUTHZ_QUERY_FLAGS;type=class
    > 
java.lang.Integer;uuid=AAA_AUTHZ_QUERY_FLAGS[97d226e9-8d87-49a0-9a7f-af689320907b];]=3,
    > Extkey[name=AAA_AUTHZ_PRINCIPAL;type=class
    > 
java.lang.String;uuid=AAA_AUTHZ_PRINCIPAL[a3c1d5ca-f1ea-131c-86ae-a1ecbcadd6b7];]=myu...@ingramcontent.com,
    > Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
    > 
org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHZ_FETCH_PRINCIPAL_RECORD[5a5bf9bb-9336-4376-a823-26efe1ba26df],
    > Extkey[name=AAA_AUTHN_AUTH_RECORD;type=class
    > 
org.ovirt.engine.api.extensions.ExtMap;uuid=AAA_AUTHN_AUTH_RECORD[e9462168-b53b-44ac-9af5-f25e1697173e];]={Extkey[name=AAA_AUTHN_AUTH_RECORD_PRINCIPAL;type=class
    > 
java.lang.String;uuid=AAA_AUTHN_AUTH_RECORD_PRINCIPAL[c3498f07-11fe-464c-958c-8bd7490b119a];]=myu...@ingramcontent.com}}
    >
    > {Extkey[name=EXTENSION_INVOKE_RESULT;type=class
    > 
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
    > Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
    > 
java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=Cannot
    > resolve principal 'myu...@ingramcontent.com'}
    
    "Cannot resolve principal 'myu...@ingramcontent.com'"
    
    ^ This error usually means that 'myuser' has a different UPN than 
    'myu...@ingramcontent.com'. ovirt-engine-extension-aaa-ldap uses the UPN to 
    log in instead of the SAM account name. So you should check what UPN the user 
    'myuser' has and log in with it.
    
    >
    >
    >
    > I logged in with the local ‘admin’ account and added some additional
    > users from AD. Then I found that those newly added users **could** log
    > in just fine. It’s only a problem with users that we had previously
    > added when the legacy LDAP provider was used. I’ve tried removing and
    > re-adding those existing users, but that doesn’t fix it. My hunch is
    > that there is something left over associated with those accounts that’s
    > breaking this. To be clear, I’ve already removed the legacy provider:
    >
    >
    >
    > engine-manage-domains list
    >
    > Legacy kerberos/ldap directory integration is obsoleted and will be
    > removed in 4.0 version along with the engine-manage-domains utility.
    > Please migrate to ovirt-engine-extension-aaa-ldap provider or contact
    > support for assistance.
    >
    >
    >
    > Manage Domains completed successfully
    >
    >
    >
    > Where else should I look to troubleshoot? Any suggestions appreciated.
    > Thanks!
    >
    >
    >
    > Best,
    >
    > Daniel
    > _______________________________________________
    > Users mailing list
    > Users@ovirt.org
    > http://lists.ovirt.org/mailman/listinfo/users
    >
    
    

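The engine.log dump quoted in this thread hides the three fields that matter (the command, the principal that was looked up, and the failure message) inside a long ExtMap printout. The following is an added example, not part of the thread or of oVirt: a small parser for that dump format that tolerates mail quoting and line wrapping. The sample is constructed in the shape of the quoted log, the principal `myuser@example.com` is a placeholder, and treating result `0` as success is an assumption.

```python
import re

# One key header of an ExtMap dump: Extkey[name=NAME;type=class a.b.C;uuid=NAME[uuid];]=
KEY_RE = re.compile(
    r"Extkey\[name=(?P<name>\w+);type=(?:class|interface)\s+[\w.$]+;"
    r"uuid=\w+\[[0-9a-f-]+\];\]="
)

# Constructed sample, wrapped and '>'-quoted like the dump in the thread.
SAMPLE = """\
    > {Extkey[name=AAA_AUTHZ_PRINCIPAL;type=class
    >
java.lang.String;uuid=AAA_AUTHZ_PRINCIPAL[a3c1d5ca-f1ea-131c-86ae-a1ecbcadd6b7];]=myuser@example.com,
    > Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
    >
org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHZ_FETCH_PRINCIPAL_RECORD[5a5bf9bb-9336-4376-a823-26efe1ba26df]}
    >
    > {Extkey[name=EXTENSION_INVOKE_RESULT;type=class
    >
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
    > Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
    >
java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=Cannot
    > resolve principal 'myuser@example.com'}
"""

def unwrap(text):
    """Undo mail quoting and wrapping: drop '>' markers, rejoin wrapped lines."""
    parts = (line.lstrip("> \t").rstrip() for line in text.splitlines())
    return " ".join(p for p in parts if p)

def parse_extmap(text):
    """Return {key name: value}; nested maps are flattened into one dict."""
    flat = unwrap(text)
    hits = list(KEY_RE.finditer(flat))
    out = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(flat)
        out[m["name"]] = flat[m.end():end].strip(" ,{}")
    return out

def triage(text):
    """Return (command, principal, message) for a failed call, else None."""
    kv = parse_extmap(text)
    if kv.get("EXTENSION_INVOKE_RESULT", "0") == "0":  # assumption: 0 means success
        return None
    command = kv.get("EXTENSION_INVOKE_COMMAND", "").split("[")[0]
    return command, kv.get("AAA_AUTHZ_PRINCIPAL"), kv.get("EXTENSION_INVOKE_MESSAGE")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The principal it reports is the string the authz extension tried to resolve, which is the value to compare against the user's actual UPN in the directory.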