RHEV3 help needed for configuring AD authentication
Hi,
I'm now starting with Lab 4 of the evaluator guide. I want to use the internal existing Active Directory authentication and definitely need help.
I searched and read a lot but without success. https://access.redhat.com/sites/default/files/rhev_troubleshooting_rhevm_install.pdf doesn't help either.
I tested many variations around:
rhevm-manage-domains -action=add -domain='diamant.labdistri.net' -user='Administrator@labdistri.net' -interactive
(I guess the parameter for domain= should be a name that resolves to the AD controller... this is the case).
I tested with and without '@labdistri.net' after Administrator (I'm unsure whether this should be the domain controller credential; maybe it should be admin, the rhevm username?).
This is a sample error I got:
[root@rhevm ~]# rhevm-manage-domains -action=add -domain='diamant.labdistri.net' -user='Administrator@labdistri.net' -interactive
Enter password:
Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: diamant.labdistri.net
Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
Help will be welcome ;-)
Regards
Responses
RHEV uses UPN notations, and the administrator user usually doesn't have one. Can you try with a normal user instead?
Could you first confirm that user name and password are ones defined on the actual Active Directory?
Correct
Could you confirm the syntax for the domain= :
-domain=labdistri.net (which is only the domain name)
or
-domain=MyADserver.labdistri.net (which is a name that resolves to the DC itself)
-domain=labdistri.net
Make sure DNS lookup works - it's used from here on to locate the actual controller and issue queries to it.
Assuming the user/pwd are ones defined on the DC, yes, I have already tested another name:
rhevm-manage-domains -action=add -domain=diamant.labdistri.net -user=bmeunier -interactive
or
rhevm-manage-domains -action=add -domain=labdistri.net -user=bmeunier -interactive
but this still leads to the same type of error.
Try to enter the username in quotes (or maybe double quotes - can't remember from the last time I've done this).
Also try to enter the username@domain (UPN) kind of username
Make sure in AD, that the user you're using actually has a UPN
I also tested -PasswordFile= but got another error (unable to read).
This sounds like a separate issue. Let's get you registered first, and we can play with this one later.
Go to your AD users and computers, open the user properties for bmeunier and check the following in the Account tab:
1. Make sure the user has the first user logon name set up (the one where you set the @domain.com on the right hand side)
2. Make sure in the Account Options, the last 4 options are unchecked (they are all related to Kerberos)
Also make sure the RHEV-M host can query the AD DNS server for SRV and TXT records, in fact - set your AD DNS as one of the DNS servers RHEV-M will be using. Just editing the hosts file is not enough.
You can either put `nameserver IP_OF_AD_DNS_SERVER` at the top of resolv.conf,
or you can edit /etc/sysconfig/network-scripts/ifcfg-eth0 and add DNS1="IP_OF_AD_DNS_SERVER" and then restart your network service.
Either way, afterwards, check with nslookup:
$nslookup
> google.com
Server: a.b.c.d
Address: a.b.c.d:53
Non Authoritative address:
...
Here, a.b.c.d should turn out to be the IP of your AD DNS server
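The checks suggested in this answer (AD DNS listed first in resolv.conf, the user name in UPN form, and the SRV records RHEV-M uses to find the domain controller and KDC) can be scripted before running rhevm-manage-domains again. The following is an added example for this thread, not a script from Red Hat or RHEV; the domain `labdistri.net`, the user `bmeunier@labdistri.net` and the DNS server address `192.0.2.10` are constructed values, and the SRV names are the standard AD locator records rather than anything specific to this thread.

```shell
#!/bin/sh
# Pre-flight checks before rhevm-manage-domains (added example, not part of the thread).
# Constructed values; replace with your own AD domain, account and DNS server.
AD_DOMAIN="${AD_DOMAIN:-labdistri.net}"
AD_USER="${AD_USER:-bmeunier@labdistri.net}"
AD_DNS_IP="${AD_DNS_IP:-192.0.2.10}"

# Print the first "nameserver" entry of a resolv.conf-style file.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Succeed only if the first nameserver in $1 is the expected AD DNS IP $2.
# A hosts-file entry is not enough: RHEV-M needs SRV lookups answered by AD DNS.
resolv_conf_ok() {
    [ "$(first_nameserver "$1")" = "$2" ]
}

# Succeed only if the user name is in UPN form (user@dns.domain),
# which is what the -user= argument should look like.
is_upn() {
    case "$1" in
        *@*.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Query the AD locator SRV records RHEV-M relies on. Needs network access and dig.
srv_lookup() {
    domain="$1"
    for rec in _ldap._tcp.dc._msdcs _kerberos._tcp _ldap._tcp; do
        printf '%s.%s -> ' "$rec" "$domain"
        dig +short "$rec.$domain" SRV || echo "(lookup failed)"
    done
}

# Run the whole check set only when invoked with "run", so sourcing is side-effect free.
if [ "${1:-}" = "run" ]; then
    if resolv_conf_ok /etc/resolv.conf "$AD_DNS_IP"; then
        echo "OK: AD DNS $AD_DNS_IP is the first nameserver"
    else
        echo "WARN: first nameserver is '$(first_nameserver /etc/resolv.conf)', expected $AD_DNS_IP"
    fi
    if is_upn "$AD_USER"; then
        echo "OK: '$AD_USER' is in UPN form"
    else
        echo "WARN: '$AD_USER' is not user@domain; set the user logon name in AD"
    fi
    if command -v dig >/dev/null 2>&1; then
        srv_lookup "$AD_DOMAIN"
    else
        echo "WARN: dig not installed; cannot verify SRV records"
    fi
fi
```

Run it as `sh checks.sh run` on the RHEV-M host; an empty answer for the `_ldap._tcp.dc._msdcs` record means the host is not talking to the AD DNS server, which matches the "Authentication Failed ... verify the fully qualified domain name" error seen above even when the credentials are right.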