Problem using rhevm-manage-domain tool to join AD domain

I have set up the rhevm server, and the hypervisor, I have virtual machines running on my single host and can usually connect to them (a bit iffy connecting with SPICE to RHEL and other Linux machines but that's a matter for another discussion).

Now my problem is that I cannot add my AD domain to the config so I can assign users in our AD domain to guests hosted on the RHEV-H server. I am trying to use the following command:

rhevm-manage-domains -action=add -domain='office.domain' -user='Inter\Administrator' -interactive

but get error

Failure while testing domain office.domain. Details: Authentication Failed. Please verify the username and password.

The thing is if I needed to log in through Windows the username would appear as:

"Inter\Administrator"

'Inter' being an alias pointing to the AD domain (office.domain), in which the user to do stuff in is Administrator.

Can anyone tell me if 'Inter\Administrator' should be able to work with this tool talking to AD, or would it have to appear differently? ("Inter-Administrator", "Inter:Administrator", maybe even just "Administrator")... I've tried these variations without any luck so far, so maybe the problem is something else entirely?

Any assistance is appreciated.

Responses

Did you set up a delegated configuration per the documentation?  Some AD environments disable this or control this as a security practice, so you need to take this into account.  When I tested AD integration for RHEV-M, I set up an OEM/generic Microsoft 2008 based domain.  I set up the delegated authority per the documentation and then used the following on the RHEV-M server...

# rhevm-manage-domains interactive -action=add -domain='<FQDN domain name>' -user='manager' -interactive

Where <FQDN domain name> is the actual AD domain name.  And 'manager' is a valid domain id in the <FQDN domain name> domain.

The reference to 'manager' was a test account that had delegated authority as discussed above.  Worked.  But you could have used a group assignment in AD and added AD users to the group then in turn added them to RHEV-M as authorized accounts.  You should not reference the short name for the domain, or any other alias (or heaven forbid, the NETBIOS compliant name for the domain).  I think this is where your issue is.  The <domain>\<user> convention is an AD-specific notation, and even the <user>@<domain> specification is unique to specific AD-aware or integrated solutions/environments, but not applicable to the AD integration with RHEV-M.

You can use the action=list option of rhevm-manage-domains to list all accounts added successfully as well.

I did notice that the BETA documentation has some typos, or errors.  So it took a bit of work to figure out what was wrong.  BETA documentation had the following which did not work, error/typo whatever you want to call it...

# rhevm-manage-domains interactive -action=add -domain='<FQDN domain name>' -user='manager' -password='<password>'

It appears, based on what you did, that you avoided the typo/error I once found in the BETA documentation.

RHEV uses UPN notation to look up users. The AD built-in users like "Administrator" do not have a UPN notation.

Instead, create a normal user, delegate admin privileges to that user, and try again.

Thanks Dany, it worked.

Now the problem has changed. I managed to successfully add my domain as directed by Dany above, but now after restarting the server (really needed only to restart JBOSS but went the whole whack) I cannot reach the Management Console via Windows IE.

I go to http://rhevmachine.domain:8080, and I see the menu list (Portals.. Documentation.. Support..) the Red Hat shadowman logo and red bar along the top etc. But now when I click on "Administrator Portal" or "User Portal" I get an error:

HTTP Status 404 - /RHEVManager

I tried turning off iptables on the server running rhevm but that had no effect, I tried clearing the cache on the IE machine. Neither of these worked. Any suggestions?

1. Make sure RHEV-M can resolve its own FQDN

2. Restart the jbossas service again

FQDN in DNS?

Using a supported browser?

Is JBossas service really running?

Since you get to the initial banner, the above should be ok...  Did you insert the certificate?  Per the instructions even if using 8080.  Add site to trusted sites in IE, if using IE9?  You don't or have not seen the plug-in download right?

I had this issue many times in the beta.  Most of the time JBoss was acting up and I had to stop and restart JBoss, then restart the IE session.  But since GA, so far I have not seen the issue.  RHEV-M would just stop responding for no apparent reason.

Can it be restarted via

/etc/init.d/jboss restart

or

service jboss restart

or something like this?

Yup, pings itself etc.

Yup, IE8 

I think JBOSS is running, I don't see it in Top though, and "ps aux | grep jboss" results are too messy to be sure.

I am not asked to add a certificate, and I had been asked previously. Hopefully a restart of jboss will sort it out.

jbossas is the service name 

Nice, "/etc/init.d/jbossas restart" worked.