Problem using rhevm-manage-domain tool to join AD domain
I have set up the rhevm server and the hypervisor. I have virtual machines running on my single host and can usually connect to them (a bit iffy connecting with SPICE to RHEL and other Linux machines, but that's a matter for another discussion).
Now my problem is that I cannot add my AD domain to the config so I can assign users in our AD domain to guests hosted on the RHEV-H server. I am trying to use the following command:
rhevm-manage-domains -action=add -domain='office.domain' -user='Inter\Administrator' -interactive
but I get the error:
Failure while testing domain office.domain. Details: Authentication Failed. Please verify the username and password.
The thing is if I needed to log in through Windows the username would appear as:
"Inter\Administrator"
'Inter' being an alias pointing to the AD domain (office.domain), in which the user to do stuff in is Administrator.
Can anyone tell me if 'Inter\Administrator' should be able to work with this tool talking to AD, or would it have to appear differently? ("Inter-Administrator", "Inter:Administrator", maybe even just "Administrator")... I've tried these variations without any luck so far, so maybe the problem is something else entirely?
Any assistance is appreciated.
Responses
Did you set up a delegated configuration per the documentation? Some AD environments disable this or control this as a security practice, so you need to take this into account. When I tested AD integration for RHEV-M, I set up an OEM/generic Microsoft 2008 based domain. I set up the delegated authority per the documentation and then used the following on the RHEV-M server...
# rhevm-manage-domains interactive -action=add -domain='<FQDN domain name>' -user='manager' -interactive
Where <FQDN domain name> is the actual AD domain name. And 'manager' is a valid domain id in the <FQDN domain name> domain.
The reference to 'manager' was a test account that had delegated authority as discussed above. Worked. But you could have used a group assignment in AD and added AD users to the group then in turn added them to RHEV-M as authorized accounts. You should not reference the short name for the domain, or any other alias (or heaven forbid, the NETBIOS compliant name for the domain). I think this is where your issue is. The <domain>\<user> convention is an AD-specific notation, and even the <user>@<domain> specification is unique to specific AD aware or integrated solutions/environments, but not applicable to the AD integration with RHEV-M.
You can use the action=list option of rhevm-manage-domains to list all accounts added successfully as well.
I did notice that the BETA documentation has some typos, or errors. So it took a bit of work to figure out what was wrong. BETA documentation had the following which did not work, error/typo whatever you want to call it...
# rhevm-manage-domains interactive -action=add -domain='<FQDN domain name>' -user='manager' -password='<password>'
It appears, based on what you did, that you avoided the typo/error I once found in the BETA documentation.
RHEV uses UPN notation to look up users. The AD built-in users like "Administrator" do not have a UPN notation.
Instead, create a normal user, delegate admin privileges to that user, and try again.
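To check the point made in the reply above before running rhevm-manage-domains, the following added example (not code from the thread or from Red Hat) reads an LDIF export of user objects and reports which accounts carry a userPrincipalName. The sample LDIF, the account names in it, and the function names parse_ldif, upn_report and usable_accounts are constructed for illustration; it assumes the export was produced by an LDAP query that requested the sAMAccountName and userPrincipalName attributes.

```python
import base64

# Constructed sample (not from the thread): LDIF for three user objects
# with the sAMAccountName and userPrincipalName attributes requested.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=office,DC=domain
sAMAccountName: Administrator

dn: CN=RHEV Manager,CN=Users,DC=office,DC=domain
sAMAccountName: manager
userPrincipalName: manager@off
 ice.domain

dn: CN=Encoded,CN=Users,DC=office,DC=domain
sAMAccountName: encoded
userPrincipalName:: ZW5jb2RlZEBvZmZpY2UuZG9tYWlu
"""

def parse_ldif(text):
    """Return one {attribute: value} dict per LDIF entry."""
    # Unfold first: a line starting with one space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            if value.startswith(":"):    # "attr:: value" is base64-encoded
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current[name.lower()] = value.strip()
    return entries

def upn_report(text):
    """Map sAMAccountName -> UPN, or None when the attribute is absent."""
    return {e.get("samaccountname", e.get("dn")): e.get("userprincipalname")
            for e in parse_ldif(text)}

def usable_accounts(text):
    """Accounts with a UPN, i.e. candidates for the -user argument."""
    return sorted(n for n, upn in upn_report(text).items() if upn)
```

An account that maps to None here has no UPN attribute set, which is the situation the reply describes for built-in accounts such as Administrator.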
FQDN in DNS?
Using a supported browser?
Is JBossas service really running?
Since you get to the initial banner, the above should be ok... Did you insert the certificate? Per the instructions even if using 8080. Add site to trusted sites in IE, if using IE9? You don't or have not seen the plug-in download, right?
I had this issue many times in the beta. Most of the time JBoss was acting up and I had to stop and restart JBoss, then restart the IE session. But since GA, so far I have not seen the issue. RHEV-M would just stop responding for no apparent reason.