[ovirt-users] Hosted engine Single Sign-On to VM with freeIPA not working

Paul paul at kenla.nl
Fri Apr 21 09:01:19 UTC 2017


Hi Ondra,
It is over a year since the last message, so I thought let's give this a new
try.
I did set up a new test environment with the latest versions, all RH-family (CentOS
7.3 with oVirt 4.1).
The oVirt engine works fine with IPA; in the console I can log in with
credentials. But SSO still does not work :-(
Unfortunately the workaround with "authconfig --enablenis --update" breaks
polkit.service and cascades into a lot of other failures, making the VM fail to
boot properly.
Any suggestions?
Regards,
Paul

System setup:
--- Engine----
[root at engine ~]# cat /etc/redhat-release 
CentOS Linux release 7.3.1611 (Core) 
[root at engine ~]# uname -a
Linux engine.domain.com 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root at engine ~]# rpm -qa | grep ovirt
ovirt-engine-setup-plugin-ovirt-engine-common-4.1.1.8-1.el7.centos.noarch
ovirt-imageio-proxy-1.0.0-0.201701151456.git89ae3b4.el7.centos.noarch
ovirt-iso-uploader-4.0.2-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-4.1.1.8-1.el7.centos.noarch
ovirt-engine-tools-4.1.1.8-1.el7.centos.noarch
ovirt-engine-backend-4.1.1.8-1.el7.centos.noarch
ovirt-engine-extension-aaa-jdbc-1.1.4-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-setup-1.3.1-1.el7.centos.noarch
ovirt-release41-4.1.1.1-1.el7.centos.noarch
ovirt-setup-lib-1.1.0-1.el7.centos.noarch
ovirt-imageio-common-1.0.0-1.el7.noarch
ovirt-engine-sdk-python-3.6.9.1-1.el7.centos.noarch
ovirt-engine-extensions-api-impl-4.1.1.8-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.3.1-1.el7.centos.noarch
ovirt-imageio-proxy-setup-1.0.0-0.201701151456.git89ae3b4.el7.centos.noarch
ovirt-engine-dwh-4.1.1-1.el7.centos.noarch
ovirt-engine-setup-plugin-websocket-proxy-4.1.1.8-1.el7.centos.noarch
ovirt-engine-tools-backup-4.1.1.8-1.el7.centos.noarch
ovirt-engine-setup-4.1.1.8-1.el7.centos.noarch
ovirt-engine-vmconsole-proxy-helper-4.1.1.8-1.el7.centos.noarch
ovirt-engine-dashboard-1.1.0-7.el7.centos.noarch
ovirt-engine-metrics-1.0.2-1.el7.centos.noarch
ovirt-engine-userportal-4.1.1.8-1.el7.centos.noarch
ovirt-engine-dbscripts-4.1.1.8-1.el7.centos.noarch
ovirt-engine-4.1.1.8-1.el7.centos.noarch
ovirt-engine-wildfly-10.1.0-1.el7.x86_64
python-ovirt-engine-sdk4-4.1.3-2.el7.centos.x86_64
ovirt-vmconsole-proxy-1.0.4-1.el7.centos.noarch
ovirt-engine-wildfly-overlay-10.0.0-1.el7.noarch
ovirt-engine-cli-3.6.9.2-1.el7.centos.noarch
ovirt-engine-lib-4.1.1.8-1.el7.centos.noarch
ovirt-host-deploy-java-1.6.3-1.el7.centos.noarch
ovirt-engine-dwh-setup-4.1.1-1.el7.centos.noarch
ovirt-engine-websocket-proxy-4.1.1.8-1.el7.centos.noarch
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.1.1.8-1.el7.centos.noarch
ovirt-engine-webadmin-portal-4.1.1.8-1.el7.centos.noarch
ovirt-engine-restapi-4.1.1.8-1.el7.centos.noarch
ovirt-guest-agent-common-1.0.13-2.el7.noarch
ovirt-host-deploy-1.6.3-1.el7.centos.noarch
ovirt-vmconsole-1.0.4-1.el7.centos.noarch
ovirt-engine-extension-aaa-misc-1.0.1-1.el7.noarch
ovirt-web-ui-0.1.2-4.el7.centos.x86_64
ovirt-engine-setup-base-4.1.1.8-1.el7.centos.noarch

---  IPA ----
[root at ipa01 log]# cat /etc/redhat-release 
CentOS Linux release 7.3.1611 (Core)
[root at ipa01 log]# uname -a
Linux ipa01.domain.com 3.10.0-514.16.1.el7.x86_64 #1 SMP Wed Apr 12 15:04:24
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root at ipa01 log]# rpm -qa | grep ipa
python2-ipalib-4.4.0-14.el7.centos.7.noarch
python2-ipaserver-4.4.0-14.el7.centos.7.noarch
libipa_hbac-1.14.0-43.el7_3.14.x86_64
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-common-4.4.0-14.el7.centos.7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
python-ipaddress-1.0.16-2.el7.noarch
sssd-ipa-1.14.0-43.el7_3.14.x86_64
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
ipa-client-4.4.0-14.el7.centos.7.x86_64
ipa-server-4.4.0-14.el7.centos.7.x86_64
ipa-server-common-4.4.0-14.el7.centos.7.noarch
ipa-admintools-4.4.0-14.el7.centos.7.noarch
ipa-server-dns-4.4.0-14.el7.centos.7.noarch

---Client---
[root at ad01 ~]# cat /etc/redhat-release 
CentOS Linux release 7.3.1611 (Core) 
[root at ad01 ~]# uname -a
Linux ad01.domain.com 3.10.0-514.16.1.el7.x86_64 #1 SMP Wed Apr 12 15:04:24
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 [root at ad01 ~]# rpm -qa | grep ipa
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
python-iniparse-0.4-9.el7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
ipa-client-4.4.0-14.el7.centos.7.x86_64
sssd-ipa-1.14.0-43.el7_3.14.x86_64
python-ipaddress-1.0.16-2.el7.noarch
python2-ipalib-4.4.0-14.el7.centos.7.noarch
ipa-common-4.4.0-14.el7.centos.7.noarch
libipa_hbac-1.14.0-43.el7_3.14.x86_64
[root at ad01 ~]# rpm -qa | grep ovirt
ovirt-guest-agent-pam-module-1.0.13-2.el7.x86_64
ovirt-guest-agent-common-1.0.13-2.el7.noarch
ovirt-guest-agent-gdm-plugin-1.0.13-2.el7.noarch

Relevant logs:
--- client ---
[root at ad01 ~]# vi /var/log/messages
Apr 21 10:07:59 ad01 [sssd[krb5_child[2635]]]: Preauthentication failed
Apr 21 10:07:59 ad01 [sssd[krb5_child[2635]]]: Preauthentication failed

[root at ad01 ~]# vi /var/log/sssd/krb5_child.log
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [unpack_buffer]
(0x0100): cmd [249] uid [1480400007] gid [1480400007] validate [true]
enterprise principal [false] offline [false] UPN [test at DOMAIN.COM]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
[host/ad01.domain.com at DOMAIN.COM]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [check_fast_ccache]
(0x0200): FAST TGT is still valid.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [become_user]
(0x0200): Trying to become user [1480400007][1480400007].
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [set_lifetime_options]
(0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [set_lifetime_options]
(0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [sss_krb5_prompter]
(0x0020): Cannot handle password prompts.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [k5c_send_data]
(0x0200): Received error code 0
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [unpack_buffer]
(0x0100): cmd [241] uid [1480400007] gid [1480400007] validate [true]
enterprise principal [false] offline [false] UPN [test at DOMAIN.COM]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [unpack_buffer]
(0x0100): ccname: [KEYRING:persistent:1480400007] old_ccname:
[KEYRING:persistent:1480400007] keytab: [/etc/krb5.keytab]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [switch_creds]
(0x0200): Switch user to [1480400007][1480400007].
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [switch_creds]
(0x0200): Switch user to [0][0].
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
[host/ad01.domain.com at DOMAIN.COM]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [check_fast_ccache]
(0x0200): FAST TGT is still valid.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [become_user]
(0x0200): Trying to become user [1480400007][1480400007].
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [set_lifetime_options]
(0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [set_lifetime_options]
(0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [get_and_save_tgt]
(0x0020): 1296: [-1765328360][Preauthentication failed]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [map_krb5_error]
(0x0020): 1365: [-1765328360][Preauthentication failed]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [k5c_send_data]
(0x0200): Received error code 1432158221

---IPA---
/var/log/krb5kdc.log
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18
17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: test at DOMAIN.COM for
krbtgt/DOMAIN.COM at DOMAIN.COM, Additional pre-authentication required
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18
17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: test at DOMAIN.COM for
krbtgt/DOMAIN.COM at DOMAIN.COM, Additional pre-authentication required
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18
17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: test at DOMAIN.COM for
krbtgt/DOMAIN.COM at DOMAIN.COM, Additional pre-authentication required
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18
17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: test at DOMAIN.COM for
krbtgt/DOMAIN.COM at DOMAIN.COM, Additional pre-authentication required
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): preauth
(encrypted_challenge) verify failure: Incorrect password in encrypted
challenge
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18
17 16 23 25 26}) 10.0.2.2: PREAUTH_FAILED: test at DOMAIN.COM for
krbtgt/DOMAIN.COM at DOMAIN.COM, Incorrect password in encrypted challenge
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
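As an added example (not part of Paul's post or of any oVirt/FreeIPA tooling), a small parser for krb5kdc.log AS_REQ lines of the shape shown above. It separates the NEEDED_PREAUTH round trips, which are the normal first leg of every AS exchange, from PREAUTH_FAILED entries and the encrypted-challenge verify failure that is the actual symptom here. The sample lines are constructed from the excerpt; the ISSUE line is an assumed success case for contrast.

```python
import re
from collections import Counter

# Constructed sample modelled on the krb5kdc.log excerpt in the post, with
# the archive's " at " obfuscation undone; the final ISSUE line is made up
# to show a completed AS exchange next to the failing one.
SAMPLE_KDC_LOG = """\
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: test@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM, Additional pre-authentication required
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.2.2: PREAUTH_FAILED: test@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM, Incorrect password in encrypted challenge
Apr 21 10:09:30 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.2.2: ISSUE: authtime 1492769370, etypes {rep=18 tkt=18 ses=18}, host/ad01.domain.com@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM
"""

# One AS_REQ line: timestamp, KDC host, offered etypes, client IP, outcome, rest.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$")
# "<client principal> for <service principal>" inside the remainder.
PRINC_RE = re.compile(r"(?P<client>\S+@\S+) for (?P<service>[^\s,]+)")


def parse_as_req(line):
    """Return a dict for an AS_REQ line, or None for any other KDC line."""
    m = AS_REQ_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["etypes"] = [int(e) for e in ev["etypes"].split()]
    rest = ev.pop("rest")
    p = PRINC_RE.search(rest)
    ev["client"] = p.group("client") if p else None
    ev["service"] = p.group("service") if p else None
    ev["reason"] = rest[p.end():].strip(", ") if p else rest
    return ev


def summarize(log_text):
    """Outcome counts per (client IP, principal). NEEDED_PREAUTH is the
    normal first round trip of every AS exchange, so it is never a failure."""
    lines = log_text.splitlines()
    events = [e for e in map(parse_as_req, lines) if e]
    return {
        "events": len(events),
        "needed_preauth": sum(e["status"] == "NEEDED_PREAUTH" for e in events),
        "failed": Counter((e["ip"], e["client"], e["reason"])
                          for e in events if e["status"] == "PREAUTH_FAILED"),
        "issued": Counter((e["ip"], e["client"]) for e in events if e["status"] == "ISSUE"),
        # KDC-side confirmation that the FAST encrypted challenge carried a wrong password
        "encrypted_challenge_failures": sum(
            "(encrypted_challenge) verify failure" in l for l in lines),
    }
```

Run over a real /var/log/krb5kdc.log, the `failed` counter keyed by (IP, principal, reason) is also the signal to alert on for repeated wrong-password attempts against the KDC, while a high NEEDED_PREAUTH count on its own is just normal traffic.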

-----Original Message-----
From: Paul [mailto:paul at kenla.nl] 
Sent: Sunday 20 March 2016 16:48
To: 'Ondra Machacek' <omachace at redhat.com>; 'users at ovirt.org'
<users at ovirt.org>
Subject: RE: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA
not working

Hi Ondra,
Bug 1316135 was new to me and sounds very similar to my issue "(0, 17,
<NULL>) [Success (Failure setting user credentials)]"
Proposed work-around with "authconfig --enablenis --update" worked for me,
although this creates an issue with the keyring authentication. I can live
with this for the moment, but hopefully the bug can be fixed soon.
Thanks for the quick responses,
Regards,
Paul

-----Original Message-----
From: Ondra Machacek [mailto:omachace at redhat.com]
Sent: Thursday 17 March 2016 19:12
To: Paul <paul at kenla.nl>; users at ovirt.org
Subject: Re: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA
not working

Hi Paul,

OK, thanks for the info; then there is an issue in the PAM configuration, most
probably.
There is an open issue for it on RHEL 7; please try reading this comment [1] and
see if it helps you.

Ondra

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1316135#c3