<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="GENERATOR" content="GtkHTML/4.4.4">
</head>
<body>
fre 2013-04-12 klockan 14:41 +0300 skrev Itamar Heim:
<blockquote type="CITE">
<pre>
On 04/12/2013 11:27 AM, Karli Sjöberg wrote:
> Hey Everyone!
>
> I solved it! I friggin solved it, and it didn´t have anything to do with
> the spice-client, spice-plugin(ActiveX or XPI), or userportal
> specifically, it´s in the engine itself! So Juanjo here said that it
> works for him, and I took a guess that´s because he is only using
> admin@internal <<a href="mailto:admin@internal">mailto:admin@internal</a>> for testing (correct me if I´m
> wrong Juanjo), so I added a "UserRole" to admin on a test VM, logged
> into Userportal, clicked for console, and it worked! So, since our setup
> is a little more complex, as it´s connected to our ActiveDirectory, I
> concluded that it must be a permissions related issue. I created a new
> UserRole, called "ConsoleOwner" that only have "Login Permissions" and
> "RemoteLogin" and added that role to our engine´s "System Permissions"
> on a directory group as "broad" as possible. After that if I also added
> an explicit UserRole permission for a directory user on any VM now it
> works 100%. Me so happy!:)
>
> A question goes out the developers: Should you have to do that? I
> thought that permissions where supposed to be calculated like Windows
> ACLs "Effective Permissions", so that if I just add sufficient
> permissions for a directory user on a VM, it´s effective permissions
> should have granted the necessary abilities in the system, without me
> having to first add that as a "big" system permission to have them
> granted? Bug, or intended?
>
> Thank you so much Juanjo, for posting the versions you are currently
> using that proved that it "should" work, and that it had to be something
> else that prevented us from using it (which it was). Thank you!
can you please clarify again which permission you granted to a user on
the VM which didn't work before you added to the user the console
permission?
</pre>
</blockquote>
<br>
I´m not really sure if I understood your question completely, so I´ll explain again:<br>
<br>
1) Only adding directory user/group with "UserRole" permission to a VM or Pool = Fail; "Couldn´t connect to graphics server".<br>
<br>
2) First adding a very broad directory group with "ConsoleOwner"[1] permission to the inherited "System Permissions", and then add directory user/group with "UserRole" to a VM or Pool = Success!<br>
<br>
[1] ConsoleOwner is a "User Role" I created that only needed to permit "Login Permissions" and "Remote Log In".<br>
<br>
We haz VDI now, "Powered by oVirt";)<br>
<br>
<table cellspacing="0" cellpadding="0" width="100%">
<tbody>
<tr>
<td>-- <br>
<br>
Med Vänliga Hälsningar<br>
-------------------------------------------------------------------------------<br>
Karli Sjöberg<br>
Swedish University of Agricultural Sciences<br>
Box 7079 (Visiting Address Kronåsvägen 8)<br>
S-750 07 Uppsala, Sweden<br>
Phone: +46-(0)18-67 15 66<br>
<a href="mailto:karli.sjoberg@adm.slu.se">karli.sjoberg@slu.se</a> </td>
</tr>
</tbody>
</table>
</body>
</html>