<div dir="ltr">Hi Ondra,<br><div><div class="gmail_extra"><br></div><div class="gmail_extra">That is good to know that we don't need Kerberos - it complicates things a lot.<br><div class="gmail_quote"><br>I think the errors might be the options I'd selected during the setup. I was thrown a bit that<br>it passed all the internal tests provided by the setup script, but failed on the web GUI. When <br>I've seen 'unspecified GSS failure' and 'peer not authenticated' it's usually been due to <br>Kerberos (though admittedly these are just generic errors). So I tried the Red Hat guide for SSO at:<br><br><a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html</a><br><br></div></div><div class="gmail_extra"><div class="gmail_quote">which uses Kerberos (in ovirt-sso.conf). I had to remove the symlink to the Apache<br></div><div class="gmail_quote">config it says to create, as it results in internal server errors in Apache. It uses an SPN for<br></div><div class="gmail_quote">Apache in the keytab.<br></div><div class="gmail_quote"><br></div>Now that you've confirmed that it can actually work without any need for the Kerberos stuff, <br></div><div class="gmail_extra">I will start afresh from a clean setup and apply what I've learnt during this process.</div><div class="gmail_extra"><br><div class="gmail_quote">I'll try it out and let you know either way.<br><br></div><div class="gmail_quote">Many thanks for all the help!<br><br></div><div class="gmail_quote">Kind regards,<br><br></div><div class="gmail_quote">Cam<br><br><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="gmail-HOEnZb"><div class="gmail-h5">
<br></div></div>
Yes, you really do not need anything Kerberos-related to securely bind<br>
to AD via LDAP simple bind over TLS/SSL. It is really strange to me<br>
what errors you are getting, but you probably configured Apache (or<br>
something else?) to require a keytab, but you don't have to, and you can<br>
remove that configuration.<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">
<br>
Thanks,<br>
<br>
Cam<br>
<br>
______________________________<wbr>_________________<br>
<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br></span>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman<wbr>/listinfo/users</a><br>
</blockquote>
</blockquote></div><br></div></div></div>