<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p dir="ltr"><br>
On 14 Oct 2016 at 4:30 PM, cmc <iucounu@gmail.com> wrote:<br>
><br>
> Hi Ondra,<br>
><br>
> It manages to authenticate, but appends the domain again once I'm logged in. For instance, if I log in as user 'cam', it will log me in<br>
> and display the login name in the top right corner as 'cam@domain.com@domain.com' (this shows up in the log as well: it shows me<br>
> logging in as cam@domain.com, but then returns an error as user cam@domain.com@domain.com is not authorized). My thought was<br>
> that something done earlier when I was playing around with sssd, kerberos and AD is doing this, though I have removed these packages<br>
> and run authconfig to remove sssd. Any ideas?</p>
<p dir="ltr">Can't say why, but it's the same for us. It's unsightly, kindly put.</p>
<p dir="ltr">/K</p>
<p dir="ltr">><br>
> Cheers,<br>
><br>
> Cam<br>
><br>
> On Thu, Oct 13, 2016 at 2:04 PM, cmc <iucounu@gmail.com> wrote:<br>
>><br>
>> Hi Ondra,<br>
>><br>
>> That is good to know that we don't need Kerberos - it complicates things a lot.<br>
>><br>
>> I think the errors might be the options I'd selected during the setup. I was thrown a bit that<br>
>> it passed all the internal tests provided by the setup script, but failed on the web GUI. When<br>
>> I've seen 'unspecified GSS failure' and 'peer not authenticated' it's usually been due to<br>
>> Kerberos (though admittedly these are just generic errors). So I tried the Red Hat guide for SSO at:<br>
>><br>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html<br>
>><br>
>> which uses Kerberos (in ovirt-sso.conf). I had to remove the symlink to the Apache<br>
>> config it says to create, as it results in internal server errors in Apache. It uses an SPN for<br>
>> Apache in the keytab.<br>
>><br>
>> Now that you've confirmed that it can actually work without any need for the Kerberos stuff,<br>
>> I will start afresh from a clean setup and apply what I've learnt during this process.<br>
>><br>
>> I'll try it out and let you know either way.<br>
>><br>
>> Many thanks for all the help!<br>
>><br>
>> Kind regards,<br>
>><br>
>> Cam<br>
>><br>
>><br>
>>><br>
>>> Yes, you really do not need anything Kerberos-related to securely bind<br>
>>> to AD via LDAP simple bind over TLS/SSL. This is really strange to me<br>
>>> what errors you are getting, but you probably configured Apache (or<br>
>>> something else?) to require a keytab, but you don't have to, and you can<br>
>>> remove that configuration.<br>
>>><br>
>>>><br>
>>>> Thanks,<br>
>>>><br>
>>>> Cam<br>
>>>><br>
>>>> _______________________________________________<br>
>>>><br>
>>>> Users mailing list<br>
>>>> Users@ovirt.org<br>
>>>> http://lists.ovirt.org/mailman/listinfo/users<br>
>>>><br>
>>>><br>
>>>><br>
>><br>
><br>
</p>
</body>
</html>