<div dir="ltr"><div><div><div><div><div><div>Hi Ondra,<br><br></div>It manages to authenticate, but appends the domain again once I'm logged in, for instance, if I log in as user 'cam', it will log me in,<br></div>and display the login name in the top right corner as 'cam@domain.com@<a href="http://domain.com">domain.com</a>' (this shows up in the log as well: it shows me<br>logging in as <a href="mailto:cam@domain.com">cam@domain.com</a>, but then returns an error as user cam@domain.com@<a href="http://domain.com">domain.com</a> is not authorized). My thought was<br></div>that something done earlier when I was playing around with sssd, kerberos and AD is doing this, though I have removed these packages<br></div>and run authconfig to remove sssd. Any ideas?<br><br></div>Cheers,<br><br></div>Cam<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 13, 2016 at 2:04 PM, cmc <span dir="ltr"><<a href="mailto:iucounu@gmail.com" target="_blank">iucounu@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Ondra,<br><div><div class="gmail_extra"><br></div><div class="gmail_extra">That is good to know that we don't need Kerberos - it complicates things a lot.<br><div class="gmail_quote"><br>I think the errors might be the options I'd selected during the setup. I was thrown a bit that<br>it passed all the internal tests provided by the setup script, but failed on the web GUI. When <br>I've seen 'unspecified GSS failure' and 'peer not authenticated' it's usually been due to <br>Kerberos (though admittedly these are just generic errors). So I tried the Redhat guide for SSO at:<br><br><a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html" target="_blank">https://access.redhat.com/<wbr>documentation/en-US/Red_Hat_<wbr>Enterprise_Virtualization/3.6/<wbr>html/Administration_Guide/<wbr>Configuring_LDAP_and_Kerberos_<wbr>for_Single_Sign-on.html</a><br><br></div></div><div class="gmail_extra"><div class="gmail_quote">which uses Kerberos (in ovirt-sso.conf) I had to remove the symlink to the Apache<br></div><div class="gmail_quote">config it says to create, as it results in internal server errors in Apache. It uses an SPN for<br></div><div class="gmail_quote">Apache in the keytab.<br></div><div class="gmail_quote"><br></div>Now that you've confirmed that it can actually work without any need for the Kerberos stuff, <br></div><div class="gmail_extra">I will start afresh from a clean setup and apply what I've learnt during this process.</div><div class="gmail_extra"><br><div class="gmail_quote">I'll try it out and let you know either way.<br><br></div><div class="gmail_quote">Many thanks for all the help!<br><br></div><div class="gmail_quote">Kind regards,<br><br></div><div class="gmail_quote">Cam<span class=""><br><br><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="m_-2749846956816549365gmail-HOEnZb"><div class="m_-2749846956816549365gmail-h5">
<br></div></div>
Yes, you really do not need anything kerberos related to securely bind<br>
to AD via LDAP simple bind over TLS/SSL. This is really strange to me<br>
what errors you are getting, but you probably configured apache (or<br>
something else?) to require keytab, but you don't have to, and you can<br>
remove that configuration.<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="m_-2749846956816549365gmail-">
<br>
Thanks,<br>
<br>
Cam<br>
<br>
<br>
<br>
<br>
Thanks,<br>
<br>
Cam<br>
<br>
______________________________<wbr>_________________<br>
<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a> <mailto:<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a>><br></span>
<mailto:<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a> <mailto:<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a>>><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman<wbr>/listinfo/users</a><br>
<<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailma<wbr>n/listinfo/users</a>><br>
<<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailma<wbr>n/listinfo/users</a><br>
<<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailma<wbr>n/listinfo/users</a>>><br>
<br>
<br>
<br>
</blockquote>
</blockquote></span></div><br></div></div></div>
</blockquote></div><br></div>