<div dir="ltr">Hi Ondra,<div><br><div><div>I assigned permissions to an LDAP group and it just needed me to remove that group and re-add it for it to authorize again.</div></div><div><br></div><div>Yes, the UPN is user@domain in our case. Not a big deal, but is there a plan to change the display name? I get confused looks and questions when people log in.</div><div><br></div><div>All working now, many thanks once again for all your help!</div><div><br></div><div>Cheers,</div><div><br></div><div>Cam</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 17, 2016 at 10:06 AM, Ondra Machacek <span dir="ltr"><<a href="mailto:omachace@redhat.com" target="_blank">omachace@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Cam,<br>
<br>
this is OK, because we use the user principal name (UPN) [1] for the<br>
'username' field of oVirt. So the resulting username will consist of<br>
UPN@authz-extension, so if your user's UPN is 'user@domain' and you<br>
name your authz extension 'domain', then the resulting username<br>
will be 'user@domain@domain'.<br>
<br>
The reason you can't get authorized is that you didn't assign<br>
any permissions to your user.<br>
<br>
[1] <a href="https://msdn.microsoft.com/en-us/library/ms680857(v=vs.85).aspx" rel="noreferrer" target="_blank">https://msdn.microsoft.com/en-us/library/ms680857(v=vs.85).aspx</a><span class=""><br>
<br>
On 10/14/2016 04:30 PM, cmc wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
Hi Ondra,<br>
<br>
It manages to authenticate, but appends the domain again once I'm logged<br>
in. For instance, if I log in as user 'cam', it will log me in<br>
and display the login name in the top right corner as<br></span>
'cam@domain.com@domain.com' (this shows up in the<span class=""><br>
log as well: it shows me<br></span>
logging in as cam@domain.com, but then returns<br>
an error as user cam@domain.com@domain.com is not<span class=""><br>
authorized). My thought was<br>
that something done earlier when I was playing around with sssd,<br>
kerberos and AD is doing this, though I have removed these packages<br>
and run authconfig to remove sssd. Any ideas?<br>
<br>
Cheers,<br>
<br>
Cam<br>
<br>
On Thu, Oct 13, 2016 at 2:04 PM, cmc <<a href="mailto:iucounu@gmail.com" target="_blank">iucounu@gmail.com</a>> wrote:<br></span><div><div class="h5">
<br>
Hi Ondra,<br>
<br>
That is good to know that we don't need Kerberos - it complicates<br>
things a lot.<br>
<br>
I think the errors might be the options I'd selected during the<br>
setup. I was thrown a bit that<br>
it passed all the internal tests provided by the setup script, but<br>
failed on the web GUI. When<br>
I've seen 'unspecified GSS failure' and 'peer not authenticated'<br>
it's usually been due to<br>
Kerberos (though admittedly these are just generic errors). So I<br>
tried the Redhat guide for SSO at:<br>
<br>
<a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html" rel="noreferrer" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html</a><br>
<br>
which uses Kerberos (in ovirt-sso.conf). I had to remove the symlink<br>
to the Apache<br>
config it says to create, as it results in internal server errors in<br>
Apache. It uses an SPN for<br>
Apache in the keytab.<br>
<br>
Now that you've confirmed that it can actually work without any need<br>
for the Kerberos stuff,<br>
I will start afresh from a clean setup and apply what I've learnt<br>
during this process.<br>
<br>
I'll try it out and let you know either way.<br>
<br>
Many thanks for all the help!<br>
<br>
Kind regards,<br>
<br>
Cam<br>
<br>
<br>
<br>
Yes, you really do not need anything Kerberos-related to<br>
securely bind<br>
to AD via LDAP simple bind over TLS/SSL. It is really strange<br>
to me<br>
what errors you are getting, but you probably configured Apache (or<br>
something else?) to require a keytab; you don't have to, and<br>
you can<br>
remove that configuration.<br>
<br>
<br>
Thanks,<br>
<br>
Cam<br>
<br>
_______________________________________________<br>
<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
<br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
</div></div></blockquote>
</blockquote></div><br></div>