<div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial"><div>Here are the engine logs:</div><div><br></div><div>2018-02-05 14:53:53,681+08 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-38) [] User test@test.org successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access</div><div>2018-02-05 14:53:53,765+08 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-40) [6961a53b] Running command: CreateUserSessionCommand internal: false.</div><div>2018-02-05 14:53:53,775+08 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-40) [6961a53b] EVENT_ID: USER_VDC_LOGIN(30), Correlation ID: 6961a53b, Call Stack: null, Custom Event ID: -1, Message: User test@test.org@test.org logged in.</div><div>2018-02-05 14:53:55,305+08 ERROR [org.ovirt.engine.core.utils.servlet.ServletUtils] (default task-60) [] Can't read file '/usr/share/ovirt-engine/files/spice/SpiceVersion_x64.txt' for request '/ovirt-engine/services/files/spice/SpiceVersion_x64.txt', will send a 404 error response.</div><div>2018-02-05 14:53:57,379+08 INFO [org.ovirt.engine.core.bll.VmLogonCommand] (default task-21) [4550dbd4-9c26-48fa-8ded-e50cd47a34e1] Running command: VmLogonCommand internal: false. Entities affected : ID: ae5846f6-4f25-4e7a-af2d-02e99599de47 Type: VMAction group CONNECT_TO_VM with role type USER</div><div>2018-02-05 14:53:57,400+08 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-21) [4550dbd4-9c26-48fa-8ded-e50cd47a34e1] START, VmLogonVDSCommand(HostName = host, VmLogonVDSCommandParameters:{runAsync='true', hostId='0049362d-39cc-498d-9c7e-f36c5fba20bf', vmId='ae5846f6-4f25-4e7a-af2d-02e99599de47', domain='test.org', password='***', userName='test@test.org@test.org'}), log id: 34439164</div><div>2018-02-05 14:53:58,404+08 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-21) [4550dbd4-9c26-48fa-8ded-e50cd47a34e1] FINISH, VmLogonVDSCommand, log id: 34439164</div><div>2018-02-05 14:53:58,467+08 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (default task-23) [48fb921e] Running command: SetVmTicketCommand internal: false. Entities affected : ID: ae5846f6-4f25-4e7a-af2d-02e99599de47 Type: VMAction group CONNECT_TO_VM with role type USER</div><div>2018-02-05 14:53:58,469+08 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (default task-23) [48fb921e] START, SetVmTicketVDSCommand(HostName = host, SetVmTicketVDSCommandParameters:{runAsync='true', hostId='0049362d-39cc-498d-9c7e-f36c5fba20bf', vmId='ae5846f6-4f25-4e7a-af2d-02e99599de47', protocol='SPICE', ticket='60qsiE96d7F5', validTime='120', userName='test@test.org', userId='737c7b8b-9503-489b-b32a-10bf8615bc1f', disconnectAction='LOCK_SCREEN'}), log id: 3076856</div><div>2018-02-05 14:53:59,108+08 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (default task-23) [48fb921e] FINISH, SetVmTicketVDSCommand, log id: 3076856</div><div>2018-02-05 14:53:59,116+08 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-23) [48fb921e] EVENT_ID: VM_SET_TICKET(164), Correlation ID: 48fb921e, Call Stack: null, Custom Event ID: -1, Message: User test@test.org@test.org initiated console session for VM win7</div><div>2018-02-05 14:54:16,134+08 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler4) [] EVENT_ID: VM_CONSOLE_CONNECTED(167), Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User test@test.org is connected to VM win7.</div><br>At 2018-02-02 14:50:49, "Martin Perina" <mperina@redhat.com> wrote:<br> <blockquote id="isReplyContent" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"><div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 2, 2018 at 4:46 AM, ¶ÇàÁú <span dir="ltr"><<a href="mailto:ddqlo@126.com" target="_blank">ddqlo@126.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial"><div>Thanks for the reply. I have completely configured all the things in option 1 which you told. But it seems that sso still does not work. My domain forest is "<a href="http://test.org" target="_blank">test.org</a>" and my user is "test". When I login the user portal, I get "<a href="mailto:test@test.org">test@test.org</a>@<a href="http://test.org" target="_blank">test.org</a>" int the top right corner. Should it be "<a href="mailto:test@test.org" target="_blank">test@test.org</a>"?</div></div></blockquote><div style="font-family:arial,helvetica,sans-serif" class="gmail_default"><br>This is fine, for AD we are using UPN as username (in your case '<a href="mailto:test@test.org">test@test.org</a>') and we concatenate this with authz extension name (in your case '@<a href="http://test.org">test.org</a>').<br><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial"><div> Is it possible that engine send wrong user name to the guest agent? <br></div></div></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial"><div><img src="cid:7866f400$1$16164c9a788$Coremail$ddqlo$126.com" style="width:171px;height:36px"></div><div><br></div></div></blockquote><div><br><div style="font-family:arial,helvetica,sans-serif;display:inline" class="gmail_default">Could you please share engine.log from, after you try to login to VM Portal and open console to the VM to investigate?<br><br></div><div style="font-family:arial,helvetica,sans-serif;display:inline" class="gmail_default">Thanks<br><br></div><div style="font-family:arial,helvetica,sans-serif;display:inline" class="gmail_default">Martin<br><br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial"><div></div><div style="zoom:1"></div><div id="m_8954576301906369599divNeteaseMailCard"></div>At 2018-02-01 15:35:57, "Martin Perina" <<a href="mailto:mperina@redhat.com" target="_blank">mperina@redhat.com</a>> wrote:<br> <blockquote id="m_8954576301906369599isReplyContent" style="PADDING-LEFT:1ex;MARGIN:0px 0px 0px 0.8ex;BORDER-LEFT:#ccc 1px solid"><div dir="ltr"><div style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 1, 2018 at 9:13 AM, ¶ÇàÁú <span dir="ltr"><<a href="mailto:ddqlo@126.com" target="_blank">ddqlo@126.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial"><div>Hi, all</div><div> I am trying to make SSO working with windows7 vm in an ovirt 4.1 environment. Ovirt-guest-agent has been installed in windows7 vm. I have an active directory server of windows2012 and I have configured the engine using "ovirt-engine-extension-aaa-ld<wbr></wbr>ap-setup" successfully. The windows7 vm has joined the domain,too. But when I login the userportal using a user created in the AD server, I still have to login the windows7 vm using the same user for the second time. It seems that SSO does not work.</div><div> Anyone can help me? Thanks!</div></div></blockquote><div><br><div>We are not providing full SSO for </div>VMs<div>. At the moment you have 2 options:<br><br></div><div>1. If you want user to be automatically logged in into a VM, then you need to setup SSO using aaa-ldap extension for AD (please don't forget to answer Yes for question about SSO for VMs in setup tool). Andf of course in a VM you need to have installed and enabled guest agent. Once user logs into VM Portal and clicks on a VM, then he should be automatically logged into it.<br><br></div><div>2. If you setup kerberos for engine SSO, then you don't need to enter password to loging into VM Portal, but in such case we cannot pass a password into a VM and user are not automatically logged in.<br><br></div><div>Martin<br><br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br><br><span title="neteasefooter"><p> </p></span><br>______________________________<wbr></wbr>_________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman<wbr></wbr>/listinfo/users</a><br>
<br></blockquote></div><br><br clear="all"><span class="HOEnZb"><font color="#888888"><br>-- <br><div class="m_8954576301906369599gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><font size="1">Martin Perina<br>Associate Manager, Software Engineering<br>Red Hat Czech s.r.o.<br></font></div></div>
</font></span></div></div>
</blockquote></div><br><br><span title="neteasefooter"><p> </p></span></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><font size="1">Martin Perina<br>Associate Manager, Software Engineering<br>Red Hat Czech s.r.o.<br></font></div></div>
</div></div>
</blockquote></div><br><br><span title="neteasefooter"><p> </p></span>