On 12/16/2014 11:01 AM, Pavel Zelensky wrote:
Hi
What version of the engine are you using exactly? And what is your authentication configuration?
[root@ovirt ~]# rpm -qa|grep ovirt-eng ovirt-engine-3.5.0.1-1.el6.noarch
# engine-manage-domains list Domain: ov.jetlab.local User name: pzelensky@OV.JETLAB.LOCAL Manage Domains completed successfully
# cat engine-manage-domains.conf jaasFile=/usr/share/ovirt-engine/conf/jaas.conf krb5confFile=/etc/ovirt-engine/krb5.conf engineConfigExecutable=/usr/share/ovirt-engine/bin/engine-config.sh localHostEntry=localhost useDnsLookup=true [root@ovirt engine-manage-domains]# cat /etc/ovirt-engine/krb5.conf
[libdefaults]
default_realm = OV.JETLAB.LOCAL dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 10h renew_lifetime = 7d forwardable = no default_tkt_enctypes = arcfour-hmac-md5 udp_preference_limit = 1
#realms
And also SDK version: ovirt_engine_sdk_python-3.5.0.8-py2.7 So oVirt authenticates users using connection to MS AD which is based on Windows 2012R2
-- Pavel
I reproduced this in my environment. Apparently the password is lost somewhere in the authentication process. Yair, can you please take a look?
On Tue, Dec 16, 2014 at 12:04 PM, Juan Hernández <jhernand@redhat.com <mailto:jhernand@redhat.com>> wrote:
On 12/15/2014 08:37 PM, Pavel Zelensky wrote: > Hi > > I think it's not good idea, but I've done it: > > 2014-12-15 22:21:37,485 INFO [org.ovirt.engine.core.bll.VmLogonCommand] > (ajp--127.0.0.1-8702-6) [None] Running command: VmLogonCommand internal: > false. Entities affected : ID: 202ca21f-5167-4107-b1dd-2a7a5d64b32a > Type: VMAction group CONNECT_TO_VM with role type USER > 2014-12-15 22:21:37,495 INFO > [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] > (ajp--127.0.0.1-8702-6) [None] START, VmLogonVDSCommand(HostName = > ceph2, HostId = c7a7c873-b68a-44f8-bebf-37ca3aa1caa8, > vmId=202ca21f-5167-4107-b1dd-2a7a5d64b32a, domain=internal, > password=null, userName=admin), log id: 776ac4b1 > 2014-12-15 22:21:37,514 INFO > [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] > (ajp--127.0.0.1-8702-6) [None] FINISH, VmLogonVDSCommand, log id: 776ac4b1 > 2014-12-15 22:21:41,155 INFO > [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] > (DefaultQuartzScheduler_Worker-47) Correlation ID: null, Call Stack: > null, Custom Event ID: -1, Message: User admin is connected to VM w7ent-01. > > Looks pretty the same, also trying to login as admin@internal into Win7 > workstation assigned to MS domain shouldn't work. >
I just wanted to check if with admin@internal you still get password=null (they use different authentication mechanisms).
> BTW, when I'm connecting to the same VM using the same domain user > account through user portal - everything is Ok, and SSO works pretty > good. In that case in logfile I'm getting this (password=[asterisks]): > 2014-12-14 22:45:21,010 INFO > [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] > (ajp--127.0.0.1-8702-4) [6f5a076f] START, VmLogonVDSCommand(HostName = > ceph2, HostId = c7a7c873-b68a-44f8-bebf-37ca3aa1caa8, > vmId=202ca21f-5167-4107-b1dd-2a7a5d64b32a, domain=ov.jetlab.local, > password=******, userName=test4), log id: 7cc2d16a > > that's why I think that problem is in python sdk. It uses JSESSIONID and > not sending password every time it executing command through REST API. > May be with api.vm.logon() method It should send password again? But how > I can do it? > > Pavel >
No, you shouldn't (and can't) sent the password again. This isn't a problem in the Python SDK, but in the backend or the RESTAPI.
> > On Mon, Dec 15, 2014 at 8:41 PM, Juan Hernández <jhernand@redhat.com <mailto:jhernand@redhat.com> > <mailto:jhernand@redhat.com <mailto:jhernand@redhat.com>>> wrote: > > On 12/15/2014 05:57 PM, Pavel Zelensky wrote: > > > > Hi guys, > > > > I'm expiriencing some problems trying to invoke api.vm.logon() method > > which I believe will call for desktopLogin on the VM and provide vm > > console with user logged in for remote-viewer. > > > > But it results in the following records in logfile: > > 2014-12-12 16:07:01,314 INFO > [org.ovirt.engine.core.bll.VmLogonCommand] > > (ajp--127.0.0.1-8702-3) [7cfe61d3] Running command: VmLogonCommand > > internal: false. Entities affected : ID: > > a7c151a4-2d63-4172-a840-190748a3dbc1 Type: VMAction group > CONNECT_TO_VM > > with role type USER > > 2014-12-12 16:07:01,320 INFO > > [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] > > (ajp--127.0.0.1-8702-3) [7cfe61d3] START, VmLogonVDSCommand(HostName = > > ceph4, HostId = bbaad505-34a3-4a52-ab52-0446724cae30, > > vmId=a7c151a4-2d63-4172-a840-190748a3dbc1, domain=ov.jetlab.local, > > password=null, userName=test4), log id: 5d458d88 > > 2014-12-12 16:07:01,536 INFO > > [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] > > (ajp--127.0.0.1-8702-3) [7cfe61d3] FINISH, VmLogonVDSCommand, log id: > > 5d458d88 > > > > I think that problem is in second line: 'password=null'. Engine > doesn't > > get user password thus desktopLogin fails. In remote-viewer I'm > getting > > black screen instead of users's desktop. > > > > Is there any solution for this? > > > > Looks like an authentication problem. Can you try the same with > admin@internal? > > -- > Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta > 3ºD, 28016 Madrid, Spain > Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat > S.L. > > > > -- > Pavel
-- Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.
-- ПЗ
-- Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.