On 16 Dec 2014, at 17:05, Juan Hernández <jhernand(a)redhat.com&gt; wrote: > On 12/16/2014 11:01 AM, Pavel Zelensky wrote: > Hi > > What version of the engine are you using exactly? And what is your > authentication configuration? > > [root@ovirt ~]# rpm -qa|grep ovirt-eng > ovirt-engine-3.5.0.1-1.el6.noarch > > # engine-manage-domains list > Domain: ov.jetlab.local > User name: pzelensky(a)OV.JETLAB.LOCAL > Manage Domains completed successfully > > # cat engine-manage-domains.conf > jaasFile=/usr/share/ovirt-engine/conf/jaas.conf > krb5confFile=/etc/ovirt-engine/krb5.conf > engineConfigExecutable=/usr/share/ovirt-engine/bin/engine-config.sh > localHostEntry=localhost > useDnsLookup=true > [root@ovirt engine-manage-domains]# cat /etc/ovirt-engine/krb5.conf > > [libdefaults] > > default_realm = OV.JETLAB.LOCAL > dns_lookup_realm = true > dns_lookup_kdc = true > ticket_lifetime = 10h > renew_lifetime = 7d > forwardable = no > default_tkt_enctypes = arcfour-hmac-md5 > udp_preference_limit = 1 > > #realms > > And also SDK version: ovirt_engine_sdk_python-3.5.0.8-py2.7 > So oVirt authenticates users using connection to MS AD which is based on > Windows 2012R2 > > -- > Pavel > I reproduced this in my environment. Apparently the password is lost somewhere in the authentication process. Yair, can you please take a look? > > > > On Tue, Dec 16, 2014 at 12:04 PM, Juan Hernández <jhernand(a)redhat.com > <mailto:jhernand@redhat.com>> wrote: > >> On 12/15/2014 08:37 PM, Pavel Zelensky wrote: >> Hi >> >> I think it's not good idea, but I've done it: >> >> 2014-12-15 22:21:37,485 INFO [org.ovirt.engine.core.bll.VmLogonCommand] >> (ajp--127.0.0.1-8702-6) [None] Running command: VmLogonCommand internal: >> false. Entities affected : ID: 202ca21f-5167-4107-b1dd-2a7a5d64b32a >> Type: VMAction group CONNECT_TO_VM with role type USER >> 2014-12-15 22:21:37,495 INFO >> [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] >> (ajp--127.0.0.1-8702-6) [None] START, VmLogonVDSCommand(HostName = >> ceph2, HostId = c7a7c873-b68a-44f8-bebf-37ca3aa1caa8, >> vmId=202ca21f-5167-4107-b1dd-2a7a5d64b32a, domain=internal, >> password=null, userName=admin), log id: 776ac4b1 >> 2014-12-15 22:21:37,514 INFO >> [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] >> (ajp--127.0.0.1-8702-6) [None] FINISH, VmLogonVDSCommand, log id: 776ac4b1 >> 2014-12-15 22:21:41,155 INFO >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >> (DefaultQuartzScheduler_Worker-47) Correlation ID: null, Call Stack: >> null, Custom Event ID: -1, Message: User admin is connected to VM w7ent-01. >> >> Looks pretty the same, also trying to login as admin@internal into Win7 >> workstation assigned to MS domain shouldn't work. >> > > I just wanted to check if with admin@internal you still get > password=null (they use different authentication mechanisms). > >> BTW, when I'm connecting to the same VM using the same domain user >> account through user portal - everything is Ok, and SSO works pretty >> good. In that case in logfile I'm getting this (password=[asterisks]): >> 2014-12-14 22:45:21,010 INFO >> [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] >> (ajp--127.0.0.1-8702-4) [6f5a076f] START, VmLogonVDSCommand(HostName = >> ceph2, HostId = c7a7c873-b68a-44f8-bebf-37ca3aa1caa8, >> vmId=202ca21f-5167-4107-b1dd-2a7a5d64b32a, domain=ov.jetlab.local, >> password=******, userName=test4), log id: 7cc2d16a >> >> that's why I think that problem is in python sdk. It uses JSESSIONID and >> not sending password every time it executing command through REST API. >> May be with api.vm.logon() method It should send password again? But how >> I can do it? >> >> Pavel >> > > No, you shouldn't (and can't) sent the password again. This isn't a > problem in the Python SDK, but in the backend or the RESTAPI. > > >> >> On Mon, Dec 15, 2014 at 8:41 PM, Juan Hernández <jhernand(a)redhat.com <mailto:jhernand@redhat.com> >> <mailto:jhernand@redhat.com <mailto:jhernand@redhat.com>>> wrote: >> >>> On 12/15/2014 05:57 PM, Pavel Zelensky wrote: >>> >>> Hi guys, >>> >>> I'm expiriencing some problems trying to invoke > api.vm.logon() method >>> which I believe will call for desktopLogin on the VM and > provide vm >>> console with user logged in for remote-viewer. >>> >>> But it results in the following records in logfile: >>> 2014-12-12 16:07:01,314 INFO >> [org.ovirt.engine.core.bll.VmLogonCommand] >>> (ajp--127.0.0.1-8702-3) [7cfe61d3] Running command: > VmLogonCommand >>> internal: false. Entities affected : ID: >>> a7c151a4-2d63-4172-a840-190748a3dbc1 Type: VMAction group >> CONNECT_TO_VM >>> with role type USER >>> 2014-12-12 16:07:01,320 INFO >>> [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] >>> (ajp--127.0.0.1-8702-3) [7cfe61d3] START, > VmLogonVDSCommand(HostName = >>> ceph4, HostId = bbaad505-34a3-4a52-ab52-0446724cae30, >>> vmId=a7c151a4-2d63-4172-a840-190748a3dbc1, > domain=ov.jetlab.local, >>> password=null, userName=test4), log id: 5d458d88 >>> 2014-12-12 16:07:01,536 INFO >>> [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] >>> (ajp--127.0.0.1-8702-3) [7cfe61d3] FINISH, > VmLogonVDSCommand, log id: >>> 5d458d88 >>> >>> I think that problem is in second line: 'password=null'. Engine >> doesn't >>> get user password thus desktopLogin fails. In remote-viewer I'm >> getting >>> black screen instead of users's desktop. >>> >>> Is there any solution for this? >>> >> >> Looks like an authentication problem. Can you try the same with >> admin@internal? >> >> -- >> Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, > planta >> 3ºD, 28016 Madrid, Spain >> Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - > Red Hat >> S.L. >> >> >> >> -- >> Pavel > > > -- > Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta > 3ºD, 28016 Madrid, Spain > Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat > S.L. > > > > -- > ПЗ -- Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.