Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
What do you mean?
Maybe the password delegation into the virtual machine?
If engine does not know the password, it cannot delegate it to virtual machine.
Solution is described here[1], so far no resources were allocated.
[1] http://www.ovirt.org/Features/SSO
----- Original Message -----
From: "Cristian Mammoli" <c.mammoli(a)apra.it>
To: "Shahar Havivi" <shaharh(a)redhat.com>, "Alon Bar-Lev"
<alonbl(a)redhat.com>
Cc: "users" <users(a)ovirt.org>
Sent: Friday, October 30, 2015 9:33:02 PM
Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
It works fine, but it kills SSO as user...
Poking in the windows logs I see a failed login as:
myuser(a)mydomain.tld-authz !!
Il 27/10/2015 11:51, Shahar Havivi ha scritto:
> On 27.10.15 05:25, Alon Bar-Lev wrote:
>> yes, you should probably only customize: $JoinDomain$,
>> $DomainAdminPassword$, $DomainAdmin$
>> maybe, not sure: $JoinDomain$, $MachineObjectOU$
>> the rest should be the same as any other.
> Please make sure that the file is the full sysprep file such as you can
> find
> in /packaging/conf/sysprep/sysprep.w7 which is a windows 7 sysprep file.
> You can leave the variables such as $OrgName$ which will be replaces (exept
> from the variables that Alon mentioned which where the original problem).
>
>> ----- Original Message -----
>>> From: "Cristian Mammoli" <c.mammoli(a)apra.it>
>>> To: "Shahar Havivi" <shaharh(a)redhat.com>, "Alon
Bar-Lev"
>>> <alonbl(a)redhat.com>
>>> Cc: "users" <users(a)ovirt.org>
>>> Sent: Tuesday, October 27, 2015 11:19:02 AM
>>> Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep
>>> domain join
>>>
>>> So just pasting there the contents of a modified
>>> /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should
>>> work right?
>>>
>>> The variables like '![CDATA[$OrgName$' will be replaced?
>>>
>>> Il 26/10/2015 12:43, Shahar Havivi ha scritto:
>>>> On 26.10.15 06:23, Alon Bar-Lev wrote:
>>>>> Hi,
>>>>> The usage of the engine-manage-domain user to anything else but
ldap
>>>>> searches is something that is unexpected and insecure.
>>>>> As a solution, you may either paste a modified sysprep file into
the
>>>>> pool
>>>>> at UI or set up a different osinfo profile with modified sysprep
file,
>>>>> this modified sysprep file can contain the credentials of the user
that
>>>>> is being used for joining the domain.
>>>>> CCing Shahar which may assist farther.
>>>> Hi,
>>>> You can paste a modified sysprep file to "new
Pool"->"Initial
>>>> run"->"Custom
>>>> Script"
>>>> As Alon mentioned.
>>> --
>>> Mammoli Cristian
>>> System administrator
>>> T. +39 0731 22911
>>> Via Brodolini 6 | 60035 Jesi (an)
>>>
>>>
--
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)