Re: [ovirt-users] ovirt with 389 server inactive groups

I found why the group_ids field is wrong If you look at the ad_groups table then mane for the group is "<domain here>/Groups/sysadmin" however if you look at the groups field in the users table it says "<domain here>/groups/sysadmin" I tried updating the name field in the ad_groups table to match "<domain here>/groups/sysadmin" then removed and added a user now the if for that group in the group_ids field is being set correctly. This is at least a usable workaround for now. now we need to find the root cause. On Sun, Aug 17, 2014 at 10:39 AM, Paul Robert Marino <prmarino1(a)gmail.com&gt; wrote: > confirmed that does seem to be the cause I updated the group_ids field > of a user to the appropriate Id's from ad_groups and it fixed that > user. > in answer to your question "Did you first add the goup, and then added > users (that belong to a group) either by adding users, or by adding a > permission?" Ive tried it ever different way I can think of the > results are always the same. > > > On Sun, Aug 17, 2014 at 9:46 AM, Yair Zaslavsky <yzaslavs(a)redhat.com&gt; wrote: >> >> >> ----- Original Message ----- >>> From: "Paul Robert Marino" <prmarino1(a)gmail.com&gt; >>> To: "Yair Zaslavsky" <yzaslavs(a)redhat.com&gt; >>> Cc: "Itamar Heim" <iheim(a)redhat.com&gt;, users(a)ovirt.org >>> Sent: Sunday, August 17, 2014 4:33:30 PM >>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >>> >>> here are the results of the queries you asked for >>> >>> >>> group_ids >>> >>> | >>> >>> groups >>> >>> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------- >>> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- >>> ---- >>> 00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000 >>> | <domain here>/groups/sysadmin,<domain here>/groups/pmarino,<domain >>> here>/groups/pd managers,<domain here>/groups/qa managers,<domain >>> here>/groups/accounting managers,<domain here>/directory administrat >>> ors >>> (1 row) >>> >>> >>> engine=# select id, name from ad_groups; >>> id | name >>> --------------------------------------+--------------------------------------- >>> eee00000-0000-0000-0000-123456789eee | Everyone >>> 2a8a8401-fc9e-11e3-8742-861538ea406a | <domain here>/Groups/sysadmin >>> (2 rows) >> >> It does look that there is something wrong in the association of users to their group IDS. >> Just to make sure I'm not missing anything - >> Did you first add the goup, and then added users (that belong to a group) either by adding users, or by adding a permission? >> >> Yair >> >>> >>> >>> >>> On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky <yzaslavs(a)redhat.com&gt; wrote: >>> > >>> > >>> > ----- Original Message ----- >>> >> From: "Paul Robert Marino" <prmarino1(a)gmail.com&gt; >>> >> To: "Yair Zaslavsky" <yzaslavs(a)redhat.com&gt; >>> >> Cc: "Itamar Heim" <iheim(a)redhat.com&gt;, users(a)ovirt.org >>> >> Sent: Wednesday, August 13, 2014 11:47:40 PM >>> >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >>> >> >>> >> Ok so before I open a bug ticket I want to confirm I'm not doing any >>> >> thing wrong here. >>> >> I upgraded to 3.4 >>> >> now it says "Active: false " on LDAP groups. >>> >> >>> >> Again I tried to add the sysadmin group from the directory server and >>> >> set the power user and super user roles on the group >>> >> it shows up as "<domain name>/Groups/sysadmin" >>> >> I adder the permisions by clicking on the configure link on the top of >>> >> the screen and set them in the "System Permissions" tab >>> > >>> > Sounds good so far. >>> > I assume also you see the permissiosn in the permissions sub tab when you >>> > click the group. >>> > >>> >> >>> >> I added a user (pmarino) to the system which shows in the "Directory >>> >> Group" tab shows "sysadmin groups <domian name>" among others >>> >> however it only shows in the Permissions tab the permissions inherited >>> >> by "Everyone" it does not show any permissions inherited by the >>> >> sysadmin group. >>> > >>> > This is not good - I mean, should have worked. >>> > >>> >> >>> >> just to prove it didnt work I logged out and attempted to log back in >>> >> as the user (pmarino) it wouldn't let me log in >>> >> >>> >> I logged back in as the internal admin user then I added the SuperUser >>> >> permissions directly to the pmarino account and logged back out again. >>> >> Now when I logged in as pmarino it gave me the access I expected. >>> > >>> > Can I please ask you to provide some database info ? >>> > >>> > It will be awesome if you can provide the following SQL queries results - >>> > >>> > select group_ids, groups from users where username ilike '%pmarino%'; >>> > >>> > In addition, please perform - select id, name from ad_groups; >>> > >>> > Thanks for your help. >>> > >>> > P.S - As far as I understand the two bugs mentioend by Itamar (I mean, the >>> > solution to the bugs) should have fixed your issue as well. >>> > >>> > >>> > >>> >> >>> >> >>> >> >>> >> Here is the relevant portion of the engine log >>> >> " >>> >> 2014-08-13 16:00:38,801 INFO >>> >> [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5) >>> >> [1e7fa420] Running command: AddGroupCommand internal: false. Entities >>> >> affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System >>> >> 2014-08-13 16:00:38,813 INFO >>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >>> >> (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call >>> >> Stack: null, Custom Event ID: -1, Message: User '<domain >>> >> name>/Groups/sysadmin' was added successfully to the system. >>> >> 2014-08-13 16:09:01,352 INFO >>> >> [org.ovirt.engine.core.bll.AddSystemPermissionCommand] >>> >> (org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command: >>> >> AddSystemPermissionCommand internal: false. Entities affected : ID: >>> >> aaa00000-0000-0000-0000-123456789aaa Type: System, ID: >>> >> aaa00000-0000-0000-0000-123456789aaa Type: System >>> >> 2014-08-13 16:09:01,371 INFO >>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >>> >> (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID: >>> >> 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group >>> >> <domain name>/Groups/sysadmin was granted permission for Role >>> >> SuperUser on System by admin. >>> >> 2014-08-13 16:10:40,963 INFO >>> >> [org.ovirt.engine.core.bll.AddSystemPermissionCommand] >>> >> (org.ovirt.thread.pool-4-thread-26) [b42abcb] Running command: >>> >> AddSystemPermissionCommand internal: false. Entities affected : ID: >>> >> aaa00000-0000-0000-0000-123456789aaa Type: System, ID: >>> >> aaa00000-0000-0000-0000-123456789aaa Type: System >>> >> 2014-08-13 16:10:40,979 INFO >>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >>> >> (org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID: b42abcb, >>> >> Call Stack: null, Custom Event ID: -1, Message: User/Group <domain >>> >> name>/Groups/sysadmin was granted permission for Role PowerUserRole on >>> >> System by admin. >>> >> 2014-08-13 16:20:53,891 INFO >>> >> [org.ovirt.engine.core.bll.AddUserCommand] (ajp-/127.0.0.1:8702-4) >>> >> [58e00be1] Running command: AddUserCommand internal: false. Entities >>> >> affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System >>> >> 2014-08-13 16:20:53,919 INFO >>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >>> >> (ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1, Call >>> >> Stack: null, Custom Event ID: -1, Message: User 'pmarino' was added >>> >> successfully to the system. >>> >> 2014-08-13 16:35:52,202 INFO >>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >>> >> (ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null, >>> >> Custom Event ID: -1, Message: User pmarino failed to log in. >>> >> 2014-08-13 16:35:52,202 WARN >>> >> [org.ovirt.engine.core.bll.LoginAdminUserCommand] >>> >> (ajp-/127.0.0.1:8702-10) CanDoAction of action LoginAdminUser failed. >>> >> Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION >>> >> 2014-08-13 16:39:48,048 INFO >>> >> [org.ovirt.engine.core.bll.AddSystemPermissionCommand] >>> >> (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Running command: >>> >> AddSystemPermissionCommand internal: false. Entities affected : ID: >>> >> aaa00000-0000-0000-0000-123456789aaa Type: System >>> >> 2014-08-13 16:39:48,069 INFO >>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >>> >> (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID: >>> >> 5ba3c874, Call Stack: null, Custom Event ID: -1, Message: User/Group >>> >> pmarino was granted permission for Role SuperUser on System by admin. >>> >> 2014-08-13 16:40:43,357 INFO >>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >>> >> (ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null, Custom >>> >> Event ID: -1, Message: User pmarino logged in. >>> >> >>> >> " >>> >> >>> >> On Mon, Aug 11, 2014 at 1:41 PM, Yair Zaslavsky <yzaslavs(a)redhat.com&gt; >>> >> wrote: >>> >> > >>> >> > >>> >> > ----- Original Message ----- >>> >> >> From: "Yair Zaslavsky" <yzaslavs(a)redhat.com&gt; >>> >> >> To: "Itamar Heim" <iheim(a)redhat.com&gt; >>> >> >> Cc: users(a)ovirt.org >>> >> >> Sent: Monday, August 11, 2014 8:13:53 PM >>> >> >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >>> >> >> >>> >> >> I have checked the codebase of 3.3 - >>> >> >> the "active" field is used for presentation purpose only. >>> >> > >>> >> > Presentation wise only - means that it is not used for our permissions >>> >> > calculation , for example. >>> >> > >>> >> >> Alon has addressed our plans for this in his previous comments. >>> >> >> I hope this clarifies more.. >>> >> >> >>> >> >> Yair >>> >> >> >>> >> >> >>> >> >> ----- Original Message ----- >>> >> >> > From: "Itamar Heim" <iheim(a)redhat.com&gt; >>> >> >> > To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt;, "Paul Robert Marino" >>> >> >> > <prmarino1(a)gmail.com&gt; >>> >> >> > Cc: users(a)ovirt.org >>> >> >> > Sent: Sunday, August 10, 2014 11:54:05 PM >>> >> >> > Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >>> >> >> > >>> >> >> > On 08/10/2014 10:50 PM, Alon Bar-Lev wrote: >>> >> >> > > >>> >> >> > > >>> >> >> > > ----- Original Message ----- >>> >> >> > >> From: "Paul Robert Marino" <prmarino1(a)gmail.com&gt; >>> >> >> > >> To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; >>> >> >> > >> Cc: "Maurice James" <mjames(a)media-node.com&gt;, users(a)ovirt.org >>> >> >> > >> Sent: Sunday, August 10, 2014 10:43:14 PM >>> >> >> > >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >>> >> >> > >> >>> >> >> > >> Sorry for my delayed response to this >>> >> >> > >> >>> >> >> > >> I am using ovirt 3.3. >>> >> >> > >> I am using Kerberos 5, and all of the DNS requirements are in >>> >> >> > >> place. >>> >> >> > >> Finally 389 server is the upstream project for RHDS and one of the >>> >> >> > >> upstream projects for IPA. >>> >> >> > >> So I chose to set it as RHDS because its an identical match. >>> >> >> > >> >>> >> >> > >> User authentication works just fine my problem is adding roles to >>> >> >> > >> groups. >>> >> >> > >> I can assign a role to a group but the group always shows an >>> >> >> > >> inactive >>> >> >> > >> status; however if I assign a role directly to to a user it works >>> >> >> > >> fine. >>> >> >> > >> In addition if I drill down into a user it knows what groups in >>> >> >> > >> the >>> >> >> > >> 389 server the user is a member of. >>> >> >> > >> >>> >> >> > >> finally I can't see any error in the logs when adding a role to a >>> >> >> > >> group >>> >> >> > >> >>> >> >> > > >>> >> >> > > Please open a bug, I am unsure that it will be addressed before >>> >> >> > > 3.5, >>> >> >> > > as >>> >> >> > > we >>> >> >> > > have done major rework for the authentication and authorization to >>> >> >> > > make >>> >> >> > > it >>> >> >> > > much more versatile. Even if there will be a fix it will be >>> >> >> > > provided >>> >> >> > > to >>> >> >> > > 3.4.z. >>> >> >> > > >>> >> >> > > It will be best if you want to test this scenario in 3.5 release >>> >> >> > > candidate >>> >> >> > > and the new ldap provider, so we can address the issue before 3.5 >>> >> >> > > release >>> >> >> > > if exists. >>> >> >> > > >>> >> >> > >>> >> >> > could also be one of these fixed in 3.4: >>> >> >> > 3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it >>> >> >> > does not inherit the group permissions >>> >> >> > 3.4.1 - Bug 1069562 - When assigning permissions to user that belongs >>> >> >> > to >>> >> >> > a group indirectly, it does not inherit the group permissions >>> >> >> > >>> >> >> > >> >>> >> >> > >> >>> >> >> > >> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alonbl(a)redhat.com&gt; >>> >> >> > >> wrote: >>> >> >> > >>> >>> >> >> > >>> >>> >> >> > >>> ----- Original Message ----- >>> >> >> > >>>> From: "Maurice James" <mjames(a)media-node.com&gt; >>> >> >> > >>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; >>> >> >> > >>>> Cc: "Itamar Heim" <iheim(a)redhat.com&gt;, users(a)ovirt.org >>> >> >> > >>>> Sent: Saturday, August 9, 2014 3:47:04 AM >>> >> >> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >>> >> >> > >>>> >>> >> >> > >>>> Does this still require the use of kerberos? Will 389-ds work on >>> >> >> > >>>> its >>> >> >> > >>>> own? >>> >> >> > >>> >>> >> >> > >>> In 3.5 we introduced pure ldap support[1], obsoleting the >>> >> >> > >>> kerberos/ldap >>> >> >> > >>> mix. >>> >> >> > >>> >>> >> >> > >>> It will be great to receive feedback[2]. >>> >> >> > >>> >>> >> >> > >>> 389ds is not supported directly, I think it is similar to IPA as >>> >> >> > >>> it >>> >> >> > >>> uses >>> >> >> > >>> 389. Maybe I should rename the profile of ipa to 389 if it works >>> >> >> > >>> properly. >>> >> >> > >>> >>> >> >> > >>> Regards, >>> >> >> > >>> Alon >>> >> >> > >>> >>> >> >> > >>> [1] >>> >> >> > >>> http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=bl... >>> >> >> > >>> [2] >>> >> >> > >>> http://lists.ovirt.org/pipermail/devel/2014-August/008367.html >>> >> >> > >>> >>> >> >> > >>>> >>> >> >> > >>>> ----- Original Message ----- >>> >> >> > >>>> From: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; >>> >> >> > >>>> To: "Itamar Heim" <iheim(a)redhat.com&gt; >>> >> >> > >>>> Cc: users(a)ovirt.org >>> >> >> > >>>> Sent: Friday, August 8, 2014 3:45:07 PM >>> >> >> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >>> >> >> > >>>> >>> >> >> > >>>> >>> >> >> > >>>> >>> >> >> > >>>> ----- Original Message ----- >>> >> >> > >>>>> From: "Itamar Heim" <iheim(a)redhat.com&gt; >>> >> >> > >>>>> To: "Paul Robert Marino" <prmarino1(a)gmail.com&gt;, users(a)ovirt.org >>> >> >> > >>>>> Sent: Friday, August 8, 2014 10:37:11 PM >>> >> >> > >>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive >>> >> >> > >>>>> groups >>> >> >> > >>>>> >>> >> >> > >>>>> On 08/07/2014 07:06 PM, Paul Robert Marino wrote: >>> >> >> > >>>>>> I have ovirt engine running and connected to a 389 server with >>> >> >> > >>>>>> the >>> >> >> > >>>>>> memberof plugin enabled and working properly. >>> >> >> > >>>>>> >>> >> >> > >>>>>> I can add users and assign them to roles without any issues. >>> >> >> > >>>>>> >>> >> >> > >>>>>> when I look at a user I can see all the LDAP groups they are a >>> >> >> > >>>>>> member >>> >> >> > >>>>>> of. >>> >> >> > >>>>>> >>> >> >> > >>>>>> when I run engine-manage-domains -action=validate it tells me >>> >> >> > >>>>>> the >>> >> >> > >>>>>> domain is valid. >>> >> >> > >>>>>> >>> >> >> > >>>>>> here is my problem when I try to assign a role to an LDAP >>> >> >> > >>>>>> group >>> >> >> > >>>>>> it >>> >> >> > >>>>>> looks like it works but in the general tab when under the >>> >> >> > >>>>>> group >>> >> >> > >>>>>> it >>> >> >> > >>>>>> tells me the status is Inactive. >>> >> >> > >>>>>> >>> >> >> > >>>>>> dose any one know how to enable the group? >>> >> >> > >>>>>> _______________________________________________ >>> >> >> > >>>>>> Users mailing list >>> >> >> > >>>>>> Users(a)ovirt.org >>> >> >> > >>>>>> http://lists.ovirt.org/mailman/listinfo/users >>> >> >> > >>>>>> >>> >> >> > >>>>> >>> >> >> > >>>>> 3.4 or new 3.5 Generic LDAP provider? >>> >> >> > >>>> >>> >> >> > >>>> >>> >> >> > >>>> On case this is 3.5 it is known issue, all groups will be seen >>> >> >> > >>>> as >>> >> >> > >>>> inactive, >>> >> >> > >>>> this field will probably be removed from UI, as groups are no >>> >> >> > >>>> longer >>> >> >> > >>>> fetched >>> >> >> > >>>> periodically. >>> >> >> > >>>> This field is totally ignored. >>> >> >> > >>>> >>> >> >> > >>>> Alon >>> >> >> > >>>> _______________________________________________ >>> >> >> > >>>> Users mailing list >>> >> >> > >>>> Users(a)ovirt.org >>> >> >> > >>>> http://lists.ovirt.org/mailman/listinfo/users >>> >> >> > >>>> >>> >> >> > >>> _______________________________________________ >>> >> >> > >>> Users mailing list >>> >> >> > >>> Users(a)ovirt.org >>> >> >> > >>> http://lists.ovirt.org/mailman/listinfo/users >>> >> >> > >> >>> >> >> > > _______________________________________________ >>> >> >> > > Users mailing list >>> >> >> > > Users(a)ovirt.org >>> >> >> > > http://lists.ovirt.org/mailman/listinfo/users >>> >> >> > > >>> >> >> > >>> >> >> > _______________________________________________ >>> >> >> > Users mailing list >>> >> >> > Users(a)ovirt.org >>> >> >> > http://lists.ovirt.org/mailman/listinfo/users >>> >> >> > >>> >> >> _______________________________________________ >>> >> >> Users mailing list >>> >> >> Users(a)ovirt.org >>> >> >> http://lists.ovirt.org/mailman/listinfo/users >>> >> >> >>> >> > _______________________________________________ >>> >> > Users mailing list >>> >> > Users(a)ovirt.org >>> >> > http://lists.ovirt.org/mailman/listinfo/users >>> >> >>>