Re: [ovirt-users] iSCSI domain on 4kn drives
by Martijn Grendelman
--------------DE48748F7C67E1FABE46EEAF
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Op 7-8-2016 om 8:19 schreef Yaniv Kaul:
>
> On Fri, Aug 5, 2016 at 4:42 PM, Martijn Grendelman
> <martijn.grendelman(a)isaac.nl <mailto:martijn.grendelman@isaac.nl>> wrote:
>
> Op 4-8-2016 om 18:36 schreef Yaniv Kaul:
>> On Thu, Aug 4, 2016 at 11:49 AM, Martijn Grendelman
>> <martijn.grendelman(a)isaac.nl
>> <mailto:martijn.grendelman@isaac.nl>> wrote:
>>
>> Hi,
>>
>> Does oVirt support iSCSI storage domains on target LUNs using
>> a block
>> size of 4k?
>>
>>
>> No, we do not - not if it exposes 4K blocks.
>> Y.
>
> Is this on the roadmap?
>
>
> Not in the short term roadmap.
> Of course, patches are welcome. It's mainly in VDSM.
> I wonder if it'll work in NFS.
> Y.
I don't think I ever replied to this, but I can confirm that in RHEV 3.6
it works with NFS.
Best regards,
Martijn.
--------------DE48748F7C67E1FABE46EEAF
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Op 7-8-2016 om 8:19 schreef Yaniv Kaul:<br>
<blockquote
cite="mid:280cfbd3a16ad1b76cc7de56bda88f45,CAJgorsbJHLV1e3fH4b4AR3GBp1oi44fDhfeii+PQ1iY1RwUStw@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra">On Fri, Aug 5, 2016 at 4:42 PM, Martijn
Grendelman <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:martijn.grendelman@isaac.nl" target="_blank">martijn.grendelman(a)isaac.nl</a>></span>
wrote:<br>
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Op 4-8-2016 om
18:36 schreef Yaniv Kaul:<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote"><span class="">On Thu,
Aug 4, 2016 at 11:49 AM, Martijn Grendelman <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:martijn.grendelman@isaac.nl"
target="_blank">martijn.grendelman(a)isaac.nl</a>></span>
wrote:<br>
</span><span class="">
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">Hi,<br>
<br>
Does oVirt support iSCSI storage domains on
target LUNs using a block<br>
size of 4k?<br>
</blockquote>
<div><br>
</div>
</span><span class="">
<div>No, we do not - not if it exposes 4K
blocks.</div>
<div>Y.</div>
</span></div>
</div>
</div>
</blockquote>
<br>
Is this on the roadmap?<br>
</div>
</blockquote>
<div><br>
</div>
<div>Not in the short term roadmap.</div>
<div>Of course, patches are welcome. It's mainly in VDSM.</div>
<div>I wonder if it'll work in NFS.</div>
<div>Y.</div>
</div>
</div>
</div>
</blockquote>
<br>
I don't think I ever replied to this, but I can confirm that in RHEV
3.6 it works with NFS.<br>
<br>
Best regards,<br>
Martijn.<br>
</body>
</html>
--------------DE48748F7C67E1FABE46EEAF--
4 years, 9 months
Re: [ovirt-users] How to import a qcow2 disk into ovirt
by Martín Follonier
Hi,
I've done all the recommendations in this thread, and I'm still getting the
"Paused by System" message just after the transfer starts.
Honestly I don't know were else to look at, cause I don't find any log
entry or packet capture that give me a hint about what is happening.
I'll appreciate any help! Thank you in advance!
Regards
Martin
On Thu, Sep 1, 2016 at 5:01 PM, Amit Aviram <aavi...(a)redhat.com> wrote:
> You can do both,
> Through the database, the table is "vdc_options". change "option_value"
> where "option_name" = 'ImageProxyAddress' .
>
> On Thu, Sep 1, 2016 at 4:56 PM, Gianluca Cecchi <gianluca.cec...(a)gmail.com
> > wrote:
>
>> On Thu, Sep 1, 2016 at 3:53 PM, Amit Aviram <aavi...(a)redhat.com> wrote:
>>
>>> You can just replace this value in the DB and change it to the right
>>> FQDN, it is a config value named "ImageProxyAddress". replace "localhost"
>>> with the right address (notice that the port is there too).
>>>
>>> If this will keep happen after users will have the latest version, we
>>> will have to open a bug and fix whatever causes the URL to be "localhost".
>>>
>>>
>> Do you mean through "engine-config" or directly into database?
>> In this second case which is the table involved?
>>
>> Gianluca
>>
>
>
[root@ractorshe bin]# systemctl stop ovirt-imageio-proxy
engine=# select * from vdc_options where option_name='ImageProxyAddress';
option_id | option_name | option_value | version
-----------+-------------------+-----------------+---------
950 | ImageProxyAddress | localhost:54323 | general
(1 row)
engine=# update vdc_options set option_value='ractorshe.mydomain:54323'
where option_name='ImageProxyAddress';
UPDATE 1
engine=# select * from vdc_options where option_name='ImageProxyAddress';
option_id | option_name | option_value |
version
-----------+-------------------+--------------------------------------+---------
950 | ImageProxyAddress | ractorshe.mydomain:54323 | general
(1 row)
engine=#
engine=# select * from vdc_options where option_name='ImageProxyAddress';
option_id | option_name | option_value |
version
-----------+-------------------+--------------------------------------+---------
950 | ImageProxyAddress | ractorshe.mydomain:54323 | general
(1 row)
systemctl stop ovirt-engine
(otherwise it remained localhost)
systemctl start ovirt-engine
systemctl start ovirt-imageio-proxy
Now transfer is ok.
I tried a qcow2 disck configured as 40Gb but containing about 1.6Gb of data.
I'm going to connect it to a VM and see if all is ok also from a contents
point of view.
Gianluca
_______________________________________________
Users mailing listUsers@ovirt.orghttp://lists.ovirt.org/mailman/listinfo/users
4 years, 10 months
Lowering the bar for wiki contribution?
by Roy Golan
I'm getting the feeling I'm not alone in this, authoring and publishing a
wiki page isn't as used to be for long time.
I want to suggest a bit lighter workflow:
1. Everyone can merge their page - (it's a wiki)
Same as with (public and open) code, no one has the motivation to publish
a badly written
wiki page under their name. True, it can have an impact, but not as with
broken code
2. Use Page-Status marker
The author first merges the draft. Its now out there and should be updated
as time goes and its
status is DRAFT. Maintainers will come later and after review would change
the status to
PUBLISH. That could be a header in on the page:
---
page status: DRAFT/PUBLISH
---
Simple I think, and should work.
5 years, 1 month
ovirt-ha-agent cpu usage
by Gianluca Cecchi
Hello,
I have a test machine that is a nuc6 with an i5 and 32G of ram and SSD
disks.
It is configured as a single host environment with Self Hosted Engine VM.
Both host and SHE are CentOS 7.2 and oVirt version is 3.6.6.2-1.el7
I notice that having 3 VMs powered on and making nothing special (engine
VM, a CentOS 7 VM and a Fedora 24 VM) the ovirt-ha-agent process on host
often spikes its cpu usage.
See for example this quick video with top command running on host that
reflects what happens continuously.
https://drive.google.com/file/d/0BwoPbcrMv8mvYUVRMFlLVmxRdXM/view?usp=sha...
Is it normal that ovirt-ha-agent consumes all this amount of cpu?
Going into /var/log/ovirt-hosted-engine-ha/agent.log I see nothing special,
only messages of type "INFO". The same for broker.log
Thanks,
Gianluca
5 years, 3 months
Hosted engine Single Sign-On to VM with freeIPA not working
by Paul
This is a multipart message in MIME format.
------=_NextPart_000_0050_01D18069.35C995E0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Hi,
I am having an issue with getting SSO to work when a standard user(UserRole)
logs in to the UserPortal.
The user has permission to use only this VM, so after login the console is
automatically opened for that VM.
Problem is that it doesn't login on the VM system with the provided
credentials. Manual login at the console works without any issues.
HBAC-rule check on IPA shows access is granted. Client has SELINUX in
permissive mode and a disabled firewalld.
On the client side I do see some PAM related errors in the logs (see details
below). Extensive Google search on error 17 "Failure setting user
credentials" didn't show helpful information :-(
AFAIK this is did a pretty standard set-up, all working with RH-family
products. I would expect others to encounter this issue as well.
If someone knows any solution or has some directions to fix this it would be
greatly appreciated.
Thanks,
Paul
------------------------------------------------------
System setup: I have 3 systems
The connection between the Engine and IPA is working fine. (I can log in
with IPA users etc.) Connection is made according to this document:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualizat
ion/3.6/html-single/Administration_Guide/index.html#sect-Configuring_an_Exte
rnal_LDAP_Provider
Configuration of the client is done according to this document:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualizat
ion/3.6/html/Virtual_Machine_Management_Guide/chap-Additional_Configuration.
html#sect-Configuring_Single_Sign-On_for_Virtual_Machines
--- Hosted Engine:
[root@engine ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@engine ~]# uname -a
Linux engine.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@engine ~]# rpm -qa | grep ovirt
ovirt-vmconsole-1.0.0-1.el7.centos.noarch
ovirt-engine-restapi-3.6.2.6-1.el7.centos.noarch
ovirt-setup-lib-1.0.1-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-common-3.6.3.4-1.el7.centos.noarch
ovirt-engine-setup-3.6.3.4-1.el7.centos.noarch
ovirt-image-uploader-3.6.0-1.el7.centos.noarch
ovirt-engine-extension-aaa-jdbc-1.0.5-1.el7.noarch
ovirt-host-deploy-1.4.1-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-setup-1.1.2-1.el7.centos.noarch
ovirt-engine-wildfly-overlay-8.0.4-1.el7.noarch
ovirt-engine-wildfly-8.2.1-1.el7.x86_64
ovirt-vmconsole-proxy-1.0.0-1.el7.centos.noarch
ovirt-engine-tools-3.6.2.6-1.el7.centos.noarch
ovirt-engine-dbscripts-3.6.2.6-1.el7.centos.noarch
ovirt-engine-backend-3.6.2.6-1.el7.centos.noarch
ovirt-engine-3.6.2.6-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.1.2-1.el7.centos.noarch
ovirt-engine-setup-base-3.6.3.4-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-3.6.3.4-1.el7.centos.noarch
ovirt-engine-setup-plugin-websocket-proxy-3.6.3.4-1.el7.centos.noarch
ovirt-engine-vmconsole-proxy-helper-3.6.3.4-1.el7.centos.noarch
ovirt-engine-cli-3.6.2.0-1.el7.centos.noarch
ovirt-host-deploy-java-1.4.1-1.el7.centos.noarch
ovirt-engine-userportal-3.6.2.6-1.el7.centos.noarch
ovirt-engine-webadmin-portal-3.6.2.6-1.el7.centos.noarch
ovirt-guest-agent-common-1.0.11-1.el7.noarch
ovirt-release36-003-1.noarch
ovirt-iso-uploader-3.6.0-1.el7.centos.noarch
ovirt-engine-lib-3.6.3.4-1.el7.centos.noarch
ovirt-engine-sdk-python-3.6.3.0-1.el7.centos.noarch
ovirt-engine-setup-plugin-vmconsole-proxy-helper-3.6.3.4-1.el7.centos.noarch
ovirt-engine-websocket-proxy-3.6.3.4-1.el7.centos.noarch
ovirt-log-collector-3.6.1-1.el7.centos.noarch
ovirt-engine-extensions-api-impl-3.6.3.4-1.el7.centos.noarch
--- FreeIPA:
[root@ipa01 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@ipa01 ~]# uname -a
Linux ipa01.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50
UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@ipa01 ~]# rpm -qa | grep ipa
ipa-python-4.2.0-15.el7_2.6.x86_64
ipa-client-4.2.0-15.el7_2.6.x86_64
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
python-iniparse-0.4-9.el7.noarch
libipa_hbac-1.13.0-40.el7_2.1.x86_64
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-admintools-4.2.0-15.el7_2.6.x86_64
ipa-server-4.2.0-15.el7_2.6.x86_64
ipa-server-dns-4.2.0-15.el7_2.6.x86_64
--- Client:
[root@test06 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@test06 ~]# uname -a
Linux test06.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@test06 ~]# rpm -qa | grep ipa
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
python-iniparse-0.4-9.el7.noarch
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64
libipa_hbac-1.13.0-40.el7_2.1.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64
device-mapper-multipath-0.4.9-85.el7.x86_64
device-mapper-multipath-libs-0.4.9-85.el7.x86_64
[root@test06 ~]# rpm -qa | grep guest-agent
qemu-guest-agent-2.3.0-4.el7.x86_64
ovirt-guest-agent-pam-module-1.0.11-1.el7.x86_64
ovirt-guest-agent-gdm-plugin-1.0.11-1.el7.noarch
ovirt-guest-agent-common-1.0.11-1.el7.noarch
---------------------------------------------------
Relevant logs:
--- Engine:
//var/log/ovirt-engine/engine
2016-03-17 15:22:10,516 INFO
[org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-22) []
Running command: LoginUserCommand internal: false.
2016-03-17 15:22:10,568 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-22) [] Correlation ID: null, Call Stack: null, Custom Event
ID: -1, Message: User test6@DOMAIN logged in.
2016-03-17 15:22:13,795 WARN
[org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (default task-6)
[7400ae46] The message key 'VmLogon' is missing from
'bundles/ExecutionMessages'
2016-03-17 15:22:13,839 INFO [org.ovirt.engine.core.bll.VmLogonCommand]
(default task-6) [7400ae46] Running command: VmLogonCommand internal: false.
Entities affected : ID: 64a84b40-6050-4a96-a59d-d557a317c38c Type: VMAction
group CONNECT_TO_VM with role type USER
2016-03-17 15:22:13,842 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default
task-6) [7400ae46] START, VmLogonVDSCommand(HostName = host01,
VmLogonVDSCommandParameters:{runAsync='true',
hostId='225157c0-224b-4aa6-9210-db4de7c7fc30',
vmId='64a84b40-6050-4a96-a59d-d557a317c38c', domain='DOMAIN-authz',
password='***', userName='test6@DOMAIN'}), log id: 2015a1e0
2016-03-17 15:22:14,848 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default
task-6) [7400ae46] FINISH, VmLogonVDSCommand, log id: 2015a1e0
2016-03-17 15:22:15,317 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand]
(default task-18) [10dad788] Running command: SetVmTicketCommand internal:
true. Entities affected : ID: 64a84b40-6050-4a96-a59d-d557a317c38c Type:
VMAction group CONNECT_TO_VM with role type USER
2016-03-17 15:22:15,322 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (default
task-18) [10dad788] START, SetVmTicketVDSCommand(HostName = host01,
SetVmTicketVDSCommandParameters:{runAsync='true',
hostId='225157c0-224b-4aa6-9210-db4de7c7fc30',
vmId='64a84b40-6050-4a96-a59d-d557a317c38c', protocol='SPICE',
ticket='rd8avqvdBnRl', validTime='120', userName='test6',
userId='10b2da3e-6401-4a09-a330-c0780bc0faef',
disconnectAction='LOCK_SCREEN'}), log id: 72efb73b
2016-03-17 15:22:16,340 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (default
task-18) [10dad788] FINISH, SetVmTicketVDSCommand, log id: 72efb73b
2016-03-17 15:22:16,377 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-18) [10dad788] Correlation ID: 10dad788, Call Stack: null,
Custom Event ID: -1, Message: User test6@DOMAIN initiated console session
for VM test06
2016-03-17 15:22:19,418 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(DefaultQuartzScheduler_Worker-53) [] Correlation ID: null, Call Stack:
null, Custom Event ID: -1, Message: User test6@DOMAIN-authz is connected to
VM test06.
--- Client:
/var/log/ovirt-guest-agent/ovirt-guest-agent.log
MainThread::INFO::2016-03-17
15:20:58,145::ovirt-guest-agent::57::root::Starting oVirt guest agent
CredServer::INFO::2016-03-17 15:20:58,214::CredServer::257::root::CredServer
is running...
Dummy-1::INFO::2016-03-17 15:20:58,216::OVirtAgentLogic::294::root::Received
an external command: lock-screen...
Dummy-1::INFO::2016-03-17 15:22:13,104::OVirtAgentLogic::294::root::Received
an external command: login...
Dummy-1::INFO::2016-03-17 15:22:13,104::CredServer::207::root::The following
users are allowed to connect: [0]
Dummy-1::INFO::2016-03-17 15:22:13,104::CredServer::273::root::Opening
credentials channel...
Dummy-1::INFO::2016-03-17 15:22:13,105::CredServer::132::root::Emitting user
authenticated signal (651416).
CredChannel::INFO::2016-03-17 15:22:13,188::CredServer::225::root::Incomming
connection from user: 0 process: 2570
CredChannel::INFO::2016-03-17 15:22:13,188::CredServer::232::root::Sending
user's credential (token: 651416)
Dummy-1::INFO::2016-03-17 15:22:13,189::CredServer::277::root::Credentials
channel was closed.
/var/log/secure
Mar 17 15:21:07 test06 gdm-launch-environment]:
pam_unix(gdm-launch-environment:session): session opened for user gdm by
(uid=0)
Mar 17 15:21:10 test06 polkitd[749]: Registered Authentication Agent for
unix-session:c1 (system bus name :1.34 [gnome-shell --mode=gdm], object path
/org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 17 15:22:13 test06 gdm-ovirtcred]: pam_sss(gdm-ovirtcred:auth):
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=test6
Mar 17 15:22:13 test06 gdm-ovirtcred]: pam_sss(gdm-ovirtcred:auth): received
for user test6: 17 (Failure setting user credentials)
/var/log/sssd/krb5_child.log (debug-level 10)
(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [get_and_save_tgt]
(0x0020): 1234: [-1765328360][Preauthentication failed]
(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [map_krb5_error]
(0x0020): 1303: [-1765328360][Preauthentication failed]
(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [k5c_send_data]
(0x0200): Received error code 1432158215
(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [pack_response_packet]
(0x2000): response packet size: [4]
(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [k5c_send_data]
(0x4000): Response sent.
(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [main] (0x0400):
krb5_child completed successfully
/var/log/sssd/sssd_DOMAIN.COM.log (debug-level 10)
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [be_pam_handler] (0x0100):
Got request with the following data
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
command: PAM_AUTHENTICATE
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
domain: DOMAIN.COM
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
user: test6
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
service: gdm-ovirtcred
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
tty:
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
ruser:
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
rhost:
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
authtok type: 1
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
newauthtok type: 0
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
priv: 1
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
cli_pid: 2570
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
logon name: not set
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [krb5_auth_queue_send]
(0x1000): Wait queue of user [test6] is empty, running request
[0x7fe30df03cc0] immediately.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [krb5_setup] (0x4000): No
mapping for: test6
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Added
timed event "ltdb_callback": 0x7fe30df07120
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Added
timed event "ltdb_timeout": 0x7fe30df16590
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Running
timer event 0x7fe30df07120 "ltdb_callback"
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Destroying
timer event 0x7fe30df16590 "ltdb_timeout"
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Ending
timer event 0x7fe30df07120 "ltdb_callback"
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'IPA'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_server_status]
(0x1000): Status of server 'ipa01.DOMAIN.COM' is 'working'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_port_status]
(0x1000): Port status of port 389 for server 'ipa01.DOMAIN.COM' is 'working'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6
seconds
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is resolved
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_server_status]
(0x1000): Status of server 'ipa01.DOMAIN.COM' is 'working'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[be_resolve_server_process] (0x0200): Found address for server
ipa01.DOMAIN.COM: [10.0.1.21] TTL 1200
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ipa_resolve_callback]
(0x0400): Constructed uri 'ldap://ipa01.DOMAIN.COM'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sss_krb5_realm_has_proxy]
(0x0040): profile_get_values failed.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_handler_setup]
(0x2000): Setting up signal handler up for pid [2575]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_handler_setup]
(0x2000): Signal handler set up for pid [2575]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_sig_handler]
(0x1000): Waiting for child [2575].
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_sig_handler]
(0x0100): child [2575] finished successfully.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [check_wait_queue]
(0x1000): Wait queue for user [test6] is empty.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [krb5_auth_queue_done]
(0x1000): krb5_auth_queue request [0x7fe30df03cc0] done.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_id_op_connect_step]
(0x4000): reusing cached connection
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_print_server]
(0x2000): Searching 10.0.1.21
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=DOMAIN,dc=com].
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaMigrationEnabled]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSELinuxUserMapDefault]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSELinuxUserMapOrder]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 122
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_op_add] (0x2000):
New operation 122 timeout 60
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x7fe30deef090], connected[1], ops[0x7fe30df094a0],
ldap[0x7fe30def2920]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_entry]
(0x1000): OriginalDN: [cn=ipaConfig,cn=etc,dc=DOMAIN,dc=com].
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaMigrationEnabled]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSELinuxUserMapDefault]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSELinuxUserMapOrder]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x7fe30deef090], connected[1], ops[0x7fe30df094a0],
ldap[0x7fe30def2920]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_op_destructor]
(0x2000): Operation 122 finished
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_id_op_destroy]
(0x4000): releasing operation connection
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[ipa_get_migration_flag_done] (0x0100): Password migration is not enabled.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [be_pam_handler_callback]
(0x0100): Backend returned: (0, 17, <NULL>) [Success (Failure setting user
credentials)]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [be_pam_handler_callback]
(0x0100): Sending result [17][DOMAIN.COM]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [be_pam_handler_callback]
(0x0100): Sent result [17][DOMAIN.COM]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x7fe30deef090], connected[1], ops[(nil)],
ldap[0x7fe30def2920]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
------=_NextPart_000_0050_01D18069.35C995E0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii"><meta name=3DGenerator content=3D"Microsoft Word 15 =
(filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US =
link=3D"#0563C1" vlink=3D"#954F72"><div class=3DWordSection1><p =
class=3DMsoNormal>Hi,<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal>I am having =
an issue with getting SSO to work when a standard user(UserRole) logs in =
to the UserPortal.<o:p></o:p></p><p class=3DMsoNormal>The user has =
permission to use only this VM, so after login the console is =
automatically opened for that VM.<o:p></o:p></p><p =
class=3DMsoNormal>Problem is that it doesn't login on the VM system with =
the provided credentials. Manual login at the console works without any =
issues. <o:p></o:p></p><p class=3DMsoNormal>HBAC-rule check on IPA shows =
access is granted. Client has SELINUX in permissive mode and a disabled =
firewalld. <o:p></o:p></p><p class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>On the client side I do see some PAM related errors in =
the logs (see details below). Extensive Google search on error 17 =
"Failure setting user credentials" didn't show helpful =
information :-(<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal>AFAIK this =
is did a pretty standard set-up, all working with RH-family products. I =
would expect others to encounter this issue as well. <o:p></o:p></p><p =
class=3DMsoNormal>If someone knows any solution or has some directions =
to fix this it would be greatly appreciated.<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>Thanks,<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>Paul<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>------------------------------------------------------<=
o:p></o:p></p><p class=3DMsoNormal>System setup: I have 3 systems =
<o:p></o:p></p><p class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>The connection between the Engine and IPA is working =
fine. (I can log in with IPA users etc.) Connection is made according to =
this document: =
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtuali=
zation/3.6/html-single/Administration_Guide/index.html#sect-Configuring_a=
n_External_LDAP_Provider<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>Configuration of the client is done according to this =
document: =
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtuali=
zation/3.6/html/Virtual_Machine_Management_Guide/chap-Additional_Configur=
ation.html#sect-Configuring_Single_Sign-On_for_Virtual_Machines<o:p></o:p=
></p><p class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal>--- =
Hosted Engine:<o:p></o:p></p><p class=3DMsoNormal>[root@engine ~]# cat =
/etc/redhat-release<o:p></o:p></p><p class=3DMsoNormal>CentOS Linux =
release 7.2.1511 (Core)<o:p></o:p></p><p class=3DMsoNormal>[root@engine =
~]# uname -a<o:p></o:p></p><p class=3DMsoNormal>Linux engine.DOMAIN.COM =
3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64 =
x86_64 x86_64 GNU/Linux<o:p></o:p></p><p class=3DMsoNormal>[root@engine =
~]# rpm -qa | grep ovirt<o:p></o:p></p><p =
class=3DMsoNormal>ovirt-vmconsole-1.0.0-1.el7.centos.noarch<o:p></o:p></p=
><p =
class=3DMsoNormal>ovirt-engine-restapi-3.6.2.6-1.el7.centos.noarch<o:p></=
o:p></p><p =
class=3DMsoNormal>ovirt-setup-lib-1.0.1-1.el7.centos.noarch<o:p></o:p></p=
><p =
class=3DMsoNormal>ovirt-engine-setup-plugin-ovirt-engine-common-3.6.3.4-1=
.el7.centos.noarch<o:p></o:p></p><p =
class=3DMsoNormal>ovirt-engine-setup-3.6.3.4-1.el7.centos.noarch<o:p></o:=
p></p><p =
class=3DMsoNormal>ovirt-image-uploader-3.6.0-1.el7.centos.noarch<o:p></o:=
p></p><p =
class=3DMsoNormal>ovirt-engine-extension-aaa-jdbc-1.0.5-1.el7.noarch<o:p>=
</o:p></p><p =
class=3DMsoNormal>ovirt-host-deploy-1.4.1-1.el7.centos.noarch<o:p></o:p><=
/p><p =
class=3DMsoNormal>ovirt-engine-extension-aaa-ldap-setup-1.1.2-1.el7.cento=
s.noarch<o:p></o:p></p><p =
class=3DMsoNormal>ovirt-engine-wildfly-overlay-8.0.4-1.el7.noarch<o:p></o=
:p></p><p =
class=3DMsoNormal>ovirt-engine-wildfly-8.2.1-1.el7.x86_64<o:p></o:p></p><=
p =
class=3DMsoNormal>ovirt-vmconsole-proxy-1.0.0-1.el7.centos.noarch<o:p></o=
:p></p><p =
class=3DMsoNormal>ovirt-engine-tools-3.6.2.6-1.el7.centos.noarch<o:p></o:=
p></p><p =
class=3DMsoNormal>ovirt-engine-dbscripts-3.6.2.6-1.el7.centos.noarch<o:p>=
</o:p></p><p =
class=3DMsoNormal>ovirt-engine-backend-3.6.2.6-1.el7.centos.noarch<o:p></=
o:p></p><p =
class=3DMsoNormal>ovirt-engine-3.6.2.6-1.el7.centos.noarch<o:p></o:p></p>=
<p =
class=3DMsoNormal>ovirt-engine-extension-aaa-ldap-1.1.2-1.el7.centos.noar=
ch<o:p></o:p></p><p =
class=3DMsoNormal>ovirt-engine-setup-base-3.6.3.4-1.el7.centos.noarch<o:p=
></o:p></p><p =
class=3DMsoNormal>ovirt-engine-setup-plugin-ovirt-engine-3.6.3.4-1.el7.ce=
ntos.noarch<o:p></o:p></p><p =
class=3DMsoNormal>ovirt-engine-setup-plugin-websocket-proxy-3.6.3.4-1.el7=
.centos.noarch<o:p></o:p></p><p =
class=3DMsoNormal>ovirt-engine-vmconsole-proxy-helper-3.6.3.4-1.el7.cento=
s.noarch<o:p></o:p></p><p =
class=3DMsoNormal>ovirt-engine-cli-3.6.2.0-1.el7.centos.noarch<o:p></o:p>=
</p><p =
class=3DMsoNormal>ovirt-host-deploy-java-1.4.1-1.el7.centos.noarch<o:p></=
o:p></p><p =
class=3DMsoNormal>ovirt-engine-userportal-3.6.2.6-1.el7.centos.noarch<o:p=
></o:p></p><p =
class=3DMsoNormal>ovirt-engine-webadmin-portal-3.6.2.6-1.el7.centos.noarc=
h<o:p></o:p></p><p =
class=3DMsoNormal>ovirt-guest-agent-common-1.0.11-1.el7.noarch<o:p></o:p>=
</p><p class=3DMsoNormal>ovirt-release36-003-1.noarch<o:p></o:p></p><p =
class=3DMsoNormal>ovirt-iso-uploader-3.6.0-1.el7.centos.noarch<o:p></o:p>=
</p><p =
class=3DMsoNormal>ovirt-engine-lib-3.6.3.4-1.el7.centos.noarch<o:p></o:p>=
</p><p =
class=3DMsoNormal>ovirt-engine-sdk-python-3.6.3.0-1.el7.centos.noarch<o:p=
></o:p></p><p =
class=3DMsoNormal>ovirt-engine-setup-plugin-vmconsole-proxy-helper-3.6.3.=
4-1.el7.centos.noarch<o:p></o:p></p><p =
class=3DMsoNormal>ovirt-engine-websocket-proxy-3.6.3.4-1.el7.centos.noarc=
h<o:p></o:p></p><p =
class=3DMsoNormal>ovirt-log-collector-3.6.1-1.el7.centos.noarch<o:p></o:p=
></p><p =
class=3DMsoNormal>ovirt-engine-extensions-api-impl-3.6.3.4-1.el7.centos.n=
oarch<o:p></o:p></p><p class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>--- FreeIPA:<o:p></o:p></p><p =
class=3DMsoNormal>[root@ipa01 ~]# cat =
/etc/redhat-release<o:p></o:p></p><p class=3DMsoNormal>CentOS Linux =
release 7.2.1511 (Core) <o:p></o:p></p><p class=3DMsoNormal>[root@ipa01 =
~]# uname -a<o:p></o:p></p><p class=3DMsoNormal>Linux =
ipa01.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 =
UTC 2016 x86_64 x86_64 x86_64 GNU/Linux<o:p></o:p></p><p =
class=3DMsoNormal>[root@ipa01 ~]# rpm -qa | grep ipa<o:p></o:p></p><p =
class=3DMsoNormal>ipa-python-4.2.0-15.el7_2.6.x86_64<o:p></o:p></p><p =
class=3DMsoNormal>ipa-client-4.2.0-15.el7_2.6.x86_64<o:p></o:p></p><p =
class=3DMsoNormal>python-libipa_hbac-1.13.0-40.el7_2.1.x86_64<o:p></o:p><=
/p><p =
class=3DMsoNormal>python-iniparse-0.4-9.el7.noarch<o:p></o:p></p><p =
class=3DMsoNormal>libipa_hbac-1.13.0-40.el7_2.1.x86_64<o:p></o:p></p><p =
class=3DMsoNormal>sssd-ipa-1.13.0-40.el7_2.1.x86_64<o:p></o:p></p><p =
class=3DMsoNormal>ipa-admintools-4.2.0-15.el7_2.6.x86_64<o:p></o:p></p><p=
class=3DMsoNormal>ipa-server-4.2.0-15.el7_2.6.x86_64<o:p></o:p></p><p =
class=3DMsoNormal>ipa-server-dns-4.2.0-15.el7_2.6.x86_64<o:p></o:p></p><p=
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal>--- =
Client:<o:p></o:p></p><p class=3DMsoNormal>[root@test06 ~]# cat =
/etc/redhat-release<o:p></o:p></p><p class=3DMsoNormal>CentOS Linux =
release 7.2.1511 (Core) <o:p></o:p></p><p class=3DMsoNormal>[root@test06 =
~]# uname -a<o:p></o:p></p><p class=3DMsoNormal>Linux test06.DOMAIN.COM =
3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64 =
x86_64 x86_64 GNU/Linux<o:p></o:p></p><p class=3DMsoNormal>[root@test06 =
~]# rpm -qa | grep ipa<o:p></o:p></p><p =
class=3DMsoNormal>python-libipa_hbac-1.13.0-40.el7_2.1.x86_64<o:p></o:p><=
/p><p =
class=3DMsoNormal>python-iniparse-0.4-9.el7.noarch<o:p></o:p></p><p =
class=3DMsoNormal>sssd-ipa-1.13.0-40.el7_2.1.x86_64<o:p></o:p></p><p =
class=3DMsoNormal>ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64<o:p></o:p><=
/p><p =
class=3DMsoNormal>libipa_hbac-1.13.0-40.el7_2.1.x86_64<o:p></o:p></p><p =
class=3DMsoNormal>ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64<o:p></o:p><=
/p><p =
class=3DMsoNormal>device-mapper-multipath-0.4.9-85.el7.x86_64<o:p></o:p><=
/p><p =
class=3DMsoNormal>device-mapper-multipath-libs-0.4.9-85.el7.x86_64<o:p></=
o:p></p><p class=3DMsoNormal>[root@test06 ~]# rpm -qa | grep =
guest-agent<o:p></o:p></p><p =
class=3DMsoNormal>qemu-guest-agent-2.3.0-4.el7.x86_64<o:p></o:p></p><p =
class=3DMsoNormal>ovirt-guest-agent-pam-module-1.0.11-1.el7.x86_64<o:p></=
o:p></p><p =
class=3DMsoNormal>ovirt-guest-agent-gdm-plugin-1.0.11-1.el7.noarch<o:p></=
o:p></p><p =
class=3DMsoNormal>ovirt-guest-agent-common-1.0.11-1.el7.noarch<o:p></o:p>=
</p><p class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>---------------------------------------------------<o:p=
></o:p></p><p class=3DMsoNormal>Relevant logs:<o:p></o:p></p><p =
class=3DMsoNormal>--- Engine:<o:p></o:p></p><p =
class=3DMsoNormal>//var/log/ovirt-engine/engine<o:p></o:p></p><p =
class=3DMsoNormal>2016-03-17 15:22:10,516 INFO =
[org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-22) [] =
Running command: LoginUserCommand internal: false.<o:p></o:p></p><p =
class=3DMsoNormal>2016-03-17 15:22:10,568 INFO =
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] =
(default task-22) [] Correlation ID: null, Call Stack: null, Custom =
Event ID: -1, Message: User test6@DOMAIN logged in.<o:p></o:p></p><p =
class=3DMsoNormal>2016-03-17 15:22:13,795 WARN =
[org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (default =
task-6) [7400ae46] The message key 'VmLogon' is missing from =
'bundles/ExecutionMessages'<o:p></o:p></p><p =
class=3DMsoNormal>2016-03-17 15:22:13,839 INFO =
[org.ovirt.engine.core.bll.VmLogonCommand] (default task-6) [7400ae46] =
Running command: VmLogonCommand internal: false. Entities affected =
: ID: 64a84b40-6050-4a96-a59d-d557a317c38c Type: VMAction group =
CONNECT_TO_VM with role type USER<o:p></o:p></p><p =
class=3DMsoNormal>2016-03-17 15:22:13,842 INFO =
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default =
task-6) [7400ae46] START, VmLogonVDSCommand(HostName =3D host01, =
VmLogonVDSCommandParameters:{runAsync=3D'true', =
hostId=3D'225157c0-224b-4aa6-9210-db4de7c7fc30', =
vmId=3D'64a84b40-6050-4a96-a59d-d557a317c38c', domain=3D'DOMAIN-authz', =
password=3D'***', userName=3D'test6@DOMAIN'}), log id: =
2015a1e0<o:p></o:p></p><p class=3DMsoNormal>2016-03-17 15:22:14,848 =
INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] =
(default task-6) [7400ae46] FINISH, VmLogonVDSCommand, log id: =
2015a1e0<o:p></o:p></p><p class=3DMsoNormal>2016-03-17 15:22:15,317 =
INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (default =
task-18) [10dad788] Running command: SetVmTicketCommand internal: true. =
Entities affected : ID: 64a84b40-6050-4a96-a59d-d557a317c38c Type: =
VMAction group CONNECT_TO_VM with role type USER<o:p></o:p></p><p =
class=3DMsoNormal>2016-03-17 15:22:15,322 INFO =
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] =
(default task-18) [10dad788] START, SetVmTicketVDSCommand(HostName =3D =
host01, SetVmTicketVDSCommandParameters:{runAsync=3D'true', =
hostId=3D'225157c0-224b-4aa6-9210-db4de7c7fc30', =
vmId=3D'64a84b40-6050-4a96-a59d-d557a317c38c', protocol=3D'SPICE', =
ticket=3D'rd8avqvdBnRl', validTime=3D'120', userName=3D'test6', =
userId=3D'10b2da3e-6401-4a09-a330-c0780bc0faef', =
disconnectAction=3D'LOCK_SCREEN'}), log id: 72efb73b<o:p></o:p></p><p =
class=3DMsoNormal>2016-03-17 15:22:16,340 INFO =
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] =
(default task-18) [10dad788] FINISH, SetVmTicketVDSCommand, log id: =
72efb73b<o:p></o:p></p><p class=3DMsoNormal>2016-03-17 15:22:16,377 =
INFO =
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] =
(default task-18) [10dad788] Correlation ID: 10dad788, Call Stack: null, =
Custom Event ID: -1, Message: User test6@DOMAIN initiated console =
session for VM test06<o:p></o:p></p><p class=3DMsoNormal>2016-03-17 =
15:22:19,418 INFO =
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] =
(DefaultQuartzScheduler_Worker-53) [] Correlation ID: null, Call Stack: =
null, Custom Event ID: -1, Message: User test6@DOMAIN-authz is connected =
to VM test06.<o:p></o:p></p><p class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>--- Client:<o:p></o:p></p><p =
class=3DMsoNormal>/var/log/ovirt-guest-agent/ovirt-guest-agent.log<o:p></=
o:p></p><p class=3DMsoNormal>MainThread::INFO::2016-03-17 =
15:20:58,145::ovirt-guest-agent::57::root::Starting oVirt guest =
agent<o:p></o:p></p><p class=3DMsoNormal>CredServer::INFO::2016-03-17 =
15:20:58,214::CredServer::257::root::CredServer is =
running...<o:p></o:p></p><p class=3DMsoNormal>Dummy-1::INFO::2016-03-17 =
15:20:58,216::OVirtAgentLogic::294::root::Received an external command: =
lock-screen...<o:p></o:p></p><p =
class=3DMsoNormal>Dummy-1::INFO::2016-03-17 =
15:22:13,104::OVirtAgentLogic::294::root::Received an external command: =
login...<o:p></o:p></p><p class=3DMsoNormal>Dummy-1::INFO::2016-03-17 =
15:22:13,104::CredServer::207::root::The following users are allowed to =
connect: [0]<o:p></o:p></p><p =
class=3DMsoNormal>Dummy-1::INFO::2016-03-17 =
15:22:13,104::CredServer::273::root::Opening credentials =
channel...<o:p></o:p></p><p class=3DMsoNormal>Dummy-1::INFO::2016-03-17 =
15:22:13,105::CredServer::132::root::Emitting user authenticated signal =
(651416).<o:p></o:p></p><p =
class=3DMsoNormal>CredChannel::INFO::2016-03-17 =
15:22:13,188::CredServer::225::root::Incomming connection from user: 0 =
process: 2570<o:p></o:p></p><p =
class=3DMsoNormal>CredChannel::INFO::2016-03-17 =
15:22:13,188::CredServer::232::root::Sending user's credential (token: =
651416)<o:p></o:p></p><p class=3DMsoNormal>Dummy-1::INFO::2016-03-17 =
15:22:13,189::CredServer::277::root::Credentials channel was =
closed.<o:p></o:p></p><p class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>/var/log/secure<o:p></o:p></p><p class=3DMsoNormal>Mar =
17 15:21:07 test06 gdm-launch-environment]: =
pam_unix(gdm-launch-environment:session): session opened for user gdm by =
(uid=3D0)<o:p></o:p></p><p class=3DMsoNormal>Mar 17 15:21:10 test06 =
polkitd[749]: Registered Authentication Agent for unix-session:c1 =
(system bus name :1.34 [gnome-shell --mode=3Dgdm], object path =
/org/freedesktop/PolicyKit1/AuthenticationAgent, locale =
en_US.UTF-8)<o:p></o:p></p><p class=3DMsoNormal>Mar 17 15:22:13 test06 =
gdm-ovirtcred]: pam_sss(gdm-ovirtcred:auth): authentication failure; =
logname=3D uid=3D0 euid=3D0 tty=3D ruser=3D rhost=3D =
user=3Dtest6<o:p></o:p></p><p class=3DMsoNormal><b><span =
style=3D'color:red'>Mar 17 15:22:13 test06 gdm-ovirtcred]: =
pam_sss(gdm-ovirtcred:auth): received for user test6: 17 (Failure =
setting user credentials)<o:p></o:p></span></b></p><p =
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal><span =
lang=3DNL>/var/log/sssd/krb5_child.log (debug-level =
10)<o:p></o:p></span></p><p class=3DMsoNormal><b><span =
style=3D'color:red'>(Thu Mar 17 15:22:13 2016) =
[[sssd[krb5_child[2575]]]] [get_and_save_tgt] (0x0020): 1234: =
[-1765328360][Preauthentication failed]<o:p></o:p></span></b></p><p =
class=3DMsoNormal><b><span style=3D'color:red'>(Thu Mar 17 15:22:13 =
2016) [[sssd[krb5_child[2575]]]] [map_krb5_error] (0x0020): 1303: =
[-1765328360][Preauthentication failed]<o:p></o:p></span></b></p><p =
class=3DMsoNormal><b><span style=3D'color:red'>(Thu Mar 17 15:22:13 =
2016) [[sssd[krb5_child[2575]]]] [k5c_send_data] (0x0200): Received =
error code 1432158215<o:p></o:p></span></b></p><p class=3DMsoNormal>(Thu =
Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [pack_response_packet] =
(0x2000): response packet size: [4]<o:p></o:p></p><p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] =
[k5c_send_data] (0x4000): Response sent.<o:p></o:p></p><p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] =
[main] (0x0400): krb5_child completed successfully<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal>/var/log/sssd/sssd_DOMAIN.COM.log (debug-level =
10)<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [be_pam_handler] (0x0100): Got request with the =
following data<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 =
2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): command: =
PAM_AUTHENTICATE<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 =
2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): domain: =
DOMAIN.COM<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): user: =
test6<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): service: =
gdm-ovirtcred<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 =
2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): =
tty:<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): =
ruser:<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): =
rhost:<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): authtok type: =
1<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): newauthtok type: =
0<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): priv: =
1<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): cli_pid: =
2570<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): logon name: not =
set<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [krb5_auth_queue_send] (0x1000): Wait queue of =
user [test6] is empty, running request [0x7fe30df03cc0] =
immediately.<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 =
2016) [sssd[be[DOMAIN.COM]]] [krb5_setup] (0x4000): No mapping for: =
test6<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Added timed event =
"ltdb_callback": 0x7fe30df07120<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Added timed event =
"ltdb_timeout": 0x7fe30df16590<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Running timer =
event 0x7fe30df07120 "ltdb_callback"<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Destroying timer =
event 0x7fe30df16590 "ltdb_timeout"<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Ending timer event =
0x7fe30df07120 "ltdb_callback"<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [fo_resolve_service_send] =
(0x0100): Trying to resolve service 'IPA'<o:p></o:p></p><p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] =
[get_server_status] (0x1000): Status of server 'ipa01.DOMAIN.COM' is =
'working'<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [get_port_status] (0x1000): Port status of port =
389 for server 'ipa01.DOMAIN.COM' is 'working'<o:p></o:p></p><p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] =
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 =
seconds<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [resolve_srv_send] (0x0200): The status of SRV =
lookup is resolved<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_server_status] (0x1000): =
Status of server 'ipa01.DOMAIN.COM' is 'working'<o:p></o:p></p><p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] =
[be_resolve_server_process] (0x1000): Saving the first resolved =
server<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [be_resolve_server_process] (0x0200): Found =
address for server ipa01.DOMAIN.COM: [10.0.1.21] TTL =
1200<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [ipa_resolve_callback] (0x0400): Constructed uri =
'ldap://ipa01.DOMAIN.COM'<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sss_krb5_realm_has_proxy] =
(0x0040): profile_get_values failed.<o:p></o:p></p><p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] =
[child_handler_setup] (0x2000): Setting up signal handler up for pid =
[2575]<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [child_handler_setup] (0x2000): Signal handler =
set up for pid [2575]<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [write_pipe_handler] (0x0400): All =
data has been sent!<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_sig_handler] (0x1000): =
Waiting for child [2575].<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_sig_handler] (0x0100): =
child [2575] finished successfully.<o:p></o:p></p><p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] =
[read_pipe_handler] (0x0400): EOF received, client =
finished<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [check_wait_queue] (0x1000): Wait queue for user =
[test6] is empty.<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [krb5_auth_queue_done] (0x1000): =
krb5_auth_queue request [0x7fe30df03cc0] done.<o:p></o:p></p><p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] =
[sdap_id_op_connect_step] (0x4000): reusing cached =
connection<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [sdap_print_server] (0x2000): Searching =
10.0.1.21<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [sdap_get_generic_ext_step] (0x0400): calling =
ldap_search_ext with =
[(&(cn=3DipaConfig)(objectClass=3DipaGuiConfig))][cn=3Detc,dc=3DDOMAI=
N,dc=3Dcom].<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 =
2016) [sssd[be[DOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): =
Requesting attrs: [ipaMigrationEnabled]<o:p></o:p></p><p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] =
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: =
[ipaSELinuxUserMapDefault]<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar =
17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_get_generic_ext_step] =
(0x1000): Requesting attrs: [ipaSELinuxUserMapOrder]<o:p></o:p></p><p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] =
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid =3D =
122<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [sdap_op_add] (0x2000): New operation 122 timeout =
60<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [sdap_process_result] (0x2000): Trace: =
sh[0x7fe30deef090], connected[1], ops[0x7fe30df094a0], =
ldap[0x7fe30def2920]<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_message] (0x4000): =
Message type: [LDAP_RES_SEARCH_ENTRY]<o:p></o:p></p><p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] =
[sdap_parse_entry] (0x1000): OriginalDN: =
[cn=3DipaConfig,cn=3Detc,dc=3DDOMAIN,dc=3Dcom].<o:p></o:p></p><p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] =
[sdap_parse_range] (0x2000): No sub-attributes for =
[ipaMigrationEnabled]<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range] (0x2000): No =
sub-attributes for [ipaSELinuxUserMapDefault]<o:p></o:p></p><p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] =
[sdap_parse_range] (0x2000): No sub-attributes for =
[ipaSELinuxUserMapOrder]<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_result] (0x2000): =
Trace: sh[0x7fe30deef090], connected[1], ops[0x7fe30df094a0], =
ldap[0x7fe30def2920]<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_message] (0x4000): =
Message type: [LDAP_RES_SEARCH_RESULT]<o:p></o:p></p><p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] =
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no =
errmsg set<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [sdap_op_destructor] (0x2000): Operation 122 =
finished <o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [sdap_id_op_destroy] (0x4000): releasing =
operation connection <o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ipa_get_migration_flag_done] =
(0x0100): Password migration is not enabled. <o:p></o:p></p><p =
class=3DMsoNormal><b><span style=3D'color:red'>(Thu Mar 17 15:22:13 =
2016) [sssd[be[DOMAIN.COM]]] [be_pam_handler_callback] (0x0100): Backend =
returned: (0, 17, <NULL>) [Success (Failure setting user =
credentials)] <o:p></o:p></span></b></p><p class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [be_pam_handler_callback] =
(0x0100): Sending result [17][DOMAIN.COM] <o:p></o:p></p><p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] =
[be_pam_handler_callback] (0x0100): Sent result [17][DOMAIN.COM] =
<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [sdap_process_result] (0x2000): Trace: =
sh[0x7fe30deef090], connected[1], ops[(nil)], ldap[0x7fe30def2920] =
<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [sdap_process_result] (0x2000): Trace: =
ldap_result found nothing!<o:p></o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal> =
<o:p></o:p></p><p class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p><p =
class=3DMsoNormal><o:p> </o:p></p></div></body></html>
------=_NextPart_000_0050_01D18069.35C995E0--
5 years, 3 months
VM has been paused due to storage I/O problem
by Gianluca Cecchi
Hello,
my test environment is composed by 2 old HP blades BL685c G1 (ovmsrv05 and
ovmsrv06) and they are connected in a SAN with FC-switches to an old IBM
DS4700 storage array.
Apart from being old, they seem all ok from an hw point of view.
I have configured oVirt 4.0.6 and an FCP storage domain.
The hosts are plain CentOS 7.3 servers fully updated.
It is not an hosted engine environment: the manager is a vm outside of the
cluster.
I have configured power mgmt on both and it works good.
I have at the moment only one VM for test and it is doing quite nothing.
Starting point: ovmsrv05 is in maintenance (since about 2 days) and the VM
is running on ovmsrv06.
I update qemu-kvm package on ovmsrv05 and then I restart it from web admin
gui:
Power Mgmt --> Restart
Sequence of events in pane and the problem in subject:
Jan 31, 2017 10:29:43 AM Host ovmsrv05 power management was verified
successfully.
Jan 31, 2017 10:29:43 AM Status of host ovmsrv05 was set to Up.
Jan 31, 2017 10:29:38 AM Executing power management status on Host ovmsrv05
using Proxy Host ovmsrv06 and Fence Agent ilo:10.4.192.212.
Jan 31, 2017 10:29:29 AM Activation of host ovmsrv05 initiated by
admin@internal-authz.
Jan 31, 2017 10:28:05 AM VM ol65 has recovered from paused back to up.
Jan 31, 2017 10:27:55 AM VM ol65 has been paused due to storage I/O problem.
Jan 31, 2017 10:27:55 AM VM ol65 has been paused.
Jan 31, 2017 10:25:52 AM Host ovmsrv05 was restarted by
admin@internal-authz.
Jan 31, 2017 10:25:52 AM Host ovmsrv05 was started by admin@internal-authz.
Jan 31, 2017 10:25:52 AM Power management start of Host ovmsrv05 succeeded.
Jan 31, 2017 10:25:50 AM Executing power management status on Host ovmsrv05
using Proxy Host ovmsrv06 and Fence Agent ilo:10.4.192.212.
Jan 31, 2017 10:25:37 AM Executing power management start on Host ovmsrv05
using Proxy Host ovmsrv06 and Fence Agent ilo:10.4.192.212.
Jan 31, 2017 10:25:37 AM Power management start of Host ovmsrv05 initiated.
Jan 31, 2017 10:25:37 AM Auto fence for host ovmsrv05 was started.
Jan 31, 2017 10:25:37 AM All VMs' status on Non Responsive Host ovmsrv05
were changed to 'Down' by admin@internal-authz
Jan 31, 2017 10:25:36 AM Host ovmsrv05 was stopped by admin@internal-authz.
Jan 31, 2017 10:25:36 AM Power management stop of Host ovmsrv05 succeeded.
Jan 31, 2017 10:25:34 AM Executing power management status on Host ovmsrv05
using Proxy Host ovmsrv06 and Fence Agent ilo:10.4.192.212.
Jan 31, 2017 10:25:15 AM Executing power management stop on Host ovmsrv05
using Proxy Host ovmsrv06 and Fence Agent ilo:10.4.192.212.
Jan 31, 2017 10:25:15 AM Power management stop of Host ovmsrv05 initiated.
Jan 31, 2017 10:25:12 AM Executing power management status on Host ovmsrv05
using Proxy Host ovmsrv06 and Fence Agent ilo:10.4.192.212.
Watching the timestamps, the culprit seems the reboot time of ovmsrv05 that
detects some LUNs in owned state and other ones in unowned
Full messages of both hosts here:
https://drive.google.com/file/d/0BwoPbcrMv8mvekZQT1pjc0NMRlU/view?usp=sha...
and
https://drive.google.com/file/d/0BwoPbcrMv8mvcjBCYVdFZWdXTms/view?usp=sha...
At this time there are 4 LUNs globally seen by the two hosts but only 1 of
them is currently configured as the only storage domain in oVirt cluster.
[root@ovmsrv05 ~]# multipath -l | grep ^36
3600a0b8000299aa80000d08b55014119 dm-5 IBM ,1814 FAStT
3600a0b80002999020000cd3c5501458f dm-3 IBM ,1814 FAStT
3600a0b80002999020000ccf855011198 dm-2 IBM ,1814 FAStT
3600a0b8000299aa80000d08955014098 dm-4 IBM ,1814 FAStT
the configured one:
[root@ovmsrv05 ~]# multipath -l 3600a0b8000299aa80000d08b55014119
3600a0b8000299aa80000d08b55014119 dm-5 IBM ,1814 FAStT
size=4.0T features='0' hwhandler='1 rdac' wp=rw
|-+- policy='service-time 0' prio=0 status=active
| |- 0:0:1:3 sdl 8:176 active undef running
| `- 2:0:1:3 sdp 8:240 active undef running
`-+- policy='service-time 0' prio=0 status=enabled
|- 0:0:0:3 sdd 8:48 active undef running
`- 2:0:0:3 sdi 8:128 active undef running
In mesages of booting node, arounf the problem registered by the storage:
[root@ovmsrv05 ~]# grep owned /var/log/messages
Jan 31 10:27:38 ovmsrv05 kernel: scsi 0:0:0:1: rdac: LUN 1 (RDAC) (owned)
Jan 31 10:27:38 ovmsrv05 kernel: scsi 0:0:0:2: rdac: LUN 2 (RDAC) (owned)
Jan 31 10:27:38 ovmsrv05 kernel: scsi 0:0:0:3: rdac: LUN 3 (RDAC) (unowned)
Jan 31 10:27:38 ovmsrv05 kernel: scsi 2:0:0:1: rdac: LUN 1 (RDAC) (owned)
Jan 31 10:27:38 ovmsrv05 kernel: scsi 0:0:0:4: rdac: LUN 4 (RDAC) (unowned)
Jan 31 10:27:38 ovmsrv05 kernel: scsi 2:0:0:2: rdac: LUN 2 (RDAC) (owned)
Jan 31 10:27:38 ovmsrv05 kernel: scsi 0:0:1:1: rdac: LUN 1 (RDAC) (unowned)
Jan 31 10:27:38 ovmsrv05 kernel: scsi 2:0:0:3: rdac: LUN 3 (RDAC) (unowned)
Jan 31 10:27:38 ovmsrv05 kernel: scsi 2:0:0:4: rdac: LUN 4 (RDAC) (unowned)
Jan 31 10:27:38 ovmsrv05 kernel: scsi 0:0:1:2: rdac: LUN 2 (RDAC) (unowned)
Jan 31 10:27:38 ovmsrv05 kernel: scsi 2:0:1:1: rdac: LUN 1 (RDAC) (unowned)
Jan 31 10:27:38 ovmsrv05 kernel: scsi 0:0:1:3: rdac: LUN 3 (RDAC) (owned)
Jan 31 10:27:38 ovmsrv05 kernel: scsi 2:0:1:2: rdac: LUN 2 (RDAC) (unowned)
Jan 31 10:27:38 ovmsrv05 kernel: scsi 0:0:1:4: rdac: LUN 4 (RDAC) (owned)
Jan 31 10:27:38 ovmsrv05 kernel: scsi 2:0:1:3: rdac: LUN 3 (RDAC) (owned)
Jan 31 10:27:39 ovmsrv05 kernel: scsi 2:0:1:4: rdac: LUN 4 (RDAC) (owned)
I don't know exactly the meaning of owned/unowned in the output above..
Possibly it detects the 0:0:1:3 and 2:0:1:3 paths (those of the active
group) as "owned" and this could have created problems with the active node?
On active node strangely I don't loose all the paths, but the VM has been
paused anyway
[root@ovmsrv06 log]# grep "remaining active path" /var/log/messages
Jan 31 10:27:48 ovmsrv06 multipathd: 3600a0b8000299aa80000d08b55014119:
remaining active paths: 3
Jan 31 10:27:49 ovmsrv06 multipathd: 3600a0b8000299aa80000d08b55014119:
remaining active paths: 2
Jan 31 10:27:56 ovmsrv06 multipathd: 3600a0b8000299aa80000d08b55014119:
remaining active paths: 3
Jan 31 10:27:56 ovmsrv06 multipathd: 3600a0b8000299aa80000d08b55014119:
remaining active paths: 2
Jan 31 10:27:56 ovmsrv06 multipathd: 3600a0b8000299aa80000d08b55014119:
remaining active paths: 1
Jan 31 10:27:57 ovmsrv06 multipathd: 3600a0b8000299aa80000d08b55014119:
remaining active paths: 2
Jan 31 10:28:01 ovmsrv06 multipathd: 3600a0b8000299aa80000d08b55014119:
remaining active paths: 3
Jan 31 10:28:01 ovmsrv06 multipathd: 3600a0b8000299aa80000d08b55014119:
remaining active paths: 4
I'm not an expert of this storage array in particular, and of the rdac
hardware handler in general.
What I see is that multipath.conf on both nodes:
# VDSM REVISION 1.3
defaults {
polling_interval 5
no_path_retry fail
user_friendly_names no
flush_on_last_del yes
fast_io_fail_tmo 5
dev_loss_tmo 30
max_fds 4096
}
devices {
device {
# These settings overrides built-in devices settings. It does not
apply
# to devices without built-in settings (these use the settings in
the
# "defaults" section), or to devices defined in the "devices"
section.
# Note: This is not available yet on Fedora 21. For more info see
# https://bugzilla.redhat.com/1253799
all_devs yes
no_path_retry fail
}
}
beginning of /proc/scsi/scsi
[root@ovmsrv06 ~]# cat /proc/scsi/scsi
Attached devices:
Host: scsi1 Channel: 01 Id: 00 Lun: 00
Vendor: HP Model: LOGICAL VOLUME Rev: 1.86
Type: Direct-Access ANSI SCSI revision: 05
Host: scsi0 Channel: 00 Id: 00 Lun: 01
Vendor: IBM Model: 1814 FAStT Rev: 0916
Type: Direct-Access ANSI SCSI revision: 05
...
To get default acquired config for this storage:
multpathd -k
> show config
I can see:
device {
vendor "IBM"
product "^1814"
product_blacklist "Universal Xport"
path_grouping_policy "group_by_prio"
path_checker "rdac"
features "0"
hardware_handler "1 rdac"
prio "rdac"
failback immediate
rr_weight "uniform"
no_path_retry "fail"
}
and
defaults {
verbosity 2
polling_interval 5
max_polling_interval 20
reassign_maps "yes"
multipath_dir "/lib64/multipath"
path_selector "service-time 0"
path_grouping_policy "failover"
uid_attribute "ID_SERIAL"
prio "const"
prio_args ""
features "0"
path_checker "directio"
alias_prefix "mpath"
failback "manual"
rr_min_io 1000
rr_min_io_rq 1
max_fds 4096
rr_weight "uniform"
no_path_retry "fail"
queue_without_daemon "no"
flush_on_last_del "yes"
user_friendly_names "no"
fast_io_fail_tmo 5
dev_loss_tmo 30
bindings_file "/etc/multipath/bindings"
wwids_file /etc/multipath/wwids
log_checker_err always
find_multipaths no
retain_attached_hw_handler no
detect_prio no
hw_str_match no
force_sync no
deferred_remove no
ignore_new_boot_devs no
skip_kpartx no
config_dir "/etc/multipath/conf.d"
delay_watch_checks no
delay_wait_checks no
retrigger_tries 3
retrigger_delay 10
missing_uev_wait_timeout 30
new_bindings_in_boot no
}
Any hint on how to tune multipath.conf so that a powering on server doesn't
create problems to running VMs?
Thanks in advance,
Gianluca
5 years, 4 months
Changing gateway ping address
by Matteo
Hi all,
I need to change the gateway ping address, the one used by hosted engine setup.
Is ok to edit /etc/ovirt-hosted-engine/hosted-engine.conf on each node,
update the gateway param with the new ip address and restart
the agent&broker on each node?
With a blind test seems ok, but need to understand if is the right procedure.
Thanks,
Matteo
5 years, 4 months
oVirt VM backup and restore
by raphael awadallah
Dears Engineers,
I hope you are doing great,
I wish you can help me with a tutorial that shows how to take a scheduled
backups for virtual machines running on oVirt node 4 and how to restore
them.
Best regards
5 years, 5 months
Unable to add permissions for LDAP users
by Michael Burch
--_000_SN1PR10MB071807A20FF1DCCB62983C19D5C70SN1PR10MB0718namp_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
I'm using the latest ovirt on CentOS7 with the aaa-ldap extension. I can su=
ccessfully authenticate as an LDAP user. I can also login as admin@internal=
and search for, find, and select LDAP users but I cannot add permissions f=
or them. Each time I get the error "User admin@internal-authz failed to gra=
nt permission for Role UserRole on System to User/Group <UNKNOWN>."
I have no control over the LDAP server, which uses custom objectClasses and=
uses groupOfNames instead of PosixGroups. I assume I need to set sequence =
variables to accommodate our group configuration but I'm at a loss as to wh=
ere to begin. the The config I have is as follows:
include =3D <rfc2307-generic.properties>
vars.server =3D labauth.lan.lab.org
pool.authz.auth.type =3D none
pool.default.serverset.type =3D single
pool.default.serverset.single.server =3D ${global:vars.server}
pool.default.ssl.startTLS =3D true
pool.default.ssl.insecure =3D true
pool.default.connection-options.connectTimeoutMillis =3D 10000
pool.default.connection-options.responseTimeoutMillis =3D 90000
sequence-init.init.100-my-basedn-init-vars =3D my-basedn-init-vars
sequence.my-basedn-init-vars.010.description =3D set baseDN
sequence.my-basedn-init-vars.010.type =3D var-set
sequence.my-basedn-init-vars.010.var-set.variable =3D simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value =3D o=3DLANLAB
sequence-init.init.101-my-objectclass-init-vars =3D my-objectclass-init-var=
s
sequence.my-objectclass-init-vars.020.description =3D set objectClass
sequence.my-objectclass-init-vars.020.type =3D var-set
sequence.my-objectclass-init-vars.020.var-set.variable =3D simple_filterUse=
rObject
sequence.my-objectclass-init-vars.020.var-set.value =3D (objectClass=3DlabP=
erson)(uid=3D*)
search.default.search-request.derefPolicy =3D NEVER
sequence-init.init.900-local-init-vars =3D local-init-vars
sequence.local-init-vars.010.description =3D override name space
sequence.local-init-vars.010.type =3D var-set
sequence.local-init-vars.010.var-set.variable =3D simple_namespaceDefault
sequence.local-init-vars.010.var-set.value =3D *
sequence.local-init-vars.020.description =3D apply filter to users
sequence.local-init-vars.020.type =3D var-set
sequence.local-init-vars.020.var-set.variable =3D simple_filterUserObject
sequence.local-init-vars.020.var-set.value =3D ${seq:simple_filterUserObjec=
t}(employeeStatus=3D3)
sequence.local-init-vars.030.description =3D apply filter to groups
sequence.local-init-vars.030.type =3D var-set
sequence.local-init-vars.030.var-set.variable =3D simple_filterGroupObject
sequence.local-init-vars.030.var-set.value =3D (objectClass=3DgroupOfUnique=
Names)
--_000_SN1PR10MB071807A20FF1DCCB62983C19D5C70SN1PR10MB0718namp_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-=
1">
<style type=3D"text/css" style=3D"display:none;"><!-- P {margin-top:0;margi=
n-bottom:0;} --></style>
</head>
<body dir=3D"ltr">
<div id=3D"divtagdefaultwrapper" style=3D"font-size:12pt;color:#000000;font=
-family:Calibri,Arial,Helvetica,sans-serif;">
<p>I'm using the latest ovirt on CentOS7 with the aaa-ldap extension. I can=
successfully authenticate as an LDAP user. I can also login as admin@inter=
nal and search for, find, and select LDAP users but I cannot add permission=
s for them. Each time I get the
error "<span>User admin@internal-authz failed to grant permission for=
Role UserRole on System to User/Group <UNKNOWN>.</span>"</p>
<p><br>
</p>
<p>I have no control over the LDAP server, which uses custom objectClasses =
and uses groupOfNames instead of PosixGroups. I assume I need to set sequen=
ce variables to accommodate our group configuration but I'm at a loss as to=
where to begin. the The config
I have is as follows:</p>
<p><br>
</p>
<p></p>
<div>include =3D <rfc2307-generic.properties><br>
<br>
vars.server =3D labauth.lan.lab.org<br>
<br>
pool.authz.auth.type =3D none<br>
pool.default.serverset.type =3D single<br>
pool.default.serverset.single.server =3D ${global:vars.server}<br>
pool.default.ssl.startTLS =3D true<br>
pool.default.ssl.insecure =3D true<br>
<br>
pool.default.connection-options.connectTimeoutMillis =3D 10000<br>
pool.default.connection-options.responseTimeoutMillis =3D 90000<br>
sequence-init.init.100-my-basedn-init-vars =3D my-basedn-init-vars<br>
sequence.my-basedn-init-vars.010.description =3D set baseDN<br>
sequence.my-basedn-init-vars.010.type =3D var-set<br>
sequence.my-basedn-init-vars.010.var-set.variable =3D simple_baseDN<br>
sequence.my-basedn-init-vars.010.var-set.value =3D o=3DLANLAB<br>
<br>
sequence-init.init.101-my-objectclass-init-vars =3D my-objectclass-init-var=
s<br>
sequence.my-objectclass-init-vars.020.description =3D set objectClass<br>
sequence.my-objectclass-init-vars.020.type =3D var-set<br>
sequence.my-objectclass-init-vars.020.var-set.variable =3D simple_filterUse=
rObject<br>
sequence.my-objectclass-init-vars.020.var-set.value =3D (objectClass=3DlabP=
erson)(uid=3D*)<br>
<br>
search.default.search-request.derefPolicy =3D NEVER<br>
<br>
sequence-init.init.900-local-init-vars =3D local-init-vars<br>
sequence.local-init-vars.010.description =3D override name space<br>
sequence.local-init-vars.010.type =3D var-set<br>
sequence.local-init-vars.010.var-set.variable =3D simple_namespaceDefault<b=
r>
sequence.local-init-vars.010.var-set.value =3D *<br>
<br>
sequence.local-init-vars.020.description =3D apply filter to users<br>
sequence.local-init-vars.020.type =3D var-set<br>
sequence.local-init-vars.020.var-set.variable =3D simple_filterUserObject<b=
r>
sequence.local-init-vars.020.var-set.value =3D ${seq:simple_filterUserObjec=
t}(employeeStatus=3D3)<br>
<br>
sequence.local-init-vars.030.description =3D apply filter to groups<br>
sequence.local-init-vars.030.type =3D var-set<br>
sequence.local-init-vars.030.var-set.variable =3D simple_filterGroupObject<=
br>
sequence.local-init-vars.030.var-set.value =3D (objectClass=3DgroupOfUnique=
Names)<br>
<br>
<br>
</div>
<p></p>
</div>
</body>
</html>
--_000_SN1PR10MB071807A20FF1DCCB62983C19D5C70SN1PR10MB0718namp_--
5 years, 5 months
ovirt 4 reboot behaviour
by Giulio Casella
Hi,
I noticed a different behaviour after upgrading my entire setup from
rhev 3.6.9 to rhev 4.0.5.
A virtual machine reboot changes the host where the VM is running, also
if the VM was started in "run once" mode with a payload specifying a
placement policy. In version 3 the VM didn't change host across a
reboot; and continued running in run once mode, keeping the same payload
given at start time.
Is there a way to keep the VM running on the same host across a reboot,
excluding the obvious (but time consuming) way of migration after reboot?
If not (but this is a request for enhancement), is it possible to
introduce a payload for reboot (just like for "start") to specify the
placement policy?
Thank you in advance,
gc
5 years, 5 months