From: Ondra Machacek <omachace at redhat.com>
To: users at ovirt.org
Subject: Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting
Date: Fri, 30 Sep 2016 15:45:47 +0200
In-Reply-To: 4096421475242490@web25g.yandex.ru

'/etc/httpd/s-oVirt-Krb.keytab' is the Apache keytab, you can't try to test
login with it. You should try something like `kinit myuser` and then curl.
And be sure that 'myuser' has appropriate permissions in oVirt.

Have you properly set up your browser and enabled negotiation (for example
for Firefox [1])?

[1] https://docs.fedoraproject.org/en-US/Fedora/11/html/Security_Guide/sect-Security_Guide-Single_Sign_on_SSO-Configuring_Firefox_to_use_Kerberos_for_SSO.html

On 09/30/2016 03:34 PM, aleksey.maksimov(a)it-kb.ru wrote:
> # kinit -V -k -t /etc/httpd/s-oVirt-Krb.keytab HTTP/kom-ad01-ovirt1.ad.holding.com
>
> Using existing cache: persistent:0:0
> Using principal: HTTP/kom-ad01-ovirt1.ad.holding.com@AD.HOLDING.COM
> Using keytab: /etc/httpd/s-oVirt-Krb.keytab
> Authenticated to Kerberos v5
>
> # klist
>
> Ticket cache: KEYRING:persistent:0:0
> Default principal: HTTP/kom-ad01-ovirt1.ad.holding.com@AD.HOLDING.COM
>
> Valid starting       Expires              Service principal
> 09/30/2016 16:28:02  10/01/2016 02:28:02  krbtgt/AD.HOLDING.COM@AD.HOLDING.COM
>         renew until 10/07/2016 16:28:02
>
> # curl --negotiate -u : -X GET -H "Accept: application/xml" -k https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
>
> ErrorUnauthorized
>
> However, if I open this URL (https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api) in browser it opens without errors and authorization requests
>
> # tail -f /var/log/httpd/ssl_error_log
> # tail -f /var/log/ovirt-engine/engine.log
>
> In the logs nothing in that moment when I open the portal in the browser.
>
> 30.09.2016, 15:52, "Ondra Machacek" :
>
>> So if you run kinit and then:
>>
>> $ curl --negotiate -u : -X GET -H "Accept: application/xml" -k
>> https://fqdn/ovirt-engine/api
>>
>> It's fine?
>>
>>> Please tell me how to find the cause of the problem. What are the steps to troubleshooting to do?
>>
>> On oVirt engine check:
>>
>> /var/log/httpd/ssl_error_log
>> /var/log/ovirt-engine/engine.log
>>
>> On AD check kerberos log.
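
Added example, not part of the original thread: a small check over `klist` output that tells a cache filled from the web server keytab (the situation in the quoted message) apart from a user cache that holds a service ticket after `curl --negotiate`. The function name `check_sso_cache`, the host `engine.example.test` and the realm `EXAMPLE.TEST` are hypothetical, and both sample caches are constructed.

```sh
#!/bin/sh
# Classify `klist` output (stdin) for an SSO test of https://<fqdn>/ovirt-engine/api.
# Usage: klist | check_sso_cache <fqdn>
# Prints: service-principal | no-tgt | no-service-ticket | ok
# Assumes the service ticket is issued for HTTP/<fqdn> exactly as typed in the URL.
check_sso_cache() {
    awk -v fqdn="$1" '
        /^Default principal:/ { princ = $3 }
        # Ticket rows start with a date; the service principal is the last field.
        /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]/ {
            svc = tolower($NF)
            if (index(svc, "krbtgt/") == 1) tgt = 1
            if (index(svc, "http/" tolower(fqdn) "@") == 1) http = 1
        }
        END {
            # Heuristic: a "/" in the default principal means a service identity
            # (e.g. the Apache keytab), not the user whose login is being tested.
            if (index(princ, "/")) print "service-principal"
            else if (!tgt)         print "no-tgt"
            else if (!http)        print "no-service-ticket"
            else                   print "ok"
        }'
}

# Constructed sample: cache filled from the web server keytab.
sample_keytab_cache() {
    cat <<'EOF'
Ticket cache: KEYRING:persistent:0:0
Default principal: HTTP/engine.example.test@EXAMPLE.TEST

Valid starting       Expires              Service principal
09/30/2016 16:28:02  10/01/2016 02:28:02  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
        renew until 10/07/2016 16:28:02
EOF
}

# Constructed sample: `kinit myuser`, then curl --negotiate obtained a service ticket.
sample_user_cache() {
    cat <<'EOF'
Ticket cache: KEYRING:persistent:1000:1000
Default principal: myuser@EXAMPLE.TEST

Valid starting       Expires              Service principal
09/30/2016 16:40:10  10/01/2016 02:40:10  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
09/30/2016 16:40:25  10/01/2016 02:40:10  HTTP/engine.example.test@EXAMPLE.TEST
EOF
}

sample_keytab_cache | check_sso_cache engine.example.test   # service-principal
sample_user_cache   | check_sso_cache engine.example.test   # ok
```

A result of `no-service-ticket` after running curl means the client never got a ticket for the engine's HTTP service, which points at the SPN or DNS name rather than at oVirt permissions.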