[ovirt-users] Re: oVirt 4.3.1 with AD creates new user at every login

On Mon, Mar 11, 2019 at 4:49 AM Martin Perina <mperina(a)redhat.com&gt; wrote: > > > On Sat, Mar 9, 2019 at 10:43 AM <l.kamara(a)imperial.ac.uk&gt; wrote: > >> > I just did a clean install of oVirt 4.3.1 (engine and nodes). >> > >> > I setup AD authentication and gave an AD group permissions needed work >> with >> > VMs. I gave them PowerUserRole on the Cluster and Storage. >> > >> > Users in the AD group can login and create VMs but after they log out >> and >> > log back in they don't see any of the VMs created in the previous >> session. >> > >> > I noticed that in Administration -> Users a new row is created for each >> > user every time they login. All columns for each user are the same: >> same >> > first and last name, same user name, authorization provider, and so on >> but >> > the behavior looks very much like they are being treated as new user >> every >> > time they login. >> > > Ravi, is above the same issue as tracked in > https://bugzilla.redhat.com/show_bug.cgi?id=1672860 ? > >> >> Yes it is the same issue and should be fixed by [1] [1] https://gerrit.ovirt.org/#/c/98169/ > >> I have observed the same behaviour with oVirt 4.3.XY >> >> Delving deeper, in the oVirt engine 'users' table, external_id is *not* >> being set for AD users as documented in (e.g.) >> engines/packaging/dbscripts/common_sp.sql >> >> "The external identifier is the user identifier converted to an array of >> bytes:" >> >> ovirt 4.3.0 >> user@domain | f3de0b27-c2a0-463b-a2ff-d480bd88c77f | >> ece7b8c2-4983-4c1e-9a33-c28d58d40213 >> >> >> And under ovirt 4.2.8 for comparison: >> >> username | user_id | >> external_id >> user@domain | 364d176e-8813-4e67-bdd0-dc10b823d23c | >> af5bbg/eTkuktBPXW4Ak5g== >> >> >> Further information on replicating the issue: >> >> 1) Configure LDAP authentication: >> >> >> https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html... >> >> >> 2) Add an LDAP group via the Administration Portal: >> >> Administration >> Users > 'Add' button, click 'Group' >> radio-button, select the relevant LDAP authorization >> select the relevant LDAP authorization provider in the >> drop-down list under 'Search', enter the LDAP group >> in the search text-box then click 'GO'. >> >> The found group should appear below. Select the >> toggle-button to the left of the group then click >> 'Add and Close'. >> >> >> 3) Add SuperUser system permission for the LDAP group. >> >> Back under Administration >> Users, click the 'Group' >> button if groups are not already displayed. Click on >> the LDAP group added in the previous step then click >> 'Permissions' -> 'Add System Permissions' >> >> >> 4) Log into the Administration Portal as an LDAP group member. >> Logout then log back into the Administration Portal as a >> member of the LDAP group specified above. Login should be >> successful because that user will inherit the SuperUser >> system permission but note the following issues below: >> >> - under Administration >> Users, note that a 'User' icon >> is displayed for the LDAP user rather than an 'Admin' icon. >> This is in contrast to 4.2.8, where an Admin icon would >> be displayed. >> >> >> 5) Repeat step 4 above. >> If you logout then log back into the Administration Portal as >> the same member of the LDAP group specified above then >> check Administration >> Users, an additional user entry appears: >> same First Name, Last Name, Authorization provider, Namespace >> and E-mail. >> _______________________________________________ >> Users mailing list -- users(a)ovirt.org >> To unsubscribe send an email to users-leave(a)ovirt.org >> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >> oVirt Code of Conduct: >> https://www.ovirt.org/community/about/community-guidelines/ >> List Archives: >> https://lists.ovirt.org/archives/list/users@ovirt.org/message/PC2JLU65QED... >> > > > -- > Martin Perina > Associate Manager, Software Engineering > Red Hat Czech s.r.o. > _______________________________________________ Users mailing list -- users(a)ovirt.org To unsubscribe send an email to users-leave(a)ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/REPKBSLKHRM...