
I found why the group_ids field is wrong. If you look at the ad_groups table, the name for the group is "<domain here>/Groups/sysadmin"; however if you look at the groups field in the users table it says "<domain here>/groups/sysadmin". I tried updating the name field in the ad_groups table to match "<domain here>/groups/sysadmin", then removed and added a user; now the id for that group in the group_ids field is being set correctly. This is at least a usable workaround for now. Now we need to find the root cause.
On Sun, Aug 17, 2014 at 10:39 AM, Paul Robert Marino <prmarino1@gmail.com> wrote:
Confirmed, that does seem to be the cause. I updated the group_ids field of a user to the appropriate IDs from ad_groups and it fixed that user. In answer to your question "Did you first add the group, and then added users (that belong to a group) either by adding users, or by adding a permission?": I've tried it every different way I can think of; the results are always the same.
On Sun, Aug 17, 2014 at 9:46 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
----- Original Message -----
From: "Paul Robert Marino" <prmarino1@gmail.com>
To: "Yair Zaslavsky" <yzaslavs@redhat.com>
Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org
Sent: Sunday, August 17, 2014 4:33:30 PM
Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
Here are the results of the queries you asked for:

 group_ids | groups
-----------+--------
 00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000 | <domain here>/groups/sysadmin,<domain here>/groups/pmarino,<domain here>/groups/pd managers,<domain here>/groups/qa managers,<domain here>/groups/accounting managers,<domain here>/directory administrators
(1 row)

engine=# select id, name from ad_groups;
                  id                  |             name
--------------------------------------+---------------------------------------
 eee00000-0000-0000-0000-123456789eee | Everyone
 2a8a8401-fc9e-11e3-8742-861538ea406a | <domain here>/Groups/sysadmin
(2 rows)
It does look like there is something wrong in the association of users to their group IDs. Just to make sure I'm not missing anything: did you first add the group, and then add users (that belong to a group) either by adding users, or by adding a permission?
Yair
On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
----- Original Message -----
From: "Paul Robert Marino" <prmarino1@gmail.com>
To: "Yair Zaslavsky" <yzaslavs@redhat.com>
Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org
Sent: Wednesday, August 13, 2014 11:47:40 PM
Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
Ok, so before I open a bug ticket I want to confirm I'm not doing anything wrong here. I upgraded to 3.4; now it says "Active: false" on LDAP groups.
Again I tried to add the sysadmin group from the directory server and set the power user and super user roles on the group; it shows up as "<domain name>/Groups/sysadmin". I added the permissions by clicking on the configure link on the top of the screen and set them in the "System Permissions" tab.
Sounds good so far. I assume you also see the permissions in the permissions sub tab when you click the group.
I added a user (pmarino) to the system, which in the "Directory Group" tab shows "sysadmin groups <domain name>" among others; however in the Permissions tab it only shows the permissions inherited by "Everyone", it does not show any permissions inherited by the sysadmin group.
This is not good - I mean, it should have worked.
Just to prove it didn't work, I logged out and attempted to log back in as the user (pmarino); it wouldn't let me log in.
I logged back in as the internal admin user, then I added the SuperUser permissions directly to the pmarino account and logged back out again. Now when I logged in as pmarino it gave me the access I expected.
Can I please ask you to provide some database info?
It would be awesome if you could provide the results of the following SQL queries:
select group_ids, groups from users where username ilike '%pmarino%';
In addition, please perform: select id, name from ad_groups;
Thanks for your help.
P.S. - As far as I understand, the two bugs mentioned by Itamar (I mean, the solution to the bugs) should have fixed your issue as well.
Here is the relevant portion of the engine log:

2014-08-13 16:00:38,801 INFO [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5) [1e7fa420] Running command: AddGroupCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:00:38,813 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call Stack: null, Custom Event ID: -1, Message: User '<domain name>/Groups/sysadmin' was added successfully to the system.
2014-08-13 16:09:01,352 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System, ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:09:01,371 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID: 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role SuperUser on System by admin.
2014-08-13 16:10:40,963 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System, ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:10:40,979 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID: b42abcb, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role PowerUserRole on System by admin.
2014-08-13 16:20:53,891 INFO [org.ovirt.engine.core.bll.AddUserCommand] (ajp-/127.0.0.1:8702-4) [58e00be1] Running command: AddUserCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:20:53,919 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1, Call Stack: null, Custom Event ID: -1, Message: User 'pmarino' was added successfully to the system.
2014-08-13 16:35:52,202 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino failed to log in.
2014-08-13 16:35:52,202 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-10) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2014-08-13 16:39:48,048 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:39:48,069 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID: 5ba3c874, Call Stack: null, Custom Event ID: -1, Message: User/Group pmarino was granted permission for Role SuperUser on System by admin.
2014-08-13 16:40:43,357 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino logged in.
On Mon, Aug 11, 2014 at 1:41 PM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
----- Original Message -----
> From: "Yair Zaslavsky" <yzaslavs@redhat.com>
> To: "Itamar Heim" <iheim@redhat.com>
> Cc: users@ovirt.org
> Sent: Monday, August 11, 2014 8:13:53 PM
> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>
> I have checked the codebase of 3.3 -
> the "active" field is used for presentation purpose only.

Presentation wise only - means that it is not used for our permissions calculation, for example.

> Alon has addressed our plans for this in his previous comments.
> I hope this clarifies more..
>
> Yair
>
> ----- Original Message -----
> > From: "Itamar Heim" <iheim@redhat.com>
> > To: "Alon Bar-Lev" <alonbl@redhat.com>, "Paul Robert Marino" <prmarino1@gmail.com>
> > Cc: users@ovirt.org
> > Sent: Sunday, August 10, 2014 11:54:05 PM
> > Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >
> > On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
> > > ----- Original Message -----
> > >> From: "Paul Robert Marino" <prmarino1@gmail.com>
> > >> To: "Alon Bar-Lev" <alonbl@redhat.com>
> > >> Cc: "Maurice James" <mjames@media-node.com>, users@ovirt.org
> > >> Sent: Sunday, August 10, 2014 10:43:14 PM
> > >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> > >>
> > >> Sorry for my delayed response to this.
> > >>
> > >> I am using ovirt 3.3.
> > >> I am using Kerberos 5, and all of the DNS requirements are in place.
> > >> Finally, 389 server is the upstream project for RHDS and one of the upstream projects for IPA.
> > >> So I chose to set it as RHDS because it's an identical match.
> > >>
> > >> User authentication works just fine; my problem is adding roles to groups.
> > >> I can assign a role to a group but the group always shows an inactive status; however if I assign a role directly to a user it works fine.
> > >> In addition, if I drill down into a user it knows what groups in the 389 server the user is a member of.
> > >>
> > >> Finally, I can't see any error in the logs when adding a role to a group.
> > >>
> > >
> > > Please open a bug, I am unsure that it will be addressed before 3.5, as we have done major rework for the authentication and authorization to make it much more versatile. Even if there will be a fix it will be provided to 3.4.z.
> > >
> > > It will be best if you want to test this scenario in 3.5 release candidate and the new ldap provider, so we can address the issue before 3.5 release if exists.
> > >
> >
> > could also be one of these fixed in 3.4:
> > 3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it does not inherit the group permissions
> > 3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to a group indirectly, it does not inherit the group permissions
> >
> > >>
> > >> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alonbl@redhat.com> wrote:
> > >>>
> > >>> ----- Original Message -----
> > >>>> From: "Maurice James" <mjames@media-node.com>
> > >>>> To: "Alon Bar-Lev" <alonbl@redhat.com>
> > >>>> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org
> > >>>> Sent: Saturday, August 9, 2014 3:47:04 AM
> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> > >>>>
> > >>>> Does this still require the use of kerberos? Will 389-ds work on its own?
> > >>>
> > >>> In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap mix.
> > >>>
> > >>> It will be great to receive feedback[2].
> > >>>
> > >>> 389ds is not supported directly, I think it is similar to IPA as it uses 389. Maybe I should rename the profile of ipa to 389 if it works properly.
> > >>>
> > >>> Regards,
> > >>> Alon
> > >>>
> > >>> [1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;...
> > >>> [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
> > >>>
> > >>>> ----- Original Message -----
> > >>>> From: "Alon Bar-Lev" <alonbl@redhat.com>
> > >>>> To: "Itamar Heim" <iheim@redhat.com>
> > >>>> Cc: users@ovirt.org
> > >>>> Sent: Friday, August 8, 2014 3:45:07 PM
> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> > >>>>
> > >>>> ----- Original Message -----
> > >>>>> From: "Itamar Heim" <iheim@redhat.com>
> > >>>>> To: "Paul Robert Marino" <prmarino1@gmail.com>, users@ovirt.org
> > >>>>> Sent: Friday, August 8, 2014 10:37:11 PM
> > >>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> > >>>>>
> > >>>>> On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
> > >>>>>> I have ovirt engine running and connected to a 389 server with the memberof plugin enabled and working properly.
> > >>>>>>
> > >>>>>> I can add users and assign them to roles without any issues.
> > >>>>>>
> > >>>>>> When I look at a user I can see all the LDAP groups they are a member of.
> > >>>>>>
> > >>>>>> When I run engine-manage-domains -action=validate it tells me the domain is valid.
> > >>>>>>
> > >>>>>> Here is my problem: when I try to assign a role to an LDAP group it looks like it works, but in the general tab under the group it tells me the status is Inactive.
> > >>>>>>
> > >>>>>> Does anyone know how to enable the group?
> > >>>>>> _______________________________________________
> > >>>>>> Users mailing list
> > >>>>>> Users@ovirt.org
> > >>>>>> http://lists.ovirt.org/mailman/listinfo/users
> > >>>>>>
> > >>>>>
> > >>>>> 3.4 or new 3.5 Generic LDAP provider?
> > >>>>
> > >>>> In case this is 3.5 it is a known issue: all groups will be seen as inactive, this field will probably be removed from UI, as groups are no longer fetched periodically.
> > >>>> This field is totally ignored.
> > >>>>
> > >>>> Alon
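A read-only diagnostic for the case mismatch Paul describes at the top of this thread, added here as an example and not part of the thread or of oVirt itself. It assumes the engine's PostgreSQL database, with users.group_ids and users.groups stored as comma-separated strings exactly as they appear in the psql output quoted above, and that the all-zero UUID is what group_ids holds when a group name could not be resolved.

```sql
-- Added diagnostic (not oVirt code): list users whose group_ids still carry
-- the all-zero placeholder UUID seen in the thread, split their "groups"
-- column into individual names, and check whether each name matches an
-- ad_groups row exactly or only case-insensitively (Groups/ vs groups/).
-- Assumes PostgreSQL and the comma-separated layout shown in the psql output.
with affected as (
    select username, group_ids, groups
    from users
    where group_ids like '%00000000-0000-0000-0000-000000000000%'
),
split_groups as (
    -- one row per (user, group name); trim() drops stray whitespace
    select username,
           trim(regexp_split_to_table(groups, ',')) as group_name
    from affected
)
select s.username,
       s.group_name,
       exact_match.id as exact_id,             -- NULL when only the case differs
       ci_match.id    as case_insensitive_id,  -- set when the name matches ignoring case
       ci_match.name  as ad_groups_name        -- spelling the engine actually stored
from split_groups s
left join ad_groups exact_match on exact_match.name = s.group_name
left join ad_groups ci_match    on lower(ci_match.name) = lower(s.group_name)
order by s.username, s.group_name;
```

Rows with exact_id NULL and case_insensitive_id set are the ones hit by the mismatch; ad_groups_name shows which spelling the engine stored, so the workaround can be applied to exactly those rows rather than by guessing.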