I found why the group_ids field is wrong
If you look at the ad_groups table then mane for the group is "<domain
here>/Groups/sysadmin" however if you look at the groups field in the
users table it says "<domain here>/groups/sysadmin"
I tried updating the name field in the ad_groups table to match
"<domain here>/groups/sysadmin" then removed and added a user now the
if for that group in the group_ids field is being set correctly.
This is at least a usable workaround for now. now we need to find the
root cause.
On Sun, Aug 17, 2014 at 10:39 AM, Paul Robert Marino
<prmarino1(a)gmail.com> wrote:
confirmed that does seem to be the cause I updated the group_ids
field
of a user to the appropriate Id's from ad_groups and it fixed that
user.
in answer to your question "Did you first add the goup, and then added
users (that belong to a group) either by adding users, or by adding a
permission?" Ive tried it ever different way I can think of the
results are always the same.
On Sun, Aug 17, 2014 at 9:46 AM, Yair Zaslavsky <yzaslavs(a)redhat.com> wrote:
>
>
> ----- Original Message -----
>> From: "Paul Robert Marino" <prmarino1(a)gmail.com>
>> To: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
>> Cc: "Itamar Heim" <iheim(a)redhat.com>, users(a)ovirt.org
>> Sent: Sunday, August 17, 2014 4:33:30 PM
>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>>
>> here are the results of the queries you asked for
>>
>>
>> group_ids
>>
>> |
>>
>> groups
>>
>>
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------
>>
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>> ----
>>
00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000
>> | <domain here>/groups/sysadmin,<domain
here>/groups/pmarino,<domain
>> here>/groups/pd managers,<domain here>/groups/qa managers,<domain
>> here>/groups/accounting managers,<domain here>/directory administrat
>> ors
>> (1 row)
>>
>>
>> engine=# select id, name from ad_groups;
>> id | name
>> --------------------------------------+---------------------------------------
>> eee00000-0000-0000-0000-123456789eee | Everyone
>> 2a8a8401-fc9e-11e3-8742-861538ea406a | <domain here>/Groups/sysadmin
>> (2 rows)
>
> It does look that there is something wrong in the association of users to their group
IDS.
> Just to make sure I'm not missing anything -
> Did you first add the goup, and then added users (that belong to a group) either by
adding users, or by adding a permission?
>
> Yair
>
>>
>>
>>
>> On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky <yzaslavs(a)redhat.com>
wrote:
>> >
>> >
>> > ----- Original Message -----
>> >> From: "Paul Robert Marino" <prmarino1(a)gmail.com>
>> >> To: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
>> >> Cc: "Itamar Heim" <iheim(a)redhat.com>, users(a)ovirt.org
>> >> Sent: Wednesday, August 13, 2014 11:47:40 PM
>> >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>> >>
>> >> Ok so before I open a bug ticket I want to confirm I'm not doing
any
>> >> thing wrong here.
>> >> I upgraded to 3.4
>> >> now it says "Active: false " on LDAP groups.
>> >>
>> >> Again I tried to add the sysadmin group from the directory server and
>> >> set the power user and super user roles on the group
>> >> it shows up as "<domain name>/Groups/sysadmin"
>> >> I adder the permisions by clicking on the configure link on the top of
>> >> the screen and set them in the "System Permissions" tab
>> >
>> > Sounds good so far.
>> > I assume also you see the permissiosn in the permissions sub tab when you
>> > click the group.
>> >
>> >>
>> >> I added a user (pmarino) to the system which shows in the
"Directory
>> >> Group" tab shows "sysadmin groups <domian
name>" among others
>> >> however it only shows in the Permissions tab the permissions inherited
>> >> by "Everyone" it does not show any permissions inherited by
the
>> >> sysadmin group.
>> >
>> > This is not good - I mean, should have worked.
>> >
>> >>
>> >> just to prove it didnt work I logged out and attempted to log back in
>> >> as the user (pmarino) it wouldn't let me log in
>> >>
>> >> I logged back in as the internal admin user then I added the SuperUser
>> >> permissions directly to the pmarino account and logged back out again.
>> >> Now when I logged in as pmarino it gave me the access I expected.
>> >
>> > Can I please ask you to provide some database info ?
>> >
>> > It will be awesome if you can provide the following SQL queries results -
>> >
>> > select group_ids, groups from users where username ilike
'%pmarino%';
>> >
>> > In addition, please perform - select id, name from ad_groups;
>> >
>> > Thanks for your help.
>> >
>> > P.S - As far as I understand the two bugs mentioend by Itamar (I mean, the
>> > solution to the bugs) should have fixed your issue as well.
>> >
>> >
>> >
>> >>
>> >>
>> >>
>> >> Here is the relevant portion of the engine log
>> >> "
>> >> 2014-08-13 16:00:38,801 INFO
>> >> [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5)
>> >> [1e7fa420] Running command: AddGroupCommand internal: false. Entities
>> >> affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
>> >> 2014-08-13 16:00:38,813 INFO
>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> >> (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call
>> >> Stack: null, Custom Event ID: -1, Message: User '<domain
>> >> name>/Groups/sysadmin' was added successfully to the system.
>> >> 2014-08-13 16:09:01,352 INFO
>> >> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
>> >> (org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command:
>> >> AddSystemPermissionCommand internal: false. Entities affected : ID:
>> >> aaa00000-0000-0000-0000-123456789aaa Type: System, ID:
>> >> aaa00000-0000-0000-0000-123456789aaa Type: System
>> >> 2014-08-13 16:09:01,371 INFO
>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> >> (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID:
>> >> 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group
>> >> <domain name>/Groups/sysadmin was granted permission for Role
>> >> SuperUser on System by admin.
>> >> 2014-08-13 16:10:40,963 INFO
>> >> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
>> >> (org.ovirt.thread.pool-4-thread-26) [b42abcb] Running command:
>> >> AddSystemPermissionCommand internal: false. Entities affected : ID:
>> >> aaa00000-0000-0000-0000-123456789aaa Type: System, ID:
>> >> aaa00000-0000-0000-0000-123456789aaa Type: System
>> >> 2014-08-13 16:10:40,979 INFO
>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> >> (org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID: b42abcb,
>> >> Call Stack: null, Custom Event ID: -1, Message: User/Group <domain
>> >> name>/Groups/sysadmin was granted permission for Role PowerUserRole
on
>> >> System by admin.
>> >> 2014-08-13 16:20:53,891 INFO
>> >> [org.ovirt.engine.core.bll.AddUserCommand] (ajp-/127.0.0.1:8702-4)
>> >> [58e00be1] Running command: AddUserCommand internal: false. Entities
>> >> affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
>> >> 2014-08-13 16:20:53,919 INFO
>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> >> (ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1, Call
>> >> Stack: null, Custom Event ID: -1, Message: User 'pmarino' was
added
>> >> successfully to the system.
>> >> 2014-08-13 16:35:52,202 INFO
>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> >> (ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null,
>> >> Custom Event ID: -1, Message: User pmarino failed to log in.
>> >> 2014-08-13 16:35:52,202 WARN
>> >> [org.ovirt.engine.core.bll.LoginAdminUserCommand]
>> >> (ajp-/127.0.0.1:8702-10) CanDoAction of action LoginAdminUser failed.
>> >> Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>> >> 2014-08-13 16:39:48,048 INFO
>> >> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
>> >> (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Running command:
>> >> AddSystemPermissionCommand internal: false. Entities affected : ID:
>> >> aaa00000-0000-0000-0000-123456789aaa Type: System
>> >> 2014-08-13 16:39:48,069 INFO
>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> >> (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID:
>> >> 5ba3c874, Call Stack: null, Custom Event ID: -1, Message: User/Group
>> >> pmarino was granted permission for Role SuperUser on System by admin.
>> >> 2014-08-13 16:40:43,357 INFO
>> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> >> (ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null, Custom
>> >> Event ID: -1, Message: User pmarino logged in.
>> >>
>> >> "
>> >>
>> >> On Mon, Aug 11, 2014 at 1:41 PM, Yair Zaslavsky
<yzaslavs(a)redhat.com>
>> >> wrote:
>> >> >
>> >> >
>> >> > ----- Original Message -----
>> >> >> From: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
>> >> >> To: "Itamar Heim" <iheim(a)redhat.com>
>> >> >> Cc: users(a)ovirt.org
>> >> >> Sent: Monday, August 11, 2014 8:13:53 PM
>> >> >> Subject: Re: [ovirt-users] ovirt with 389 server inactive
groups
>> >> >>
>> >> >> I have checked the codebase of 3.3 -
>> >> >> the "active" field is used for presentation purpose
only.
>> >> >
>> >> > Presentation wise only - means that it is not used for our
permissions
>> >> > calculation , for example.
>> >> >
>> >> >> Alon has addressed our plans for this in his previous
comments.
>> >> >> I hope this clarifies more..
>> >> >>
>> >> >> Yair
>> >> >>
>> >> >>
>> >> >> ----- Original Message -----
>> >> >> > From: "Itamar Heim" <iheim(a)redhat.com>
>> >> >> > To: "Alon Bar-Lev" <alonbl(a)redhat.com>,
"Paul Robert Marino"
>> >> >> > <prmarino1(a)gmail.com>
>> >> >> > Cc: users(a)ovirt.org
>> >> >> > Sent: Sunday, August 10, 2014 11:54:05 PM
>> >> >> > Subject: Re: [ovirt-users] ovirt with 389 server inactive
groups
>> >> >> >
>> >> >> > On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
>> >> >> > >
>> >> >> > >
>> >> >> > > ----- Original Message -----
>> >> >> > >> From: "Paul Robert Marino"
<prmarino1(a)gmail.com>
>> >> >> > >> To: "Alon Bar-Lev"
<alonbl(a)redhat.com>
>> >> >> > >> Cc: "Maurice James"
<mjames(a)media-node.com>, users(a)ovirt.org
>> >> >> > >> Sent: Sunday, August 10, 2014 10:43:14 PM
>> >> >> > >> Subject: Re: [ovirt-users] ovirt with 389 server
inactive groups
>> >> >> > >>
>> >> >> > >> Sorry for my delayed response to this
>> >> >> > >>
>> >> >> > >> I am using ovirt 3.3.
>> >> >> > >> I am using Kerberos 5, and all of the DNS
requirements are in
>> >> >> > >> place.
>> >> >> > >> Finally 389 server is the upstream project for
RHDS and one of the
>> >> >> > >> upstream projects for IPA.
>> >> >> > >> So I chose to set it as RHDS because its an
identical match.
>> >> >> > >>
>> >> >> > >> User authentication works just fine my problem is
adding roles to
>> >> >> > >> groups.
>> >> >> > >> I can assign a role to a group but the group
always shows an
>> >> >> > >> inactive
>> >> >> > >> status; however if I assign a role directly to to
a user it works
>> >> >> > >> fine.
>> >> >> > >> In addition if I drill down into a user it knows
what groups in
>> >> >> > >> the
>> >> >> > >> 389 server the user is a member of.
>> >> >> > >>
>> >> >> > >> finally I can't see any error in the logs
when adding a role to a
>> >> >> > >> group
>> >> >> > >>
>> >> >> > >
>> >> >> > > Please open a bug, I am unsure that it will be
addressed before
>> >> >> > > 3.5,
>> >> >> > > as
>> >> >> > > we
>> >> >> > > have done major rework for the authentication and
authorization to
>> >> >> > > make
>> >> >> > > it
>> >> >> > > much more versatile. Even if there will be a fix it
will be
>> >> >> > > provided
>> >> >> > > to
>> >> >> > > 3.4.z.
>> >> >> > >
>> >> >> > > It will be best if you want to test this scenario in
3.5 release
>> >> >> > > candidate
>> >> >> > > and the new ldap provider, so we can address the
issue before 3.5
>> >> >> > > release
>> >> >> > > if exists.
>> >> >> > >
>> >> >> >
>> >> >> > could also be one of these fixed in 3.4:
>> >> >> > 3.4.0 - Bug 1065615 - When adding a user that belongs to a
group, it
>> >> >> > does not inherit the group permissions
>> >> >> > 3.4.1 - Bug 1069562 - When assigning permissions to user
that belongs
>> >> >> > to
>> >> >> > a group indirectly, it does not inherit the group
permissions
>> >> >> >
>> >> >> > >>
>> >> >> > >>
>> >> >> > >> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev
<alonbl(a)redhat.com>
>> >> >> > >> wrote:
>> >> >> > >>>
>> >> >> > >>>
>> >> >> > >>> ----- Original Message -----
>> >> >> > >>>> From: "Maurice James"
<mjames(a)media-node.com>
>> >> >> > >>>> To: "Alon Bar-Lev"
<alonbl(a)redhat.com>
>> >> >> > >>>> Cc: "Itamar Heim"
<iheim(a)redhat.com>, users(a)ovirt.org
>> >> >> > >>>> Sent: Saturday, August 9, 2014 3:47:04
AM
>> >> >> > >>>> Subject: Re: [ovirt-users] ovirt with 389
server inactive groups
>> >> >> > >>>>
>> >> >> > >>>> Does this still require the use of
kerberos? Will 389-ds work on
>> >> >> > >>>> its
>> >> >> > >>>> own?
>> >> >> > >>>
>> >> >> > >>> In 3.5 we introduced pure ldap support[1],
obsoleting the
>> >> >> > >>> kerberos/ldap
>> >> >> > >>> mix.
>> >> >> > >>>
>> >> >> > >>> It will be great to receive feedback[2].
>> >> >> > >>>
>> >> >> > >>> 389ds is not supported directly, I think it
is similar to IPA as
>> >> >> > >>> it
>> >> >> > >>> uses
>> >> >> > >>> 389. Maybe I should rename the profile of ipa
to 389 if it works
>> >> >> > >>> properly.
>> >> >> > >>>
>> >> >> > >>> Regards,
>> >> >> > >>> Alon
>> >> >> > >>>
>> >> >> > >>> [1]
>> >> >> > >>>
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=bl...
>> >> >> > >>> [2]
>> >> >> > >>>
http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
>> >> >> > >>>
>> >> >> > >>>>
>> >> >> > >>>> ----- Original Message -----
>> >> >> > >>>> From: "Alon Bar-Lev"
<alonbl(a)redhat.com>
>> >> >> > >>>> To: "Itamar Heim"
<iheim(a)redhat.com>
>> >> >> > >>>> Cc: users(a)ovirt.org
>> >> >> > >>>> Sent: Friday, August 8, 2014 3:45:07 PM
>> >> >> > >>>> Subject: Re: [ovirt-users] ovirt with 389
server inactive groups
>> >> >> > >>>>
>> >> >> > >>>>
>> >> >> > >>>>
>> >> >> > >>>> ----- Original Message -----
>> >> >> > >>>>> From: "Itamar Heim"
<iheim(a)redhat.com>
>> >> >> > >>>>> To: "Paul Robert Marino"
<prmarino1(a)gmail.com>, users(a)ovirt.org
>> >> >> > >>>>> Sent: Friday, August 8, 2014 10:37:11
PM
>> >> >> > >>>>> Subject: Re: [ovirt-users] ovirt with
389 server inactive
>> >> >> > >>>>> groups
>> >> >> > >>>>>
>> >> >> > >>>>> On 08/07/2014 07:06 PM, Paul Robert
Marino wrote:
>> >> >> > >>>>>> I have ovirt engine running and
connected to a 389 server with
>> >> >> > >>>>>> the
>> >> >> > >>>>>> memberof plugin enabled and
working properly.
>> >> >> > >>>>>>
>> >> >> > >>>>>> I can add users and assign them
to roles without any issues.
>> >> >> > >>>>>>
>> >> >> > >>>>>> when I look at a user I can see
all the LDAP groups they are a
>> >> >> > >>>>>> member
>> >> >> > >>>>>> of.
>> >> >> > >>>>>>
>> >> >> > >>>>>> when I run engine-manage-domains
-action=validate it tells me
>> >> >> > >>>>>> the
>> >> >> > >>>>>> domain is valid.
>> >> >> > >>>>>>
>> >> >> > >>>>>> here is my problem when I try to
assign a role to an LDAP
>> >> >> > >>>>>> group
>> >> >> > >>>>>> it
>> >> >> > >>>>>> looks like it works but in the
general tab when under the
>> >> >> > >>>>>> group
>> >> >> > >>>>>> it
>> >> >> > >>>>>> tells me the status is Inactive.
>> >> >> > >>>>>>
>> >> >> > >>>>>> dose any one know how to enable
the group?
>> >> >> > >>>>>>
_______________________________________________
>> >> >> > >>>>>> Users mailing list
>> >> >> > >>>>>> Users(a)ovirt.org
>> >> >> > >>>>>>
http://lists.ovirt.org/mailman/listinfo/users
>> >> >> > >>>>>>
>> >> >> > >>>>>
>> >> >> > >>>>> 3.4 or new 3.5 Generic LDAP
provider?
>> >> >> > >>>>
>> >> >> > >>>>
>> >> >> > >>>> On case this is 3.5 it is known issue,
all groups will be seen
>> >> >> > >>>> as
>> >> >> > >>>> inactive,
>> >> >> > >>>> this field will probably be removed from
UI, as groups are no
>> >> >> > >>>> longer
>> >> >> > >>>> fetched
>> >> >> > >>>> periodically.
>> >> >> > >>>> This field is totally ignored.
>> >> >> > >>>>
>> >> >> > >>>> Alon
>> >> >> > >>>>
_______________________________________________
>> >> >> > >>>> Users mailing list
>> >> >> > >>>> Users(a)ovirt.org
>> >> >> > >>>>
http://lists.ovirt.org/mailman/listinfo/users
>> >> >> > >>>>
>> >> >> > >>>
_______________________________________________
>> >> >> > >>> Users mailing list
>> >> >> > >>> Users(a)ovirt.org
>> >> >> > >>>
http://lists.ovirt.org/mailman/listinfo/users
>> >> >> > >>
>> >> >> > > _______________________________________________
>> >> >> > > Users mailing list
>> >> >> > > Users(a)ovirt.org
>> >> >> > >
http://lists.ovirt.org/mailman/listinfo/users
>> >> >> > >
>> >> >> >
>> >> >> > _______________________________________________
>> >> >> > Users mailing list
>> >> >> > Users(a)ovirt.org
>> >> >> >
http://lists.ovirt.org/mailman/listinfo/users
>> >> >> >
>> >> >> _______________________________________________
>> >> >> Users mailing list
>> >> >> Users(a)ovirt.org
>> >> >>
http://lists.ovirt.org/mailman/listinfo/users
>> >> >>
>> >> > _______________________________________________
>> >> > Users mailing list
>> >> > Users(a)ovirt.org
>> >> >
http://lists.ovirt.org/mailman/listinfo/users
>> >>
>>