----- Original Message -----
From: "Cristian Mammoli" <c.mammoli(a)apra.it>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: "Shahar Havivi" <shaharh(a)redhat.com>, "users" <users(a)ovirt.org>
Sent: Friday, October 30, 2015 9:48:04 PM
Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
As long as I used engine-manage-domains, SSO with the spice client worked fine:
The user logs in to the user portal, clicks on a vm and gets logged in to the
windows vm.
With ovirt-engine-extension-aaa-ldap, configured with
ovirt-engine-extension-aaa-ldap-setup, the SSO didn't work. The vm says
I tried to login with an invalid username or password.
After enabling audit logs in the vm I see that the spice client tries
to login as
user@domain-authz
I changed "ovirt.engine.extension.name" from "domain-authz" to
"domain" in
"/etc/ovirt-engine/extensions.d/domain.net-authz.properties"
and "ovirt.engine.aaa.authn.authz.plugin" from "domain-authz" to
"domain" in
"/etc/ovirt-engine/extensions.d/domain-authn.properties"
And now SSO works fine
Is it the correct way to go??
Oh... I did not understand this is what you are trying to do.
Yes, this is [1].
There are lots of invalid assumptions in the product, one of them is that the profile name
within the ovirt application matches the domain name of the VM.
[1]
https://bugzilla.redhat.com/show_bug.cgi?id=1133137#c7
On 30/10/2015 20:37, Alon Bar-Lev wrote:
> What do you mean?
> Maybe the password delegation into the virtual machine?
> If engine does not know the password, it cannot delegate it to virtual
> machine.
> Solution is described here[1], so far no resources were allocated.
>
> [1]
http://www.ovirt.org/Features/SSO
>
> ----- Original Message -----
>> From: "Cristian Mammoli" <c.mammoli(a)apra.it>
>> To: "Shahar Havivi" <shaharh(a)redhat.com>, "Alon Bar-Lev" <alonbl(a)redhat.com>
>> Cc: "users" <users(a)ovirt.org>
>> Sent: Friday, October 30, 2015 9:33:02 PM
>> Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep
>> domain join
>>
>> It works fine, but it kills SSO as user...
>>
>> Poking in the windows logs I see a failed login as:
>>
>> myuser(a)mydomain.tld-authz !!
>>
>>> On 27/10/2015 11:51, Shahar Havivi wrote:
>>> On 27.10.15 05:25, Alon Bar-Lev wrote:
>>>> yes, you should probably only customize: $JoinDomain$,
>>>> $DomainAdminPassword$, $DomainAdmin$
>>>> maybe, not sure: $JoinDomain$, $MachineObjectOU$
>>>> the rest should be the same as any other.
>>> Please make sure that the file is the full sysprep file such as you can
>>> find in /packaging/conf/sysprep/sysprep.w7 which is a windows 7 sysprep file.
>>> You can leave the variables such as $OrgName$ which will be replaced (except
>>> for the variables that Alon mentioned, which were the original problem).
>>>
>>>> ----- Original Message -----
>>>>> From: "Cristian Mammoli" <c.mammoli(a)apra.it>
>>>>> To: "Shahar Havivi" <shaharh(a)redhat.com>, "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>> Cc: "users" <users(a)ovirt.org>
>>>>> Sent: Tuesday, October 27, 2015 11:19:02 AM
>>>>> Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
>>>>>
>>>>> So just pasting there the contents of a modified
>>>>> /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should
>>>>> work right?
>>>>>
>>>>> The variables like '![CDATA[$OrgName$' will be replaced?
>>>>>
>>>>> On 26/10/2015 12:43, Shahar Havivi wrote:
>>>>>> On 26.10.15 06:23, Alon Bar-Lev wrote:
>>>>>>> Hi,
>>>>>>> The usage of the engine-manage-domain user to anything else but ldap
>>>>>>> searches is something that is unexpected and insecure.
>>>>>>> As a solution, you may either paste a modified sysprep file into the pool
>>>>>>> at UI or set up a different osinfo profile with modified sysprep file;
>>>>>>> this modified sysprep file can contain the credentials of the user that
>>>>>>> is being used for joining the domain.
>>>>>>> CCing Shahar who may assist further.
>>>>>> Hi,
>>>>>> You can paste a modified sysprep file to "new Pool"->"Initial run"->"Custom Script"
>>>>>> As Alon mentioned.
>>>>> --
>>>>> Mammoli Cristian
>>>>> System administrator
>>>>> T. +39 0731 22911
>>>>> Via Brodolini 6 | 60035 Jesi (an)
>>>>>
>>>>>
>> --
>> Mammoli Cristian
>> System administrator
>> T. +39 0731 22911
>> Via Brodolini 6 | 60035 Jesi (an)
>>
>>
--
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)
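The thread above turns on one naming assumption: the guest-side SSO login is built from the authz extension's name, so when ovirt-engine-extension-aaa-ldap-setup names it "<profile>-authz" the Windows guest sees "<user>@<profile>-authz" and rejects it, and renaming the extension to the guest's domain fixes it. The following POSIX shell script is an added example written for this page, not code from the thread or from the oVirt project: it reads the two extension properties files, checks that ovirt.engine.aaa.authn.authz.plugin in the authn file points at the authz extension's ovirt.engine.extension.name, and that this name equals the domain the guests are joined to. The two sample file pairs it writes to a temporary directory are constructed with hypothetical values (mydomain.tld, the key set shown) and stand in for files under /etc/ovirt-engine/extensions.d/.

```shell
#!/bin/sh
# Added example (not from the thread or the oVirt project): check that the
# aaa-ldap extension names line up with the guest domain, so SPICE SSO does not
# present "<user>@<profile>-authz" to the Windows guest as the thread describes.
set -eu

# Read one key from a Java-style properties file ("key = value" or "key=value").
# $1 = file, $2 = key with its dots escaped for sed.
prop_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Verify the naming chain authn -> authz plugin -> authz extension name -> guest domain.
# $1 = authn properties, $2 = authz properties, $3 = DNS domain the guests are joined to.
# Prints one line per finding; returns 0 only when everything is consistent.
check_sso_naming() {
    authn_file=$1; authz_file=$2; expected_domain=$3
    status=0
    authz_ref=$(prop_get "$authn_file" 'ovirt\.engine\.aaa\.authn\.authz\.plugin')
    authz_name=$(prop_get "$authz_file" 'ovirt\.engine\.extension\.name')
    if [ "$authz_ref" != "$authz_name" ]; then
        echo "MISMATCH: authn refers to authz plugin '$authz_ref' but the authz extension is named '$authz_name'"
        status=1
    fi
    if [ "$authz_name" != "$expected_domain" ]; then
        echo "MISMATCH: authz extension name '$authz_name' is not the guest domain '$expected_domain'; SSO would log in as '<user>@$authz_name'"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: authz extension name '$authz_name' matches the guest domain"
    return "$status"
}

# Constructed sample files (hypothetical values, not a real deployment), written
# to a temporary directory: one pair named the way the setup tool names it
# ("<profile>-authz"), and one pair renamed to the guest domain.
SAMPLE_DIR=$(mktemp -d)
write_pair() {
    # $1 = file prefix, $2 = authz extension name to use in both files
    cat > "$SAMPLE_DIR/$1-authn.properties" <<EOF
ovirt.engine.extension.name = mydomain.tld-authn
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = mydomain.tld
ovirt.engine.aaa.authn.authz.plugin = $2
config.profile.file.1 = ../aaa/mydomain.tld.properties
EOF
    cat > "$SAMPLE_DIR/$1-authz.properties" <<EOF
ovirt.engine.extension.name = $2
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/mydomain.tld.properties
EOF
}
write_pair generated mydomain.tld-authz
write_pair renamed   mydomain.tld

echo "== as generated by ovirt-engine-extension-aaa-ldap-setup =="
check_sso_naming "$SAMPLE_DIR/generated-authn.properties" "$SAMPLE_DIR/generated-authz.properties" mydomain.tld || true
echo "== after renaming the authz extension to the guest domain =="
check_sso_naming "$SAMPLE_DIR/renamed-authn.properties" "$SAMPLE_DIR/renamed-authz.properties" mydomain.tld
```

The first check matters as much as the second: renaming ovirt.engine.extension.name in the authz file without also updating ovirt.engine.aaa.authn.authz.plugin in the authn file (both changes Cristian made) leaves the authn extension pointing at an extension that no longer exists, which breaks login entirely rather than only SSO. Running the check against the real files is a matter of passing their paths under /etc/ovirt-engine/extensions.d/ and the domain in place of the constructed ones.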