
----- Original Message -----
From: "Cristian Mammoli" <c.mammoli@apra.it>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "Shahar Havivi" <shaharh@redhat.com>, "users" <users@ovirt.org>
Sent: Friday, October 30, 2015 9:48:04 PM
Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
As long as I used engine-manage-domains, SSO with the SPICE client worked fine: the user logs in to the user portal, clicks on a VM and gets logged in to the Windows VM.
With ovirt-engine-extension-aaa-ldap, configured with ovirt-engine-extension-aaa-ldap-setup, the SSO didn't work. The VM says I tried to log in with an invalid username or password.
After enabling audit logs in the VM I see that the SPICE client tries to log in as
user@domain-authz
I changed "ovirt.engine.extension.name" from "domain-authz" to "domain" in "/etc/ovirt-engine/extensions.d/domain.net-authz.properties"
and "ovirt.engine.aaa.authn.authz.plugin" from "domain-authz" to "domain" in "/etc/ovirt-engine/extensions.d/domain-authn.properties"
And now SSO works fine.
Is this the correct way to go??
Oh... I did not understand this is what you are trying to do. Yes, this is [1]. There are lots of invalid assumptions in the product, one of them is that the profile name within the ovirt application matches the domain name of the VM.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137#c7
On 30/10/2015 20:37, Alon Bar-Lev wrote:
What do you mean? Maybe the password delegation into the virtual machine? If engine does not know the password, it cannot delegate it to virtual machine. Solution is described here[1], so far no resources were allocated.
[1] http://www.ovirt.org/Features/SSO
----- Original Message -----
From: "Cristian Mammoli" <c.mammoli@apra.it>
To: "Shahar Havivi" <shaharh@redhat.com>, "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "users" <users@ovirt.org>
Sent: Friday, October 30, 2015 9:33:02 PM
Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
It works fine, but it kills SSO as a user...
Poking in the Windows logs I see a failed login as:
myuser@mydomain.tld-authz !!
On 27/10/2015 11:51, Shahar Havivi wrote:
On 27.10.15 05:25, Alon Bar-Lev wrote:
Yes, you should probably only customize: $JoinDomain$, $DomainAdminPassword$, $DomainAdmin$
(maybe, not sure: $JoinDomain$, $MachineObjectOU$); the rest should be the same as any other.
Please make sure that the file is the full sysprep file such as you can find in /packaging/conf/sysprep/sysprep.w7, which is a Windows 7 sysprep file.
You can leave the variables such as $OrgName$, which will be replaced (except for the variables that Alon mentioned, which were the original problem).
----- Original Message -----
From: "Cristian Mammoli" <c.mammoli@apra.it>
To: "Shahar Havivi" <shaharh@redhat.com>, "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "users" <users@ovirt.org>
Sent: Tuesday, October 27, 2015 11:19:02 AM
Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
So just pasting there the contents of a modified /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should work, right?
Will the variables like '![CDATA[$OrgName$' be replaced?
On 26/10/2015 12:43, Shahar Havivi wrote:
> On 26.10.15 06:23, Alon Bar-Lev wrote:
>> Hi,
>> The usage of the engine-manage-domain user for anything else but LDAP
>> searches is something that is unexpected and insecure.
>> As a solution, you may either paste a modified sysprep file into the pool
>> at the UI or set up a different osinfo profile with a modified sysprep file;
>> this modified sysprep file can contain the credentials of the user that
>> is being used for joining the domain.
>> CCing Shahar, who may assist further.
> Hi,
> You can paste a modified sysprep file to "new Pool"->"Initial run"->"Custom
> Script"
> As Alon mentioned.

--
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)
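The rename Cristian describes touches two files that must stay in step: the authz extension's "ovirt.engine.extension.name" and the authn file's "ovirt.engine.aaa.authn.authz.plugin" reference to it, and the thread's audit-log finding is that the guest receives the login as user@<authz extension name>. The script below is an added example, not code from the thread, from oVirt or from anyone on the list. It reads those two keys (the key names are the ones quoted in the thread; the file names, the example.test domain and the sample file contents are constructed) and reports three states a defender wants to catch before blaming the guest: a missing name, an authn file that still points at the old authz name after a partial rename, and an authz name that differs from the domain the VM was joined to, so that a failed SSO shows up as a configuration finding rather than as an invalid-credential event in the Windows security log.

```shell
#!/bin/sh
# Added example; not code from the thread, from oVirt, or from anyone on
# the list. Checks the two aaa-ldap property files the thread discusses:
# the authn file's authz.plugin must name the authz extension, and (as
# observed in the thread's guest audit log) the guest is sent
# user@<authz extension name>, so that name is compared with the Windows
# domain the VM joined. Key names are from the thread; everything else
# (paths, example.test, file contents) is constructed for the demo.

# prop FILE KEY: print the value of KEY (text after '=', surrounding
# whitespace dropped); prints nothing when the key is absent
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# check_sso_names AUTHN_FILE AUTHZ_FILE VM_DOMAIN
# returns 0 when authn -> authz is consistent and the authz extension name
# equals VM_DOMAIN; returns 1 with the reason on stderr otherwise
check_sso_names() {
    plugin=$(prop "$1" ovirt.engine.aaa.authn.authz.plugin)
    authz_name=$(prop "$2" ovirt.engine.extension.name)
    if [ -z "$authz_name" ]; then
        echo "no ovirt.engine.extension.name in $2" >&2
        return 1
    fi
    if [ "$plugin" != "$authz_name" ]; then
        echo "authn points at authz '$plugin' but the authz extension is named '$authz_name'" >&2
        return 1
    fi
    if [ "$authz_name" != "$3" ]; then
        echo "guest would be sent user@$authz_name while the VM is joined to $3" >&2
        return 1
    fi
    echo "ok: guest will receive user@$authz_name"
}

# Constructed sample files mirroring the thread: "before" keeps the default
# -authz suffix, "partial" renamed only the authz file, "after" renamed both.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'ovirt.engine.extension.name = example.test-authz\n'        > "$demo_dir/before-authz.properties"
printf 'ovirt.engine.aaa.authn.authz.plugin = example.test-authz\n' > "$demo_dir/before-authn.properties"
printf 'ovirt.engine.extension.name = example.test\n'              > "$demo_dir/partial-authz.properties"
printf 'ovirt.engine.aaa.authn.authz.plugin = example.test-authz\n' > "$demo_dir/partial-authn.properties"
printf 'ovirt.engine.extension.name = example.test\n'              > "$demo_dir/after-authz.properties"
printf 'ovirt.engine.aaa.authn.authz.plugin = example.test\n'       > "$demo_dir/after-authn.properties"

# Walk the three states; only "after" passes
for state in before partial after; do
    if check_sso_names "$demo_dir/$state-authn.properties" \
                       "$demo_dir/$state-authz.properties" example.test; then
        echo "$state: consistent"
    else
        echo "$state: needs fixing"
    fi
done
```

Alon's reply calls the name coupling a product bug rather than a supported contract, so treat a pass from this check as "the engine will send the name the guest expects" for the version discussed in the thread, and keep the check alongside the guest-side audit log when SSO fails after a profile rename.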