As long as I used engine-manage-domains, SSO with the spice client worked fine:
The user logs in to the user portal, clicks on a VM and gets logged in to the
Windows VM.
With ovirt-engine-extension-aaa-ldap, configured with
ovirt-engine-extension-aaa-ldap-setup, the SSO didn't work. The VM says
I tried to login with an invalid username or password.
After enabling audit logs in the VM I see that the spice client tries
to login as
user@domain-authz
I changed "ovirt.engine.extension.name" from "domain-authz" to
"domain" in
"/etc/ovirt-engine/extensions.d/domain.net-authz.properties"
and "ovirt.engine.aaa.authn.authz.plugin" from "domain-authz" to
"domain" in
"/etc/ovirt-engine/extensions.d/domain-authn.properties"
And now SSO works fine
Is it the correct way to go??
On 30/10/2015 20:37, Alon Bar-Lev wrote:
What do you mean?
Maybe the password delegation into the virtual machine?
If engine does not know the password, it cannot delegate it to virtual machine.
The solution is described here [1]; so far no resources were allocated.
[1]
http://www.ovirt.org/Features/SSO
----- Original Message -----
> From: "Cristian Mammoli" <c.mammoli(a)apra.it>
> To: "Shahar Havivi" <shaharh(a)redhat.com>, "Alon Bar-Lev" <alonbl(a)redhat.com>
> Cc: "users" <users(a)ovirt.org>
> Sent: Friday, October 30, 2015 9:33:02 PM
> Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
>
> It works fine, but it kills SSO as user...
>
> Poking in the windows logs I see a failed login as:
>
> myuser(a)mydomain.tld-authz !!
>
> On 27/10/2015 11:51, Shahar Havivi wrote:
>> On 27.10.15 05:25, Alon Bar-Lev wrote:
>>> yes, you should probably only customize: $JoinDomain$,
>>> $DomainAdminPassword$, $DomainAdmin$
>>> maybe, not sure: $JoinDomain$, $MachineObjectOU$
>>> the rest should be the same as any other.
>> Please make sure that the file is the full sysprep file, such as you can
>> find in /packaging/conf/sysprep/sysprep.w7, which is a Windows 7 sysprep file.
>> You can leave the variables such as $OrgName$, which will be replaced (except
>> for the variables that Alon mentioned, which were the original problem).
>>
>>> ----- Original Message -----
>>>> From: "Cristian Mammoli" <c.mammoli(a)apra.it>
>>>> To: "Shahar Havivi" <shaharh(a)redhat.com>, "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>> Cc: "users" <users(a)ovirt.org>
>>>> Sent: Tuesday, October 27, 2015 11:19:02 AM
>>>> Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep
>>>> domain join
>>>>
>>>> So just pasting there the contents of a modified
>>>> /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should
>>>> work right?
>>>>
>>>> The variables like '![CDATA[$OrgName$' will be replaced?
>>>>
>>>> On 26/10/2015 12:43, Shahar Havivi wrote:
>>>>> On 26.10.15 06:23, Alon Bar-Lev wrote:
>>>>>> Hi,
>>>>>> The usage of the engine-manage-domain user for anything other than LDAP
>>>>>> searches is something that is unexpected and insecure.
>>>>>> As a solution, you may either paste a modified sysprep file into the pool
>>>>>> at UI or set up a different osinfo profile with a modified sysprep file;
>>>>>> this modified sysprep file can contain the credentials of the user that
>>>>>> is being used for joining the domain.
>>>>>> CCing Shahar, who may assist further.
>>>>> Hi,
>>>>> You can paste a modified sysprep file to "new Pool"->"Initial run"->"Custom
>>>>> Script", as Alon mentioned.
--
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)
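As an added example (not from this thread and not oVirt project code), the script below cross-checks the two extension property files edited in the first message: it parses them as Java .properties, verifies that the authn file's ovirt.engine.aaa.authn.authz.plugin points at an authz extension that actually exists, and reports the login name the guest will see, which the thread observed to be user@<authz extension name>. The file contents are constructed samples modelled on the file names in the message; only ovirt.engine.extension.name and ovirt.engine.aaa.authn.authz.plugin come from the thread, and the ovirt.engine.extension.provides key and the placeholder domain "domain" are assumptions.

```python
import re

# Constructed sample property files (not copied from any real deployment),
# named after the files mentioned in the thread, which live under
# /etc/ovirt-engine/extensions.d/. The ovirt.engine.extension.provides key
# is assumed; the two keys changed in the thread are the ones that matter.
BEFORE = {
    "domain-authn.properties": """\
# authn extension, as written by ovirt-engine-extension-aaa-ldap-setup
ovirt.engine.extension.name = domain-authn
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.authz.plugin = domain-authz
""",
    "domain.net-authz.properties": """\
ovirt.engine.extension.name = domain-authz
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
""",
}

# The same two files after the rename described in the thread.
AFTER = {
    "domain-authn.properties": """\
ovirt.engine.extension.name = domain-authn
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.authz.plugin = domain
""",
    "domain.net-authz.properties": """\
ovirt.engine.extension.name = domain
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
""",
}

_PROP = re.compile(r"^\s*([^#!=:\s][^=:]*?)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, key=value or key: value."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        m = _PROP.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def check_extensions(files, windows_domain, user="myuser"):
    """Return the login name SSO will present and any authn/authz mismatches.

    files: mapping of file name -> properties text (one extension per file).
    windows_domain: the domain the guest expects after '@' in the login name.
    This example assumes a single authn profile is being checked.
    """
    exts = {name: parse_properties(text) for name, text in files.items()}
    issues = []
    authn = [p for p in exts.values()
             if p.get("ovirt.engine.extension.provides", "").endswith("aaa.Authn")]
    authz_names = {p.get("ovirt.engine.extension.name") for p in exts.values()
                   if p.get("ovirt.engine.extension.provides", "").endswith("aaa.Authz")}
    if len(authn) != 1:
        issues.append("expected exactly one authn extension, found %d" % len(authn))
        return {"login": None, "issues": issues}
    authz_ref = authn[0].get("ovirt.engine.aaa.authn.authz.plugin")
    if authz_ref not in authz_names:
        issues.append("authn references authz plugin %r, but no authz extension has that name"
                      % authz_ref)
    # The thread reports that the SPICE SSO login inside the guest is built as
    # user@<authz extension name>, so that name must match the Windows domain.
    login = "%s@%s" % (user, authz_ref)
    if authz_ref != windows_domain:
        issues.append("login %r will not match domain %r" % (login, windows_domain))
    return {"login": login, "issues": issues}


if __name__ == "__main__":
    for label, files in (("before", BEFORE), ("after", AFTER)):
        print(label, check_extensions(files, windows_domain="domain"))
```

Run against the "before" files the check reports the user@domain-authz login the audit log showed; against the "after" files it reports user@domain and no issues. Pointing it at the real files under /etc/ovirt-engine/extensions.d/ (reading them into the same mapping) gives the same consistency check after any manual rename of an extension.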