
As long as I used engine-manage-domains, SSO with the SPICE client worked fine: the user logs in to the user portal, clicks on a VM and gets logged in to the Windows VM.

With ovirt-engine-extension-aaa-ldap, configured with ovirt-engine-extension-aaa-ldap-setup, SSO didn't work. The VM says I tried to log in with an invalid username or password. After enabling audit logs in the VM I see that the SPICE client tries to log in as user@domain-authz.

I changed "ovirt.engine.extension.name" from "domain-authz" to "domain" in "/etc/ovirt-engine/extensions.d/domain.net-authz.properties" and "ovirt.engine.aaa.authn.authz.plugin" from "domain-authz" to "domain" in "/etc/ovirt-engine/extensions.d/domain-authn.properties", and now SSO works fine.

Is it the correct way to go??

On 30/10/2015 20:37, Alon Bar-Lev wrote:
What do you mean? Maybe the password delegation into the virtual machine? If engine does not know the password, it cannot delegate it to virtual machine. Solution is described here[1], so far no resources were allocated.
[1] http://www.ovirt.org/Features/SSO
----- Original Message -----
From: "Cristian Mammoli" <c.mammoli@apra.it>
To: "Shahar Havivi" <shaharh@redhat.com>, "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "users" <users@ovirt.org>
Sent: Friday, October 30, 2015 9:33:02 PM
Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
It works fine, but it kills SSO as user...
Poking in the windows logs I see a failed login as:
myuser@mydomain.tld-authz !!
On 27/10/2015 11:51, Shahar Havivi wrote:
On 27.10.15 05:25, Alon Bar-Lev wrote:
Yes, you should probably only customize: $JoinDomain$, $DomainAdminPassword$, $DomainAdmin$. Maybe, not sure: $JoinDomain$, $MachineObjectOU$. The rest should be the same as any other. Please make sure that the file is the full sysprep file such as you can find in /packaging/conf/sysprep/sysprep.w7, which is a Windows 7 sysprep file. You can leave the variables such as $OrgName$, which will be replaced (except for the variables that Alon mentioned, which were the original problem).
----- Original Message -----
From: "Cristian Mammoli" <c.mammoli@apra.it>
To: "Shahar Havivi" <shaharh@redhat.com>, "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "users" <users@ovirt.org>
Sent: Tuesday, October 27, 2015 11:19:02 AM
Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
So just pasting there the contents of a modified /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should work right?
The variables like '![CDATA[$OrgName$' will be replaced?
On 26/10/2015 12:43, Shahar Havivi wrote:
On 26.10.15 06:23, Alon Bar-Lev wrote:
> Hi,
> The usage of the engine-manage-domain user to anything else but ldap
> searches is something that is unexpected and insecure.
> As a solution, you may either paste a modified sysprep file into the
> pool at UI or set up a different osinfo profile with modified sysprep file,
> this modified sysprep file can contain the credentials of the user that
> is being used for joining the domain.
> CCing Shahar which may assist further.

Hi,
You can paste a modified sysprep file to "new Pool"->"Initial run"->"Custom Script" as Alon mentioned.

--
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)
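The advice from Alon and Shahar above is to paste a full sysprep file into "Initial Run" -> "Custom Script" with only the domain-join fields ($JoinDomain$, $DomainAdmin$, $DomainAdminPassword$, optionally $MachineObjectOU$) filled in with a dedicated join account, leaving the rest (such as $OrgName$) for the engine to substitute. The following script is an added example, not oVirt code and not from anyone in this thread: it lists which $Var$ placeholders a pasted file still contains and checks that the join fields inside the Identification section are no longer placeholders. The unattend XML is a constructed sample shaped like a Microsoft-Windows-UnattendedJoin component, not the real sysprep.w7; the account and OU values are made up.

```python
"""Check which $Var$ placeholders a custom oVirt sysprep (unattend) file still
contains, and whether the domain-join fields have been filled in.

Added example, not oVirt code. Assumes the placeholder names from the thread
($JoinDomain$, $DomainAdmin$, $DomainAdminPassword$, $MachineObjectOU$,
$OrgName$) appear literally in the template. SAMPLE_TEMPLATE is constructed
for this example and is not the real sysprep.w7.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

PLACEHOLDER = re.compile(r"\$([A-Za-z0-9_]+)\$")

# Fields the thread says the admin fills in by hand before pasting the file;
# the engine does not substitute these.
JOIN_FIELDS = {"JoinDomain", "DomainAdmin", "DomainAdminPassword"}

NS = "urn:schemas-microsoft-com:unattend"

# Constructed unattend fragment (assumption: element names follow the
# Microsoft-Windows-UnattendedJoin component layout).
SAMPLE_TEMPLATE = f"""<unattend xmlns="{NS}">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin">
      <Identification>
        <Credentials>
          <Domain>$JoinDomain$</Domain>
          <Password>$DomainAdminPassword$</Password>
          <Username>$DomainAdmin$</Username>
        </Credentials>
        <JoinDomain>$JoinDomain$</JoinDomain>
        <MachineObjectOU>$MachineObjectOU$</MachineObjectOU>
      </Identification>
    </component>
    <component name="Microsoft-Windows-Shell-Setup">
      <RegisteredOrganization>$OrgName$</RegisteredOrganization>
      <ComputerName>$ComputerName$</ComputerName>
    </component>
  </settings>
</unattend>
"""


def placeholders(text):
    """Return the set of $Var$ names still present in the file."""
    return set(PLACEHOLDER.findall(text))


def fill_join_fields(text, join_domain, join_user, join_password, ou=None):
    """Replace only the domain-join placeholders with the values of a dedicated
    join account (XML-escaped); engine-substituted ones such as $OrgName$ are
    left untouched so the engine can still replace them."""
    values = {
        "JoinDomain": join_domain,
        "DomainAdmin": join_user,
        "DomainAdminPassword": join_password,
    }
    if ou is not None:
        values["MachineObjectOU"] = ou
    return PLACEHOLDER.sub(
        lambda m: escape(values[m.group(1)]) if m.group(1) in values else m.group(0),
        text,
    )


def check_join_section(text):
    """Parse the unattend XML and report whether the join credentials are still
    placeholders. Returns (ok, remaining): remaining lists the join fields
    that were not customised, sorted by name."""
    root = ET.fromstring(text)
    ident = root.find(f".//{{{NS}}}Identification")
    if ident is None:
        return False, sorted(JOIN_FIELDS)
    ident_text = ET.tostring(ident, encoding="unicode")
    remaining = sorted(JOIN_FIELDS & placeholders(ident_text))
    return not remaining, remaining


if __name__ == "__main__":
    print("placeholders in template:", sorted(placeholders(SAMPLE_TEMPLATE)))
    print("template join check:", check_join_section(SAMPLE_TEMPLATE))
    # Constructed values for a dedicated, least-privilege join account.
    filled = fill_join_fields(SAMPLE_TEMPLATE, "corp.example", "svc-join",
                              "example-join-password",
                              "OU=VDI,DC=corp,DC=example")
    print("filled join check:", check_join_section(filled))
    print("left for the engine:", sorted(placeholders(filled)))
```

The join account written into the file is whatever the admin puts there, so the point of the check is the one Alon makes: the file should carry a dedicated join account, not the engine-manage-domains LDAP search user, and the engine-substituted placeholders must stay untouched for the rest of the sysprep to work.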
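Cristian's first message in this thread renames the authz extension (ovirt.engine.extension.name) and updates the authn extension's ovirt.engine.aaa.authn.authz.plugin reference to match, because the VM audit log showed the SPICE SSO login arriving as user@domain-authz. The script below is an added example, not oVirt code and not from anyone in this thread: it parses the two property files, verifies that the authn extension's authz reference is the name of a loaded extension, and reports what domain part the SSO login will carry given the thread's observation that it is the authz extension name. The file contents and the corp.example domain are constructed samples, and the properties parser is a minimal one written for this example.

```python
"""Consistency check for oVirt aaa extension property files.

Added example, not part of oVirt. Assumes only the two keys named in the
thread (ovirt.engine.extension.name, ovirt.engine.aaa.authn.authz.plugin)
and the thread's observation that the SSO login to the guest is presented
as user@<authz extension name>. All file contents below are constructed.
"""


def parse_properties(text):
    """Minimal Java-style .properties parser: key = value lines, with '#' or
    '!' comments. Good enough for the extensions.d files, not a full parser."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def check_extensions(files, expected_domain):
    """files: {filename: contents}. Returns (problems, sso_domain), where
    sso_domain is the authz name the authn extension points at (the domain
    part of the user@... login the guest will see) and problems is a list of
    human-readable findings."""
    extensions = {fname: parse_properties(text) for fname, text in files.items()}
    by_name = {}
    problems = []
    for fname, props in extensions.items():
        ext_name = props.get("ovirt.engine.extension.name")
        if not ext_name:
            problems.append(f"{fname}: missing ovirt.engine.extension.name")
            continue
        if ext_name in by_name:
            problems.append(f"{fname}: duplicate extension name {ext_name!r} "
                            f"(also in {by_name[ext_name]})")
        by_name[ext_name] = fname

    sso_domain = None
    for fname, props in extensions.items():
        authz_ref = props.get("ovirt.engine.aaa.authn.authz.plugin")
        if authz_ref is None:
            continue  # not an authn extension
        sso_domain = authz_ref
        if authz_ref not in by_name:
            problems.append(f"{fname}: authz plugin {authz_ref!r} is not the "
                            f"name of any loaded extension")
        if authz_ref != expected_domain:
            problems.append(f"{fname}: guest SSO will present user@{authz_ref}, "
                            f"expected user@{expected_domain}")
    return problems, sso_domain


# Constructed samples (not real files from the thread).
BEFORE = {
    "corp.example-authz.properties": """
# authz extension as generated by the setup tool (constructed sample)
ovirt.engine.extension.name = corp.example-authz
""",
    "corp.example-authn.properties": """
ovirt.engine.extension.name = corp.example-authn
ovirt.engine.aaa.authn.authz.plugin = corp.example-authz
""",
}

# Only the authz file renamed: the authn reference now dangles.
HALF_DONE = {
    "corp.example-authz.properties": "ovirt.engine.extension.name = corp.example\n",
    "corp.example-authn.properties": BEFORE["corp.example-authn.properties"],
}

# Both keys changed together, as in the thread.
AFTER = {
    "corp.example-authz.properties": "ovirt.engine.extension.name = corp.example\n",
    "corp.example-authn.properties": """
ovirt.engine.extension.name = corp.example-authn
ovirt.engine.aaa.authn.authz.plugin = corp.example
""",
}

if __name__ == "__main__":
    for label, files in (("before", BEFORE), ("half done", HALF_DONE), ("after", AFTER)):
        problems, sso_domain = check_extensions(files, "corp.example")
        print(f"{label}: sso domain = {sso_domain}")
        for p in problems:
            print("  -", p)
```

The half-done case is the one worth catching: renaming the authz extension without updating the authn reference leaves the authn pointing at a name that no longer exists, which breaks login altogether rather than just SSO.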