As far as I understand, there's something really wrong with credential check on Debian distribution. ovirt-agent fails to set PASSCRED flag on socket and thus throws exception. If i try to catch it, it fails silently and agent is unable to get credentials from pam module via socket. So it fails credential check. If I comment out credential validation segment in CredServer.py, authentication seems to pass, gdm3 tries to load user profile and then crashes: http://paste.ubuntu.com/21391057/ On Fri, 2016-07-29 at 13:35 +0300, Tadas wrote:
There's another interesting error thrown out from ovirt-guest agent, when you try to login:
Jul 29 13:30:24 jessie python[1969]: Exception in thread CredChannel: Ju l 29 13:30:24 jessie python[1969]: Traceback (most recent call last): Ju l 29 13:30:24 jessie python[1969]: File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner Jul 29 13:30:24 jessie python[1969]: self.run() Jul 29 13:30:24 jessie python[1969]: File "/usr/share/ovirt-guest-agent/CredServer.py", line 217, in run Jul 29 13:30:24 jessie python[1969]: cred = self._read_cred(conn) Jul 29 13:30:24 jessie python[1969]: File "/usr/share/ovirt-guest-agent/CredServer.py", line 146, in _read_cred Ju l 29 13:30:24 jessie python[1969]: conn.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1) Jul 29 13:30:24 jessie python[1969]: AttributeError: 'module' object has no attribute 'SO_PASSCRED'
On Fri, 2016-07-29 at 13:13 +0300, Tadas wrote:
Yes, it seems that authentication does not work in any of debian releases. Oh well. On Fri, 2016-07-29 at 09:37 +0200, Vinzenz Feenstra wrote:
On Jul 28, 2016, at 4:11 PM, Tadas <tadas@ring.lt> wrote:
Thank you for your reply. Strange, but i do not see any errors in gdm debug log, just this: http://paste.ubuntu.com/21275558/
Well if it works for you, the better. It didn’t work for me though
I will try installing debian unstable and several ubuntu versions tomorrow. From: Vinzenz Feenstra Sent: Thursday, July 28, 2016 4:18 PM To: tadas@ring.lt Cc: users Subject: Re: [ovirt-users] Debian - based OS and SSO
On Jul 28, 2016, at 3:11 PM, Vinzenz Feenstra <vfeenstr@redha t. co m> wrote:
On Jul 28, 2016, at 11:53 AM, Tadas <tadas@ring.lt> wrote: Hello, still having issues with ovirt SSO and Debian OS. Other OSes (Windows/Fedora 24) works just fine. Some information: OS: Debian 8.5 (jessie) I've followed manual on https://www.ovirt.org/documentation /h ow -to/gues t-agent/install-the-guest-agent-in-debian/ and installed ovirt- agent. I can get info via spice socket on hypervisor side, this means that agent works fine. I've compiled pam-ovirt-cred and copied it into /lib/x86_64- linux- gnu/security/
It should be in /lib/security afaik
I've configured /etc/pamd/gdm-ovirtcred (just copied from working Fedora 24)
replace in that file all occurences of password-auth with passwd
But still login fails. I can see this in ovirt-agent log file:
It some how fails for me in some cases with this now:
Correction its here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794064
https://bugs.freedesktop.org/show_bug.cgi?id=71525 There’s not much I can do about that though
Dummy-2::INFO::2016-07-28 12:49:51,046::OVirtAgentLogic::270::root::Received an external command: login... Dummy-2::DEBUG::2016-07-28 12:49:51,047::OVirtAgentLogic::304::root::User log-in (credentials = '\x00\x00\x00\x04test********\x00') Dummy-2::INFO::2016-07-28 12:49:51,047::CredServer::207::root::The following users are allowed to connect: [0] Dummy-2::DEBUG::2016-07-28 12:49:51,047::CredServer::272::root::Token: 760258 Dummy-2::INFO::2016-07-28 12:49:51,047::CredServer::273::root::Opening credentials channel... Dummy-2::INFO::2016-07-28 12:49:51,047::CredServer::132::root::Emitting user authenticated signal (760258). Dummy-2::INFO::2016-07-28 12:49:51,178::CredServer::277::root::Credentials channel was closed.
This looks okay. The error is on pam side (auth.log):
Jul 28 12:49:39 desktop64 gdm-ovirtcred]: pam_succeed_if(gdm- ovirtcred:auth): error retrieving user name: Conversation error Jul 28 12:49:39 desktop64 gdm-ovirtcred]: pam_ovirt_cred(gdm- ovirtcred:auth): Failed to acquire user's credentials
Have no idea, where it fails. Would appreciate, if you could help me here a bit. Thank you.
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users