Thanks Ondra :)
With the command:
su - postgres -c "psql -t engine -c \"insert into permissions values
('0000001b-001b-001b-001b-00000000029f',
'00000000-0000-0000-0000-000000000001',
'fdfc627c-d875-11e0-90f0-83df133b58cc',
'aaa00000-0000-0000-0000-123456789aaa', 1);\""
I get (so the SuperUser permission row for admin@internal already exists and a missing permission is not the cause of the login failure; note also that /etc/ovirt-engine/aaa/internal.properties, as shown further below, contains the authn extension configuration and sets config.datasource.file to itself rather than to a JDBC datasource file, so the internal profile may not be loading a valid datasource):
ERROR: duplicate key value violates unique constraint
"idx_combined_ad_role_object"
DETAIL: Key (ad_element_id, role_id,
object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc,
00000000-0000-0000-0000-000000000001, aaa00000-0000-0000-0000-123456789aaa)
already exists.
History
261 yum install ovirt-engine-extension-aaa-ldap
262 cp -r
/usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
/etc/ovirt-engine/
263 cd /etc/ovirt-engine/
264 ll
265 vim profile1.properties
266 ll
267 cd cp
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
/etc/ovirt-engine/extensions.d/
268 cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/
269 cd
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
270 ll
271 cp
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
/etc/ovirt-engine/extensions.d/
272 cd /etc/ovirt-engine/extensions.d/
273 ll
274 find / -type f -iname profile1.properties
275 cp -r
/usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
/etc/ovirt-engine/aaa/
276 find / -type f -iname profile1.properties
277 vim /etc/ovirt-engine/aaa/profile1.properties
278 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
279 chmod 600 /etc/ovirt-engine/aaa/profile1.properties
280 systemctl restart ovirt-engine
281 vim /etc/ovirt-engine/extensions.d/profile1-authn.properties
282 cd /usr/share/
283 ls
284 cd ovirt-engine-aaa-ldap
285 ls
286 cd ovirt-engine-extension-aaa-ldap/
287 ls
288 cd examples/
289 ls
290 cd ad
291 ls
292 cd extensions.d/
293 ls
294 vim profile1-authn.properties
295 pwd
296 cd ..
297 pwd
298 cd ..
299 ls
300 cd simple
301 ls
302 cd aaa/
303 ls
304 vim profile1.properties
305 pwd
306 rm -rf /etc/ovirt-engine/aaa/profile1.properties
307 cp -r
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties
/etc/ovirt-engine/aaa/
308 vim /etc/ovirt-engine/aaa/profile1.properties
309 history
310 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
311 chmod 600 /etc/ovirt-engine/aaa/profile1.properties
312 systemctl restart ovirt-engine
313 updatedb
314 locate domain1-authn.properties
315 history
316 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
317 ll
318 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
319 ls
320 cd extensions.d/
321 ls
322 pwd
323 cd /etc/ovirt-engine/extensions.d/
324 ls
325 cp -r
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
/etc/ovirt-engine/extensions.d/
326 cp -r
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
/etc/ovirt-engine/extensions.d/
327 rm -rf /etc/ovirt-engine/extensions.d/profile1-authn.properties
328 rm -rf /etc/ovirt-engine/extensions.d/profile1-authz.properties
329 cp -r
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
/etc/ovirt-engine/extensions.d/
330 ll
331 history
332 chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*
333 chmod 600 /etc/ovirt-engine/extensions.d/*
334 ll
335 cd extensions.d/
336 ll
337 cd
338 engine-config -s SASL_QOP=auth
339 systemctl restart ovirt-engine
340 engine-manage-domains add --domain=udistritaloas.edu.co
--provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
341 systemctl restart ovirt-engine
342 engine-manage-domains list
343 history
344 cd /etc/ovirt-engine/extensions.d/
345 ll
346 rm -rf internal-authn.properties
347 rm -rf internal-authz.properties
348 rm -rf profile1-authn.properties
349 rm -rf profile1-authz.properties
350 history
351 cd /etc/ovirt-engine/aaa/
352 ll
353 rm -rf profile1.properties
354 vim internal.properties
355 systemctl restart ovirt-engine
356 ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01
00:00:00Z"
357 ovirt-aaa-jdbc-tool user password-reset admin
--password-valid-to="2100-01-01 00:00:00Z"
358 engine-config -s AdminPassword=interactive
359 ovirt-aaa-jdbc-tool user password-reset admin
--password-valid-to="2100-01-01 00:00:00Z"
360 systemctl restart ovirt-engine
361 exit
362 cd /etc/ovirt-engine/aaa/
363 ll
364 vim internal.properties
365 /etc/ovirt-engine/extensions.d/
366 cd /etc/ovirt-engine/extensions.d/
367 ll
368 cd extensions.d/
369 ll
370 pwd
371 ll
372 cd ..
373 ll
374 cd ..
375 ll
376 cd /etc/ovirt-engine/extensions.d/
377 ll
378 cd extensions.d/
379 ll
380 pwd
381 ll
382 cd ..
383 ll
384 systemctl restart ovirt-engine.service
385 ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01
00:00:00Z"
386 ovirt-aaa-jdbc-tool user password-reset admin
--password-valid-to="2100-01-01 00:00:00Z"
387 systemctl restart ovirt-engine.service
388 ovirt-aaa-jdbc-tool user password-reset admin@internal
--password-valid-to="2100-01-01 00:00:00Z"
389 yum install -y ovirt-engine-extension-aaa-jdbc
390 engine-setup
391 ovirt-aaa-jdbc-tool user show admin
392 ovirt-aaa-jdbc-tool settings show
393 cd /var/log
394 ll
395 cd ovirt-engine
396 ll
397 tail -f n 100 ui.log
398 ll
399 tail -f -n engine.log
400 tail -f -n 1000 engine.log
401 tail -n 5000 engine.log | grep admin@internal
402 ovirt-aaa-jdbc-tool user show admin
403 ovirt-aaa-jdbc-tool user show admin@internal
404 ovirt-aaa-jdbc-tool query --what=user
405 engine-config -s AdminPassword=interactive
406 vim /etc/ovirt-engine/extension.d/internal-authn.properties
407 vim /etc/ovirt-engine/extensions.d/internal-authn.properties
408 cd /etc/ovirt-engine/extensions.d/
409 ll
410 vim /etc/ovirt-engine/aaa/internal.properties
411 cd /etc/ovirt-engine/aaa/
412 ll
413 vim internal.properties
414 pwd
415 ovirt-aaa-jdbc-tool user add julian
--attribute=firstName=Julian --attribute=lastName=Tete
--attribute=email=danteconrad14(a)gmail.com
416 ovirt-aaa-jdbc-tool user password-reset julian
--password-valid-to="2025-08-15 10:30:00Z"
417 history
418 tail -n 5000 engine.log | grep admin@internal
419 tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
420 ovirt-aaa-jdbc-tool user edit admin --account-valid-from="2015-10-01
00:00:00Z"
421 ovirt-aaa-jdbc-tool user password-reset admin --force
--password-valid-to="2100-01-01 00:00:00Z"
422 systemctl restart ovirt-engine.service
423 history
424 ovirt-aaa-jdbc-tool query --what=user
425 updatedb
426 locate internal
427 yum install -y ovirt-engine-cli
428 cd /opt
429 cd /opt/
2016-06-20 13:24 GMT-05:00 Ondra Machacek <omachace(a)redhat.com>:
On 06/20/2016 06:36 PM, Julián Tete wrote:
> oVirt: 3.6.2
>
> Trying to use:
>
>
https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>
> First use:
>
> engine-manage-domains add --domain=udistritaloas.edu.co
> <
http://udistritaloas.edu.co> --provider=ipa --user=admin
> --ldap-servers=freeipa.udistritaloas.edu.co
> <
http://freeipa.udistritaloas.edu.co>
>
>
> The domain was added, but I can't access the webadmin portal :/
>
> I get the message:
>
> "User is not authorized to perform this action."
>
> In ovirt-cli
>
> [401] - Unauthorized
>
> tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
>
> 2016-06-20 10:52:22,835 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-32) [] Correlation ID: null, Call Stack: null, Custom
> Event ID: -1, Message: User admin@internal failed to log in.
> 2016-06-20 10:52:22,836 WARN
> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32)
> [] CanDoAction of action 'LoginAdminUser' failed for user
> admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2016-06-20 11:00:37,679 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-3) [] Correlation ID: null, Call Stack: null, Custom Event
> ID: -1, Message: User admin@internal failed to log in.
> 2016-06-20 11:00:37,679 WARN
> [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) []
> CanDoAction of action 'LoginUser' failed for user admin@internal.
> Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2016-06-20 11:01:04,016 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-4) [] Correlation ID: null, Call Stack: null, Custom Event
> ID: -1, Message: User admin@internal failed to log in.
> 2016-06-20 11:01:04,016 WARN
> [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) []
> CanDoAction of action 'LoginUser' failed for user admin@internal.
> Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>
I am a little bit lost about what your steps were to get into this state, but it looks as though your admin@internal user had its SuperUser permission removed. I am really not sure how you could have achieved that, but to fix it please run the following command (take a backup of the engine database first, since this edits it directly; if the permission row already exists, psql reports a duplicate-key error and nothing is changed):
$ su - postgres -c "psql -t engine -c \"insert into permissions values
('0000001b-001b-001b-001b-00000000029f',
'00000000-0000-0000-0000-000000000001',
'fdfc627c-d875-11e0-90f0-83df133b58cc',
'aaa00000-0000-0000-0000-123456789aaa', 1);\""
This command will add a SuperUser permission for admin@internal on the whole system (the third UUID is admin's user ID as shown by `ovirt-aaa-jdbc-tool user show admin` below).
Can you please describe what you have done in a bit more detail, so we can
understand the problem?
Thanks.
> Properties of Internal domain:
>
> cat /etc/ovirt-engine/aaa/internal.properties
>
> ovirt.engine.extension.name <
http://ovirt.engine.extension.name> =
> internal-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine.extension.aaa.jdbc
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
> ovirt.engine.extension.provides =
> org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name
> <
http://ovirt.engine.aaa.authn.profile.name> = internal
> ovirt.engine.aaa.authn.authz.plugin = internal-authz
> config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>
> cat /etc/ovirt-engine/extensions.d/internal-authn.properties
>
> ovirt.engine.extension.name <
http://ovirt.engine.extension.name> =
> internal-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine.extension.aaa.jdbc
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
> ovirt.engine.extension.provides =
> org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name
> <
http://ovirt.engine.aaa.authn.profile.name> = internal
> ovirt.engine.aaa.authn.authz.plugin = internal-authz
> config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>
> cat /etc/ovirt-engine/extensions.d/internal-authz.properties
>
> ovirt.engine.extension.name <
http://ovirt.engine.extension.name> =
>
> internal-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine.extension.aaa.jdbc
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
> ovirt.engine.extension.provides =
> org.ovirt.engine.api.extensions.aaa.Authz
> config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>
> Properties of admin@internal user:
>
> ovirt-aaa-jdbc-tool user show admin
>
> -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
> Namespace: *
> Name: admin
> ID: fdfc627c-d875-11e0-90f0-83df133b58cc
> Display Name:
> Email:
> First Name: admin
> Last Name:
> Department:
> Title:
> Description:
> Account Disabled: false
> Account Unlocked At: 1970-01-01 00:00:00Z
> Account Valid From: 2015-10-01 00:00:00Z
> Account Valid To: 2100-01-01 00:00:00Z
> Account Without Password: false
> Last successful Login At: 2016-06-20 16:01:03Z
> Last unsuccessful Login At: 2016-06-19 16:53:07Z
> Password Valid To: 2100-01-01 00:00:00Z
>
> ¿ Can I assign privileges to the user ? ¿ Any idea ?
>
>