
Thanks Ondra :)

With the command:

su - postgres -c "psql -t engine -c \"insert into permissions values ('0000001b-001b-001b-001b-00000000029f', '00000000-0000-0000-0000-000000000001', 'fdfc627c-d875-11e0-90f0-83df133b58cc', 'aaa00000-0000-0000-0000-123456789aaa', 1);\""

I get:

ERROR: duplicate key value violates unique constraint "idx_combined_ad_role_object"
DETAIL: Key (ad_element_id, role_id, object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc, 00000000-0000-0000-0000-000000000001, aaa00000-0000-0000-0000-123456789aaa) already exists.

History

261 yum install ovirt-engine-extension-aaa-ldap
262 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/
263 cd /etc/ovirt-engine/
264 ll
265 vim profile1.properties
266 ll
267 cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
268 cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/
269 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
270 ll
271 cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
272 cd /etc/ovirt-engine/extensions.d/
273 ll
274 find / -type f -iname profile1.properties
275 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/aaa/
276 find / -type f -iname profile1.properties
277 vim /etc/ovirt-engine/aaa/profile1.properties
278 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
279 chmod 600 /etc/ovirt-engine/aaa/profile1.properties
280 systemctl restart ovirt-engine
281 vim /etc/ovirt-engine/extensions.d/profile1-authn.properties
282 cd /usr/share/
283 ls
284 cd ovirt-engine-aaa-ldap
285 ls
286 cd ovirt-engine-extension-aaa-ldap/
287 ls
288 cd examples/
289 ls
290 cd ad
291 ls
292 cd extensions.d/
293 ls
294 vim profile1-authn.properties
295 pwd
296 cd ..
297 pwd
298 cd ..
299 ls
300 cd simple
301 ls
302 cd aaa/
303 ls
304 vim profile1.properties
305 pwd
306 rm -rf /etc/ovirt-engine/aaa/profile1.properties
307 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties /etc/ovirt-engine/aaa/
308 vim /etc/ovirt-engine/aaa/profile1.properties
309 history
310 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
311 chmod 600 /etc/ovirt-engine/aaa/profile1.properties
312 systemctl restart ovirt-engine
313 updatedb
314 locate domain1-authn.properties
315 history
316 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
317 ll
318 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
319 ls
320 cd extensions.d/
321 ls
322 pwd
323 cd /etc/ovirt-engine/extensions.d/
324 ls
325 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/ /etc/ovirt-engine/extensions.d/
326 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
327 rm -rf /etc/ovirt-engine/extensions.d/profile1-authn.properties
328 rm -rf /etc/ovirt-engine/extensions.d/profile1-authz.properties
329 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
330 ll
331 history
332 chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*
333 chmod 600 /etc/ovirt-engine/extensions.d/*
334 ll
335 cd extensions.d/
336 ll
337 cd
338 engine-config -s SASL_QOP=auth
339 systemctl restart ovirt-engine
340 engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
341 systemctl restart ovirt-engine
342 engine-manage-domains list
343 history
344 cd /etc/ovirt-engine/extensions.d/
345 ll
346 rm -rf internal-authn.properties
347 rm -rf internal-authz.properties
348 rm -rf profile1-authn.properties
349 rm -rf profile1-authz.properties
350 history
351 cd /etc/ovirt-engine/aaa/
352 ll
353 rm -rf profile1.properties
354 vim internal.properties
355 systemctl restart ovirt-engine
356 ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"
357 ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
358 engine-config -s AdminPassword=interactive
359 ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
360 systemctl restart ovirt-engine
361 exit
362 cd /etc/ovirt-engine/aaa/
363 ll
364 vim internal.properties
365 /etc/ovirt-engine/extensions.d/
366 cd /etc/ovirt-engine/extensions.d/
367 ll
368 cd extensions.d/
369 ll
370 pwd
371 ll
372 cd ..
373 ll
374 cd ..
375 ll
376 cd /etc/ovirt-engine/extensions.d/
377 ll
378 cd extensions.d/
379 ll
380 pwd
381 ll
382 cd ..
383 ll
384 systemctl restart ovirt-engine.service
385 ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"
386 ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
387 systemctl restart ovirt-engine.service
388 ovirt-aaa-jdbc-tool user password-reset admin@internal --password-valid-to="2100-01-01 00:00:00Z"
389 yum install -y ovirt-engine-extension-aaa-jdbc
390 engine-setup
391 ovirt-aaa-jdbc-tool user show admin
392 ovirt-aaa-jdbc-tool settings show
393 cd /var/log
394 ll
395 cd ovirt-engine
396 ll
397 tail -f n 100 ui.log
398 ll
399 tail -f -n engine.log
400 tail -f -n 1000 engine.log
401 tail -n 5000 engine.log | grep admin@internal
402 ovirt-aaa-jdbc-tool user show admin
403 ovirt-aaa-jdbc-tool user show admin@internal
404 ovirt-aaa-jdbc-tool query --what=user
405 engine-config -s AdminPassword=interactive
406 vim /etc/ovirt-engine/extension.d/internal-authn.properties
407 vim /etc/ovirt-engine/extensions.d/internal-authn.properties
408 cd /etc/ovirt-engine/extensions.d/
409 ll
410 vim /etc/ovirt-engine/aaa/internal.properties
411 cd /etc/ovirt-engine/aaa/
412 ll
413 vim internal.properties
414 pwd
415 ovirt-aaa-jdbc-tool user add julian --attribute=firstName=Julian --attribute=lastName=Tete --attribute=email=danteconrad14@gmail.com
416 ovirt-aaa-jdbc-tool user password-reset julian --password-valid-to="2025-08-15 10:30:00Z"
417 history
418 tail -n 5000 engine.log | grep admin@internal
419 tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
420 ovirt-aaa-jdbc-tool user edit admin --account-valid-from="2015-10-01 00:00:00Z"
421 ovirt-aaa-jdbc-tool user password-reset admin --force --password-valid-to="2100-01-01 00:00:00Z"
422 systemctl restart ovirt-engine.service
423 history
424 ovirt-aaa-jdbc-tool query --what=user
425 updatedb
426 locate internal
427 yum install -y ovirt-engine-cli
428 cd /opt
429 cd /opt/

2016-06-20 13:24 GMT-05:00 Ondra Machacek <omachace@redhat.com>:
On 06/20/2016 06:36 PM, Julián Tete wrote:
oVirt: 3.6.2
Trying to use:
https://github.com/machacekondra/ovirt-engine-kerbldap-migration
First use:
engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
The domain was added, but I can't access the webadmin portal :/
I get the message:
"User is not authorized to perform this action."
In ovirt-cli
[401] - Unauthorized
tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
2016-06-20 10:52:22,835 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-32) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
2016-06-20 10:52:22,836 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:00:37,679 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-3) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
2016-06-20 11:00:37,679 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:01:04,016 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-4) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
2016-06-20 11:01:04,016 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
I am a little bit lost as to what your steps were to get into this state, but it looks like your admin@internal user had its SuperUser permissions removed. I am really not sure how you could have achieved that, but to fix it please run the following command:
$ su - postgres -c "psql -t engine -c \"insert into permissions values ('0000001b-001b-001b-001b-00000000029f', '00000000-0000-0000-0000-000000000001', 'fdfc627c-d875-11e0-90f0-83df133b58cc', 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
This command will give your admin@internal user SuperUser permissions on the system.
Can you please describe what you have done in a bit more detail, so we can understand the problem?
Thanks.
Properties of Internal domain:
cat /etc/ovirt-engine/aaa/internal.properties
ovirt.engine.extension.name = internal-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = internal
ovirt.engine.aaa.authn.authz.plugin = internal-authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
cat /etc/ovirt-engine/extensions.d/internal-authn.properties
ovirt.engine.extension.name = internal-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = internal
ovirt.engine.aaa.authn.authz.plugin = internal-authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
cat /etc/ovirt-engine/extensions.d/internal-authz.properties
ovirt.engine.extension.name = internal-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
Properties of admin@internal user:
ovirt-aaa-jdbc-tool user show admin
-- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
Namespace: *
Name: admin
ID: fdfc627c-d875-11e0-90f0-83df133b58cc
Display Name:
Email:
First Name: admin
Last Name:
Department:
Title:
Description:
Account Disabled: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2015-10-01 00:00:00Z
Account Valid To: 2100-01-01 00:00:00Z
Account Without Password: false
Last successful Login At: 2016-06-20 16:01:03Z
Last unsuccessful Login At: 2016-06-19 16:53:07Z
Password Valid To: 2100-01-01 00:00:00Z
Can I assign privileges to the user? Any idea?