
Hi Ondra,

It is over a year since the last message, so I thought let's give this a new try. I set up a new test environment with the latest versions, all RH-family (CentOS 7.3 with oVirt 4.1). The oVirt engine works fine with IPA; in the console I can log in with my credentials. But SSO still does not work :-(

Unfortunately the workaround with "authconfig --enablenis --update" breaks polkit.service and cascades into a lot of other failures, making the VM fail to boot properly.

Any suggestions?

Regards,
Paul

System setup:

--- Engine ---
[root@engine ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@engine ~]# uname -a
Linux engine.domain.com 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@engine ~]# rpm -qa | grep ovirt
ovirt-engine-setup-plugin-ovirt-engine-common-4.1.1.8-1.el7.centos.noarch
ovirt-imageio-proxy-1.0.0-0.201701151456.git89ae3b4.el7.centos.noarch
ovirt-iso-uploader-4.0.2-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-4.1.1.8-1.el7.centos.noarch
ovirt-engine-tools-4.1.1.8-1.el7.centos.noarch
ovirt-engine-backend-4.1.1.8-1.el7.centos.noarch
ovirt-engine-extension-aaa-jdbc-1.1.4-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-setup-1.3.1-1.el7.centos.noarch
ovirt-release41-4.1.1.1-1.el7.centos.noarch
ovirt-setup-lib-1.1.0-1.el7.centos.noarch
ovirt-imageio-common-1.0.0-1.el7.noarch
ovirt-engine-sdk-python-3.6.9.1-1.el7.centos.noarch
ovirt-engine-extensions-api-impl-4.1.1.8-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.3.1-1.el7.centos.noarch
ovirt-imageio-proxy-setup-1.0.0-0.201701151456.git89ae3b4.el7.centos.noarch
ovirt-engine-dwh-4.1.1-1.el7.centos.noarch
ovirt-engine-setup-plugin-websocket-proxy-4.1.1.8-1.el7.centos.noarch
ovirt-engine-tools-backup-4.1.1.8-1.el7.centos.noarch
ovirt-engine-setup-4.1.1.8-1.el7.centos.noarch
ovirt-engine-vmconsole-proxy-helper-4.1.1.8-1.el7.centos.noarch
ovirt-engine-dashboard-1.1.0-7.el7.centos.noarch
ovirt-engine-metrics-1.0.2-1.el7.centos.noarch
ovirt-engine-userportal-4.1.1.8-1.el7.centos.noarch
ovirt-engine-dbscripts-4.1.1.8-1.el7.centos.noarch
ovirt-engine-4.1.1.8-1.el7.centos.noarch
ovirt-engine-wildfly-10.1.0-1.el7.x86_64
python-ovirt-engine-sdk4-4.1.3-2.el7.centos.x86_64
ovirt-vmconsole-proxy-1.0.4-1.el7.centos.noarch
ovirt-engine-wildfly-overlay-10.0.0-1.el7.noarch
ovirt-engine-cli-3.6.9.2-1.el7.centos.noarch
ovirt-engine-lib-4.1.1.8-1.el7.centos.noarch
ovirt-host-deploy-java-1.6.3-1.el7.centos.noarch
ovirt-engine-dwh-setup-4.1.1-1.el7.centos.noarch
ovirt-engine-websocket-proxy-4.1.1.8-1.el7.centos.noarch
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.1.1.8-1.el7.centos.noarch
ovirt-engine-webadmin-portal-4.1.1.8-1.el7.centos.noarch
ovirt-engine-restapi-4.1.1.8-1.el7.centos.noarch
ovirt-guest-agent-common-1.0.13-2.el7.noarch
ovirt-host-deploy-1.6.3-1.el7.centos.noarch
ovirt-vmconsole-1.0.4-1.el7.centos.noarch
ovirt-engine-extension-aaa-misc-1.0.1-1.el7.noarch
ovirt-web-ui-0.1.2-4.el7.centos.x86_64
ovirt-engine-setup-base-4.1.1.8-1.el7.centos.noarch

--- IPA ---
[root@ipa01 log]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@ipa01 log]# uname -a
Linux ipa01.domain.com 3.10.0-514.16.1.el7.x86_64 #1 SMP Wed Apr 12 15:04:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@ipa01 log]# rpm -qa | grep ipa
python2-ipalib-4.4.0-14.el7.centos.7.noarch
python2-ipaserver-4.4.0-14.el7.centos.7.noarch
libipa_hbac-1.14.0-43.el7_3.14.x86_64
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-common-4.4.0-14.el7.centos.7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
python-ipaddress-1.0.16-2.el7.noarch
sssd-ipa-1.14.0-43.el7_3.14.x86_64
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
ipa-client-4.4.0-14.el7.centos.7.x86_64
ipa-server-4.4.0-14.el7.centos.7.x86_64
ipa-server-common-4.4.0-14.el7.centos.7.noarch
ipa-admintools-4.4.0-14.el7.centos.7.noarch
ipa-server-dns-4.4.0-14.el7.centos.7.noarch

--- Client ---
[root@ad01 ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@ad01 ~]# uname -a
Linux ad01.domain.com 3.10.0-514.16.1.el7.x86_64 #1 SMP Wed Apr 12 15:04:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@ad01 ~]# rpm -qa | grep ipa
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
python-iniparse-0.4-9.el7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
ipa-client-4.4.0-14.el7.centos.7.x86_64
sssd-ipa-1.14.0-43.el7_3.14.x86_64
python-ipaddress-1.0.16-2.el7.noarch
python2-ipalib-4.4.0-14.el7.centos.7.noarch
ipa-common-4.4.0-14.el7.centos.7.noarch
libipa_hbac-1.14.0-43.el7_3.14.x86_64
[root@ad01 ~]# rpm -qa | grep ovirt
ovirt-guest-agent-pam-module-1.0.13-2.el7.x86_64
ovirt-guest-agent-common-1.0.13-2.el7.noarch
ovirt-guest-agent-gdm-plugin-1.0.13-2.el7.noarch

Relevant logs:

--- client ---
[root@ad01 ~]# vi /var/log/messages
Apr 21 10:07:59 ad01 [sssd[krb5_child[2635]]]: Preauthentication failed
Apr 21 10:07:59 ad01 [sssd[krb5_child[2635]]]: Preauthentication failed

[root@ad01 ~]# vi /var/log/sssd/krb5_child.log
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [unpack_buffer] (0x0100): cmd [249] uid [1480400007] gid [1480400007] validate [true] enterprise principal [false] offline [false] UPN [test@DOMAIN.COM]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ad01.domain.com@DOMAIN.COM]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [become_user] (0x0200): Trying to become user [1480400007][1480400007].
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [k5c_send_data] (0x0200): Received error code 0
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [unpack_buffer] (0x0100): cmd [241] uid [1480400007] gid [1480400007] validate [true] enterprise principal [false] offline [false] UPN [test@DOMAIN.COM]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1480400007] old_ccname: [KEYRING:persistent:1480400007] keytab: [/etc/krb5.keytab]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [switch_creds] (0x0200): Switch user to [1480400007][1480400007].
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ad01.domain.com@DOMAIN.COM]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [become_user] (0x0200): Trying to become user [1480400007][1480400007].
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328360][Preauthentication failed]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [map_krb5_error] (0x0020): 1365: [-1765328360][Preauthentication failed]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [k5c_send_data] (0x0200): Received error code 1432158221

--- IPA ---
/var/log/krb5kdc.log
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: test@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM, Additional pre-authentication required
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: test@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM, Additional pre-authentication required
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: test@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM, Additional pre-authentication required
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: test@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM, Additional pre-authentication required
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.2.2: PREAUTH_FAILED: test@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM, Incorrect password in encrypted challenge
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12

-----Original Message-----
From: Paul [mailto:paul@kenla.nl]
Sent: Sunday 20 March 2016 16:48
To: 'Ondra Machacek' <omachace@redhat.com>; 'users@ovirt.org' <users@ovirt.org>
Subject: RE: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA not working

Hi Ondra,

Bug 1316135 was new to me and sounds very similar to my issue: "(0, 17, <NULL>) [Success (Failure setting user credentials)]"

The proposed work-around with "authconfig --enablenis --update" worked for me, although it creates an issue with the keyring authentication. I can live with this for the moment, but hopefully the bug can be fixed soon.

Thanks for the quick responses,

Regards,
Paul

-----Original Message-----
From: Ondra Machacek [mailto:omachace@redhat.com]
Sent: Thursday 17 March 2016 19:12
To: Paul <paul@kenla.nl>; users@ovirt.org
Subject: Re: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA not working

Hi Paul,

OK, thanks for the info. Then there is an issue in the PAM configuration, most probably. There is an open issue for it on RHEL 7; please try reading this comment [1] and see if it helps you.

Ondra

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1316135#c3
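A triage aid for the two log formats quoted in this thread, added here as an example (not code from the thread, from SSSD or from FreeIPA): it parses constructed sample lines in the krb5_child.log and krb5kdc.log formats shown above, collects the error-level messages per krb5_child PID, and joins them with the KDC's final AS_REQ verdict for the same principal, so one can see at a glance that the client never had a password to offer ("Cannot handle password prompts") before the KDC rejected the encrypted-challenge preauth. The sample lines, regexes and function names are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two log formats the thread quotes (not the poster's full logs).
KRB5_CHILD_LOG = """\
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [unpack_buffer] (0x0100): cmd [249] uid [1480400007] gid [1480400007] validate [true] enterprise principal [false] offline [false] UPN [test@DOMAIN.COM]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [unpack_buffer] (0x0100): cmd [241] uid [1480400007] gid [1480400007] validate [true] enterprise principal [false] offline [false] UPN [test@DOMAIN.COM]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328360][Preauthentication failed]
"""
KDC_LOG = """\
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: test@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM, Additional pre-authentication required
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.2.2: PREAUTH_FAILED: test@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM, Incorrect password in encrypted challenge
"""

CHILD_RE = re.compile(r"^\(.*?\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] \[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$")
KDC_RE = re.compile(r"\(\w+\): AS_REQ \(.*?\) (?P<client>\S+): (?P<status>[A-Z_]+): (?P<princ>\S+) for \S+, (?P<reason>.*)$")
KRB5KDC_ERR_PREAUTH_FAILED = -1765328360  # krb5 error-table base -1765328384 + code 24

def parse_krb5_child(text):
    """Per krb5_child PID: the UPN it worked on and the level-0x0020 (operation failure) messages it logged."""
    children = defaultdict(lambda: {"upn": None, "errors": []})
    for m in filter(None, map(CHILD_RE.match, text.splitlines())):  # skip lines that are not krb5_child entries
        rec = children[m["pid"]]
        if m["func"] == "unpack_buffer":  # the first unpack_buffer line names the principal being authenticated
            upn = re.search(r"UPN \[([^\]]+)\]", m["msg"])
            rec["upn"] = upn.group(1) if upn else rec["upn"]
        elif m["lvl"] == "0x0020":  # SSSDBG_OP_FAILURE: the messages that explain a failed login
            rec["errors"].append(m["msg"])
    return dict(children)

def parse_kdc(text):
    """Final AS_REQ outcome per principal as (client IP, status, reason); NEEDED_PREAUTH is only round one."""
    outcome = {}
    for m in filter(None, map(KDC_RE.search, text.splitlines())):
        if m["status"] != "NEEDED_PREAUTH":  # keep the verdict, not the preauth negotiation
            outcome[m["princ"]] = (m["client"], m["status"], m["reason"])
    return outcome

def triage(child_log, kdc_log):
    """Join both sides on the principal: did the client have a password to offer, and what did the KDC answer?"""
    kdc, report = parse_kdc(kdc_log), {}
    for pid, rec in parse_krb5_child(child_log).items():
        r = report.setdefault(rec["upn"], {"child_pids": [], "no_password": False, "preauth_failed": False, "kdc": kdc.get(rec["upn"])})
        r["child_pids"].append(pid)
        r["no_password"] |= any("Cannot handle password prompts" in e for e in rec["errors"])
        r["preauth_failed"] |= any(f"[{KRB5KDC_ERR_PREAUTH_FAILED}]" in e for e in rec["errors"])
    return report
```

`triage(KRB5_CHILD_LOG, KDC_LOG)` yields one entry for test@DOMAIN.COM with both flags set and the KDC verdict attached; point it at real files to check whether the same pattern is present.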