On Mon, Mar 11, 2019 at 4:49 AM Martin Perina <mperina(a)redhat.com> wrote:
On Sat, Mar 9, 2019 at 10:43 AM <l.kamara(a)imperial.ac.uk> wrote:
> > I just did a clean install of oVirt 4.3.1 (engine and nodes).
> >
> > I set up AD authentication and gave an AD group the permissions needed to
> > work with VMs. I gave them PowerUserRole on the Cluster and Storage.
> >
> > Users in the AD group can log in and create VMs, but after they log out
> > and log back in they don't see any of the VMs created in the previous
> > session.
> >
> > I noticed that in Administration -> Users a new row is created for each
> > user every time they log in. All columns for each user are the same: same
> > first and last name, same user name, authorization provider, and so on,
> > but the behavior looks very much like they are being treated as a new user
> > every time they log in.
>
Ravi, is the above the same issue as the one tracked in
https://bugzilla.redhat.com/show_bug.cgi?id=1672860 ?
>
>
> I have observed the same behaviour with oVirt 4.3.XY
>
> Delving deeper, in the oVirt engine 'users' table, external_id is *not*
> being set for AD users as documented in (e.g.)
> engines/packaging/dbscripts/common_sp.sql
>
> "The external identifier is the user identifier converted to an array of
> bytes:"
>
> ovirt 4.3.0
> username    | user_id                              | external_id
> user@domain | f3de0b27-c2a0-463b-a2ff-d480bd88c77f | ece7b8c2-4983-4c1e-9a33-c28d58d40213
>
>
> And under ovirt 4.2.8 for comparison:
>
> username    | user_id                              | external_id
> user@domain | 364d176e-8813-4e67-bdd0-dc10b823d23c | af5bbg/eTkuktBPXW4Ak5g==
>
>
> Further information on replicating the issue:
>
> 1) Configure LDAP authentication:
>
> https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html...
>
>
> 2) Add an LDAP group via the Administration Portal:
>
> Administration >> Users > 'Add' button, click the 'Group'
> radio-button, select the relevant LDAP authorization provider in the
> drop-down list under 'Search', enter the LDAP group
> in the search text-box then click 'GO'.
>
> The found group should appear below. Select the
> toggle-button to the left of the group then click
> 'Add and Close'.
>
>
> 3) Add SuperUser system permission for the LDAP group.
>
> Back under Administration >> Users, click the 'Group'
> button if groups are not already displayed. Click on
> the LDAP group added in the previous step then click
> 'Permissions' -> 'Add System Permissions'
>
>
> 4) Log into the Administration Portal as an LDAP group member.
> Log out, then log back into the Administration Portal as a
> member of the LDAP group specified above. Login should be
> successful because that user will inherit the SuperUser
> system permission, but note the following issues:
>
> - under Administration >> Users, note that a 'User' icon
> is displayed for the LDAP user rather than an 'Admin' icon.
> This is in contrast to 4.2.8, where an Admin icon would
> be displayed.
>
>
> 5) Repeat step 4 above.
> If you log out, then log back into the Administration Portal as
> the same member of the LDAP group specified above and
> check Administration >> Users, an additional user entry appears:
> same First Name, Last Name, Authorization provider, Namespace
> and E-mail.
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/PC2JLU65QED...
>
--
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
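As an added example, not part of the thread and not oVirt's own code: a small Python check that an administrator could run over an export of the three `users` columns quoted above. It flags any username that has ended up with more than one distinct `external_id` (the symptom described: each login treated as a new principal, so permissions and VM ownership from earlier sessions no longer attach to the returning user), and it classifies whether an `external_id` value looks like the 24-character base64 byte form seen in the 4.2.8 excerpt or the textual UUID seen in the 4.3.0 excerpt. The first data row is copied from the thread; the other rows, the `admin@internal` placeholder value, and the in-memory SQLite backend are constructed assumptions (the real engine database is PostgreSQL; the query uses only standard SQL).

```python
"""Audit for unstable user identities in an oVirt-style `users` table.

Added example; not oVirt code. Reduced to the three columns shown in the
thread (username, user_id, external_id). Sample rows are constructed.
"""
import base64
import binascii
import sqlite3
import uuid

# Constructed sample: the first row is the 4.3.0 excerpt from the thread, the
# second is what a further login would produce if the reported symptom holds
# (new user_id and new textual external_id), the third is a single-row local
# account whose external_id is a placeholder, not a real oVirt value.
CONSTRUCTED_43_ROWS = [
    ("user@domain", "f3de0b27-c2a0-463b-a2ff-d480bd88c77f", "ece7b8c2-4983-4c1e-9a33-c28d58d40213"),
    ("user@domain", "7c1e5d2a-1111-4222-8333-444455556666", "d4e5f6a7-8888-4999-8aaa-bbbbccccdddd"),
    ("admin@internal", "2f7c0d3e-0000-4000-8000-0000000000aa", "PLACEHOLDER-internal-admin"),
]


def classify_external_id(value: str) -> str:
    """Tell a base64-encoded byte identifier (the 4.2.8 form quoted in the
    thread) from a textual UUID (the 4.3.0 form). Returns one of
    'uuid-text', 'bytes-b64-16', 'bytes-b64' or 'unknown'."""
    try:
        uuid.UUID(value)
        return "uuid-text"
    except ValueError:
        pass
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    # 16 bytes is the size of a GUID; the thread's common_sp.sql quote says the
    # external identifier is the user identifier converted to bytes.
    return "bytes-b64-16" if len(raw) == 16 else "bytes-b64"


def find_unstable_identities(rows):
    """Return {username: sorted list of distinct external_id values} for every
    username that carries more than one distinct external_id, i.e. users the
    engine is treating as a new principal on each login."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, user_id TEXT, external_id TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    cur = con.execute(
        """SELECT username, GROUP_CONCAT(external_id, ' ')
           FROM (SELECT DISTINCT username, external_id FROM users)
           GROUP BY username
           HAVING COUNT(*) > 1"""
    )
    result = {name: sorted(ids.split(" ")) for name, ids in cur.fetchall()}
    con.close()
    return result


def audit(rows):
    """Combine both checks into one report: duplicate identities plus the
    external_id format seen for each affected user."""
    report = {}
    for name, ids in find_unstable_identities(rows).items():
        report[name] = {"external_ids": ids,
                        "formats": sorted({classify_external_id(i) for i in ids})}
    return report


if __name__ == "__main__":
    # Values quoted in the thread
    print("4.2.8 external_id:", classify_external_id("af5bbg/eTkuktBPXW4Ak5g=="))
    print("4.3.0 external_id:", classify_external_id("ece7b8c2-4983-4c1e-9a33-c28d58d40213"))
    for user, details in audit(CONSTRUCTED_43_ROWS).items():
        print(f"{user}: {len(details['external_ids'])} distinct external_id values "
              f"({', '.join(details['formats'])})")
```

Run against a real export, a non-empty `audit()` result for directory users is the signal to investigate the authz extension and the `external_id` column before granting or re-granting permissions, since any permission attached to one of the duplicate rows will not follow the user to the next login.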