On 04/12/2013 04:28 PM, Karli Sjöberg wrote:
Fri 2013-04-12 at 14:41 +0300, Itamar Heim wrote:
> On 04/12/2013 11:27 AM, Karli Sjöberg wrote:
> > Hey Everyone!
> >
> > I solved it! I friggin solved it, and it didn't have anything to do with
> > the spice-client, spice-plugin (ActiveX or XPI), or userportal
> > specifically, it's in the engine itself! So Juanjo here said that it
> > works for him, and I took a guess that's because he is only using
> > admin@internal for testing (correct me if I'm
> > wrong Juanjo), so I added a "UserRole" to admin on a test VM, logged
> > into Userportal, clicked for console, and it worked! So, since our setup
> > is a little more complex, as it's connected to our ActiveDirectory, I
> > concluded that it must be a permissions related issue. I created a new
> > UserRole, called "ConsoleOwner" that only has "Login Permissions" and
> > "RemoteLogin" and added that role to our engine's "System Permissions"
> > on a directory group as "broad" as possible. After that if I also added
> > an explicit UserRole permission for a directory user on any VM now it
> > works 100%. Me so happy! :)
> >
> > A question goes out to the developers: Should you have to do that? I
> > thought that permissions were supposed to be calculated like Windows
> > ACLs "Effective Permissions", so that if I just add sufficient
> > permissions for a directory user on a VM, its effective permissions
> > should have granted the necessary abilities in the system, without me
> > having to first add that as a "big" system permission to have them
> > granted? Bug, or intended?
> >
> > Thank you so much Juanjo, for posting the versions you are currently
> > using that proved that it "should" work, and that it had to be something
> > else that prevented us from using it (which it was). Thank you!
>
> can you please clarify again which permission you granted to a user on
> the VM which didn't work before you added to the user the console
> permission?
I'm not really sure if I understood your question completely, so I'll
explain again:

1) Only adding directory user/group with "UserRole" permission to a VM
or Pool = Fail; "Couldn't connect to graphics server".

user role to a VM should suffice since it should already include the
'remote log in' permit.
very strange - has anyone else seen something like that?

2) First adding a very broad directory group with "ConsoleOwner"[1]
permission to the inherited "System Permissions", and then add directory
user/group with "UserRole" to a VM or Pool = Success!

[1] ConsoleOwner is a "User Role" I created that only needed to permit
"Login Permissions" and "Remote Log In".

We haz VDI now, "Powered by oVirt" ;)
--
Best Regards
-------------------------------------------------------------------------------
Karli Sjöberg
Swedish University of Agricultural Sciences
Box 7079 (Visiting Address Kronåsvägen 8)
S-750 07 Uppsala, Sweden
Phone: +46-(0)18-67 15 66
karli.sjoberg(a)slu.se <mailto:karli.sjoberg@adm.slu.se>