
On 04/12/2013 04:28 PM, Karli Sjöberg wrote:
On Fri 2013-04-12 at 14:41 +0300, Itamar Heim wrote:
On 04/12/2013 11:27 AM, Karli Sjöberg wrote:
Hey Everyone!
I solved it! I friggin solved it, and it didn't have anything to do with the spice-client, spice-plugin (ActiveX or XPI), or userportal specifically, it's in the engine itself! So Juanjo here said that it works for him, and I took a guess that's because he is only using admin@internal for testing (correct me if I'm wrong Juanjo), so I added a "UserRole" to admin on a test VM, logged into Userportal, clicked for console, and it worked! So, since our setup is a little more complex, as it's connected to our Active Directory, I concluded that it must be a permissions-related issue. I created a new UserRole, called "ConsoleOwner", that only has "Login Permissions" and "RemoteLogin" and added that role to our engine's "System Permissions" on a directory group as "broad" as possible. After that, if I also added an explicit UserRole permission for a directory user on any VM, now it works 100%. Me so happy! :)
A question goes out to the developers: Should you have to do that? I thought that permissions were supposed to be calculated like Windows ACLs' "Effective Permissions", so that if I just add sufficient permissions for a directory user on a VM, its effective permissions should have granted the necessary abilities in the system, without me having to first add that as a "big" system permission to have them granted? Bug, or intended?
Thank you so much Juanjo, for posting the versions you are currently using that proved that it "should" work, and that it had to be something else that prevented us from using it (which it was). Thank you!
can you please clarify again which permission you granted to a user on the VM which didn't work before you added to the user the console permission?
I'm not really sure if I understood your question completely, so I'll explain again:
1) Only adding directory user/group with "UserRole" permission to a VM or Pool = Fail; "Couldn't connect to graphics server".
user role to a VM should suffice since it should already include the 'remote log in' permit. very strange - has anyone else seen something like that?
2) First adding a very broad directory group with "ConsoleOwner"[1] permission to the inherited "System Permissions", and then adding directory user/group with "UserRole" to a VM or Pool = Success!
[1] ConsoleOwner is a "User Role" I created that only needed to permit "Login Permissions" and "Remote Log In".
We haz VDI now, "Powered by oVirt";)
--
Best regards
-------------------------------------------------------------------------------
Karli Sjöberg
Swedish University of Agricultural Sciences
Box 7079 (Visiting Address Kronåsvägen 8)
S-750 07 Uppsala, Sweden
Phone: +46-(0)18-67 15 66
karli.sjoberg@slu.se