[Users] Free IPA + oVirt setup fails
Hi guys, I'm trying to work around the impossibility of adding local users into oVirt by setting up a FreeIPA server for my test rig... :( Everything is Fedora 19 and whatever package versions come with it. 1) I have an A-record, a PTR-record and the necessary SRV records for my server in dnsmasq on my OpenWRT router: ptr-record=60.2.168.192.in-addr.arpa,"freeipa.iiordanov.com" srv-host=_kerberos-master._tcp,freeipa.iiordanov.com,88,0,100 srv-host=_kerberos-master._udp,freeipa.iiordanov.com,88,0,100 srv-host=_kerberos._tcp,freeipa.iiordanov.com,88,0,100 srv-host=_kerberos._udp,freeipa.iiordanov.com,88,0,100 srv-host=_kpasswd._tcp,freeipa.iiordanov.com,464,0,100 srv-host=_kpasswd._udp,freeipa.iiordanov.com,464,0,100 srv-host=_ldap._tcp,freeipa.iiordanov.com,389,0,100 2) I have run ipa-server-install and everything completed without error. I've disabled the firewall on the server completely and the iptables chains are all clean. I've rebooted the server just in case. 3) When I try to add the IPA server to oVirt, I get a nasty error! # engine-manage-domains -action=add -domain=iiordanov.com -user=admin -provider=ipa -interactive Enter password: General error has occurednull java.lang.NegativeArraySizeException at sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367) at sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722) at sun.security.jgss.krb5.WrapToken_v2.<init>(WrapToken_v2.java:200) at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:861) at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385) at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:104) at com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89) at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:430) at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555) at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985) at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339) at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267) at org.ovirt.engine.core.ldap.RootDSEData.<init>(RootDSEData.java:52) at org.ovirt.engine.core.utils.kerberos.JndiAction.getDomainDN(JndiAction.java:257) at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:87) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:356) at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174) at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:150) at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:135) at org.ovirt.engine.core.domains.ManageDomains.checkKerberosConfiguration(ManageDomains.java:746) at org.ovirt.engine.core.domains.ManageDomains.testConfiguration(ManageDomains.java:917) at org.ovirt.engine.core.domains.ManageDomains.addDomain(ManageDomains.java:539) at org.ovirt.engine.core.domains.ManageDomains.runCommand(ManageDomains.java:311) at org.ovirt.engine.core.domains.ManageDomains.main(ManageDomains.java:206) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.jboss.modules.Module.run(Module.java:260) at org.jboss.modules.Main.main(Main.java:291) Failure while testing domain %1$s. Details: %2$s: One of the parameters for this error is null and no default message to show Can anybody spot the trouble here? Any help is appreciated! Many thanks! iordan -- The conscious mind has only one thread of execution.
On 11/23/2013 05:36 PM, i iordanov wrote:
Hi guys,
I'm trying to work around the impossibility of adding local users into oVirt by setting up a FreeIPA server for my test rig... :(
Everything is Fedora 19 and whatever package versions come with it.
1) I have an A-record, a PTR-record and the necessary SRV records for my server in dnsmasq on my OpenWRT router: ptr-record=60.2.168.192.in-addr.arpa,"freeipa.iiordanov.com" srv-host=_kerberos-master._tcp,freeipa.iiordanov.com,88,0,100 srv-host=_kerberos-master._udp,freeipa.iiordanov.com,88,0,100 srv-host=_kerberos._tcp,freeipa.iiordanov.com,88,0,100 srv-host=_kerberos._udp,freeipa.iiordanov.com,88,0,100 srv-host=_kpasswd._tcp,freeipa.iiordanov.com,464,0,100 srv-host=_kpasswd._udp,freeipa.iiordanov.com,464,0,100 srv-host=_ldap._tcp,freeipa.iiordanov.com,389,0,100
2) I have run ipa-server-install and everything completed without error. I've disabled the firewall on the server completely and the iptables chains are all clean. I've rebooted the server just in case.
3) When I try to add the IPA server to oVirt, I get a nasty error!
# engine-manage-domains -action=add -domain=iiordanov.com -user=admin -provider=ipa -interactive Enter password:
General error has occurednull java.lang.NegativeArraySizeException at sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367) at sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722) at sun.security.jgss.krb5.WrapToken_v2.<init>(WrapToken_v2.java:200) at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:861) at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385) at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:104) at com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89) at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:430) at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555) at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985) at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339) at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267) at org.ovirt.engine.core.ldap.RootDSEData.<init>(RootDSEData.java:52) at org.ovirt.engine.core.utils.kerberos.JndiAction.getDomainDN(JndiAction.java:257) at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:87) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:356) at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174) at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:150) at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:135) at org.ovirt.engine.core.domains.ManageDomains.checkKerberosConfiguration(ManageDomains.java:746) at org.ovirt.engine.core.domains.ManageDomains.testConfiguration(ManageDomains.java:917) at org.ovirt.engine.core.domains.ManageDomains.addDomain(ManageDomains.java:539) at org.ovirt.engine.core.domains.ManageDomains.runCommand(ManageDomains.java:311) at org.ovirt.engine.core.domains.ManageDomains.main(ManageDomains.java:206) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.jboss.modules.Module.run(Module.java:260) at org.jboss.modules.Main.main(Main.java:291) Failure while testing domain %1$s. Details: %2$s: One of the parameters for this error is null and no default message to show
Can anybody spot the trouble here? Any help is appreciated!
This is an issue that we have already detected with OpenLDAP, and it looks like at least two users (including you) are experiencing it with IPA as well, maybe something changed in a recent versions of IPA. I believe this is related to the setting of the "minimum security strength factor" in the LDAP server. I have proposed a change to make the error from engine-manage-domains more explicit: http://gerrit.ovirt.org/21505 However this doesn't fix the issue, just makes it easier (hopefully) to detect. I would really appreciate if you can test to change the minssf parameter in your LDAP server. Locate the following parameter in the /etc/dirsrv/slapd-YOUR-REALM/dse.ldif file: dn: cn=config nsslapd-minssf: 0 The value will probably be 0, as shown. Stop your IPA server, change it to 1, start the IPA server, and try again to add the domain with engine-manage-domains. Please report your results. -- Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.
Hi Juan, I found the setting in the file you pointed me to: nsslapd-minssf: 0 I changed it to 1, but as soon as I restart the ipa service with: systemctl restart ipa or reboot it reverts back to 0! Why is this happening? Many thanks! iordan -- The conscious mind has only one thread of execution.
On 11/23/2013 07:36 PM, i iordanov wrote:
Hi Juan,
I found the setting in the file you pointed me to: nsslapd-minssf: 0
I changed it to 1, but as soon as I restart the ipa service with: systemctl restart ipa
or reboot it reverts back to 0! Why is this happening?
Did you change it while the server was running? If so during stop the server will probably overwrite the file. Try to change it after stopping the server: # systemctl stop dirsrv@YOUR-REALM # sed -r -i 's/^(nsslapd-minssf):.*$/\1: 1/' /etc/dirsrv/slapd-YOUR-REALM/dse.ldif # systemctl start dirsrv@YOUR-REALM In fact modifying the file is not good practice, you may prefer to do it using LDAP: # cat > fixssf.ldif <<. dn: cn=config replace: nsslapd-minssf nsslapd-minssf: 1 - . # ldapmodify -H ldap://your.ldap.server -D 'cn=Directory Manager' -x -w your_directory_manager_password -f fixssf.ldif I have just tested this in my local environment and with minssf=1 it works correctly, including the ability to search for users in the LDAP directory from the administration GUI and using those users to log in to both the administration GUI and to the user portal. -- Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.
Hi Juan, On Sat, Nov 23, 2013 at 3:03 PM, Juan Hernandez <jhernand@redhat.com> wrote:
Did you change it while the server was running? If so during stop the server will probably overwrite the file. Try to change it after stopping the server:
Yes, it was absolutely because the server was running and was writing out its configuration upon being stopped. In fact modifying the file is not good practice, you may prefer to do it
using LDAP:
I guess this method would not have suffered from the clobbered config file :D. Thanks for the additional tip, I'm quite new to LDAP.
I have just tested this in my local environment and with minssf=1 it works correctly, including the ability to search for users in the LDAP directory from the administration GUI and using those users to log in to both the administration GUI and to the user portal.
I can definitely now confirm that changing minssf to 1 worked around the issue. However, I'm faced with either an issue or a misunderstanding of how things work in oVirt. I was able to add a couple of users to IPA (user A and user B) and then import them with UserRole into oVirt. What is puzzling is that both are able to see(!!) and power on/off(!!!!!) all the machines which were created by and for user admin@internal. Some of these machines are based on the Blank template and some on a different template (if that matters). Thankfully, at least the new users are unable to attach to the console of those machines. When I created a new virtual machine and in the permissions added user A as UserRole, user A now has access to the console of that VM. However, what was again puzzling is that user B can see and power on/off the new virtual machine, but at least cannot attach to the console (consistent with my previous findings). I would have thought that users would "see" and be able to power on/off only their own VMs, and something tells me that this is the way it was intended. So what do you think is broken in my test rig? Thank you very much! iordan -- The conscious mind has only one thread of execution.
Hey, I actually realized that something I wrote is inaccurate. UserB, who was not granted permission to any VM was actually able to connect to a freshly booted UserA's VM. Subsequently, UserA was unable to connect to "his own VM" anymore, and the error message was: Operation Failed: [user cannot force reconnect to vm] When UserB then shut down UserA's VM, UserA was able to power it on and attach to it. Subsequently, UserB was not able to connect to the VM again with the same message UserA was getting (user cannot force connect to vm). What I expected is that UserB would not see, not be able to power control, and not be able to attach at all to UserA's VM, so this behavior is quite puzzling to me! Any clarification and help would be appreciated! Thanks, iordan On Sat, Nov 23, 2013 at 7:50 PM, i iordanov <iiordanov@gmail.com> wrote:
Hi Juan,
On Sat, Nov 23, 2013 at 3:03 PM, Juan Hernandez <jhernand@redhat.com>wrote:
Did you change it while the server was running? If so during stop the server will probably overwrite the file. Try to change it after stopping the server:
Yes, it was absolutely because the server was running and was writing out its configuration upon being stopped.
In fact modifying the file is not good practice, you may prefer to do it
using LDAP:
I guess this method would not have suffered from the clobbered config file :D. Thanks for the additional tip, I'm quite new to LDAP.
I have just tested this in my local environment and with minssf=1 it works correctly, including the ability to search for users in the LDAP directory from the administration GUI and using those users to log in to both the administration GUI and to the user portal.
I can definitely now confirm that changing minssf to 1 worked around the issue.
However, I'm faced with either an issue or a misunderstanding of how things work in oVirt. I was able to add a couple of users to IPA (user A and user B) and then import them with UserRole into oVirt. What is puzzling is that both are able to see(!!) and power on/off(!!!!!) all the machines which were created by and for user admin@internal. Some of these machines are based on the Blank template and some on a different template (if that matters). Thankfully, at least the new users are unable to attach to the console of those machines.
When I created a new virtual machine and in the permissions added user A as UserRole, user A now has access to the console of that VM. However, what was again puzzling is that user B can see and power on/off the new virtual machine, but at least cannot attach to the console (consistent with my previous findings).
I would have thought that users would "see" and be able to power on/off only their own VMs, and something tells me that this is the way it was intended. So what do you think is broken in my test rig?
Thank you very much! iordan
-- The conscious mind has only one thread of execution.
-- The conscious mind has only one thread of execution.
On 11/24/2013 01:57 AM, i iordanov wrote:
Hey,
I actually realized that something I wrote is inaccurate.
UserB, who was not granted permission to any VM was actually able to connect to a freshly booted UserA's VM. Subsequently, UserA was unable to connect to "his own VM" anymore, and the error message was:
Operation Failed: [user cannot force reconnect to vm]
When UserB then shut down UserA's VM, UserA was able to power it on and attach to it. Subsequently, UserB was not able to connect to the VM again with the same message UserA was getting (user cannot force connect to vm).
What I expected is that UserB would not see, not be able to power control, and not be able to attach at all to UserA's VM, so this behavior is quite puzzling to me!
Any clarification and help would be appreciated!
Thanks, iordan
Here you are experiencing two security features of the engine. The first one is the multiple level administration (a.k.a. MLA). The engine organizes objets in hierarchy: a set of data centers, then inside each data center a set of clusters, and inside each cluster a set of virtual machines. When you assign a permission to a user or group you in fact assign it to one of these objects, and objects deeper in the tree inherit them. So if you assign the "create vm" permission to user A and the default data center, then that user will have permission to create VMs on any cluster of that data center. I guess that the two users that you initially created had the permission on the default data center or the default cluster, so they have the permissions apply to all the VMs. Try to go to the data center or cluster tabs and see if the users have permissions there, then remove them as needed. The other thing you are experiencing is the prevention of hijacking of the console of a VM. For desktop virtual machines the engine automatically remember who was the last user that connected to the console of the VM, and will not allow connections by other users. This is to protect the console. Imagine that user A opens the console of virtual machine X, then logs in to the operating system and opens its very confidential document in its favorite application. Then user B, tries to access the same console and gains access to the confidential document. To prevent this this console hijacking is disabled by default, in order to hijack the console the virtual machine X has to be first rebooted, because these guarantees that the confidential document isn't available. However, if you need to allow this console hijacking you can use a flag in the "Console" section of the VM properties dialog, click in "Show advanced options" and then you will see a "Advanced parameters" section that contains a "Disable strict user checking" checkbox. Checking that checkbox disables this behavior. Also, you can give the permission to hijack consoles to users editing their roles and adding the action VM -> Administration Operations -> Override opened console session.
On Sat, Nov 23, 2013 at 7:50 PM, i iordanov <iiordanov@gmail.com> wrote:
Hi Juan,
On Sat, Nov 23, 2013 at 3:03 PM, Juan Hernandez <jhernand@redhat.com>wrote:
Did you change it while the server was running? If so during stop the server will probably overwrite the file. Try to change it after stopping the server:
Yes, it was absolutely because the server was running and was writing out its configuration upon being stopped.
In fact modifying the file is not good practice, you may prefer to do it
using LDAP:
I guess this method would not have suffered from the clobbered config file :D. Thanks for the additional tip, I'm quite new to LDAP.
I have just tested this in my local environment and with minssf=1 it works correctly, including the ability to search for users in the LDAP directory from the administration GUI and using those users to log in to both the administration GUI and to the user portal.
I can definitely now confirm that changing minssf to 1 worked around the issue.
However, I'm faced with either an issue or a misunderstanding of how things work in oVirt. I was able to add a couple of users to IPA (user A and user B) and then import them with UserRole into oVirt. What is puzzling is that both are able to see(!!) and power on/off(!!!!!) all the machines which were created by and for user admin@internal. Some of these machines are based on the Blank template and some on a different template (if that matters). Thankfully, at least the new users are unable to attach to the console of those machines.
When I created a new virtual machine and in the permissions added user A as UserRole, user A now has access to the console of that VM. However, what was again puzzling is that user B can see and power on/off the new virtual machine, but at least cannot attach to the console (consistent with my previous findings).
I would have thought that users would "see" and be able to power on/off only their own VMs, and something tells me that this is the way it was intended. So what do you think is broken in my test rig?
Thank you very much! iordan
-- The conscious mind has only one thread of execution.
-- Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.
Hi Juan, Thanks for your suggestions! On Sun, Nov 24, 2013 at 5:36 AM, Juan Hernandez <jhernand@redhat.com> wrote:
Here you are experiencing two security features of the engine. The first one is the multiple level administration (a.k.a. MLA). The engine organizes objets in hierarchy: a set of data centers, then inside each data center a set of clusters, and inside each cluster a set of virtual machines. When you assign a permission to a user or group you in fact assign it to one of these objects, and objects deeper in the tree inherit them. So if you assign the "create vm" permission to user A and the default data center, then that user will have permission to create VMs on any cluster of that data center. I guess that the two users that you initially created had the permission on the default data center or the default cluster, so they have the permissions apply to all the VMs. Try to go to the data center or cluster tabs and see if the users have permissions there, then remove them as needed.
When I looked at the Data Centers and Clusters tabs and examined the permissions given to the users, UserA and UserB have UserRole permissions granted on both the default data center and the default cluster. Moreover, I am unable to remove them, as the "Remove" selection is always grayed out. Furthermore, examining the permissions on UserA's VM, I can see that only UserA has been granted UseRole permission on it. No other user is mentioned. So do the UserRole permissions granted to UserA and UserB in the Data Center and Cluster explain the fact that they can see and attach to "other people's VM's"? If so, do I have to take the data center and cluster down to remove the UserRole permissions for the users? Also, how could I prevent this permission from getting added to the Data Center and Cluster automatically? I haven't added it myself and it says that it's an inherited permission (System).
The other thing you are experiencing is the prevention of hijacking of the console of a VM.
Yes, I understand. I remember seeing the option you mention when creating/editing VMs. I mentioned this more as a way to explain why UserB was initially not able to connect to UserA's VM where in fact, it was possible upon a clean boot. Any additional help is appreciated! iordan -- The conscious mind has only one thread of execution.
On Nov 24, 2013 5:08 PM, "i iordanov" <iiordanov@gmail.com> wrote:
Hi Juan,
Thanks for your suggestions!
On Sun, Nov 24, 2013 at 5:36 AM, Juan Hernandez <jhernand@redhat.com>
Here you are experiencing two security features of the engine. The first one is the multiple level administration (a.k.a. MLA). The engine organizes objets in hierarchy: a set of data centers, then inside each data center a set of clusters, and inside each cluster a set of virtual machines. When you assign a permission to a user or group you in fact assign it to one of these objects, and objects deeper in the tree inherit them. So if you assign the "create vm" permission to user A and the default data center, then that user will have permission to create VMs on any cluster of that data center. I guess that the two users that you initially created had the permission on the default data center or the default cluster, so they have the permissions apply to all the VMs. Try to go to the data center or cluster tabs and see if the users have permissions there, then remove them as needed.
When I looked at the Data Centers and Clusters tabs and examined the
wrote: permissions given to the users, UserA and UserB have UserRole permissions granted on both the default data center and the default cluster. Moreover, I am unable to remove them, as the "Remove" selection is always grayed out.
Furthermore, examining the permissions on UserA's VM, I can see that only
UserA has been granted UseRole permission on it. No other user is mentioned.
So do the UserRole permissions granted to UserA and UserB in the Data
Center and Cluster explain the fact that they can see and attach to "other people's VM's"?
If so, do I have to take the data center and cluster down to remove the
UserRole permissions for the users? Also, how could I prevent this permission from getting added to the Data Center and Cluster automatically? I haven't added it myself and it says that it's an inherited permission (System). You probably added the user role to the user from the users tab, rather than just adding at vm level . You don't need to add the user first.
The other thing you are experiencing is the prevention of hijacking of the console of a VM.
Yes, I understand. I remember seeing the option you mention when
creating/editing VMs. I mentioned this more as a way to explain why UserB was initially not able to connect to UserA's VM where in fact, it was possible upon a clean boot.
Any additional help is appreciated!
iordan
-- The conscious mind has only one thread of execution.
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Hi Itamar, On Sun, Nov 24, 2013 at 10:41 AM, Itamar Heim <itamarh@gmail.com> wrote:
You probably added the user role to the user from the users tab, rather than just adding at vm level . You don't need to add the user first.
This was the misunderstanding that I had. I thought I have to add the users in the Users tab first. When adding to individual VMs, the user gains access to just the VM in question. Thanks to both you and Juan! iordan -- The conscious mind has only one thread of execution.
participants (3)
-
i iordanov -
Itamar Heim -
Juan Hernandez