Re: [ovirt-users] FreeIPA with ovirt 4.1

From: "Ondra Machacek" <omachace@redhat.com>
To: "Slava Bendersky" <volga629@networklab.ca>
Cc: "users" <users@ovirt.org>, "Ravi" <rnori@redhat.com>
Sent: Saturday, February 4, 2017 10:35:31 AM

On Feb 4, 2017 1:21 AM, "Slava Bendersky" <volga629@networklab.ca> wrote:

> Hello Everyone,
> Having trouble implementing FreeIPA authentication with GSSAPI SSO and ovirt 4.1. I ran setup and it finished OK, then it wrote the files below. Next I logged in to web admin with the internal user and added a FreeIPA user with the SuperUser role. Also I added under System a FreeIPA group authorized to login. On any attempt to login with FreeIPA credentials I get this message:
>
> 2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-6) [] Internal Server Error: Unsupported command
> 2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-6) [] Unsupported command
> 2017-02-04 00:03:08,659Z ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-3) [] server_error: Unsupported command

Ravi, do you know what can cause this?

> Also, the extensions.d directory contains the following files. If I remove mydomain.lan-authn.properties then the FreeIPA domain does not show up in the drop-down list in the web UI. The http ones don't have any influence on this.

That is correct behavior; we don't show profiles which use http for authn.

> [root@vhe00 extensions.d]# pwd
> /etc/ovirt-engine/extensions.d
>
> [root@vhe00 extensions.d]# ls
> mydomain.lan-authn.properties  mydomain.lan-http-authn.properties  mydomain.lan.properties  internal-authz.properties
> mydomain.lan-authz.properties  mydomain.lan-http-mapping.properties  internal-authn.properties
> [root@vhe00 extensions.d]#
>
> If possible, clarify how it should be and what the possible issue is.

Can you please take a look at /var/log/httpd/ssl_error_log to see if there are any errors there?

> Slava.
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users

From: "Slava Bendersky" <volga629@networklab.ca>
To: "Ondra Machacek" <omachace@redhat.com>
Cc: "users" <users@ovirt.org>
Sent: Saturday, February 4, 2017 2:27:31 PM

Hello Ondra,
Log is empty

[root@vhe00 ~]# ls -la /var/log/httpd/ssl_error_log
-rw-r--r--. 1 root root 0 Feb  2 04:45 /var/log/httpd/ssl_error_log

Slava.
From: "Slava Bendersky" <volga629@networklab.ca>
Sent: Thu, Feb 9, 2017 at 3:08 PM

Hello Everyone,
Anything else possible to check?

Slava.

From: "Ondra Machacek" <omachace@redhat.com>
To: "Slava Bendersky" <volga629@networklab.ca>
Cc: "users" <users@ovirt.org>
Sent: Thursday, February 9, 2017 2:31:16 PM

Can you please enable the DEBUG log of the SSO package, try to log in, and then share the logs?

You can enable the debug log as follows (use the admin@internal password):

    /usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh \
      --controller=127.0.0.1:8706 --connect --user=admin@internal \
      "/subsystem=logging/logger=org.ovirt.engine.core.sso:add" &&
    /usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh \
      --controller=127.0.0.1:8706 --connect --user=admin@internal \
      "/subsystem=logging/logger=org.ovirt.engine.core.sso:write-attribute(name=level,value=DEBUG)"

After the tests you can disable it as follows:

    /usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh \
      --controller=127.0.0.1:8706 --connect --user=admin@internal \
      "/subsystem=logging/logger=org.ovirt.engine.core.sso:remove"

From: "Slava Bendersky" <volga629@networklab.ca>

Hello Ondra,
I tried to increase logging and the command failed

    "outcome" => "failed",
    "failure-description" => "WFLYCTL0216: Management resource '[
    (\"subsystem\" => \"logging\"),
    (\"logger\" => \"org.ovirt.engine.core.sso\")
]' not found",
    "rolled-back" => true
}

Slava,

Looking at the error message again, it says 'Unsupported command'. Can you please share your properties files? I think that you have misconfigured it; I guess you use, for example, AuthzExtension instead of AuthnExtension or vice versa, or maybe a misconfigured mapping.

On Fri, Feb 10, 2017 at 6:28 PM, Slava Bendersky <volga629@networklab.ca> wrote:
Hello Ondra, I tried to increase logging and the command failed

"outcome" => "failed",
"failure-description" => "WFLYCTL0216: Management resource '[
    (\"subsystem\" => \"logging\"),
    (\"logger\" => \"org.ovirt.engine.core.sso\")
]' not found",
"rolled-back" => true
}
Slava,
________________________________
From: "Ondra Machacek" <omachace@redhat.com>
To: "Slava Bendersky" <volga629@networklab.ca>
Cc: "users" <users@ovirt.org>
Sent: Thursday, February 9, 2017 2:31:16 PM
Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1
Can you please enable DEBUG log of the SSO package and try login and then share the logs, please?
You can enable the debug log as follows (use admin@internal password):
/usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh --controller=127.0.0.1:8706 --connect --user=admin@internal "/subsystem=logging/logger=org.ovirt.engine.core.sso:add" && /usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh --controller=127.0.0.1:8706 --connect --user=admin@internal "/subsystem=logging/logger=org.ovirt.engine.core.sso:write-attribute(name=level,value=DEBUG)"
After tests you can disable it later as follows:
$ /usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh --controller=127.0.0.1:8706 --connect --user=admin@internal "/subsystem=logging/logger=org.ovirt.engine.core.sso:remove"
On Thu, Feb 9, 2017 at 3:08 PM, Slava Bendersky <volga629@networklab.ca> wrote:
Hello Everyone, Anything else possible to check?
Slava.
________________________________
From: "Slava Bendersky" <volga629@networklab.ca>
To: "Ondra Machacek" <omachace@redhat.com>
Cc: "users" <users@ovirt.org>
Sent: Saturday, February 4, 2017 2:27:31 PM
Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1
Hello Ondra, Log is empty
[root@vhe00 ~]# ls -la /var/log/httpd/ssl_error_log
-rw-r--r--. 1 root root 0 Feb 2 04:45 /var/log/httpd/ssl_error_log
Slava.
________________________________
From: "Ondra Machacek" <omachace@redhat.com>
To: "Slava Bendersky" <volga629@networklab.ca>
Cc: "users" <users@ovirt.org>, "Ravi" <rnori@redhat.com>
Sent: Saturday, February 4, 2017 10:35:31 AM
Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1
On Feb 4, 2017 1:21 AM, "Slava Bendersky" <volga629@networklab.ca> wrote:
Hello Everyone, Having trouble implementing FreeIPA authentication with GSSAPI SSO and ovirt 4.1. I ran setup and it finished OK, then it wrote the files below. Next I logged in to web admin with the internal user and added a FreeIPA user with the SuperUser role. Also I added under System a FreeIPA group authorized to login. On any attempt to login with FreeIPA credentials I am getting this message:

2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-6) [] Internal Server Error: Unsupported command
2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-6) [] Unsupported command
2017-02-04 00:03:08,659Z ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-3) [] server_error: Unsupported command
Ravi, do you know what this can cause?
Also, the extensions.d directory contains the following files. If I remove mydomain.lan-authn.properties, then the FreeIPA domain does not show up in the drop-down list in the web UI. Any http don't have influence on this.
That is correct behavior, we don't show profiles which use http for authn.
[root@vhe00 extensions.d]# pwd
/etc/ovirt-engine/extensions.d
[root@vhe00 extensions.d]# ls
mydomain.lan-authn.properties mydomain.lan-http-authn.properties
mydomain.lan.properties internal-authz.properties
mydomain.lan-authz.properties mydomain.lan-http-mapping.properties
internal-authn.properties
[root@vhe00 extensions.d]#
If possible, clarify how it should be and what the possible issue is.
Can you please take a look at /var/log/httpd/ssl_error_log to see if there are any errors there?
Slava.
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
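The misconfiguration suspected in the latest reply (an AuthzExtension class where an AuthnExtension is expected, or a wrong mapping reference) can be checked mechanically across the files in extensions.d. The Python script below is an added example, not code from the thread or from oVirt; the property keys are assumed to follow the aaa-ldap and aaa-misc extension conventions, and the file contents and extension names are constructed, since the thread never shows them.

```python
import re
P = "ovirt.engine.extension."
CLASS_KEY = P + "binding.jbossmodule.class"
# Keys in an Authn file that name another extension, and the API it must provide.
REFS = {"ovirt.engine.aaa.authn.authz.plugin": "Authz",
        "ovirt.engine.aaa.authn.mapping.plugin": "Mapping"}

def parse(text):
    """Minimal key = value parser; skips blank and #/! comment lines."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and l.strip()[0] not in "#!")
    return {k.strip(): v.strip() for k, v in pairs}

def lint(files):
    """files: {filename: contents}. Returns a sorted list of findings."""
    exts, findings = {}, []
    for fname, text in files.items():
        p = parse(text)
        provides = p.get(P + "provides", "").rsplit(".", 1)[-1] or "?"
        m = re.search(r"(Authn|Authz|Mapping)Extension$", p.get(CLASS_KEY, ""))
        impl = m.group(1) if m else "?"
        if impl != provides or impl == "?":
            findings.append(f"{fname}: class implements {impl}, provides {provides}")
        exts[p.get(P + "name", fname)] = (fname, provides, p)
    for fname, provides, p in exts.values():
        for key, role in REFS.items() if provides == "Authn" else ():
            target = p.get(key)
            if target is None and role == "Authz":
                findings.append(f"{fname}: {key} is not set")
            elif target is not None and exts.get(target, (0, None))[1] != role:
                findings.append(f"{fname}: {key} = {target} does not provide {role}")
    return sorted(findings)

def ext(name, cls, api, **plugins):
    """Build constructed sample file contents (not taken from the thread)."""
    lines = [f"{P}name = {name}", f"{P}provides = org.ovirt.engine.api.extensions.aaa.{api}",
             f"{CLASS_KEY} = org.ovirt.engineextensions.aaa.{cls}"]
    return "\n".join(lines + [f"ovirt.engine.aaa.authn.{k}.plugin = {v}" for k, v in plugins.items()])

D = "mydomain.lan"  # file names follow the ls output in the thread; contents are constructed
SAMPLE = {
    f"{D}-authn.properties": ext(f"{D}-authn", "ldap.AuthzExtension", "Authn", authz=f"{D}-authz"),
    f"{D}-authz.properties": ext(f"{D}-authz", "ldap.AuthzExtension", "Authz"),
    f"{D}-http-authn.properties": ext(f"{D}-http-authn", "misc.http.AuthnExtension", "Authn",
                                      authz=f"{D}-authz", mapping=f"{D}-authz"),
    f"{D}-http-mapping.properties": ext(f"{D}-http-mapping", "misc.mapping.MappingExtension", "Mapping"),
}
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```

To check a real engine, build the dictionary from the *.properties files in /etc/ovirt-engine/extensions.d instead of SAMPLE.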
participants (2)
- Ondra Machacek
- Slava Bendersky