6:22 p.m.
This is a multipart message in MIME format.
------=_NextPart_000_0050_01D18069.35C995E0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Hi,
I am having an issue with getting SSO to work when a standard user(UserRole)
logs in to the UserPortal.
The user has permission to use only this VM, so after login the console is
automatically opened for that VM.
Problem is that it doesn't login on the VM system with the provided
credentials. Manual login at the console works without any issues.
HBAC-rule check on IPA shows access is granted. Client has SELINUX in
permissive mode and a disabled firewalld.
On the client side I do see some PAM related errors in the logs (see details
below). Extensive Google search on error 17 "Failure setting user
credentials" didn't show helpful information :-(
AFAIK this is did a pretty standard set-up, all working with RH-family
products. I would expect others to encounter this issue as well.
If someone knows any solution or has some directions to fix this it would be
greatly appreciated.
Thanks,
Paul
------------------------------------------------------
System setup: I have 3 systems
The connection between the Engine and IPA is working fine. (I can log in
with IPA users etc.) Connection is made according to this document:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualizat
ion/3.6/html-single/Administration_Guide/index.html#sect-Configuring_an_Exte
rnal_LDAP_Provider
Configuration of the client is done according to this document:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualizat
ion/3.6/html/Virtual_Machine_Management_Guide/chap-Additional_Configuration.
html#sect-Configuring_Single_Sign-On_for_Virtual_Machines
--- Hosted Engine:
[root@engine ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@engine ~]# uname -a
Linux engine.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@engine ~]# rpm -qa | grep ovirt
ovirt-vmconsole-1.0.0-1.el7.centos.noarch
ovirt-engine-restapi-3.6.2.6-1.el7.centos.noarch
ovirt-setup-lib-1.0.1-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-common-3.6.3.4-1.el7.centos.noarch
ovirt-engine-setup-3.6.3.4-1.el7.centos.noarch
ovirt-image-uploader-3.6.0-1.el7.centos.noarch
ovirt-engine-extension-aaa-jdbc-1.0.5-1.el7.noarch
ovirt-host-deploy-1.4.1-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-setup-1.1.2-1.el7.centos.noarch
ovirt-engine-wildfly-overlay-8.0.4-1.el7.noarch
ovirt-engine-wildfly-8.2.1-1.el7.x86_64
ovirt-vmconsole-proxy-1.0.0-1.el7.centos.noarch
ovirt-engine-tools-3.6.2.6-1.el7.centos.noarch
ovirt-engine-dbscripts-3.6.2.6-1.el7.centos.noarch
ovirt-engine-backend-3.6.2.6-1.el7.centos.noarch
ovirt-engine-3.6.2.6-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.1.2-1.el7.centos.noarch
ovirt-engine-setup-base-3.6.3.4-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-3.6.3.4-1.el7.centos.noarch
ovirt-engine-setup-plugin-websocket-proxy-3.6.3.4-1.el7.centos.noarch
ovirt-engine-vmconsole-proxy-helper-3.6.3.4-1.el7.centos.noarch
ovirt-engine-cli-3.6.2.0-1.el7.centos.noarch
ovirt-host-deploy-java-1.4.1-1.el7.centos.noarch
ovirt-engine-userportal-3.6.2.6-1.el7.centos.noarch
ovirt-engine-webadmin-portal-3.6.2.6-1.el7.centos.noarch
ovirt-guest-agent-common-1.0.11-1.el7.noarch
ovirt-release36-003-1.noarch
ovirt-iso-uploader-3.6.0-1.el7.centos.noarch
ovirt-engine-lib-3.6.3.4-1.el7.centos.noarch
ovirt-engine-sdk-python-3.6.3.0-1.el7.centos.noarch
ovirt-engine-setup-plugin-vmconsole-proxy-helper-3.6.3.4-1.el7.centos.noarch
ovirt-engine-websocket-proxy-3.6.3.4-1.el7.centos.noarch
ovirt-log-collector-3.6.1-1.el7.centos.noarch
ovirt-engine-extensions-api-impl-3.6.3.4-1.el7.centos.noarch
--- FreeIPA:
[root@ipa01 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@ipa01 ~]# uname -a
Linux ipa01.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50
UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@ipa01 ~]# rpm -qa | grep ipa
ipa-python-4.2.0-15.el7_2.6.x86_64
ipa-client-4.2.0-15.el7_2.6.x86_64
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
python-iniparse-0.4-9.el7.noarch
libipa_hbac-1.13.0-40.el7_2.1.x86_64
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-admintools-4.2.0-15.el7_2.6.x86_64
ipa-server-4.2.0-15.el7_2.6.x86_64
ipa-server-dns-4.2.0-15.el7_2.6.x86_64
--- Client:
[root@test06 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@test06 ~]# uname -a
Linux test06.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@test06 ~]# rpm -qa | grep ipa
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
python-iniparse-0.4-9.el7.noarch
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64
libipa_hbac-1.13.0-40.el7_2.1.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64
device-mapper-multipath-0.4.9-85.el7.x86_64
device-mapper-multipath-libs-0.4.9-85.el7.x86_64
[root@test06 ~]# rpm -qa | grep guest-agent
qemu-guest-agent-2.3.0-4.el7.x86_64
ovirt-guest-agent-pam-module-1.0.11-1.el7.x86_64
ovirt-guest-agent-gdm-plugin-1.0.11-1.el7.noarch
ovirt-guest-agent-common-1.0.11-1.el7.noarch
---------------------------------------------------
Relevant logs:
--- Engine:
//var/log/ovirt-engine/engine
2016-03-17 15:22:10,516 INFO
[org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-22) []
Running command: LoginUserCommand internal: false.
2016-03-17 15:22:10,568 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-22) [] Correlation ID: null, Call Stack: null, Custom Event
ID: -1, Message: User test6@DOMAIN logged in.
2016-03-17 15:22:13,795 WARN
[org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (default task-6)
[7400ae46] The message key 'VmLogon' is missing from
'bundles/ExecutionMessages'
2016-03-17 15:22:13,839 INFO [org.ovirt.engine.core.bll.VmLogonCommand]
(default task-6) [7400ae46] Running command: VmLogonCommand internal: false.
Entities affected : ID: 64a84b40-6050-4a96-a59d-d557a317c38c Type: VMAction
group CONNECT_TO_VM with role type USER
2016-03-17 15:22:13,842 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default
task-6) [7400ae46] START, VmLogonVDSCommand(HostName = host01,
VmLogonVDSCommandParameters:{runAsync='true',
hostId='225157c0-224b-4aa6-9210-db4de7c7fc30',
vmId='64a84b40-6050-4a96-a59d-d557a317c38c', domain='DOMAIN-authz',
password='***', userName='test6@DOMAIN'}), log id: 2015a1e0
2016-03-17 15:22:14,848 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default
task-6) [7400ae46] FINISH, VmLogonVDSCommand, log id: 2015a1e0
2016-03-17 15:22:15,317 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand]
(default task-18) [10dad788] Running command: SetVmTicketCommand internal:
true. Entities affected : ID: 64a84b40-6050-4a96-a59d-d557a317c38c Type:
VMAction group CONNECT_TO_VM with role type USER
2016-03-17 15:22:15,322 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (default
task-18) [10dad788] START, SetVmTicketVDSCommand(HostName = host01,
SetVmTicketVDSCommandParameters:{runAsync='true',
hostId='225157c0-224b-4aa6-9210-db4de7c7fc30',
vmId='64a84b40-6050-4a96-a59d-d557a317c38c', protocol='SPICE',
ticket='rd8avqvdBnRl', validTime='120', userName='test6',
userId='10b2da3e-6401-4a09-a330-c0780bc0faef',
disconnectAction='LOCK_SCREEN'}), log id: 72efb73b
2016-03-17 15:22:16,340 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (default
task-18) [10dad788] FINISH, SetVmTicketVDSCommand, log id: 72efb73b
2016-03-17 15:22:16,377 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-18) [10dad788] Correlation ID: 10dad788, Call Stack: null,
Custom Event ID: -1, Message: User test6@DOMAIN initiated console session
for VM test06
2016-03-17 15:22:19,418 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(DefaultQuartzScheduler_Worker-53) [] Correlation ID: null, Call Stack:
null, Custom Event ID: -1, Message: User test6@DOMAIN-authz is connected to
VM test06.
--- Client:
/var/log/ovirt-guest-agent/ovirt-guest-agent.log
MainThread::INFO::2016-03-17
15:20:58,145::ovirt-guest-agent::57::root::Starting oVirt guest agent
CredServer::INFO::2016-03-17 15:20:58,214::CredServer::257::root::CredServer
is running...
Dummy-1::INFO::2016-03-17 15:20:58,216::OVirtAgentLogic::294::root::Received
an external command: lock-screen...
Dummy-1::INFO::2016-03-17 15:22:13,104::OVirtAgentLogic::294::root::Received
an external command: login...
Dummy-1::INFO::2016-03-17 15:22:13,104::CredServer::207::root::The following
users are allowed to connect: [0]
Dummy-1::INFO::2016-03-17 15:22:13,104::CredServer::273::root::Opening
credentials channel...
Dummy-1::INFO::2016-03-17 15:22:13,105::CredServer::132::root::Emitting user
authenticated signal (651416).
CredChannel::INFO::2016-03-17 15:22:13,188::CredServer::225::root::Incomming
connection from user: 0 process: 2570
CredChannel::INFO::2016-03-17 15:22:13,188::CredServer::232::root::Sending
user's credential (token: 651416)
Dummy-1::INFO::2016-03-17 15:22:13,189::CredServer::277::root::Credentials
channel was closed.
/var/log/secure
Mar 17 15:21:07 test06 gdm-launch-environment]:
pam_unix(gdm-launch-environment:session): session opened for user gdm by
(uid=0)
Mar 17 15:21:10 test06 polkitd[749]: Registered Authentication Agent for
unix-session:c1 (system bus name :1.34 [gnome-shell --mode=gdm], object path
/org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 17 15:22:13 test06 gdm-ovirtcred]: pam_sss(gdm-ovirtcred:auth):
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=test6
Mar 17 15:22:13 test06 gdm-ovirtcred]: pam_sss(gdm-ovirtcred:auth): received
for user test6: 17 (Failure setting user credentials)
/var/log/sssd/krb5_child.log (debug-level 10)
(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [get_and_save_tgt]
(0x0020): 1234: [-1765328360][Preauthentication failed]
(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [map_krb5_error]
(0x0020): 1303: [-1765328360][Preauthentication failed]
(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [k5c_send_data]
(0x0200): Received error code 1432158215
(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [pack_response_packet]
(0x2000): response packet size: [4]
(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [k5c_send_data]
(0x4000): Response sent.
(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [main] (0x0400):
krb5_child completed successfully
/var/log/sssd/sssd_DOMAIN.COM.log (debug-level 10)
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [be_pam_handler] (0x0100):
Got request with the following data
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
command: PAM_AUTHENTICATE
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
domain: DOMAIN.COM
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
user: test6
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
service: gdm-ovirtcred
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
tty:
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
ruser:
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
rhost:
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
authtok type: 1
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
newauthtok type: 0
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
priv: 1
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
cli_pid: 2570
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100):
logon name: not set
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [krb5_auth_queue_send]
(0x1000): Wait queue of user [test6] is empty, running request
[0x7fe30df03cc0] immediately.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [krb5_setup] (0x4000): No
mapping for: test6
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Added
timed event "ltdb_callback": 0x7fe30df07120
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Added
timed event "ltdb_timeout": 0x7fe30df16590
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Running
timer event 0x7fe30df07120 "ltdb_callback"
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Destroying
timer event 0x7fe30df16590 "ltdb_timeout"
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Ending
timer event 0x7fe30df07120 "ltdb_callback"
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'IPA'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_server_status]
(0x1000): Status of server 'ipa01.DOMAIN.COM' is 'working'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_port_status]
(0x1000): Port status of port 389 for server 'ipa01.DOMAIN.COM' is
'working'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6
seconds
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is resolved
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_server_status]
(0x1000): Status of server 'ipa01.DOMAIN.COM' is 'working'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[be_resolve_server_process] (0x0200): Found address for server
ipa01.DOMAIN.COM: [10.0.1.21] TTL 1200
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ipa_resolve_callback]
(0x0400): Constructed uri 'ldap://ipa01.DOMAIN.COM'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sss_krb5_realm_has_proxy]
(0x0040): profile_get_values failed.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_handler_setup]
(0x2000): Setting up signal handler up for pid [2575]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_handler_setup]
(0x2000): Signal handler set up for pid [2575]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_sig_handler]
(0x1000): Waiting for child [2575].
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_sig_handler]
(0x0100): child [2575] finished successfully.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [check_wait_queue]
(0x1000): Wait queue for user [test6] is empty.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [krb5_auth_queue_done]
(0x1000): krb5_auth_queue request [0x7fe30df03cc0] done.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_id_op_connect_step]
(0x4000): reusing cached connection
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_print_server]
(0x2000): Searching 10.0.1.21
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=DOMAIN,dc=com].
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaMigrationEnabled]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSELinuxUserMapDefault]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSELinuxUserMapOrder]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 122
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_op_add] (0x2000):
New operation 122 timeout 60
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x7fe30deef090], connected[1], ops[0x7fe30df094a0],
ldap[0x7fe30def2920]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_entry]
(0x1000): OriginalDN: [cn=ipaConfig,cn=etc,dc=DOMAIN,dc=com].
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaMigrationEnabled]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSELinuxUserMapDefault]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSELinuxUserMapOrder]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x7fe30deef090], connected[1], ops[0x7fe30df094a0],
ldap[0x7fe30def2920]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_op_destructor]
(0x2000): Operation 122 finished
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_id_op_destroy]
(0x4000): releasing operation connection
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[ipa_get_migration_flag_done] (0x0100): Password migration is not enabled.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [be_pam_handler_callback]
(0x0100): Backend returned: (0, 17, <NULL>) [Success (Failure setting user
credentials)]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [be_pam_handler_callback]
(0x0100): Sending result [17][DOMAIN.COM]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [be_pam_handler_callback]
(0x0100): Sent result [17][DOMAIN.COM]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x7fe30deef090], connected[1], ops[(nil)],
ldap[0x7fe30def2920]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
------=_NextPart_000_0050_01D18069.35C995E0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii"><meta name=3DGenerator content=3D"Microsoft Word 15 =
(filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US =
link=3D"#0563C1" vlink=3D"#954F72"><div class=3DWordSection1
<p =
class=3DMsoNormal>Hi,<o:p></o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p><p
class=3DMsoNormal>I am having =
an issue with getting SSO to work when a standard user(UserRole) logs in =
to the UserPortal.<o:p></o:p></p><p class=3DMsoNormal>The user has
=
permission to use only this VM, so after login the console is =
automatically opened for that VM.<o:p></o:p></p<p =
class=3DMsoNormal>Problem is that it doesn't
login on the VM system with =
the provided credentials. Manual login at the console works without any =
issues. <o:p></o:p></p><p class=3DMsoNormal>HBAC-rule check on IPA
shows =
access is granted. Client has SELINUX in permissive mode and a disabled =
firewalld. <o:p></o:p></p><p
class=3DMsoNormal><o:p> </o:p></p<p =
class=3DMsoNormal>On the client side I do see some PAM related errors in =
the logs (see details below). Extensive Google search on error 17 =
"Failure setting user credentials" didn't show helpful =
information :-(<o:p></o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p><p
class=3DMsoNormal>AFAIK this =
is did a pretty standard set-up, all working with RH-family products. I =
would expect others to encounter this issue as well. <o:p></o:p></p<p =
class=3DMsoNormal>If someone knows any solution or
has some directions =
to fix this it would be greatly appreciated.<o:p></o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p<p =
class=3DMsoNormal>Thanks,<o:p></o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p<p =
class=3DMsoNormal>Paul<o:p></o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p<p =
class=3DMsoNormal>------------------------------------------------------<=
o:p></o:p></p><p class=3DMsoNormal>System setup: I have 3 systems =
<o:p></o:p></p><p
class=3DMsoNormal><o:p> </o:p></p<p =
class=3DMsoNormal>The connection between the Engine and IPA is working =
fine. (I can log in with IPA users etc.) Connection is made according to =
this document: =
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtuali=
zation/3.6/html-single/Administration_Guide/index.html#sect-Configuring_a=
n_External_LDAP_Provider<o:p></o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p<p =
class=3DMsoNormal>Configuration of the client is done
according to this =
document: =
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtuali=
zation/3.6/html/Virtual_Machine_Management_Guide/chap-Additional_Configur=
ation.html#sect-Configuring_Single_Sign-On_for_Virtual_Machines<o:p></o:p=
</p><p
class=3DMsoNormal><o:p> </o:p></p><p
class=3DMsoNormal>--- =
Hosted Engine:<o:p></o:p></p><p
class=3DMsoNormal>[root@engine ~]# cat =
/etc/redhat-release<o:p></o:p></p><p class=3DMsoNormal>CentOS
Linux =
release 7.2.1511 (Core)<o:p></o:p></p><p
class=3DMsoNormal>[root@engine =
~]# uname -a<o:p></o:p></p><p class=3DMsoNormal>Linux
engine.DOMAIN.COM =
3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64 =
x86_64 x86_64 GNU/Linux<o:p></o:p></p><p
class=3DMsoNormal>[root@engine =
~]# rpm -qa | grep ovirt<o:p></o:p></p<p =
class=3DMsoNormal>ovirt-vmconsole-1.0.0-1.el7.centos.noarch<o:p></o:p></p=
<p =
class=3DMsoNormal>ovirt-engine-restapi-3.6.2.6-1.el7.centos.noarch<o:p></=
o:p></p<p =
class=3DMsoNormal>ovirt-setup-lib-1.0.1-1.el7.centos.noarch<o:p></o:p></p=
<p =
class=3DMsoNormal>ovirt-engine-setup-plugin-ovirt-engine-common-3.6.3.4-1=
.el7.centos.noarch<o:p></o:p></p<p =
class=3DMsoNormal>ovirt-engine-setup-3.6.3.4-1.el7.centos.noarch<o:p></o:=
p></p<p =
class=3DMsoNormal>ovirt-image-uploader-3.6.0-1.el7.centos.noarch<o:p></o:=
p></p<p =
class=3DMsoNormal>ovirt-engine-extension-aaa-jdbc-1.0.5-1.el7.noarch<o:p>=
</o:p></p<p =
class=3DMsoNormal>ovirt-host-deploy-1.4.1-1.el7.centos.noarch<o:p></o:p><=
/p<p =
class=3DMsoNormal>ovirt-engine-extension-aaa-ldap-setup-1.1.2-1.el7.cento=
s.noarch<o:p></o:p></p<p =
class=3DMsoNormal>ovirt-engine-wildfly-overlay-8.0.4-1.el7.noarch<o:p></o=
:p></p<p =
class=3DMsoNormal>ovirt-engine-wildfly-8.2.1-1.el7.x86_64<o:p></o:p></p><=
p =
class=3DMsoNormal>ovirt-vmconsole-proxy-1.0.0-1.el7.centos.noarch<o:p></o=
:p></p<p =
class=3DMsoNormal>ovirt-engine-tools-3.6.2.6-1.el7.centos.noarch<o:p></o:=
p></p<p =
class=3DMsoNormal>ovirt-engine-dbscripts-3.6.2.6-1.el7.centos.noarch<o:p>=
</o:p></p<p =
class=3DMsoNormal>ovirt-engine-backend-3.6.2.6-1.el7.centos.noarch<o:p></=
o:p></p<p =
class=3DMsoNormal>ovirt-engine-3.6.2.6-1.el7.centos.noarch<o:p></o:p></p>=
<p =
class=3DMsoNormal>ovirt-engine-extension-aaa-ldap-1.1.2-1.el7.centos.noar=
ch<o:p></o:p></p<p =
class=3DMsoNormal>ovirt-engine-setup-base-3.6.3.4-1.el7.centos.noarch<o:p=
></o:p></p<p =
class=3DMsoNormal>ovirt-engine-setup-plugin-ovirt-engine-3.6.3.4-1.el7.ce=
ntos.noarch<o:p></o:p></p<p =
class=3DMsoNormal>ovirt-engine-setup-plugin-websocket-proxy-3.6.3.4-1.el7=
.centos.noarch<o:p></o:p></p<p =
class=3DMsoNormal>ovirt-engine-vmconsole-proxy-helper-3.6.3.4-1.el7.cento=
s.noarch<o:p></o:p></p<p =
class=3DMsoNormal>ovirt-engine-cli-3.6.2.0-1.el7.centos.noarch<o:p></o:p>=
</p<p =
class=3DMsoNormal>ovirt-host-deploy-java-1.4.1-1.el7.centos.noarch<o:p></=
o:p></p<p =
class=3DMsoNormal>ovirt-engine-userportal-3.6.2.6-1.el7.centos.noarch<o:p=
></o:p></p<p =
class=3DMsoNormal>ovirt-engine-webadmin-portal-3.6.2.6-1.el7.centos.noarc=
h<o:p></o:p></p<p =
class=3DMsoNormal>ovirt-guest-agent-common-1.0.11-1.el7.noarch<o:p></o:p>=
</p><p
class=3DMsoNormal>ovirt-release36-003-1.noarch<o:p></o:p></p<p =
class=3DMsoNormal>ovirt-iso-uploader-3.6.0-1.el7.centos.noarch<o:p></o:p>=
</p<p =
class=3DMsoNormal>ovirt-engine-lib-3.6.3.4-1.el7.centos.noarch<o:p></o:p>=
</p<p =
class=3DMsoNormal>ovirt-engine-sdk-python-3.6.3.0-1.el7.centos.noarch<o:p=
></o:p></p<p =
class=3DMsoNormal>ovirt-engine-setup-plugin-vmconsole-proxy-helper-3.6.3.=
4-1.el7.centos.noarch<o:p></o:p></p<p =
class=3DMsoNormal>ovirt-engine-websocket-proxy-3.6.3.4-1.el7.centos.noarc=
h<o:p></o:p></p<p =
class=3DMsoNormal>ovirt-log-collector-3.6.1-1.el7.centos.noarch<o:p></o:p=
></p<p =
class=3DMsoNormal>ovirt-engine-extensions-api-impl-3.6.3.4-1.el7.centos.n=
oarch<o:p></o:p></p><p
class=3DMsoNormal><o:p> </o:p></p<p =
class=3DMsoNormal>--- FreeIPA:<o:p></o:p></p<p =
class=3DMsoNormal>[root@ipa01 ~]# cat =
/etc/redhat-release<o:p></o:p></p><p class=3DMsoNormal>CentOS
Linux =
release 7.2.1511 (Core) <o:p></o:p></p><p
class=3DMsoNormal>[root@ipa01 =
~]# uname -a<o:p></o:p></p><p class=3DMsoNormal>Linux =
ipa01.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 =
UTC 2016 x86_64 x86_64 x86_64 GNU/Linux<o:p></o:p></p<p =
class=3DMsoNormal>[root@ipa01 ~]# rpm -qa | grep
ipa<o:p></o:p></p<p =
class=3DMsoNormal>ipa-python-4.2.0-15.el7_2.6.x86_64<o:p></o:p></p<p =
class=3DMsoNormal>ipa-client-4.2.0-15.el7_2.6.x86_64<o:p></o:p></p<p =
class=3DMsoNormal>python-libipa_hbac-1.13.0-40.el7_2.1.x86_64<o:p></o:p><=
/p<p =
class=3DMsoNormal>python-iniparse-0.4-9.el7.noarch<o:p></o:p></p<p =
class=3DMsoNormal>libipa_hbac-1.13.0-40.el7_2.1.x86_64<o:p></o:p></p<p =
class=3DMsoNormal>sssd-ipa-1.13.0-40.el7_2.1.x86_64<o:p></o:p></p<p =
class=3DMsoNormal>ipa-admintools-4.2.0-15.el7_2.6.x86_64<o:p></o:p></p><p=
class=3DMsoNormal>ipa-server-4.2.0-15.el7_2.6.x86_64<o:p></o:p></p<p =
class=3DMsoNormal>ipa-server-dns-4.2.0-15.el7_2.6.x86_64<o:p></o:p></p><p=
class=3DMsoNormal><o:p> </o:p></p><p
class=3DMsoNormal>--- =
Client:<o:p></o:p></p><p class=3DMsoNormal>[root@test06 ~]# cat =
/etc/redhat-release<o:p></o:p></p><p class=3DMsoNormal>CentOS
Linux =
release 7.2.1511 (Core) <o:p></o:p></p><p
class=3DMsoNormal>[root@test06 =
~]# uname -a<o:p></o:p></p><p class=3DMsoNormal>Linux
test06.DOMAIN.COM =
3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64 =
x86_64 x86_64 GNU/Linux<o:p></o:p></p><p
class=3DMsoNormal>[root@test06 =
~]# rpm -qa | grep ipa<o:p></o:p></p<p =
class=3DMsoNormal>python-libipa_hbac-1.13.0-40.el7_2.1.x86_64<o:p></o:p><=
/p<p =
class=3DMsoNormal>python-iniparse-0.4-9.el7.noarch<o:p></o:p></p<p =
class=3DMsoNormal>sssd-ipa-1.13.0-40.el7_2.1.x86_64<o:p></o:p></p<p =
class=3DMsoNormal>ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64<o:p></o:p><=
/p<p =
class=3DMsoNormal>libipa_hbac-1.13.0-40.el7_2.1.x86_64<o:p></o:p></p<p =
class=3DMsoNormal>ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64<o:p></o:p><=
/p<p =
class=3DMsoNormal>device-mapper-multipath-0.4.9-85.el7.x86_64<o:p></o:p><=
/p<p =
class=3DMsoNormal>device-mapper-multipath-libs-0.4.9-85.el7.x86_64<o:p></=
o:p></p><p class=3DMsoNormal>[root@test06 ~]# rpm -qa | grep =
guest-agent<o:p></o:p></p<p =
class=3DMsoNormal>qemu-guest-agent-2.3.0-4.el7.x86_64<o:p></o:p></p<p =
class=3DMsoNormal>ovirt-guest-agent-pam-module-1.0.11-1.el7.x86_64<o:p></=
o:p></p<p =
class=3DMsoNormal>ovirt-guest-agent-gdm-plugin-1.0.11-1.el7.noarch<o:p></=
o:p></p<p =
class=3DMsoNormal>ovirt-guest-agent-common-1.0.11-1.el7.noarch<o:p></o:p>=
</p><p class=3DMsoNormal><o:p> </o:p></p<p =
class=3DMsoNormal>---------------------------------------------------<o:p=
></o:p></p><p class=3DMsoNormal>Relevant
logs:<o:p></o:p></p<p =
class=3DMsoNormal>---
Engine:<o:p></o:p></p<p =
class=3DMsoNormal>//var/log/ovirt-engine/engine<o:p></o:p></p<p =
class=3DMsoNormal>2016-03-17 15:22:10,516
INFO =
[org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-22) [] =
Running command: LoginUserCommand internal: false.<o:p></o:p></p<p =
class=3DMsoNormal>2016-03-17 15:22:10,568
INFO =
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] =
(default task-22) [] Correlation ID: null, Call Stack: null, Custom =
Event ID: -1, Message: User test6@DOMAIN logged in.<o:p></o:p></p<p =
class=3DMsoNormal>2016-03-17 15:22:13,795
WARN =
[org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (default =
task-6) [7400ae46] The message key 'VmLogon' is missing from =
'bundles/ExecutionMessages'<o:p></o:p></p<p =
class=3DMsoNormal>2016-03-17 15:22:13,839
INFO =
[org.ovirt.engine.core.bll.VmLogonCommand] (default task-6) [7400ae46] =
Running command: VmLogonCommand internal: false. Entities affected =
: ID: 64a84b40-6050-4a96-a59d-d557a317c38c Type: VMAction group =
CONNECT_TO_VM with role type USER<o:p></o:p></p<p =
class=3DMsoNormal>2016-03-17 15:22:13,842
INFO =
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default =
task-6) [7400ae46] START, VmLogonVDSCommand(HostName =3D host01, =
VmLogonVDSCommandParameters:{runAsync=3D'true', =
hostId=3D'225157c0-224b-4aa6-9210-db4de7c7fc30', =
vmId=3D'64a84b40-6050-4a96-a59d-d557a317c38c', domain=3D'DOMAIN-authz', =
password=3D'***', userName=3D'test6@DOMAIN'}), log id: =
2015a1e0<o:p></o:p></p><p class=3DMsoNormal>2016-03-17
15:22:14,848 =
INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] =
(default task-6) [7400ae46] FINISH, VmLogonVDSCommand, log id: =
2015a1e0<o:p></o:p></p><p class=3DMsoNormal>2016-03-17
15:22:15,317 =
INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (default =
task-18) [10dad788] Running command: SetVmTicketCommand internal: true. =
Entities affected : ID: 64a84b40-6050-4a96-a59d-d557a317c38c Type: =
VMAction group CONNECT_TO_VM with role type USER<o:p></o:p></p<p =
class=3DMsoNormal>2016-03-17 15:22:15,322
INFO =
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] =
(default task-18) [10dad788] START, SetVmTicketVDSCommand(HostName =3D =
host01, SetVmTicketVDSCommandParameters:{runAsync=3D'true', =
hostId=3D'225157c0-224b-4aa6-9210-db4de7c7fc30', =
vmId=3D'64a84b40-6050-4a96-a59d-d557a317c38c', protocol=3D'SPICE', =
ticket=3D'rd8avqvdBnRl', validTime=3D'120', userName=3D'test6', =
userId=3D'10b2da3e-6401-4a09-a330-c0780bc0faef', =
disconnectAction=3D'LOCK_SCREEN'}), log id:
72efb73b<o:p></o:p></p<p =
class=3DMsoNormal>2016-03-17 15:22:16,340 INFO =
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] =
(default task-18) [10dad788] FINISH, SetVmTicketVDSCommand, log id: =
72efb73b<o:p></o:p></p><p class=3DMsoNormal>2016-03-17
15:22:16,377 =
INFO =
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] =
(default task-18) [10dad788] Correlation ID: 10dad788, Call Stack: null, =
Custom Event ID: -1, Message: User test6@DOMAIN initiated console =
session for VM test06<o:p></o:p></p><p
class=3DMsoNormal>2016-03-17 =
15:22:19,418 INFO =
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] =
(DefaultQuartzScheduler_Worker-53) [] Correlation ID: null, Call Stack: =
null, Custom Event ID: -1, Message: User test6@DOMAIN-authz is connected =
to VM test06.<o:p></o:p></p><p
class=3DMsoNormal><o:p> </o:p></p<p =
class=3DMsoNormal>--- Client:<o:p></o:p></p<p =
class=3DMsoNormal>/var/log/ovirt-guest-agent/ovirt-guest-agent.log<o:p></=
o:p></p><p class=3DMsoNormal>MainThread::INFO::2016-03-17 =
15:20:58,145::ovirt-guest-agent::57::root::Starting oVirt guest =
agent<o:p></o:p></p><p
class=3DMsoNormal>CredServer::INFO::2016-03-17 =
15:20:58,214::CredServer::257::root::CredServer is =
running...<o:p></o:p></p><p
class=3DMsoNormal>Dummy-1::INFO::2016-03-17 =
15:20:58,216::OVirtAgentLogic::294::root::Received an external command: =
lock-screen...<o:p></o:p></p<p =
class=3DMsoNormal>Dummy-1::INFO::2016-03-17 =
15:22:13,104::OVirtAgentLogic::294::root::Received an external command: =
login...<o:p></o:p></p><p
class=3DMsoNormal>Dummy-1::INFO::2016-03-17 =
15:22:13,104::CredServer::207::root::The following users are allowed to =
connect: [0]<o:p></o:p></p<p =
class=3DMsoNormal>Dummy-1::INFO::2016-03-17 =
15:22:13,104::CredServer::273::root::Opening credentials =
channel...<o:p></o:p></p><p
class=3DMsoNormal>Dummy-1::INFO::2016-03-17 =
15:22:13,105::CredServer::132::root::Emitting user authenticated signal =
(651416).<o:p></o:p></p<p =
class=3DMsoNormal>CredChannel::INFO::2016-03-17 =
15:22:13,188::CredServer::225::root::Incomming connection from user: 0 =
process: 2570<o:p></o:p></p<p =
class=3DMsoNormal>CredChannel::INFO::2016-03-17 =
15:22:13,188::CredServer::232::root::Sending user's credential (token: =
651416)<o:p></o:p></p><p
class=3DMsoNormal>Dummy-1::INFO::2016-03-17 =
15:22:13,189::CredServer::277::root::Credentials channel was =
closed.<o:p></o:p></p><p
class=3DMsoNormal><o:p> </o:p></p<p =
class=3DMsoNormal>/var/log/secure<o:p></o:p></p><p
class=3DMsoNormal>Mar =
17 15:21:07 test06 gdm-launch-environment]: =
pam_unix(gdm-launch-environment:session): session opened for user gdm by =
(uid=3D0)<o:p></o:p></p><p class=3DMsoNormal>Mar 17 15:21:10
test06 =
polkitd[749]: Registered Authentication Agent for unix-session:c1 =
(system bus name :1.34 [gnome-shell --mode=3Dgdm], object path =
/org/freedesktop/PolicyKit1/AuthenticationAgent, locale =
en_US.UTF-8)<o:p></o:p></p><p class=3DMsoNormal>Mar 17 15:22:13
test06 =
gdm-ovirtcred]: pam_sss(gdm-ovirtcred:auth): authentication failure; =
logname=3D uid=3D0 euid=3D0 tty=3D ruser=3D rhost=3D =
user=3Dtest6<o:p></o:p></p><p class=3DMsoNormal><b><span
=
style=3D'color:red'>Mar 17 15:22:13 test06 gdm-ovirtcred]: =
pam_sss(gdm-ovirtcred:auth): received for user test6: 17 (Failure =
setting user credentials)<o:p></o:p></span></b></p<p =
class=3DMsoNormal><o:p> </o:p></p><p
class=3DMsoNormal><span =
lang=3DNL>/var/log/sssd/krb5_child.log (debug-level =
10)<o:p></o:p></span></p><p
class=3DMsoNormal><b><span =
style=3D'color:red'>(Thu Mar 17 15:22:13 2016) =
[[sssd[krb5_child[2575]]]] [get_and_save_tgt] (0x0020): 1234: =
[-1765328360][Preauthentication
failed]<o:p></o:p></span></b></p<p =
class=3DMsoNormal><b><span style=3D'color:red'>(Thu Mar 17
15:22:13 =
2016) [[sssd[krb5_child[2575]]]] [map_krb5_error] (0x0020): 1303: =
[-1765328360][Preauthentication
failed]<o:p></o:p></span></b></p<p =
class=3DMsoNormal><b><span style=3D'color:red'>(Thu Mar 17
15:22:13 =
2016) [[sssd[krb5_child[2575]]]] [k5c_send_data] (0x0200): Received =
error code 1432158215<o:p></o:p></span></b></p><p
class=3DMsoNormal>(Thu =
Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [pack_response_packet] =
(0x2000): response packet size: [4]<o:p></o:p></p<p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
[[sssd[krb5_child[2575]]]] =
[k5c_send_data] (0x4000): Response sent.<o:p></o:p></p<p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
[[sssd[krb5_child[2575]]]] =
[main] (0x0400): krb5_child completed successfully<o:p></o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p<p =
class=3DMsoNormal>/var/log/sssd/sssd_DOMAIN.COM.log
(debug-level =
10)<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
=
[sssd[be[DOMAIN.COM]]] [be_pam_handler] (0x0100): Got request with the =
following data<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17
15:22:13 =
2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): command: =
PAM_AUTHENTICATE<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17
15:22:13 =
2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): domain: =
DOMAIN.COM<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13
2016) =
[sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): user: =
test6<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13
2016) =
[sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): service: =
gdm-ovirtcred<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17
15:22:13 =
2016) [sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): =
tty:<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
=
[sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): =
ruser:<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13
2016) =
[sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): =
rhost:<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13
2016) =
[sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): authtok type: =
1<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): newauthtok type: =
0<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): priv: =
1<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): cli_pid: =
2570<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
=
[sssd[be[DOMAIN.COM]]] [pam_print_data] (0x0100): logon name: not =
set<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
=
[sssd[be[DOMAIN.COM]]] [krb5_auth_queue_send] (0x1000): Wait queue of =
user [test6] is empty, running request [0x7fe30df03cc0] =
immediately.<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17
15:22:13 =
2016) [sssd[be[DOMAIN.COM]]] [krb5_setup] (0x4000): No mapping for: =
test6<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13
2016) =
[sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Added timed event =
"ltdb_callback": 0x7fe30df07120<o:p></o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p><p
class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Added timed event =
"ltdb_timeout": 0x7fe30df16590<o:p></o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p><p
class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Running timer =
event 0x7fe30df07120 "ltdb_callback"<o:p></o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p><p
class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Destroying timer =
event 0x7fe30df16590 "ltdb_timeout"<o:p></o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p><p
class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Ending timer event =
0x7fe30df07120 "ltdb_callback"<o:p></o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p><p
class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [fo_resolve_service_send] =
(0x0100): Trying to resolve service 'IPA'<o:p></o:p></p<p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
[sssd[be[DOMAIN.COM]]] =
[get_server_status] (0x1000): Status of server 'ipa01.DOMAIN.COM' is =
'working'<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17
15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [get_port_status] (0x1000): Port status of port =
389 for server 'ipa01.DOMAIN.COM' is
'working'<o:p></o:p></p<p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] =
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 =
seconds<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13
2016) =
[sssd[be[DOMAIN.COM]]] [resolve_srv_send] (0x0200): The status of SRV =
lookup is resolved<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17
=
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_server_status] (0x1000): =
Status of server 'ipa01.DOMAIN.COM' is
'working'<o:p></o:p></p<p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] =
[be_resolve_server_process] (0x1000): Saving the first resolved =
server<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13
2016) =
[sssd[be[DOMAIN.COM]]] [be_resolve_server_process] (0x0200): Found =
address for server ipa01.DOMAIN.COM: [10.0.1.21] TTL =
1200<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
=
[sssd[be[DOMAIN.COM]]] [ipa_resolve_callback] (0x0400): Constructed uri =
'ldap://ipa01.DOMAIN.COM'<o:p></o:p></p><p
class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sss_krb5_realm_has_proxy] =
(0x0040): profile_get_values failed.<o:p></o:p></p<p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
[sssd[be[DOMAIN.COM]]] =
[child_handler_setup] (0x2000): Setting up signal handler up for pid =
[2575]<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13
2016) =
[sssd[be[DOMAIN.COM]]] [child_handler_setup] (0x2000): Signal handler =
set up for pid [2575]<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar
17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [write_pipe_handler] (0x0400): All =
data has been sent!<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17
=
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_sig_handler] (0x1000): =
Waiting for child [2575].<o:p></o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p><p
class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_sig_handler] (0x0100): =
child [2575] finished successfully.<o:p></o:p></p<p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
[sssd[be[DOMAIN.COM]]] =
[read_pipe_handler] (0x0400): EOF received, client =
finished<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13
2016) =
[sssd[be[DOMAIN.COM]]] [check_wait_queue] (0x1000): Wait queue for user =
[test6] is empty.<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17
=
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [krb5_auth_queue_done] (0x1000): =
krb5_auth_queue request [0x7fe30df03cc0] done.<o:p></o:p></p<p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
[sssd[be[DOMAIN.COM]]] =
[sdap_id_op_connect_step] (0x4000): reusing cached =
connection<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13
2016) =
[sssd[be[DOMAIN.COM]]] [sdap_print_server] (0x2000): Searching =
10.0.1.21<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13
2016) =
[sssd[be[DOMAIN.COM]]] [sdap_get_generic_ext_step] (0x0400): calling =
ldap_search_ext with =
[(&(cn=3DipaConfig)(objectClass=3DipaGuiConfig))][cn=3Detc,dc=3DDOMAI=
N,dc=3Dcom].<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17
15:22:13 =
2016) [sssd[be[DOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): =
Requesting attrs: [ipaMigrationEnabled]<o:p></o:p></p<p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
[sssd[be[DOMAIN.COM]]] =
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: =
[ipaSELinuxUserMapDefault]<o:p></o:p></p><p class=3DMsoNormal>(Thu
Mar =
17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_get_generic_ext_step] =
(0x1000): Requesting attrs: [ipaSELinuxUserMapOrder]<o:p></o:p></p<p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
[sssd[be[DOMAIN.COM]]] =
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid =3D =
122<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
=
[sssd[be[DOMAIN.COM]]] [sdap_op_add] (0x2000): New operation 122 timeout =
60<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
=
[sssd[be[DOMAIN.COM]]] [sdap_process_result] (0x2000): Trace: =
sh[0x7fe30deef090], connected[1], ops[0x7fe30df094a0], =
ldap[0x7fe30def2920]<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar
17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_message] (0x4000): =
Message type: [LDAP_RES_SEARCH_ENTRY]<o:p></o:p></p<p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
[sssd[be[DOMAIN.COM]]] =
[sdap_parse_entry] (0x1000): OriginalDN: =
[cn=3DipaConfig,cn=3Detc,dc=3DDOMAIN,dc=3Dcom].<o:p></o:p></p<p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
[sssd[be[DOMAIN.COM]]] =
[sdap_parse_range] (0x2000): No sub-attributes for =
[ipaMigrationEnabled]<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar
17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range] (0x2000): No =
sub-attributes for [ipaSELinuxUserMapDefault]<o:p></o:p></p<p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
[sssd[be[DOMAIN.COM]]] =
[sdap_parse_range] (0x2000): No sub-attributes for =
[ipaSELinuxUserMapOrder]<o:p></o:p></p><p class=3DMsoNormal>(Thu
Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_result] (0x2000): =
Trace: sh[0x7fe30deef090], connected[1], ops[0x7fe30df094a0], =
ldap[0x7fe30def2920]<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar
17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_message] (0x4000): =
Message type: [LDAP_RES_SEARCH_RESULT]<o:p></o:p></p<p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
[sssd[be[DOMAIN.COM]]] =
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no =
errmsg set<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13
2016) =
[sssd[be[DOMAIN.COM]]] [sdap_op_destructor] (0x2000): Operation 122 =
finished <o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13
2016) =
[sssd[be[DOMAIN.COM]]] [sdap_id_op_destroy] (0x4000): releasing =
operation connection <o:p></o:p></p><p class=3DMsoNormal>(Thu Mar
17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ipa_get_migration_flag_done] =
(0x0100): Password migration is not enabled. <o:p></o:p></p<p =
class=3DMsoNormal><b><span
style=3D'color:red'>(Thu Mar 17 15:22:13 =
2016) [sssd[be[DOMAIN.COM]]] [be_pam_handler_callback] (0x0100): Backend =
returned: (0, 17, <NULL>) [Success (Failure setting user =
credentials)] <o:p></o:p></span></b></p><p
class=3DMsoNormal>(Thu Mar 17 =
15:22:13 2016) [sssd[be[DOMAIN.COM]]] [be_pam_handler_callback] =
(0x0100): Sending result [17][DOMAIN.COM] <o:p></o:p></p<p =
class=3DMsoNormal>(Thu Mar 17 15:22:13 2016)
[sssd[be[DOMAIN.COM]]] =
[be_pam_handler_callback] (0x0100): Sent result [17][DOMAIN.COM] =
<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [sdap_process_result] (0x2000): Trace: =
sh[0x7fe30deef090], connected[1], ops[(nil)], ldap[0x7fe30def2920] =
<o:p></o:p></p><p class=3DMsoNormal>(Thu Mar 17 15:22:13 2016) =
[sssd[be[DOMAIN.COM]]] [sdap_process_result] (0x2000): Trace: =
ldap_result found nothing!<o:p></o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p><p
class=3DMsoNormal> =
<o:p></o:p></p><p
class=3DMsoNormal><o:p> </o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p<p =
class=3DMsoNormal><o:p> </o:p></p></div></body></html>
------=_NextPart_000_0050_01D18069.35C995E0--
6:57 p.m.
Hi,
your authz name should match kerberos name.
So please change your authz name from 'DOMAIN-authz' to 'DOMAIN'
Please see this bz[1] for more detail.
Ondra
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137#c7
On 03/17/2016 04:22 PM, Paul wrote:
Hi,
I am having an issue with getting SSO to work when a standard
user(UserRole) logs in to the UserPortal.
The user has permission to use only this VM, so after login the console
is automatically opened for that VM.
Problem is that it doesn't login on the VM system with the provided
credentials. Manual login at the console works without any issues.
HBAC-rule check on IPA shows access is granted. Client has SELINUX in
permissive mode and a disabled firewalld.
On the client side I do see some PAM related errors in the logs (see
details below). Extensive Google search on error 17 "Failure setting
user credentials" didn't show helpful information :-(
AFAIK this is did a pretty standard set-up, all working with RH-family
products. I would expect others to encounter this issue as well.
If someone knows any solution or has some directions to fix this it
would be greatly appreciated.
Thanks,
Paul
------------------------------------------------------
System setup: I have 3 systems
The connection between the Engine and IPA is working fine. (I can log in
with IPA users etc.) Connection is made according to this document:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtuali...
Configuration of the client is done according to this document:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtuali...
--- Hosted Engine:
[root@engine ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@engine ~]# uname -a
Linux engine.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@engine ~]# rpm -qa | grep ovirt
ovirt-vmconsole-1.0.0-1.el7.centos.noarch
ovirt-engine-restapi-3.6.2.6-1.el7.centos.noarch
ovirt-setup-lib-1.0.1-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-common-3.6.3.4-1.el7.centos.noarch
ovirt-engine-setup-3.6.3.4-1.el7.centos.noarch
ovirt-image-uploader-3.6.0-1.el7.centos.noarch
ovirt-engine-extension-aaa-jdbc-1.0.5-1.el7.noarch
ovirt-host-deploy-1.4.1-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-setup-1.1.2-1.el7.centos.noarch
ovirt-engine-wildfly-overlay-8.0.4-1.el7.noarch
ovirt-engine-wildfly-8.2.1-1.el7.x86_64
ovirt-vmconsole-proxy-1.0.0-1.el7.centos.noarch
ovirt-engine-tools-3.6.2.6-1.el7.centos.noarch
ovirt-engine-dbscripts-3.6.2.6-1.el7.centos.noarch
ovirt-engine-backend-3.6.2.6-1.el7.centos.noarch
ovirt-engine-3.6.2.6-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.1.2-1.el7.centos.noarch
ovirt-engine-setup-base-3.6.3.4-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-3.6.3.4-1.el7.centos.noarch
ovirt-engine-setup-plugin-websocket-proxy-3.6.3.4-1.el7.centos.noarch
ovirt-engine-vmconsole-proxy-helper-3.6.3.4-1.el7.centos.noarch
ovirt-engine-cli-3.6.2.0-1.el7.centos.noarch
ovirt-host-deploy-java-1.4.1-1.el7.centos.noarch
ovirt-engine-userportal-3.6.2.6-1.el7.centos.noarch
ovirt-engine-webadmin-portal-3.6.2.6-1.el7.centos.noarch
ovirt-guest-agent-common-1.0.11-1.el7.noarch
ovirt-release36-003-1.noarch
ovirt-iso-uploader-3.6.0-1.el7.centos.noarch
ovirt-engine-lib-3.6.3.4-1.el7.centos.noarch
ovirt-engine-sdk-python-3.6.3.0-1.el7.centos.noarch
ovirt-engine-setup-plugin-vmconsole-proxy-helper-3.6.3.4-1.el7.centos.noarch
ovirt-engine-websocket-proxy-3.6.3.4-1.el7.centos.noarch
ovirt-log-collector-3.6.1-1.el7.centos.noarch
ovirt-engine-extensions-api-impl-3.6.3.4-1.el7.centos.noarch
--- FreeIPA:
[root@ipa01 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@ipa01 ~]# uname -a
Linux ipa01.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@ipa01 ~]# rpm -qa | grep ipa
ipa-python-4.2.0-15.el7_2.6.x86_64
ipa-client-4.2.0-15.el7_2.6.x86_64
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
python-iniparse-0.4-9.el7.noarch
libipa_hbac-1.13.0-40.el7_2.1.x86_64
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-admintools-4.2.0-15.el7_2.6.x86_64
ipa-server-4.2.0-15.el7_2.6.x86_64
ipa-server-dns-4.2.0-15.el7_2.6.x86_64
--- Client:
[root@test06 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@test06 ~]# uname -a
Linux test06.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@test06 ~]# rpm -qa | grep ipa
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
python-iniparse-0.4-9.el7.noarch
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64
libipa_hbac-1.13.0-40.el7_2.1.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64
device-mapper-multipath-0.4.9-85.el7.x86_64
device-mapper-multipath-libs-0.4.9-85.el7.x86_64
[root@test06 ~]# rpm -qa | grep guest-agent
qemu-guest-agent-2.3.0-4.el7.x86_64
ovirt-guest-agent-pam-module-1.0.11-1.el7.x86_64
ovirt-guest-agent-gdm-plugin-1.0.11-1.el7.noarch
ovirt-guest-agent-common-1.0.11-1.el7.noarch
---------------------------------------------------
Relevant logs:
--- Engine:
//var/log/ovirt-engine/engine
2016-03-17 15:22:10,516 INFO
[org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-22) []
Running command: LoginUserCommand internal: false.
2016-03-17 15:22:10,568 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-22) [] Correlation ID: null, Call Stack: null, Custom
Event ID: -1, Message: User test6@DOMAIN logged in.
2016-03-17 15:22:13,795 WARN
[org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (default
task-6) [7400ae46] The message key 'VmLogon' is missing from
'bundles/ExecutionMessages'
2016-03-17 15:22:13,839 INFO [org.ovirt.engine.core.bll.VmLogonCommand]
(default task-6) [7400ae46] Running command: VmLogonCommand internal:
false. Entities affected : ID: 64a84b40-6050-4a96-a59d-d557a317c38c
Type: VMAction group CONNECT_TO_VM with role type USER
2016-03-17 15:22:13,842 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default
task-6) [7400ae46] START, VmLogonVDSCommand(HostName = host01,
VmLogonVDSCommandParameters:{runAsync='true',
hostId='225157c0-224b-4aa6-9210-db4de7c7fc30',
vmId='64a84b40-6050-4a96-a59d-d557a317c38c', domain='DOMAIN-authz',
password='***', userName='test6@DOMAIN'}), log id: 2015a1e0
2016-03-17 15:22:14,848 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default
task-6) [7400ae46] FINISH, VmLogonVDSCommand, log id: 2015a1e0
2016-03-17 15:22:15,317 INFO
[org.ovirt.engine.core.bll.SetVmTicketCommand] (default task-18)
[10dad788] Running command: SetVmTicketCommand internal: true. Entities
affected : ID: 64a84b40-6050-4a96-a59d-d557a317c38c Type: VMAction
group CONNECT_TO_VM with role type USER
2016-03-17 15:22:15,322 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
(default task-18) [10dad788] START, SetVmTicketVDSCommand(HostName =
host01, SetVmTicketVDSCommandParameters:{runAsync='true',
hostId='225157c0-224b-4aa6-9210-db4de7c7fc30',
vmId='64a84b40-6050-4a96-a59d-d557a317c38c', protocol='SPICE',
ticket='rd8avqvdBnRl', validTime='120', userName='test6',
userId='10b2da3e-6401-4a09-a330-c0780bc0faef',
disconnectAction='LOCK_SCREEN'}), log id: 72efb73b
2016-03-17 15:22:16,340 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
(default task-18) [10dad788] FINISH, SetVmTicketVDSCommand, log id: 72efb73b
2016-03-17 15:22:16,377 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-18) [10dad788] Correlation ID: 10dad788, Call Stack: null,
Custom Event ID: -1, Message: User test6@DOMAIN initiated console
session for VM test06
2016-03-17 15:22:19,418 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(DefaultQuartzScheduler_Worker-53) [] Correlation ID: null, Call Stack:
null, Custom Event ID: -1, Message: User test6@DOMAIN-authz is connected
to VM test06.
--- Client:
/var/log/ovirt-guest-agent/ovirt-guest-agent.log
MainThread::INFO::2016-03-17
15:20:58,145::ovirt-guest-agent::57::root::Starting oVirt guest agent
CredServer::INFO::2016-03-17
15:20:58,214::CredServer::257::root::CredServer is running...
Dummy-1::INFO::2016-03-17
15:20:58,216::OVirtAgentLogic::294::root::Received an external command:
lock-screen...
Dummy-1::INFO::2016-03-17
15:22:13,104::OVirtAgentLogic::294::root::Received an external command:
login...
Dummy-1::INFO::2016-03-17 15:22:13,104::CredServer::207::root::The
following users are allowed to connect: [0]
Dummy-1::INFO::2016-03-17 15:22:13,104::CredServer::273::root::Opening
credentials channel...
Dummy-1::INFO::2016-03-17 15:22:13,105::CredServer::132::root::Emitting
user authenticated signal (651416).
CredChannel::INFO::2016-03-17
15:22:13,188::CredServer::225::root::Incomming connection from user: 0
process: 2570
CredChannel::INFO::2016-03-17
15:22:13,188::CredServer::232::root::Sending user's credential (token:
651416)
Dummy-1::INFO::2016-03-17
15:22:13,189::CredServer::277::root::Credentials channel was closed.
/var/log/secure
Mar 17 15:21:07 test06 gdm-launch-environment]:
pam_unix(gdm-launch-environment:session): session opened for user gdm by
(uid=0)
Mar 17 15:21:10 test06 polkitd[749]: Registered Authentication Agent for
unix-session:c1 (system bus name :1.34 [gnome-shell --mode=gdm], object
path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 17 15:22:13 test06 gdm-ovirtcred]: pam_sss(gdm-ovirtcred:auth):
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=test6
*Mar 17 15:22:13 test06 gdm-ovirtcred]: pam_sss(gdm-ovirtcred:auth):
received for user test6: 17 (Failure setting user credentials)*
/var/log/sssd/krb5_child.log (debug-level 10)
*(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]]
[get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed]*
*(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [map_krb5_error]
(0x0020): 1303: [-1765328360][Preauthentication failed]*
*(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [k5c_send_data]
(0x0200): Received error code 1432158215*
(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]]
[pack_response_packet] (0x2000): response packet size: [4]
(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [k5c_send_data]
(0x4000): Response sent.
(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [main] (0x0400):
krb5_child completed successfully
/var/log/sssd/sssd_DOMAIN.COM.log (debug-level 10)
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [be_pam_handler]
(0x0100): Got request with the following data
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): command: PAM_AUTHENTICATE
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): domain: DOMAIN.COM
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): user: test6
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): service: gdm-ovirtcred
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): tty:
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): ruser:
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): rhost:
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): authtok type: 1
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): priv: 1
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): cli_pid: 2570
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): logon name: not set
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [krb5_auth_queue_send]
(0x1000): Wait queue of user [test6] is empty, running request
[0x7fe30df03cc0] immediately.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [krb5_setup] (0x4000):
No mapping for: test6
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Added
timed event "ltdb_callback": 0x7fe30df07120
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Added
timed event "ltdb_timeout": 0x7fe30df16590
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000):
Running timer event 0x7fe30df07120 "ltdb_callback"
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000):
Destroying timer event 0x7fe30df16590 "ltdb_timeout"
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000): Ending
timer event 0x7fe30df07120 "ltdb_callback"
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_server_status]
(0x1000): Status of server 'ipa01.DOMAIN.COM' is 'working'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_port_status]
(0x1000): Port status of port 389 for server 'ipa01.DOMAIN.COM' is
'working'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6
seconds
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is resolved
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_server_status]
(0x1000): Status of server 'ipa01.DOMAIN.COM' is 'working'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[be_resolve_server_process] (0x0200): Found address for server
ipa01.DOMAIN.COM: [10.0.1.21] TTL 1200
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ipa_resolve_callback]
(0x0400): Constructed uri 'ldap://ipa01.DOMAIN.COM'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_handler_setup]
(0x2000): Setting up signal handler up for pid [2575]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_handler_setup]
(0x2000): Signal handler set up for pid [2575]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_sig_handler]
(0x1000): Waiting for child [2575].
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_sig_handler]
(0x0100): child [2575] finished successfully.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [check_wait_queue]
(0x1000): Wait queue for user [test6] is empty.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [krb5_auth_queue_done]
(0x1000): krb5_auth_queue request [0x7fe30df03cc0] done.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_id_op_connect_step] (0x4000): reusing cached connection
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_print_server]
(0x2000): Searching 10.0.1.21
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=DOMAIN,dc=com].
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaMigrationEnabled]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSELinuxUserMapDefault]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSELinuxUserMapOrder]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 122
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_op_add]
(0x2000): New operation 122 timeout 60
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x7fe30deef090], connected[1], ops[0x7fe30df094a0],
ldap[0x7fe30def2920]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_entry]
(0x1000): OriginalDN: [cn=ipaConfig,cn=etc,dc=DOMAIN,dc=com].
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaMigrationEnabled]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSELinuxUserMapDefault]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSELinuxUserMapOrder]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x7fe30deef090], connected[1], ops[0x7fe30df094a0],
ldap[0x7fe30def2920]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_op_destructor]
(0x2000): Operation 122 finished
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_id_op_destroy]
(0x4000): releasing operation connection
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[ipa_get_migration_flag_done] (0x0100): Password migration is not enabled.
*(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 17, <NULL>)
[Success (Failure setting user credentials)] *
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[be_pam_handler_callback] (0x0100): Sending result [17][DOMAIN.COM]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[be_pam_handler_callback] (0x0100): Sent result [17][DOMAIN.COM]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x7fe30deef090], connected[1], ops[(nil)],
ldap[0x7fe30def2920]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
8:07 p.m.
Hi Ondra,
Thanks for your reply, unfortunately this does not resolve the issue.
I had already seen this bug and tried it without the -authz appendix(maybe
should have mentioned that).
I also (may be wrongfully) assumed that the
"ovirt-engine-extension-aaa-ldap-setup" would not have this issue/bug.
Anyways, I changed it (again) to the DOMAIN without '-authz' by changing:
/etc/ovirt-engine/extensions.d/DOMAIN-authz.properties =>
ovirt.engine.extension.name = DOMAIN
/etc/ovirt-engine/extensions.d/DOMAIN-authn.properties =>
ovirt.engine.aaa.authn.authz.plugin = DOMAIN
Systemctl restart ovirt-engine
By the way: login with IPA users doesn't work anymore, you have to log in
with admin internal account and remove your IPA users and add them back to
make them work again.
But still get the error:
pam_sss(gdm-ovirtcred:auth): received for user test6: 17 (Failure setting
user credentials)
Any suggestions?
-----Original Message-----
From: Ondra Machacek [mailto:omachace@redhat.com]
Sent: donderdag 17 maart 2016 16:58
To: Paul <paul(a)kenla.nl>; users(a)ovirt.org
Subject: Re: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA
not working
Hi,
your authz name should match kerberos name.
So please change your authz name from 'DOMAIN-authz' to 'DOMAIN'
Please see this bz[1] for more detail.
Ondra
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137#c7
On 03/17/2016 04:22 PM, Paul wrote:
Hi,
I am having an issue with getting SSO to work when a standard
user(UserRole) logs in to the UserPortal.
The user has permission to use only this VM, so after login the
console is automatically opened for that VM.
Problem is that it doesn't login on the VM system with the provided
credentials. Manual login at the console works without any issues.
HBAC-rule check on IPA shows access is granted. Client has SELINUX in
permissive mode and a disabled firewalld.
On the client side I do see some PAM related errors in the logs (see
details below). Extensive Google search on error 17 "Failure setting
user credentials" didn't show helpful information :-(
AFAIK this is did a pretty standard set-up, all working with RH-family
products. I would expect others to encounter this issue as well.
If someone knows any solution or has some directions to fix this it
would be greatly appreciated.
Thanks,
Paul
------------------------------------------------------
System setup: I have 3 systems
The connection between the Engine and IPA is working fine. (I can log
in with IPA users etc.) Connection is made according to this document:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtu
alization/3.6/html-single/Administration_Guide/index.html#sect-Configu
ring_an_External_LDAP_Provider
Configuration of the client is done according to this document:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtu
alization/3.6/html/Virtual_Machine_Management_Guide/chap-Additional_Co
nfiguration.html#sect-Configuring_Single_Sign-On_for_Virtual_Machines
--- Hosted Engine:
[root@engine ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@engine ~]# uname -a
Linux engine.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@engine ~]# rpm -qa | grep ovirt
ovirt-vmconsole-1.0.0-1.el7.centos.noarch
ovirt-engine-restapi-3.6.2.6-1.el7.centos.noarch
ovirt-setup-lib-1.0.1-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-common-3.6.3.4-1.el7.centos.noa
rch
ovirt-engine-setup-3.6.3.4-1.el7.centos.noarch
ovirt-image-uploader-3.6.0-1.el7.centos.noarch
ovirt-engine-extension-aaa-jdbc-1.0.5-1.el7.noarch
ovirt-host-deploy-1.4.1-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-setup-1.1.2-1.el7.centos.noarch
ovirt-engine-wildfly-overlay-8.0.4-1.el7.noarch
ovirt-engine-wildfly-8.2.1-1.el7.x86_64
ovirt-vmconsole-proxy-1.0.0-1.el7.centos.noarch
ovirt-engine-tools-3.6.2.6-1.el7.centos.noarch
ovirt-engine-dbscripts-3.6.2.6-1.el7.centos.noarch
ovirt-engine-backend-3.6.2.6-1.el7.centos.noarch
ovirt-engine-3.6.2.6-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.1.2-1.el7.centos.noarch
ovirt-engine-setup-base-3.6.3.4-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-3.6.3.4-1.el7.centos.noarch
ovirt-engine-setup-plugin-websocket-proxy-3.6.3.4-1.el7.centos.noarch
ovirt-engine-vmconsole-proxy-helper-3.6.3.4-1.el7.centos.noarch
ovirt-engine-cli-3.6.2.0-1.el7.centos.noarch
ovirt-host-deploy-java-1.4.1-1.el7.centos.noarch
ovirt-engine-userportal-3.6.2.6-1.el7.centos.noarch
ovirt-engine-webadmin-portal-3.6.2.6-1.el7.centos.noarch
ovirt-guest-agent-common-1.0.11-1.el7.noarch
ovirt-release36-003-1.noarch
ovirt-iso-uploader-3.6.0-1.el7.centos.noarch
ovirt-engine-lib-3.6.3.4-1.el7.centos.noarch
ovirt-engine-sdk-python-3.6.3.0-1.el7.centos.noarch
ovirt-engine-setup-plugin-vmconsole-proxy-helper-3.6.3.4-1.el7.centos.
noarch
ovirt-engine-websocket-proxy-3.6.3.4-1.el7.centos.noarch
ovirt-log-collector-3.6.1-1.el7.centos.noarch
ovirt-engine-extensions-api-impl-3.6.3.4-1.el7.centos.noarch
--- FreeIPA:
[root@ipa01 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@ipa01 ~]# uname -a
Linux ipa01.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@ipa01 ~]# rpm -qa | grep ipa
ipa-python-4.2.0-15.el7_2.6.x86_64
ipa-client-4.2.0-15.el7_2.6.x86_64
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
python-iniparse-0.4-9.el7.noarch
libipa_hbac-1.13.0-40.el7_2.1.x86_64
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-admintools-4.2.0-15.el7_2.6.x86_64
ipa-server-4.2.0-15.el7_2.6.x86_64
ipa-server-dns-4.2.0-15.el7_2.6.x86_64
--- Client:
[root@test06 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@test06 ~]# uname -a
Linux test06.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@test06 ~]# rpm -qa | grep ipa
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
python-iniparse-0.4-9.el7.noarch
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64
libipa_hbac-1.13.0-40.el7_2.1.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64
device-mapper-multipath-0.4.9-85.el7.x86_64
device-mapper-multipath-libs-0.4.9-85.el7.x86_64
[root@test06 ~]# rpm -qa | grep guest-agent
qemu-guest-agent-2.3.0-4.el7.x86_64
ovirt-guest-agent-pam-module-1.0.11-1.el7.x86_64
ovirt-guest-agent-gdm-plugin-1.0.11-1.el7.noarch
ovirt-guest-agent-common-1.0.11-1.el7.noarch
---------------------------------------------------
Relevant logs:
--- Engine:
//var/log/ovirt-engine/engine
2016-03-17 15:22:10,516 INFO
[org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-22) []
Running command: LoginUserCommand internal: false.
2016-03-17 15:22:10,568 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-22) [] Correlation ID: null, Call Stack: null, Custom
Event ID: -1, Message: User test6@DOMAIN logged in.
2016-03-17 15:22:13,795 WARN
[org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (default
task-6) [7400ae46] The message key 'VmLogon' is missing from
'bundles/ExecutionMessages'
2016-03-17 15:22:13,839 INFO
[org.ovirt.engine.core.bll.VmLogonCommand]
(default task-6) [7400ae46] Running command: VmLogonCommand internal:
false. Entities affected : ID: 64a84b40-6050-4a96-a59d-d557a317c38c
Type: VMAction group CONNECT_TO_VM with role type USER
2016-03-17 15:22:13,842 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default
task-6) [7400ae46] START, VmLogonVDSCommand(HostName = host01,
VmLogonVDSCommandParameters:{runAsync='true',
hostId='225157c0-224b-4aa6-9210-db4de7c7fc30',
vmId='64a84b40-6050-4a96-a59d-d557a317c38c', domain='DOMAIN-authz',
password='***', userName='test6@DOMAIN'}), log id: 2015a1e0
2016-03-17 15:22:14,848 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default
task-6) [7400ae46] FINISH, VmLogonVDSCommand, log id: 2015a1e0
2016-03-17 15:22:15,317 INFO
[org.ovirt.engine.core.bll.SetVmTicketCommand] (default task-18)
[10dad788] Running command: SetVmTicketCommand internal: true.
Entities affected : ID: 64a84b40-6050-4a96-a59d-d557a317c38c Type:
VMAction group CONNECT_TO_VM with role type USER
2016-03-17 15:22:15,322 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
(default task-18) [10dad788] START, SetVmTicketVDSCommand(HostName =
host01, SetVmTicketVDSCommandParameters:{runAsync='true',
hostId='225157c0-224b-4aa6-9210-db4de7c7fc30',
vmId='64a84b40-6050-4a96-a59d-d557a317c38c', protocol='SPICE',
ticket='rd8avqvdBnRl', validTime='120', userName='test6',
userId='10b2da3e-6401-4a09-a330-c0780bc0faef',
disconnectAction='LOCK_SCREEN'}), log id: 72efb73b
2016-03-17 15:22:16,340 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
(default task-18) [10dad788] FINISH, SetVmTicketVDSCommand, log id:
72efb73b
2016-03-17 15:22:16,377 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-18) [10dad788] Correlation ID: 10dad788, Call Stack:
null, Custom Event ID: -1, Message: User test6@DOMAIN initiated
console session for VM test06
2016-03-17 15:22:19,418 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(DefaultQuartzScheduler_Worker-53) [] Correlation ID: null, Call Stack:
null, Custom Event ID: -1, Message: User test6@DOMAIN-authz is
connected to VM test06.
--- Client:
/var/log/ovirt-guest-agent/ovirt-guest-agent.log
MainThread::INFO::2016-03-17
15:20:58,145::ovirt-guest-agent::57::root::Starting oVirt guest agent
CredServer::INFO::2016-03-17
15:20:58,214::CredServer::257::root::CredServer is running...
Dummy-1::INFO::2016-03-17
15:20:58,216::OVirtAgentLogic::294::root::Received an external command:
lock-screen...
Dummy-1::INFO::2016-03-17
15:22:13,104::OVirtAgentLogic::294::root::Received an external command:
login...
Dummy-1::INFO::2016-03-17 15:22:13,104::CredServer::207::root::The
following users are allowed to connect: [0]
Dummy-1::INFO::2016-03-17 15:22:13,104::CredServer::273::root::Opening
credentials channel...
Dummy-1::INFO::2016-03-17
15:22:13,105::CredServer::132::root::Emitting
user authenticated signal (651416).
CredChannel::INFO::2016-03-17
15:22:13,188::CredServer::225::root::Incomming connection from user: 0
process: 2570
CredChannel::INFO::2016-03-17
15:22:13,188::CredServer::232::root::Sending user's credential (token:
651416)
Dummy-1::INFO::2016-03-17
15:22:13,189::CredServer::277::root::Credentials channel was closed.
/var/log/secure
Mar 17 15:21:07 test06 gdm-launch-environment]:
pam_unix(gdm-launch-environment:session): session opened for user gdm
by
(uid=0)
Mar 17 15:21:10 test06 polkitd[749]: Registered Authentication Agent
for
unix-session:c1 (system bus name :1.34 [gnome-shell --mode=gdm],
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale
en_US.UTF-8)
Mar 17 15:22:13 test06 gdm-ovirtcred]: pam_sss(gdm-ovirtcred:auth):
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=test6
*Mar 17 15:22:13 test06 gdm-ovirtcred]: pam_sss(gdm-ovirtcred:auth):
received for user test6: 17 (Failure setting user credentials)*
/var/log/sssd/krb5_child.log (debug-level 10)
*(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]]
[get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication
failed]*
*(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]]
[map_krb5_error]
(0x0020): 1303: [-1765328360][Preauthentication failed]*
*(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [k5c_send_data]
(0x0200): Received error code 1432158215*
(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]]
[pack_response_packet] (0x2000): response packet size: [4]
(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [k5c_send_data]
(0x4000): Response sent.
(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [main] (0x0400):
krb5_child completed successfully
/var/log/sssd/sssd_DOMAIN.COM.log (debug-level 10)
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [be_pam_handler]
(0x0100): Got request with the following data
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): command: PAM_AUTHENTICATE
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): domain: DOMAIN.COM
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): user: test6
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): service: gdm-ovirtcred
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): tty:
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): ruser:
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): rhost:
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): authtok type: 1
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): priv: 1
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): cli_pid: 2570
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
(0x0100): logon name: not set
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[krb5_auth_queue_send]
(0x1000): Wait queue of user [test6] is empty, running request
[0x7fe30df03cc0] immediately.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [krb5_setup] (0x4000):
No mapping for: test6
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000):
Added timed event "ltdb_callback": 0x7fe30df07120
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000):
Added timed event "ltdb_timeout": 0x7fe30df16590
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000):
Running timer event 0x7fe30df07120 "ltdb_callback"
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000):
Destroying timer event 0x7fe30df16590 "ltdb_timeout"
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000):
Ending timer event 0x7fe30df07120 "ltdb_callback"
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_server_status]
(0x1000): Status of server 'ipa01.DOMAIN.COM' is 'working'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_port_status]
(0x1000): Port status of port 389 for server 'ipa01.DOMAIN.COM' is
'working'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to
6 seconds
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is resolved
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_server_status]
(0x1000): Status of server 'ipa01.DOMAIN.COM' is 'working'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[be_resolve_server_process] (0x0200): Found address for server
ipa01.DOMAIN.COM: [10.0.1.21] TTL 1200
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[ipa_resolve_callback]
(0x0400): Constructed uri 'ldap://ipa01.DOMAIN.COM'
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[child_handler_setup]
(0x2000): Setting up signal handler up for pid [2575]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[child_handler_setup]
(0x2000): Signal handler set up for pid [2575]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_sig_handler]
(0x1000): Waiting for child [2575].
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_sig_handler]
(0x0100): child [2575] finished successfully.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [check_wait_queue]
(0x1000): Wait queue for user [test6] is empty.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[krb5_auth_queue_done]
(0x1000): krb5_auth_queue request [0x7fe30df03cc0] done.
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_id_op_connect_step] (0x4000): reusing cached connection
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_print_server]
(0x2000): Searching 10.0.1.21
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=DOMAIN,dc=com].
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaMigrationEnabled]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSELinuxUserMapDefault]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[ipaSELinuxUserMapOrder]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid =
122
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_op_add]
(0x2000): New operation 122 timeout 60
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_process_result]
(0x2000): Trace: sh[0x7fe30deef090], connected[1],
ops[0x7fe30df094a0], ldap[0x7fe30def2920]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_entry]
(0x1000): OriginalDN: [cn=ipaConfig,cn=etc,dc=DOMAIN,dc=com].
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaMigrationEnabled]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSELinuxUserMapDefault]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range]
(0x2000): No sub-attributes for [ipaSELinuxUserMapOrder]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_process_result]
(0x2000): Trace: sh[0x7fe30deef090], connected[1],
ops[0x7fe30df094a0], ldap[0x7fe30def2920]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_op_destructor]
(0x2000): Operation 122 finished
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_id_op_destroy]
(0x4000): releasing operation connection
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[ipa_get_migration_flag_done] (0x0100): Password migration is not enabled.
*(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 17, <NULL>)
[Success (Failure setting user credentials)] *
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[be_pam_handler_callback] (0x0100): Sending result [17][DOMAIN.COM]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[be_pam_handler_callback] (0x0100): Sent result [17][DOMAIN.COM]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_process_result]
(0x2000): Trace: sh[0x7fe30deef090], connected[1], ops[(nil)],
ldap[0x7fe30def2920]
(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
[sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
9:12 p.m.
Hi Paul,
ok, thanks for info, then there is an issue in pam configuration, most
probably.
There is open issue for it on rhel7, please try read this comment[1] if
it helps to you.
Ondra
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1316135#c3
On 03/17/2016 06:07 PM, Paul wrote:
Hi Ondra,
Thanks for your reply, unfortunately this does not resolve the issue.
I had already seen this bug and tried it without the -authz appendix(maybe
should have mentioned that).
I also (may be wrongfully) assumed that the
"ovirt-engine-extension-aaa-ldap-setup" would not have this issue/bug.
Anyways, I changed it (again) to the DOMAIN without '-authz' by changing:
/etc/ovirt-engine/extensions.d/DOMAIN-authz.properties =>
ovirt.engine.extension.name = DOMAIN
/etc/ovirt-engine/extensions.d/DOMAIN-authn.properties =>
ovirt.engine.aaa.authn.authz.plugin = DOMAIN
Systemctl restart ovirt-engine
By the way: login with IPA users doesn't work anymore, you have to log in
with admin internal account and remove your IPA users and add them back to
make them work again.
But still get the error:
pam_sss(gdm-ovirtcred:auth): received for user test6: 17 (Failure setting
user credentials)
Any suggestions?
-----Original Message-----
From: Ondra Machacek [mailto:omachace@redhat.com]
Sent: donderdag 17 maart 2016 16:58
To: Paul <paul(a)kenla.nl>; users(a)ovirt.org
Subject: Re: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA
not working
Hi,
your authz name should match kerberos name.
So please change your authz name from 'DOMAIN-authz' to 'DOMAIN'
Please see this bz[1] for more detail.
Ondra
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137#c7
On 03/17/2016 04:22 PM, Paul wrote:
> Hi,
>
> I am having an issue with getting SSO to work when a standard
> user(UserRole) logs in to the UserPortal.
>
> The user has permission to use only this VM, so after login the
> console is automatically opened for that VM.
>
> Problem is that it doesn't login on the VM system with the provided
> credentials. Manual login at the console works without any issues.
>
> HBAC-rule check on IPA shows access is granted. Client has SELINUX in
> permissive mode and a disabled firewalld.
>
> On the client side I do see some PAM related errors in the logs (see
> details below). Extensive Google search on error 17 "Failure setting
> user credentials" didn't show helpful information :-(
>
> AFAIK this is did a pretty standard set-up, all working with RH-family
> products. I would expect others to encounter this issue as well.
>
> If someone knows any solution or has some directions to fix this it
> would be greatly appreciated.
>
> Thanks,
>
> Paul
>
> ------------------------------------------------------
>
> System setup: I have 3 systems
>
> The connection between the Engine and IPA is working fine. (I can log
> in with IPA users etc.) Connection is made according to this document:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtu
> alization/3.6/html-single/Administration_Guide/index.html#sect-Configu
> ring_an_External_LDAP_Provider
>
> Configuration of the client is done according to this document:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtu
> alization/3.6/html/Virtual_Machine_Management_Guide/chap-Additional_Co
> nfiguration.html#sect-Configuring_Single_Sign-On_for_Virtual_Machines
>
> --- Hosted Engine:
>
> [root@engine ~]# cat /etc/redhat-release
>
> CentOS Linux release 7.2.1511 (Core)
>
> [root@engine ~]# uname -a
>
> Linux engine.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
> 17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@engine ~]# rpm -qa | grep ovirt
>
> ovirt-vmconsole-1.0.0-1.el7.centos.noarch
>
> ovirt-engine-restapi-3.6.2.6-1.el7.centos.noarch
>
> ovirt-setup-lib-1.0.1-1.el7.centos.noarch
>
> ovirt-engine-setup-plugin-ovirt-engine-common-3.6.3.4-1.el7.centos.noa
> rch
>
> ovirt-engine-setup-3.6.3.4-1.el7.centos.noarch
>
> ovirt-image-uploader-3.6.0-1.el7.centos.noarch
>
> ovirt-engine-extension-aaa-jdbc-1.0.5-1.el7.noarch
>
> ovirt-host-deploy-1.4.1-1.el7.centos.noarch
>
> ovirt-engine-extension-aaa-ldap-setup-1.1.2-1.el7.centos.noarch
>
> ovirt-engine-wildfly-overlay-8.0.4-1.el7.noarch
>
> ovirt-engine-wildfly-8.2.1-1.el7.x86_64
>
> ovirt-vmconsole-proxy-1.0.0-1.el7.centos.noarch
>
> ovirt-engine-tools-3.6.2.6-1.el7.centos.noarch
>
> ovirt-engine-dbscripts-3.6.2.6-1.el7.centos.noarch
>
> ovirt-engine-backend-3.6.2.6-1.el7.centos.noarch
>
> ovirt-engine-3.6.2.6-1.el7.centos.noarch
>
> ovirt-engine-extension-aaa-ldap-1.1.2-1.el7.centos.noarch
>
> ovirt-engine-setup-base-3.6.3.4-1.el7.centos.noarch
>
> ovirt-engine-setup-plugin-ovirt-engine-3.6.3.4-1.el7.centos.noarch
>
> ovirt-engine-setup-plugin-websocket-proxy-3.6.3.4-1.el7.centos.noarch
>
> ovirt-engine-vmconsole-proxy-helper-3.6.3.4-1.el7.centos.noarch
>
> ovirt-engine-cli-3.6.2.0-1.el7.centos.noarch
>
> ovirt-host-deploy-java-1.4.1-1.el7.centos.noarch
>
> ovirt-engine-userportal-3.6.2.6-1.el7.centos.noarch
>
> ovirt-engine-webadmin-portal-3.6.2.6-1.el7.centos.noarch
>
> ovirt-guest-agent-common-1.0.11-1.el7.noarch
>
> ovirt-release36-003-1.noarch
>
> ovirt-iso-uploader-3.6.0-1.el7.centos.noarch
>
> ovirt-engine-lib-3.6.3.4-1.el7.centos.noarch
>
> ovirt-engine-sdk-python-3.6.3.0-1.el7.centos.noarch
>
> ovirt-engine-setup-plugin-vmconsole-proxy-helper-3.6.3.4-1.el7.centos.
> noarch
>
> ovirt-engine-websocket-proxy-3.6.3.4-1.el7.centos.noarch
>
> ovirt-log-collector-3.6.1-1.el7.centos.noarch
>
> ovirt-engine-extensions-api-impl-3.6.3.4-1.el7.centos.noarch
>
> --- FreeIPA:
>
> [root@ipa01 ~]# cat /etc/redhat-release
>
> CentOS Linux release 7.2.1511 (Core)
>
> [root@ipa01 ~]# uname -a
>
> Linux ipa01.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
> 17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@ipa01 ~]# rpm -qa | grep ipa
>
> ipa-python-4.2.0-15.el7_2.6.x86_64
>
> ipa-client-4.2.0-15.el7_2.6.x86_64
>
> python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
>
> python-iniparse-0.4-9.el7.noarch
>
> libipa_hbac-1.13.0-40.el7_2.1.x86_64
>
> sssd-ipa-1.13.0-40.el7_2.1.x86_64
>
> ipa-admintools-4.2.0-15.el7_2.6.x86_64
>
> ipa-server-4.2.0-15.el7_2.6.x86_64
>
> ipa-server-dns-4.2.0-15.el7_2.6.x86_64
>
> --- Client:
>
> [root@test06 ~]# cat /etc/redhat-release
>
> CentOS Linux release 7.2.1511 (Core)
>
> [root@test06 ~]# uname -a
>
> Linux test06.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
> 17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@test06 ~]# rpm -qa | grep ipa
>
> python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
>
> python-iniparse-0.4-9.el7.noarch
>
> sssd-ipa-1.13.0-40.el7_2.1.x86_64
>
> ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64
>
> libipa_hbac-1.13.0-40.el7_2.1.x86_64
>
> ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64
>
> device-mapper-multipath-0.4.9-85.el7.x86_64
>
> device-mapper-multipath-libs-0.4.9-85.el7.x86_64
>
> [root@test06 ~]# rpm -qa | grep guest-agent
>
> qemu-guest-agent-2.3.0-4.el7.x86_64
>
> ovirt-guest-agent-pam-module-1.0.11-1.el7.x86_64
>
> ovirt-guest-agent-gdm-plugin-1.0.11-1.el7.noarch
>
> ovirt-guest-agent-common-1.0.11-1.el7.noarch
>
> ---------------------------------------------------
>
> Relevant logs:
>
> --- Engine:
>
> //var/log/ovirt-engine/engine
>
> 2016-03-17 15:22:10,516 INFO
> [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-22) []
> Running command: LoginUserCommand internal: false.
>
> 2016-03-17 15:22:10,568 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-22) [] Correlation ID: null, Call Stack: null, Custom
> Event ID: -1, Message: User test6@DOMAIN logged in.
>
> 2016-03-17 15:22:13,795 WARN
> [org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (default
> task-6) [7400ae46] The message key 'VmLogon' is missing from
> 'bundles/ExecutionMessages'
>
> 2016-03-17 15:22:13,839 INFO
> [org.ovirt.engine.core.bll.VmLogonCommand]
> (default task-6) [7400ae46] Running command: VmLogonCommand internal:
> false. Entities affected : ID: 64a84b40-6050-4a96-a59d-d557a317c38c
> Type: VMAction group CONNECT_TO_VM with role type USER
>
> 2016-03-17 15:22:13,842 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default
> task-6) [7400ae46] START, VmLogonVDSCommand(HostName = host01,
> VmLogonVDSCommandParameters:{runAsync='true',
> hostId='225157c0-224b-4aa6-9210-db4de7c7fc30',
> vmId='64a84b40-6050-4a96-a59d-d557a317c38c', domain='DOMAIN-authz',
> password='***', userName='test6@DOMAIN'}), log id: 2015a1e0
>
> 2016-03-17 15:22:14,848 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default
> task-6) [7400ae46] FINISH, VmLogonVDSCommand, log id: 2015a1e0
>
> 2016-03-17 15:22:15,317 INFO
> [org.ovirt.engine.core.bll.SetVmTicketCommand] (default task-18)
> [10dad788] Running command: SetVmTicketCommand internal: true.
> Entities affected : ID: 64a84b40-6050-4a96-a59d-d557a317c38c Type:
> VMAction group CONNECT_TO_VM with role type USER
>
> 2016-03-17 15:22:15,322 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
> (default task-18) [10dad788] START, SetVmTicketVDSCommand(HostName =
> host01, SetVmTicketVDSCommandParameters:{runAsync='true',
> hostId='225157c0-224b-4aa6-9210-db4de7c7fc30',
> vmId='64a84b40-6050-4a96-a59d-d557a317c38c', protocol='SPICE',
> ticket='rd8avqvdBnRl', validTime='120', userName='test6',
> userId='10b2da3e-6401-4a09-a330-c0780bc0faef',
> disconnectAction='LOCK_SCREEN'}), log id: 72efb73b
>
> 2016-03-17 15:22:16,340 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
> (default task-18) [10dad788] FINISH, SetVmTicketVDSCommand, log id:
> 72efb73b
>
> 2016-03-17 15:22:16,377 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-18) [10dad788] Correlation ID: 10dad788, Call Stack:
> null, Custom Event ID: -1, Message: User test6@DOMAIN initiated
> console session for VM test06
>
> 2016-03-17 15:22:19,418 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (DefaultQuartzScheduler_Worker-53) [] Correlation ID: null, Call Stack:
> null, Custom Event ID: -1, Message: User test6@DOMAIN-authz is
> connected to VM test06.
>
> --- Client:
>
> /var/log/ovirt-guest-agent/ovirt-guest-agent.log
>
> MainThread::INFO::2016-03-17
> 15:20:58,145::ovirt-guest-agent::57::root::Starting oVirt guest agent
>
> CredServer::INFO::2016-03-17
> 15:20:58,214::CredServer::257::root::CredServer is running...
>
> Dummy-1::INFO::2016-03-17
> 15:20:58,216::OVirtAgentLogic::294::root::Received an external command:
> lock-screen...
>
> Dummy-1::INFO::2016-03-17
> 15:22:13,104::OVirtAgentLogic::294::root::Received an external command:
> login...
>
> Dummy-1::INFO::2016-03-17 15:22:13,104::CredServer::207::root::The
> following users are allowed to connect: [0]
>
> Dummy-1::INFO::2016-03-17 15:22:13,104::CredServer::273::root::Opening
> credentials channel...
>
> Dummy-1::INFO::2016-03-17
> 15:22:13,105::CredServer::132::root::Emitting
> user authenticated signal (651416).
>
> CredChannel::INFO::2016-03-17
> 15:22:13,188::CredServer::225::root::Incomming connection from user: 0
> process: 2570
>
> CredChannel::INFO::2016-03-17
> 15:22:13,188::CredServer::232::root::Sending user's credential (token:
> 651416)
>
> Dummy-1::INFO::2016-03-17
> 15:22:13,189::CredServer::277::root::Credentials channel was closed.
>
> /var/log/secure
>
> Mar 17 15:21:07 test06 gdm-launch-environment]:
> pam_unix(gdm-launch-environment:session): session opened for user gdm
> by
> (uid=0)
>
> Mar 17 15:21:10 test06 polkitd[749]: Registered Authentication Agent
> for
> unix-session:c1 (system bus name :1.34 [gnome-shell --mode=gdm],
> object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale
> en_US.UTF-8)
>
> Mar 17 15:22:13 test06 gdm-ovirtcred]: pam_sss(gdm-ovirtcred:auth):
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> user=test6
>
> *Mar 17 15:22:13 test06 gdm-ovirtcred]: pam_sss(gdm-ovirtcred:auth):
> received for user test6: 17 (Failure setting user credentials)*
>
> /var/log/sssd/krb5_child.log (debug-level 10)
>
> *(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]]
> [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication
> failed]*
>
> *(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]]
> [map_krb5_error]
> (0x0020): 1303: [-1765328360][Preauthentication failed]*
>
> *(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [k5c_send_data]
> (0x0200): Received error code 1432158215*
>
> (Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]]
> [pack_response_packet] (0x2000): response packet size: [4]
>
> (Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [k5c_send_data]
> (0x4000): Response sent.
>
> (Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [main] (0x0400):
> krb5_child completed successfully
>
> /var/log/sssd/sssd_DOMAIN.COM.log (debug-level 10)
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [be_pam_handler]
> (0x0100): Got request with the following data
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): command: PAM_AUTHENTICATE
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): domain: DOMAIN.COM
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): user: test6
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): service: gdm-ovirtcred
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): tty:
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): ruser:
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): rhost:
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): authtok type: 1
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): newauthtok type: 0
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): priv: 1
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): cli_pid: 2570
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): logon name: not set
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [krb5_auth_queue_send]
> (0x1000): Wait queue of user [test6] is empty, running request
> [0x7fe30df03cc0] immediately.
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [krb5_setup] (0x4000):
> No mapping for: test6
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000):
> Added timed event "ltdb_callback": 0x7fe30df07120
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000):
> Added timed event "ltdb_timeout": 0x7fe30df16590
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000):
> Running timer event 0x7fe30df07120 "ltdb_callback"
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000):
> Destroying timer event 0x7fe30df16590 "ltdb_timeout"
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000):
> Ending timer event 0x7fe30df07120 "ltdb_callback"
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_server_status]
> (0x1000): Status of server 'ipa01.DOMAIN.COM' is 'working'
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_port_status]
> (0x1000): Port status of port 389 for server 'ipa01.DOMAIN.COM' is
'working'
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to
> 6 seconds
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [resolve_srv_send]
> (0x0200): The status of SRV lookup is resolved
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_server_status]
> (0x1000): Status of server 'ipa01.DOMAIN.COM' is 'working'
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [be_resolve_server_process] (0x1000): Saving the first resolved server
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [be_resolve_server_process] (0x0200): Found address for server
> ipa01.DOMAIN.COM: [10.0.1.21] TTL 1200
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [ipa_resolve_callback]
> (0x0400): Constructed uri 'ldap://ipa01.DOMAIN.COM'
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [child_handler_setup]
> (0x2000): Setting up signal handler up for pid [2575]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [child_handler_setup]
> (0x2000): Signal handler set up for pid [2575]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [write_pipe_handler]
> (0x0400): All data has been sent!
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_sig_handler]
> (0x1000): Waiting for child [2575].
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_sig_handler]
> (0x0100): child [2575] finished successfully.
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [read_pipe_handler]
> (0x0400): EOF received, client finished
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [check_wait_queue]
> (0x1000): Wait queue for user [test6] is empty.
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [krb5_auth_queue_done]
> (0x1000): krb5_auth_queue request [0x7fe30df03cc0] done.
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_id_op_connect_step] (0x4000): reusing cached connection
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_print_server]
> (0x2000): Searching 10.0.1.21
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=DOMAIN,dc=com].
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [ipaMigrationEnabled]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [ipaSELinuxUserMapDefault]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [ipaSELinuxUserMapOrder]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid =
> 122
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_op_add]
> (0x2000): New operation 122 timeout 60
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_process_result]
> (0x2000): Trace: sh[0x7fe30deef090], connected[1],
> ops[0x7fe30df094a0], ldap[0x7fe30def2920]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_process_message]
> (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_entry]
> (0x1000): OriginalDN: [cn=ipaConfig,cn=etc,dc=DOMAIN,dc=com].
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [ipaMigrationEnabled]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [ipaSELinuxUserMapDefault]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [ipaSELinuxUserMapOrder]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_process_result]
> (0x2000): Trace: sh[0x7fe30deef090], connected[1],
> ops[0x7fe30df094a0], ldap[0x7fe30def2920]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_process_message]
> (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_op_destructor]
> (0x2000): Operation 122 finished
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_id_op_destroy]
> (0x4000): releasing operation connection
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [ipa_get_migration_flag_done] (0x0100): Password migration is not enabled.
>
> *(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [be_pam_handler_callback] (0x0100): Backend returned: (0, 17, <NULL>)
> [Success (Failure setting user credentials)] *
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [be_pam_handler_callback] (0x0100): Sending result [17][DOMAIN.COM]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [be_pam_handler_callback] (0x0100): Sent result [17][DOMAIN.COM]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_process_result]
> (0x2000): Trace: sh[0x7fe30deef090], connected[1], ops[(nil)],
> ldap[0x7fe30def2920]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_process_result]
> (0x2000): Trace: ldap_result found nothing!
>
>
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
6:47 p.m.
Hi Ondra,
Bug 1316135 was new to me and sounds very similar to my issue "(0, 17,
<NULL>) [Success (Failure setting user credentials)]"
Proposed work-around with "authconfig --enablenis --update" worked for me,
although this creates an issue with the keyring authentication. I can live
with this for the moment, but hopefully the bug can be fixed soon.
Thanks for the quick responses,
Regards,
Paul
-----Original Message-----
From: Ondra Machacek [mailto:omachace@redhat.com]
Sent: donderdag 17 maart 2016 19:12
To: Paul <paul(a)kenla.nl>; users(a)ovirt.org
Subject: Re: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA
not working
Hi Paul,
ok, thanks for info, then there is an issue in pam configuration, most
probably.
There is open issue for it on rhel7, please try read this comment[1] if it
helps to you.
Ondra
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1316135#c3
On 03/17/2016 06:07 PM, Paul wrote:
Hi Ondra,
Thanks for your reply, unfortunately this does not resolve the issue.
I had already seen this bug and tried it without the -authz
appendix(maybe should have mentioned that).
I also (may be wrongfully) assumed that the
"ovirt-engine-extension-aaa-ldap-setup" would not have this issue/bug.
Anyways, I changed it (again) to the DOMAIN without '-authz' by changing:
/etc/ovirt-engine/extensions.d/DOMAIN-authz.properties =>
ovirt.engine.extension.name = DOMAIN
/etc/ovirt-engine/extensions.d/DOMAIN-authn.properties =>
ovirt.engine.aaa.authn.authz.plugin = DOMAIN Systemctl restart
ovirt-engine
By the way: login with IPA users doesn't work anymore, you have to log
in with admin internal account and remove your IPA users and add them
back to make them work again.
But still get the error:
pam_sss(gdm-ovirtcred:auth): received for user test6: 17 (Failure
setting user credentials)
Any suggestions?
-----Original Message-----
From: Ondra Machacek [mailto:omachace@redhat.com]
Sent: donderdag 17 maart 2016 16:58
To: Paul <paul(a)kenla.nl>; users(a)ovirt.org
Subject: Re: [ovirt-users] Hosted engine Single Sign-On to VM with
freeIPA not working
Hi,
your authz name should match kerberos name.
So please change your authz name from 'DOMAIN-authz' to 'DOMAIN'
Please see this bz[1] for more detail.
Ondra
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137#c7
On 03/17/2016 04:22 PM, Paul wrote:
> Hi,
>
> I am having an issue with getting SSO to work when a standard
> user(UserRole) logs in to the UserPortal.
>
> The user has permission to use only this VM, so after login the
> console is automatically opened for that VM.
>
> Problem is that it doesn't login on the VM system with the provided
> credentials. Manual login at the console works without any issues.
>
> HBAC-rule check on IPA shows access is granted. Client has SELINUX in
> permissive mode and a disabled firewalld.
>
> On the client side I do see some PAM related errors in the logs (see
> details below). Extensive Google search on error 17 "Failure setting
> user credentials" didn't show helpful information :-(
>
> AFAIK this is did a pretty standard set-up, all working with
> RH-family products. I would expect others to encounter this issue as
well.
>
> If someone knows any solution or has some directions to fix this it
> would be greatly appreciated.
>
> Thanks,
>
> Paul
>
> ------------------------------------------------------
>
> System setup: I have 3 systems
>
> The connection between the Engine and IPA is working fine. (I can log
> in with IPA users etc.) Connection is made according to this document:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virt
> u
> alization/3.6/html-single/Administration_Guide/index.html#sect-Config
> u
> ring_an_External_LDAP_Provider
>
> Configuration of the client is done according to this document:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virt
> u
> alization/3.6/html/Virtual_Machine_Management_Guide/chap-Additional_C
> o
> nfiguration.html#sect-Configuring_Single_Sign-On_for_Virtual_Machines
>
> --- Hosted Engine:
>
> [root@engine ~]# cat /etc/redhat-release
>
> CentOS Linux release 7.2.1511 (Core)
>
> [root@engine ~]# uname -a
>
> Linux engine.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
> 17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@engine ~]# rpm -qa | grep ovirt
>
> ovirt-vmconsole-1.0.0-1.el7.centos.noarch
>
> ovirt-engine-restapi-3.6.2.6-1.el7.centos.noarch
>
> ovirt-setup-lib-1.0.1-1.el7.centos.noarch
>
> ovirt-engine-setup-plugin-ovirt-engine-common-3.6.3.4-1.el7.centos.no
> a
> rch
>
> ovirt-engine-setup-3.6.3.4-1.el7.centos.noarch
>
> ovirt-image-uploader-3.6.0-1.el7.centos.noarch
>
> ovirt-engine-extension-aaa-jdbc-1.0.5-1.el7.noarch
>
> ovirt-host-deploy-1.4.1-1.el7.centos.noarch
>
> ovirt-engine-extension-aaa-ldap-setup-1.1.2-1.el7.centos.noarch
>
> ovirt-engine-wildfly-overlay-8.0.4-1.el7.noarch
>
> ovirt-engine-wildfly-8.2.1-1.el7.x86_64
>
> ovirt-vmconsole-proxy-1.0.0-1.el7.centos.noarch
>
> ovirt-engine-tools-3.6.2.6-1.el7.centos.noarch
>
> ovirt-engine-dbscripts-3.6.2.6-1.el7.centos.noarch
>
> ovirt-engine-backend-3.6.2.6-1.el7.centos.noarch
>
> ovirt-engine-3.6.2.6-1.el7.centos.noarch
>
> ovirt-engine-extension-aaa-ldap-1.1.2-1.el7.centos.noarch
>
> ovirt-engine-setup-base-3.6.3.4-1.el7.centos.noarch
>
> ovirt-engine-setup-plugin-ovirt-engine-3.6.3.4-1.el7.centos.noarch
>
> ovirt-engine-setup-plugin-websocket-proxy-3.6.3.4-1.el7.centos.noarch
>
> ovirt-engine-vmconsole-proxy-helper-3.6.3.4-1.el7.centos.noarch
>
> ovirt-engine-cli-3.6.2.0-1.el7.centos.noarch
>
> ovirt-host-deploy-java-1.4.1-1.el7.centos.noarch
>
> ovirt-engine-userportal-3.6.2.6-1.el7.centos.noarch
>
> ovirt-engine-webadmin-portal-3.6.2.6-1.el7.centos.noarch
>
> ovirt-guest-agent-common-1.0.11-1.el7.noarch
>
> ovirt-release36-003-1.noarch
>
> ovirt-iso-uploader-3.6.0-1.el7.centos.noarch
>
> ovirt-engine-lib-3.6.3.4-1.el7.centos.noarch
>
> ovirt-engine-sdk-python-3.6.3.0-1.el7.centos.noarch
>
> ovirt-engine-setup-plugin-vmconsole-proxy-helper-3.6.3.4-1.el7.centos.
> noarch
>
> ovirt-engine-websocket-proxy-3.6.3.4-1.el7.centos.noarch
>
> ovirt-log-collector-3.6.1-1.el7.centos.noarch
>
> ovirt-engine-extensions-api-impl-3.6.3.4-1.el7.centos.noarch
>
> --- FreeIPA:
>
> [root@ipa01 ~]# cat /etc/redhat-release
>
> CentOS Linux release 7.2.1511 (Core)
>
> [root@ipa01 ~]# uname -a
>
> Linux ipa01.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
> 17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@ipa01 ~]# rpm -qa | grep ipa
>
> ipa-python-4.2.0-15.el7_2.6.x86_64
>
> ipa-client-4.2.0-15.el7_2.6.x86_64
>
> python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
>
> python-iniparse-0.4-9.el7.noarch
>
> libipa_hbac-1.13.0-40.el7_2.1.x86_64
>
> sssd-ipa-1.13.0-40.el7_2.1.x86_64
>
> ipa-admintools-4.2.0-15.el7_2.6.x86_64
>
> ipa-server-4.2.0-15.el7_2.6.x86_64
>
> ipa-server-dns-4.2.0-15.el7_2.6.x86_64
>
> --- Client:
>
> [root@test06 ~]# cat /etc/redhat-release
>
> CentOS Linux release 7.2.1511 (Core)
>
> [root@test06 ~]# uname -a
>
> Linux test06.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
> 17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@test06 ~]# rpm -qa | grep ipa
>
> python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
>
> python-iniparse-0.4-9.el7.noarch
>
> sssd-ipa-1.13.0-40.el7_2.1.x86_64
>
> ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64
>
> libipa_hbac-1.13.0-40.el7_2.1.x86_64
>
> ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64
>
> device-mapper-multipath-0.4.9-85.el7.x86_64
>
> device-mapper-multipath-libs-0.4.9-85.el7.x86_64
>
> [root@test06 ~]# rpm -qa | grep guest-agent
>
> qemu-guest-agent-2.3.0-4.el7.x86_64
>
> ovirt-guest-agent-pam-module-1.0.11-1.el7.x86_64
>
> ovirt-guest-agent-gdm-plugin-1.0.11-1.el7.noarch
>
> ovirt-guest-agent-common-1.0.11-1.el7.noarch
>
> ---------------------------------------------------
>
> Relevant logs:
>
> --- Engine:
>
> //var/log/ovirt-engine/engine
>
> 2016-03-17 15:22:10,516 INFO
> [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-22) []
> Running command: LoginUserCommand internal: false.
>
> 2016-03-17 15:22:10,568 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector
> ] (default task-22) [] Correlation ID: null, Call Stack: null, Custom
> Event ID: -1, Message: User test6@DOMAIN logged in.
>
> 2016-03-17 15:22:13,795 WARN
> [org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (default
> task-6) [7400ae46] The message key 'VmLogon' is missing from
> 'bundles/ExecutionMessages'
>
> 2016-03-17 15:22:13,839 INFO
> [org.ovirt.engine.core.bll.VmLogonCommand]
> (default task-6) [7400ae46] Running command: VmLogonCommand internal:
> false. Entities affected : ID: 64a84b40-6050-4a96-a59d-d557a317c38c
> Type: VMAction group CONNECT_TO_VM with role type USER
>
> 2016-03-17 15:22:13,842 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
> (default
> task-6) [7400ae46] START, VmLogonVDSCommand(HostName = host01,
> VmLogonVDSCommandParameters:{runAsync='true',
> hostId='225157c0-224b-4aa6-9210-db4de7c7fc30',
> vmId='64a84b40-6050-4a96-a59d-d557a317c38c', domain='DOMAIN-authz',
> password='***', userName='test6@DOMAIN'}), log id: 2015a1e0
>
> 2016-03-17 15:22:14,848 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
> (default
> task-6) [7400ae46] FINISH, VmLogonVDSCommand, log id: 2015a1e0
>
> 2016-03-17 15:22:15,317 INFO
> [org.ovirt.engine.core.bll.SetVmTicketCommand] (default task-18)
> [10dad788] Running command: SetVmTicketCommand internal: true.
> Entities affected : ID: 64a84b40-6050-4a96-a59d-d557a317c38c Type:
> VMAction group CONNECT_TO_VM with role type USER
>
> 2016-03-17 15:22:15,322 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
> (default task-18) [10dad788] START, SetVmTicketVDSCommand(HostName =
> host01, SetVmTicketVDSCommandParameters:{runAsync='true',
> hostId='225157c0-224b-4aa6-9210-db4de7c7fc30',
> vmId='64a84b40-6050-4a96-a59d-d557a317c38c', protocol='SPICE',
> ticket='rd8avqvdBnRl', validTime='120', userName='test6',
> userId='10b2da3e-6401-4a09-a330-c0780bc0faef',
> disconnectAction='LOCK_SCREEN'}), log id: 72efb73b
>
> 2016-03-17 15:22:16,340 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
> (default task-18) [10dad788] FINISH, SetVmTicketVDSCommand, log id:
> 72efb73b
>
> 2016-03-17 15:22:16,377 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector
> ] (default task-18) [10dad788] Correlation ID: 10dad788, Call Stack:
> null, Custom Event ID: -1, Message: User test6@DOMAIN initiated
> console session for VM test06
>
> 2016-03-17 15:22:19,418 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector
> ]
> (DefaultQuartzScheduler_Worker-53) [] Correlation ID: null, Call Stack:
> null, Custom Event ID: -1, Message: User test6@DOMAIN-authz is
> connected to VM test06.
>
> --- Client:
>
> /var/log/ovirt-guest-agent/ovirt-guest-agent.log
>
> MainThread::INFO::2016-03-17
> 15:20:58,145::ovirt-guest-agent::57::root::Starting oVirt guest agent
>
> CredServer::INFO::2016-03-17
> 15:20:58,214::CredServer::257::root::CredServer is running...
>
> Dummy-1::INFO::2016-03-17
> 15:20:58,216::OVirtAgentLogic::294::root::Received an external command:
> lock-screen...
>
> Dummy-1::INFO::2016-03-17
> 15:22:13,104::OVirtAgentLogic::294::root::Received an external command:
> login...
>
> Dummy-1::INFO::2016-03-17 15:22:13,104::CredServer::207::root::The
> following users are allowed to connect: [0]
>
> Dummy-1::INFO::2016-03-17
> 15:22:13,104::CredServer::273::root::Opening
> credentials channel...
>
> Dummy-1::INFO::2016-03-17
> 15:22:13,105::CredServer::132::root::Emitting
> user authenticated signal (651416).
>
> CredChannel::INFO::2016-03-17
> 15:22:13,188::CredServer::225::root::Incomming connection from user:
> 0
> process: 2570
>
> CredChannel::INFO::2016-03-17
> 15:22:13,188::CredServer::232::root::Sending user's credential (token:
> 651416)
>
> Dummy-1::INFO::2016-03-17
> 15:22:13,189::CredServer::277::root::Credentials channel was closed.
>
> /var/log/secure
>
> Mar 17 15:21:07 test06 gdm-launch-environment]:
> pam_unix(gdm-launch-environment:session): session opened for user gdm
> by
> (uid=0)
>
> Mar 17 15:21:10 test06 polkitd[749]: Registered Authentication Agent
> for
> unix-session:c1 (system bus name :1.34 [gnome-shell --mode=gdm],
> object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale
> en_US.UTF-8)
>
> Mar 17 15:22:13 test06 gdm-ovirtcred]: pam_sss(gdm-ovirtcred:auth):
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> user=test6
>
> *Mar 17 15:22:13 test06 gdm-ovirtcred]: pam_sss(gdm-ovirtcred:auth):
> received for user test6: 17 (Failure setting user credentials)*
>
> /var/log/sssd/krb5_child.log (debug-level 10)
>
> *(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]]
> [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication
> failed]*
>
> *(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]]
> [map_krb5_error]
> (0x0020): 1303: [-1765328360][Preauthentication failed]*
>
> *(Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]]
> [k5c_send_data]
> (0x0200): Received error code 1432158215*
>
> (Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]]
> [pack_response_packet] (0x2000): response packet size: [4]
>
> (Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [k5c_send_data]
> (0x4000): Response sent.
>
> (Thu Mar 17 15:22:13 2016) [[sssd[krb5_child[2575]]]] [main] (0x0400):
> krb5_child completed successfully
>
> /var/log/sssd/sssd_DOMAIN.COM.log (debug-level 10)
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [be_pam_handler]
> (0x0100): Got request with the following data
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): command: PAM_AUTHENTICATE
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): domain: DOMAIN.COM
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): user: test6
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): service: gdm-ovirtcred
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): tty:
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): ruser:
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): rhost:
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): authtok type: 1
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): newauthtok type: 0
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): priv: 1
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): cli_pid: 2570
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [pam_print_data]
> (0x0100): logon name: not set
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [krb5_auth_queue_send]
> (0x1000): Wait queue of user [test6] is empty, running request
> [0x7fe30df03cc0] immediately.
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [krb5_setup] (0x4000):
> No mapping for: test6
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000):
> Added timed event "ltdb_callback": 0x7fe30df07120
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000):
> Added timed event "ltdb_timeout": 0x7fe30df16590
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000):
> Running timer event 0x7fe30df07120 "ltdb_callback"
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000):
> Destroying timer event 0x7fe30df16590 "ltdb_timeout"
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [ldb] (0x4000):
> Ending timer event 0x7fe30df07120 "ltdb_callback"
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_server_status]
> (0x1000): Status of server 'ipa01.DOMAIN.COM' is 'working'
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_port_status]
> (0x1000): Port status of port 389 for server 'ipa01.DOMAIN.COM' is
'working'
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set
> to
> 6 seconds
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [resolve_srv_send]
> (0x0200): The status of SRV lookup is resolved
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [get_server_status]
> (0x1000): Status of server 'ipa01.DOMAIN.COM' is 'working'
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [be_resolve_server_process] (0x1000): Saving the first resolved
> server
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [be_resolve_server_process] (0x0200): Found address for server
> ipa01.DOMAIN.COM: [10.0.1.21] TTL 1200
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [ipa_resolve_callback]
> (0x0400): Constructed uri 'ldap://ipa01.DOMAIN.COM'
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [child_handler_setup]
> (0x2000): Setting up signal handler up for pid [2575]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [child_handler_setup]
> (0x2000): Signal handler set up for pid [2575]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [write_pipe_handler]
> (0x0400): All data has been sent!
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_sig_handler]
> (0x1000): Waiting for child [2575].
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [child_sig_handler]
> (0x0100): child [2575] finished successfully.
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [read_pipe_handler]
> (0x0400): EOF received, client finished
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [check_wait_queue]
> (0x1000): Wait queue for user [test6] is empty.
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [krb5_auth_queue_done]
> (0x1000): krb5_auth_queue request [0x7fe30df03cc0] done.
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_id_op_connect_step] (0x4000): reusing cached connection
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_print_server]
> (0x2000): Searching 10.0.1.21
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=DOMAIN,dc=com].
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [ipaMigrationEnabled]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [ipaSELinuxUserMapDefault]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs:
> [ipaSELinuxUserMapOrder]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid =
> 122
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_op_add]
> (0x2000): New operation 122 timeout 60
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_process_result]
> (0x2000): Trace: sh[0x7fe30deef090], connected[1],
> ops[0x7fe30df094a0], ldap[0x7fe30def2920]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_process_message]
> (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_entry]
> (0x1000): OriginalDN: [cn=ipaConfig,cn=etc,dc=DOMAIN,dc=com].
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [ipaMigrationEnabled]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [ipaSELinuxUserMapDefault]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]] [sdap_parse_range]
> (0x2000): No sub-attributes for [ipaSELinuxUserMapOrder]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_process_result]
> (0x2000): Trace: sh[0x7fe30deef090], connected[1],
> ops[0x7fe30df094a0], ldap[0x7fe30def2920]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_process_message]
> (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0),
> no errmsg set
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_op_destructor]
> (0x2000): Operation 122 finished
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_id_op_destroy]
> (0x4000): releasing operation connection
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [ipa_get_migration_flag_done] (0x0100): Password migration is not
enabled.
>
> *(Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [be_pam_handler_callback] (0x0100): Backend returned: (0, 17, <NULL>)
> [Success (Failure setting user credentials)] *
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [be_pam_handler_callback] (0x0100): Sending result [17][DOMAIN.COM]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [be_pam_handler_callback] (0x0100): Sent result [17][DOMAIN.COM]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_process_result]
> (0x2000): Trace: sh[0x7fe30deef090], connected[1], ops[(nil)],
> ldap[0x7fe30def2920]
>
> (Thu Mar 17 15:22:13 2016) [sssd[be[DOMAIN.COM]]]
> [sdap_process_result]
> (0x2000): Trace: ldap_result found nothing!
>
>
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
12:01 p.m.
Hi Ondra,
It is over a year since the last message, so I thought let's give this a new
try.
Did setup a new test environment with latest versions, all RH-family (Centos
7.3 with ovirt 4.1)
Ovirt engine works fine with IPA, in the console I can log in with
credentials. But SSO still does not work :-(
Unfortunately the workaround with "authconfig --enablenis --update" breaks
polkit.service and cascades in a lot of other fails making the VM failing to
boot properly.
Any suggestions?
Regards,
Paul
System setup:
--- Engine----
[root@engine ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@engine ~]# uname -a
Linux engine.domain.com 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@engine ~]# rpm -qa | grep ovirt
ovirt-engine-setup-plugin-ovirt-engine-common-4.1.1.8-1.el7.centos.noarch
ovirt-imageio-proxy-1.0.0-0.201701151456.git89ae3b4.el7.centos.noarch
ovirt-iso-uploader-4.0.2-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-4.1.1.8-1.el7.centos.noarch
ovirt-engine-tools-4.1.1.8-1.el7.centos.noarch
ovirt-engine-backend-4.1.1.8-1.el7.centos.noarch
ovirt-engine-extension-aaa-jdbc-1.1.4-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-setup-1.3.1-1.el7.centos.noarch
ovirt-release41-4.1.1.1-1.el7.centos.noarch
ovirt-setup-lib-1.1.0-1.el7.centos.noarch
ovirt-imageio-common-1.0.0-1.el7.noarch
ovirt-engine-sdk-python-3.6.9.1-1.el7.centos.noarch
ovirt-engine-extensions-api-impl-4.1.1.8-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.3.1-1.el7.centos.noarch
ovirt-imageio-proxy-setup-1.0.0-0.201701151456.git89ae3b4.el7.centos.noarch
ovirt-engine-dwh-4.1.1-1.el7.centos.noarch
ovirt-engine-setup-plugin-websocket-proxy-4.1.1.8-1.el7.centos.noarch
ovirt-engine-tools-backup-4.1.1.8-1.el7.centos.noarch
ovirt-engine-setup-4.1.1.8-1.el7.centos.noarch
ovirt-engine-vmconsole-proxy-helper-4.1.1.8-1.el7.centos.noarch
ovirt-engine-dashboard-1.1.0-7.el7.centos.noarch
ovirt-engine-metrics-1.0.2-1.el7.centos.noarch
ovirt-engine-userportal-4.1.1.8-1.el7.centos.noarch
ovirt-engine-dbscripts-4.1.1.8-1.el7.centos.noarch
ovirt-engine-4.1.1.8-1.el7.centos.noarch
ovirt-engine-wildfly-10.1.0-1.el7.x86_64
python-ovirt-engine-sdk4-4.1.3-2.el7.centos.x86_64
ovirt-vmconsole-proxy-1.0.4-1.el7.centos.noarch
ovirt-engine-wildfly-overlay-10.0.0-1.el7.noarch
ovirt-engine-cli-3.6.9.2-1.el7.centos.noarch
ovirt-engine-lib-4.1.1.8-1.el7.centos.noarch
ovirt-host-deploy-java-1.6.3-1.el7.centos.noarch
ovirt-engine-dwh-setup-4.1.1-1.el7.centos.noarch
ovirt-engine-websocket-proxy-4.1.1.8-1.el7.centos.noarch
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.1.1.8-1.el7.centos.noarch
ovirt-engine-webadmin-portal-4.1.1.8-1.el7.centos.noarch
ovirt-engine-restapi-4.1.1.8-1.el7.centos.noarch
ovirt-guest-agent-common-1.0.13-2.el7.noarch
ovirt-host-deploy-1.6.3-1.el7.centos.noarch
ovirt-vmconsole-1.0.4-1.el7.centos.noarch
ovirt-engine-extension-aaa-misc-1.0.1-1.el7.noarch
ovirt-web-ui-0.1.2-4.el7.centos.x86_64
ovirt-engine-setup-base-4.1.1.8-1.el7.centos.noarch
--- IPA ----
[root@ipa01 log]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@ipa01 log]# uname -a
Linux ipa01.domain.com 3.10.0-514.16.1.el7.x86_64 #1 SMP Wed Apr 12 15:04:24
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@ipa01 log]# rpm -qa | grep ipa
python2-ipalib-4.4.0-14.el7.centos.7.noarch
python2-ipaserver-4.4.0-14.el7.centos.7.noarch
libipa_hbac-1.14.0-43.el7_3.14.x86_64
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-common-4.4.0-14.el7.centos.7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
python-ipaddress-1.0.16-2.el7.noarch
sssd-ipa-1.14.0-43.el7_3.14.x86_64
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
ipa-client-4.4.0-14.el7.centos.7.x86_64
ipa-server-4.4.0-14.el7.centos.7.x86_64
ipa-server-common-4.4.0-14.el7.centos.7.noarch
ipa-admintools-4.4.0-14.el7.centos.7.noarch
ipa-server-dns-4.4.0-14.el7.centos.7.noarch
---Client---
[root@ad01 ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@ad01 ~]# uname -a
Linux ad01.domain.com 3.10.0-514.16.1.el7.x86_64 #1 SMP Wed Apr 12 15:04:24
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@ad01 ~]# rpm -qa | grep ipa
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
python-iniparse-0.4-9.el7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
ipa-client-4.4.0-14.el7.centos.7.x86_64
sssd-ipa-1.14.0-43.el7_3.14.x86_64
python-ipaddress-1.0.16-2.el7.noarch
python2-ipalib-4.4.0-14.el7.centos.7.noarch
ipa-common-4.4.0-14.el7.centos.7.noarch
libipa_hbac-1.14.0-43.el7_3.14.x86_64
[root@ad01 ~]# rpm -qa | grep ovirt
ovirt-guest-agent-pam-module-1.0.13-2.el7.x86_64
ovirt-guest-agent-common-1.0.13-2.el7.noarch
ovirt-guest-agent-gdm-plugin-1.0.13-2.el7.noarch
Relevant logs:
--- client ---
[root@ad01 ~]# vi /var/log/messages
Apr 21 10:07:59 ad01 [sssd[krb5_child[2635]]]: Preauthentication failed
Apr 21 10:07:59 ad01 [sssd[krb5_child[2635]]]: Preauthentication failed
[root@ad01 ~]# vi /var/log/sssd/krb5_child.log
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [unpack_buffer]
(0x0100): cmd [249] uid [1480400007] gid [1480400007] validate [true]
enterprise principal [false] offline [false] UPN [test(a)DOMAIN.COM]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
[host/ad01.domain.com(a)DOMAIN.COM]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [check_fast_ccache]
(0x0200): FAST TGT is still valid.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [become_user]
(0x0200): Trying to become user [1480400007][1480400007].
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [set_lifetime_options]
(0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [set_lifetime_options]
(0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [sss_krb5_prompter]
(0x0020): Cannot handle password prompts.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [k5c_send_data]
(0x0200): Received error code 0
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [unpack_buffer]
(0x0100): cmd [241] uid [1480400007] gid [1480400007] validate [true]
enterprise principal [false] offline [false] UPN [test(a)DOMAIN.COM]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [unpack_buffer]
(0x0100): ccname: [KEYRING:persistent:1480400007] old_ccname:
[KEYRING:persistent:1480400007] keytab: [/etc/krb5.keytab]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [switch_creds]
(0x0200): Switch user to [1480400007][1480400007].
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [switch_creds]
(0x0200): Switch user to [0][0].
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
[host/ad01.domain.com(a)DOMAIN.COM]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [check_fast_ccache]
(0x0200): FAST TGT is still valid.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [become_user]
(0x0200): Trying to become user [1480400007][1480400007].
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [set_lifetime_options]
(0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [set_lifetime_options]
(0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [get_and_save_tgt]
(0x0020): 1296: [-1765328360][Preauthentication failed]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [map_krb5_error]
(0x0020): 1365: [-1765328360][Preauthentication failed]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [k5c_send_data]
(0x0200): Received error code 1432158221
---IPA---
/var/log/ krb5kdc.log
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18
17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: test(a)DOMAIN.COM for
krbtgt/DOMAIN.COM(a)DOMAIN.COM, Additional pre-authentication required
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18
17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: test(a)DOMAIN.COM for
krbtgt/DOMAIN.COM(a)DOMAIN.COM, Additional pre-authentication required
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18
17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: test(a)DOMAIN.COM for
krbtgt/DOMAIN.COM(a)DOMAIN.COM, Additional pre-authentication required
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18
17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: test(a)DOMAIN.COM for
krbtgt/DOMAIN.COM(a)DOMAIN.COM, Additional pre-authentication required
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): preauth
(encrypted_challenge) verify failure: Incorrect password in encrypted
challenge
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18
17 16 23 25 26}) 10.0.2.2: PREAUTH_FAILED: test(a)DOMAIN.COM for
krbtgt/DOMAIN.COM(a)DOMAIN.COM, Incorrect password in encrypted challenge
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
-----Original Message-----
From: Paul [mailto:paul@kenla.nl]
Sent: zondag 20 maart 2016 16:48
To: 'Ondra Machacek' <omachace(a)redhat.com>; 'users(a)ovirt.org'
<users(a)ovirt.org>
Subject: RE: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA
not working
Hi Ondra,
Bug 1316135 was new to me and sounds very similar to my issue "(0, 17,
<NULL>) [Success (Failure setting user credentials)]"
Proposed work-around with "authconfig --enablenis --update" worked for me,
although this creates an issue with the keyring authentication. I can live
with this for the moment, but hopefully the bug can be fixed soon.
Thanks for the quick responses,
Regards,
Paul
-----Original Message-----
From: Ondra Machacek [mailto:omachace@redhat.com]
Sent: donderdag 17 maart 2016 19:12
To: Paul <paul(a)kenla.nl>; users(a)ovirt.org
Subject: Re: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA
not working
Hi Paul,
ok, thanks for info, then there is an issue in pam configuration, most
probably.
There is open issue for it on rhel7, please try read this comment[1] if it
helps to you.
Ondra
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1316135#c3
2771
days inactive
3171
days old
5 comments
2 participants
participants (2)
-
Ondra Machacek -
Paul