ovirt-engine-extension-aaa-ldap and sysprep domain join

From: "Cristian Mammoli" <c.mammoli@apra.it>
To: "users" <users@ovirt.org>
Sent: Monday, October 26, 2015 12:01:54 PM

Hi,

I tried to migrate to ovirt-engine-extension-aaa-ldap from engine-manage-domains. Everything seems to work fine so far except the automatic join to the domain during sysprep.
Is it supposed to work? Where should I investigate further?

Thank you

On 26.10.15 06:23, Alon Bar-Lev wrote:

Hi,

Using the engine-manage-domains user for anything other than LDAP searches is unexpected and insecure.

As a solution, you may either paste a modified sysprep file into the pool in the UI, or set up a different osinfo profile with a modified sysprep file; this modified sysprep file can contain the credentials of the user that is used for joining the domain.

CCing Shahar, who may assist further.

Regards,
Alon

On 26/10/2015 12:43, Shahar Havivi wrote:

Hi,

You can paste a modified sysprep file into "new Pool"->"Initial run"->"Custom Script", as Alon mentioned.

From: "Cristian Mammoli" <c.mammoli@apra.it>
To: "Shahar Havivi" <shaharh@redhat.com>, "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "users" <users@ovirt.org>
Sent: Tuesday, October 27, 2015 11:19:02 AM

Thank you.

So just pasting there the contents of a modified /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should work, right?
The variables like '<![CDATA[$OrgName$' will be replaced?
On 27.10.15 05:25, Alon Bar-Lev wrote:

Yes, you should probably only customize: $JoinDomain$, $DomainAdminPassword$, $DomainAdmin$.
Maybe, not sure: $JoinDomain$, $MachineObjectOU$.
The rest should be the same as any other.
On 27/10/2015 11:51, Shahar Havivi wrote:

Please make sure that the file is the full sysprep file, such as you can find in /packaging/conf/sysprep/sysprep.w7, which is a Windows 7 sysprep file.
You can leave the variables such as $OrgName$, which will be replaced (except for the variables that Alon mentioned, which were the original problem).
From: "Cristian Mammoli" <c.mammoli@apra.it>
To: "Shahar Havivi" <shaharh@redhat.com>, "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "users" <users@ovirt.org>
Sent: Friday, October 30, 2015 9:33:02 PM

It works fine, but it kills SSO as user...

Poking in the Windows logs I see a failed login as:

myuser@mydomain.tld-authz !!

--
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)
On 30/10/2015 20:37, Alon Bar-Lev wrote:

What do you mean? Maybe the password delegation into the virtual machine?
If the engine does not know the password, it cannot delegate it to the virtual machine.
The solution is described here [1]; so far no resources were allocated.

[1] http://www.ovirt.org/Features/SSO
From: "Cristian Mammoli" <c.mammoli@apra.it>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "Shahar Havivi" <shaharh@redhat.com>, "users" <users@ovirt.org>
Sent: Friday, October 30, 2015 9:48:04 PM

As long as I used engine-manage-domains, SSO with the SPICE client worked fine: the user logs in to the user portal, clicks on a VM and gets logged in to the Windows VM.

With ovirt-engine-extension-aaa-ldap, configured with ovirt-engine-extension-aaa-ldap-setup, SSO didn't work. The VM says I tried to log in with an invalid username or password.

After enabling audit logs in the VM I see that the SPICE client tries to log in as

user@domain-authz

I changed "ovirt.engine.extension.name" from "domain-authz" to "domain" in "/etc/ovirt-engine/extensions.d/domain.net-authz.properties"
and "ovirt.engine.aaa.authn.authz.plugin" from "domain-authz" to "domain" in "/etc/ovirt-engine/extensions.d/domain-authn.properties"

And now SSO works fine.

Is it the correct way to go??
Alon Bar-Lev wrote:

Oh... I did not understand that this is what you are trying to do. Yes, this is [1]. There are lots of invalid assumptions in the product; one of them is that the profile name within the oVirt application matches the domain name of the VM.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137#c7
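As an added example (not code from the thread or from oVirt), here is a small consistency check for the extensions.d properties files, covering the rename Cristian made above: it parses the two keys the thread mentions and flags an authz extension whose name differs from the guest's domain, since that name is what SSO presents to the guest. File names, values and the guest domain are taken from the thread; the file contents are constructed, simplified samples.

```python
import re
from typing import Dict, List

# Constructed, simplified contents of two /etc/ovirt-engine/extensions.d files,
# reduced to the two keys the thread discusses. Names/values follow the thread;
# the "before" state is what ovirt-engine-extension-aaa-ldap-setup generated.
FILES_BEFORE = {
    "domain.net-authz.properties": "ovirt.engine.extension.name = domain-authz\n",
    "domain-authn.properties": (
        "ovirt.engine.extension.name = domain-authn\n"
        "ovirt.engine.aaa.authn.authz.plugin = domain-authz\n"
    ),
}
# The renamed state from the thread: the authz name now equals the guest domain.
FILES_AFTER = {
    "domain.net-authz.properties": "ovirt.engine.extension.name = domain\n",
    "domain-authn.properties": (
        "ovirt.engine.extension.name = domain-authn\n"
        "ovirt.engine.aaa.authn.authz.plugin = domain\n"
    ),
}

_PROP_RE = re.compile(r"^\s*([^#!=:\s][^=:\s]*)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        m = _PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def check_sso_names(files: Dict[str, str], guest_domain: str) -> List[str]:
    """Report authn extensions whose authz name will not match the guest's domain;
    SSO hands the guest "user@<authz extension name>", so a mismatch shows up in the
    guest audit log as a failed logon for user@<name>, as in the thread."""
    parsed = {fname: parse_properties(body) for fname, body in files.items()}
    by_name = {p["ovirt.engine.extension.name"]: f
               for f, p in parsed.items() if "ovirt.engine.extension.name" in p}
    findings: List[str] = []
    for fname, props in parsed.items():
        authz = props.get("ovirt.engine.aaa.authn.authz.plugin")
        if authz is None:
            continue  # not an authn extension
        if authz not in by_name:
            findings.append(f"{fname}: authz.plugin '{authz}' matches no extension name")
        elif authz.lower() != guest_domain.lower():
            findings.append(f"{fname}: SSO will log in as user@{authz} but the guest "
                            f"domain is {guest_domain}; rename the extension in {by_name[authz]}")
    return findings
```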