oVirt 4.3.1 with AD creates new user at every login

I just did a clean install of oVirt 4.3.1 (engine and nodes).
I set up AD authentication and gave an AD group permissions needed to work with VMs. I gave them PowerUserRole on the Cluster and Storage.
Users in the AD group can log in and create VMs but after they log out and log back in they don't see any of the VMs created in the previous session.
I noticed that in Administration -> Users a new row is created for each user every time they log in. All columns for each user are the same: same first and last name, same user name, authorization provider, and so on but the behavior looks very much like they are being treated as a new user every time they log in.
Any idea what may be causing this?
Thanks,
-- Peter

I have observed the same behaviour with oVirt 4.3.XY
Delving deeper, in the oVirt engine 'users' table, external_id is *not* being set for AD users as documented in (e.g.) engines/packaging/dbscripts/common_sp.sql
"The external identifier is the user identifier converted to an array of bytes:"
ovirt 4.3.0
user@domain | f3de0b27-c2a0-463b-a2ff-d480bd88c77f | ece7b8c2-4983-4c1e-9a33-c28d58d40213
And under ovirt 4.2.8 for comparison:
username | user_id | external_id
user@domain | 364d176e-8813-4e67-bdd0-dc10b823d23c | af5bbg/eTkuktBPXW4Ak5g==
Further information on replicating the issue:
1) Configure LDAP authentication:
https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html#co...
2) Add an LDAP group via the Administration Portal:
Administration >> Users > 'Add' button, click 'Group' radio-button, select the relevant LDAP authorization provider in the drop-down list under 'Search', enter the LDAP group in the search text-box then click 'GO'.
The found group should appear below. Select the toggle-button to the left of the group then click 'Add and Close'.
3) Add SuperUser system permission for the LDAP group.
Back under Administration >> Users, click the 'Group' button if groups are not already displayed. Click on the LDAP group added in the previous step then click 'Permissions' -> 'Add System Permissions'
4) Log into the Administration Portal as an LDAP group member. Log out then log back into the Administration Portal as a member of the LDAP group specified above. Login should be successful because that user will inherit the SuperUser system permission but note the following issues below:
- under Administration >> Users, note that a 'User' icon is displayed for the LDAP user rather than an 'Admin' icon. This is in contrast to 4.2.8, where an Admin icon would be displayed.
5) Repeat step 4 above. If you log out then log back into the Administration Portal as the same member of the LDAP group specified above then check Administration >> Users, an additional user entry appears: same First Name, Last Name, Authorization provider, Namespace and E-mail.
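
A check for the symptom described in the message above, added here as an example and not part of the original thread or of oVirt's code: it groups exported (username, user_id, external_id) rows by username, flags any name that owns more than one user_id, and labels each external_id as Base64-encoded bytes (the form of the 4.2.8 value above) or UUID text (the form of the 4.3.0 value). The function names and the sample rows are assumptions; the rows are constructed and would in practice come from an export of the engine's 'users' table.

```python
import base64
import binascii
import re
from collections import defaultdict

UUID_TEXT = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def classify_external_id(value):
    """Label an external_id as 'uuid-text', 'base64-bytes' or 'other'."""
    if UUID_TEXT.fullmatch(value):
        return "uuid-text"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "other"
    return "base64-bytes" if raw else "other"

def find_duplicate_users(rows):
    """Return {username: summary} for every username that owns more than one user_id."""
    by_name = defaultdict(list)
    for username, user_id, external_id in rows:
        by_name[username].append((user_id, external_id))
    report = {}
    for username, entries in by_name.items():
        user_ids = {uid for uid, _ in entries}
        if len(user_ids) > 1:
            formats = sorted({classify_external_id(ext) for _, ext in entries})
            report[username] = {"user_ids": len(user_ids), "external_id_formats": formats}
    return report

# Constructed sample export (username, user_id, external_id); all values are made up.
# Whether external_id repeats across duplicate rows is not stated in the thread.
SAMPLE_ROWS = [
    ("alice@example.test", "11111111-1111-4111-8111-111111111111", "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa1"),
    ("alice@example.test", "22222222-2222-4222-8222-222222222222", "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa2"),
    ("alice@example.test", "33333333-3333-4333-8333-333333333333", "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa3"),
    ("bob@example.test", "44444444-4444-4444-8444-444444444444", "AAECAwQFBgcICQoLDA0ODw=="),
]

if __name__ == "__main__":
    for name, summary in find_duplicate_users(SAMPLE_ROWS).items():
        print(name, summary)
```

Every flagged username is an account whose permissions and owned objects may be split across several user_id rows, which matches the "VMs disappear after re-login" report at the top of the thread.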

On Sat, Mar 9, 2019 at 10:43 AM <l.kamara@imperial.ac.uk> wrote:
I just did a clean install of oVirt 4.3.1 (engine and nodes).
I set up AD authentication and gave an AD group permissions needed to work with VMs. I gave them PowerUserRole on the Cluster and Storage.
Users in the AD group can log in and create VMs but after they log out and log back in they don't see any of the VMs created in the previous session.
I noticed that in Administration -> Users a new row is created for each user every time they log in. All columns for each user are the same: same first and last name, same user name, authorization provider, and so on but the behavior looks very much like they are being treated as a new user every time they log in.
Ravi, is above the same issue as tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1672860 ?
--
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.

On Mon, Mar 11, 2019 at 4:49 AM Martin Perina <mperina@redhat.com> wrote:
Ravi, is above the same issue as tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1672860 ?
Yes it is the same issue and should be fixed by [1]
[1] https://gerrit.ovirt.org/#/c/98169/

Thank you for the replies. What would be the proper way to apply the fix? I see the change in the source but I can't find the corresponding file on the system.
Thanks,
-- Peter

On Mon, Mar 11, 2019 at 4:21 AM Ravi Shankar Nori <rnori@redhat.com> wrote:
Yes it is the same issue and should be fixed by [1]
[1] https://gerrit.ovirt.org/#/c/98169/
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/REPKBSLKHRM5QX...
participants (4): l.kamara@imperial.ac.uk, Martin Perina, Ravi Shankar Nori, Wood Peter