[Users] [Spice-devel] 3.2 final and status of spice console in ie

Itamar Heim iheim at redhat.com
Sun Apr 14 10:02:13 EDT 2013


On 04/12/2013 04:28 PM, Karli Sjöberg wrote:
> fre 2013-04-12 klockan 14:41 +0300 skrev Itamar Heim:
>> On 04/12/2013 11:27 AM, Karli Sjöberg wrote:
>> > Hey Everyone!
>> >
>> > I solved it! I friggin solved it, and it didn´t have anything to do with
>> > the spice-client, spice-plugin(ActiveX or XPI), or userportal
>> > specifically, it´s in the engine itself! So Juanjo here said that it
>> > works for him, and I took a guess that´s because he is only using
>> > admin at internal <mailto:admin at internal> for testing (correct me if I´m
>> > wrong Juanjo), so I added a "UserRole" to admin on a test VM, logged
>> > into Userportal, clicked for console, and it worked! So, since our setup
>> > is a little more complex, as it´s connected to our ActiveDirectory, I
>> > concluded that it must be a permissions related issue. I created a new
>> > UserRole, called "ConsoleOwner" that only have "Login Permissions" and
>> > "RemoteLogin" and added that role to our engine´s "System Permissions"
>> > on a directory group as "broad" as possible. After that if I also added
>> > an explicit UserRole permission for a directory user on any VM now it
>> > works 100%. Me so happy!:)
>> >
>> > A question goes out the developers: Should you have to do that? I
>> > thought that permissions where supposed to be calculated like Windows
>> > ACLs "Effective Permissions", so that if I just add sufficient
>> > permissions for a directory user on a VM, it´s effective permissions
>> > should have granted the necessary abilities in the system, without me
>> > having to first add that as a "big" system permission to have them
>> > granted? Bug, or intended?
>> >
>> > Thank you so much Juanjo, for posting the versions you are currently
>> > using that proved that it "should" work, and that it had to be something
>> > else that prevented us from using it (which it was). Thank you!
>>
>> can you please clarify again which permission you granted to a user on
>> the VM which didn't work before you added to the user the console
>> permission?
>
> I´m not really sure if I understood your question completely, so I´ll
> explain again:
>
> 1) Only adding directory user/group with "UserRole" permission to a VM
> or Pool = Fail; "Couldn´t connect to graphics server".

user role to a VM should suffice since it should already include the 
'remote log in' permit.
very strange - has anyone else seen something like that?


>
> 2) First adding a very broad directory group with "ConsoleOwner"[1]
> permission to the inherited "System Permissions", and then add directory
> user/group with "UserRole" to a VM or Pool = Success!
>
> [1] ConsoleOwner is a "User Role" I created that only needed to permit
> "Login Permissions" and "Remote Log In".
>
> We haz VDI now, "Powered by oVirt";)
>
> --
>
> Med Vänliga Hälsningar
> -------------------------------------------------------------------------------
> Karli Sjöberg
> Swedish University of Agricultural Sciences
> Box 7079 (Visiting Address Kronåsvägen 8)
> S-750 07 Uppsala, Sweden
> Phone:  +46-(0)18-67 15 66
> karli.sjoberg at slu.se <mailto:karli.sjoberg at adm.slu.se>
>



More information about the Users mailing list