[ovirt-users] Troubleshooting Windows SSO

Vinzenz Feenstra vfeenstr at redhat.com
Fri Jul 24 11:43:29 UTC 2015


On 07/24/2015 01:33 PM, Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Cristian Mammoli" <c.mammoli at apra.it>
>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>> Cc: users at ovirt.org
>> Sent: Friday, July 24, 2015 1:00:46 PM
>> Subject: Re: [ovirt-users] Troubleshooting Windows SSO
>>
>> Are you referring to this: http://www.ovirt.org/Features/AAA ?
>>
>> I only configured the engine with "engine-manage-domains"; isn't it enough?
> engine-manage-domains has been obsolete since 3.5; please upgrade to the new provider, which performs much better.
>
> If you use this legacy provider, the name of the provider matches the name of the domain, so the bug will not manifest.
>
>> Anyway this is engine.log:
>>
>> 2015-07-24 11:59:42,337 INFO
>> [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2)
>> Running command: LoginUserCommand internal: false.
>> 2015-07-24 11:59:42,348 INFO
>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom
>> Event ID: -1, Message: User c.mammoli at apra.it logged in.
>> 2015-07-24 11:59:44,364 INFO
>> [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--127.0.0.1-8702-9)
>> [44b9b110] Running command: SetVmTicketCommand internal: false. Entities
>> affected :  ID: 01453005-cbcf-47b1-a066-015777d158b5 Type: VMAction
>> group CONNECT_TO_VM with role type USER
>> 2015-07-24 11:59:44,370 INFO
>> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
>> (ajp--127.0.0.1-8702-9) [44b9b110] START, SetVmTicketVDSCommand(HostName
>> = kvm02, HostId = 4aeb8095-1198-4afe-aab2-d9c6408c88c2,
>> vmId=01453005-cbcf-47b1-a066-015777d158b5, ticket=rdFW/mdMiBxO,
>> validTime=120,m userName=c.mammoli,
>> userId=d69d8d20-68b7-4fed-9c08-5c2ecb257583), log id: 25c99c46
>> 2015-07-24 11:59:44,412 INFO
>> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
>> (ajp--127.0.0.1-8702-9) [44b9b110] FINISH, SetVmTicketVDSCommand, log
>> id: 25c99c46
>> 2015-07-24 11:59:44,436 INFO
>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> (ajp--127.0.0.1-8702-9) [44b9b110] Correlation ID: 44b9b110, Call Stack:
>> null, Custom Event ID: -1, Message: user c.mammoli at apra.it initiated
>> console session for VM TestPoolMan-1
>> 2015-07-24 11:59:44,610 WARN
>> [org.ovirt.engine.core.dal.job.ExecutionMessageDirector]
>> (ajp--127.0.0.1-8702-3) [27c3ee74] The message key VmLogon is missing
>> from bundles/ExecutionMessages
>> 2015-07-24 11:59:44,637 INFO [org.ovirt.engine.core.bll.VmLogonCommand]
>> (ajp--127.0.0.1-8702-3) [27c3ee74] Running command: VmLogonCommand
>> internal: false. Entities affected :  ID:
>> 01453005-cbcf-47b1-a066-015777d158b5 Type: VMAction group CONNECT_TO_VM
>> with role type USER
>> 2015-07-24 11:59:44,642 INFO
>> [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
>> (ajp--127.0.0.1-8702-3) [27c3ee74] START, VmLogonVDSCommand(HostName =
>> kvm02, HostId = 4aeb8095-1198-4afe-aab2-d9c6408c88c2,
>> vmId=01453005-cbcf-47b1-a066-015777d158b5, domain=apra.it,
>> password=******, userName=c.mammoli at apra.it), log id: 6bf25e51
> This^ is good, so now you should provide the guest agent log.
I am not sure that this is good; the userName here also contains the
domain, and the domain is there separately as well.
I am curious about the VDSM logs here as well.

I would assume that the result of this would be something like:
apra.it\c.mammoli at apra.it in Windows, which does seem wrong to me.

>
>> 2015-07-24 11:59:44,652 INFO
>> [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
>> (ajp--127.0.0.1-8702-3) [27c3ee74] FINISH, VmLogonVDSCommand, log id:
>> 6bf25e51
>> 2015-07-24 11:59:58,888 INFO
>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> (DefaultQuartzScheduler_Worker-63) Correlation ID: null, Call Stack:
>> null, Custom Event ID: -1, Message: User c.mammoli at apra.it is connected
>> to VM TestPoolMan-1.
>>
>> On 24/07/2015 11:02, Alon Bar-Lev wrote:
>>> Any log will be helpful, engine side and guest agent side.
>>>
>>> Also, please note this bug[1]: due to incorrect assumptions in the
>>> implementation, your authz provider name must match the Active Directory
>>> name in order for password delegation to work properly.
>>>
>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137
>>>
>>> ----- Original Message -----
>>


-- 
Regards,

Vinzenz Feenstra | Senior Software Engineer
RedHat Engineering Virtualization R & D
Phone: +420 532 294 625
IRC: vfeenstr or evilissimo

Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com



