[ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
Alon Bar-Lev
alonbl at redhat.com
Fri Oct 30 19:37:26 UTC 2015
What do you mean?
Maybe the password delegation into the virtual machine?
If engine does not know the password, it cannot delegate it to virtual machine.
Solution is described here[1], so far no resources were allocated.
[1] http://www.ovirt.org/Features/SSO
----- Original Message -----
> From: "Cristian Mammoli" <c.mammoli at apra.it>
> To: "Shahar Havivi" <shaharh at redhat.com>, "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: "users" <users at ovirt.org>
> Sent: Friday, October 30, 2015 9:33:02 PM
> Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
>
> It works fine, but it kills SSO as user...
>
> Poking in the windows logs I see a failed login as:
>
> myuser at mydomain.tld-authz !!
>
> Il 27/10/2015 11:51, Shahar Havivi ha scritto:
> > On 27.10.15 05:25, Alon Bar-Lev wrote:
> >> yes, you should probably only customize: $JoinDomain$,
> >> $DomainAdminPassword$, $DomainAdmin$
> >> maybe, not sure: $JoinDomain$, $MachineObjectOU$
> >> the rest should be the same as any other.
> > Please make sure that the file is the full sysprep file such as you can
> > find
> > in /packaging/conf/sysprep/sysprep.w7 which is a windows 7 sysprep file.
> > You can leave the variables such as $OrgName$ which will be replaces (exept
> > from the variables that Alon mentioned which where the original problem).
> >
> >> ----- Original Message -----
> >>> From: "Cristian Mammoli" <c.mammoli at apra.it>
> >>> To: "Shahar Havivi" <shaharh at redhat.com>, "Alon Bar-Lev"
> >>> <alonbl at redhat.com>
> >>> Cc: "users" <users at ovirt.org>
> >>> Sent: Tuesday, October 27, 2015 11:19:02 AM
> >>> Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep
> >>> domain join
> >>>
> >>> So just pasting there the contents of a modified
> >>> /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should
> >>> work right?
> >>>
> >>> The variables like '![CDATA[$OrgName$' will be replaced?
> >>>
> >>> Il 26/10/2015 12:43, Shahar Havivi ha scritto:
> >>>> On 26.10.15 06:23, Alon Bar-Lev wrote:
> >>>>> Hi,
> >>>>> The usage of the engine-manage-domain user to anything else but ldap
> >>>>> searches is something that is unexpected and insecure.
> >>>>> As a solution, you may either paste a modified sysprep file into the
> >>>>> pool
> >>>>> at UI or set up a different osinfo profile with modified sysprep file,
> >>>>> this modified sysprep file can contain the credentials of the user that
> >>>>> is being used for joining the domain.
> >>>>> CCing Shahar which may assist farther.
> >>>> Hi,
> >>>> You can paste a modified sysprep file to "new Pool"->"Initial
> >>>> run"->"Custom
> >>>> Script"
> >>>> As Alon mentioned.
> >>> --
> >>> Mammoli Cristian
> >>> System administrator
> >>> T. +39 0731 22911
> >>> Via Brodolini 6 | 60035 Jesi (an)
> >>>
> >>>
>
> --
> Mammoli Cristian
> System administrator
> T. +39 0731 22911
> Via Brodolini 6 | 60035 Jesi (an)
>
>
More information about the Users
mailing list