[ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join

Alon Bar-Lev alonbl at redhat.com
Fri Oct 30 19:52:43 UTC 2015



----- Original Message -----
> From: "Cristian Mammoli" <c.mammoli at apra.it>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: "Shahar Havivi" <shaharh at redhat.com>, "users" <users at ovirt.org>
> Sent: Friday, October 30, 2015 9:48:04 PM
> Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
> 
> As long as I used engine-manage-domains, SSO with the spice client worked fine:
> the user logs in to the user portal, clicks on a VM and gets logged in to the
> Windows VM
> 
> With ovirt-engine-extension-aaa-ldap, configured with
> ovirt-engine-extension-aaa-ldap-setup, the SSO didn't work. The VM says
> I tried to log in with an invalid username or password.
> 
> After enabling audit logs in the VM I see that the spice client tries
> to log in as
> 
> user at domain-authz
> 
> I changed "ovirt.engine.extension.name" from "domain-authz" to "domain" in
> "/etc/ovirt-engine/extensions.d/domain.net-authz.properties"
> 
> and "ovirt.engine.aaa.authn.authz.plugin" from "domain-authz" to "domain" in
> "/etc/ovirt-engine/extensions.d/domain-authn.properties"
> 
> And now SSO works fine
> 
> Is it the correct way to go?

Oh... I did not understand this is what you are trying to do.
Yes, this is [1].
There are lots of invalid assumptions in the product, one of them is that the profile name within the ovirt application matches the domain name of the VM.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137#c7

> 
> On 30/10/2015 20:37, Alon Bar-Lev wrote:
> > What do you mean?
> > Maybe the password delegation into the virtual machine?
> > If engine does not know the password, it cannot delegate it to virtual
> > machine.
> > Solution is described here[1], so far no resources were allocated.
> >
> > [1] http://www.ovirt.org/Features/SSO
> >
> > ----- Original Message -----
> >> From: "Cristian Mammoli" <c.mammoli at apra.it>
> >> To: "Shahar Havivi" <shaharh at redhat.com>, "Alon Bar-Lev"
> >> <alonbl at redhat.com>
> >> Cc: "users" <users at ovirt.org>
> >> Sent: Friday, October 30, 2015 9:33:02 PM
> >> Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep
> >> domain join
> >>
> >> It works fine, but it kills SSO as user...
> >>
> >> Poking in the windows logs I see a failed login as:
> >>
> >> myuser at mydomain.tld-authz !!
> >>
> >> On 27/10/2015 11:51, Shahar Havivi wrote:
> >>> On 27.10.15 05:25, Alon Bar-Lev wrote:
> >>>> yes, you should probably only customize: $JoinDomain$,
> >>>> $DomainAdminPassword$, $DomainAdmin$
> >>>> maybe, not sure: $JoinDomain$, $MachineObjectOU$
> >>>> the rest should be the same as any other.
> >>> Please make sure that the file is the full sysprep file such as you can
> >>> find in /packaging/conf/sysprep/sysprep.w7, which is a Windows 7 sysprep file.
> >>> You can leave the variables such as $OrgName$, which will be replaced (except
> >>> for the variables that Alon mentioned, which were the original problem).
> >>>
> >>>> ----- Original Message -----
> >>>>> From: "Cristian Mammoli" <c.mammoli at apra.it>
> >>>>> To: "Shahar Havivi" <shaharh at redhat.com>, "Alon Bar-Lev"
> >>>>> <alonbl at redhat.com>
> >>>>> Cc: "users" <users at ovirt.org>
> >>>>> Sent: Tuesday, October 27, 2015 11:19:02 AM
> >>>>> Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep
> >>>>> domain join
> >>>>>
> >>>>> So just pasting there the contents of a modified
> >>>>> /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should
> >>>>> work right?
> >>>>>
> >>>>> The variables like '![CDATA[$OrgName$' will be replaced?
> >>>>>
> >>>>> On 26/10/2015 12:43, Shahar Havivi wrote:
> >>>>>> On 26.10.15 06:23, Alon Bar-Lev wrote:
> >>>>>>> Hi,
> >>>>>>> The usage of the engine-manage-domain user for anything else but ldap
> >>>>>>> searches is something that is unexpected and insecure.
> >>>>>>> As a solution, you may either paste a modified sysprep file into the
> >>>>>>> pool
> >>>>>>> at UI or set up a different osinfo profile with modified sysprep
> >>>>>>> file,
> >>>>>>> this modified sysprep file can contain the credentials of the user
> >>>>>>> that
> >>>>>>> is being used for joining the domain.
> >>>>>>> CCing Shahar, who may assist further.
> >>>>>> Hi,
> >>>>>> You can paste a modified sysprep file to "new Pool"->"Initial
> >>>>>> run"->"Custom
> >>>>>> Script"
> >>>>>> As Alon mentioned.
> >>>>> --
> >>>>> Mammoli Cristian
> >>>>> System administrator
> >>>>> T. +39 0731 22911
> >>>>> Via Brodolini 6 | 60035 Jesi (an)
> >>>>>
> >>>>>
> >> --
> >> Mammoli Cristian
> >> System administrator
> >> T. +39 0731 22911
> >> Via Brodolini 6 | 60035 Jesi (an)
> >>
> >>
> 
> --
> Mammoli Cristian
> System administrator
> T. +39 0731 22911
> Via Brodolini 6 | 60035 Jesi (an)
> 
> 
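The fix described in this thread (renaming the authz extension from "domain-authz" to "domain" in both extension property files so the guest login domain matches) can be checked mechanically. The following Python script is an added example, not code from the thread or from oVirt: it parses the two property files and reports when the authz name referenced by authn, the authz extension's own name, and the Windows domain the VMs join disagree. File contents are constructed samples; only the two keys named in the thread are used.

```python
import re
from typing import Dict, List

# Constructed sample contents (not copied from an oVirt host), shaped like the
# two files the thread names under /etc/ovirt-engine/extensions.d/. "Before":
# the authz extension is named domain-authz, so the guest sees user@domain-authz.
AUTHZ_BEFORE = "ovirt.engine.extension.name = domain-authz\n"
AUTHN_BEFORE = """\
ovirt.engine.extension.name = domain-authn
ovirt.engine.aaa.authn.authz.plugin = domain-authz
"""
# "After": both names changed to plain "domain", as done in the thread.
AUTHZ_AFTER = AUTHZ_BEFORE.replace("domain-authz", "domain")
AUTHN_AFTER = AUTHN_BEFORE.replace("domain-authz", "domain")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value / key: value, '#' or '!'
    comments, trailing-backslash continuations (enough for extensions.d)."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_sso_profile(authn_text: str, authz_text: str, vm_domain: str) -> List[str]:
    """Cross-check authn and authz files against the Windows domain the VMs
    join; returns findings, empty when the names line up for SSO."""
    referenced = parse_properties(authn_text).get("ovirt.engine.aaa.authn.authz.plugin")
    actual = parse_properties(authz_text).get("ovirt.engine.extension.name")
    findings = []
    if referenced != actual:
        # Only one file was edited: authn points at an authz extension that
        # no longer exists under that name, so logins fail outright.
        findings.append(f"authn references authz plugin {referenced!r}, "
                        f"but the authz extension is named {actual!r}")
    if actual != vm_domain:
        # The authz extension name is what reaches the guest as login domain.
        findings.append(f"authz extension name {actual!r} != VM domain "
                        f"{vm_domain!r}: guest login would be user@{actual}")
    return findings
```

Run it against the real files by reading them from /etc/ovirt-engine/extensions.d/ and passing the domain the sysprep file joins; the half-edited case (only one file renamed) is reported separately from the suffix mismatch.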
