[ovirt-users] Debian - based OS and SSO
Tadas
tadas at ring.lt
Fri Jul 29 12:10:02 UTC 2016
It seems that gdm3 is trying to start xserver using user, which was
passed to pam-ovirt plugin rights. It fails due to lack of permissions on
some devices. After changing permissions a bit, I'm getting the following
errors:
Jul 29 14:56:01 jessie gdm3: GdmManager: trying to register new display
Jul 29 14:56:01 jessie gdm3: GdmManager: Error while retrieving session id for sender: Error getting session id from systemd: No such device or address
Jul 29 14:56:01 jessie gdm-x-session: Could not register display: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: No display available
Okay, after poking around a bit, I've found a solution:
On Debian-based distros you need this kind of /etc/pam.d/gdm-ovirtcred:
#%PAM-1.0
auth required pam_ovirt_cred.so
auth include passwd
account include passwd
password include passwd
session required pam_systemd.so open
session include passwd
Now it seems that login works just fine.
Thank you for your help.
On Fri, 2016-07-29 at 14:41 +0300, Tadas wrote:
> Okay, now it's a different story. ovirt-agent finally passes through all
> login steps:
>
> Dummy-1::INFO::2016-07-29 14:37:38,088::OVirtAgentLogic::294::root::Received an external command: login...
> Dummy-1::DEBUG::2016-07-29 14:37:38,088::OVirtAgentLogic::328::root::User log-in (credentials = '\x00\x00\x00\x04test********\x00')
> Dummy-1::INFO::2016-07-29 14:37:38,088::CredServer::207::root::The following users are allowed to connect: [0]
> Dummy-1::DEBUG::2016-07-29 14:37:38,088::CredServer::272::root::Token: 493871
> Dummy-1::INFO::2016-07-29 14:37:38,088::CredServer::273::root::Opening credentials channel...
> Dummy-1::INFO::2016-07-29 14:37:38,089::CredServer::132::root::Emitting user authenticated signal (493871).
> CredChannel::DEBUG::2016-07-29 14:37:38,159::CredServer::166::root::Receiving user's credential ret = 2 errno = 0
> CredChannel::DEBUG::2016-07-29 14:37:38,159::CredServer::177::root::cmsgp: len=28 level=1 type=2
> CredChannel::INFO::2016-07-29 14:37:38,159::CredServer::225::root::Incomming connection from user: 0 process: 4343
> CredChannel::INFO::2016-07-29 14:37:38,159::CredServer::232::root::Sending user's credential (token: 493871)
> Dummy-1::INFO::2016-07-29 14:37:38,160::CredServer::277::root::Credentials channel was closed.
>
> Though gdm3 fails to load session with the following error:
>
> http://paste.ubuntu.com/21392715/
>
> On Fri, 2016-07-29 at 13:25 +0200, Vinzenz Feenstra wrote:
> >
> > > On Jul 29, 2016, at 12:35 PM, Tadas <tadas at ring.lt> wrote:
> > >
> > > There's another interesting error thrown out from ovirt-guest agent,
> > > when you try to login:
> > >
> > > Jul 29 13:30:24 jessie python[1969]: Exception in thread CredChannel:
> > > Jul 29 13:30:24 jessie python[1969]: Traceback (most recent call last):
> > > Jul 29 13:30:24 jessie python[1969]: File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
> > > Jul 29 13:30:24 jessie python[1969]: self.run()
> > > Jul 29 13:30:24 jessie python[1969]: File "/usr/share/ovirt-guest-agent/CredServer.py", line 217, in run
> > > Jul 29 13:30:24 jessie python[1969]: cred = self._read_cred(conn)
> > > Jul 29 13:30:24 jessie python[1969]: File "/usr/share/ovirt-guest-agent/CredServer.py", line 146, in _read_cred
> > > Jul 29 13:30:24 jessie python[1969]: conn.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
> > > Jul 29 13:30:24 jessie python[1969]: AttributeError: 'module' object has no attribute 'SO_PASSCRED'
> >
> > I knew I forgot about something, yes you’re right - I fixed that
> > manually and continued and forgot about it.
> >
> > SO_PASSCRED seems not to be actually available by default on python.
> > The systems we supported so far (excluding the debian based ones) had
> > this constant available.
> > Long story short: You can replace socket.SO_PASSCRED with the value
> > 16 for now and it should work as expected.
> >
> > > On Fri, 2016-07-29 at 13:13 +0300, Tadas wrote:
> > > >
> > > > Yes, it seems that authentication does not work in any of Debian
> > > > releases. Oh well.
> > > > On Fri, 2016-07-29 at 09:37 +0200, Vinzenz Feenstra wrote:
> > > > >
> > > > > > On Jul 28, 2016, at 4:11 PM, Tadas <tadas at ring.lt> wrote:
> > > > > >
> > > > > > Thank you for your reply.
> > > > > > Strange, but I do not see any errors in gdm debug log, just this:
> > > > > > http://paste.ubuntu.com/21275558/
> > > > >
> > > > > Well if it works for you, the better. It didn’t work for me though
> > > > >
> > > > > >
> > > > > > I will try installing Debian unstable and several Ubuntu versions
> > > > > > tomorrow.
> > > > > >
> > > > > > From: Vinzenz Feenstra
> > > > > > Sent: Thursday, July 28, 2016 4:18 PM
> > > > > > To: tadas at ring.lt
> > > > > > Cc: users
> > > > > > Subject: Re: [ovirt-users] Debian - based OS and SSO
> > > > > >
> > > > > >
> > > > > > > On Jul 28, 2016, at 3:11 PM, Vinzenz Feenstra <vfeenstr at redhat.com> wrote:
> > > > > > >
> > > > > > >
> > > > > > > > On Jul 28, 2016, at 11:53 AM, Tadas <tadas at ring.lt> wrote:
> > > > > > > >
> > > > > > > > Hello,
> > > > > > > > still having issues with ovirt SSO and Debian OS.
> > > > > > > > Other OSes (Windows/Fedora 24) work just fine.
> > > > > > > > Some information:
> > > > > > > > OS: Debian 8.5 (jessie)
> > > > > > > > I've followed the manual on
> > > > > > > > https://www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-agent-in-debian/
> > > > > > > > and installed ovirt-agent.
> > > > > > > > I can get info via spice socket on hypervisor side, this means that
> > > > > > > > agent works fine.
> > > > > > > > I've compiled pam-ovirt-cred and copied it into
> > > > > > > > /lib/x86_64-linux-gnu/security/
> > > > > > >
> > > > > > > It should be in /lib/security afaik
> > > > > > >
> > > > > > > >
> > > > > > > > I've configured /etc/pamd/gdm-ovirtcred (just copied from working
> > > > > > > > Fedora 24)
> > > > > > >
> > > > > > > replace in that file all occurrences of password-auth with passwd
> > > > > > >
> > > > > > >
> > > > > > > >
> > > > > > > > But still login fails. I can see this in ovirt-agent log file:
> > > > > > >
> > > > > > > It somehow fails for me in some cases with this now:
> > > > > > >
> > > > > >
> > > > > > Correction, it's here:
> > > > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794064
> > > > > >
> > > > > > >
> > > > > > > https://bugs.freedesktop.org/show_bug.cgi?id=71525
> > > > > > >
> > > > > > > There’s not much I can do about that though
> > > > > > >
> > > > > > > >
> > > > > > > > Dummy-2::INFO::2016-07-28 12:49:51,046::OVirtAgentLogic::270::root::Received an external command: login...
> > > > > > > > Dummy-2::DEBUG::2016-07-28 12:49:51,047::OVirtAgentLogic::304::root::User log-in (credentials = '\x00\x00\x00\x04test********\x00')
> > > > > > > > Dummy-2::INFO::2016-07-28 12:49:51,047::CredServer::207::root::The following users are allowed to connect: [0]
> > > > > > > > Dummy-2::DEBUG::2016-07-28 12:49:51,047::CredServer::272::root::Token: 760258
> > > > > > > > Dummy-2::INFO::2016-07-28 12:49:51,047::CredServer::273::root::Opening credentials channel...
> > > > > > > > Dummy-2::INFO::2016-07-28 12:49:51,047::CredServer::132::root::Emitting user authenticated signal (760258).
> > > > > > > > Dummy-2::INFO::2016-07-28 12:49:51,178::CredServer::277::root::Credentials channel was closed.
> > > > > > > >
> > > > > > > > This looks okay. The error is on pam side (auth.log):
> > > > > > > >
> > > > > > > > Jul 28 12:49:39 desktop64 gdm-ovirtcred]: pam_succeed_if(gdm-ovirtcred:auth): error retrieving user name: Conversation error
> > > > > > > > Jul 28 12:49:39 desktop64 gdm-ovirtcred]: pam_ovirt_cred(gdm-ovirtcred:auth): Failed to acquire user's credentials
> > > > > > > >
> > > > > > > > Have no idea where it fails.
> > > > > > > > Would appreciate it if you could help me here a bit.
> > > > > > > > Thank you.
> > > > > > > >
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > Users mailing list
> > > > > > > > Users at ovirt.org
> > > > > > > > http://lists.ovirt.org/mailman/listinfo/users
> > > > > > >
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
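The SO_PASSCRED workaround and the "cmsgp: len=28 level=1 type=2" log line from the thread, worked through as an added example (not code from the thread or from ovirt-guest-agent): a Unix-socket receiver that falls back to the value 16 when the constant is missing, reads the kernel-supplied peer credentials and checks the uid against an allow-list. The names enable_passcred, read_cred, peer_allowed and demo are hypothetical, and a socketpair stands in for the agent's credentials channel.

```python
import os
import socket
import struct

# Debian's Python 2.7 in this thread had no socket.SO_PASSCRED; 16 is the
# value given in the thread (x86 and most other Linux architectures).
SO_PASSCRED = getattr(socket, "SO_PASSCRED", 16)
SCM_CREDENTIALS = getattr(socket, "SCM_CREDENTIALS", 2)  # "type=2" in the log
# struct ucred: pid, uid, gid = 12 bytes; with a 16-byte cmsg header on
# 64-bit Linux that gives the "len=28" seen in the log.
UCRED = struct.Struct("iII")


def enable_passcred(conn):
    """Ask the kernel to attach the sender's credentials to received data."""
    conn.setsockopt(socket.SOL_SOCKET, SO_PASSCRED, 1)


def read_cred(conn, bufsize=64):
    """Return (payload, (pid, uid, gid)), or (payload, None) if no creds came."""
    data, ancdata, _flags, _addr = conn.recvmsg(
        bufsize, socket.CMSG_SPACE(UCRED.size))
    for level, ctype, cdata in ancdata:
        # SOL_SOCKET is "level=1" in the agent log.
        if (level == socket.SOL_SOCKET and ctype == SCM_CREDENTIALS
                and len(cdata) >= UCRED.size):
            return data, UCRED.unpack(cdata[:UCRED.size])
    return data, None


def peer_allowed(cred, allowed_uids):
    """Fail closed: a missing credential or an unlisted uid is rejected."""
    return cred is not None and cred[1] in allowed_uids


def demo():
    """Constructed exchange over a socketpair standing in for the channel."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        enable_passcred(server)      # set before the peer sends
        client.sendall(b"token")     # constructed payload
        return read_cred(server)
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    payload, cred = demo()
    print(payload, cred, peer_allowed(cred, [os.getuid()]))
```

The credentials are filled in by the kernel, so the allow-list check does not depend on anything the connecting process claims about itself.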