[ovirt-users] User admin@internal can't login in oVirt 3.6
Julián Tete
danteconrad14 at gmail.com
Mon Jun 20 18:33:53 UTC 2016
Thanks Ondra :)
With the command:
su - postgres -c "psql -t engine -c \"insert into permissions values
('0000001b-001b-001b-001b-00000000029f',
'00000000-0000-0000-0000-000000000001',
'fdfc627c-d875-11e0-90f0-83df133b58cc',
'aaa00000-0000-0000-0000-123456789aaa', 1);\""
I get:
ERROR: duplicate key value violates unique constraint
"idx_combined_ad_role_object"
DETAIL: Key (ad_element_id, role_id,
object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc,
00000000-0000-0000-0000-000000000001, aaa00000-0000-0000-0000-123456789aaa)
already exists.
History
261 yum install ovirt-engine-extension-aaa-ldap
262 cp -r
/usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
/etc/ovirt-engine/
263 cd /etc/ovirt-engine/
264 ll
265 vim profile1.properties
266 ll
267 cd cp
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
/etc/ovirt-engine/extensions.d/
268 cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/
269 cd
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
270 ll
271 cp
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
/etc/ovirt-engine/extensions.d/
272 cd /etc/ovirt-engine/extensions.d/
273 ll
274 find / -type f -iname profile1.properties
275 cp -r
/usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
/etc/ovirt-engine/aaa/
276 find / -type f -iname profile1.properties
277 vim /etc/ovirt-engine/aaa/profile1.properties
278 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
279 chmod 600 /etc/ovirt-engine/aaa/profile1.properties
280 systemctl restart ovirt-engine
281 vim /etc/ovirt-engine/extensions.d/profile1-authn.properties
282 cd /usr/share/
283 ls
284 cd ovirt-engine-aaa-ldap
285 ls
286 cd ovirt-engine-extension-aaa-ldap/
287 ls
288 cd examples/
289 ls
290 cd ad
291 ls
292 cd extensions.d/
293 ls
294 vim profile1-authn.properties
295 pwd
296 cd ..
297 pwd
298 cd ..
299 ls
300 cd simple
301 ls
302 cd aaa/
303 ls
304 vim profile1.properties
305 pwd
306 rm -rf /etc/ovirt-engine/aaa/profile1.properties
307 cp -r
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties
/etc/ovirt-engine/aaa/
308 vim /etc/ovirt-engine/aaa/profile1.properties
309 history
310 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
311 chmod 600 /etc/ovirt-engine/aaa/profile1.properties
312 systemctl restart ovirt-engine
313 updatedb
314 locate domain1-authn.properties
315 history
316 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
317 ll
318 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
319 ls
320 cd extensions.d/
321 ls
322 pwd
323 cd /etc/ovirt-engine/extensions.d/
324 ls
325 cp -r
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
/etc/ovirt-engine/extensions.d/
326 cp -r
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
/etc/ovirt-engine/extensions.d/
327 rm -rf /etc/ovirt-engine/extensions.d/profile1-authn.properties
328 rm -rf /etc/ovirt-engine/extensions.d/profile1-authz.properties
329 cp -r
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
/etc/ovirt-engine/extensions.d/
330 ll
331 history
332 chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*
333 chmod 600 /etc/ovirt-engine/extensions.d/*
334 ll
335 cd extensions.d/
336 ll
337 cd
338 engine-config -s SASL_QOP=auth
339 systemctl restart ovirt-engine
340 engine-manage-domains add --domain=udistritaloas.edu.co
--provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
341 systemctl restart ovirt-engine
342 engine-manage-domains list
343 history
344 cd /etc/ovirt-engine/extensions.d/
345 ll
346 rm -rf internal-authn.properties
347 rm -rf internal-authz.properties
348 rm -rf profile1-authn.properties
349 rm -rf profile1-authz.properties
350 history
351 cd /etc/ovirt-engine/aaa/
352 ll
353 rm -rf profile1.properties
354 vim internal.properties
355 systemctl restart ovirt-engine
356 ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01
00:00:00Z"
357 ovirt-aaa-jdbc-tool user password-reset admin
--password-valid-to="2100-01-01 00:00:00Z"
358 engine-config -s AdminPassword=interactive
359 ovirt-aaa-jdbc-tool user password-reset admin
--password-valid-to="2100-01-01 00:00:00Z"
360 systemctl restart ovirt-engine
361 exit
362 cd /etc/ovirt-engine/aaa/
363 ll
364 vim internal.properties
365 /etc/ovirt-engine/extensions.d/
366 cd /etc/ovirt-engine/extensions.d/
367 ll
368 cd extensions.d/
369 ll
370 pwd
371 ll
372 cd ..
373 ll
374 cd ..
375 ll
376 cd /etc/ovirt-engine/extensions.d/
377 ll
378 cd extensions.d/
379 ll
380 pwd
381 ll
382 cd ..
383 ll
384 systemctl restart ovirt-engine.service
385 ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01
00:00:00Z"
386 ovirt-aaa-jdbc-tool user password-reset admin
--password-valid-to="2100-01-01 00:00:00Z"
387 systemctl restart ovirt-engine.service
388 ovirt-aaa-jdbc-tool user password-reset admin@internal
--password-valid-to="2100-01-01 00:00:00Z"
389 yum install -y ovirt-engine-extension-aaa-jdbc
390 engine-setup
391 ovirt-aaa-jdbc-tool user show admin
392 ovirt-aaa-jdbc-tool settings show
393 cd /var/log
394 ll
395 cd ovirt-engine
396 ll
397 tail -f n 100 ui.log
398 ll
399 tail -f -n engine.log
400 tail -f -n 1000 engine.log
401 tail -n 5000 engine.log | grep admin@internal
402 ovirt-aaa-jdbc-tool user show admin
403 ovirt-aaa-jdbc-tool user show admin@internal
404 ovirt-aaa-jdbc-tool query --what=user
405 engine-config -s AdminPassword=interactive
406 vim /etc/ovirt-engine/extension.d/internal-authn.properties
407 vim /etc/ovirt-engine/extensions.d/internal-authn.properties
408 cd /etc/ovirt-engine/extensions.d/
409 ll
410 vim /etc/ovirt-engine/aaa/internal.properties
411 cd /etc/ovirt-engine/aaa/
412 ll
413 vim internal.properties
414 pwd
415 ovirt-aaa-jdbc-tool user add julian
--attribute=firstName=Julian --attribute=lastName=Tete
--attribute=email=danteconrad14 at gmail.com
416 ovirt-aaa-jdbc-tool user password-reset julian
--password-valid-to="2025-08-15 10:30:00Z"
417 history
418 tail -n 5000 engine.log | grep admin@internal
419 tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
420 ovirt-aaa-jdbc-tool user edit admin --account-valid-from="2015-10-01
00:00:00Z"
421 ovirt-aaa-jdbc-tool user password-reset admin --force
--password-valid-to="2100-01-01 00:00:00Z"
422 systemctl restart ovirt-engine.service
423 history
424 ovirt-aaa-jdbc-tool query --what=user
425 updatedb
426 locate internal
427 yum install -y ovirt-engine-cli
428 cd /opt
429 cd /opt/
2016-06-20 13:24 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
> On 06/20/2016 06:36 PM, Julián Tete wrote:
>
>> oVirt: 3.6.2
>>
>> Trying to use:
>>
>> https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>>
>> First use:
>>
>> engine-manage-domains add --domain=udistritaloas.edu.co
>> --provider=ipa --user=admin
>> --ldap-servers=freeipa.udistritaloas.edu.co
>>
>>
>> The domain was added, but I can't access the webadmin portal :/
>>
>> I get the message:
>>
>> "User is not authorized to perform this action."
>>
>> In ovirt-cli
>>
>> [401] - Unauthorized
>>
>> tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
>>
>> 2016-06-20 10:52:22,835 ERROR
>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> (default task-32) [] Correlation ID: null, Call Stack: null, Custom
>> Event ID: -1, Message: User admin@internal failed to log in.
>> 2016-06-20 10:52:22,836 WARN
>> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32)
>> [] CanDoAction of action 'LoginAdminUser' failed for user
>> admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>> 2016-06-20 11:00:37,679 ERROR
>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> (default task-3) [] Correlation ID: null, Call Stack: null, Custom Event
>> ID: -1, Message: User admin@internal failed to log in.
>> 2016-06-20 11:00:37,679 WARN
>> [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) []
>> CanDoAction of action 'LoginUser' failed for user admin@internal.
>> Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>> 2016-06-20 11:01:04,016 ERROR
>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> (default task-4) [] Correlation ID: null, Call Stack: null, Custom Event
>> ID: -1, Message: User admin@internal failed to log in.
>> 2016-06-20 11:01:04,016 WARN
>> [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) []
>> CanDoAction of action 'LoginUser' failed for user admin@internal.
>> Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>>
>
> I am a little bit lost as to what your steps were to get into this state, but it
> looks like your admin@internal user had its SuperUser permissions removed. I
> am really not sure how you could have achieved that, but to fix it please run
> the following command:
>
> $ su - postgres -c "psql -t engine -c \"insert into permissions values
> ('0000001b-001b-001b-001b-00000000029f',
> '00000000-0000-0000-0000-000000000001',
> 'fdfc627c-d875-11e0-90f0-83df133b58cc',
> 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>
> This command will add SuperUser permissions on the system to your admin@internal user.
>
> Can you please describe what you have done in a bit more detail, so we can
> understand the problem?
>
> Thanks.
>
>
>> Properties of Internal domain:
>>
>> cat /etc/ovirt-engine/aaa/internal.properties
>>
>> ovirt.engine.extension.name = internal-authn
>> ovirt.engine.extension.bindings.method = jbossmodule
>> ovirt.engine.extension.binding.jbossmodule.module =
>> org.ovirt.engine.extension.aaa.jdbc
>> ovirt.engine.extension.binding.jbossmodule.class =
>> org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
>> ovirt.engine.extension.provides =
>> org.ovirt.engine.api.extensions.aaa.Authn
>> ovirt.engine.aaa.authn.profile.name = internal
>> ovirt.engine.aaa.authn.authz.plugin = internal-authz
>> config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>>
>> cat /etc/ovirt-engine/extensions.d/internal-authn.properties
>>
>> ovirt.engine.extension.name = internal-authn
>> ovirt.engine.extension.bindings.method = jbossmodule
>> ovirt.engine.extension.binding.jbossmodule.module =
>> org.ovirt.engine.extension.aaa.jdbc
>> ovirt.engine.extension.binding.jbossmodule.class =
>> org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
>> ovirt.engine.extension.provides =
>> org.ovirt.engine.api.extensions.aaa.Authn
>> ovirt.engine.aaa.authn.profile.name = internal
>> ovirt.engine.aaa.authn.authz.plugin = internal-authz
>> config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>>
>> cat /etc/ovirt-engine/extensions.d/internal-authz.properties
>>
>> ovirt.engine.extension.name = internal-authz
>> ovirt.engine.extension.bindings.method = jbossmodule
>> ovirt.engine.extension.binding.jbossmodule.module =
>> org.ovirt.engine.extension.aaa.jdbc
>> ovirt.engine.extension.binding.jbossmodule.class =
>> org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
>> ovirt.engine.extension.provides =
>> org.ovirt.engine.api.extensions.aaa.Authz
>> config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>>
>> Properties of admin@internal user:
>>
>> ovirt-aaa-jdbc-tool user show admin
>>
>> -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
>> Namespace: *
>> Name: admin
>> ID: fdfc627c-d875-11e0-90f0-83df133b58cc
>> Display Name:
>> Email:
>> First Name: admin
>> Last Name:
>> Department:
>> Title:
>> Description:
>> Account Disabled: false
>> Account Unlocked At: 1970-01-01 00:00:00Z
>> Account Valid From: 2015-10-01 00:00:00Z
>> Account Valid To: 2100-01-01 00:00:00Z
>> Account Without Password: false
>> Last successful Login At: 2016-06-20 16:01:03Z
>> Last unsuccessful Login At: 2016-06-19 16:53:07Z
>> Password Valid To: 2100-01-01 00:00:00Z
>>
>> Can I assign privileges to the user? Any idea?
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>>
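
Added example, not part of the original thread or of oVirt: a shell summary of the `CanDoAction` login rejections quoted above, grouped by user and action, so rejections with reason `USER_NOT_AUTHORIZED_TO_PERFORM_ACTION` stand out from other failures. The function names are hypothetical, and the sample is the thread's log entries unwrapped to one line each, which is an assumption about the on-disk format.

```shell
#!/usr/bin/env bash
# Constructed sample: the thread's engine.log entries, one per line (assumed
# on-disk layout), with the archive's "admin at internal" written admin@internal.
sample_log() {
  cat <<'EOF'
2016-06-20 10:52:22,835 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-32) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
2016-06-20 10:52:22,836 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:00:37,679 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:01:04,016 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
EOF
}

# Hypothetical helper. Reads engine.log text on stdin and prints, per user and
# login action: "<count> <user> <action> <first seen> <last seen> <reasons>".
login_rejections() {
  awk -v q="'" '
    index($0, "CanDoAction of action " q "Login") && / failed for user / {
      split($0, a, q); action = a[2]            # text between the quotes
      rest = $0; sub(/^.* failed for user /, "", rest)
      user = rest; sub(/\. Reasons: .*$/, "", user)
      reasons = rest; sub(/^.*\. Reasons: /, "", reasons)
      key = user " " action
      if (!(key in n)) { first[key] = $1 "T" $2; order[++k] = key }
      n[key]++; last[key] = $1 "T" $2; why[key] = reasons
    }
    END {
      for (i = 1; i <= k; i++) {
        key = order[i]
        print n[key], key, first[key], last[key], why[key]
      }
    }'
}

# Hypothetical helper. Exit 0 if the named user has at least one login rejected
# with USER_NOT_AUTHORIZED_TO_PERFORM_ACTION in the log on stdin.
rejected_by_authz() {
  login_rejections | awk -v u="$1" '
    $2 == u && index($0, "USER_NOT_AUTHORIZED_TO_PERFORM_ACTION") { hit = 1 }
    END { exit !hit }'
}

sample_log | login_rejections
```

On a live engine the same functions can be fed with `login_rejections < /var/log/ovirt-engine/engine.log`, the log path used in the thread.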