[ovirt-users] User admin@internal can't login in oVirt 3.6

Julián Tete danteconrad14 at gmail.com
Mon Jun 20 18:33:53 UTC 2016


Thanks Ondra :)

With the command:

su - postgres -c "psql -t engine -c \"insert into permissions values
('0000001b-001b-001b-001b-00000000029f',
'00000000-0000-0000-0000-000000000001',
'fdfc627c-d875-11e0-90f0-83df133b58cc',
'aaa00000-0000-0000-0000-123456789aaa', 1);\""

I get:

ERROR:  duplicate key value violates unique constraint "idx_combined_ad_role_object"
DETAIL:  Key (ad_element_id, role_id, object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc, 00000000-0000-0000-0000-000000000001, aaa00000-0000-0000-0000-123456789aaa) already exists.

History

  261  yum install ovirt-engine-extension-aaa-ldap
  262  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/
  263  cd /etc/ovirt-engine/
  264  ll
  265  vim profile1.properties
  266  ll
  267  cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
  268  cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/
  269  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
  270  ll
  271  cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
  272  cd /etc/ovirt-engine/extensions.d/
  273  ll
  274  find / -type f -iname profile1.properties
  275  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/aaa/
  276  find / -type f -iname profile1.properties
  277  vim /etc/ovirt-engine/aaa/profile1.properties
  278  chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
  279  chmod 600 /etc/ovirt-engine/aaa/profile1.properties
  280  systemctl restart ovirt-engine
  281  vim /etc/ovirt-engine/extensions.d/profile1-authn.properties
  282  cd /usr/share/
  283  ls
  284  cd ovirt-engine-aaa-ldap
  285  ls
  286  cd ovirt-engine-extension-aaa-ldap/
  287  ls
  288  cd examples/
  289  ls
  290  cd ad
  291  ls
  292  cd extensions.d/
  293  ls
  294  vim profile1-authn.properties
  295  pwd
  296  cd ..
  297  pwd
  298  cd ..
  299  ls
  300  cd simple
  301  ls
  302  cd aaa/
  303  ls
  304  vim profile1.properties
  305  pwd
  306  rm -rf /etc/ovirt-engine/aaa/profile1.properties
  307  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties /etc/ovirt-engine/aaa/
  308  vim /etc/ovirt-engine/aaa/profile1.properties
  309  history
  310  chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
  311  chmod 600 /etc/ovirt-engine/aaa/profile1.properties
  312  systemctl restart ovirt-engine
  313  updatedb
  314  locate domain1-authn.properties
  315  history
  316  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
  317  ll
  318  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
  319  ls
  320  cd extensions.d/
  321  ls
  322  pwd
  323  cd /etc/ovirt-engine/extensions.d/
  324  ls
  325  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/ /etc/ovirt-engine/extensions.d/
  326   cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
  327  rm -rf /etc/ovirt-engine/extensions.d/profile1-authn.properties
  328  rm -rf /etc/ovirt-engine/extensions.d/profile1-authz.properties
  329   cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
  330  ll
  331  history
  332  chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*
  333  chmod 600 /etc/ovirt-engine/extensions.d/*
  334  ll
  335  cd extensions.d/
  336  ll
  337  cd
  338  engine-config -s SASL_QOP=auth
  339  systemctl restart ovirt-engine
  340  engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
  341  systemctl restart ovirt-engine
  342  engine-manage-domains list
  343  history
  344  cd /etc/ovirt-engine/extensions.d/
  345  ll
  346  rm -rf internal-authn.properties
  347  rm -rf internal-authz.properties
  348  rm -rf profile1-authn.properties
  349  rm -rf profile1-authz.properties
  350  history
  351  cd /etc/ovirt-engine/aaa/
  352  ll
  353  rm -rf profile1.properties
  354  vim internal.properties
  355  systemctl restart ovirt-engine
  356  ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"
  357  ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
  358  engine-config -s AdminPassword=interactive
  359  ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
  360  systemctl restart ovirt-engine
  361  exit
  362  cd /etc/ovirt-engine/aaa/
  363  ll
  364  vim internal.properties
  365  /etc/ovirt-engine/extensions.d/
  366  cd /etc/ovirt-engine/extensions.d/
  367  ll
  368  cd extensions.d/
  369  ll
  370  pwd
  371  ll
  372  cd ..
  373  ll
  374  cd ..
  375  ll
  376  cd /etc/ovirt-engine/extensions.d/
  377  ll
  378  cd extensions.d/
  379  ll
  380  pwd
  381  ll
  382  cd ..
  383  ll
  384  systemctl restart ovirt-engine.service
  385  ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"
  386  ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
  387  systemctl restart ovirt-engine.service
  388  ovirt-aaa-jdbc-tool user password-reset admin@internal --password-valid-to="2100-01-01 00:00:00Z"
  389  yum install -y ovirt-engine-extension-aaa-jdbc
  390  engine-setup
  391  ovirt-aaa-jdbc-tool user show admin
  392  ovirt-aaa-jdbc-tool settings show
  393  cd /var/log
  394  ll
  395  cd ovirt-engine
  396  ll
  397  tail -f n 100 ui.log
  398  ll
  399  tail -f -n engine.log
  400  tail -f -n 1000 engine.log
  401  tail -n 5000 engine.log | grep admin@internal
  402  ovirt-aaa-jdbc-tool user show admin
  403  ovirt-aaa-jdbc-tool user show admin@internal
  404  ovirt-aaa-jdbc-tool query --what=user
  405  engine-config -s AdminPassword=interactive
  406  vim /etc/ovirt-engine/extension.d/internal-authn.properties
  407  vim /etc/ovirt-engine/extensions.d/internal-authn.properties
  408  cd /etc/ovirt-engine/extensions.d/
  409  ll
  410  vim /etc/ovirt-engine/aaa/internal.properties
  411  cd /etc/ovirt-engine/aaa/
  412  ll
  413  vim internal.properties
  414  pwd
  415  ovirt-aaa-jdbc-tool user add julian --attribute=firstName=Julian     --attribute=lastName=Tete --attribute=email=danteconrad14 at gmail.com
  416  ovirt-aaa-jdbc-tool user password-reset julian --password-valid-to="2025-08-15 10:30:00Z"
  417  history
  418  tail -n 5000 engine.log | grep admin@internal
  419  tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
  420  ovirt-aaa-jdbc-tool user edit admin --account-valid-from="2015-10-01 00:00:00Z"
  421  ovirt-aaa-jdbc-tool user password-reset admin --force --password-valid-to="2100-01-01 00:00:00Z"
  422  systemctl restart ovirt-engine.service
  423  history
  424  ovirt-aaa-jdbc-tool query --what=user
  425  updatedb
  426  locate internal
  427  yum install -y ovirt-engine-cli
  428  cd /opt
  429  cd /opt/



2016-06-20 13:24 GMT-05:00 Ondra Machacek <omachace at redhat.com>:

> On 06/20/2016 06:36 PM, Julián Tete wrote:
>
>> oVirt: 3.6.2
>>
>> Trying to use:
>>
>> https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>>
>> First use:
>>
>> engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
>>
>>
>> The domain was added, but I can't access the webadmin portal :/
>>
>> I get the message:
>>
>> "User is not authorized to perform this action."
>>
>> In ovirt-cli
>>
>> [401] - Unauthorized
>>
>> tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
>>
>> 2016-06-20 10:52:22,835 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-32) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
>> 2016-06-20 10:52:22,836 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>> 2016-06-20 11:00:37,679 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-3) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
>> 2016-06-20 11:00:37,679 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>> 2016-06-20 11:01:04,016 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-4) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.
>> 2016-06-20 11:01:04,016 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>>
>
> I am a little bit lost as to what your steps were to get into this state,
> but it looks like your admin@internal user had its SuperUser permissions
> removed. I am really not sure how you could have achieved that, but to fix
> it please run the following command:
>
>  $ su - postgres -c "psql -t engine -c \"insert into permissions values
> ('0000001b-001b-001b-001b-00000000029f',
> '00000000-0000-0000-0000-000000000001',
> 'fdfc627c-d875-11e0-90f0-83df133b58cc',
> 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>
> This command will give your admin@internal user SuperUser permissions on
> the system.
>
> Can you please describe what you have done in a bit more detail, so we can
> understand the problem?
>
> Thanks.
>
>
>> Properties of Internal domain:
>>
>> cat /etc/ovirt-engine/aaa/internal.properties
>>
>> ovirt.engine.extension.name = internal-authn
>> ovirt.engine.extension.bindings.method = jbossmodule
>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>> ovirt.engine.aaa.authn.profile.name = internal
>> ovirt.engine.aaa.authn.authz.plugin = internal-authz
>> config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>>
>> cat /etc/ovirt-engine/extensions.d/internal-authn.properties
>>
>> ovirt.engine.extension.name = internal-authn
>> ovirt.engine.extension.bindings.method = jbossmodule
>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>> ovirt.engine.aaa.authn.profile.name = internal
>> ovirt.engine.aaa.authn.authz.plugin = internal-authz
>> config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>>
>> cat /etc/ovirt-engine/extensions.d/internal-authz.properties
>>
>> ovirt.engine.extension.name = internal-authz
>> ovirt.engine.extension.bindings.method = jbossmodule
>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>> config.datasource.file = /etc/ovirt-engine/aaa/internal.properties
>>
>> Properties of admin@internal user:
>>
>> ovirt-aaa-jdbc-tool user show admin
>>
>> -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
>> Namespace: *
>> Name: admin
>> ID: fdfc627c-d875-11e0-90f0-83df133b58cc
>> Display Name:
>> Email:
>> First Name: admin
>> Last Name:
>> Department:
>> Title:
>> Description:
>> Account Disabled: false
>> Account Unlocked At: 1970-01-01 00:00:00Z
>> Account Valid From: 2015-10-01 00:00:00Z
>> Account Valid To: 2100-01-01 00:00:00Z
>> Account Without Password: false
>> Last successful Login At: 2016-06-20 16:01:03Z
>> Last unsuccessful Login At: 2016-06-19 16:53:07Z
>> Password Valid To: 2100-01-01 00:00:00Z
>>
>> Can I assign privileges to the user? Any idea?
>>
>>
>>
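
Added example, not part of the original thread or of oVirt: a triage of the quoted engine.log WARN lines against the `Last successful Login At` value from `ovirt-aaa-jdbc-tool user show admin`, to separate a login the engine refused after the password was accepted from one with no matching accepted password. It assumes engine.log is written in local time at UTC-5 (the offset in the mail header) and that the aaa-jdbc timestamp marks an accepted password; the function names and the 5-second window are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: two WARN lines in the engine.log format quoted in the thread.
SAMPLE_LOG = (
    "2016-06-20 10:52:22,836 WARN  [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] "
    "(default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user "
    "admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION\n"
    "2016-06-20 11:01:04,016 WARN  [org.ovirt.engine.core.bll.aaa.LoginUserCommand] "
    "(default task-4) [] CanDoAction of action 'LoginUser' failed for user "
    "admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION\n"
)
# "Last successful Login At" as printed by `ovirt-aaa-jdbc-tool user show admin`.
LAST_OK = "2016-06-20 16:01:03Z"

DENIAL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+WARN\s+\[[\w.]+\].*?"
    r"CanDoAction of action '(?P<action>\w+)' failed for user (?P<user>\S+?)\. "
    r"Reasons: (?P<reasons>[\w,]+)",
    re.M,
)

def parse_denials(log_text, utc_offset_hours):
    """Return engine-side login denials with timestamps converted to UTC."""
    tz = timezone(timedelta(hours=utc_offset_hours))  # assumed server offset
    out = []
    for m in DENIAL.finditer(log_text):
        local = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        out.append({"utc": local.astimezone(timezone.utc), "user": m["user"],
                    "action": m["action"], "reasons": m["reasons"].split(",")})
    return out

def classify(denial, last_ok_utc, window=timedelta(seconds=5)):
    """'authz' = password accepted just before the engine refused the login."""
    gap = denial["utc"] - last_ok_utc
    if ("USER_NOT_AUTHORIZED_TO_PERFORM_ACTION" in denial["reasons"]
            and timedelta(0) <= gap <= window):
        return "authz"
    return "unconfirmed"  # only the latest accepted password is recorded

def triage(log_text, last_ok, utc_offset_hours=-5):
    ok = datetime.strptime(last_ok, "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)
    return [(d["user"], d["action"], classify(d, ok))
            for d in parse_denials(log_text, utc_offset_hours)]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, LAST_OK):
        print(row)
```

An "authz" result points at the engine's permission data or the authz extension rather than at the password or account validity dates.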