[ovirt-users] User admin at internal can't login in oVirt 3.6
Julián Tete
danteconrad14 at gmail.com
Wed Jun 22 16:37:36 UTC 2016
Thanks again :)
2016-06-22 11:14 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
> On 06/22/2016 05:21 PM, Julián Tete wrote:
>
>> S-O-L-V-E-D!!!
>>
>> You are a Wizard Ondra Machacek!!!
>>
>> Thank you very much!!! As Apache says: "It works"
>>
>
> Great! You are welcome
>
>
>> I have a question for you
>>
>> In the command
>>
>> su - postgres -c "psql -t engine -c \"insert into permissions values
>> ('0000001b-001b-001b-001b-00000000029f',
>> '00000000-0000-0000-0000-000000000001',
>> 'fdfc627c-d875-11e0-90f0-83df133b58cc',
>> 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>>
>> What's the meaning of:
>>
>> 0000001b-001b-001b-001b-00000000029f
>>
>
> This one is the id of the permission. It's auto-generated.
>
>
>> 00000000-0000-0000-0000-000000000001
>>
>
> This one is the id of the role. This is the id of SuperUser, as you can see by running:
>
> select * from roles;
>
>
>> aaa00000-0000-0000-0000-123456789aaa
>>
>
> This one is the object id; in this case it's the id of the system.
>
>
>> 1
>>
>
> This one represents the object type. It is a number that represents some object,
> for example 1 represents the system object, number 2 represents Vm, number 3 Host... etc.
>
>
>> ¿?
>>
>> Thanks again
>>
>>
>> 2016-06-22 5:22 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
>>
>> On 06/21/2016 09:18 PM, Julián Tete wrote:
>>
>> Roger Ondra!
>>
>> 1) su - postgres -c "psql -t engine -c \"delete from users where
>> user_id='7f300f43-9972-4c0e-bfa9-e86df6f1659f';\""
>>
>> Output:
>>
>> DELETE 1
>>
>> 2) su - postgres -c "psql -t engine -c \"UPDATE users set
>> domain='internal-authz' where
>> user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""
>>
>> Output:
>>
>> ERROR: duplicate key value violates unique constraint
>> "users_domain_external_id_unique"
>> DETAIL: Key (domain, external_id)=(internal-authz,
>> fdfc627c-d875-11e0-90f0-83df133b58cc) already exists.
>>
>>
>> OK, this is really strange, because this shouldn't be printed as you
>> removed all constraints in step 1).
>>
>> So, can you please first stop ovirt-engine, before running steps
>> above? So the steps now
>> would be:
>>
>> 1) service ovirt-engine stop
>>
>> 2) remove admin at internal-authz
>> (c9dcda67-9b3e-4255-aa9f-d69043a02b2b) (note: the id
>> changed from last time). If there are more admin users with domain
>> internal-authz, please
>> remove them all.
>> $ su - postgres -c "psql -t engine -c \"delete from users
>> where user_id='c9dcda67-9b3e-4255-aa9f-d69043a02b2b';\""
>>
>> 3) rename admin at internal to admin at internal-authz
>> $ su - postgres -c "psql -t engine -c \"UPDATE users set
>> domain='internal-authz' where
>> user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""
>>
>> 4) service ovirt-engine start
>>
>>
>> 3) systemctl restart ovirt-engine.service
>>
>> No login yet :(
>>
>> Look at this:
>>
>> ovirt-aaa-jdbc-tool user show admin
>>
>> Output:
>> -- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
>> Namespace: *
>> Name: admin
>> ID: fdfc627c-d875-11e0-90f0-83df133b58cc
>> Display Name:
>> Email:
>> First Name: admin
>> Last Name:
>> Department:
>> Title:
>> Description:
>> Account Disabled: false
>> Account Unlocked At: 1970-01-01 00:00:00Z
>> Account Valid From: 2015-10-01 00:00:00Z
>> Account Valid To: 2100-01-01 00:00:00Z
>> Account Without Password: false
>> Last successful Login At: 2016-06-21 19:15:59Z
>> Last unsuccessful Login At: 2016-06-20 17:33:24Z
>> Password Valid To: 2100-01-01 00:00:00Z
>>
>> su - postgres -c "psql -t engine -c \"select * from users;\""
>>
>> Output:
>>
>> fdfc627c-d875-11e0-90f0-83df133b58cc | admin | |
>> internal | admin | |
>> | | t |
>> fdfc627c-d875-11e0-90f0-83df133b58cc
>> | 2015-09-19 21:38:44.838161-
>> 05 | 2016-06-18 20:42:18.883738-05 | *
>> 16f666bb-b4c8-44c9-8264-30c3aff63a6e | | Administrator |
>> udistritaloas.edu.co | admin
>> | | | | f
>> | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19
>> 11:53:39.249812-
>> 05 | 2016-06-19 12:24:41.590162-05 | *
>> c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete |
>> internal-authz | julian | |
>> danteconrad14 at gmail.com | | f
>> |
>> 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20 11:22:56.483292-
>> 05 | 2016-06-20 11:23:19.261686-05 | *
>> c9dcda67-9b3e-4255-aa9f-d69043a02b2b | admin | |
>> internal-authz | admin | |
>> | | f |
>> fdfc627c-d875-11e0-90f0-83df133b58cc
>> | 2016-06-21 13:54:07.765767-
>> 05 | 2016-06-21 14:15:59.352697-05 | *
>>
>>
>> su - postgres -c "psql -t engine -c \"select * from
>> permissions;\""
>>
>> Output:
>>
>> 00000004-0004-0004-0004-00000000025e |
>> def00009-0000-0000-0000-def000000009 |
>> eee00000-0000-0000-0000-123456789eee |
>> 00000000-0000-0000-0000-000000000000 | 4 |
>> 1447535033
>> 0000000f-000f-000f-000f-000000000293 |
>> def0000a-0000-0000-0000-def000000010 |
>> eee00000-0000-0000-0000-123456789eee |
>> 0000000e-000e-000e-000e-0000000002d6 | 27 |
>> 1447535033
>> 00000003-0003-0003-0003-00000000009c |
>> 00000000-0000-0000-0000-000000000001 |
>> fdfc627c-d875-11e0-90f0-83df133b58cc |
>> aaa00000-0000-0000-0000-123456789aaa | 1 |
>> 1447535033
>> 00000006-0006-0006-0006-0000000000e3 |
>> 00000000-0000-0000-0001-000000000002 |
>> fdfc627c-d875-11e0-90f0-83df133b58cc |
>> aaa00000-0000-0000-0000-123456789aaa | 1 |
>> 1447535033
>> 00000011-0011-0011-0011-0000000002a9 |
>> def00009-0000-0000-0000-def000000009 |
>> eee00000-0000-0000-0000-123456789eee |
>> 00000010-0010-0010-0010-0000000001d1 | 4 |
>> 1447535033
>> 00000013-0013-0013-0013-00000000031e |
>> def00009-0000-0000-0000-def000000009 |
>> eee00000-0000-0000-0000-123456789eee |
>> 00000012-0012-0012-0012-0000000001c6 | 4 |
>> 1447535033
>> 00000015-0015-0015-0015-0000000003b8 |
>> def00009-0000-0000-0000-def000000009 |
>> eee00000-0000-0000-0000-123456789eee |
>> 00000014-0014-0014-0014-0000000002fd | 4 |
>> 1447535033
>> 00000017-0017-0017-0017-000000000388 |
>> def00009-0000-0000-0000-def000000009 |
>> eee00000-0000-0000-0000-123456789eee |
>> 00000016-0016-0016-0016-0000000002b0 | 4 |
>> 1447535033
>> 00000019-0019-0019-0019-0000000003d5 |
>> def00009-0000-0000-0000-def000000009 |
>> eee00000-0000-0000-0000-123456789eee |
>> 00000018-0018-0018-0018-000000000314 | 4 |
>> 1447535033
>> 00000027-0027-0027-0027-00000000027e |
>> def00021-0000-0000-0000-def000000015 |
>> eee00000-0000-0000-0000-123456789eee |
>> aaa00000-0000-0000-0000-123456789aaa | 1 |
>> 1447535037
>> 7a3917ea-b2df-444f-938c-f768feeaee04 |
>> def00009-0000-0000-0000-def000000009 |
>> eee00000-0000-0000-0000-123456789eee |
>> 8fa947f7-c698-4661-aea4-a093bbd0ba0b | 4 |
>> 1457665842
>> e8abc833-b860-451c-b580-780c7d1049d4 |
>> def0000a-0000-0000-0000-def00000000f |
>> fdfc627c-d875-11e0-90f0-83df133b58cc |
>> 8fa947f7-c698-4661-aea4-a093bbd0ba0b | 4 |
>> 1457665842
>> c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c |
>> def0000a-0000-0000-0000-def00000000b |
>> fdfc627c-d875-11e0-90f0-83df133b58cc |
>> 9881e686-90d0-4da3-85b4-b8a1b3638396 | 19 |
>> 1463161875
>>
>>
>>
>>
>> 2016-06-21 13:30 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
>>
>>
>> On 06/21/2016 04:54 PM, Julián Tete wrote:
>>
>> That's right I remove internal properties :/
>>
>> This is the output of the commands:
>>
>> /usr/share/ovirt-engine/bin/ovirt-engine-role.sh
>> --command=add
>> --user-name=admin --authz-name=internal-authz
>> --role=SuperUser
>>
>> Output:
>>
>> FATAL: Please specify provider namespace
>>
>>
>> You don't have to run it, I've just sent it for future
>> reference :)
>> But if you for example want to add SuperUser permissions to
>> user
>> 'julian', you can run:
>>
>> /usr/share/ovirt-engine/bin/ovirt-engine-role.sh
>> --command=add
>> --principal-id='c01c263a-78c5-4524-a94e-c9aa38141ea9'
>> --role=SuperUser --user-name=julian
>> --authz-name=internal-authz
>> --principal-namespace=*
>>
>> And you don't need admin at internal-authz user.
>>
>>
>> su - postgres -c "psql -t engine -c \"select * from
>> users;\""
>>
>> Output:
>>
>> fdfc627c-d875-11e0-90f0-83df133b58cc | admin |
>> |
>> internal | admin | |
>> | | t |
>> fdfc627c-d875-11e0-90f0-83df133b58cc
>> | 2015-09-19 21:38:44.838161-
>> 05 | 2016-06-18 20:42:18.883738-05 | *
>> 16f666bb-b4c8-44c9-8264-30c3aff63a6e | |
>> Administrator |
>> udistritaloas.edu.co | admin
>> | | | | f
>> | 41cd26a2-0e0a-11e6-aa00-001a4a160159 | 2016-06-19
>> 11:53:39.249812-
>> 05 | 2016-06-19 12:24:41.590162-05 | *
>> c01c263a-78c5-4524-a94e-c9aa38141ea9 | Julian | Tete
>> |
>> internal-authz | julian | |
>> danteconrad14 at gmail.com | | f
>> |
>> 1ad3dc19-b15a-493c-9610-2ccdd0dac6af | 2016-06-20
>> 11:22:56.483292-
>> 05 | 2016-06-20 11:23:19.261686-05 | *
>> 7f300f43-9972-4c0e-bfa9-e86df6f1659f | admin |
>> |
>> internal-authz | admin | |
>> | | f |
>> fdfc627c-d875-11e0-90f0-83df133b58cc
>> | 2016-06-19 11:43:51.644981-
>> 05 | 2016-06-20 16:06:49.138862-05 | *
>>
>> su - postgres -c "psql -t engine -c \"select * from
>> permissions;\""
>>
>>
>> Ok, according to current status I would suggest you to:
>>
>> 1) remove admin at internal-authz
>> (7f300f43-9972-4c0e-bfa9-e86df6f1659f)
>> $ su - postgres -c "psql -t engine -c \"delete from
>> users
>> where user_id='7f300f43-9972-4c0e-bfa9-e86df6f1659f';\""
>>
>> 2) rename admin at internal to admin at internal-authz
>> $ su - postgres -c "psql -t engine -c \"UPDATE users set
>> domain='internal-authz' where
>> user_id='fdfc627c-d875-11e0-90f0-83df133b58cc';\""
>>
>> Then restart ovirt-engine and try to login.
>>
>> The problem here is that it tries to log in with the admin user
>> which doesn't have any permissions, and
>> you have two admin users, because you have removed the
>> internal-*properties files, so it added
>> another one.
>>
>>
>> Output:
>>
>>
>> 00000004-0004-0004-0004-00000000025e |
>> def00009-0000-0000-0000-def000000009 |
>> eee00000-0000-0000-0000-123456789eee |
>> 00000000-0000-0000-0000-000000000000 | 4 |
>> 1447535033
>> 0000000f-000f-000f-000f-000000000293 |
>> def0000a-0000-0000-0000-def000000010 |
>> eee00000-0000-0000-0000-123456789eee |
>> 0000000e-000e-000e-000e-0000000002d6 | 27 |
>> 1447535033
>> 00000003-0003-0003-0003-00000000009c |
>> 00000000-0000-0000-0000-000000000001 |
>> fdfc627c-d875-11e0-90f0-83df133b58cc |
>> aaa00000-0000-0000-0000-123456789aaa | 1 |
>> 1447535033
>> 00000006-0006-0006-0006-0000000000e3 |
>> 00000000-0000-0000-0001-000000000002 |
>> fdfc627c-d875-11e0-90f0-83df133b58cc |
>> aaa00000-0000-0000-0000-123456789aaa | 1 |
>> 1447535033
>> 00000011-0011-0011-0011-0000000002a9 |
>> def00009-0000-0000-0000-def000000009 |
>> eee00000-0000-0000-0000-123456789eee |
>> 00000010-0010-0010-0010-0000000001d1 | 4 |
>> 1447535033
>> 00000013-0013-0013-0013-00000000031e |
>> def00009-0000-0000-0000-def000000009 |
>> eee00000-0000-0000-0000-123456789eee |
>> 00000012-0012-0012-0012-0000000001c6 | 4 |
>> 1447535033
>> 00000015-0015-0015-0015-0000000003b8 |
>> def00009-0000-0000-0000-def000000009 |
>> eee00000-0000-0000-0000-123456789eee |
>> 00000014-0014-0014-0014-0000000002fd | 4 |
>> 1447535033
>> 00000017-0017-0017-0017-000000000388 |
>> def00009-0000-0000-0000-def000000009 |
>> eee00000-0000-0000-0000-123456789eee |
>> 00000016-0016-0016-0016-0000000002b0 | 4 |
>> 1447535033
>> 00000019-0019-0019-0019-0000000003d5 |
>> def00009-0000-0000-0000-def000000009 |
>> eee00000-0000-0000-0000-123456789eee |
>> 00000018-0018-0018-0018-000000000314 | 4 |
>> 1447535033
>> 00000027-0027-0027-0027-00000000027e |
>> def00021-0000-0000-0000-def000000015 |
>> eee00000-0000-0000-0000-123456789eee |
>> aaa00000-0000-0000-0000-123456789aaa | 1 |
>> 1447535037
>> 7a3917ea-b2df-444f-938c-f768feeaee04 |
>> def00009-0000-0000-0000-def000000009 |
>> eee00000-0000-0000-0000-123456789eee |
>> 8fa947f7-c698-4661-aea4-a093bbd0ba0b | 4 |
>> 1457665842
>> e8abc833-b860-451c-b580-780c7d1049d4 |
>> def0000a-0000-0000-0000-def00000000f |
>> fdfc627c-d875-11e0-90f0-83df133b58cc |
>> 8fa947f7-c698-4661-aea4-a093bbd0ba0b | 4 |
>> 1457665842
>> c4d609ca-f2de-4c13-a9a6-b73e9dd9c34c |
>> def0000a-0000-0000-0000-def00000000b |
>> fdfc627c-d875-11e0-90f0-83df133b58cc |
>> 9881e686-90d0-4da3-85b4-b8a1b3638396 | 19 |
>> 1463161875
>>
>>
>> 2016-06-21 9:18 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
>>
>>
>> On 06/20/2016 08:33 PM, Julián Tete wrote:
>>
>> Thanks Ondra :)
>>
>> With the command:
>>
>> su - postgres -c "psql -t engine -c \"insert into
>> permissions values
>> ('0000001b-001b-001b-001b-00000000029f',
>> '00000000-0000-0000-0000-000000000001',
>> 'fdfc627c-d875-11e0-90f0-83df133b58cc',
>> 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>>
>>
>> I've just remembered that there is a bash script for it:
>>
>> /usr/share/ovirt-engine/bin/ovirt-engine-role.sh
>>
>> You can use it as follows:
>>
>> /usr/share/ovirt-engine/bin/ovirt-engine-role.sh
>> --command=add
>> --user-name=admin --authz-name=internal-authz
>> --role=SuperUser
>>
>> But, as per your output above, obviously your
>> problem is not
>> missing
>> permissions.
>> I think the problem is that you removed the internal*.properties
>> files and then re-added them.
>> Can you please send the output of the users table and the permissions
>> table? Thanks.
>>
>> su - postgres -c "psql -t engine -c \"select * from
>> users;\""
>> su - postgres -c "psql -t engine -c \"select * from
>> permissions;\""
>>
>> I get:
>>
>> ERROR: duplicate key value violates unique
>> constraint
>> "idx_combined_ad_role_object"
>> DETAIL: Key (ad_element_id, role_id,
>> object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc,
>> 00000000-0000-0000-0000-000000000001,
>> aaa00000-0000-0000-0000-123456789aaa) already
>> exists.
>>
>> History
>>
>> 261 yum install ovirt-engine-extension-aaa-ldap
>> 262 cp -r
>>
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
>> /etc/ovirt-engine/
>> 263 cd /etc/ovirt-engine/
>> 264 ll
>> 265 vim profile1.properties
>> 266 ll
>> 267 cd cp
>>
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
>> /etc/ovirt-engine/extensions.d/
>> 268 cd cp
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/
>> 269 cd
>>
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
>> 270 ll
>> 271 cp
>>
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
>> /etc/ovirt-engine/extensions.d/
>> 272 cd /etc/ovirt-engine/extensions.d/
>> 273 ll
>> 274 find / -type f -iname profile1.properties
>> 275 cp -r
>>
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties
>> /etc/ovirt-engine/aaa/
>> 276 find / -type f -iname profile1.properties
>> 277 vim
>> /etc/ovirt-engine/aaa/profile1.properties
>> 278 chown ovirt:ovirt
>> /etc/ovirt-engine/aaa/profile1.properties
>> 279 chmod 600
>> /etc/ovirt-engine/aaa/profile1.properties
>> 280 systemctl restart ovirt-engine
>> 281 vim
>> /etc/ovirt-engine/extensions.d/profile1-authn.properties
>> 282 cd /usr/share/
>> 283 ls
>> 284 cd ovirt-engine-aaa-ldap
>> 285 ls
>> 286 cd ovirt-engine-extension-aaa-ldap/
>> 287 ls
>> 288 cd examples/
>> 289 ls
>> 290 cd ad
>> 291 ls
>> 292 cd extensions.d/
>> 293 ls
>> 294 vim profile1-authn.properties
>> 295 pwd
>> 296 cd ..
>> 297 pwd
>> 298 cd ..
>> 299 ls
>> 300 cd simple
>> 301 ls
>> 302 cd aaa/
>> 303 ls
>> 304 vim profile1.properties
>> 305 pwd
>> 306 rm -rf
>> /etc/ovirt-engine/aaa/profile1.properties
>> 307 cp -r
>>
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties
>> /etc/ovirt-engine/aaa/
>> 308 vim
>> /etc/ovirt-engine/aaa/profile1.properties
>> 309 history
>> 310 chown ovirt:ovirt
>> /etc/ovirt-engine/aaa/profile1.properties
>> 311 chmod 600
>> /etc/ovirt-engine/aaa/profile1.properties
>> 312 systemctl restart ovirt-engine
>> 313 updatedb
>> 314 locate domain1-authn.properties
>> 315 history
>> 316 cd
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
>> 317 ll
>> 318 cd
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
>> 319 ls
>> 320 cd extensions.d/
>> 321 ls
>> 322 pwd
>> 323 cd /etc/ovirt-engine/extensions.d/
>> 324 ls
>> 325 cp -r
>>
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
>> /etc/ovirt-engine/extensions.d/
>> 326 cp -r
>>
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
>> /etc/ovirt-engine/extensions.d/
>> 327 rm -rf
>>
>> /etc/ovirt-engine/extensions.d/profile1-authn.properties
>> 328 rm -rf
>>
>> /etc/ovirt-engine/extensions.d/profile1-authz.properties
>> 329 cp -r
>>
>>
>>
>> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*
>> /etc/ovirt-engine/extensions.d/
>> 330 ll
>> 331 history
>> 332 chown ovirt:ovirt
>> /etc/ovirt-engine/extensions.d/*
>> 333 chmod 600 /etc/ovirt-engine/extensions.d/*
>> 334 ll
>> 335 cd extensions.d/
>> 336 ll
>> 337 cd
>> 338 engine-config -s SASL_QOP=auth
>> 339 systemctl restart ovirt-engine
>> 340 engine-manage-domains add
>> --domain=udistritaloas.edu.co --provider=ipa
>> --user=admin
>> --ldap-servers=freeipa.udistritaloas.edu.co
>> 341 systemctl restart ovirt-engine
>> 342 engine-manage-domains list
>> 343 history
>> 344 cd /etc/ovirt-engine/extensions.d/
>> 345 ll
>> 346 rm -rf internal-authn.properties
>> 347 rm -rf internal-authz.properties
>> 348 rm -rf profile1-authn.properties
>> 349 rm -rf profile1-authz.properties
>> 350 history
>> 351 cd /etc/ovirt-engine/aaa/
>> 352 ll
>> 353 rm -rf profile1.properties
>> 354 vim internal.properties
>> 355 systemctl restart ovirt-engine
>> 356 ovirt-aaa-jdbc-tool user edit admin
>> --account-valid-to="2100-01-01 00:00:00Z"
>> 357 ovirt-aaa-jdbc-tool user password-reset
>> admin
>> --password-valid-to="2100-01-01 00:00:00Z"
>> 358 engine-config -s AdminPassword=interactive
>> 359 ovirt-aaa-jdbc-tool user password-reset
>> admin
>> --password-valid-to="2100-01-01 00:00:00Z"
>> 360 systemctl restart ovirt-engine
>> 361 exit
>> 362 cd /etc/ovirt-engine/aaa/
>> 363 ll
>> 364 vim internal.properties
>> 365 /etc/ovirt-engine/extensions.d/
>> 366 cd /etc/ovirt-engine/extensions.d/
>> 367 ll
>> 368 cd extensions.d/
>> 369 ll
>> 370 pwd
>> 371 ll
>> 372 cd ..
>> 373 ll
>> 374 cd ..
>> 375 ll
>> 376 cd /etc/ovirt-engine/extensions.d/
>> 377 ll
>> 378 cd extensions.d/
>> 379 ll
>> 380 pwd
>> 381 ll
>> 382 cd ..
>> 383 ll
>> 384 systemctl restart ovirt-engine.service
>> 385 ovirt-aaa-jdbc-tool user edit admin
>> --account-valid-to="2100-01-01 00:00:00Z"
>> 386 ovirt-aaa-jdbc-tool user password-reset
>> admin
>> --password-valid-to="2100-01-01 00:00:00Z"
>> 387 systemctl restart ovirt-engine.service
>> 388 ovirt-aaa-jdbc-tool user password-reset
>> admin at internal
>> --password-valid-to="2100-01-01 00:00:00Z"
>> 389 yum install -y
>> ovirt-engine-extension-aaa-jdbc
>> 390 engine-setup
>> 391 ovirt-aaa-jdbc-tool user show admin
>> 392 ovirt-aaa-jdbc-tool settings show
>> 393 cd /var/log
>> 394 ll
>> 395 cd ovirt-engine
>> 396 ll
>> 397 tail -f n 100 ui.log
>> 398 ll
>> 399 tail -f -n engine.log
>> 400 tail -f -n 1000 engine.log
>> 401 tail -n 5000 engine.log | grep
>> admin at internal
>> 402 ovirt-aaa-jdbc-tool user show admin
>> 403 ovirt-aaa-jdbc-tool user show
>> admin at internal
>> 404 ovirt-aaa-jdbc-tool query --what=user
>> 405 engine-config -s AdminPassword=interactive
>> 406 vim
>> /etc/ovirt-engine/extension.d/internal-authn.properties
>> 407 vim
>> /etc/ovirt-engine/extensions.d/internal-authn.properties
>> 408 cd /etc/ovirt-engine/extensions.d/
>> 409 ll
>> 410 vim
>> /etc/ovirt-engine/aaa/internal.properties
>> 411 cd /etc/ovirt-engine/aaa/
>> 412 ll
>> 413 vim internal.properties
>> 414 pwd
>> 415 ovirt-aaa-jdbc-tool user add julian
>> --attribute=firstName=Julian
>> --attribute=lastName=Tete
>> --attribute=email=danteconrad14 at gmail.com
>> 416 ovirt-aaa-jdbc-tool user password-reset
>> julian
>> --password-valid-to="2025-08-15 10:30:00Z"
>> 417 history
>> 418 tail -n 5000 engine.log | grep
>> admin at internal
>> 419 tail -n 5000
>> /var/log/ovirt-engine/engine.log | grep
>> admin at internal
>> 420 ovirt-aaa-jdbc-tool user edit admin
>> --account-valid-from="2015-10-01 00:00:00Z"
>> 421 ovirt-aaa-jdbc-tool user password-reset
>> admin --force
>> --password-valid-to="2100-01-01 00:00:00Z"
>> 422 systemctl restart ovirt-engine.service
>> 423 history
>> 424 ovirt-aaa-jdbc-tool query --what=user
>> 425 updatedb
>> 426 locate internal
>> 427 yum install -y ovirt-engine-cli
>> 428 cd /opt
>> 429 cd /opt/
>>
>>
>>
>> 2016-06-20 13:24 GMT-05:00 Ondra Machacek <omachace at redhat.com>:
>>
>>
>>
>> On 06/20/2016 06:36 PM, Julián Tete wrote:
>>
>> oVirt: 3.6.2
>>
>> Trying to use:
>>
>>
>>
>>
>> https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>>
>> First use:
>>
>> engine-manage-domains add
>> --domain=udistritaloas.edu.co
>> --provider=ipa
>> --user=admin
>> --ldap-servers=freeipa.udistritaloas.edu.co
>>
>>
>> The domain was added, but I can't access the
>> webadmin portal :/
>>
>> I get the message:
>>
>> "User is not authorized to perform this
>> action."
>>
>> In ovirt-cli
>>
>> [401] - Unauthorized
>>
>> tail -n 5000
>> /var/log/ovirt-engine/engine.log | grep
>> admin at internal
>>
>> 2016-06-20 10:52:22,835 ERROR
>>
>>
>>
>>
>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> (default task-32) [] Correlation ID:
>> null, Call
>> Stack:
>> null, Custom
>> Event ID: -1, Message: User admin at internal
>> failed to log in.
>> 2016-06-20 10:52:22,836 WARN
>>
>> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
>> (default
>> task-32)
>> [] CanDoAction of action
>> 'LoginAdminUser' failed
>> for user
>> admin at internal. Reasons:
>> USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>> 2016-06-20 11:00:37,679 ERROR
>>
>>
>>
>>
>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> (default task-3) [] Correlation ID:
>> null, Call
>> Stack: null,
>> Custom Event
>> ID: -1, Message: User admin at internal
>> failed to
>> log in.
>> 2016-06-20 11:00:37,679 WARN
>>
>> [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
>> (default task-3) []
>> CanDoAction of action 'LoginUser' failed
>> for user
>> admin at internal.
>> Reasons:
>> USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>> 2016-06-20 11:01:04,016 ERROR
>>
>>
>>
>>
>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> (default task-4) [] Correlation ID:
>> null, Call
>> Stack: null,
>> Custom Event
>> ID: -1, Message: User admin at internal
>> failed to
>> log in.
>> 2016-06-20 11:01:04,016 WARN
>>
>> [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
>> (default task-4) []
>> CanDoAction of action 'LoginUser' failed
>> for user
>> admin at internal.
>> Reasons:
>> USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>>
>>
>> I am a little bit lost as to what your steps were to get into this
>> state, but it looks like your admin at internal user had its SuperUser
>> permissions removed. I am really not sure how you could achieve
>> that, but to fix it please run the following command:
>>
>> $ su - postgres -c "psql -t engine -c
>> \"insert into
>> permissions
>> values
>> ('0000001b-001b-001b-001b-00000000029f',
>> '00000000-0000-0000-0000-000000000001',
>> 'fdfc627c-d875-11e0-90f0-83df133b58cc',
>> 'aaa00000-0000-0000-0000-123456789aaa', 1);\""
>>
>> This command will add your admin at internal
>> SuperUser
>> permissions on
>> system.
>>
>> Can you please describe what you have done a bit more, so we can
>> understand the problem?
>>
>> Thanks.
>>
>>
>> Properties of Internal domain:
>>
>> cat
>> /etc/ovirt-engine/aaa/internal.properties
>>
>> ovirt.engine.extension.name = internal-authn
>> ovirt.engine.extension.bindings.method =
>> jbossmodule
>>
>> ovirt.engine.extension.binding.jbossmodule.module =
>> org.ovirt.engine.extension.aaa.jdbc
>>
>> ovirt.engine.extension.binding.jbossmodule.class =
>>
>>
>>
>> org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
>> ovirt.engine.extension.provides =
>> org.ovirt.engine.api.extensions.aaa.Authn
>> ovirt.engine.aaa.authn.profile.name = internal
>> ovirt.engine.aaa.authn.authz.plugin =
>> internal-authz
>> config.datasource.file =
>> /etc/ovirt-engine/aaa/internal.properties
>>
>> cat
>> /etc/ovirt-engine/extensions.d/internal-authn.properties
>>
>> ovirt.engine.extension.name = internal-authn
>> ovirt.engine.extension.bindings.method =
>> jbossmodule
>>
>> ovirt.engine.extension.binding.jbossmodule.module =
>> org.ovirt.engine.extension.aaa.jdbc
>>
>> ovirt.engine.extension.binding.jbossmodule.class =
>>
>>
>>
>> org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
>> ovirt.engine.extension.provides =
>> org.ovirt.engine.api.extensions.aaa.Authn
>> ovirt.engine.aaa.authn.profile.name = internal
>> ovirt.engine.aaa.authn.authz.plugin =
>> internal-authz
>> config.datasource.file =
>> /etc/ovirt-engine/aaa/internal.properties
>>
>> cat
>> /etc/ovirt-engine/extensions.d/internal-authz.properties
>>
>> ovirt.engine.extension.name
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20160622/d9307e0b/attachment-0001.html>
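
Added example, not part of the original thread and not oVirt code: the two constraint errors and the delete-then-rename order discussed above, replayed against an in-memory SQLite stand-in for the PostgreSQL engine database. The reduced table layouts and the column names username and object_type_id are assumptions; the ids and constraint names are the ones quoted in the thread.

```python
import sqlite3

# Ids quoted in the thread.
ADMIN = "fdfc627c-d875-11e0-90f0-83df133b58cc"      # original admin user_id / external_id
DUP_ADMIN = "7f300f43-9972-4c0e-bfa9-e86df6f1659f"  # second admin row in internal-authz
JULIAN = "c01c263a-78c5-4524-a94e-c9aa38141ea9"
SUPERUSER = "00000000-0000-0000-0000-000000000001"  # role id
SYSTEM = "aaa00000-0000-0000-0000-123456789aaa"     # object id of the system
SYSTEM_TYPE = 1                                     # object type 1 = system

# Reduced schema (assumption): only the columns needed for the two unique
# constraints named in the error messages, plus username and object_type_id.
SCHEMA = """
CREATE TABLE users (
    user_id TEXT PRIMARY KEY, username TEXT, domain TEXT, external_id TEXT,
    CONSTRAINT users_domain_external_id_unique UNIQUE (domain, external_id));
CREATE TABLE permissions (
    id TEXT PRIMARY KEY, role_id TEXT, ad_element_id TEXT, object_id TEXT,
    object_type_id INTEGER,
    CONSTRAINT idx_combined_ad_role_object
        UNIQUE (ad_element_id, role_id, object_id));
"""

RENAME = "UPDATE users SET domain = 'internal-authz' WHERE user_id = ?"


def build_db():
    """Constructed state modelled on the users/permissions output in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (ADMIN, "admin", "internal", ADMIN),
        (JULIAN, "julian", "internal-authz",
         "1ad3dc19-b15a-493c-9610-2ccdd0dac6af"),
        (DUP_ADMIN, "admin", "internal-authz", ADMIN),
    ])
    conn.execute("INSERT INTO permissions VALUES (?, ?, ?, ?, ?)",
                 ("00000003-0003-0003-0003-00000000009c",
                  SUPERUSER, ADMIN, SYSTEM, SYSTEM_TYPE))
    conn.commit()
    return conn


def superuser_report(conn):
    """(username, domain, holds SuperUser on the system object) per user row."""
    rows = conn.execute(
        """SELECT u.username, u.domain, COUNT(p.id) > 0
           FROM users u LEFT JOIN permissions p
             ON p.ad_element_id = u.user_id AND p.role_id = ?
            AND p.object_id = ? AND p.object_type_id = ?
           GROUP BY u.user_id ORDER BY u.username, u.domain""",
        (SUPERUSER, SYSTEM, SYSTEM_TYPE)).fetchall()
    return [(name, domain, bool(flag)) for name, domain, flag in rows]


def try_sql(conn, sql, params=()):
    """Run one statement; return 'ok' or the constraint error text."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(sql, params)
        return "ok"
    except sqlite3.IntegrityError as exc:
        return str(exc)


def replay_thread():
    conn = build_db()
    steps = {"before": superuser_report(conn)}
    # The grant already exists, so inserting it again hits the
    # (ad_element_id, role_id, object_id) unique constraint.
    steps["insert_grant"] = try_sql(
        conn, "INSERT INTO permissions VALUES (?, ?, ?, ?, ?)",
        ("0000001b-001b-001b-001b-00000000029f",
         SUPERUSER, ADMIN, SYSTEM, SYSTEM_TYPE))
    # Renaming while the duplicate admin row exists hits (domain, external_id).
    steps["rename_first"] = try_sql(conn, RENAME, (ADMIN,))
    # Removing the permission-less duplicate first lets the rename succeed.
    steps["delete_dup"] = try_sql(
        conn, "DELETE FROM users WHERE user_id = ?", (DUP_ADMIN,))
    steps["rename_after"] = try_sql(conn, RENAME, (ADMIN,))
    steps["after"] = superuser_report(conn)
    return steps


if __name__ == "__main__":
    for step, result in replay_thread().items():
        print(step, "->", result)
```

The "before" report is the useful audit view: it shows two admin rows, and only the one in domain internal carries the SuperUser grant.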