[ovirt-users] oVirt AD integration problems

cmc iucounu at gmail.com
Fri Oct 14 10:30:14 EDT 2016


Hi Ondra,

It manages to authenticate, but appends the domain again once I'm logged
in, for instance, if I log in as user 'cam', it will log me in,
and display the login name in the top right corner as 'cam at domain.com@
domain.com' (this shows up in the log as well: it shows me
logging in as cam at domain.com, but then returns an error as user
cam at domain.com@domain.com is not authorized). My thought was
that something done earlier when I was playing around with sssd, kerberos
and AD is doing this, though I have removed these packages
and run authconfig to remove sssd. Any ideas?

Cheers,

Cam

On Thu, Oct 13, 2016 at 2:04 PM, cmc <iucounu at gmail.com> wrote:

> Hi Ondra,
>
> That is good to know that we don't need Kerberos - it complicates things a
> lot.
>
> I think the errors might be the options I'd selected during the setup. I
> was thrown a bit that
> it passed all the internal tests provided by the setup script, but failed
> on the web GUI. When
> I've seen 'unspecified GSS failure' and 'peer not authenticated' it's
> usually been due to
> Kerberos (though admittedly these are just generic errors). So I tried the
> Redhat guide for SSO at:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_
> Enterprise_Virtualization/3.6/html/Administration_Guide/
> Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html
>
> which uses Kerberos (in ovirt-sso.conf) I had to remove the symlink to the
> Apache
> config it says to create, as it results in internal server errors in
> Apache. It uses an SPN for
> Apache in the keytab.
>
> Now that you've confirmed that it can actually work without any need for
> the Kerberos stuff,
> I will start afresh from a clean setup and apply what I've learnt during
> this process.
>
> I'll try it out and let you know either way.
>
> Many thanks for all the help!
>
> Kind regards,
>
> Cam
>
>
>
>> Yes, you really do not need anything kerberos related to securely bind
>> to AD via LDAP simple bind over TLS/SSL. This is really strange to me
>> what errors you are getting, but you probably configured apache (or
>> something else?) to require keytab, but you don't have to, and you can
>> remove that configuration.
>>
>>
>>> Thanks,
>>>
>>> Cam
>>>
>>>
>>>
>>>
>>>         Thanks,
>>>
>>>         Cam
>>>
>>>         _______________________________________________
>>>
>>>                 Users mailing list
>>>                 Users at ovirt.org <mailto:Users at ovirt.org>
>>>         <mailto:Users at ovirt.org <mailto:Users at ovirt.org>>
>>>                 http://lists.ovirt.org/mailman/listinfo/users
>>>         <http://lists.ovirt.org/mailman/listinfo/users>
>>>                 <http://lists.ovirt.org/mailman/listinfo/users
>>>         <http://lists.ovirt.org/mailman/listinfo/users>>
>>>
>>>
>>>
>>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20161014/6b6b74c9/attachment.html>


More information about the Users mailing list