[ovirt-users] oVirt AD integration problems
Ondra Machacek
omachace at redhat.com
Mon Oct 17 05:06:40 EDT 2016
Hi Cam,
this is OK, because we use user principal name(UPN)[1] for the
'username' field of the oVirt. So the result username will consist of
UPN at authz-extension, so if your user's UPN is 'user at domain' and you
will name your authz extension as 'domain', then the result username
will be 'user at domain@domain'.
The problem, that you can't get authorized is that you didn't assigned
any permissions to your user.
[1] https://msdn.microsoft.com/en-us/library/ms680857(v=vs.85).aspx
On 10/14/2016 04:30 PM, cmc wrote:
> Hi Ondra,
>
> It manages to authenticate, but appends the domain again once I'm logged
> in, for instance, if I log in as user 'cam', it will log me in,
> and display the login name in the top right corner as
> 'cam at domain.com@domain.com <http://domain.com>' (this shows up in the
> log as well: it shows me
> logging in as cam at domain.com <mailto:cam at domain.com>, but then returns
> an error as user cam at domain.com@domain.com <http://domain.com> is not
> authorized). My thought was
> that something done earlier when I was playing around with sssd,
> kerberos and AD is doing this, though I have removed these packages
> and run authconfig to remove sssd. Any ideas?
>
> Cheers,
>
> Cam
>
> On Thu, Oct 13, 2016 at 2:04 PM, cmc <iucounu at gmail.com
> <mailto:iucounu at gmail.com>> wrote:
>
> Hi Ondra,
>
> That is good to know that we don't need Kerberos - it complicates
> things a lot.
>
> I think the errors might be the options I'd selected during the
> setup. I was thrown a bit that
> it passed all the internal tests provided by the setup script, but
> failed on the web GUI. When
> I've seen 'unspecified GSS failure' and 'peer not authenticated'
> it's usually been due to
> Kerberos (though admittedly these are just generic errors). So I
> tried the Redhat guide for SSO at:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html
> <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html>
>
> which uses Kerberos (in ovirt-sso.conf) I had to remove the symlink
> to the Apache
> config it says to create, as it results in internal server errors in
> Apache. It uses an SPN for
> Apache in the keytab.
>
> Now that you've confirmed that it can actually work without any need
> for the Kerberos stuff,
> I will start afresh from a clean setup and apply what I've learnt
> during this process.
>
> I'll try it out and let you know either way.
>
> Many thanks for all the help!
>
> Kind regards,
>
> Cam
>
>
>
> Yes, you really do not need anything kerberos related to
> securely bind
> to AD via LDAP simple bind over TLS/SSL. This is really strange
> to me
> what errors you are getting, but you probably configured apache (or
> something else?) to require keytab, but you don't have to, and
> you can
> remove that configuration.
>
>
> Thanks,
>
> Cam
>
>
>
>
> Thanks,
>
> Cam
>
> _______________________________________________
>
> Users mailing list
> Users at ovirt.org <mailto:Users at ovirt.org>
> <mailto:Users at ovirt.org <mailto:Users at ovirt.org>>
> <mailto:Users at ovirt.org <mailto:Users at ovirt.org>
> <mailto:Users at ovirt.org <mailto:Users at ovirt.org>>>
>
> http://lists.ovirt.org/mailman/listinfo/users
> <http://lists.ovirt.org/mailman/listinfo/users>
> <http://lists.ovirt.org/mailman/listinfo/users
> <http://lists.ovirt.org/mailman/listinfo/users>>
>
> <http://lists.ovirt.org/mailman/listinfo/users
> <http://lists.ovirt.org/mailman/listinfo/users>
> <http://lists.ovirt.org/mailman/listinfo/users
> <http://lists.ovirt.org/mailman/listinfo/users>>>
>
>
>
>
>
More information about the Users
mailing list