[ovirt-users] oVirt AD integration problems

cmc iucounu at gmail.com
Thu Oct 13 13:04:43 UTC 2016


Hi Ondra,

That is good to know that we don't need Kerberos - it complicates things a
lot.

I think the errors might be the options I'd selected during the setup. I
was thrown a bit that
it passed all the internal tests provided by the setup script, but failed
on the web GUI. When
I've seen 'unspecified GSS failure' and 'peer not authenticated' it's
usually been due to
Kerberos (though admittedly these are just generic errors). So I tried the
Redhat guide for SSO at:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html

which uses Kerberos (in ovirt-sso.conf) I had to remove the symlink to the
Apache
config it says to create, as it results in internal server errors in
Apache. It uses an SPN for
Apache in the keytab.

Now that you've confirmed that it can actually work without any need for
the Kerberos stuff,
I will start afresh from a clean setup and apply what I've learnt during
this process.

I'll try it out and let you know either way.

Many thanks for all the help!

Kind regards,

Cam



> Yes, you really do not need anything kerberos related to securely bind
> to AD via LDAP simple bind over TLS/SSL. This is really strange to me
> what errors you are getting, but you probably configured apache (or
> something else?) to require keytab, but you don't have to, and you can
> remove that configuration.
>
>
>> Thanks,
>>
>> Cam
>>
>>
>>
>>
>>         Thanks,
>>
>>         Cam
>>
>>         _______________________________________________
>>
>>                 Users mailing list
>>                 Users at ovirt.org <mailto:Users at ovirt.org>
>>         <mailto:Users at ovirt.org <mailto:Users at ovirt.org>>
>>                 http://lists.ovirt.org/mailman/listinfo/users
>>         <http://lists.ovirt.org/mailman/listinfo/users>
>>                 <http://lists.ovirt.org/mailman/listinfo/users
>>         <http://lists.ovirt.org/mailman/listinfo/users>>
>>
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20161013/39c228f4/attachment-0001.html>


More information about the Users mailing list