[ovirt-users] oVirt AD integration problems

Karli Sjöberg karli.sjoberg at slu.se
Fri Oct 14 20:43:44 UTC 2016


On 14 Oct 2016 at 4:30 PM, cmc <iucounu at gmail.com> wrote:
>
> Hi Ondra,
>
> It manages to authenticate, but appends the domain again once I'm logged in, for instance, if I log in as user 'cam', it will log me in,
> and display the login name in the top right corner as 'cam at domain.com@domain.com' (this shows up in the log as well: it shows me
> logging in as cam at domain.com, but then returns an error as user cam at domain.com@domain.com is not authorized). My thought was
> that something done earlier when I was playing around with sssd, kerberos and AD is doing this, though I have removed these packages
> and run authconfig to remove sssd. Any ideas?

Can't say why, but it's the same for us. It's unsightly, kindly put.

/K

>
> Cheers,
>
> Cam
>
> On Thu, Oct 13, 2016 at 2:04 PM, cmc <iucounu at gmail.com> wrote:
>>
>> Hi Ondra,
>>
>> That is good to know that we don't need Kerberos - it complicates things a lot.
>>
>> I think the errors might be the options I'd selected during the setup. I was thrown a bit that
>> it passed all the internal tests provided by the setup script, but failed on the web GUI. When
>> I've seen 'unspecified GSS failure' and 'peer not authenticated' it's usually been due to
>> Kerberos (though admittedly these are just generic errors). So I tried the Red Hat guide for SSO at:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html
>>
>> which uses Kerberos (in ovirt-sso.conf). I had to remove the symlink to the Apache
>> config it says to create, as it results in internal server errors in Apache. It uses an SPN for
>> Apache in the keytab.
>>
>> Now that you've confirmed that it can actually work without any need for the Kerberos stuff,
>> I will start afresh from a clean setup and apply what I've learnt during this process.
>>
>> I'll try it out and let you know either way.
>>
>> Many thanks for all the help!
>>
>> Kind regards,
>>
>> Cam
>>
>>
>>>
>>> Yes, you really do not need anything Kerberos-related to securely bind
>>> to AD via LDAP simple bind over TLS/SSL. It is really strange to me
>>> what errors you are getting, but you probably configured Apache (or
>>> something else?) to require a keytab, but you don't have to, and you can
>>> remove that configuration.
>>>
>>>>
>>>> Thanks,
>>>>
>>>> Cam
>>>>
>>
>