[ovirt-users] oVirt AD integration problems

cmc iucounu at gmail.com
Mon Oct 17 11:03:15 UTC 2016


Hi Ondra,

I assigned permissions to an LDAP group and it just needed me to remove
that group and re-add it for it to authorize again.

Yes, the UPN is user@domain in our case. Not a big deal, but is there a
plan to change the display name? I get confused looks
and questions when people log in.

All working now, many thanks once again for all your help!

Cheers,

Cam

On Mon, Oct 17, 2016 at 10:06 AM, Ondra Machacek <omachace at redhat.com>
wrote:

> Hi Cam,
>
> this is OK, because we use the user principal name (UPN)[1] for the
> 'username' field of oVirt. So the resulting username will consist of
> UPN@authz-extension, so if your user's UPN is 'user@domain' and you
> name your authz extension 'domain', then the resulting username
> will be 'user@domain@domain'.
>
> The reason that you can't get authorized is that you didn't assign
> any permissions to your user.
>
> [1] https://msdn.microsoft.com/en-us/library/ms680857(v=vs.85).aspx
>
> On 10/14/2016 04:30 PM, cmc wrote:
>
>> Hi Ondra,
>>
>> It manages to authenticate, but appends the domain again once I'm logged
>> in, for instance, if I log in as user 'cam', it will log me in,
>> and display the login name in the top right corner as
>> 'cam@domain.com@domain.com' (this shows up in the log as well: it
>> shows me logging in as cam@domain.com, but then returns an error as
>> user cam@domain.com@domain.com is not authorized). My thought was
>> that something done earlier when I was playing around with sssd,
>> kerberos and AD is doing this, though I have removed these packages
>> and run authconfig to remove sssd. Any ideas?
>>
>> Cheers,
>>
>> Cam
>>
>> On Thu, Oct 13, 2016 at 2:04 PM, cmc <iucounu at gmail.com> wrote:
>>
>>     Hi Ondra,
>>
>>     That is good to know that we don't need Kerberos - it complicates
>>     things a lot.
>>
>>     I think the errors might be the options I'd selected during the
>>     setup. I was thrown a bit that it passed all the internal tests
>>     provided by the setup script, but failed on the web GUI. When
>>     I've seen 'unspecified GSS failure' and 'peer not authenticated'
>>     it's usually been due to Kerberos (though admittedly these are
>>     just generic errors). So I tried the Red Hat guide for SSO at:
>>
>>     https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html
>>
>>     which uses Kerberos (in ovirt-sso.conf). I had to remove the symlink
>>     to the Apache config it says to create, as it results in internal
>>     server errors in Apache. It uses an SPN for Apache in the keytab.
>>
>>     Now that you've confirmed that it can actually work without any need
>>     for the Kerberos stuff,
>>     I will start afresh from a clean setup and apply what I've learnt
>>     during this process.
>>
>>     I'll try it out and let you know either way.
>>
>>     Many thanks for all the help!
>>
>>     Kind regards,
>>
>>     Cam
>>
>>
>>
>>         Yes, you really do not need anything Kerberos related to
>>         securely bind to AD via LDAP simple bind over TLS/SSL. This is
>>         really strange to me what errors you are getting, but you
>>         probably configured Apache (or something else?) to require
>>         keytab, but you don't have to, and you can remove that
>>         configuration.
>>