[ovirt-users] Ovirt and active directory integration

Ondra Machacek omachace at redhat.com
Wed Oct 26 17:43:07 UTC 2016 

On 10/26/2016 12:01 PM, nicola.gentile.to wrote:
> Hi,
> I would like to submit a problem with active directory authentication.
> Let me make an introduction.
> Actually my infrastructure consists in 1 manager and 2 nodes (version
> 4.0.4).
> The active directory forest consists in many subdomains.
> In the active directory forest there are 2 type of accounts:
> -1- normal users, this account is similar to name.surname at domain.it
> -2- particular users, this account is similar to s123456 at subdomain.domain.it
>
> Important note: the subdomain of the account type 2 is an alias domain
> for example:
>
>         s123456 at subdomain.domain.it is an alias of s123456 at domain.it
>
> When I do login from user portal:
>
> - with normal users I login correctly and I can start the vm without problem
> - with particular users I login correctly but I can not start the vm
> although I have permissions. To solve this problem I must insert the
> account in the db of ovirt from administration portal in the users tab
>
> I noticed that, with a particular users (s123456 at subdomain.domain.it),
> the ovirt infrastructure does not automatically insert this account in
> the own db.

We do not insert those users in database only in case they are member
of group which is added in system. But once you log in with this user
it should inherit all permissions of the group which is member of.

So can you please double check the group which those users are members
has appropriate permissions to start the VM?

You can also see what groups are resolved by oVirt engine to specific 
user by running following command:

  $ ovirt-engine-extensions-tool aaa login-user 
--user-name=s123456 at subdomain.domain.it --profile=domain.it

You could also hit this bug:

  https://bugzilla.redhat.com/show_bug.cgi?id=1336707

What's the groups scopes?

>
> Also the subdomain.domain.it is not in the list of the subdomains of the
> forest, perhaps it is for this reason that does not work properly.
>
> I deduced that is an active directory problem (that in not resolvable
> for the complexity of the AD infrastructure), I ask you if exist a
> script for insert of many accounts at one time. Something like:
>
>     script.sh < list-users.txt

Something like this[1] should work for you. I didn't test it. Note it 
uses oVirt Python SDK version4. Which can be downloaded from pip as follows:

  pip install ovirt-engine-sdk-python


But I wouldn't do it and would rather find the root cause as I think 
this is issue on oVirt side.

[1] https://paste.fedoraproject.org/461499/

>
> where the file lists-users.txt consists of a sequential list of accounts
> like this:
>
>     s000001 at subdomain.polito.it
>     s000002 at subdomain.polito.it
>     s000003 at subdomain.polito.it
>     s000004 at subdomain.polito.it
>
> Thank you very much for your help
>
> Nicola
>
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>

More information about the Users mailing list