[ovirt-users] Samba 4 Active Directory & ovirt 4

Ondra Machacek omachace at redhat.com
Wed Sep 21 10:16:27 UTC 2016 

On 09/21/2016 12:03 PM, Maxence Sartiaux wrote:
> Hello,
>
> I try to connect ovirt 4.0.3 to my Samba 4.5 Active Directory to permit
> the login of AD users to ovirt.
>
> For now i installed ovirt-engine-extension-aaa-ldap-setup.noarch
> and ovirt-engine-extension-aaa-misc.noarch
>
> # ovirt-engine-extension-aaa-ldap-setup
> - selected "Active Directory"
> - Anonymous search user
>
> I can run a search but when i try to login with the username alone
> "testuser" -> error "CREDENTIALS_INCORRECT", if i login with the
> user+domain "testuser at abc.lan <mailto:testuser at abc.lan>" my auth succeed
> but -> "Cannot resolve principal 'testuser at abc.lan'"
>
>
> # ovirt-engine-extensions-tool aaa login-user --profile=abc.lan
> --user-name=testuser <mailto:--user-name=testuser at abc.lan>
>
> ...
> 2016-09-21 09:53:29 INFO    API:
> <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='abc.lan'
> result=CREDENTIALS_INCORRECT
> 2016-09-21 09:53:29 SEVERE  Authn.Result code is: CREDENTIALS_INCORRECT
>
> # ovirt-engine-extensions-tool aaa login-user --profile=abc.lan
> --user-name=testuser at abc.lan
>
> ...
> 2016-09-21 09:52:02 INFO    API:
> -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD
> principal='testuser at abc.lan <mailto:principal='msartiaux at abc.lan>'
> 2016-09-21 09:52:02 SEVERE  Cannot resolve principal 'testuser at abc.lan'
>
>
> After some search i configured the mapping plugin to automaticaly add
> @abc.lan to the user like that i don't need to add the @abc.lan to
> connect but still the same error, cannot resolve principal ...
>
> /# cat /etc/ovirt-engine/extensions.d/mapping-suffix.properties/
>
> ovirt.engine.extension.name = mapping-suffix
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> ovirt.engine.extension.provides =
> org.ovirt.engine.api.extensions.aaa.Mapping
> config.mapUser.type = regex
> config.mapUser.regex.pattern = ^(?<user>[^@]*)$
> config.mapUser.regex.replacement = ${user}@abc.lan <mailto:${user}@abc.lan>
> config.mapUser.regex.mustMatch = false
>
> /# cat /etc/ovirt-engine/extensions.d/mapping-suffix.properties/
>
> ...
> ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
>
> Any ideas ?

What's the user principal name of the user 'testuser'?
You can check out as follows:

  $ ldapsearch -x -b 'DC=abc,DC=lan -H 'ldap://abc.lan' 
'sAMAccountName=testuser' userPrincipalName

Is it indeed 'testuser at abc.lan' or different? If different then you need 
to use that UPN.

Anyway debug log of test tool of login command would be helpful.

  $ ovirt-engine-extensions-tool --log-level=FINEST 
--log-file=/tmp/aaa.log aaa login-user --profile=abc.lan 
--user-name=testuser

>
> Thank you.
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>

More information about the Users mailing list