[ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting
omachace at redhat.com
Fri Sep 30 13:45:47 UTC 2016
'/etc/httpd/s-oVirt-Krb.keytab' is apache keytab, you can't try to test
login with it. You should try something like `kinit myuser` and then
curl. And be sure that 'myuser' has appropriate permissions in oVirt.
Do you have properly setup your browser and enabled negotiation (for
example for firefox )?
On 09/30/2016 03:34 PM, aleksey.maksimov at it-kb.ru wrote:
> # kinit -V -k -t /etc/httpd/s-oVirt-Krb.keytab HTTP/kom-ad01-ovirt1.ad.holding.com
> Using existing cache: persistent:0:0
> Using principal: HTTP/kom-ad01-ovirt1.ad.holding.com at AD.HOLDING.COM
> Using keytab: /etc/httpd/s-oVirt-Krb.keytab
> Authenticated to Kerberos v5
> # klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: HTTP/kom-ad01-ovirt1.ad.holding.com at AD.HOLDING.COM
> Valid starting Expires Service principal
> 09/30/2016 16:28:02 10/01/2016 02:28:02 krbtgt/AD.HOLDING.COM at AD.HOLDING.COM
> renew until 10/07/2016 16:28:02
> # curl --negotiate -u : -X GET -H "Accept: application/xml" -k https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
> However, if I open this URL (https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api) in browser it opens without errors and authorization requests
> # tail -f /var/log/httpd/ssl_error_log
> # tail -f /var/log/ovirt-engine/engine.log
> In the logs nothing in that moment when I open the portal in the browser.
> 30.09.2016, 15:52, "Ondra Machacek" <omachace at redhat.com>:
>> So if you run kinit and then:
>> $ curl --negotiate -u : -X GET -H "Accept: application/xml" -k
>> It's fine?
>>> Please tell me how to find the cause of the problem. What are the steps to troubleshooting to do?
>> On oVirt engine check:
>> On AD check kerberos log.
>>> Users mailing list
>>> Users at ovirt.org
More information about the Users