<div dir="ltr"><div><div>Thanks Ondra :)<br></div><div><br>With the command:<br><br>su - postgres -c "psql -t engine -c \"insert into permissions values ('0000001b-001b-001b-001b-00000000029f', '00000000-0000-0000-0000-000000000001', 'fdfc627c-d875-11e0-90f0-83df133b58cc', 'aaa00000-0000-0000-0000-123456789aaa', 1);\""<br><br></div>I get:<br><br>ERROR: duplicate key value violates unique constraint "idx_combined_ad_role_object"<br>DETAIL: Key (ad_element_id, role_id, object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc, 00000000-0000-0000-0000-000000000001, aaa00000-0000-0000-0000-123456789aaa) already exists.<br><br></div>History<br><br> 261 yum install ovirt-engine-extension-aaa-ldap<br> 262 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/<br> 263 cd /etc/ovirt-engine/<br> 264 ll<br> 265 vim profile1.properties<br> 266 ll<br> 267 cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/<br> 268 cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/<br> 269 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/<br> 270 ll<br> 271 cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/<br> 272 cd /etc/ovirt-engine/extensions.d/<br> 273 ll<br> 274 find / -type f -iname profile1.properties<br> 275 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/aaa/<br> 276 find / -type f -iname profile1.properties<br> 277 vim /etc/ovirt-engine/aaa/profile1.properties<br> 278 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties<br> 279 chmod 600 /etc/ovirt-engine/aaa/profile1.properties<br> 280 systemctl restart ovirt-engine<br> 281 vim /etc/ovirt-engine/extensions.d/profile1-authn.properties<br> 282 cd /usr/share/<br> 283 ls<br> 284 cd ovirt-engine-aaa-ldap<br> 285 ls<br> 286 cd ovirt-engine-extension-aaa-ldap/<br> 287 ls<br> 288 cd 
examples/<br> 289 ls<br> 290 cd ad<br> 291 ls<br> 292 cd extensions.d/<br> 293 ls<br> 294 vim profile1-authn.properties<br> 295 pwd<br> 296 cd ..<br> 297 pwd<br> 298 cd ..<br> 299 ls<br> 300 cd simple<br> 301 ls<br> 302 cd aaa/<br> 303 ls<br> 304 vim profile1.properties<br> 305 pwd<br> 306 rm -rf /etc/ovirt-engine/aaa/profile1.properties<br> 307 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties /etc/ovirt-engine/aaa/<br> 308 vim /etc/ovirt-engine/aaa/profile1.properties<br> 309 history<br> 310 chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties<br> 311 chmod 600 /etc/ovirt-engine/aaa/profile1.properties<br> 312 systemctl restart ovirt-engine<br> 313 updatedb<br> 314 locate domain1-authn.properties<br> 315 history<br> 316 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/<br> 317 ll<br> 318 cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/<br> 319 ls<br> 320 cd extensions.d/<br> 321 ls<br> 322 pwd<br> 323 cd /etc/ovirt-engine/extensions.d/<br> 324 ls<br> 325 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/ /etc/ovirt-engine/extensions.d/<br> 326 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/<br> 327 rm -rf /etc/ovirt-engine/extensions.d/profile1-authn.properties<br> 328 rm -rf /etc/ovirt-engine/extensions.d/profile1-authz.properties<br> 329 cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/<br> 330 ll<br> 331 history<br> 332 chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*<br> 333 chmod 600 /etc/ovirt-engine/extensions.d/*<br> 334 ll<br> 335 cd extensions.d/<br> 336 ll<br> 337 cd<br> 338 engine-config -s SASL_QOP=auth<br> 339 systemctl restart ovirt-engine<br> 340 engine-manage-domains add --domain=<a href="http://udistritaloas.edu.co">udistritaloas.edu.co</a> --provider=ipa --user=admin --ldap-servers=<a 
href="http://freeipa.udistritaloas.edu.co">freeipa.udistritaloas.edu.co</a><br> 341 systemctl restart ovirt-engine<br> 342 engine-manage-domains list<br> 343 history<br> 344 cd /etc/ovirt-engine/extensions.d/<br> 345 ll<br> 346 rm -rf internal-authn.properties<br> 347 rm -rf internal-authz.properties<br> 348 rm -rf profile1-authn.properties<br> 349 rm -rf profile1-authz.properties<br> 350 history<br> 351 cd /etc/ovirt-engine/aaa/<br> 352 ll<br> 353 rm -rf profile1.properties<br> 354 vim internal.properties<br> 355 systemctl restart ovirt-engine<br> 356 ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"<br> 357 ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"<br> 358 engine-config -s AdminPassword=interactive<br> 359 ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"<br> 360 systemctl restart ovirt-engine<br> 361 exit<br> 362 cd /etc/ovirt-engine/aaa/<br> 363 ll<br> 364 vim internal.properties<br> 365 /etc/ovirt-engine/extensions.d/<br> 366 cd /etc/ovirt-engine/extensions.d/<br> 367 ll<br> 368 cd extensions.d/<br> 369 ll<br> 370 pwd<br> 371 ll<br> 372 cd ..<br> 373 ll<br> 374 cd ..<br> 375 ll<br> 376 cd /etc/ovirt-engine/extensions.d/<br> 377 ll<br> 378 cd extensions.d/<br> 379 ll<br> 380 pwd<br> 381 ll<br> 382 cd ..<br> 383 ll<br> 384 systemctl restart ovirt-engine.service<br> 385 ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"<br> 386 ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"<br> 387 systemctl restart ovirt-engine.service<br> 388 ovirt-aaa-jdbc-tool user password-reset admin@internal --password-valid-to="2100-01-01 00:00:00Z"<br> 389 yum install -y ovirt-engine-extension-aaa-jdbc<br> 390 engine-setup<br> 391 ovirt-aaa-jdbc-tool user show admin<br> 392 ovirt-aaa-jdbc-tool settings show<br> 393 cd /var/log<br> 394 ll<br> 395 cd ovirt-engine<br> 396 ll<br> 397 tail -f n 100 ui.log<br> 398 
ll<br> 399 tail -f -n engine.log<br> 400 tail -f -n 1000 engine.log<br> 401 tail -n 5000 engine.log | grep admin@internal<br> 402 ovirt-aaa-jdbc-tool user show admin<br> 403 ovirt-aaa-jdbc-tool user show admin@internal<br> 404 ovirt-aaa-jdbc-tool query --what=user<br> 405 engine-config -s AdminPassword=interactive<br> 406 vim /etc/ovirt-engine/extension.d/internal-authn.properties<br> 407 vim /etc/ovirt-engine/extensions.d/internal-authn.properties<br> 408 cd /etc/ovirt-engine/extensions.d/<br> 409 ll<br> 410 vim /etc/ovirt-engine/aaa/internal.properties<br> 411 cd /etc/ovirt-engine/aaa/<br> 412 ll<br> 413 vim internal.properties<br> 414 pwd<br> 415 ovirt-aaa-jdbc-tool user add julian --attribute=firstName=Julian --attribute=lastName=Tete --attribute=email=<a href="mailto:danteconrad14@gmail.com">danteconrad14@gmail.com</a><br> 416 ovirt-aaa-jdbc-tool user password-reset julian --password-valid-to="2025-08-15 10:30:00Z"<br> 417 history<br> 418 tail -n 5000 engine.log | grep admin@internal<br> 419 tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal<br> 420 ovirt-aaa-jdbc-tool user edit admin --account-valid-from="2015-10-01 00:00:00Z"<br> 421 ovirt-aaa-jdbc-tool user password-reset admin --force --password-valid-to="2100-01-01 00:00:00Z"<br> 422 systemctl restart ovirt-engine.service<br> 423 history<br> 424 ovirt-aaa-jdbc-tool query --what=user<br> 425 updatedb<br> 426 locate internal<br> 427 yum install -y ovirt-engine-cli<br> 428 cd /opt<br> 429 cd /opt/<br><br><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-06-20 13:24 GMT-05:00 Ondra Machacek <span dir="ltr"><<a href="mailto:omachace@redhat.com" target="_blank">omachace@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 06/20/2016 06:36 PM, Julián Tete wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
oVirt: 3.6.2<br>
<br>
Trying to use:<br>
<br>
<a href="https://github.com/machacekondra/ovirt-engine-kerbldap-migration" rel="noreferrer" target="_blank">https://github.com/machacekondra/ovirt-engine-kerbldap-migration</a><br>
<br>
First use:<br>
<br>
engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co<br></span><div><div class="h5"><br>
<br>
The domain was added, but I can't access the webadmin portal :/<br>
<br>
I get the message:<br>
<br>
"User is not authorized to perform this action."<br>
<br>
In ovirt-cli<br>
<br>
[401] - Unauthorized<br>
<br>
tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal<br>
<br>
2016-06-20 10:52:22,835 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-32) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.<br>
2016-06-20 10:52:22,836 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32) [] CanDoAction of action 'LoginAdminUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION<br>
2016-06-20 11:00:37,679 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-3) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.<br>
2016-06-20 11:00:37,679 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION<br>
2016-06-20 11:01:04,016 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-4) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal failed to log in.<br>
2016-06-20 11:01:04,016 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) [] CanDoAction of action 'LoginUser' failed for user admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION<br>
</div></div></blockquote>
<br>
I am a little bit lost as to what your steps were to get into this state, but it looks like your admin@internal user had its SuperUser permissions removed. I am really not sure how you could have achieved that, but to fix it please run the following command:<br>
<br>
$ su - postgres -c "psql -t engine -c \"insert into permissions values ('0000001b-001b-001b-001b-00000000029f', '00000000-0000-0000-0000-000000000001', 'fdfc627c-d875-11e0-90f0-83df133b58cc', 'aaa00000-0000-0000-0000-123456789aaa', 1);\""<br>
<br>
This command will give your admin@internal user SuperUser permissions on the system.<br>
<br>
Can you please describe what you have done in a bit more detail, so we can understand the problem?<br>
<br>
Thanks.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
<br>
Properties of Internal domain:<br>
<br>
cat /etc/ovirt-engine/aaa/internal.properties<br>
<br>
</span><span class="">ovirt.engine.extension.name = internal-authn<br>
ovirt.engine.extension.bindings.method = jbossmodule<br>
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc<br>
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension<br>
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn<br>
ovirt.engine.aaa.authn.profile.name = internal<br>
ovirt.engine.aaa.authn.authz.plugin = internal-authz<br>
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties<br>
<br>
cat /etc/ovirt-engine/extensions.d/internal-authn.properties<br>
<br>
</span><span class="">ovirt.engine.extension.name = internal-authn<br>
ovirt.engine.extension.bindings.method = jbossmodule<br>
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc<br>
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension<br>
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn<br>
ovirt.engine.aaa.authn.profile.name = internal<br>
ovirt.engine.aaa.authn.authz.plugin = internal-authz<br>
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties<br>
<br>
cat /etc/ovirt-engine/extensions.d/internal-authz.properties<br>
<br>
</span>ovirt.engine.extension.name = internal-authz<br><div><div class="h5">
ovirt.engine.extension.bindings.method = jbossmodule<br>
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc<br>
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension<br>
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz<br>
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties<br>
<br>
Properties of admin@internal user:<br>
<br>
ovirt-aaa-jdbc-tool user show admin<br>
<br>
-- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --<br>
Namespace: *<br>
Name: admin<br>
ID: fdfc627c-d875-11e0-90f0-83df133b58cc<br>
Display Name:<br>
Email:<br>
First Name: admin<br>
Last Name:<br>
Department:<br>
Title:<br>
Description:<br>
Account Disabled: false<br>
Account Unlocked At: 1970-01-01 00:00:00Z<br>
Account Valid From: 2015-10-01 00:00:00Z<br>
Account Valid To: 2100-01-01 00:00:00Z<br>
Account Without Password: false<br>
Last successful Login At: 2016-06-20 16:01:03Z<br>
Last unsuccessful Login At: 2016-06-19 16:53:07Z<br>
Password Valid To: 2100-01-01 00:00:00Z<br>
<br>
Can I assign privileges to the user? Any idea?<br>
<br>
<br></div></div>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
<br>
</blockquote>
</blockquote></div><br></div>