> I just did a clean install of oVirt 4.3.1 (engine and nodes).
>
> I set up AD authentication and gave an AD group the permissions needed to work with VMs. I gave them PowerUserRole on the Cluster and Storage.
>
> Users in the AD group can log in and create VMs but after they log out and log back in they don't see any of the VMs created in the previous session.
>
> I noticed that in Administration -> Users a new row is created for each user every time they log in. All columns for each user are the same: same first and last name, same user name, authorization provider, and so on, but the behavior looks very much like they are being treated as a new user every time they log in.
I have observed the same behaviour with oVirt 4.3.XY.

Delving deeper, in the oVirt engine 'users' table, external_id is *not* being set for AD users as documented in (e.g.) engines/packaging/dbscripts/common_sp.sql: "The external identifier is the user identifier converted to an array of bytes:"

oVirt 4.3.0:

    username    | user_id                              | external_id
    user@domain | f3de0b27-c2a0-463b-a2ff-d480bd88c77f | ece7b8c2-4983-4c1e-9a33-c28d58d40213

And under oVirt 4.2.8 for comparison:

    username    | user_id                              | external_id
    user@domain | 364d176e-8813-4e67-bdd0-dc10b823d23c | af5bbg/eTkuktBPXW4Ak5g==

Further information on replicating the issue:

1) Configure LDAP authentication:
   https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html#configuring-an-external-ldap-provider

2) Add an LDAP group via the Administration Portal: Administration >> Users > 'Add' button, click the 'Group' radio-button, select the relevant LDAP authorization provider in the drop-down list under 'Search', enter the LDAP group in the search text-box then click 'GO'. The found group should appear below. Select the toggle-button to the left of the group then click 'Add and Close'.

3) Add SuperUser system permission for the LDAP group. Back under Administration >> Users, click the 'Group' button if groups are not already displayed. Click on the LDAP group added in the previous step then click 'Permissions' -> 'Add System Permissions'.

4) Log into the Administration Portal as an LDAP group member. Log out then log back into the Administration Portal as a member of the LDAP group specified above. Login should be successful because that user will inherit the SuperUser system permission, but note the following issue:
   - under Administration >> Users, a 'User' icon is displayed for the LDAP user rather than an 'Admin' icon. This is in contrast to 4.2.8, where an Admin icon would be displayed.

5) Repeat step 4 above. If you log out then log back into the Administration Portal as the same member of the LDAP group specified above then check Administration >> Users, an additional user entry appears: same First Name, Last Name, Authorization provider, Namespace and E-mail.

_______________________________________________
Users mailing list -- users@ovirt.org
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/PC2JLU65QED36MLLN7I5BJEPYEADKUO2/
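As an added example (not code from the thread or from oVirt), the following Python check runs over rows in the shape of the engine 'users' columns quoted above and flags the two symptoms reported: an external_id that is not in the documented base64 byte-array form, and a username that has more than one row. The second 4.3 row is constructed; rendering a 16-byte external_id as a GUID assumes the little-endian field layout Active Directory uses for objectGUID, which the thread does not state.

```python
import base64
import uuid
from collections import defaultdict

# Rows in the shape of the engine 'users' columns quoted in the thread
# (username | user_id | external_id). The first 4.3 row is the one from the
# report; the second is a constructed row standing in for the duplicate
# entry created on the next login.
ROWS_43 = [
    ("user@domain", "f3de0b27-c2a0-463b-a2ff-d480bd88c77f",
     "ece7b8c2-4983-4c1e-9a33-c28d58d40213"),
    ("user@domain", "00000000-0000-4000-8000-000000000001",   # constructed
     "00000000-0000-4000-8000-000000000002"),                 # constructed
]
ROWS_428 = [
    ("user@domain", "364d176e-8813-4e67-bdd0-dc10b823d23c",
     "af5bbg/eTkuktBPXW4Ak5g=="),
]


def decode_external_id(external_id):
    """Return the raw bytes of a base64 external_id, or None when the value
    is empty or not base64 (e.g. a UUID string, as seen on 4.3)."""
    if not external_id:
        return None
    try:
        return base64.b64decode(external_id, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def external_id_as_guid(external_id):
    """Render a 16-byte external_id as a GUID. Assumption, not stated in the
    thread: the bytes use the little-endian layout AD uses for objectGUID."""
    raw = decode_external_id(external_id)
    if raw is None or len(raw) != 16:
        return None
    return str(uuid.UUID(bytes_le=raw))


def find_problems(rows):
    """Flag the two symptoms from the report: external_id values that are not
    in the documented byte-array form, and usernames with more than one row."""
    bad_external = [user_id for _, user_id, ext in rows
                    if decode_external_id(ext) is None]
    by_name = defaultdict(list)
    for username, user_id, _ in rows:
        by_name[username].append(user_id)
    duplicates = {n: ids for n, ids in by_name.items() if len(ids) > 1}
    return bad_external, duplicates
```

Fed the output of a `SELECT username, user_id, external_id FROM users;` export, a healthy engine yields no flagged rows, while the 4.3 rows above are flagged on both counts.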