Re: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA not working

2017-04-21 Thread Paul
Hi Ondra,
It is over a year since the last message, so I thought let's give this a new
try.
I did set up a new test environment with the latest versions, all RH-family
(CentOS 7.3 with oVirt 4.1).
The oVirt engine works fine with IPA; in the console I can log in with
credentials. But SSO still does not work :-(
Unfortunately the workaround with "authconfig --enablenis --update" breaks
polkit.service and cascades into a lot of other failures, making the VM fail
to boot properly.
Any suggestions?
Regards,
Paul

System setup:
--- Engine
[root@engine ~]# cat /etc/redhat-release 
CentOS Linux release 7.3.1611 (Core) 
[root@engine ~]# uname -a
Linux engine.domain.com 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@engine ~]# rpm -qa | grep ovirt
ovirt-engine-setup-plugin-ovirt-engine-common-4.1.1.8-1.el7.centos.noarch
ovirt-imageio-proxy-1.0.0-0.201701151456.git89ae3b4.el7.centos.noarch
ovirt-iso-uploader-4.0.2-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-4.1.1.8-1.el7.centos.noarch
ovirt-engine-tools-4.1.1.8-1.el7.centos.noarch
ovirt-engine-backend-4.1.1.8-1.el7.centos.noarch
ovirt-engine-extension-aaa-jdbc-1.1.4-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-setup-1.3.1-1.el7.centos.noarch
ovirt-release41-4.1.1.1-1.el7.centos.noarch
ovirt-setup-lib-1.1.0-1.el7.centos.noarch
ovirt-imageio-common-1.0.0-1.el7.noarch
ovirt-engine-sdk-python-3.6.9.1-1.el7.centos.noarch
ovirt-engine-extensions-api-impl-4.1.1.8-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.3.1-1.el7.centos.noarch
ovirt-imageio-proxy-setup-1.0.0-0.201701151456.git89ae3b4.el7.centos.noarch
ovirt-engine-dwh-4.1.1-1.el7.centos.noarch
ovirt-engine-setup-plugin-websocket-proxy-4.1.1.8-1.el7.centos.noarch
ovirt-engine-tools-backup-4.1.1.8-1.el7.centos.noarch
ovirt-engine-setup-4.1.1.8-1.el7.centos.noarch
ovirt-engine-vmconsole-proxy-helper-4.1.1.8-1.el7.centos.noarch
ovirt-engine-dashboard-1.1.0-7.el7.centos.noarch
ovirt-engine-metrics-1.0.2-1.el7.centos.noarch
ovirt-engine-userportal-4.1.1.8-1.el7.centos.noarch
ovirt-engine-dbscripts-4.1.1.8-1.el7.centos.noarch
ovirt-engine-4.1.1.8-1.el7.centos.noarch
ovirt-engine-wildfly-10.1.0-1.el7.x86_64
python-ovirt-engine-sdk4-4.1.3-2.el7.centos.x86_64
ovirt-vmconsole-proxy-1.0.4-1.el7.centos.noarch
ovirt-engine-wildfly-overlay-10.0.0-1.el7.noarch
ovirt-engine-cli-3.6.9.2-1.el7.centos.noarch
ovirt-engine-lib-4.1.1.8-1.el7.centos.noarch
ovirt-host-deploy-java-1.6.3-1.el7.centos.noarch
ovirt-engine-dwh-setup-4.1.1-1.el7.centos.noarch
ovirt-engine-websocket-proxy-4.1.1.8-1.el7.centos.noarch
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.1.1.8-1.el7.centos.noarch
ovirt-engine-webadmin-portal-4.1.1.8-1.el7.centos.noarch
ovirt-engine-restapi-4.1.1.8-1.el7.centos.noarch
ovirt-guest-agent-common-1.0.13-2.el7.noarch
ovirt-host-deploy-1.6.3-1.el7.centos.noarch
ovirt-vmconsole-1.0.4-1.el7.centos.noarch
ovirt-engine-extension-aaa-misc-1.0.1-1.el7.noarch
ovirt-web-ui-0.1.2-4.el7.centos.x86_64
ovirt-engine-setup-base-4.1.1.8-1.el7.centos.noarch

--- IPA
[root@ipa01 log]# cat /etc/redhat-release 
CentOS Linux release 7.3.1611 (Core)
[root@ipa01 log]# uname -a
Linux ipa01.domain.com 3.10.0-514.16.1.el7.x86_64 #1 SMP Wed Apr 12 15:04:24
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@ipa01 log]# rpm -qa | grep ipa
python2-ipalib-4.4.0-14.el7.centos.7.noarch
python2-ipaserver-4.4.0-14.el7.centos.7.noarch
libipa_hbac-1.14.0-43.el7_3.14.x86_64
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-common-4.4.0-14.el7.centos.7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
python-ipaddress-1.0.16-2.el7.noarch
sssd-ipa-1.14.0-43.el7_3.14.x86_64
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
ipa-client-4.4.0-14.el7.centos.7.x86_64
ipa-server-4.4.0-14.el7.centos.7.x86_64
ipa-server-common-4.4.0-14.el7.centos.7.noarch
ipa-admintools-4.4.0-14.el7.centos.7.noarch
ipa-server-dns-4.4.0-14.el7.centos.7.noarch

--- Client
[root@ad01 ~]# cat /etc/redhat-release 
CentOS Linux release 7.3.1611 (Core) 
[root@ad01 ~]# uname -a
Linux ad01.domain.com 3.10.0-514.16.1.el7.x86_64 #1 SMP Wed Apr 12 15:04:24
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@ad01 ~]# rpm -qa | grep ipa
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
python-iniparse-0.4-9.el7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
ipa-client-4.4.0-14.el7.centos.7.x86_64
sssd-ipa-1.14.0-43.el7_3.14.x86_64
python-ipaddress-1.0.16-2.el7.noarch
python2-ipalib-4.4.0-14.el7.centos.7.noarch
ipa-common-4.4.0-14.el7.centos.7.noarch
libipa_hbac-1.14.0-43.el7_3.14.x86_64
[root@ad01 ~]# rpm -qa | grep ovirt
ovirt-guest-agent-pam-module-1.0.13-2.el7.x86_64
ovirt-guest-agent-common-1.0.13-2.el7.noarch
ovirt-guest-agent-gdm-plugin-1.0.13-2.el7.noarch

Relevant logs:
--- client ---
[root@ad01 ~]# vi /var/log/messages
Apr 21 10:07:59 ad01 [sssd[krb5_child[2635]]]: Preauthentication failed
Apr 21 10:07:59 ad01 [sssd[krb5_child[2635]]]: 
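Added example, not part of Paul's post or of the sssd/oVirt projects: a small Python triage routine over guest-side log lines of the two shapes quoted in this thread (pam_sss results for the gdm-ovirtcred service and sssd krb5_child messages). It maps the numeric PAM code to its Linux-PAM name and records whether a Kerberos pre-authentication failure preceded an error 17, so a PAM-stack problem can be told apart from a KDC rejection; the sample log lines are constructed.

```python
"""Triage guest-side SSO log lines of the kinds quoted in this thread.

Added example (not from the thread, sssd or oVirt). Two line shapes are
recognised: pam_sss results ("received for user X: N (text)") and sssd
krb5_child messages. PAM codes are mapped to their Linux-PAM names.
"""
import re
from collections import defaultdict

# Linux-PAM return codes (values from _pam_types.h) relevant to this failure.
PAM_CODES = {
    0: "PAM_SUCCESS",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    17: "PAM_CRED_ERR",  # "Failure setting user credentials"
}

PAM_SSS_RE = re.compile(
    r"pam_sss\((?P<service>[\w-]+):(?P<phase>\w+)\): "
    r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)
KRB5_CHILD_RE = re.compile(r"\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]: (?P<text>.+)$")


def parse_line(line):
    """Return a dict for a relevant line, or None for lines we ignore."""
    m = PAM_SSS_RE.search(line)
    if m:
        code = int(m.group("code"))
        return {"kind": "pam_sss", "service": m.group("service"),
                "phase": m.group("phase"), "user": m.group("user"),
                "code": code, "name": PAM_CODES.get(code, "PAM_CODE_%d" % code),
                "text": m.group("text")}
    m = KRB5_CHILD_RE.search(line)
    if m:
        return {"kind": "krb5_child", "pid": int(m.group("pid")),
                "text": m.group("text").strip()}
    return None


def triage(lines):
    """Classify the last PAM result seen per user; returns {user: verdict}.

    krb5_child messages are attached to the next pam_sss result, which is
    how the two consecutive lines in Paul's /var/log/messages relate.
    """
    pending_krb, per_user = [], defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "krb5_child":
            pending_krb.append(ev["text"])
            continue
        ev["krb5"], pending_krb = pending_krb, []
        per_user[ev["user"]].append(ev)
    verdicts = {}
    for user, events in per_user.items():
        last = events[-1]
        preauth = any("Preauthentication failed" in t for t in last["krb5"])
        if last["code"] == 0:
            verdicts[user] = "ok"
        elif last["code"] == 17 and preauth:
            # The KDC rejected pre-authentication, so the credential handed to
            # sssd was refused upstream of the PAM stack.
            verdicts[user] = "kdc-preauth-rejected (%s)" % last["name"]
        elif last["code"] == 17:
            # Error 17 with no KDC rejection is the 2016 symptom in this thread,
            # which Ondra attributed to the PAM configuration.
            verdicts[user] = "cred-setup-failed (%s)" % last["name"]
        else:
            verdicts[user] = "failed (%s)" % last["name"]
    return verdicts


# Constructed sample lines modelled on the two shapes quoted in the thread.
SAMPLE_LOG = [
    "Apr 21 10:07:59 ad01 [sssd[krb5_child[2635]]]: Preauthentication failed",
    "Apr 21 10:07:59 ad01 gdm-ovirtcred: pam_sss(gdm-ovirtcred:auth): "
    "received for user test6: 17 (Failure setting user credentials)",
    "Apr 21 10:08:30 ad01 sshd[2701]: pam_sss(sshd:auth): authentication success; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=host1 user=test6",
    "Apr 21 10:09:02 ad01 login: pam_sss(login:auth): received for user test7: "
    "7 (Authentication failure)",
]

if __name__ == "__main__":
    for user, verdict in sorted(triage(SAMPLE_LOG).items()):
        print("%s: %s" % (user, verdict))
```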

Re: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA not working

2016-03-20 Thread Paul
Hi Ondra,
Bug 1316135 was new to me and sounds very similar to my issue "(0, 17, ) [Success (Failure setting user credentials)]".
The proposed work-around with "authconfig --enablenis --update" worked for me,
although this creates an issue with the keyring authentication. I can live
with this for the moment, but hopefully the bug can be fixed soon.
Thanks for the quick responses,
Regards,
Paul


Re: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA not working

2016-03-19 Thread Ondra Machacek

Hi Paul,

OK, thanks for the info; then there is an issue in the PAM configuration, most
probably.
There is an open issue for it on RHEL 7; please read this comment[1] and see if
it helps you.

Ondra

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1316135#c3


Re: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA not working

2016-03-19 Thread Paul
Hi Ondra,

Thanks for your reply, unfortunately this does not resolve the issue.
I had already seen this bug and tried it without the -authz appendix (maybe I
should have mentioned that).
I also (maybe wrongfully) assumed that
"ovirt-engine-extension-aaa-ldap-setup" would not have this issue/bug.

Anyway, I changed it (again) to DOMAIN without '-authz' by changing:
/etc/ovirt-engine/extensions.d/DOMAIN-authz.properties =>
ovirt.engine.extension.name = DOMAIN
/etc/ovirt-engine/extensions.d/DOMAIN-authn.properties =>
ovirt.engine.aaa.authn.authz.plugin = DOMAIN
systemctl restart ovirt-engine

By the way: login with IPA users doesn't work anymore; you have to log in
with the internal admin account, remove your IPA users and add them back to
make them work again.

But I still get the error:
pam_sss(gdm-ovirtcred:auth): received for user test6: 17 (Failure setting
user credentials)

Any suggestions?



Re: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA not working

2016-03-19 Thread Ondra Machacek

Hi,

Your authz name should match the Kerberos name.
So please change your authz name from 'DOMAIN-authz' to 'DOMAIN'.

Please see this bz[1] for more detail.

Ondra

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137#c7


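Ondra's rule from the reply above (the authz extension name must equal the Kerberos name, and the authn profile must reference that authz name), applied to the two .properties edits Paul posted, as an added consistency check. This is example code written for this page, not part of the thread or of oVirt; the property file contents and the realm value are constructed samples, with DOMAIN standing in for the real name as it does in the thread.

```python
"""Cross-check oVirt AAA extension names against the Kerberos realm.

Added example (not from the thread or from oVirt). The authz name chosen on
the engine is what the guest side ends up using when the SSO credentials are
handed to sssd, so DOMAIN-authz.properties must carry the same name that the
authn profile references and that the guest's Kerberos realm uses.
"""
import re


def parse_properties(text):
    """Minimal parser for the Java .properties format oVirt uses.

    Handles '#'/'!' comments, 'key = value' and 'key: value', and trailing
    backslash line continuations. Returns a dict of stripped key/value pairs.
    """
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_sso_names(authn_text, authz_text, realm):
    """Return a list of findings; an empty list means the names line up.

    realm is the Kerberos realm the guest joins (e.g. from /etc/krb5.conf);
    the authz extension name is expected to equal it, compared case-sensitively
    because Kerberos realm names are.
    """
    authn = parse_properties(authn_text)
    authz = parse_properties(authz_text)
    findings = []
    authz_name = authz.get("ovirt.engine.extension.name")
    ref = authn.get("ovirt.engine.aaa.authn.authz.plugin")
    if authz_name is None:
        findings.append("authz profile has no ovirt.engine.extension.name")
    if ref is None:
        findings.append("authn profile has no ovirt.engine.aaa.authn.authz.plugin")
    if authz_name is not None and ref is not None and authz_name != ref:
        findings.append("authn references authz '%s' but authz is named '%s'"
                        % (ref, authz_name))
    if authz_name is not None and authz_name != realm:
        findings.append("authz name '%s' does not match Kerberos realm '%s'"
                        % (authz_name, realm))
    if authn.get("ovirt.engine.extension.name") == authz_name:
        # Extension names are identifiers on the engine and must be unique.
        findings.append("authn and authz profiles share the name '%s'" % authz_name)
    return findings


# Constructed samples: the "before" state Paul described (-authz suffix) and
# the corrected one; keys follow the ovirt-engine-extension-aaa-ldap layout.
AUTHN_BEFORE = """\
ovirt.engine.extension.name = DOMAIN-authn
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = DOMAIN
ovirt.engine.aaa.authn.authz.plugin = DOMAIN-authz
config.profile.file.1 = ../aaa/DOMAIN.properties
"""
AUTHZ_BEFORE = """\
ovirt.engine.extension.name = DOMAIN-authz
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/DOMAIN.properties
"""
AUTHN_AFTER = AUTHN_BEFORE.replace("= DOMAIN-authz", "= DOMAIN")
AUTHZ_AFTER = AUTHZ_BEFORE.replace("= DOMAIN-authz", "= DOMAIN")
KRB_REALM = "DOMAIN"  # constructed; the thread uses DOMAIN as a placeholder

if __name__ == "__main__":
    for label, authn, authz in (("before", AUTHN_BEFORE, AUTHZ_BEFORE),
                                ("after", AUTHN_AFTER, AUTHZ_AFTER)):
        findings = check_sso_names(authn, authz, KRB_REALM)
        print(label, "->", findings or "names consistent")
```

Run it against the real files under /etc/ovirt-engine/extensions.d/ by reading them into the two text arguments; the realm comes from the guest's Kerberos configuration.
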
[ovirt-users] Hosted engine Single Sign-On to VM with freeIPA not working

2016-03-19 Thread Paul
Hi,

I am having an issue with getting SSO to work when a standard user (UserRole)
logs in to the UserPortal.

The user has permission to use only this VM, so after login the console is
automatically opened for that VM.

Problem is that it doesn't log in on the VM system with the provided
credentials. Manual login at the console works without any issues.

HBAC-rule check on IPA shows access is granted. Client has SELinux in
permissive mode and a disabled firewalld.

On the client side I do see some PAM related errors in the logs (see details
below). Extensive Google search on error 17 "Failure setting user
credentials" didn't show helpful information :-(

AFAIK this is a pretty standard set-up, all working with RH-family
products. I would expect others to encounter this issue as well.

If someone knows any solution or has some directions to fix this it would be
greatly appreciated.

Thanks,

Paul

--

System setup: I have 3 systems

The connection between the Engine and IPA is working fine. (I can log in
with IPA users etc.) Connection is made according to this document:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html-single/Administration_Guide/index.html#sect-Configuring_an_External_LDAP_Provider

Configuration of the client is done according to this document:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Virtual_Machine_Management_Guide/chap-Additional_Configuration.html#sect-Configuring_Single_Sign-On_for_Virtual_Machines


--- Hosted Engine:
[root@engine ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@engine ~]# uname -a
Linux engine.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@engine ~]# rpm -qa | grep ovirt
ovirt-vmconsole-1.0.0-1.el7.centos.noarch
ovirt-engine-restapi-3.6.2.6-1.el7.centos.noarch
ovirt-setup-lib-1.0.1-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-common-3.6.3.4-1.el7.centos.noarch
ovirt-engine-setup-3.6.3.4-1.el7.centos.noarch
ovirt-image-uploader-3.6.0-1.el7.centos.noarch
ovirt-engine-extension-aaa-jdbc-1.0.5-1.el7.noarch
ovirt-host-deploy-1.4.1-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-setup-1.1.2-1.el7.centos.noarch
ovirt-engine-wildfly-overlay-8.0.4-1.el7.noarch
ovirt-engine-wildfly-8.2.1-1.el7.x86_64
ovirt-vmconsole-proxy-1.0.0-1.el7.centos.noarch
ovirt-engine-tools-3.6.2.6-1.el7.centos.noarch
ovirt-engine-dbscripts-3.6.2.6-1.el7.centos.noarch
ovirt-engine-backend-3.6.2.6-1.el7.centos.noarch
ovirt-engine-3.6.2.6-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.1.2-1.el7.centos.noarch
ovirt-engine-setup-base-3.6.3.4-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-3.6.3.4-1.el7.centos.noarch
ovirt-engine-setup-plugin-websocket-proxy-3.6.3.4-1.el7.centos.noarch
ovirt-engine-vmconsole-proxy-helper-3.6.3.4-1.el7.centos.noarch
ovirt-engine-cli-3.6.2.0-1.el7.centos.noarch
ovirt-host-deploy-java-1.4.1-1.el7.centos.noarch
ovirt-engine-userportal-3.6.2.6-1.el7.centos.noarch
ovirt-engine-webadmin-portal-3.6.2.6-1.el7.centos.noarch
ovirt-guest-agent-common-1.0.11-1.el7.noarch
ovirt-release36-003-1.noarch
ovirt-iso-uploader-3.6.0-1.el7.centos.noarch
ovirt-engine-lib-3.6.3.4-1.el7.centos.noarch
ovirt-engine-sdk-python-3.6.3.0-1.el7.centos.noarch
ovirt-engine-setup-plugin-vmconsole-proxy-helper-3.6.3.4-1.el7.centos.noarch
ovirt-engine-websocket-proxy-3.6.3.4-1.el7.centos.noarch
ovirt-log-collector-3.6.1-1.el7.centos.noarch
ovirt-engine-extensions-api-impl-3.6.3.4-1.el7.centos.noarch

--- FreeIPA:
[root@ipa01 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@ipa01 ~]# uname -a
Linux ipa01.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50
UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@ipa01 ~]# rpm -qa | grep ipa
ipa-python-4.2.0-15.el7_2.6.x86_64
ipa-client-4.2.0-15.el7_2.6.x86_64
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
python-iniparse-0.4-9.el7.noarch
libipa_hbac-1.13.0-40.el7_2.1.x86_64
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-admintools-4.2.0-15.el7_2.6.x86_64
ipa-server-4.2.0-15.el7_2.6.x86_64
ipa-server-dns-4.2.0-15.el7_2.6.x86_64

--- Client:
[root@test06 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@test06 ~]# uname -a
Linux test06.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16
17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@test06 ~]# rpm -qa | grep ipa
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
python-iniparse-0.4-9.el7.noarch
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64
libipa_hbac-1.13.0-40.el7_2.1.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64
device-mapper-multipath-0.4.9-85.el7.x86_64
device-mapper-multipath-libs-0.4.9-85.el7.x86_64
[root@test06 ~]# rpm -qa | grep guest-agent