Re: [ovirt-users] FreeIPA with ovirt 4.1

2017-02-10 Thread Slava Bendersky
Hello Ondra, 
I tried to increase logging and the command failed

"outcome" => "failed", 
"failure-description" => "WFLYCTL0216: Management resource '[ 
(\"subsystem\" => \"logging\"), 
(\"logger\" => \"org.ovirt.engine.core.sso\") 
]' not found", 
"rolled-back" => true 
} 


Slava, 


From: "Ondra Machacek" <omach...@redhat.com> 
To: "Slava Bendersky" <volga...@networklab.ca> 
Cc: "users" <users@ovirt.org> 
Sent: Thursday, February 9, 2017 2:31:16 PM 
Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1 

Can you please enable DEBUG log of the SSO package and try login and 
then share the logs, please? 

You can enable the debug log as follows (use admin@internal password):

/usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh \
  --controller=127.0.0.1:8706 --connect --user=admin@internal \
  "/subsystem=logging/logger=org.ovirt.engine.core.sso:add" &&
/usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh \
  --controller=127.0.0.1:8706 --connect --user=admin@internal \
  "/subsystem=logging/logger=org.ovirt.engine.core.sso:write-attribute(name=level,value=DEBUG)"

After tests you can disable it later as follows:

$ /usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh \
  --controller=127.0.0.1:8706 --connect --user=admin@internal \
  "/subsystem=logging/logger=org.ovirt.engine.core.sso:remove"

On Thu, Feb 9, 2017 at 3:08 PM, Slava Bendersky <volga...@networklab.ca> wrote: 
> Hello Everyone, 
> Anything else possible to check ? 
> 
> Slava. 
> 
>  
> From: "Slava Bendersky" <volga...@networklab.ca> 
> To: "Ondra Machacek" <omach...@redhat.com> 
> Cc: "users" <users@ovirt.org> 
> Sent: Saturday, February 4, 2017 2:27:31 PM 
> 
> Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1 
> 
> Hello Ondra, 
> Log is empty 
> 
> [root@vhe00 ~]# ls -la /var/log/httpd/ssl_error_log 
> -rw-r--r--. 1 root root 0 Feb 2 04:45 /var/log/httpd/ssl_error_log 
> 
> Slava. 
> 
> ____ 
> From: "Ondra Machacek" <omach...@redhat.com> 
> To: "Slava Bendersky" <volga...@networklab.ca> 
> Cc: "users" <users@ovirt.org>, "Ravi" <rn...@redhat.com> 
> Sent: Saturday, February 4, 2017 10:35:31 AM 
> Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1 
> 
> 
> 
> On Feb 4, 2017 1:21 AM, "Slava Bendersky" <volga...@networklab.ca> wrote: 
> 
> Hello Everyone, 
> Having trouble implementing FreeIPA authentication with GSSAPI SSO and ovirt
> 4.1. I ran setup and it finished OK, then it wrote the files below. Next I
> logged in to web admin with the internal user and added a FreeIPA user with
> the SuperUser role. Also I added under System a FreeIPA group authorized to
> log in. On any attempt to log in with FreeIPA credentials I get this message:
> 
> 
> 2017-02-04 00:03:08,464Z ERROR 
> [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-6) 
> [] Internal Server Error: Unsupported command 
> 2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] 
> (default task-6) [] Unsupported command 
> 2017-02-04 00:03:08,659Z ERROR 
> [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-3) [] 
> server_error: Unsupported command 
> 
> 
> Ravi, do you know what this can cause? 
> 
> 
> 
> Also, the extensions.d directory contains the following files. If I remove
> mydomain.lan-authn.properties, then the FreeIPA domain does not show up in
> the drop-down list in the web UI. The http ones don't have any influence on
> this.
>
>
> That is correct behavior, we don't show profiles which use http for authn.
> 
> 
> [root@vhe00 extensions.d]# pwd 
> /etc/ovirt-engine/extensions.d 
> 
> [root@vhe00 extensions.d]# ls 
> mydomain.lan-authn.properties mydomain.lan-http-authn.properties 
> mydomain.lan.properties internal-authz.properties 
> mydomain.lan-authz.properties mydomain.lan-http-mapping.properties 
> internal-authn.properties 
> [root@vhe00 extensions.d]# 
> 
> 
> If possible, please clarify how it should be and what the possible issue is.
> 
> 
> Can you please take a look to /var/log/httpd/ssl_error_log if any errors 
> there? 
> 
> 
> 
> 
> Slava. 
> 
> ___ 
> Users mailing list 
> Users@ovirt.org 
> http://lists.ovirt.org/mailman/listinfo/users 
> 
> 
> 


Re: [ovirt-users] FreeIPA with ovirt 4.1

2017-02-09 Thread Slava Bendersky
Hello Everyone, 
Anything else possible to check ? 

Slava. 


From: "Slava Bendersky" <volga...@networklab.ca> 
To: "Ondra Machacek" <omach...@redhat.com> 
Cc: "users" <users@ovirt.org> 
Sent: Saturday, February 4, 2017 2:27:31 PM 
Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1 

Hello Ondra, 
Log is empty 

[root@vhe00 ~]# ls -la /var/log/httpd/ssl_error_log 
-rw-r--r--. 1 root root 0 Feb 2 04:45 /var/log/httpd/ssl_error_log 

Slava. 


From: "Ondra Machacek" <omach...@redhat.com> 
To: "Slava Bendersky" <volga...@networklab.ca> 
Cc: "users" <users@ovirt.org>, "Ravi" <rn...@redhat.com> 
Sent: Saturday, February 4, 2017 10:35:31 AM 
Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1 



On Feb 4, 2017 1:21 AM, "Slava Bendersky" <volga...@networklab.ca> wrote:

> Hello Everyone,
> Having trouble implementing FreeIPA authentication with GSSAPI SSO and ovirt
> 4.1. I ran setup and it finished OK, then it wrote the files below. Next I
> logged in to web admin with the internal user and added a FreeIPA user with
> the SuperUser role. Also I added under System a FreeIPA group authorized to
> log in. On any attempt to log in with FreeIPA credentials I get this message:
>
> 2017-02-04 00:03:08,464Z ERROR
> [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-6) []
> Internal Server Error: Unsupported command
> 2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.utils.SsoUtils]
> (default task-6) [] Unsupported command
> 2017-02-04 00:03:08,659Z ERROR
> [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-3) []
> server_error: Unsupported command

Ravi, do you know what this can cause?

> Also, the extensions.d directory contains the following files. If I remove
> mydomain.lan-authn.properties, then the FreeIPA domain does not show up in
> the drop-down list in the web UI. The http ones don't have any influence on
> this.

That is correct behavior, we don't show profiles which use http for authn.

> [root@vhe00 extensions.d]# pwd
> /etc/ovirt-engine/extensions.d
>
> [root@vhe00 extensions.d]# ls
> mydomain.lan-authn.properties mydomain.lan-http-authn.properties
> mydomain.lan.properties internal-authz.properties
> mydomain.lan-authz.properties mydomain.lan-http-mapping.properties
> internal-authn.properties
> [root@vhe00 extensions.d]#
>
> If possible, please clarify how it should be and what the possible issue is.

Can you please take a look to /var/log/httpd/ssl_error_log if any errors there?

> Slava.



Re: [ovirt-users] FreeIPA with ovirt 4.1

2017-02-04 Thread Slava Bendersky
Hello Ondra, 
Log is empty 

[root@vhe00 ~]# ls -la /var/log/httpd/ssl_error_log 
-rw-r--r--. 1 root root 0 Feb 2 04:45 /var/log/httpd/ssl_error_log 

Slava. 


From: "Ondra Machacek" <omach...@redhat.com> 
To: "Slava Bendersky" <volga...@networklab.ca> 
Cc: "users" <users@ovirt.org>, "Ravi" <rn...@redhat.com> 
Sent: Saturday, February 4, 2017 10:35:31 AM 
Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1 



On Feb 4, 2017 1:21 AM, "Slava Bendersky" <volga...@networklab.ca> wrote:

> Hello Everyone,
> Having trouble implementing FreeIPA authentication with GSSAPI SSO and ovirt
> 4.1. I ran setup and it finished OK, then it wrote the files below. Next I
> logged in to web admin with the internal user and added a FreeIPA user with
> the SuperUser role. Also I added under System a FreeIPA group authorized to
> log in. On any attempt to log in with FreeIPA credentials I get this message:
>
> 2017-02-04 00:03:08,464Z ERROR
> [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-6) []
> Internal Server Error: Unsupported command
> 2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.utils.SsoUtils]
> (default task-6) [] Unsupported command
> 2017-02-04 00:03:08,659Z ERROR
> [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-3) []
> server_error: Unsupported command

Ravi, do you know what this can cause?

> Also, the extensions.d directory contains the following files. If I remove
> mydomain.lan-authn.properties, then the FreeIPA domain does not show up in
> the drop-down list in the web UI. The http ones don't have any influence on
> this.

That is correct behavior, we don't show profiles which use http for authn.

> [root@vhe00 extensions.d]# pwd
> /etc/ovirt-engine/extensions.d
>
> [root@vhe00 extensions.d]# ls
> mydomain.lan-authn.properties mydomain.lan-http-authn.properties
> mydomain.lan.properties internal-authz.properties
> mydomain.lan-authz.properties mydomain.lan-http-mapping.properties
> internal-authn.properties
> [root@vhe00 extensions.d]#
>
> If possible, please clarify how it should be and what the possible issue is.

Can you please take a look to /var/log/httpd/ssl_error_log if any errors there?

> Slava.



[ovirt-users] FreeIPA with ovirt 4.1

2017-02-03 Thread Slava Bendersky
Hello Everyone, 
Having trouble implementing FreeIPA authentication with GSSAPI SSO and ovirt
4.1. I ran setup and it finished OK, then it wrote the files below. Next I
logged in to web admin with the internal user and added a FreeIPA user with
the SuperUser role. Also I added under System a FreeIPA group authorized to
log in. On any attempt to log in with FreeIPA credentials I get this message:


2017-02-04 00:03:08,464Z ERROR 
[org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-6) [] 
Internal Server Error: Unsupported command 
2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] 
(default task-6) [] Unsupported command 
2017-02-04 00:03:08,659Z ERROR 
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-3) [] 
server_error: Unsupported command 


Also, the extensions.d directory contains the following files. If I remove
mydomain.lan-authn.properties, then the FreeIPA domain does not show up in
the drop-down list in the web UI. The http ones don't have any influence on
this.

[root@vhe00 extensions.d]# pwd 
/etc/ovirt-engine/extensions.d 

[root@vhe00 extensions.d]# ls 
mydomain.lan-authn.properties mydomain.lan-http-authn.properties
mydomain.lan.properties internal-authz.properties
mydomain.lan-authz.properties mydomain.lan-http-mapping.properties
internal-authn.properties
[root@vhe00 extensions.d]# 


If possible, please clarify how it should be and what the possible issue is.



Slava. 


Re: [ovirt-users] PM proxy

2017-01-18 Thread Slava Bendersky
Hello Everyone, 
How to troubleshoot it further ? 

Slava 


From: "volga629" <volga...@skillsearch.ca> 
To: "Martin Perina" <mper...@redhat.com> 
Cc: "users" <users@ovirt.org> 
Sent: Monday, January 16, 2017 2:17:00 PM 
Subject: Re: [ovirt-users] PM proxy 

Hello Everyone, 
All what I see on debug 

2017-01-16 18:15:16,316 DEBUG [org.ovirt.engine.core.bll.pm.FenceProxyLocator] 
(default task-64) [] Evaluating host 'ovirt00.domain.com' 
2017-01-16 18:15:16,362 DEBUG [org.ovirt.engine.core.bll.pm.FenceProxyLocator] 
(default task-64) [] Evaluating host 'ovirt00.domain.com' 
2017-01-16 18:15:16,362 ERROR [org.ovirt.engine.core.bll.pm.FenceProxyLocator] 
(default task-64) [] Can not run fence action on host 'hosted_engine_1', no 
suitable proxy host was found. 


Slava. 



From: "volga629" <volga...@skillsearch.ca> 
To: "Martin Perina" <mper...@redhat.com> 
Cc: "users" <users@ovirt.org> 
Sent: Friday, January 13, 2017 11:52:17 AM 
Subject: Re: [ovirt-users] PM proxy 

Hello Martin, 
Thank you for reply, I will post more detail soon. 

Slava. 


From: "Martin Perina" <mper...@redhat.com> 
To: "Slava Bendersky" <volga...@networklab.ca> 
Cc: "users" <users@ovirt.org> 
Sent: Friday, January 13, 2017 2:17:28 AM 
Subject: Re: [ovirt-users] PM proxy 

Hi Slava, 

do you have at least one other host in the same cluster or DC which doesn't
have connection issues (in status Up or Maintenance)?
If so, please turn on debug logging for the power management part using the
following command:

/usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh --controller=127.0.0.1:8706 --connect --user=admin@internal

and enter the following inside the jboss-cli command prompt:

/subsystem=logging/logger=org.ovirt.engine.core.bll.pm:add
/subsystem=logging/logger=org.ovirt.engine.core.bll.pm:write-attribute(name=level,value=DEBUG)
quit

Afterwards you will see more details in engine.log on why other hosts were
rejected during the fence proxy selection process.

Btw the above debug log changes are not permanent, they will be reverted on
ovirt-engine restart or by using the following command:

/usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh --controller=127.0.0.1:8706 --connect --user=admin@internal \
  '/subsystem=logging/logger=org.ovirt.engine.core.bll.pm:remove'


Regards 

Martin Perina 


On Thu, Jan 12, 2017 at 4:42 PM, Slava Bendersky <volga...@networklab.ca> wrote:

Hello Everyone,
I need help with this error. What is possibly missing or misconfigured?

2017-01-12 05:17:31,444 ERROR [org.ovirt.engine.core.bll.pm.FenceProxyLocator]
(default task-38) [] Can not run fence action on host 'hosted_engine_1', no
suitable proxy host was found

I tried from shell on host and it works fine. 
Right now settings default dc, cluster from PM proxy definition. 
Slava. 



Re: [ovirt-users] PM proxy

2017-01-16 Thread Slava Bendersky
Hello Everyone, 
All what I see on debug 

2017-01-16 18:15:16,316 DEBUG [org.ovirt.engine.core.bll.pm.FenceProxyLocator] 
(default task-64) [] Evaluating host 'ovirt00.domain.com' 
2017-01-16 18:15:16,362 DEBUG [org.ovirt.engine.core.bll.pm.FenceProxyLocator] 
(default task-64) [] Evaluating host 'ovirt00.domain.com' 
2017-01-16 18:15:16,362 ERROR [org.ovirt.engine.core.bll.pm.FenceProxyLocator] 
(default task-64) [] Can not run fence action on host 'hosted_engine_1', no 
suitable proxy host was found. 


Slava. 



From: "volga629" <volga...@skillsearch.ca> 
To: "Martin Perina" <mper...@redhat.com> 
Cc: "users" <users@ovirt.org> 
Sent: Friday, January 13, 2017 11:52:17 AM 
Subject: Re: [ovirt-users] PM proxy 

Hello Martin, 
Thank you for reply, I will post more detail soon. 

Slava. 


From: "Martin Perina" <mper...@redhat.com> 
To: "Slava Bendersky" <volga...@networklab.ca> 
Cc: "users" <users@ovirt.org> 
Sent: Friday, January 13, 2017 2:17:28 AM 
Subject: Re: [ovirt-users] PM proxy 

Hi Slava, 

do you have at least one other host in the same cluster or DC which doesn't
have connection issues (in status Up or Maintenance)?
If so, please turn on debug logging for the power management part using the
following command:

/usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh --controller=127.0.0.1:8706 --connect --user=admin@internal

and enter the following inside the jboss-cli command prompt:

/subsystem=logging/logger=org.ovirt.engine.core.bll.pm:add
/subsystem=logging/logger=org.ovirt.engine.core.bll.pm:write-attribute(name=level,value=DEBUG)
quit

Afterwards you will see more details in engine.log on why other hosts were
rejected during the fence proxy selection process.

Btw the above debug log changes are not permanent, they will be reverted on
ovirt-engine restart or by using the following command:

/usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh --controller=127.0.0.1:8706 --connect --user=admin@internal \
  '/subsystem=logging/logger=org.ovirt.engine.core.bll.pm:remove'


Regards 

Martin Perina 


On Thu, Jan 12, 2017 at 4:42 PM, Slava Bendersky <volga...@networklab.ca> wrote:

Hello Everyone,
I need help with this error. What is possibly missing or misconfigured?

2017-01-12 05:17:31,444 ERROR [org.ovirt.engine.core.bll.pm.FenceProxyLocator]
(default task-38) [] Can not run fence action on host 'hosted_engine_1', no
suitable proxy host was found

I tried from shell on host and it works fine. 
Right now settings default dc, cluster from PM proxy definition. 
Slava. 



Re: [ovirt-users] PM proxy

2017-01-15 Thread Slava Bendersky
Hello Martin, 
Thank you for reply, I will post more detail soon. 

Slava. 


From: "Martin Perina" <mper...@redhat.com> 
To: "Slava Bendersky" <volga...@networklab.ca> 
Cc: "users" <users@ovirt.org> 
Sent: Friday, January 13, 2017 2:17:28 AM 
Subject: Re: [ovirt-users] PM proxy 

Hi Slava, 

do you have at least one other host in the same cluster or DC which doesn't
have connection issues (in status Up or Maintenance)?
If so, please turn on debug logging for the power management part using the
following command:

/usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh --controller=127.0.0.1:8706 --connect --user=admin@internal

and enter the following inside the jboss-cli command prompt:

/subsystem=logging/logger=org.ovirt.engine.core.bll.pm:add
/subsystem=logging/logger=org.ovirt.engine.core.bll.pm:write-attribute(name=level,value=DEBUG)
quit

Afterwards you will see more details in engine.log on why other hosts were
rejected during the fence proxy selection process.

Btw the above debug log changes are not permanent, they will be reverted on
ovirt-engine restart or by using the following command:

/usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh --controller=127.0.0.1:8706 --connect --user=admin@internal \
  '/subsystem=logging/logger=org.ovirt.engine.core.bll.pm:remove'


Regards 

Martin Perina 


On Thu, Jan 12, 2017 at 4:42 PM, Slava Bendersky <volga...@networklab.ca> wrote:

Hello Everyone,
I need help with this error. What is possibly missing or misconfigured?

2017-01-12 05:17:31,444 ERROR [org.ovirt.engine.core.bll.pm.FenceProxyLocator]
(default task-38) [] Can not run fence action on host 'hosted_engine_1', no
suitable proxy host was found

I tried from shell on host and it works fine. 
Right now settings default dc, cluster from PM proxy definition. 
Slava. 



[ovirt-users] PM proxy

2017-01-12 Thread Slava Bendersky
Hello Everyone, 
I need help with this error. What is possibly missing or misconfigured?

2017-01-12 05:17:31,444 ERROR [org.ovirt.engine.core.bll.pm.FenceProxyLocator] 
(default task-38) [] Can not run fence action on host 'hosted_engine_1', no 
suitable proxy host was found 

I tried from shell on host and it works fine. 
Right now settings default dc, cluster from PM proxy definition. 
Slava. 