[ovirt-users] Troubleshooting Windows SSO

2015-07-25 Thread Cristian Mammoli

Hi, I can't get SSO in the spice console to work
The engine is linked to a windows AD domain and users logon work fine
In the vms I configured a gpo to enable SAS:

Disable or enable software Secure Attention Sequence: Enabled
Set which software is allowed to generate the Secure Attention Sequence: Services and Ease of Access applications

Anyway SSO does not work, when I open the spice console as a user I'm 
presented with the usual Windows login screen

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Troubleshooting Windows SSO

2015-07-24 Thread Cristian Mammoli
Hi, again. I'm new to ovirt so please tell me what logs you need. 
Where is the agent log? I see nothing in the windows security log. And 
the vdsm log? In the host where the vm is running?


Ty

On 24/07/2015 13:43, Vinzenz Feenstra wrote:

On 07/24/2015 01:33 PM, Alon Bar-Lev wrote:


- Original Message -

From: "Cristian Mammoli" 
To: "Alon Bar-Lev" 
Cc: users@ovirt.org
Sent: Friday, July 24, 2015 1:00:46 PM
Subject: Re: [ovirt-users] Troubleshooting Windows SSO

Are you referring to this: http://www.ovirt.org/Features/AAA ?

I only configured the engine with "engine-manage-domains" isn't it enough?

engine-manage-domain is obsoleted since 3.5, please upgrade to the 
new provider which performs much better.


if you use this legacy provider, the name of the provider matches the 
name of the domain, the bug will not be manifested.



Anyway this is engine.log:

2015-07-24 11:59:42,337 INFO
[org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2)
Running command: LoginUserCommand internal: false.
2015-07-24 11:59:42,348 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom
Event ID: -1, Message: User c.mamm...@apra.it logged in.
2015-07-24 11:59:44,364 INFO
[org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--127.0.0.1-8702-9)
[44b9b110] Running command: SetVmTicketCommand internal: false. Entities
affected :  ID: 01453005-cbcf-47b1-a066-015777d158b5 Type: VMAction
group CONNECT_TO_VM with role type USER
2015-07-24 11:59:44,370 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
(ajp--127.0.0.1-8702-9) [44b9b110] START, SetVmTicketVDSCommand(HostName
= kvm02, HostId = 4aeb8095-1198-4afe-aab2-d9c6408c88c2,
vmId=01453005-cbcf-47b1-a066-015777d158b5, ticket=rdFW/mdMiBxO,
validTime=120,m userName=c.mammoli,
userId=d69d8d20-68b7-4fed-9c08-5c2ecb257583), log id: 25c99c46
2015-07-24 11:59:44,412 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
(ajp--127.0.0.1-8702-9) [44b9b110] FINISH, SetVmTicketVDSCommand, log
id: 25c99c46
2015-07-24 11:59:44,436 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-9) [44b9b110] Correlation ID: 44b9b110, Call Stack:
null, Custom Event ID: -1, Message: user c.mamm...@apra.it initiated
console session for VM TestPoolMan-1
2015-07-24 11:59:44,610 WARN
[org.ovirt.engine.core.dal.job.ExecutionMessageDirector]
(ajp--127.0.0.1-8702-3) [27c3ee74] The message key VmLogon is missing
from bundles/ExecutionMessages
2015-07-24 11:59:44,637 INFO [org.ovirt.engine.core.bll.VmLogonCommand]
(ajp--127.0.0.1-8702-3) [27c3ee74] Running command: VmLogonCommand
internal: false. Entities affected :  ID:
01453005-cbcf-47b1-a066-015777d158b5 Type: VMAction group CONNECT_TO_VM
with role type USER
2015-07-24 11:59:44,642 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
(ajp--127.0.0.1-8702-3) [27c3ee74] START, VmLogonVDSCommand(HostName =
kvm02, HostId = 4aeb8095-1198-4afe-aab2-d9c6408c88c2,
vmId=01453005-cbcf-47b1-a066-015777d158b5, domain=apra.it,
password=**, userName=c.mamm...@apra.it), log id: 6bf25e51

this^ is good, so now should provide the guest agent log.

I am not sure that this is good, the userName contains here also the 
domain, and the domain separately.

I am curious about the VDSM logs here as well.

I would assume that the result of this would be something like: 
apra.it\c.mamm...@apra.it in Windows which does seem wrong to me.





2015-07-24 11:59:44,652 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
(ajp--127.0.0.1-8702-3) [27c3ee74] FINISH, VmLogonVDSCommand, log id:
6bf25e51
2015-07-24 11:59:58,888 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(DefaultQuartzScheduler_Worker-63) Correlation ID: null, Call Stack:
null, Custom Event ID: -1, Message: User c.mamm...@apra.it is connected
to VM TestPoolMan-1.

On 24/07/2015 11:02, Alon Bar-Lev wrote:

Any log will be helpful, engine side and guest agent side.

Also, please note this bug[1], due to incorrect assumptions in
implementation, your authz provider name must match the active directory
name in order for password delegation to work properly.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137

- Original Message -







--
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)



Re: [ovirt-users] Troubleshooting Windows SSO

2015-07-24 Thread Vinzenz Feenstra

On 07/24/2015 01:33 PM, Alon Bar-Lev wrote:


- Original Message -

From: "Cristian Mammoli" 
To: "Alon Bar-Lev" 
Cc: users@ovirt.org
Sent: Friday, July 24, 2015 1:00:46 PM
Subject: Re: [ovirt-users] Troubleshooting Windows SSO

Are you referring to this: http://www.ovirt.org/Features/AAA ?

I only configured the engine with "engine-manage-domains" isn't it enough?

engine-manage-domain is obsoleted since 3.5, please upgrade to the new provider 
which performs much better.

if you use this legacy provider, the name of the provider matches the name of 
the domain, the bug will not be manifested.


Anyway this is engine.log:

2015-07-24 11:59:42,337 INFO
[org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2)
Running command: LoginUserCommand internal: false.
2015-07-24 11:59:42,348 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom
Event ID: -1, Message: User c.mamm...@apra.it logged in.
2015-07-24 11:59:44,364 INFO
[org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--127.0.0.1-8702-9)
[44b9b110] Running command: SetVmTicketCommand internal: false. Entities
affected :  ID: 01453005-cbcf-47b1-a066-015777d158b5 Type: VMAction
group CONNECT_TO_VM with role type USER
2015-07-24 11:59:44,370 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
(ajp--127.0.0.1-8702-9) [44b9b110] START, SetVmTicketVDSCommand(HostName
= kvm02, HostId = 4aeb8095-1198-4afe-aab2-d9c6408c88c2,
vmId=01453005-cbcf-47b1-a066-015777d158b5, ticket=rdFW/mdMiBxO,
validTime=120,m userName=c.mammoli,
userId=d69d8d20-68b7-4fed-9c08-5c2ecb257583), log id: 25c99c46
2015-07-24 11:59:44,412 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
(ajp--127.0.0.1-8702-9) [44b9b110] FINISH, SetVmTicketVDSCommand, log
id: 25c99c46
2015-07-24 11:59:44,436 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-9) [44b9b110] Correlation ID: 44b9b110, Call Stack:
null, Custom Event ID: -1, Message: user c.mamm...@apra.it initiated
console session for VM TestPoolMan-1
2015-07-24 11:59:44,610 WARN
[org.ovirt.engine.core.dal.job.ExecutionMessageDirector]
(ajp--127.0.0.1-8702-3) [27c3ee74] The message key VmLogon is missing
from bundles/ExecutionMessages
2015-07-24 11:59:44,637 INFO [org.ovirt.engine.core.bll.VmLogonCommand]
(ajp--127.0.0.1-8702-3) [27c3ee74] Running command: VmLogonCommand
internal: false. Entities affected :  ID:
01453005-cbcf-47b1-a066-015777d158b5 Type: VMAction group CONNECT_TO_VM
with role type USER
2015-07-24 11:59:44,642 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
(ajp--127.0.0.1-8702-3) [27c3ee74] START, VmLogonVDSCommand(HostName =
kvm02, HostId = 4aeb8095-1198-4afe-aab2-d9c6408c88c2,
vmId=01453005-cbcf-47b1-a066-015777d158b5, domain=apra.it,
password=**, userName=c.mamm...@apra.it), log id: 6bf25e51

this^ is good, so now should provide the guest agent log.

I am not sure that this is good, the userName contains here also the 
domain, and the domain separately.

I am curious about the VDSM logs here as well.

I would assume that the result of this would be something like: 
apra.it\c.mamm...@apra.it in Windows which does seem wrong to me.





2015-07-24 11:59:44,652 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
(ajp--127.0.0.1-8702-3) [27c3ee74] FINISH, VmLogonVDSCommand, log id:
6bf25e51
2015-07-24 11:59:58,888 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(DefaultQuartzScheduler_Worker-63) Correlation ID: null, Call Stack:
null, Custom Event ID: -1, Message: User c.mamm...@apra.it is connected
to VM TestPoolMan-1.

On 24/07/2015 11:02, Alon Bar-Lev wrote:

Any log will be helpful, engine side and guest agent side.

Also, please note this bug[1], due to incorrect assumptions in
implementation, your authz provider name must match the active directory
name in order for password delegation to work properly.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137

- Original Message -





--
Regards,

Vinzenz Feenstra | Senior Software Engineer
RedHat Engineering Virtualization R & D
Phone: +420 532 294 625
IRC: vfeenstr or evilissimo

Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com
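
The combination questioned in the reply above (a userName already in user@realm form sent together with a separate domain), as an added example that is not part of the original thread or of oVirt's code: it re-joins hard-wrapped engine.log records and reports the identity fields of each VmLogonVDSCommand call. The log lines, user names, domain and ids are constructed placeholders, and whether the guest agent then builds a wrong Windows logon name remains the thread's open question.

```python
import re

# Constructed sample, modelled on the engine.log format quoted in this thread
# and hard-wrapped the same way; users, domain, host and ids are placeholders.
SAMPLE_LOG = """\
2015-07-24 11:59:42,337 INFO
[org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2)
Running command: LoginUserCommand internal: false.
2015-07-24 11:59:44,642 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
(ajp--127.0.0.1-8702-3) [bbbb2222] START, VmLogonVDSCommand(HostName =
host01, HostId = 00000000-0000-0000-0000-000000000001,
vmId=00000000-0000-0000-0000-0000000000aa, domain=example.test,
password=**, userName=jdoe@example.test), log id: 22222222
2015-07-24 12:05:10,101 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
(ajp--127.0.0.1-8702-4) [cccc3333] START, VmLogonVDSCommand(HostName =
host01, HostId = 00000000-0000-0000-0000-000000000001,
vmId=00000000-0000-0000-0000-0000000000cc, domain=example.test,
password=**, userName=asmith), log id: 33333333
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\b")
LOGON = re.compile(r"START, VmLogonVDSCommand\((.*?)\), log id")
PAIR = re.compile(r"(\w+)\s*=\s*([^,]*)")

def join_records(text):
    """Re-join hard-wrapped lines: a new record starts at each timestamp."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def vm_logon_calls(text):
    """Return the identity fields of every VmLogonVDSCommand START record."""
    calls = []
    for record in join_records(text):
        m = LOGON.search(record)
        if not m:
            continue
        args = {k: v.strip() for k, v in PAIR.findall(m.group(1))}
        args.pop("password", None)  # never carry the credential field along
        user, domain = args.get("userName", ""), args.get("domain", "")
        calls.append({
            "time": record[:23],
            "vmId": args.get("vmId"),
            "domain": domain,
            "userName": user,
            # True when userName is already user@realm and a domain is also sent
            "upn_with_domain": "@" in user and bool(domain),
        })
    return calls
```

Calling `vm_logon_calls()` on the text of a real engine.log gives one entry per console logon attempt, which can be lined up by timestamp with the guest agent and VDSM logs requested in the thread.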



Re: [ovirt-users] Troubleshooting Windows SSO

2015-07-24 Thread Alon Bar-Lev


- Original Message -
> From: "Cristian Mammoli" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Friday, July 24, 2015 1:00:46 PM
> Subject: Re: [ovirt-users] Troubleshooting Windows SSO
> 
> Are you referring to this: http://www.ovirt.org/Features/AAA ?
> 
> I only configured the engine with "engine-manage-domains" isn't it enough?

engine-manage-domain is obsoleted since 3.5, please upgrade to the new provider 
which performs much better.

if you use this legacy provider, the name of the provider matches the name of 
the domain, the bug will not be manifested.

> 
> Anyway this is engine.log:
> 
> 2015-07-24 11:59:42,337 INFO
> [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2)
> Running command: LoginUserCommand internal: false.
> 2015-07-24 11:59:42,348 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom
> Event ID: -1, Message: User c.mamm...@apra.it logged in.
> 2015-07-24 11:59:44,364 INFO
> [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--127.0.0.1-8702-9)
> [44b9b110] Running command: SetVmTicketCommand internal: false. Entities
> affected :  ID: 01453005-cbcf-47b1-a066-015777d158b5 Type: VMAction
> group CONNECT_TO_VM with role type USER
> 2015-07-24 11:59:44,370 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
> (ajp--127.0.0.1-8702-9) [44b9b110] START, SetVmTicketVDSCommand(HostName
> = kvm02, HostId = 4aeb8095-1198-4afe-aab2-d9c6408c88c2,
> vmId=01453005-cbcf-47b1-a066-015777d158b5, ticket=rdFW/mdMiBxO,
> validTime=120,m userName=c.mammoli,
> userId=d69d8d20-68b7-4fed-9c08-5c2ecb257583), log id: 25c99c46
> 2015-07-24 11:59:44,412 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
> (ajp--127.0.0.1-8702-9) [44b9b110] FINISH, SetVmTicketVDSCommand, log
> id: 25c99c46
> 2015-07-24 11:59:44,436 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-9) [44b9b110] Correlation ID: 44b9b110, Call Stack:
> null, Custom Event ID: -1, Message: user c.mamm...@apra.it initiated
> console session for VM TestPoolMan-1
> 2015-07-24 11:59:44,610 WARN
> [org.ovirt.engine.core.dal.job.ExecutionMessageDirector]
> (ajp--127.0.0.1-8702-3) [27c3ee74] The message key VmLogon is missing
> from bundles/ExecutionMessages
> 2015-07-24 11:59:44,637 INFO [org.ovirt.engine.core.bll.VmLogonCommand]
> (ajp--127.0.0.1-8702-3) [27c3ee74] Running command: VmLogonCommand
> internal: false. Entities affected :  ID:
> 01453005-cbcf-47b1-a066-015777d158b5 Type: VMAction group CONNECT_TO_VM
> with role type USER
> 2015-07-24 11:59:44,642 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
> (ajp--127.0.0.1-8702-3) [27c3ee74] START, VmLogonVDSCommand(HostName =
> kvm02, HostId = 4aeb8095-1198-4afe-aab2-d9c6408c88c2,
> vmId=01453005-cbcf-47b1-a066-015777d158b5, domain=apra.it,
> password=**, userName=c.mamm...@apra.it), log id: 6bf25e51

this^ is good, so now should provide the guest agent log.

> 2015-07-24 11:59:44,652 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
> (ajp--127.0.0.1-8702-3) [27c3ee74] FINISH, VmLogonVDSCommand, log id:
> 6bf25e51
> 2015-07-24 11:59:58,888 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (DefaultQuartzScheduler_Worker-63) Correlation ID: null, Call Stack:
> null, Custom Event ID: -1, Message: User c.mamm...@apra.it is connected
> to VM TestPoolMan-1.
> 
> On 24/07/2015 11:02, Alon Bar-Lev wrote:
> > Any log will be helpful, engine side and guest agent side.
> >
> > Also, please note this bug[1], due to incorrect assumptions in
> > implementation, your authz provider name must match the active directory
> > name in order for password delegation to work properly.
> >
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137
> >
> > - Original Message -
> 
> 


Re: [ovirt-users] Troubleshooting Windows SSO

2015-07-24 Thread Cristian Mammoli

Are you referring to this: http://www.ovirt.org/Features/AAA ?

I only configured the engine with "engine-manage-domains" isn't it enough?

Anyway this is engine.log:

2015-07-24 11:59:42,337 INFO 
[org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) 
Running command: LoginUserCommand internal: false.
2015-07-24 11:59:42,348 INFO 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] 
(ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom 
Event ID: -1, Message: User c.mamm...@apra.it logged in.
2015-07-24 11:59:44,364 INFO 
[org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--127.0.0.1-8702-9) 
[44b9b110] Running command: SetVmTicketCommand internal: false. Entities 
affected :  ID: 01453005-cbcf-47b1-a066-015777d158b5 Type: VMAction 
group CONNECT_TO_VM with role type USER
2015-07-24 11:59:44,370 INFO 
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] 
(ajp--127.0.0.1-8702-9) [44b9b110] START, SetVmTicketVDSCommand(HostName 
= kvm02, HostId = 4aeb8095-1198-4afe-aab2-d9c6408c88c2, 
vmId=01453005-cbcf-47b1-a066-015777d158b5, ticket=rdFW/mdMiBxO, 
validTime=120,m userName=c.mammoli, 
userId=d69d8d20-68b7-4fed-9c08-5c2ecb257583), log id: 25c99c46
2015-07-24 11:59:44,412 INFO 
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] 
(ajp--127.0.0.1-8702-9) [44b9b110] FINISH, SetVmTicketVDSCommand, log 
id: 25c99c46
2015-07-24 11:59:44,436 INFO 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] 
(ajp--127.0.0.1-8702-9) [44b9b110] Correlation ID: 44b9b110, Call Stack: 
null, Custom Event ID: -1, Message: user c.mamm...@apra.it initiated 
console session for VM TestPoolMan-1
2015-07-24 11:59:44,610 WARN 
[org.ovirt.engine.core.dal.job.ExecutionMessageDirector] 
(ajp--127.0.0.1-8702-3) [27c3ee74] The message key VmLogon is missing 
from bundles/ExecutionMessages
2015-07-24 11:59:44,637 INFO [org.ovirt.engine.core.bll.VmLogonCommand] 
(ajp--127.0.0.1-8702-3) [27c3ee74] Running command: VmLogonCommand 
internal: false. Entities affected :  ID: 
01453005-cbcf-47b1-a066-015777d158b5 Type: VMAction group CONNECT_TO_VM 
with role type USER
2015-07-24 11:59:44,642 INFO 
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] 
(ajp--127.0.0.1-8702-3) [27c3ee74] START, VmLogonVDSCommand(HostName = 
kvm02, HostId = 4aeb8095-1198-4afe-aab2-d9c6408c88c2, 
vmId=01453005-cbcf-47b1-a066-015777d158b5, domain=apra.it, 
password=**, userName=c.mamm...@apra.it), log id: 6bf25e51
2015-07-24 11:59:44,652 INFO 
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] 
(ajp--127.0.0.1-8702-3) [27c3ee74] FINISH, VmLogonVDSCommand, log id: 
6bf25e51
2015-07-24 11:59:58,888 INFO 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] 
(DefaultQuartzScheduler_Worker-63) Correlation ID: null, Call Stack: 
null, Custom Event ID: -1, Message: User c.mamm...@apra.it is connected 
to VM TestPoolMan-1.


On 24/07/2015 11:02, Alon Bar-Lev wrote:

Any log will be helpful, engine side and guest agent side.

Also, please note this bug[1], due to incorrect assumptions in implementation, 
your authz provider name must match the active directory name in order for 
password delegation to work properly.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137

- Original Message -




Re: [ovirt-users] Troubleshooting Windows SSO

2015-07-24 Thread Alon Bar-Lev
Any log will be helpful, engine side and guest agent side.

Also, please note this bug[1], due to incorrect assumptions in implementation, 
your authz provider name must match the active directory name in order for 
password delegation to work properly.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137

- Original Message -
> From: "Cristian Mammoli" 
> To: users@ovirt.org
> Sent: Friday, July 24, 2015 11:16:01 AM
> Subject: [ovirt-users] Troubleshooting Windows SSO
> 
> Hi, I can't get SSO in the spice console to work
> The engine is linked to a windows AD domain and users logon work fine
> In the vms I configured a gpo to enable SAS:
> 
> Disable or enable software Secure Attention Sequence: Enabled
> Set which software is allowed to generate the Secure Attention Sequence: Services and Ease of Access applications
> 
> Anyway SSO does not work, when I open the spice console as a user I'm
> presented with the usual Windows login screen


[ovirt-users] Troubleshooting Windows SSO

2015-07-24 Thread Cristian Mammoli

Hi, I can't get SSO in the spice console to work
The engine is linked to a windows AD domain and users logon work fine
In the vms I configured a gpo to enable SAS:

Disable or enable software Secure Attention Sequence: Enabled
Set which software is allowed to generate the Secure Attention Sequence: Services and Ease of Access applications

Anyway SSO does not work, when I open the spice console as a user I'm 
presented with the usual Windows login screen
