Re: [ovirt-users] Debian linux and oVirt SSO

2016-07-18 Thread Tadas

ovirt agent stops on this line and code below it is not executed:

https://github.com/oVirt/ovirt-guest-agent/blob/master/ovirt-guest-agent/CredServer.py#L147



On Mon, 2016-07-18 at 14:12 +0300, Tadas wrote:
> This is really interesting.
> pam-ovirt-cred is randomly failing on one of two checks:
> 
> https://github.com/oVirt/ovirt-guest-agent/blob/master/pam-ovirt-cred/cred_channel.c#L107
> 
> and
> 
> https://github.com/oVirt/ovirt-guest-agent/blob/master/pam-ovirt-cred/cred_channel.c#L134
> 
> There's no pattern as to which step it will fail on. Sometimes it fails on
> writing to the socket, sometimes on reading:
> 
> Jul 18 14:11:02 desktop64 cred-debug: recv() failed
> Jul 18 14:11:14 desktop64 cred-debug: send() failed
> Jul 18 14:11:18 desktop64 cred-debug: recv() failed
> Jul 18 14:11:23 desktop64 cred-debug: recv() failed
> Jul 18 14:11:28 desktop64 cred-debug: send() failed
> Jul 18 14:11:33 desktop64 cred-debug: recv() failed
> 
> On Mon, 2016-07-18 at 09:51 +0300, Tadas wrote:
> > After moving to gdm, I've managed to solve the timeout issue. Now I
> > bumped into another one:
> > oVirt agent seems to emit credentials without error:
> > 
> > Dummy-1::DEBUG::2016-07-18 09:29:53,293::OVirtAgentLogic::304::root::User log-in (credentials = '\x00\x00\x00\x04test\x00')
> > Dummy-1::INFO::2016-07-18 09:29:53,293::CredServer::207::root::The following users are allowed to connect: [0]
> > Dummy-1::DEBUG::2016-07-18 09:29:53,294::CredServer::272::root::Token: 250954
> > Dummy-1::INFO::2016-07-18 09:29:53,294::CredServer::273::root::Opening credentials channel...
> > Dummy-1::INFO::2016-07-18 09:29:53,294::CredServer::132::root::Emitting user authenticated signal (250954).
> > Dummy-1::INFO::2016-07-18 09:29:53,349::CredServer::277::root::Credentials channel was closed.
> > 
> > But pam module is failing:
> > gdm-ovirtcred]: pam_ovirt_cred(gdm-ovirtcred:auth): Failed to acquire user's credentials
> > 
> > After poking a bit I've managed to find that the module fails on:
> > 
> >     if (ret == -1) {
> >         D(("send() failed."));
> >         return -1;
> >     }
> > 
> > in cred_channel.c
> > 
> > 
> > Also, I have to mention that there's no /etc/pamd/password-auth
> > file in Debian Linux. I've copied it from CentOS (it is needed by
> > gdm-ovirtcred.pam)
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
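
The `send() failed` / `recv() failed` debug lines quoted in the message above do not say why the call returned -1. The following C sketch is an added example, not code from ovirt-guest-agent or from this thread: hypothetical helpers `chan_send_all` and `chan_recv_all` retry on EINTR, handle short transfers, and return the errno so that a peer that closed the channel can be told apart from a timeout. It assumes Linux; the socketpair stands in for the credentials channel, and the payload is a constructed sample (the token value from the quoted log as ASCII), not the module's actual wire format.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helpers, not from cred_channel.c. Return 0 on success or the
 * errno of the failing call, so the caller can log why the channel failed. */
static int chan_send_all(int fd, const void *buf, size_t len)
{
    const char *p = buf;
    while (len > 0) {
        /* MSG_NOSIGNAL: report EPIPE instead of raising SIGPIPE. */
        ssize_t n = send(fd, p, len, MSG_NOSIGNAL);
        if (n == -1 && errno == EINTR)
            continue;              /* interrupted by a signal: retry */
        if (n == -1)
            return errno;          /* EPIPE, ECONNRESET, EAGAIN, ... */
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

static int chan_recv_all(int fd, void *buf, size_t len)
{
    char *p = buf;
    while (len > 0) {
        ssize_t n = recv(fd, p, len, 0);
        if (n == -1 && errno == EINTR)
            continue;
        if (n == -1)
            return errno;          /* EAGAIN: a receive timeout expired */
        if (n == 0)
            return ECONNRESET;     /* EOF: peer closed before sending all */
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Constructed demo: socketpair stands in for the channel; peer closes first. */
static int demo_closed_peer(int do_send)
{
    int sv[2], err;
    char buf[8];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    close(sv[1]);
    err = do_send ? chan_send_all(sv[0], "250954", 6) : chan_recv_all(sv[0], buf, sizeof buf);
    close(sv[0]);
    return err;
}

int main(void)
{
    printf("send: %s\n", strerror(demo_closed_peer(1)));
    printf("recv: %s\n", strerror(demo_closed_peer(0)));
    return 0;
}
```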


Re: [ovirt-users] Debian linux and oVirt SSO

2016-07-18 Thread Tadas
This is really interesting.
pam-ovirt-cred is randomly failing on one of two checks:

https://github.com/oVirt/ovirt-guest-agent/blob/master/pam-ovirt-cred/cred_channel.c#L107

and

https://github.com/oVirt/ovirt-guest-agent/blob/master/pam-ovirt-cred/cred_channel.c#L134

There's no pattern as to which step it will fail on. Sometimes it fails on
writing to the socket, sometimes on reading:

Jul 18 14:11:02 desktop64 cred-debug: recv() failed
Jul 18 14:11:14 desktop64 cred-debug: send() failed
Jul 18 14:11:18 desktop64 cred-debug: recv() failed
Jul 18 14:11:23 desktop64 cred-debug: recv() failed
Jul 18 14:11:28 desktop64 cred-debug: send() failed
Jul 18 14:11:33 desktop64 cred-debug: recv() failed

On Mon, 2016-07-18 at 09:51 +0300, Tadas wrote:
> After moving to gdm, I've managed to solve the timeout issue. Now I
> bumped into another one:
> oVirt agent seems to emit credentials without error:
> 
> Dummy-1::DEBUG::2016-07-18 09:29:53,293::OVirtAgentLogic::304::root::User log-in (credentials = '\x00\x00\x00\x04test\x00')
> Dummy-1::INFO::2016-07-18 09:29:53,293::CredServer::207::root::The following users are allowed to connect: [0]
> Dummy-1::DEBUG::2016-07-18 09:29:53,294::CredServer::272::root::Token: 250954
> Dummy-1::INFO::2016-07-18 09:29:53,294::CredServer::273::root::Opening credentials channel...
> Dummy-1::INFO::2016-07-18 09:29:53,294::CredServer::132::root::Emitting user authenticated signal (250954).
> Dummy-1::INFO::2016-07-18 09:29:53,349::CredServer::277::root::Credentials channel was closed.
> 
> But pam module is failing:
> gdm-ovirtcred]: pam_ovirt_cred(gdm-ovirtcred:auth): Failed to acquire user's credentials
> 
> After poking a bit I've managed to find that the module fails on:
> 
>     if (ret == -1) {
>         D(("send() failed."));
>         return -1;
>     }
> 
> in cred_channel.c
> 
> 
> Also, I have to mention that there's no /etc/pamd/password-auth file
> in Debian Linux. I've copied it from CentOS (it is needed by
> gdm-ovirtcred.pam)


Re: [ovirt-users] Debian linux and oVirt SSO

2016-07-18 Thread Tadas
After moving to gdm, I've managed to solve the timeout issue. Now I
bumped into another one:
oVirt agent seems to emit credentials without error:

Dummy-1::DEBUG::2016-07-18 09:29:53,293::OVirtAgentLogic::304::root::User log-in (credentials = '\x00\x00\x00\x04test\x00')
Dummy-1::INFO::2016-07-18 09:29:53,293::CredServer::207::root::The following users are allowed to connect: [0]
Dummy-1::DEBUG::2016-07-18 09:29:53,294::CredServer::272::root::Token: 250954
Dummy-1::INFO::2016-07-18 09:29:53,294::CredServer::273::root::Opening credentials channel...
Dummy-1::INFO::2016-07-18 09:29:53,294::CredServer::132::root::Emitting user authenticated signal (250954).
Dummy-1::INFO::2016-07-18 09:29:53,349::CredServer::277::root::Credentials channel was closed.

But pam module is failing:
gdm-ovirtcred]: pam_ovirt_cred(gdm-ovirtcred:auth): Failed to acquire user's credentials

After poking a bit I've managed to find that the module fails on:

    if (ret == -1) {
        D(("send() failed."));
        return -1;
    }

in cred_channel.c


Also, I have to mention that there's no /etc/pamd/password-auth file
in Debian Linux. I've copied it from CentOS (it is needed by
gdm-ovirtcred.pam)


Re: [ovirt-users] Debian linux and oVirt SSO

2016-07-15 Thread Vinzenz Feenstra

> On Jul 15, 2016, at 5:09 PM, Tadas  wrote:
> 
> Thank you for the reply.
> 
> you should just add ovirtcred and not remove all the other options,
> without the other options you’re not able to login
> 
> There are other options, I’ve just changed the following parameter:
> PluginsLogin=ovirtcred
> Should I use some kind of plugin list and add the classic plugin also? e.g.:
> PluginsLogin=classic, ovirtcred
>> To me it looks like that you’re missing
>> https://github.com/oVirt/ovirt-guest-agent/blob/master/ovirt-guest-agent/org.ovirt.vdsm.Credentials.conf
>> 
> Seems you are right. Now I do see ovirt in dbus sessions:
> 
> DISPLAY=:0.0 dbus-send --system --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames
> 
> array [
>    string "org.freedesktop.DBus"
>    string "org.freedesktop.login1"
>    string ":1.72"
>    string ":1.171"
>    string "org.freedesktop.systemd1"
>    string "org.freedesktop.PolicyKit1"
>    string ":1.360"
>    string ":1.66"
>    string "org.freedesktop.PackageKit"
>    string ":1.67"
>    string "org.freedesktop.UPower"
>    string ":1.363"
>    string ":1.0"
>    string "org.freedesktop.UDisks2"
>    string ":1.68"
>    string ":1.364"
>    string "org.ovirt.vdsm.Credentials"
>    string ":1.365"
>    string ":1.366"
>    string "org.freedesktop.RealtimeKit1"
> ]
> 
> But still getting the same error:
> 
> Dummy-1::INFO::2016-07-15 18:08:12,299::OVirtAgentLogic::294::root::Received an external command: login...
> Dummy-1::INFO::2016-07-15 18:08:12,300::CredServer::207::root::The following users are allowed to connect: [0]
> Dummy-1::INFO::2016-07-15 18:08:12,300::CredServer::273::root::Opening credentials channel...
> Dummy-1::INFO::2016-07-15 18:08:12,300::CredServer::132::root::Emitting user authenticated signal (656949).
> CredChannel::INFO::2016-07-15 18:08:17,306::CredServer::241::root::Credentials channel timed out.
> Dummy-1::INFO::2016-07-15 18:08:17,307::CredServer::277::root::Credentials channel was closed.
> 
> However the KDM support is basically not really developed anymore as
> the majority of our users are rather using GDM. So there’s quite the
> possibility that there’s a problem.
> 
> Well, I’m having different issues while trying to compile gdm plugin:
> configure: error: Package requirements (dbus-glib-1 >= 0.74
> gdmsimplegreeter >= 3.2.1.1
> gobject-2.0 >= 2.22.0
> gtk+-2.0 >= 2.18.0
> ) were not met:
> 
> Package gdmsimplegreeter was not found in the pkg-config search path.
> Found no information on how to get gdmsimplegreeter.

That’s for GDM < 3.8ish. From 3.10 we have the GDM SSO code built into GNOME;
you only need the conf file and the pam extension plus the gdm-ovirtcred pam
config.

>  
> 
>> 
>> Thank you.
>> 
>> 


Re: [ovirt-users] Debian linux and oVirt SSO

2016-07-15 Thread Tadas
Thank you for the reply.


you should just add ovirtcred and not remove all the other options, without
the other options you’re not able to login
There are other options, I’ve just changed the following parameter:
PluginsLogin=ovirtcred
Should I use some kind of plugin list and add the classic plugin also? e.g.:
PluginsLogin=classic, ovirtcred
  To me it looks like that you’re missing
  https://github.com/oVirt/ovirt-guest-agent/blob/master/ovirt-guest-agent/org.ovirt.vdsm.Credentials.conf

Seems you are right. Now I do see ovirt in dbus sessions:

DISPLAY=:0.0 dbus-send --system --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames

array [
   string "org.freedesktop.DBus"
   string "org.freedesktop.login1"
   string ":1.72"
   string ":1.171"
   string "org.freedesktop.systemd1"
   string "org.freedesktop.PolicyKit1"
   string ":1.360"
   string ":1.66"
   string "org.freedesktop.PackageKit"
   string ":1.67"
   string "org.freedesktop.UPower"
   string ":1.363"
   string ":1.0"
   string "org.freedesktop.UDisks2"
   string ":1.68"
   string ":1.364"
   string "org.ovirt.vdsm.Credentials"
   string ":1.365"
   string ":1.366"
   string "org.freedesktop.RealtimeKit1"
]


But still getting the same error:

Dummy-1::INFO::2016-07-15 18:08:12,299::OVirtAgentLogic::294::root::Received an external command: login...
Dummy-1::INFO::2016-07-15 18:08:12,300::CredServer::207::root::The following users are allowed to connect: [0]
Dummy-1::INFO::2016-07-15 18:08:12,300::CredServer::273::root::Opening credentials channel...
Dummy-1::INFO::2016-07-15 18:08:12,300::CredServer::132::root::Emitting user authenticated signal (656949).
CredChannel::INFO::2016-07-15 18:08:17,306::CredServer::241::root::Credentials channel timed out.
Dummy-1::INFO::2016-07-15 18:08:17,307::CredServer::277::root::Credentials channel was closed.


However the KDM support is basically not really developed anymore as
the majority of our users are rather using GDM. So there’s quite the
possibility that there’s a problem.

Well, I’m having different issues while trying to compile gdm plugin:
configure: error: Package requirements (dbus-glib-1 >= 0.74
gdmsimplegreeter >= 3.2.1.1
gobject-2.0 >= 2.22.0
gtk+-2.0 >= 2.18.0
) were not met:

Package gdmsimplegreeter was not found in the pkg-config search path.
Found no information on how to get gdmsimplegreeter.




  Thank you.




Re: [ovirt-users] Debian linux and oVirt SSO

2016-07-15 Thread Tadas
The SSO part is as simple as emitting correctly formed JSON to the spice socket; as I’ve
mentioned before, this works fine with Windows guests.
The problem is only with Linux guests. As for the undocumented API, yes, you are
right, documentation should help a lot. It takes time to reverse engineer code.
But having a full oVirt solution or not does not change the fact that there’s
something wrong with the Linux KDE plugin. I’m very confident that this will
persist if a Linux guest is used on oVirt. Perhaps this is just a Debian-oriented
problem, so I was wondering if anyone had the same issue here.


From: Yaniv Kaul 
Sent: Friday, July 15, 2016 3:57 PM
To: ta...@ring.lt 
Cc: users 
Subject: Re: [ovirt-users] Debian linux and oVirt SSO


 

Part of the issue is that you are missing quite a bit of the orchestration that 
oVirt performs to make SSO work...
There may be some other issues, but I warmly suggest using oVirt and not the
undocumented APIs - which may or may not change in the future, between the 
agent and other components.
Y.


  Steps I've made:
  got oVirt guest agent up and running, I can communicate with it from
  hypervisor:

  socat /var/lib/libvirt/qemu/channel/target/domain-80-KDE64_1/com.kvm-vdi.0 -
  {"__name__": "os-version", "version": "4.6.0-1-amd64"}
  Compiled and copied pam_ovirt_cred.so to /lib/x86_64-linux-gnu/security

  Configured /etc/pam.d/kdm-ovirt-cred with:

  %PAM-1.0
  auth       required     pam_ovirt_cred.so
  auth       include      password-auth
  account    include      password-auth
  password   include      password-auth
  session    required     pam_selinux.so close
  session    required     pam_selinux.so open
  session    include      password-auth

  Compiled and copied kgreet_ovirtcred.so to /usr/lib/kde4

  Configured /etc/kde4/kdm/kdmrc with:

  PluginsLogin=ovirtcred

  Symptoms:
  After starting kdm, I get login prompt with barely visible title (I
  assume it should spell "oVirt Authentication" from
  kgreet_ovirtcred.cpp). Username and password boxes are inactive - I
  cannot enter anything to them. After emitting username/password to
  oVirt agent, I can see the following log entries:

  Dummy-1::INFO::2016-07-15 12:29:51,628::CredServer::207::root::The following users are allowed to connect: [0]
  Dummy-1::INFO::2016-07-15 12:29:51,629::CredServer::273::root::Opening credentials channel...
  Dummy-1::INFO::2016-07-15 12:29:51,629::CredServer::132::root::Emitting user authenticated signal (509542).
  CredChannel::INFO::2016-07-15 12:29:56,634::CredServer::241::root::Credentials channel timed out.

  The only thing that worries me are the entries in the kdm.log file:

  klauncher(6100) kdemain: No DBUS session-bus found. Check if you have started the DBUS server.

  Since oVirt guest agent sends wakeup message to greeter plugin via
  Dbus, perhaps this is the problem? Maybe someone had the same problem
  here?
  This happens on Debian 8 and 9.

  Thank you.




Re: [ovirt-users] Debian linux and oVirt SSO

2016-07-15 Thread Yaniv Kaul
On Fri, Jul 15, 2016 at 12:50 PM, Tadas  wrote:

> Hello,
> I'm struggling to get oVirt SSO working on Linux guest VM.
> I can confirm, that SSO is fully functional on Windows guest (please
> note it's not a full oVirt installation - I'm just testing oVirt guest
> agent on virtual machines running on plain KVM hypervisor).
>

Part of the issue is that you are missing quite a bit of the orchestration
that oVirt performs to make SSO work...
There may be some other issues, but I warmly suggest using oVirt and not the
undocumented APIs - which may or may not change in the future, between the
agent and other components.
 Y.


> Steps I've made:
> got oVirt guest agent up and running, I can communicate with it from
> hypervisor:
>
> socat /var/lib/libvirt/qemu/channel/target/domain-80-KDE64_1/com.kvm-vdi.0 -
> {"__name__": "os-version", "version": "4.6.0-1-amd64"}
> Compiled and copied pam_ovirt_cred.so to /lib/x86_64-linux-gnu/security
>
> Configured /etc/pam.d/kdm-ovirt-cred with:
>
> %PAM-1.0
> auth       required     pam_ovirt_cred.so
> auth       include      password-auth
> account    include      password-auth
> password   include      password-auth
> session    required     pam_selinux.so close
> session    required     pam_selinux.so open
> session    include      password-auth
>
> Compiled and copied kgreet_ovirtcred.so to /usr/lib/kde4
>
> Configured /etc/kde4/kdm/kdmrc with:
>
> PluginsLogin=ovirtcred
>
> Symptoms:
> After starting kdm, I get login prompt with barely visible title (I
> assume it should spell "oVirt Authentication" from
> kgreet_ovirtcred.cpp). Username and password boxes are inactive - I
> cannot enter anything to them. After emitting username/password to
> oVirt agent, I can see the following log entries:
>
> Dummy-1::INFO::2016-07-15 12:29:51,628::CredServer::207::root::The following users are allowed to connect: [0]
> Dummy-1::INFO::2016-07-15 12:29:51,629::CredServer::273::root::Opening credentials channel...
> Dummy-1::INFO::2016-07-15 12:29:51,629::CredServer::132::root::Emitting user authenticated signal (509542).
> CredChannel::INFO::2016-07-15 12:29:56,634::CredServer::241::root::Credentials channel timed out.
>
> The only thing that worries me are the entries in the kdm.log file:
>
> klauncher(6100) kdemain: No DBUS session-bus found. Check if you have started the DBUS server.
>
> Since oVirt guest agent sends wakeup message to greeter plugin via
> Dbus, perhaps this is the problem? Maybe someone had the same problem
> here?
> This happens on Debian 8 and 9.
>
> Thank you.
>
>


[ovirt-users] Debian linux and oVirt SSO

2016-07-15 Thread Tadas
Hello,
I'm struggling to get oVirt SSO working on Linux guest VM.
I can confirm that SSO is fully functional on Windows guest (please
note it's not a full oVirt installation - I'm just testing oVirt guest
agent on virtual machines running on plain KVM hypervisor).

Steps I've made:
got oVirt guest agent up and running, I can communicate with it from
hypervisor:

socat /var/lib/libvirt/qemu/channel/target/domain-80-KDE64_1/com.kvm-vdi.0 -
{"__name__": "os-version", "version": "4.6.0-1-amd64"}
Compiled and copied pam_ovirt_cred.so to /lib/x86_64-linux-gnu/security

Configured /etc/pam.d/kdm-ovirt-cred with:

%PAM-1.0
auth       required     pam_ovirt_cred.so
auth       include      password-auth
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_selinux.so open
session    include      password-auth

Compiled and copied kgreet_ovirtcred.so to /usr/lib/kde4

Configured /etc/kde4/kdm/kdmrc with:

PluginsLogin=ovirtcred

Symptoms:
After starting kdm, I get login prompt with barely visible title (I
assume it should spell "oVirt Authentication" from
kgreet_ovirtcred.cpp). Username and password boxes are inactive - I
cannot enter anything to them. After emitting username/password to
oVirt agent, I can see the following log entries:

Dummy-1::INFO::2016-07-15 12:29:51,628::CredServer::207::root::The following users are allowed to connect: [0]
Dummy-1::INFO::2016-07-15 12:29:51,629::CredServer::273::root::Opening credentials channel...
Dummy-1::INFO::2016-07-15 12:29:51,629::CredServer::132::root::Emitting user authenticated signal (509542).
CredChannel::INFO::2016-07-15 12:29:56,634::CredServer::241::root::Credentials channel timed out.

The only thing that worries me are the entries in the kdm.log file:

klauncher(6100) kdemain: No DBUS session-bus found. Check if you have started the DBUS server.

Since oVirt guest agent sends wakeup message to greeter plugin via
Dbus, perhaps this is the problem? Maybe someone had the same problem
here?
This happens on Debian 8 and 9.

Thank you.

