subject:"\[ovirt\-users\] Debian linux and oVirt SSO"

Re: [ovirt-users] Debian linux and oVirt SSO

2016-07-18 Thread Tadas


ovirt agent stops on this line and code below it is not executed:

https://github.com/oVirt/ovirt-guest-agent/blob/master/ovirt-guest-agen
t/CredServer.py#L147



On Mon, 2016-07-18 at 14:12 +0300, Tadas wrote:
> This is really interesting.
> pam-ovirt-cred is randomly failing on one of two checks:
> 
> https://github.com/oVirt/ovirt-guest-agent/blob/master/pam-ovirt-cred
> /c
> red_channel.c#L107
> 
> and
> 
> https://github.com/oVirt/ovirt-guest-agent/blob/master/pam-ovirt-cred
> /c
> red_channel.c#L134
> 
> Theres  no pattern, on which step it will fail. Sometimes it fails on
> writing to socket sometimes on reading:
> 
> Jul 18 14:11:02 desktop64 cred-debug: recv() failed
> Jul 18 14:11:14 desktop64 cred-debug: send() failed
> Jul 18 14:11:18 desktop64 cred-debug: recv() failed
> Jul 18 14:11:23 desktop64 cred-debug: recv() failed
> Jul 18 14:11:28 desktop64 cred-debug: send() failed
> Jul 18 14:11:33 desktop64 cred-debug: recv() failedOn Mon, 2016-07-18 
> at 09:51 +0300, Tadas wrote:
> > After moving to gdm, I've managed to solve the timeout issue. Now i
> > bumped into another one:
> > oVirt agent seem to emit credentials without error:
> > 
> > Dummy-1::DEBUG::2016-07-18
> > 09:29:53,293::OVirtAgentLogic::304::root::User log-in (credentials
> > =
> > '\x00\x00\x00\x04test\x00')
> > Dummy-1::INFO::2016-07-18 09:29:53,293::CredServer::207::root::The
> > following users are allowed to connect: [0]
> > Dummy-1::DEBUG::2016-07-18
> > 09:29:53,294::CredServer::272::root::Token:
> > 250954
> > Dummy-1::INFO::2016-07-18
> > 09:29:53,294::CredServer::273::root::Opening
> > credentials channel...
> > Dummy-1::INFO::2016-07-18
> > 09:29:53,294::CredServer::132::root::Emitting
> > user authenticated signal (250954).
> > Dummy-1::INFO::2016-07-18
> > 09:29:53,349::CredServer::277::root::Credentials channel was
> > closed.
> > 
> > But pam module is failing:
> > gdm-ovirtcred]: pam_ovirt_cred(gdm-ovirtcred:auth): Failed to
> > acquire
> > user's credentials
> > 
> > After poking a bit I've managed to find, that module fails on:
> > 
> >     if (ret == -1) {
> > D(("send() failed."));
> > return -1;
> > }
> > 
> > in cred_channel.c
> > 
> > 
> > Also, i have to mention, that there's no /etc/pamd/password-auth
> > file
> > in Debian Linux. I've copied it from Centos (it is needed by gdm-
> > ovirtcred.pam)
> > > > ___
> > > > Users mailing list
> > > > Users@ovirt.org
> > > > http://lists.ovirt.org/mailman/listinfo/users
> > > 
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Debian linux and oVirt SSO

2016-07-18 Thread Tadas

This is really interesting.
pam-ovirt-cred is randomly failing on one of two checks:

https://github.com/oVirt/ovirt-guest-agent/blob/master/pam-ovirt-cred/c
red_channel.c#L107

and

https://github.com/oVirt/ovirt-guest-agent/blob/master/pam-ovirt-cred/c
red_channel.c#L134

Theres  no pattern, on which step it will fail. Sometimes it fails on
writing to socket sometimes on reading:

Jul 18 14:11:02 desktop64 cred-debug: recv() failed
Jul 18 14:11:14 desktop64 cred-debug: send() failed
Jul 18 14:11:18 desktop64 cred-debug: recv() failed
Jul 18 14:11:23 desktop64 cred-debug: recv() failed
Jul 18 14:11:28 desktop64 cred-debug: send() failed
Jul 18 14:11:33 desktop64 cred-debug: recv() failedOn Mon, 2016-07-18 at 09:51 
+0300, Tadas wrote:
> After moving to gdm, I've managed to solve the timeout issue. Now i
> bumped into another one:
> oVirt agent seem to emit credentials without error:
> 
> Dummy-1::DEBUG::2016-07-18
> 09:29:53,293::OVirtAgentLogic::304::root::User log-in (credentials =
> '\x00\x00\x00\x04test\x00')
> Dummy-1::INFO::2016-07-18 09:29:53,293::CredServer::207::root::The
> following users are allowed to connect: [0]
> Dummy-1::DEBUG::2016-07-18
> 09:29:53,294::CredServer::272::root::Token:
> 250954
> Dummy-1::INFO::2016-07-18
> 09:29:53,294::CredServer::273::root::Opening
> credentials channel...
> Dummy-1::INFO::2016-07-18
> 09:29:53,294::CredServer::132::root::Emitting
> user authenticated signal (250954).
> Dummy-1::INFO::2016-07-18
> 09:29:53,349::CredServer::277::root::Credentials channel was closed.
> 
> But pam module is failing:
> gdm-ovirtcred]: pam_ovirt_cred(gdm-ovirtcred:auth): Failed to acquire
> user's credentials
> 
> After poking a bit I've managed to find, that module fails on:
> 
>     if (ret == -1) {
> D(("send() failed."));
> return -1;
> }
> 
> in cred_channel.c
> 
> 
> Also, i have to mention, that there's no /etc/pamd/password-auth file
> in Debian Linux. I've copied it from Centos (it is needed by gdm-
> ovirtcred.pam)
> > > ___
> > > Users mailing list
> > > Users@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> > 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Debian linux and oVirt SSO

2016-07-17 Thread Tadas

After moving to gdm, I've managed to solve the timeout issue. Now i
bumped into another one:
oVirt agent seem to emit credentials without error:

Dummy-1::DEBUG::2016-07-18
09:29:53,293::OVirtAgentLogic::304::root::User log-in (credentials =
'\x00\x00\x00\x04test\x00')
Dummy-1::INFO::2016-07-18 09:29:53,293::CredServer::207::root::The
following users are allowed to connect: [0]
Dummy-1::DEBUG::2016-07-18 09:29:53,294::CredServer::272::root::Token:
250954
Dummy-1::INFO::2016-07-18 09:29:53,294::CredServer::273::root::Opening
credentials channel...
Dummy-1::INFO::2016-07-18 09:29:53,294::CredServer::132::root::Emitting
user authenticated signal (250954).
Dummy-1::INFO::2016-07-18
09:29:53,349::CredServer::277::root::Credentials channel was closed.

But pam module is failing:
gdm-ovirtcred]: pam_ovirt_cred(gdm-ovirtcred:auth): Failed to acquire
user's credentials

After poking a bit I've managed to find, that module fails on:

    if (ret == -1) {
D(("send() failed."));
return -1;
}

in cred_channel.c


Also, i have to mention, that there's no /etc/pamd/password-auth file
in Debian Linux. I've copied it from Centos (it is needed by gdm-
ovirtcred.pam)
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Debian linux and oVirt SSO

2016-07-15 Thread Tadas

Aha. Thank you. Will try this one

From: Vinzenz Feenstra 
Sent: Friday, July 15, 2016 7:35 PM
To: Tadas 
Cc: users@ovirt.org 
Subject: Re: [ovirt-users] Debian linux and oVirt SSO

  On Jul 15, 2016, at 5:09 PM, Tadas  wrote:

  Thank you for reply.

  you =hould just add ovirtcred and not remove all the other options, 
without =he other options you’re not able to login
  There are other options, i’ve just changed the folowing parameter:
  PluginsLogin=ovirtcred
  should i use somekind of plugin list and add the classic plugin also? eg:
  PluginsLogin=classic, ovirtcred
To me =t looks like that you’re missing 

https://github.com/oVirt/ovirt-guest-agent/blob/master/ovirt-gu=st-agent/org.ovirt.vdsm.Credentials.conf

  seems you are right. Now i do see ovirt in dbus sessions:

  DISPLAY=:0.0 dbus-send --system --dest=org.freedesktop.DBus 
--type=method_call --print-reply /org/freedesktop/DBus 
org.freedesktop.DBus.ListNames

  array [
 string "org.freedesktop.DBus"
 string "org.freedesktop.login1"
 string ":1.72"
 string ":1.171"
 string "org.freedesktop.systemd1"
 string "org.freedesktop.PolicyKit1"
 string ":1.360"
 string ":1.66"
 string "org.freedesktop.PackageKit"
 string ":1.67"
 string "org.freedesktop.UPower"
 string ":1.363"
 string ":1.0"
 string "org.freedesktop.UDisks2"
 string ":1.68"
 string ":1.364"
 string "org.ovirt.vdsm.Credentials"
 string ":1.365"
 string ":1.366"
 string "org.freedesktop.RealtimeKit1"
  ]

  But still getting the samer error:

  Dummy-1::INFO::2016-07-15 18:08:12,299::OVirtAgentLogic::294::root::Received 
an external command: login...
  Dummy-1::INFO::2016-07-15 18:08:12,300::CredServer::207::root::The following 
users are allowed to connect: [0]
  Dummy-1::INFO::2016-07-15 18:08:12,300::CredServer::273::root::Opening 
credentials channel...
  Dummy-1::INFO::2016-07-15 18:08:12,300::CredServer::132::root::Emitting user 
authenticated signal (656949).
  CredChannel::INFO::2016-07-15 
18:08:17,306::CredServer::241::root::Credentials channel timed out.
  Dummy-1::INFO::2016-07-15 18:08:17,307::CredServer::277::root::Credentials 
channel was closed.

  However the KDM support =s basically not really developed anymore as 
the majority of our users =re rather using GDM. So there’s quite the 
possibility that =here’s a problem.

  Well, i’m having different issues while trying to compile gdm plugin:
  configure: error: Package requirements (dbus-glib-1 >= 0.74
  gdmsimplegreeter >= 3.2.1.1
  gobject-2.0 >= 2.22.0
  gtk+-2.0 >= 2.18.0
  ) were not met:

  Package gdmsimplegreeter was not found in the pkg-config search path.
  Found no information, o how to get gdmsimplegreeter.

That’s for GDM < 3.8ish from 3.10 we have the GDM SSO code builtin GNOME you 
only need that the conf file and the pam extension plus the gdm-ovirtcred  pam 
config

Thank you.

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

  =
  ___
  Users mailing list
  Users@ovirt.org
  http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Debian linux and oVirt SSO

2016-07-15 Thread Vinzenz Feenstra


> On Jul 15, 2016, at 5:09 PM, Tadas  wrote:
> 
> Thank you for reply.
>  
>  
> you =hould just add ovirtcred and not remove all the other options, 
> without =he other options you’re not able to login
>  
> There are other options, i’ve just changed the folowing parameter:
> PluginsLogin=ovirtcred
> should i use somekind of plugin list and add the classic plugin also? eg:
> PluginsLogin=classic, ovirtcred
>> To me =t looks like that you’re missing
>> https://github.com/oVirt/ovirt-guest-agent/blob/master/ovirt-gu=st-agent/org.ovirt.vdsm.Credentials.conf
>>  
>> 
>>  
>>  
>>  
> seems you are right. Now i do see ovirt in dbus sessions:
>  
> DISPLAY=:0.0 dbus-send --system --dest=org.freedesktop.DBus 
> --type=method_call --print-reply /org/freedesktop/DBus 
> org.freedesktop.DBus.ListNames
>  
> array [
>string "org.freedesktop.DBus"
>string "org.freedesktop.login1"
>string ":1.72"
>string ":1.171"
>string "org.freedesktop.systemd1"
>string "org.freedesktop.PolicyKit1"
>string ":1.360"
>string ":1.66"
>string "org.freedesktop.PackageKit"
>string ":1.67"
>string "org.freedesktop.UPower"
>string ":1.363"
>string ":1.0"
>string "org.freedesktop.UDisks2"
>string ":1.68"
>string ":1.364"
>string "org.ovirt.vdsm.Credentials"
>string ":1.365"
>string ":1.366"
>string "org.freedesktop.RealtimeKit1"
> ]
>  
>  
> But still getting the samer error:
>  
> Dummy-1::INFO::2016-07-15 18:08:12,299::OVirtAgentLogic::294::root::Received 
> an external command: login...
> Dummy-1::INFO::2016-07-15 18:08:12,300::CredServer::207::root::The following 
> users are allowed to connect: [0]
> Dummy-1::INFO::2016-07-15 18:08:12,300::CredServer::273::root::Opening 
> credentials channel...
> Dummy-1::INFO::2016-07-15 18:08:12,300::CredServer::132::root::Emitting user 
> authenticated signal (656949).
> CredChannel::INFO::2016-07-15 
> 18:08:17,306::CredServer::241::root::Credentials channel timed out.
> Dummy-1::INFO::2016-07-15 18:08:17,307::CredServer::277::root::Credentials 
> channel was closed.
>  
>  
> However the KDM support =s basically not really developed anymore as 
> the majority of our users =re rather using GDM. So there’s quite the 
> possibility that =here’s a problem.
>  
> Well, i’m having different issues while trying to compile gdm plugin:
> configure: error: Package requirements (dbus-glib-1 >= 0.74
> gdmsimplegreeter >= 3.2.1.1
> gobject-2.0 >= 2.22.0
> gtk+-2.0 >= 2.18.0
> ) were not met:
>  
> Package gdmsimplegreeter was not found in the pkg-config search path.
> Found no information, o how to get gdmsimplegreeter.

That’s for GDM < 3.8ish from 3.10 we have the GDM SSO code builtin GNOME you 
only need that the conf file and the pam extension plus the gdm-ovirtcred  pam 
config

>  
> 
>> 
>> Thank you.
>> 
>> 
>> ___
>> Users mailing list
>> Users@ovirt.org <>
>> http://lists.ovirt.org/mailman/listinfo/users
> 
> =
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Debian linux and oVirt SSO

2016-07-15 Thread Tadas

Thank you for reply.


you =hould just add ovirtcred and not remove all the other options, without 
=he other options you’re not able to login
There are other options, i’ve just changed the folowing parameter:
PluginsLogin=ovirtcred
should i use somekind of plugin list and add the classic plugin also? eg:
PluginsLogin=classic, ovirtcred
  To me =t looks like that you’re missing 
  
https://github.com/oVirt/ovirt-guest-agent/blob/master/ovirt-gu=st-agent/org.ovirt.vdsm.Credentials.conf



seems you are right. Now i do see ovirt in dbus sessions:

DISPLAY=:0.0 dbus-send --system --dest=org.freedesktop.DBus --type=method_call 
--print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames

array [
   string "org.freedesktop.DBus"
   string "org.freedesktop.login1"
   string ":1.72"
   string ":1.171"
   string "org.freedesktop.systemd1"
   string "org.freedesktop.PolicyKit1"
   string ":1.360"
   string ":1.66"
   string "org.freedesktop.PackageKit"
   string ":1.67"
   string "org.freedesktop.UPower"
   string ":1.363"
   string ":1.0"
   string "org.freedesktop.UDisks2"
   string ":1.68"
   string ":1.364"
   string "org.ovirt.vdsm.Credentials"
   string ":1.365"
   string ":1.366"
   string "org.freedesktop.RealtimeKit1"
]


But still getting the samer error:

Dummy-1::INFO::2016-07-15 18:08:12,299::OVirtAgentLogic::294::root::Received an 
external command: login...
Dummy-1::INFO::2016-07-15 18:08:12,300::CredServer::207::root::The following 
users are allowed to connect: [0]
Dummy-1::INFO::2016-07-15 18:08:12,300::CredServer::273::root::Opening 
credentials channel...
Dummy-1::INFO::2016-07-15 18:08:12,300::CredServer::132::root::Emitting user 
authenticated signal (656949).
CredChannel::INFO::2016-07-15 18:08:17,306::CredServer::241::root::Credentials 
channel timed out.
Dummy-1::INFO::2016-07-15 18:08:17,307::CredServer::277::root::Credentials 
channel was closed.


However the KDM support =s basically not really developed anymore as 
the majority of our users =re rather using GDM. So there’s quite the 
possibility that =here’s a problem.

Well, i’m having different issues while trying to compile gdm plugin:
configure: error: Package requirements (dbus-glib-1 >= 0.74
gdmsimplegreeter >= 3.2.1.1
gobject-2.0 >= 2.22.0
gtk+-2.0 >= 2.18.0
) were not met:

Package gdmsimplegreeter was not found in the pkg-config search path.
Found no information, o how to get gdmsimplegreeter.




  Thank you.


  ___
  Users mailing list
  Users@ovirt.org
  http://lists.ovirt.org/mailman/listinfo/users


=___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Debian linux and oVirt SSO

2016-07-15 Thread Tadas

SSO part as simple as emitting correctly formed json to spice socket, - as I’ve 
 mentioned before, this works fine with windows guests.
Problem is only with linux guests. As for undocummented API, yes, – you are 
right, documentation should help alot. It takes time to reverse engineer code.
But having full oVirt solution or not does not change the thing, that there’s 
something wrong with linux kde plugin. I’m very confident, that this will 
persist if used Linux guest on oVirt. Perhaps this is just Debian oriented 
problem, so I was wondering if anyone had the same issue here.


From: Yaniv Kaul 
Sent: Friday, July 15, 2016 3:57 PM
To: ta...@ring.lt 
Cc: users 
Subject: Re: [ovirt-users] Debian linux and oVirt SSO


 

Part of the issue is that you are missing quite a bit of the orchestration that 
oVirt performs to make SSO work...
There may some other issues, but I warmly suggest using oVirt and not the 
undocumented APIs - which may or may not change in the future, between the 
agent and other components.
Y.


  Steps I've made:
  got oVirt guest agent up and running, I can communicate with it from
  hypervisor:

  socat /var/lib/libvirt/qemu/channel/target/domain-80-KDE64_1/com.kvm-
  vdi.0 -
  {"__name__": "os-version", "version": "4.6.0-1-amd64"}
  Compiled and copied pam_ovirt_cred.so to /lib/x86_64-linux-gnu/security

  Configured /etc/pam.d/kdm-ovirt-cred with:

  %PAM-1.0
  authrequiredpam_ovirt_cred.so
  authinclude password-auth
  account include password-auth
  passwordinclude password-auth
  session requiredpam_selinux.so close
  session requiredpam_selinux.so open
  session include password-auth

  Compiled and copied kgreet_ovirtcred.so to /usr/lib/kde4

  Configured /etc/kde4/kdm/kdmrc with:

  PluginsLogin=ovirtcred

  Symptoms:
  After starting kdm, I get login prompt with barely visible title (I
  assume it should spell "oVirt Authentication" from
  kgreet_ovirtcred.cpp). Username and password boxes are inactive - i
  cannot enter anything to them. After emitting username/password to
  oVirt agent, I can see the following log entries:

  Dummy-1::INFO::2016-07-15 12:29:51,628::CredServer::207::root::The
  following users are allowed to connect: [0]
  Dummy-1::INFO::2016-07-15 12:29:51,629::CredServer::273::root::Opening
  credentials channel...
  Dummy-1::INFO::2016-07-15 12:29:51,629::CredServer::132::root::Emitting
  user authenticated signal (509542).
  CredChannel::INFO::2016-07-15
  12:29:56,634::CredServer::241::root::Credentials channel timed out.

  The only thing that worries me, - are the entries in kdm.log file:

  klauncher(6100) kdemain: No DBUS session-bus found. Check if you have
  started the DBUS server. 

  Since oVirt guest agent sends wakeup message to greeter plugin via
  Dbus, perhaps this is the problem? Maybe someone had the same problem
  here?
  This happens on Debian 8 and 9.

  Thank you.


  ___
  Users mailing list
  Users@ovirt.org
  http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Debian linux and oVirt SSO

2016-07-15 Thread Yaniv Kaul

On Fri, Jul 15, 2016 at 12:50 PM, Tadas  wrote:

> Hello,
> i'm struggling to get oVirt SSO working on Linux guest VM.
> I can confirm, that SSO is fully functional on Windows guest (please
> note it's not a full oVirt installation - I'm just testing oVirt guest
> agent on virtual machines running on plain KVM hypervisor).
>

Part of the issue is that you are missing quite a bit of the orchestration
that oVirt performs to make SSO work...
There may some other issues, but I warmly suggest using oVirt and not the
undocumented APIs - which may or may not change in the future, between the
agent and other components.
 Y.


> Steps I've made:
> got oVirt guest agent up and running, I can communicate with it from
> hypervisor:
>
> socat /var/lib/libvirt/qemu/channel/target/domain-80-KDE64_1/com.kvm-
> vdi.0 -
> {"__name__": "os-version", "version": "4.6.0-1-amd64"}
> Compiled and copied pam_ovirt_cred.so to /lib/x86_64-linux-gnu/security
>
> Configured /etc/pam.d/kdm-ovirt-cred with:
>
> %PAM-1.0
> authrequiredpam_ovirt_cred.so
> authinclude password-auth
> account include password-auth
> passwordinclude password-auth
> session requiredpam_selinux.so close
> session requiredpam_selinux.so open
> session include password-auth
>
> Compiled and copied kgreet_ovirtcred.so to /usr/lib/kde4
>
> Configured /etc/kde4/kdm/kdmrc with:
>
> PluginsLogin=ovirtcred
>
> Symptoms:
> After starting kdm, I get login prompt with barely visible title (I
> assume it should spell "oVirt Authentication" from
> kgreet_ovirtcred.cpp). Username and password boxes are inactive - i
> cannot enter anything to them. After emitting username/password to
> oVirt agent, I can see the following log entries:
>
> Dummy-1::INFO::2016-07-15 12:29:51,628::CredServer::207::root::The
> following users are allowed to connect: [0]
> Dummy-1::INFO::2016-07-15 12:29:51,629::CredServer::273::root::Opening
> credentials channel...
> Dummy-1::INFO::2016-07-15 12:29:51,629::CredServer::132::root::Emitting
> user authenticated signal (509542).
> CredChannel::INFO::2016-07-15
> 12:29:56,634::CredServer::241::root::Credentials channel timed out.
>
> The only thing that worries me, - are the entries in kdm.log file:
>
> klauncher(6100) kdemain: No DBUS session-bus found. Check if you have
> started the DBUS server.
>
> Since oVirt guest agent sends wakeup message to greeter plugin via
> Dbus, perhaps this is the problem? Maybe someone had the same problem
> here?
> This happens on Debian 8 and 9.
>
> Thank you.
>
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Debian linux and oVirt SSO

2016-07-15 Thread Vinzenz Feenstra


> On Jul 15, 2016, at 11:50 AM, Tadas  wrote:
> 
> Hello,
> i'm struggling to get oVirt SSO working on Linux guest VM.
> I can confirm, that SSO is fully functional on Windows guest (please
> note it's not a full oVirt installation - I'm just testing oVirt guest
> agent on virtual machines running on plain KVM hypervisor).
> 
> Steps I've made:
> got oVirt guest agent up and running, I can communicate with it from
> hypervisor:
> 
> socat /var/lib/libvirt/qemu/channel/target/domain-80-KDE64_1/com.kvm-
> vdi.0 -
> {"__name__": "os-version", "version": "4.6.0-1-amd64"}
> Compiled and copied pam_ovirt_cred.so to /lib/x86_64-linux-gnu/security
> 
> Configured /etc/pam.d/kdm-ovirt-cred with:
> 
> %PAM-1.0
> authrequiredpam_ovirt_cred.so
> authinclude password-auth
> account include password-auth
> passwordinclude password-auth
> session requiredpam_selinux.so close
> session requiredpam_selinux.so open
> session include password-auth
> 
> Compiled and copied kgreet_ovirtcred.so to /usr/lib/kde4
> 
> Configured /etc/kde4/kdm/kdmrc with:
> 
> PluginsLogin=ovirtcred

you should just add ovirtcred and not remove all the other options, without the 
other options you’re not able to login

> 
> Symptoms:
> After starting kdm, I get login prompt with barely visible title (I
> assume it should spell "oVirt Authentication" from
> kgreet_ovirtcred.cpp). Username and password boxes are inactive - i
> cannot enter anything to them. After emitting username/password to
> oVirt agent, I can see the following log entries:
> 
> Dummy-1::INFO::2016-07-15 12:29:51,628::CredServer::207::root::The
> following users are allowed to connect: [0]
> Dummy-1::INFO::2016-07-15 12:29:51,629::CredServer::273::root::Opening
> credentials channel...
> Dummy-1::INFO::2016-07-15 12:29:51,629::CredServer::132::root::Emitting
> user authenticated signal (509542).
> CredChannel::INFO::2016-07-15
> 12:29:56,634::CredServer::241::root::Credentials channel timed out.
> 
> The only thing that worries me, - are the entries in kdm.log file:
> 
> klauncher(6100) kdemain: No DBUS session-bus found. Check if you have
> started the DBUS server. 

To me it looks like that you’re missing 
https://github.com/oVirt/ovirt-guest-agent/blob/master/ovirt-guest-agent/org.ovirt.vdsm.Credentials.conf
 




> 
> Since oVirt guest agent sends wakeup message to greeter plugin via
> Dbus, perhaps this is the problem? Maybe someone had the same problem
> here?
> This happens on Debian 8 and 9.


However the KDM support is basically not really developed anymore as the 
majority of our users are rather using GDM. So there’s quite the possibility 
that there’s a problem.

> 
> Thank you.
> 
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

[ovirt-users] Debian linux and oVirt SSO

2016-07-15 Thread Tadas

Hello,
i'm struggling to get oVirt SSO working on Linux guest VM.
I can confirm, that SSO is fully functional on Windows guest (please
note it's not a full oVirt installation - I'm just testing oVirt guest
agent on virtual machines running on plain KVM hypervisor).

Steps I've made:
got oVirt guest agent up and running, I can communicate with it from
hypervisor:

socat /var/lib/libvirt/qemu/channel/target/domain-80-KDE64_1/com.kvm-
vdi.0 -
{"__name__": "os-version", "version": "4.6.0-1-amd64"}
Compiled and copied pam_ovirt_cred.so to /lib/x86_64-linux-gnu/security

Configured /etc/pam.d/kdm-ovirt-cred with:

%PAM-1.0
authrequiredpam_ovirt_cred.so
authinclude password-auth
account include password-auth
passwordinclude password-auth
session requiredpam_selinux.so close
session requiredpam_selinux.so open
session include password-auth

Compiled and copied kgreet_ovirtcred.so to /usr/lib/kde4

Configured /etc/kde4/kdm/kdmrc with:

PluginsLogin=ovirtcred

Symptoms:
After starting kdm, I get login prompt with barely visible title (I
assume it should spell "oVirt Authentication" from
kgreet_ovirtcred.cpp). Username and password boxes are inactive - i
cannot enter anything to them. After emitting username/password to
oVirt agent, I can see the following log entries:

Dummy-1::INFO::2016-07-15 12:29:51,628::CredServer::207::root::The
following users are allowed to connect: [0]
Dummy-1::INFO::2016-07-15 12:29:51,629::CredServer::273::root::Opening
credentials channel...
Dummy-1::INFO::2016-07-15 12:29:51,629::CredServer::132::root::Emitting
user authenticated signal (509542).
CredChannel::INFO::2016-07-15
12:29:56,634::CredServer::241::root::Credentials channel timed out.

The only thing that worries me, - are the entries in kdm.log file:

klauncher(6100) kdemain: No DBUS session-bus found. Check if you have
started the DBUS server. 

Since oVirt guest agent sends wakeup message to greeter plugin via
Dbus, perhaps this is the problem? Maybe someone had the same problem
here?
This happens on Debian 8 and 9.

Thank you.


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Debian linux and oVirt SSO

Re: [ovirt-users] Debian linux and oVirt SSO

Re: [ovirt-users] Debian linux and oVirt SSO

Re: [ovirt-users] Debian linux and oVirt SSO

Re: [ovirt-users] Debian linux and oVirt SSO

Re: [ovirt-users] Debian linux and oVirt SSO

Re: [ovirt-users] Debian linux and oVirt SSO

Re: [ovirt-users] Debian linux and oVirt SSO

Re: [ovirt-users] Debian linux and oVirt SSO

[ovirt-users] Debian linux and oVirt SSO

10 matches

Site Navigation

Mail list logo

Footer information