Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-04 Thread Martin Perina 
On Tue, Oct 4, 2016 at 5:16 PM,  wrote:

> Martin, thanks for the help. It works.
>

​Glad to hear that, thanks.

Martin
​


>
> 03.10.2016, 15:01, "Martin Perina" :
> > ​Ahh, this is the issue. Above configuration is valid for oVirt 3.x, but
> in 4.0 we have quite new OAuth base SSO, so you need to use following
> configuration:
> >
> >  oauth/token-http-auth)|^/ovirt-engine/api>
> >   
> > RewriteEngine on
> > RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
> > RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
> > RequestHeader set X-Remote-User %{REMOTE_USER}s
> > AuthType Kerberos
> > AuthName "Kerberos Login"
> > Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
> > KrbAuthRealms AD.HOLDING.COM
> > KrbMethodK5Passwd off
> > Require valid-user
> > ErrorDocument 401 " url=/ovirt-engine/sso/login-unauthorized\"/> href=\"/ovirt-engine/sso/login-unauthorized\">Here"
> >   
> > 
> > ​
> >
> > ​Also as 4.0 is working on EL7 you may use mod_auth_gssapi/mod_session
> instead of quite old mod_auth_krb. For mod_auth_gssapi/mod_sessions you
> need to do following:
> >
> >   1. yum install mod_session mod_auth_gssapi
> >   2. Use following Apache configuration ​
> >
> > ​ oauth/token-http-auth)|^/ovirt-engine/api>
> >   
> > RewriteEngine on
> > RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
> > RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
> > RequestHeader set X-Remote-User %{REMOTE_USER}s
> >
> > AuthType GSSAPI
> > AuthName "Kerberos Login"
> >
> > # Modify to match installation
> > GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
> > GssapiUseSessions On
> > Session On
> > SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
> >
> > Require valid-user
> > ErrorDocument 401 " url=/ovirt-engine/sso/login-unauthorized\"/> href=\"/ovirt-engine/sso/login-unauthorized\">Here"
> >   
> > ​
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-04 Thread aleksey . maksimov 
Martin, thanks for the help. It works.

03.10.2016, 15:01, "Martin Perina" :
> ​Ahh, this is the issue. Above configuration is valid for oVirt 3.x, but in 
> 4.0 we have quite new OAuth base SSO, so you need to use following 
> configuration:
>
>  ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
>   
>     RewriteEngine on
>     RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
>     RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
>     RequestHeader set X-Remote-User %{REMOTE_USER}s
>     AuthType Kerberos
>     AuthName "Kerberos Login"
>     Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
>     KrbAuthRealms AD.HOLDING.COM
>     KrbMethodK5Passwd off
>     Require valid-user
>     ErrorDocument 401 " url=/ovirt-engine/sso/login-unauthorized\"/> href=\"/ovirt-engine/sso/login-unauthorized\">Here"
>   
> 
> ​
>
> ​Also as 4.0 is working on EL7 you may use mod_auth_gssapi/mod_session 
> instead of quite old mod_auth_krb. For mod_auth_gssapi/mod_sessions you need 
> to do following:
>
>   1. yum install mod_session mod_auth_gssapi
>   2. Use following Apache configuration ​
>
> ​ ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
>   
>     RewriteEngine on
>     RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
>     RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
>     RequestHeader set X-Remote-User %{REMOTE_USER}s
>
>     AuthType GSSAPI
>     AuthName "Kerberos Login"
>
>     # Modify to match installation
>     GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
>     GssapiUseSessions On
>     Session On
>     SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
>
>     Require valid-user
>     ErrorDocument 401 " url=/ovirt-engine/sso/login-unauthorized\"/> href=\"/ovirt-engine/sso/login-unauthorized\">Here"
>   
> ​
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-03 Thread Martin Perina 
Hi,

please take a look at inline comments:

On Mon, Oct 3, 2016 at 9:15 AM,  wrote:

> Yes. Of course. Here are my configs.
>
> 
> =
> # cat /etc/ovirt-engine/aaa/ovirt-sso.conf
>
> ​​
> 
> RewriteEngine on
> RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
> RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
> RequestHeader set X-Remote-User %{REMOTE_USER}s
> AuthType Kerberos
> AuthName "Kerberos Login"
> Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
> KrbAuthRealms AD.HOLDING.COM
> #KrbMethodNegotiate on
> #KrbMethodK5Passwd on
> KrbMethodK5Passwd off
> Require valid-user
> 
>

​Ahh, this is the issue. Above configuration is valid for oVirt 3.x, but in
4.0 we have quite new OAuth base SSO, so you need to use following
configuration:


  
RewriteEngine on
RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
RequestHeader set X-Remote-User %{REMOTE_USER}s
AuthType Kerberos
AuthName "Kerberos Login"
Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
KrbAuthRealms AD.HOLDING.COM
KrbMethodK5Passwd off
Require valid-user
ErrorDocument 401 "Here"
  

​

​Also as 4.0 is working on EL7 you may use mod_auth_gssapi/mod_session
instead of quite old mod_auth_krb. For mod_auth_gssapi/mod_sessions you
need to do following:

  1. yum install mod_session mod_auth_gssapi
  2. Use following Apache configuration ​


​
  
RewriteEngine on
RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
RequestHeader set X-Remote-User %{REMOTE_USER}s

AuthType GSSAPI
AuthName "Kerberos Login"

# Modify to match installation
GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
GssapiUseSessions On
Session On
SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;

Require valid-user
ErrorDocument 401 "Here"
  
​

​


>
> # ls -la /etc/httpd/conf.d/ovirt-*
>
> -rw-r--r--. 1 root root 33 Jul 26 16:42 /etc/httpd/conf.d/ovirt-
> engine-root-redirect.conf
> lrwxrwxrwx. 1 root root 36 Sep 30 00:06 /etc/httpd/conf.d/ovirt-sso.conf
> -> /etc/ovirt-engine/aaa/ovirt-sso.conf
>
>
> 
> =
> # cat /etc/ovirt-engine/aaa/ad.holding.com.properties
>
> include = 
> vars.domain = ad.holding.com
> pool.default.auth.simple.bindDN = s-oVirt-LS@${global:vars.domain}
> pool.default.auth.simple.password = Passw0rd
> pool.default.dc-resolve.enable = false
> search.default.dc-resolve.enable = false
> search.ad-resolve-upn.search-request.baseDN = DC=ad,DC=holding,DC=com
> pool.default.serverset.type = failover
> pool.default.serverset.failover.00.server = kom-dc01.${global:vars.domain}
> pool.default.serverset.failover.01.server = kom-dc02.${global:vars.domain}
> pool.default.serverset.failover.port = 636
> pool.default.serverset.failover.domain = ${global:vars.domain}
> pool.default.ssl.enable = true
> pool.default.ssl.protocol = TLSv1.2
> pool.default.ssl.truststore.file = ${local:_basedir}/${global:
> vars.domain}.jks
> pool.default.ssl.truststore.password = changeit
>


> =
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-authz.properties
>
> ovirt.engine.extension.name = ad.holding.com-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.
> extensions.aaa.Authz
> config.profile.file.1 = ../aaa/ad.holding.com.properties
>
> 
> =
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-authn.properties
>
> ovirt.engine.extension.name = ad.holding.com-http-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.
> extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = ad.holding.com-http
> ovirt.engine.aaa.authn.authz.plugin = ad.holding.com-authz
> ovirt.engine.aaa.authn.mapping.plugin = ad.holding.com-http-mapping
> config.artifact.name = HEADER
> config.artifact.arg = X-Remote-User
>
> 
> =
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-mapping.
> properties
>
> ovirt.engine.extension.name = ad.holding.com-http-mapping
>

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-03 Thread aleksey . maksimov 
Yes. Of course. Here are my configs.

=
# cat /etc/ovirt-engine/aaa/ovirt-sso.conf


RewriteEngine on
RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
RequestHeader set X-Remote-User %{REMOTE_USER}s
AuthType Kerberos
AuthName "Kerberos Login"
Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
KrbAuthRealms AD.HOLDING.COM
#KrbMethodNegotiate on
#KrbMethodK5Passwd on
KrbMethodK5Passwd off
Require valid-user



# ls -la /etc/httpd/conf.d/ovirt-*

-rw-r--r--. 1 root root 33 Jul 26 16:42 
/etc/httpd/conf.d/ovirt-engine-root-redirect.conf
lrwxrwxrwx. 1 root root 36 Sep 30 00:06 /etc/httpd/conf.d/ovirt-sso.conf -> 
/etc/ovirt-engine/aaa/ovirt-sso.conf


=
# cat /etc/ovirt-engine/aaa/ad.holding.com.properties

include = 
vars.domain = ad.holding.com
pool.default.auth.simple.bindDN = s-oVirt-LS@${global:vars.domain}
pool.default.auth.simple.password = Passw0rd
pool.default.dc-resolve.enable = false
search.default.dc-resolve.enable = false
search.ad-resolve-upn.search-request.baseDN = DC=ad,DC=holding,DC=com
pool.default.serverset.type = failover
pool.default.serverset.failover.00.server = kom-dc01.${global:vars.domain}
pool.default.serverset.failover.01.server = kom-dc02.${global:vars.domain}
pool.default.serverset.failover.port = 636
pool.default.serverset.failover.domain = ${global:vars.domain}
pool.default.ssl.enable = true
pool.default.ssl.protocol = TLSv1.2
pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
pool.default.ssl.truststore.password = changeit

=
# cat /etc/ovirt-engine/extensions.d/ad.holding.com-authz.properties

ovirt.engine.extension.name = ad.holding.com-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = 
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = 
org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/ad.holding.com.properties

=
# cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-authn.properties

ovirt.engine.extension.name = ad.holding.com-http-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = 
org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = 
org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = ad.holding.com-http
ovirt.engine.aaa.authn.authz.plugin = ad.holding.com-authz
ovirt.engine.aaa.authn.mapping.plugin = ad.holding.com-http-mapping
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User

=
# cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-mapping.properties

ovirt.engine.extension.name = ad.holding.com-http-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = 
org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = 
org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
config.mapAuthRecord.regex.mustMatch = true
config.mapAuthRecord.regex.pattern = 
^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}${realm}


03.10.2016, 09:56, "Martin Perina" :

> ​Ahh, so kerberos SSO works fine for API, but not for portals. Could you 
> please share your Apache configuration with oVirt kerberos configuration? 
> Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-03 Thread Martin Perina 
On Mon, Oct 3, 2016 at 8:52 AM,  wrote:

>  > network.negotiate-auth.delegation-uris = .ad.holding.com
>  > network.negotiate-auth.trusted-uris = .ad.holding.com
>
> Yes. Configured
>
> The URL https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api in IE and
> Firefox opens without problems and without password prompts
>
> But when opening links from start page...
>
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/
> userportal/?locale=en_US
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/webadmin/?locale=en_US
>
> ...opens a oVirt form prompting for credentials with a single profile
> "internal"
>

​Ahh, so kerberos SSO works fine for API, but not for portals. Could you
please share your Apache configuration with oVirt kerberos configuration?
Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf

Thanks

Martin Perina
​


>
>
> 03.10.2016, 09:37, "Martin Perina" :
>
>
>
> On Mon, Oct 3, 2016 at 8:18 AM,  wrote:
>
>
> Hello, Martin
>
> Before I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS working
> successfully from Internet Explorer & Forefox.
> Kerberos authentication NOT working with oVirt Web-Portals.
>
> I expect that the users opening the oVirt web portal in the browser did
> not enter a password, and used instead of the transparent sign-on using
> Kerberos.
> It is impossible ??
>
>
> ​It's possible and it's working fine when everything is properly set up.
> But please bear in mind kerberos SSO is one of the most complicated oVirt
> setup, but usually the error is on kerberos side (environment issues on the
> client).
>
> So, you are saying that using curl you are able to access API using
> kerberos ticket but when you try to access the same API from the browser it
> does not work, right?
> I don't use IE, but you need to set following options in "about:config"
> URL for Firefox to work properly with kerberos:
>
>  network.negotiate-auth.delegation-uris = .ad.holding.com
>  network.negotiate-auth.trusted-uris = .ad.holding.com
>
> If you have those options set, what exactly happen when you try to access ​
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
> ​
>
> ​in Firefox?
>
> Martin Perina
>
> ​
>
>
> 03.10.2016, 09:08, "Martin Perina" :
>
> Hi Aleksey,
>
> in your last email you wrote that everything works (at least that's my
> understanding, email pasted below). So what exactly doesn't work for you?
>
> Regards
>
> Martin Perina
>
>
> > # kinit aleksey
> >
> > Password for alek...@ad.holding.com: ***
> >
> > # klist
> >
> > Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
> > Default principal: alek...@ad.holding.com
> >
> > Valid starting   Expires  Service principal
> > 09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/AD.HOLDING.COM@AD.
> HOLDING.COM
> > renew until 10/07/2016 16:50:29
> >
> >
> > # curl --negotiate -u : -X GET -H "Accept: application/xml" -k
> ​​ 
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
> >
> > 
> > 
> >  ... output truncated ...
> > 
> >
> > It Works.
> > The browsers are configured.
> > Kerberos authentication for Windows web servers working successfully
> from Internet Explorer & Forefox
>
>
> On Mon, Oct 3, 2016 at 7:37 AM,  wrote:
>
>
> Up
>
> 30.09.2016, 18:55, "aleksey.maksi...@it-kb.ru"  >:
> > Any other ideas?
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-03 Thread aleksey . maksimov 
 > network.negotiate-auth.delegation-uris = .ad.holding.com > network.negotiate-auth.trusted-uris = .ad.holding.com Yes. Configured The URL https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api in IE and Firefox opens without problems and without password prompts But when opening links from start page... https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/userportal/?locale=en_UShttps://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/webadmin/?locale=en_US ...opens a oVirt form prompting for credentials with a single profile "internal"  03.10.2016, 09:37, "Martin Perina" :  On Mon, Oct 3, 2016 at 8:18 AM,  wrote: Hello, Martin Before I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS working successfully from Internet Explorer & Forefox.Kerberos authentication NOT working with oVirt Web-Portals. I expect that the users opening the oVirt web portal in the browser did not enter a password, and used instead of the transparent sign-on using Kerberos.It is impossible ?? ​It's possible and it's working fine when everything is properly set up. But please bear in mind kerberos SSO is one of the most complicated oVirt setup, but usually the error is on kerberos side (environment issues on the client). So, you are saying that using curl you are able to access API using kerberos ticket but when you try to access the same API from the browser it does not work, right?I don't use IE, but you need to set following options in "about:config" URL for Firefox to work properly with kerberos: network.negotiate-auth.delegation-uris = .ad.holding.com network.negotiate-auth.trusted-uris = .ad.holding.com If you have those options set, what exactly happen when you try to access ​https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api​ ​in Firefox? Martin Perina​ 03.10.2016, 09:08, "Martin Perina" :Hi Aleksey,in your last email you wrote that everything works (at least that's my understanding, email pasted below). So what exactly doesn't work for you?RegardsMartin Perina> # kinit aleksey>> Password for alek...@ad.holding.com: ***>> # klist>> Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9> Default principal: alek...@ad.holding.com>> Valid starting       Expires              Service principal> 09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/ad.holding@ad.holding.com>         renew until 10/07/2016 16:50:29>>> # curl --negotiate -u : -X GET -H "Accept: application/xml" -k​​https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api>> > >  ... output truncated ...> >> It Works.> The browsers are configured.> Kerberos authentication for Windows web servers working successfully from Internet Explorer & Forefox  On Mon, Oct 3, 2016 at 7:37 AM,  wrote: Up30.09.2016, 18:55, "aleksey.maksi...@it-kb.ru" :> Any other ideas?___Users mailing listUsers@ovirt.orghttp://lists.ovirt.org/mailman/listinfo/users___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-03 Thread Martin Perina 
On Mon, Oct 3, 2016 at 8:18 AM,  wrote:

>
> Hello, Martin
>
> Before I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS working
> successfully from Internet Explorer & Forefox.
> Kerberos authentication NOT working with oVirt Web-Portals.
>
> I expect that the users opening the oVirt web portal in the browser did
> not enter a password, and used instead of the transparent sign-on using
> Kerberos.
> It is impossible ??
>

​It's possible and it's working fine when everything is properly set up.
But please bear in mind kerberos SSO is one of the most complicated oVirt
setup, but usually the error is on kerberos side (environment issues on the
client).

So, you are saying that using curl you are able to access API using
kerberos ticket but when you try to access the same API from the browser it
does not work, right?
I don't use IE, but you need to set following options in "about:config" URL
for Firefox to work properly with kerberos:

 network.negotiate-auth.delegation-uris = .ad.holding.com
 network.negotiate-auth.trusted-uris = .ad.holding.com

If you have those options set, what exactly happen when you try to access ​
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
​

​in Firefox?

Martin Perina

​

>
> 03.10.2016, 09:08, "Martin Perina" :
>
> Hi Aleksey,
>
> in your last email you wrote that everything works (at least that's my
> understanding, email pasted below). So what exactly doesn't work for you?
>
> Regards
>
> Martin Perina
>
>
> > # kinit aleksey
> >
> > Password for alek...@ad.holding.com: ***
> >
> > # klist
> >
> > Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
> > Default principal: alek...@ad.holding.com
> >
> > Valid starting   Expires  Service principal
> > 09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/AD.HOLDING.COM@AD.
> HOLDING.COM
> > renew until 10/07/2016 16:50:29
> >
> >
> > # curl --negotiate -u : -X GET -H "Accept: application/xml" -k
> ​​
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
> >
> > 
> > 
> >  ... output truncated ...
> > 
> >
> > It Works.
> > The browsers are configured.
> > Kerberos authentication for Windows web servers working successfully
> from Internet Explorer & Forefox
>
>
> On Mon, Oct 3, 2016 at 7:37 AM,  wrote:
>
>
> Up
>
> 30.09.2016, 18:55, "aleksey.maksi...@it-kb.ru"  >:
> > Any other ideas?
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-03 Thread aleksey . maksimov 
 Hello, Martin Before I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS working successfully from Internet Explorer & Forefox.Kerberos authentication NOT working with oVirt Web-Portals. I expect that the users opening the oVirt web portal in the browser did not enter a password, and used instead of the transparent sign-on using Kerberos.It is impossible ?? 03.10.2016, 09:08, "Martin Perina" :Hi Aleksey,in your last email you wrote that everything works (at least that's my understanding, email pasted below). So what exactly doesn't work for you?RegardsMartin Perina> # kinit aleksey>> Password for alek...@ad.holding.com: ***>> # klist>> Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9> Default principal: alek...@ad.holding.com>> Valid starting       Expires              Service principal> 09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/ad.holding@ad.holding.com>         renew until 10/07/2016 16:50:29>>> # curl --negotiate -u : -X GET -H "Accept: application/xml" -k https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api>> > >  ... output truncated ...> >> It Works.> The browsers are configured.> Kerberos authentication for Windows web servers working successfully from Internet Explorer & Forefox  On Mon, Oct 3, 2016 at 7:37 AM,  wrote: Up30.09.2016, 18:55, "aleksey.maksi...@it-kb.ru" :> Any other ideas?___Users mailing listUsers@ovirt.orghttp://lists.ovirt.org/mailman/listinfo/users___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-03 Thread Martin Perina 
Hi Aleksey,

in your last email you wrote that everything works (at least that's my
understanding, email pasted below). So what exactly doesn't work for you?

Regards

Martin Perina


> # kinit aleksey
>
> Password for alek...@ad.holding.com: ***
>
> # klist
>
> Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
> Default principal: alek...@ad.holding.com
>
> Valid starting   Expires  Service principal
> 09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/AD.HOLDING.COM@AD.
HOLDING.COM
> renew until 10/07/2016 16:50:29
>
>
> # curl --negotiate -u : -X GET -H "Accept: application/xml" -k
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
>
> 
> 
>  ... output truncated ...
> 
>
> It Works.
> The browsers are configured.
> Kerberos authentication for Windows web servers working successfully from
Internet Explorer & Forefox


On Mon, Oct 3, 2016 at 7:37 AM,  wrote:

>
> Up
>
> 30.09.2016, 18:55, "aleksey.maksi...@it-kb.ru"  >:
> > Any other ideas?
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-10-02 Thread aleksey . maksimov 

Up

30.09.2016, 18:55, "aleksey.maksi...@it-kb.ru" :
> Any other ideas?
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-09-30 Thread aleksey . maksimov 
Any other ideas?
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-09-30 Thread aleksey . maksimov 
# kinit aleksey

Password for alek...@ad.holding.com: ***

# klist

Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
Default principal: alek...@ad.holding.com

Valid starting   Expires  Service principal
09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/ad.holding@ad.holding.com
renew until 10/07/2016 16:50:29


# curl --negotiate -u : -X GET -H "Accept: application/xml" -k 
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api



 ... output truncated ...


It Works.
The browsers are configured.
Kerberos authentication for Windows web servers working successfully from 
Internet Explorer & Forefox

30.09.2016, 16:45, "Ondra Machacek" :
> '/etc/httpd/s-oVirt-Krb.keytab' is apache keytab, you can't try to test
> login with it. You should try something like `kinit myuser` and then
> curl. And be sure that 'myuser' has appropriate permissions in oVirt.
>
> Do you have properly setup your browser and enabled negotiation (for
> example for firefox [1])?
>
> [1]
> https://docs.fedoraproject.org/en-US/Fedora/11/html/Security_Guide/sect-Security_Guide-Single_Sign_on_SSO-Configuring_Firefox_to_use_Kerberos_for_SSO.html
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-09-30 Thread Ondra Machacek 

'/etc/httpd/s-oVirt-Krb.keytab' is apache keytab, you can't try to test
login with it. You should try something like `kinit myuser` and then
curl. And be sure that 'myuser' has appropriate permissions in oVirt.

Do you have properly setup your browser and enabled negotiation (for
example for firefox [1])?

[1] 
https://docs.fedoraproject.org/en-US/Fedora/11/html/Security_Guide/sect-Security_Guide-Single_Sign_on_SSO-Configuring_Firefox_to_use_Kerberos_for_SSO.html


On 09/30/2016 03:34 PM, aleksey.maksi...@it-kb.ru wrote:

# kinit -V -k -t /etc/httpd/s-oVirt-Krb.keytab 
HTTP/kom-ad01-ovirt1.ad.holding.com

Using existing cache: persistent:0:0
Using principal: HTTP/kom-ad01-ovirt1.ad.holding@ad.holding.com
Using keytab: /etc/httpd/s-oVirt-Krb.keytab
Authenticated to Kerberos v5

# klist

Ticket cache: KEYRING:persistent:0:0
Default principal: HTTP/kom-ad01-ovirt1.ad.holding@ad.holding.com

Valid starting   Expires  Service principal
09/30/2016 16:28:02  10/01/2016 02:28:02  krbtgt/ad.holding@ad.holding.com
renew until 10/07/2016 16:28:02

# curl --negotiate -u : -X GET -H "Accept: application/xml" -k 
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api

ErrorUnauthorized

However, if I open this URL 
(https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api) in browser it opens 
without errors and authorization requests


# tail -f  /var/log/httpd/ssl_error_log
# tail -f  /var/log/ovirt-engine/engine.log

In the logs nothing in that moment when I open the portal in the browser.

30.09.2016, 15:52, "Ondra Machacek" :


So if you run kinit and then:

  $ curl --negotiate -u : -X GET -H "Accept: application/xml" -k
https://fqdn/ovirt-engine/api

It's fine?


 Please tell me how to find the cause of the problem. What are the steps to 
troubleshooting to do?


On oVirt engine check:

  /var/log/httpd/ssl_error_log
  /var/log/ovirt-engine/engine.log

On AD check kerberos log.


 ___
 Users mailing list
 Users@ovirt.org
 http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-09-30 Thread aleksey . maksimov 
# kinit -V -k -t /etc/httpd/s-oVirt-Krb.keytab 
HTTP/kom-ad01-ovirt1.ad.holding.com

Using existing cache: persistent:0:0
Using principal: HTTP/kom-ad01-ovirt1.ad.holding@ad.holding.com
Using keytab: /etc/httpd/s-oVirt-Krb.keytab
Authenticated to Kerberos v5

# klist

Ticket cache: KEYRING:persistent:0:0
Default principal: HTTP/kom-ad01-ovirt1.ad.holding@ad.holding.com

Valid starting   Expires  Service principal
09/30/2016 16:28:02  10/01/2016 02:28:02  krbtgt/ad.holding@ad.holding.com
renew until 10/07/2016 16:28:02

# curl --negotiate -u : -X GET -H "Accept: application/xml" -k 
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api

ErrorUnauthorized

However, if I open this URL 
(https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api) in browser it opens 
without errors and authorization requests


# tail -f  /var/log/httpd/ssl_error_log
# tail -f  /var/log/ovirt-engine/engine.log

In the logs nothing in that moment when I open the portal in the browser.

30.09.2016, 15:52, "Ondra Machacek" :

> So if you run kinit and then:
>
>   $ curl --negotiate -u : -X GET -H "Accept: application/xml" -k
> https://fqdn/ovirt-engine/api
>
> It's fine?
>
>>  Please tell me how to find the cause of the problem. What are the steps to 
>> troubleshooting to do?
>
> On oVirt engine check:
>
>   /var/log/httpd/ssl_error_log
>   /var/log/ovirt-engine/engine.log
>
> On AD check kerberos log.
>
>>  ___
>>  Users mailing list
>>  Users@ovirt.org
>>  http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2016-09-30 Thread Ondra Machacek 

On 09/30/2016 02:44 PM, aleksey.maksi...@it-kb.ru wrote:

Hello oVirt guru`s!

I set up oVirt integration with Active Directory LDAP according to the manual:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/sect-Configuring_an_External_LDAP_Provider.html#Configuring_an_External_LDAP_Provider_ManualMethod

I created a profile integration with my domain. All is working well.

Now I'm trying to configure single sign-on for portals based on Kerberos.

All settings are performed according to the manual:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html

Kerberos client tested and working. However, SSO is not working.


So if you run kinit and then:

 $ curl --negotiate -u : -X GET -H "Accept: application/xml" -k 
https://fqdn/ovirt-engine/api


It's fine?



Please tell me how to find the cause of the problem. What are the steps to 
troubleshooting to do?


On oVirt engine check:

 /var/log/httpd/ssl_error_log
 /var/log/ovirt-engine/engine.log

On AD check kerberos log.


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users