The issue is most probably that your user doesn't have permissions to log in/see VMs in oVirt. Just log in as admin@internal to webadmin and assign user 'aaa' some permissions.
Here[1] is an example of how to work with virtual machine permissions.


On 04/14/2016 11:44 AM, Marcel Galke wrote:

I'm using curl and I followed steps in [1] and double checked the
I've tested API access vs. webadmin access (see below).

$ curl -v --negotiate -X GET -H "Accept: application/xml" -k
# Result: HTTP 401
$ kinit
$ curl -v --negotiate -X GET -H "Accept: application/xml" -k # Result: HTTP 200
$ curl --negotiate -v -u : -X GET -H "Accept: application/xml" -k # Result: HTTP 401

Therefore I believe httpd config is fine.
For engine.log and properties file see attachment.
I've also attached console output from curl.

Thanks and regards

On 14.04.2016 08:11, Ondra Machacek wrote:
On 04/14/2016 08:06 AM, Ondra Machacek wrote:
On 04/13/2016 10:43 PM, Marcel Galke wrote:

I need to automatically create a list of all the VMs and the storage
path to their disks in the data center for offline storage for disaster
recovery. We have oVirt 3.6 and IPA 4.2.0.
To achieve this my idea was to query the API using Kerberos
authentication and a keytab. This could then run as cronjob.
Using username and password is not an option.

To configure oVirt for use with IPA I've run engine-manage-domains but
the result is not exactly what I'm looking for (despite the fact
that I can add directory users etc.).
Next I tried the generic LDAP provider as per documentation

Just to be sure, did you follow these steps[1]?
If yes and it doesn't work, it would be nice if you can share the properties
files you have and engine.log (the part when engine starts). Please also
ensure twice you have correct permissions on properties files, keytab
and apache config.

Also ensure your browser is correctly set up. Example for Firefox[2].

Sorry, I've just realized you use API.
So do you use SDKs or curl? Make sure you use Kerberos properly in both
For curl it's:  curl --negotiate
For SDKs[1], there is a parameter 'kerberos=true' in creation of api


It doesn't work only for API or for UserPortal and Webadmin as well? Or
you set it up only for API?



It was quite easy to get Apache to authenticate against IPA, but I did
not manage to access the API. Each try ended with an "HTTP/1.1 401
At the moment Apache authentication appears first and then the RESTAPI
auth dialog comes up.
Some facts about my setup:
oVirt Host:
-OS: CentOS 6.7
-Engine Version: 3.6
IPA Host:
-OS: CentOS 7.2
-IPA Version: 4.2.0

I might mix some things up. Please help me to find out how to achieve my
goal. I can provide more information if required.

Thanks a lot!

Best regards
