Hi Ondra,

It manages to authenticate, but appends the domain again once I'm logged
in, for instance, if I log in as user 'cam', it will log me in,
and display the login name in the top right corner as 'c...@domain.com@
domain.com' (this shows up in the log as well: it shows me
logging in as c...@domain.com, but then returns an error as user
c...@domain.com@domain.com is not authorized). My thought was
that something done earlier when I was playing around with sssd, kerberos
and AD is doing this, though I have removed these packages
and run authconfig to remove sssd. Any ideas?

Cheers,

Cam

On Thu, Oct 13, 2016 at 2:04 PM, cmc <iuco...@gmail.com> wrote:

> Hi Ondra,
>
> That is good to know that we don't need Kerberos - it complicates things a
> lot.
>
> I think the errors might be the options I'd selected during the setup. I
> was thrown a bit that
> it passed all the internal tests provided by the setup script, but failed
> on the web GUI. When
> I've seen 'unspecified GSS failure' and 'peer not authenticated' it's
> usually been due to
> Kerberos (though admittedly these are just generic errors). So I tried the
> Redhat guide for SSO at:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_
> Enterprise_Virtualization/3.6/html/Administration_Guide/
> Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html
>
> which uses Kerberos (in ovirt-sso.conf) I had to remove the symlink to the
> Apache
> config it says to create, as it results in internal server errors in
> Apache. It uses an SPN for
> Apache in the keytab.
>
> Now that you've confirmed that it can actually work without any need for
> the Kerberos stuff,
> I will start afresh from a clean setup and apply what I've learnt during
> this process.
>
> I'll try it out and let you know either way.
>
> Many thanks for all the help!
>
> Kind regards,
>
> Cam
>
>
>
>> Yes, you really do not need anything kerberos related to securely bind
>> to AD via LDAP simple bind over TLS/SSL. This is really strange to me
>> what errors you are getting, but you probably configured apache (or
>> something else?) to require keytab, but you don't have to, and you can
>> remove that configuration.
>>
>>
>>> Thanks,
>>>
>>> Cam
>>>
>>>
>>>
>>>
>>>         Thanks,
>>>
>>>         Cam
>>>
>>>         _______________________________________________
>>>
>>>                 Users mailing list
>>>                 Users@ovirt.org <mailto:Users@ovirt.org>
>>>         <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>
>>>                 http://lists.ovirt.org/mailman/listinfo/users
>>>         <http://lists.ovirt.org/mailman/listinfo/users>
>>>                 <http://lists.ovirt.org/mailman/listinfo/users
>>>         <http://lists.ovirt.org/mailman/listinfo/users>>
>>>
>>>
>>>
>>>
>
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Reply via email to