It manages to authenticate, but appends the domain again once I'm logged
in, for instance, if I log in as user 'cam', it will log me in,
and display the login name in the top right corner as 'c...@domain.com@
domain.com' (this shows up in the log as well: it shows me
logging in as c...@domain.com, but then returns an error as user
c...@email@example.com is not authorized). My thought was
that something done earlier when I was playing around with sssd, kerberos
and AD is doing this, though I have removed these packages
and run authconfig to remove sssd. Any ideas?
On Thu, Oct 13, 2016 at 2:04 PM, cmc <iuco...@gmail.com> wrote:
> Hi Ondra,
> That is good to know that we don't need Kerberos - it complicates things a
> I think the errors might be the options I'd selected during the setup. I
> was thrown a bit that
> it passed all the internal tests provided by the setup script, but failed
> on the web GUI. When
> I've seen 'unspecified GSS failure' and 'peer not authenticated' it's
> usually been due to
> Kerberos (though admittedly these are just generic errors). So I tried the
> Redhat guide for SSO at:
> which uses Kerberos (in ovirt-sso.conf) I had to remove the symlink to the
> config it says to create, as it results in internal server errors in
> Apache. It uses an SPN for
> Apache in the keytab.
> Now that you've confirmed that it can actually work without any need for
> the Kerberos stuff,
> I will start afresh from a clean setup and apply what I've learnt during
> this process.
> I'll try it out and let you know either way.
> Many thanks for all the help!
> Kind regards,
>> Yes, you really do not need anything kerberos related to securely bind
>> to AD via LDAP simple bind over TLS/SSL. This is really strange to me
>> what errors you are getting, but you probably configured apache (or
>> something else?) to require keytab, but you don't have to, and you can
>> remove that configuration.
>>> Users mailing list
>>> Users@ovirt.org <mailto:Users@ovirt.org>
>>> <mailto:Users@ovirt.org <mailto:Users@ovirt.org>>
Users mailing list