Hi Ondra,

It manages to authenticate, but appends the domain again once I'm logged in, for instance, if I log in as user 'cam', it will log me in, and display the login name in the top right corner as 'c...@domain.com@ domain.com' (this shows up in the log as well: it shows me logging in as c...@domain.com, but then returns an error as user c...@firstname.lastname@example.org is not authorized). My thought was that something done earlier when I was playing around with sssd, kerberos and AD is doing this, though I have removed these packages and run authconfig to remove sssd. Any ideas?

Cheers,

Cam

On Thu, Oct 13, 2016 at 2:04 PM, cmc <iuco...@gmail.com> wrote:

> Hi Ondra,
>
> That is good to know that we don't need Kerberos - it complicates things a lot.
>
> I think the errors might be the options I'd selected during the setup. I was thrown a bit that it passed all the internal tests provided by the setup script, but failed on the web GUI. When I've seen 'unspecified GSS failure' and 'peer not authenticated' it's usually been due to Kerberos (though admittedly these are just generic errors). So I tried the Redhat guide for SSO at:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html
>
> which uses Kerberos (in ovirt-sso.conf). I had to remove the symlink to the Apache config it says to create, as it results in internal server errors in Apache. It uses an SPN for Apache in the keytab.
>
> Now that you've confirmed that it can actually work without any need for the Kerberos stuff, I will start afresh from a clean setup and apply what I've learnt during this process.
>
> I'll try it out and let you know either way.
>
> Many thanks for all the help!
>
> Kind regards,
>
> Cam
>
>> Yes, you really do not need anything kerberos related to securely bind to AD via LDAP simple bind over TLS/SSL. This is really strange to me what errors you are getting, but you probably configured apache (or something else?) to require keytab, but you don't have to, and you can remove that configuration.

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users