On 14 Oct 2016 at 4:30 PM, cmc <iuco...@gmail.com> wrote:
>
> Hi Ondra,
>
> It manages to authenticate, but appends the domain again once I'm logged in,
> for instance, if I log in as user 'cam', it will log me in,
> and display the login name in the top right corner as
> 'c...@domain.com@domain.com' (this shows up in the log as well: it shows me
> logging in as c...@domain.com, but then returns an error as user
> c...@domain.com@domain.com is not authorized). My thought was
> that something done earlier when I was playing around with sssd, kerberos and
> AD is doing this, though I have removed these packages
> and run authconfig to remove sssd. Any ideas?

Can't say why, but it's the same for us. It's unsightly, kindly put.

/K

>
> Cheers,
>
> Cam
>
> On Thu, Oct 13, 2016 at 2:04 PM, cmc <iuco...@gmail.com> wrote:
>>
>> Hi Ondra,
>>
>> That is good to know that we don't need Kerberos - it complicates things a
>> lot.
>>
>> I think the errors might be the options I'd selected during the setup. I was
>> thrown a bit that
>> it passed all the internal tests provided by the setup script, but failed on
>> the web GUI. When
>> I've seen 'unspecified GSS failure' and 'peer not authenticated' it's
>> usually been due to
>> Kerberos (though admittedly these are just generic errors). So I tried the
>> Redhat guide for SSO at:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html
>>
>> which uses Kerberos (in ovirt-sso.conf) I had to remove the symlink to the
>> Apache
>> config it says to create, as it results in internal server errors in Apache.
>> It uses an SPN for
>> Apache in the keytab.
>>
>> Now that you've confirmed that it can actually work without any need for the
>> Kerberos stuff,
>> I will start afresh from a clean setup and apply what I've learnt during
>> this process.
>>
>> I'll try it out and let you know either way.
>>
>> Many thanks for all the help!
>>
>> Kind regards,
>>
>> Cam
>>
>>
>>>
>>> Yes, you really do not need anything kerberos related to securely bind
>>> to AD via LDAP simple bind over TLS/SSL. This is really strange to me
>>> what errors you are getting, but you probably configured apache (or
>>> something else?) to require keytab, but you don't have to, and you can
>>> remove that configuration.
>>>
>>>>
>>>> Thanks,
>>>>
>>>> Cam
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users@ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users