Hi Cam,

This is OK, because we use the user principal name (UPN)[1] for the
'username' field of oVirt. So the resulting username will consist of
UPN@authz-extension, so if your user's UPN is 'user@domain' and you
name your authz extension 'domain', then the resulting username
will be 'user@domain@domain'.

The problem, that you can't get authorized, is that you didn't assign
any permissions to your user.

[1] https://msdn.microsoft.com/en-us/library/ms680857(v=vs.85).aspx

On 10/14/2016 04:30 PM, cmc wrote:
Hi Ondra,

It manages to authenticate, but appends the domain again once I'm logged
in, for instance, if I log in as user 'cam', it will log me in,
and display the login name in the top right corner as
'c...@domain.com@domain.com' (this shows up in the
log as well: it shows me
logging in as c...@domain.com, but then returns
an error as user c...@domain.com@domain.com is not
authorized). My thought was
that something done earlier when I was playing around with sssd,
kerberos and AD is doing this, though I have removed these packages
and run authconfig to remove sssd. Any ideas?



On Thu, Oct 13, 2016 at 2:04 PM, cmc <iuco...@gmail.com> wrote:

    Hi Ondra,

    That is good to know that we don't need Kerberos - it complicates
    things a lot.

    I think the errors might be the options I'd selected during the
    setup. I was thrown a bit that
    it passed all the internal tests provided by the setup script, but
    failed on the web GUI. When
    I've seen 'unspecified GSS failure' and 'peer not authenticated'
    it's usually been due to
    Kerberos (though admittedly these are just generic errors). So I
    tried the Redhat guide for SSO at:


    which uses Kerberos (in ovirt-sso.conf). I had to remove the symlink
    to the Apache
    config it says to create, as it results in internal server errors in
    Apache. It uses an SPN for
    Apache in the keytab.

    Now that you've confirmed that it can actually work without any need
    for the Kerberos stuff,
    I will start afresh from a clean setup and apply what I've learnt
    during this process.

    I'll try it out and let you know either way.

    Many thanks for all the help!

    Kind regards,


        Yes, you really do not need anything Kerberos-related to
        securely bind
        to AD via LDAP simple bind over TLS/SSL. This is really strange
        to me
        what errors you are getting, but you probably configured Apache (or
        something else?) to require keytab, but you don't have to, and
        you can
        remove that configuration.





