Re: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA not working
krb5_child[2635]]]: Preauthentication failed

[root@ad01 ~]# vi /var/log/sssd/krb5_child.log

(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [unpack_buffer] (0x0100): cmd [249] uid [148047] gid [148047] validate [true] enterprise principal [false] offline [false] UPN [t...@domain.com]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ad01.domain@domain.com]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [become_user] (0x0200): Trying to become user [148047][148047].
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [k5c_send_data] (0x0200): Received error code 0
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [unpack_buffer] (0x0100): cmd [241] uid [148047] gid [148047] validate [true] enterprise principal [false] offline [false] UPN [t...@domain.com]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:148047] old_ccname: [KEYRING:persistent:148047] keytab: [/etc/krb5.keytab]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [switch_creds] (0x0200): Switch user to [148047][148047].
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ad01.domain@domain.com]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [become_user] (0x0200): Trying to become user [148047][148047].
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328360][Preauthentication failed]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [map_krb5_error] (0x0020): 1365: [-1765328360][Preauthentication failed]
(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [k5c_send_data] (0x0200): Received error code 1432158221

---IPA--- /var/log/krb5kdc.log

Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: t...@domain.com for krbtgt/domain@domain.com, Additional pre-authentication required
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: t...@domain.com for krbtgt/domain@domain.com, Additional pre-authentication required
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: t...@domain.com for krbtgt/domain@domain.com, Additional pre-authentication required
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: t...@domain.com for krbtgt/domain@domain.com, Additional pre-authentication required
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.2.2: PREAUTH_FAILED: t...@domain.com for krbtgt/domain@domain.com, Incorrect password in encrypted challenge
Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): closing down fd 12

-----Original Message-----
From: Paul [mailto:p...@kenla.nl]
Sent: Sunday 20 March 2016 16:48
To: 'Ondra Machacek'; 'users@ovirt.org'
Subject: RE: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA not working
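The failure in these logs is spread over two krb5_child processes, and the one that logs "Cannot handle password prompts" is not the one that fails. The following is an added example, not code from the thread, SSSD, FreeIPA or oVirt: it parses the three kinds of lines posted in this thread (krb5_child debug output, the KDC log, and the pam_sss syslog line from Paul's earlier mail), maps the numeric codes to their symbolic names, and separates the benign preauth probe from the real authentication failure. The command numbers 249 (SSS_PAM_PREAUTH) and 241 (SSS_PAM_AUTHENTICATE) are taken from SSSD's sss_cli.h, the PAM code from Linux-PAM's _pam_types.h and the krb5 code from MIT krb5's error table; the SAMPLE lines are constructed after the ones above.

```python
"""Triage of the krb5_child, KDC and pam_sss lines posted in this thread.

Added example for this page; it is not code from SSSD, FreeIPA or oVirt.
The SAMPLE lines are constructed after the ones in the thread (hosts, UID
and the t...@domain.com principal are the thread's own placeholders).
"""
import re

# Linux-PAM return codes (Linux-PAM _pam_types.h); 17 is the one in the thread.
PAM_CODES = {7: "PAM_AUTH_ERR", 17: "PAM_CRED_ERR"}

# krb5 KDC error codes start at KRB5KDC_ERR_NONE (-1765328384);
# KRB5KDC_ERR_PREAUTH_FAILED is offset 24, which is the -1765328360 in the log.
KRB5KDC_ERR_PREAUTH_FAILED = -1765328384 + 24

# krb5_child command numbers (SSSD sss_cli.h): 0xF9 is the PREAUTH probe,
# which carries no password; 0xF1 is the real AUTHENTICATE request.
SSS_PAM_AUTHENTICATE, SSS_PAM_PREAUTH = 0xF1, 0xF9   # 241 and 249 in the log

SSSD_RE = re.compile(r"^\(.*?\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
                     r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
KDC_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ krb5kdc\[\d+\]\(\w+\): (?P<msg>.*)$")
PAM_RE = re.compile(r"pam_sss\((?P<svc>[^:)]+):\w+\): received for user "
                    r"(?P<user>\S+): (?P<code>\d+) \(")
CMD_RE = re.compile(r"^cmd \[(?P<cmd>\d+)\]")
KRB_ERR_RE = re.compile(r"\[(?P<code>-\d+)\]\[[^\]]*\]")


def triage(lines):
    """Classify each krb5_child process, each KDC AS_REQ and each pam_sss result."""
    children = {}   # pid -> {"cmd", "error", "prompt_failed"}
    kdc = []        # (status, detail)
    pam = []        # (service, user, code, symbolic name)
    for line in lines:
        m = SSSD_RE.match(line)
        if m:
            c = children.setdefault(int(m["pid"]),
                                    {"cmd": None, "error": None, "prompt_failed": False})
            msg = m["msg"]
            cm = CMD_RE.match(msg)
            if cm:
                c["cmd"] = int(cm["cmd"])
            if m["func"] == "sss_krb5_prompter" and "Cannot handle password prompts" in msg:
                c["prompt_failed"] = True
            em = KRB_ERR_RE.search(msg)
            if em and m["func"] in ("get_and_save_tgt", "map_krb5_error"):
                c["error"] = int(em["code"])
            continue
        m = KDC_RE.match(line)
        if m:
            msg = m["msg"]
            if "PREAUTH_FAILED" in msg:
                kdc.append(("PREAUTH_FAILED", msg.rsplit(", ", 1)[-1]))
            elif "NEEDED_PREAUTH" in msg:
                kdc.append(("NEEDED_PREAUTH", "normal first round trip"))
            continue
        m = PAM_RE.search(line)
        if m:
            code = int(m["code"])
            pam.append((m["svc"], m["user"], code, PAM_CODES.get(code, "unknown")))

    verdicts = {}
    for pid, c in children.items():
        if c["cmd"] == SSS_PAM_PREAUTH and c["prompt_failed"] and c["error"] is None:
            # The probe has no password to offer, so the prompter warning is expected.
            verdicts[pid] = "benign: preauth probe, no password expected"
        elif c["cmd"] == SSS_PAM_AUTHENTICATE and c["error"] == KRB5KDC_ERR_PREAUTH_FAILED:
            verdicts[pid] = "failure: KDC rejected the password (KRB5KDC_ERR_PREAUTH_FAILED)"
        else:
            verdicts[pid] = "inconclusive"

    wrong_pw = any(s == "PREAUTH_FAILED" and "Incorrect password" in d for s, d in kdc)
    summary = ("wrong password: the encrypted-challenge preauth did not verify against "
               "the principal's key, so the password handed to krb5_child is not the "
               "user's IPA password" if wrong_pw else "no KDC password rejection found")
    return {"children": verdicts, "kdc": kdc, "pam": pam, "summary": summary}


# Constructed sample, modelled on the thread's lines and trimmed to what matters.
SAMPLE = [
    "(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [unpack_buffer] (0x0100): cmd [249] uid [148047] gid [148047] validate [true] enterprise principal [false] offline [false] UPN [t...@domain.com]",
    "(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.",
    "(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2634]]]] [k5c_send_data] (0x0200): Received error code 0",
    "(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [unpack_buffer] (0x0100): cmd [241] uid [148047] gid [148047] validate [true] enterprise principal [false] offline [false] UPN [t...@domain.com]",
    "(Fri Apr 21 10:07:59 2017) [[sssd[krb5_child[2635]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328360][Preauthentication failed]",
    "Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: t...@domain.com for krbtgt/domain@domain.com, Additional pre-authentication required",
    "Apr 21 10:08:00 ipa01.domain.com krb5kdc[2391](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.2.2: PREAUTH_FAILED: t...@domain.com for krbtgt/domain@domain.com, Incorrect password in encrypted challenge",
    "pam_sss(gdm-ovirtcred:auth): received for user test6: 17 (Failure setting user credentials)",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2, default=str))
```

Run it as a script for the sample, or pass it the lines of /var/log/sssd/krb5_child.log and the KDC log together. With the probe set aside, the remaining signals agree: krb5_child's KRB5KDC_ERR_PREAUTH_FAILED and the KDC's "Incorrect password in encrypted challenge" both say the guest submitted a password that is not the user's IPA password, which narrows the search to how the credentials reach the guest rather than to SSSD or KDC configuration.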
Re: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA not working
Hi Ondra,

Bug 1316135 was new to me and sounds very similar to my issue "(0, 17, ) [Success (Failure setting user credentials)]".

The proposed work-around with "authconfig --enablenis --update" worked for me, although this creates an issue with the keyring authentication. I can live with this for the moment, but hopefully the bug can be fixed soon.

Thanks for the quick responses,

Regards,

Paul

-----Original Message-----
From: Ondra Machacek [mailto:omach...@redhat.com]
Sent: Thursday 17 March 2016 19:12
To: Paul; users@ovirt.org
Subject: Re: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA not working
Re: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA not working
Hi Paul,

ok, thanks for the info, then there is an issue in the pam configuration, most probably. There is an open issue for it on rhel7, please try reading this comment[1] and see if it helps you.

Ondra

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1316135#c3

On 03/17/2016 06:07 PM, Paul wrote:
Re: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA not working
Hi Ondra,

Thanks for your reply, unfortunately this does not resolve the issue. I had already seen this bug and tried it without the -authz appendix (maybe I should have mentioned that). I also (maybe wrongfully) assumed that the "ovirt-engine-extension-aaa-ldap-setup" would not have this issue/bug.

Anyway, I changed it (again) to DOMAIN without '-authz' by changing:

/etc/ovirt-engine/extensions.d/DOMAIN-authz.properties => ovirt.engine.extension.name = DOMAIN
/etc/ovirt-engine/extensions.d/DOMAIN-authn.properties => ovirt.engine.aaa.authn.authz.plugin = DOMAIN
systemctl restart ovirt-engine

By the way: login with IPA users doesn't work anymore, you have to log in with the admin internal account and remove your IPA users and add them back to make them work again.

But I still get the error:

pam_sss(gdm-ovirtcred:auth): received for user test6: 17 (Failure setting user credentials)

Any suggestions?

-----Original Message-----
From: Ondra Machacek [mailto:omach...@redhat.com]
Sent: Thursday 17 March 2016 16:58
To: Paul; users@ovirt.org
Subject: Re: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA not working
Re: [ovirt-users] Hosted engine Single Sign-On to VM with freeIPA not working
Hi,

your authz name should match the kerberos name. So please change your authz name from 'DOMAIN-authz' to 'DOMAIN'.

Please see this bz[1] for more detail.

Ondra

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137#c7

On 03/17/2016 04:22 PM, Paul wrote:
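Paul's edit earlier in the thread renames the authz extension and repoints the authn file at it, and Ondra's rule above is that the authz name must match the Kerberos name. The following is an added example, not code from oVirt or from either participant, that checks both mechanically from the .properties files: a minimal Java-properties reader and a cross-check that every Authn extension's ovirt.engine.aaa.authn.authz.plugin names an Authz extension that exists, and that this name equals the realm. The BEFORE and AFTER texts are constructed and trimmed to the keys the check reads (the setup tool writes more keys); reading "kerberos name" as the realm, compared case-insensitively, is this example's assumption, as the thread only shows the anonymised 'DOMAIN'.

```python
"""Cross-check of the oVirt aaa extension files discussed in this thread.

Added example for this page, not code from oVirt or the thread.  It parses
Java-style .properties text (key = value, '#' or '!' comments, no escapes)
and applies two checks: the authn file's ovirt.engine.aaa.authn.authz.plugin
must name an Authz extension that exists, and that name must equal the
Kerberos realm (the realm reading of "kerberos name" is an assumption here).
"""

AUTHZ = "org.ovirt.engine.api.extensions.aaa.Authz"
AUTHN = "org.ovirt.engine.api.extensions.aaa.Authn"


def parse_properties(text):
    """Minimal .properties reader: skips blank/comment lines, splits on the first '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_extensions(files, realm):
    """files: {filename: properties text}.  Returns a list of problem strings."""
    exts = {name: parse_properties(text) for name, text in files.items()}
    authz_names = {p.get("ovirt.engine.extension.name") for p in exts.values()
                   if p.get("ovirt.engine.extension.provides") == AUTHZ}
    authz_names.discard(None)
    problems = []
    for fname, p in exts.items():
        if p.get("ovirt.engine.extension.provides") != AUTHN:
            continue
        target = p.get("ovirt.engine.aaa.authn.authz.plugin")
        if target not in authz_names:
            # Half-done rename: authn still points at a name no authz file carries.
            problems.append(f"{fname}: authz.plugin '{target}' names no authz extension "
                            f"(have {sorted(authz_names)})")
        elif target.lower() != realm.lower():
            # The state the setup tool leaves behind: PROFILE-authz instead of the realm.
            problems.append(f"{fname}: authz name '{target}' does not match Kerberos "
                            f"realm '{realm}'; rename the authz extension to '{realm}'")
    return problems


# Constructed samples, trimmed to the keys this check reads.  BEFORE mirrors the
# PROFILE-authz / PROFILE-authn names the setup tool generates; AFTER is the
# rename Paul applied (authz extension.name and authn authz.plugin both = DOMAIN).
BEFORE = {
    "DOMAIN-authz.properties": """
        ovirt.engine.extension.name = DOMAIN-authz
        ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
        """,
    "DOMAIN-authn.properties": """
        ovirt.engine.extension.name = DOMAIN-authn
        ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
        ovirt.engine.aaa.authn.profile.name = DOMAIN
        ovirt.engine.aaa.authn.authz.plugin = DOMAIN-authz
        """,
}
AFTER = {
    "DOMAIN-authz.properties":
        BEFORE["DOMAIN-authz.properties"].replace("= DOMAIN-authz", "= DOMAIN"),
    "DOMAIN-authn.properties":
        BEFORE["DOMAIN-authn.properties"].replace("plugin = DOMAIN-authz", "plugin = DOMAIN"),
}

if __name__ == "__main__":
    for label, files in (("before", BEFORE), ("after", AFTER)):
        print(label, check_extensions(files, "DOMAIN") or "ok")
```

Against a live engine, build the dict from /etc/ovirt-engine/extensions.d/*.properties and pass the realm from /etc/krb5.conf. Paul's follow-up in this thread shows the rename is not free of side effects: the IPA users already imported into the engine stopped working and had to be removed and re-added.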
[ovirt-users] Hosted engine Single Sign-On to VM with freeIPA not working
Hi,

I am having an issue with getting SSO to work when a standard user (UserRole) logs in to the UserPortal. The user has permission to use only this VM, so after login the console is automatically opened for that VM.

Problem is that it doesn't log in on the VM system with the provided credentials. Manual login at the console works without any issues.

HBAC-rule check on IPA shows access is granted. Client has SELinux in permissive mode and a disabled firewalld.

On the client side I do see some PAM related errors in the logs (see details below). Extensive Google search on error 17 "Failure setting user credentials" didn't show helpful information :-(

AFAIK this is a pretty standard set-up, all working with RH-family products. I would expect others to encounter this issue as well.

If someone knows any solution or has some directions to fix this it would be greatly appreciated.

Thanks,

Paul

--

System setup: I have 3 systems

The connection between the Engine and IPA is working fine. (I can log in with IPA users etc.)
Connection is made according to this document:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html-single/Administration_Guide/index.html#sect-Configuring_an_External_LDAP_Provider

Configuration of the client is done according to this document:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Virtual_Machine_Management_Guide/chap-Additional_Configuration.html#sect-Configuring_Single_Sign-On_for_Virtual_Machines

--- Hosted Engine:

[root@engine ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

[root@engine ~]# uname -a
Linux engine.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

[root@engine ~]# rpm -qa | grep ovirt
ovirt-vmconsole-1.0.0-1.el7.centos.noarch
ovirt-engine-restapi-3.6.2.6-1.el7.centos.noarch
ovirt-setup-lib-1.0.1-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-common-3.6.3.4-1.el7.centos.noarch
ovirt-engine-setup-3.6.3.4-1.el7.centos.noarch
ovirt-image-uploader-3.6.0-1.el7.centos.noarch
ovirt-engine-extension-aaa-jdbc-1.0.5-1.el7.noarch
ovirt-host-deploy-1.4.1-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-setup-1.1.2-1.el7.centos.noarch
ovirt-engine-wildfly-overlay-8.0.4-1.el7.noarch
ovirt-engine-wildfly-8.2.1-1.el7.x86_64
ovirt-vmconsole-proxy-1.0.0-1.el7.centos.noarch
ovirt-engine-tools-3.6.2.6-1.el7.centos.noarch
ovirt-engine-dbscripts-3.6.2.6-1.el7.centos.noarch
ovirt-engine-backend-3.6.2.6-1.el7.centos.noarch
ovirt-engine-3.6.2.6-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.1.2-1.el7.centos.noarch
ovirt-engine-setup-base-3.6.3.4-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-3.6.3.4-1.el7.centos.noarch
ovirt-engine-setup-plugin-websocket-proxy-3.6.3.4-1.el7.centos.noarch
ovirt-engine-vmconsole-proxy-helper-3.6.3.4-1.el7.centos.noarch
ovirt-engine-cli-3.6.2.0-1.el7.centos.noarch
ovirt-host-deploy-java-1.4.1-1.el7.centos.noarch
ovirt-engine-userportal-3.6.2.6-1.el7.centos.noarch
ovirt-engine-webadmin-portal-3.6.2.6-1.el7.centos.noarch
ovirt-guest-agent-common-1.0.11-1.el7.noarch
ovirt-release36-003-1.noarch
ovirt-iso-uploader-3.6.0-1.el7.centos.noarch
ovirt-engine-lib-3.6.3.4-1.el7.centos.noarch
ovirt-engine-sdk-python-3.6.3.0-1.el7.centos.noarch
ovirt-engine-setup-plugin-vmconsole-proxy-helper-3.6.3.4-1.el7.centos.noarch
ovirt-engine-websocket-proxy-3.6.3.4-1.el7.centos.noarch
ovirt-log-collector-3.6.1-1.el7.centos.noarch
ovirt-engine-extensions-api-impl-3.6.3.4-1.el7.centos.noarch

--- FreeIPA:

[root@ipa01 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

[root@ipa01 ~]# uname -a
Linux ipa01.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

[root@ipa01 ~]# rpm -qa | grep ipa
ipa-python-4.2.0-15.el7_2.6.x86_64
ipa-client-4.2.0-15.el7_2.6.x86_64
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
python-iniparse-0.4-9.el7.noarch
libipa_hbac-1.13.0-40.el7_2.1.x86_64
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-admintools-4.2.0-15.el7_2.6.x86_64
ipa-server-4.2.0-15.el7_2.6.x86_64
ipa-server-dns-4.2.0-15.el7_2.6.x86_64

--- Client:

[root@test06 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

[root@test06 ~]# uname -a
Linux test06.DOMAIN.COM 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

[root@test06 ~]# rpm -qa | grep ipa
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
python-iniparse-0.4-9.el7.noarch
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64
libipa_hbac-1.13.0-40.el7_2.1.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64
device-mapper-multipath-0.4.9-85.el7.x86_64
device-mapper-multipath-libs-0.4.9-85.el7.x86_64

[root@test06 ~]# rpm -qa | grep guest-agent
qemu-guest-agent-2.3.