[ovirt-users] Re: oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2019-05-14 Thread aleksey . maksimov
> network.negotiate-auth.delegation-uris = .ad.holding.com
> network.negotiate-auth.trusted-uris = .ad.holding.com

Yes. Configured.

The URL https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api in IE and Firefox opens without problems and without password prompts.

But when opening links from the start page...

https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/userportal/?locale=en_US
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/webadmin/?locale=en_US

...opens an oVirt form prompting for credentials with a single profile "internal".

03.10.2016, 09:37, "Martin Perina" :
> On Mon, Oct 3, 2016 at 8:18 AM,  wrote:
>
> > Hello, Martin
> >
> > Before I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS working successfully from Internet Explorer & Firefox.
> > Kerberos authentication NOT working with oVirt Web-Portals.
> >
> > I expect that the users opening the oVirt web portal in the browser did not enter a password, and used instead the transparent sign-on using Kerberos.
> > It is impossible ??
>
> It's possible and it's working fine when everything is properly set up. But please bear in mind kerberos SSO is one of the most complicated oVirt setup, but usually the error is on kerberos side (environment issues on the client).
>
> So, you are saying that using curl you are able to access API using kerberos ticket but when you try to access the same API from the browser it does not work, right?
> I don't use IE, but you need to set following options in "about:config" URL for Firefox to work properly with kerberos:
>
>  network.negotiate-auth.delegation-uris = .ad.holding.com
>  network.negotiate-auth.trusted-uris = .ad.holding.com
>
> If you have those options set, what exactly happen when you try to access https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api in Firefox?
>
> Martin Perina
>
> > 03.10.2016, 09:08, "Martin Perina" :
> > > Hi Aleksey,
> > >
> > > in your last email you wrote that everything works (at least that's my understanding, email pasted below). So what exactly doesn't work for you?
> > >
> > > Regards
> > >
> > > Martin Perina
> > >
> > > > # kinit aleksey
> > > > Password for alek...@ad.holding.com: ***
> > > >
> > > > # klist
> > > > Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
> > > > Default principal: alek...@ad.holding.com
> > > >
> > > > Valid starting       Expires              Service principal
> > > > 09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/AD.HOLDING.COM@AD.HOLDING.COM
> > > >         renew until 10/07/2016 16:50:29
> > > >
> > > > # curl --negotiate -u : -X GET -H "Accept: application/xml" -k https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
> > > > ... output truncated ...
> > > >
> > > > It Works.
> > > > The browsers are configured.
> > > > Kerberos authentication for Windows web servers working successfully from Internet Explorer & Firefox
> > >
> > > On Mon, Oct 3, 2016 at 7:37 AM,  wrote:
> > > > Up
> > > >
> > > > 30.09.2016, 18:55, "aleksey.maksi...@it-kb.ru" :
> > > > > Any other ideas?
IMPORTANT!
This message has been scanned for viruses and phishing links.
However, it is your responsibility to evaluate the links and attachments you choose to click.
If you are uncertain, we always try to help.
Greetings helpd...@actnet.se



___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ATPIRCDGWQPGJLEVBXGYS7YTHVWYHREU/


[ovirt-users] Re: oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2019-05-14 Thread Martin Perina
On Mon, Oct 3, 2016 at 8:52 AM,  wrote:

>  > network.negotiate-auth.delegation-uris = .ad.holding.com
>  > network.negotiate-auth.trusted-uris = .ad.holding.com
>
> Yes. Configured
>
> The URL https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api in IE and
> Firefox opens without problems and without password prompts
>
> But when opening links from start page...
>
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/userportal/?locale=en_US
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/webadmin/?locale=en_US
>
> ...opens an oVirt form prompting for credentials with a single profile
> "internal"
>

Ahh, so kerberos SSO works fine for API, but not for portals. Could you
please share your Apache configuration with oVirt kerberos configuration?
Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf

Thanks

Martin Perina


>
>
> 03.10.2016, 09:37, "Martin Perina" :
>
>
>
> On Mon, Oct 3, 2016 at 8:18 AM,  wrote:
>
>
> Hello, Martin
>
> Before I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS working
> successfully from Internet Explorer & Firefox.
> Kerberos authentication NOT working with oVirt Web-Portals.
>
> I expect that the users opening the oVirt web portal in the browser did
> not enter a password, and used instead the transparent sign-on using
> Kerberos.
> It is impossible ??
>
>
> It's possible and it's working fine when everything is properly set up.
> But please bear in mind kerberos SSO is one of the most complicated oVirt
> setup, but usually the error is on kerberos side (environment issues on the
> client).
>
> So, you are saying that using curl you are able to access API using
> kerberos ticket but when you try to access the same API from the browser it
> does not work, right?
> I don't use IE, but you need to set following options in "about:config"
> URL for Firefox to work properly with kerberos:
>
>  network.negotiate-auth.delegation-uris = .ad.holding.com
>  network.negotiate-auth.trusted-uris = .ad.holding.com
>
> If you have those options set, what exactly happen when you try to access
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api in Firefox?
>
> Martin Perina
>
>
>
> 03.10.2016, 09:08, "Martin Perina" :
>
> Hi Aleksey,
>
> in your last email you wrote that everything works (at least that's my
> understanding, email pasted below). So what exactly doesn't work for you?
>
> Regards
>
> Martin Perina
>
>
> > # kinit aleksey
> >
> > Password for alek...@ad.holding.com: ***
> >
> > # klist
> >
> > Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
> > Default principal: alek...@ad.holding.com
> >
> > Valid starting       Expires              Service principal
> > 09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/AD.HOLDING.COM@AD.HOLDING.COM
> >         renew until 10/07/2016 16:50:29
> >
> >
> > # curl --negotiate -u : -X GET -H "Accept: application/xml" -k https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
> >
> > 
> > 
> >  ... output truncated ...
> > 
> >
> > It Works.
> > The browsers are configured.
> > Kerberos authentication for Windows web servers working successfully
> > from Internet Explorer & Firefox
>
>
> On Mon, Oct 3, 2016 at 7:37 AM,  wrote:
>
>
> Up
>
> 30.09.2016, 18:55, "aleksey.maksi...@it-kb.ru" :
> > Any other ideas?
>
>






List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZMDXHINKZ4VOF4YIC6BSIQYFBUZYHEDV/


[ovirt-users] Re: oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2019-05-14 Thread aleksey . maksimov
Martin, thanks for the help. It works.

03.10.2016, 15:01, "Martin Perina" :
> Ahh, this is the issue. Above configuration is valid for oVirt 3.x, but in 
> 4.0 we have quite new OAuth based SSO, so you need to use following 
> configuration:
>
> <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
>   # Tags restored from the oVirt 4.0 SSO documentation (the archive stripped them)
>   <If "req('Authorization') !~ /^(Bearer|Basic)/i">
>     RewriteEngine on
>     RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
>     RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
>     RequestHeader set X-Remote-User %{REMOTE_USER}s
>     AuthType Kerberos
>     AuthName "Kerberos Login"
>     Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
>     KrbAuthRealms AD.HOLDING.COM
>     KrbMethodK5Passwd off
>     Require valid-user
>     ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
>   </If>
> </LocationMatch>
>
> Also as 4.0 is working on EL7 you may use mod_auth_gssapi/mod_session 
> instead of quite old mod_auth_krb. For mod_auth_gssapi/mod_sessions you need 
> to do following:
>
>   1. yum install mod_session mod_auth_gssapi
>   2. Use following Apache configuration
>
> <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
>   # Tags restored from the oVirt 4.0 SSO documentation (the archive stripped them)
>   <If "req('Authorization') !~ /^(Bearer|Basic)/i">
>     RewriteEngine on
>     RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
>     RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
>     RequestHeader set X-Remote-User %{REMOTE_USER}s
>
>     AuthType GSSAPI
>     AuthName "Kerberos Login"
>
>     # Modify to match installation
>     GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
>     GssapiUseSessions On
>     Session On
>     SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
>
>     Require valid-user
>     ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
>   </If>
> </LocationMatch>






List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WGBMFGNJSJFFPAUFCK3AVEXLJUKHDFAY/


[ovirt-users] Re: oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2019-05-14 Thread aleksey . maksimov

Up

30.09.2016, 18:55, "aleksey.maksi...@it-kb.ru" :
> Any other ideas?





List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/IAGOCAMC3NPHIRHVYG2OKP475P4YN4TE/


[ovirt-users] Re: oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2019-05-14 Thread aleksey . maksimov
Hello, Martin

Before I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS working successfully from Internet Explorer & Firefox.
Kerberos authentication NOT working with oVirt Web-Portals.

I expect that the users opening the oVirt web portal in the browser did not enter a password, and used instead the transparent sign-on using Kerberos.
It is impossible ??

03.10.2016, 09:08, "Martin Perina" :
> Hi Aleksey,
>
> in your last email you wrote that everything works (at least that's my understanding, email pasted below). So what exactly doesn't work for you?
>
> Regards
>
> Martin Perina
>
> > # kinit aleksey
> > Password for alek...@ad.holding.com: ***
> >
> > # klist
> > Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
> > Default principal: alek...@ad.holding.com
> >
> > Valid starting       Expires              Service principal
> > 09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/AD.HOLDING.COM@AD.HOLDING.COM
> >         renew until 10/07/2016 16:50:29
> >
> > # curl --negotiate -u : -X GET -H "Accept: application/xml" -k https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
> > ... output truncated ...
> >
> > It Works.
> > The browsers are configured.
> > Kerberos authentication for Windows web servers working successfully from Internet Explorer & Firefox
>
> On Mon, Oct 3, 2016 at 7:37 AM,  wrote:
> > Up
> >
> > 30.09.2016, 18:55, "aleksey.maksi...@it-kb.ru" :
> > > Any other ideas?



List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CEWJPPFFO3TK753A3Q3SI5O5RQPM3L4O/


[ovirt-users] Re: oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2019-05-14 Thread Martin Perina
Hi,

please take a look at inline comments:

On Mon, Oct 3, 2016 at 9:15 AM,  wrote:

> Yes. Of course. Here are my configs.
>
> 
> =
> # cat /etc/ovirt-engine/aaa/ovirt-sso.conf
>
> 
> RewriteEngine on
> RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
> RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
> RequestHeader set X-Remote-User %{REMOTE_USER}s
> AuthType Kerberos
> AuthName "Kerberos Login"
> Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
> KrbAuthRealms AD.HOLDING.COM
> #KrbMethodNegotiate on
> #KrbMethodK5Passwd on
> KrbMethodK5Passwd off
> Require valid-user
> 
>

Ahh, this is the issue. Above configuration is valid for oVirt 3.x, but in
4.0 we have quite new OAuth based SSO, so you need to use following
configuration:

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  # Tags restored from the oVirt 4.0 SSO documentation (the archive stripped them)
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s
    AuthType Kerberos
    AuthName "Kerberos Login"
    Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
    KrbAuthRealms AD.HOLDING.COM
    KrbMethodK5Passwd off
    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>

Also as 4.0 is working on EL7 you may use mod_auth_gssapi/mod_session
instead of quite old mod_auth_krb. For mod_auth_gssapi/mod_sessions you
need to do following:

  1. yum install mod_session mod_auth_gssapi
  2. Use following Apache configuration

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  # Tags restored from the oVirt 4.0 SSO documentation (the archive stripped them)
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s

    AuthType GSSAPI
    AuthName "Kerberos Login"

    # Modify to match installation
    GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
    GssapiUseSessions On
    Session On
    SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;

    Require valid-user
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>



>
> # ls -la /etc/httpd/conf.d/ovirt-*
>
> -rw-r--r--. 1 root root 33 Jul 26 16:42 /etc/httpd/conf.d/ovirt-engine-root-redirect.conf
> lrwxrwxrwx. 1 root root 36 Sep 30 00:06 /etc/httpd/conf.d/ovirt-sso.conf -> /etc/ovirt-engine/aaa/ovirt-sso.conf
>
>
> 
> =
> # cat /etc/ovirt-engine/aaa/ad.holding.com.properties
>
> include = <ad.properties>
> vars.domain = ad.holding.com
> pool.default.auth.simple.bindDN = s-oVirt-LS@${global:vars.domain}
> pool.default.auth.simple.password = Passw0rd
> pool.default.dc-resolve.enable = false
> search.default.dc-resolve.enable = false
> search.ad-resolve-upn.search-request.baseDN = DC=ad,DC=holding,DC=com
> pool.default.serverset.type = failover
> pool.default.serverset.failover.00.server = kom-dc01.${global:vars.domain}
> pool.default.serverset.failover.01.server = kom-dc02.${global:vars.domain}
> pool.default.serverset.failover.port = 636
> pool.default.serverset.failover.domain = ${global:vars.domain}
> pool.default.ssl.enable = true
> pool.default.ssl.protocol = TLSv1.2
> pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
> pool.default.ssl.truststore.password = changeit
>


> =
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-authz.properties
>
> ovirt.engine.extension.name = ad.holding.com-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = ../aaa/ad.holding.com.properties
>
> 
> =
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-authn.properties
>
> ovirt.engine.extension.name = ad.holding.com-http-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = ad.holding.com-http
> ovirt.engine.aaa.authn.authz.plugin = ad.holding.com-authz
> ovirt.engine.aaa.authn.mapping.plugin = ad.holding.com-http-mapping
> config.artifact.name = HEADER
> config.artifact.arg = X-Remote-User
>
> 
> =
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-mapping.properties
>
> ovirt.engine.extension.name = ad.holding.com-http-mapping
> ovirt.engine.extension.bindings.method = jbo

[ovirt-users] Re: oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2019-05-14 Thread Martin Perina
On Tue, Oct 4, 2016 at 5:16 PM,  wrote:

> Martin, thanks for the help. It works.
>

Glad to hear that, thanks.

Martin


>
> 03.10.2016, 15:01, "Martin Perina" :
> > Ahh, this is the issue. Above configuration is valid for oVirt 3.x, but
> > in 4.0 we have quite new OAuth based SSO, so you need to use following
> > configuration:
> >
> > <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
> >   # Tags restored from the oVirt 4.0 SSO documentation (the archive stripped them)
> >   <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> >     RewriteEngine on
> >     RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
> >     RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
> >     RequestHeader set X-Remote-User %{REMOTE_USER}s
> >     AuthType Kerberos
> >     AuthName "Kerberos Login"
> >     Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
> >     KrbAuthRealms AD.HOLDING.COM
> >     KrbMethodK5Passwd off
> >     Require valid-user
> >     ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
> >   </If>
> > </LocationMatch>
> >
> > Also as 4.0 is working on EL7 you may use mod_auth_gssapi/mod_session
> > instead of quite old mod_auth_krb. For mod_auth_gssapi/mod_sessions you
> > need to do following:
> >
> >   1. yum install mod_session mod_auth_gssapi
> >   2. Use following Apache configuration
> >
> > <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
> >   # Tags restored from the oVirt 4.0 SSO documentation (the archive stripped them)
> >   <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> >     RewriteEngine on
> >     RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
> >     RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
> >     RequestHeader set X-Remote-User %{REMOTE_USER}s
> >
> >     AuthType GSSAPI
> >     AuthName "Kerberos Login"
> >
> >     # Modify to match installation
> >     GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
> >     GssapiUseSessions On
> >     Session On
> >     SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
> >
> >     Require valid-user
> >     ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
> >   </If>
> > </LocationMatch>
>






List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/GIIYYLGSCVGHCHAQPJ2EYNSQCU7KRCHC/


[ovirt-users] Re: oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2019-05-14 Thread aleksey . maksimov
Yes. Of course. Here are my configs.

=
# cat /etc/ovirt-engine/aaa/ovirt-sso.conf


RewriteEngine on
RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
RequestHeader set X-Remote-User %{REMOTE_USER}s
AuthType Kerberos
AuthName "Kerberos Login"
Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
KrbAuthRealms AD.HOLDING.COM
#KrbMethodNegotiate on
#KrbMethodK5Passwd on
KrbMethodK5Passwd off
Require valid-user



# ls -la /etc/httpd/conf.d/ovirt-*

-rw-r--r--. 1 root root 33 Jul 26 16:42 /etc/httpd/conf.d/ovirt-engine-root-redirect.conf
lrwxrwxrwx. 1 root root 36 Sep 30 00:06 /etc/httpd/conf.d/ovirt-sso.conf -> /etc/ovirt-engine/aaa/ovirt-sso.conf


=
# cat /etc/ovirt-engine/aaa/ad.holding.com.properties

include = <ad.properties>
vars.domain = ad.holding.com
pool.default.auth.simple.bindDN = s-oVirt-LS@${global:vars.domain}
pool.default.auth.simple.password = Passw0rd
pool.default.dc-resolve.enable = false
search.default.dc-resolve.enable = false
search.ad-resolve-upn.search-request.baseDN = DC=ad,DC=holding,DC=com
pool.default.serverset.type = failover
pool.default.serverset.failover.00.server = kom-dc01.${global:vars.domain}
pool.default.serverset.failover.01.server = kom-dc02.${global:vars.domain}
pool.default.serverset.failover.port = 636
pool.default.serverset.failover.domain = ${global:vars.domain}
pool.default.ssl.enable = true
pool.default.ssl.protocol = TLSv1.2
pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
pool.default.ssl.truststore.password = changeit

=
# cat /etc/ovirt-engine/extensions.d/ad.holding.com-authz.properties

ovirt.engine.extension.name = ad.holding.com-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/ad.holding.com.properties

=
# cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-authn.properties

ovirt.engine.extension.name = ad.holding.com-http-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = ad.holding.com-http
ovirt.engine.aaa.authn.authz.plugin = ad.holding.com-authz
ovirt.engine.aaa.authn.mapping.plugin = ad.holding.com-http-mapping
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User

=
# cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-mapping.properties

ovirt.engine.extension.name = ad.holding.com-http-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
config.mapAuthRecord.regex.mustMatch = true
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)(((?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}${realm}


03.10.2016, 09:56, "Martin Perina" :

> Ahh, so kerberos SSO works fine for API, but not for portals. Could you 
> please share your Apache configuration with oVirt kerberos configuration? 
> Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf
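As an added example (not code from this thread, nor from oVirt or Apache), here is a small Python model of the request flow the configurations in this thread describe: Apache decides from the 4.0 LocationMatch whether a request path is routed through Kerberos at all, copies the authenticated REMOTE_USER into the X-Remote-User header that the engine's HEADER authn extension trusts, and the mapping extension then rewrites that value with the regex from ad.holding.com-http-mapping.properties before the authz lookup. The Bearer/Basic pass-through guard models the `<If "req('Authorization') !~ /^(Bearer|Basic)/i">` wrapper that the oVirt 4.0 SSO documentation places inside the LocationMatch; that guard, the function names and the sample requests are assumptions of this example, not something quoted in the thread.

```python
import re

# LocationMatch regex from the 4.0 ovirt-sso.conf quoted in Martin Perina's reply.
SSO_LOCATION_MATCH = re.compile(
    r"^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)"
    r"|^/ovirt-engine/api"
)

# Assumption (from the oVirt 4.0 SSO documentation, not from this thread): the
# directives sit inside <If "req('Authorization') !~ /^(Bearer|Basic)/i">, so a
# client that already carries an OAuth bearer token or Basic credentials is
# handed straight to the engine instead of being challenged with Negotiate.
PASSTHROUGH_AUTH = re.compile(r"^(Bearer|Basic)", re.IGNORECASE)

# Mapping regex from ad.holding.com-http-mapping.properties, rewritten with
# Python's (?P<name>...) group syntax; the engine's Java regex uses (?<name>...).
MAP_AUTH_RECORD = re.compile(
    r"^(?P<user>.*?)(((?P<at>@)(?P<suffix>.*?)@.*)|(?P<realm>@.*))$"
)
# Order of the replacement template ${user}${at}${suffix}${realm}.
MAP_REPLACEMENT = ("user", "at", "suffix", "realm")


def kerberos_enforced(path, authorization=None):
    """Model of Apache's decision for one request: Negotiate is required only
    when the path is inside the LocationMatch and the client did not already
    send a Bearer/Basic Authorization header."""
    if not SSO_LOCATION_MATCH.search(path):
        return False
    if authorization is not None and PASSTHROUGH_AUTH.match(authorization):
        return False
    return True


def map_auth_record(remote_user):
    """Apply the mapping extension's regex rewrite to the X-Remote-User value.
    With mustMatch = true a principal that does not match is rejected (None).
    Groups that did not take part in the match contribute an empty string,
    which is how ${user}${at}${suffix}${realm} behaves for the two alternatives."""
    m = MAP_AUTH_RECORD.match(remote_user)
    if m is None:
        return None
    return "".join(m.group(name) or "" for name in MAP_REPLACEMENT)


def engine_principal(path, authorization, kerberos_principal):
    """Name the engine's HEADER authn extension ends up with for a request:
    None when Apache never ran Kerberos for this path, otherwise the mapped
    REMOTE_USER that Apache copied into X-Remote-User."""
    if not kerberos_enforced(path, authorization):
        return None
    return map_auth_record(kerberos_principal)


if __name__ == "__main__":
    # Constructed sample requests covering the paths discussed in the thread.
    samples = [
        ("/ovirt-engine/api", None),
        ("/ovirt-engine/api", "Bearer <token>"),
        ("/ovirt-engine/sso/oauth/token-http-auth", None),
        ("/ovirt-engine/sso/interactive-login-negotiate/xyz", None),
        ("/ovirt-engine/webadmin/", None),
        ("/ovirt-engine/sso/oauth/authorize", None),
    ]
    for path, auth in samples:
        print(f"{path:52} auth={str(auth):15} kerberos={kerberos_enforced(path, auth)}")
    # Constructed principals: plain realm form, UPN-suffix form, no realm at all.
    for principal in ("aleksey@AD.HOLDING.COM",
                      "aleksey@ad.holding.com@AD.HOLDING.COM",
                      "aleksey"):
        print(f"{principal:40} -> {map_auth_record(principal)}")
```

Running it shows why the 3.x-style block did not help the portals: only the two sso endpoints and /ovirt-engine/api ever see a Negotiate challenge, so a browser opening /ovirt-engine/webadmin/ is not authenticated by Apache there but by the SSO endpoint it is redirected to. It also shows the effect of mustMatch = true: a REMOTE_USER without a realm part yields no mapped record and the login is refused rather than passed through unchanged.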







[ovirt-users] Re: oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2019-05-14 Thread Martin Perina
Hi Aleksey,

in your last email you wrote that everything works (at least that's my
understanding, email pasted below). So what exactly doesn't work for you?

Regards

Martin Perina


> # kinit aleksey
>
> Password for alek...@ad.holding.com: ***
>
> # klist
>
> Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
> Default principal: alek...@ad.holding.com
>
> Valid starting       Expires              Service principal
> 09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/AD.HOLDING.COM@AD.HOLDING.COM
>         renew until 10/07/2016 16:50:29
>
>
> # curl --negotiate -u : -X GET -H "Accept: application/xml" -k https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
>
> 
> 
>  ... output truncated ...
> 
>
> It Works.
> The browsers are configured.
> Kerberos authentication for Windows web servers working successfully from
> Internet Explorer & Firefox


On Mon, Oct 3, 2016 at 7:37 AM,  wrote:

>
> Up
>
> 30.09.2016, 18:55, "aleksey.maksi...@it-kb.ru" :
> > Any other ideas?
>






List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/X4HQWTZK7FWOAB32CPBMNUOWDUK7A3G2/


[ovirt-users] Re: oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2019-05-14 Thread Martin Perina
On Mon, Oct 3, 2016 at 8:18 AM,  wrote:

>
> Hello, Martin
>
> Before I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS working
> successfully from Internet Explorer & Firefox.
> Kerberos authentication NOT working with oVirt Web-Portals.
>
> I expect that the users opening the oVirt web portal in the browser did
> not enter a password, and used instead the transparent sign-on using
> Kerberos.
> It is impossible ??
>

It's possible and it's working fine when everything is properly set up.
But please bear in mind kerberos SSO is one of the most complicated oVirt
setup, but usually the error is on kerberos side (environment issues on the
client).

So, you are saying that using curl you are able to access API using
kerberos ticket but when you try to access the same API from the browser it
does not work, right?
I don't use IE, but you need to set following options in "about:config" URL
for Firefox to work properly with kerberos:

 network.negotiate-auth.delegation-uris = .ad.holding.com
 network.negotiate-auth.trusted-uris = .ad.holding.com

If you have those options set, what exactly happen when you try to access
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api in Firefox?

Martin Perina


>
> 03.10.2016, 09:08, "Martin Perina" :
>
> Hi Aleksey,
>
> in your last email you wrote that everything works (at least that's my
> understanding, email pasted below). So what exactly doesn't work for you?
>
> Regards
>
> Martin Perina
>
>
> > # kinit aleksey
> >
> > Password for alek...@ad.holding.com: ***
> >
> > # klist
> >
> > Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
> > Default principal: alek...@ad.holding.com
> >
> > Valid starting       Expires              Service principal
> > 09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/AD.HOLDING.COM@AD.HOLDING.COM
> >         renew until 10/07/2016 16:50:29
> >
> >
> > # curl --negotiate -u : -X GET -H "Accept: application/xml" -k https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
> >
> > 
> > 
> >  ... output truncated ...
> > 
> >
> > It Works.
> > The browsers are configured.
> > Kerberos authentication for Windows web servers working successfully
> > from Internet Explorer & Firefox
>
>
> On Mon, Oct 3, 2016 at 7:37 AM,  wrote:
>
>
> Up
>
> 30.09.2016, 18:55, "aleksey.maksi...@it-kb.ru" :
> > Any other ideas?
>
>






List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/7N2X5BUW7DIAIQYYANECLNEAHHTTEYHA/