Re: [ovirt-users] active directory and sso
Here are the engine logs:

2018-02-05 14:53:53,681+08 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-38) [] User t...@test.org successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2018-02-05 14:53:53,765+08 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-40) [6961a53b] Running command: CreateUserSessionCommand internal: false.
2018-02-05 14:53:53,775+08 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-40) [6961a53b] EVENT_ID: USER_VDC_LOGIN(30), Correlation ID: 6961a53b, Call Stack: null, Custom Event ID: -1, Message: User t...@test.org@test.org logged in.
2018-02-05 14:53:55,305+08 ERROR [org.ovirt.engine.core.utils.servlet.ServletUtils] (default task-60) [] Can't read file '/usr/share/ovirt-engine/files/spice/SpiceVersion_x64.txt' for request '/ovirt-engine/services/files/spice/SpiceVersion_x64.txt', will send a 404 error response.
2018-02-05 14:53:57,379+08 INFO [org.ovirt.engine.core.bll.VmLogonCommand] (default task-21) [4550dbd4-9c26-48fa-8ded-e50cd47a34e1] Running command: VmLogonCommand internal: false. Entities affected : ID: ae5846f6-4f25-4e7a-af2d-02e99599de47 Type: VMAction group CONNECT_TO_VM with role type USER
2018-02-05 14:53:57,400+08 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-21) [4550dbd4-9c26-48fa-8ded-e50cd47a34e1] START, VmLogonVDSCommand(HostName = host, VmLogonVDSCommandParameters:{runAsync='true', hostId='0049362d-39cc-498d-9c7e-f36c5fba20bf', vmId='ae5846f6-4f25-4e7a-af2d-02e99599de47', domain='test.org', password='***', userName='t...@test.org@test.org'}), log id: 34439164
2018-02-05 14:53:58,404+08 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-21) [4550dbd4-9c26-48fa-8ded-e50cd47a34e1] FINISH, VmLogonVDSCommand, log id: 34439164
2018-02-05 14:53:58,467+08 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (default task-23) [48fb921e] Running command: SetVmTicketCommand internal: false. Entities affected : ID: ae5846f6-4f25-4e7a-af2d-02e99599de47 Type: VMAction group CONNECT_TO_VM with role type USER
2018-02-05 14:53:58,469+08 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (default task-23) [48fb921e] START, SetVmTicketVDSCommand(HostName = host, SetVmTicketVDSCommandParameters:{runAsync='true', hostId='0049362d-39cc-498d-9c7e-f36c5fba20bf', vmId='ae5846f6-4f25-4e7a-af2d-02e99599de47', protocol='SPICE', ticket='60qsiE96d7F5', validTime='120', userName='t...@test.org', userId='737c7b8b-9503-489b-b32a-10bf8615bc1f', disconnectAction='LOCK_SCREEN'}), log id: 3076856
2018-02-05 14:53:59,108+08 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (default task-23) [48fb921e] FINISH, SetVmTicketVDSCommand, log id: 3076856
2018-02-05 14:53:59,116+08 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-23) [48fb921e] EVENT_ID: VM_SET_TICKET(164), Correlation ID: 48fb921e, Call Stack: null, Custom Event ID: -1, Message: User t...@test.org@test.org initiated console session for VM win7
2018-02-05 14:54:16,134+08 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler4) [] EVENT_ID: VM_CONSOLE_CONNECTED(167), Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User t...@test.org is connected to VM win7.

At 2018-02-02 14:50:49, "Martin Perina" wrote:

> On Fri, Feb 2, 2018 at 4:46 AM, 董青龙 wrote:
>
>> Thanks for the reply. I have completely configured all the things in option 1 which you told. But it seems that sso still does not work. My domain forest is "test.org" and my user is "test". When I login the user portal, I get "t...@test.org@test.org" in the top right corner. Should it be "t...@test.org"?
>
> This is fine, for AD we are using UPN as username (in your case 't...@test.org') and we concatenate this with authz extension name (in your case '@test.org').
>
>> Is it possible that engine send wrong user name to the guest agent?
>
> Could you please share engine.log from, after you try to login to VM Portal and open console to the VM to investigate?
>
> Thanks
>
> Martin
>
>> At 2018-02-01 15:35:57, "Martin Perina" wrote:
>>
>>> On Thu, Feb 1, 2018 at 9:13 AM, 董青龙 wrote:
>>>
>>>> Hi, all
>>>> I am trying to make SSO working with windows7 vm in an ovirt 4.1 environment. Ovirt-guest-agent has been installed in windows7 vm. I have an active directory server of windows2012 and I have configured the engine using "ovirt-engine-extension-aaa-ldap-setup" successfully. The windows7 vm has joined the domain, too. But when I login the userportal using a user created in the AD server, I still have to login the wi
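
Added example, not part of the thread and not oVirt code: a small parser for the VDS command START lines in the engine.log excerpt above. It extracts the quoted parameters and separates the UPN from the appended authz extension name, following the quoted reply about 't...@test.org@test.org'. The sample lines, the user jdoe, the placeholder ticket and all function names are constructed for illustration.

```python
import re

# Constructed sample lines modelled on the engine.log entries quoted in the
# thread; the user "jdoe", the ids and the ticket value are made up.
LOGON = ("2018-02-05 14:53:57,400+08 INFO [org.ovirt.engine.core.vdsbroker."
         "vdsbroker.VmLogonVDSCommand] (default task-21) [4550dbd4] START, "
         "VmLogonVDSCommand(HostName = host, VmLogonVDSCommandParameters:"
         "{runAsync='true', hostId='h-1', vmId='vm-1', domain='test.org', "
         "password='***', userName='jdoe@test.org@test.org'}), log id: 1")
TICKET = ("2018-02-05 14:53:58,469+08 INFO [org.ovirt.engine.core.vdsbroker."
          "vdsbroker.SetVmTicketVDSCommand] (default task-23) [48fb921e] START, "
          "SetVmTicketVDSCommand(HostName = host, SetVmTicketVDSCommandParameters:"
          "{runAsync='true', hostId='h-1', vmId='vm-1', protocol='SPICE', "
          "ticket='EXAMPLE', validTime='120', userName='jdoe@test.org'}), log id: 2")

PARAM_RE = re.compile(r"(\w+)='([^']*)'")
START_RE = re.compile(r"START, (\w+)\(.*?Parameters:\{(.*)\}")


def vds_params(line):
    """Return (command, {key: value}) for a VDS command START line, else None."""
    m = START_RE.search(line)
    if not m:
        return None
    return m.group(1), dict(PARAM_RE.findall(m.group(2)))


def split_principal(principal, authz_name):
    """Split 'UPN@authz-name' into (UPN, authz-name).

    A bare UPN such as 'jdoe@test.org' also ends in '@test.org', so the suffix
    is only removed when what remains is still a UPN (contains '@').
    """
    suffix = "@" + authz_name
    head = principal[:-len(suffix)] if principal.endswith(suffix) else ""
    return (head, authz_name) if "@" in head else (principal, None)


def describe(line, authz_name):
    """Summarise which user name a START line carries, or None if not one."""
    parsed = vds_params(line)
    if parsed is None or "userName" not in parsed[1]:
        return None
    command, params = parsed
    upn, authz = split_principal(params["userName"], authz_name)
    return {"command": command, "upn": upn, "authz": authz,
            "domain": params.get("domain")}
```

Calling describe(line, "test.org") on each START line of a real engine.log shows which commands carry the bare UPN and which carry the UPN with the authz name appended.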
Re: [ovirt-users] active directory and sso
On Fri, Feb 2, 2018 at 4:46 AM, 董青龙 wrote:

> Thanks for the reply. I have completely configured all the things in
> option 1 which you told. But it seems that sso still does not work. My
> domain forest is "test.org" and my user is "test". When I login the user
> portal, I get "t...@test.org@test.org" in the top right corner. Should
> it be "t...@test.org"?

This is fine, for AD we are using UPN as username (in your case 't...@test.org') and we concatenate this with authz extension name (in your case '@test.org').

> Is it possible that engine send wrong user name to the guest agent?

Could you please share engine.log from, after you try to login to VM Portal and open console to the VM to investigate?

Thanks

Martin

> At 2018-02-01 15:35:57, "Martin Perina" wrote:
>
> On Thu, Feb 1, 2018 at 9:13 AM, 董青龙 wrote:
>
>> Hi, all
>> I am trying to make SSO working with windows7 vm in an ovirt 4.1
>> environment. Ovirt-guest-agent has been installed in windows7 vm. I have an
>> active directory server of windows2012 and I have configured the engine
>> using "ovirt-engine-extension-aaa-ldap-setup" successfully. The windows7
>> vm has joined the domain, too. But when I login the userportal using a user
>> created in the AD server, I still have to login the windows7 vm using the
>> same user for the second time. It seems that SSO does not work.
>> Anyone can help me? Thanks!
>
> We are not providing full SSO for VMs. At the moment you have 2 options:
>
> 1. If you want user to be automatically logged in into a VM, then you need
> to setup SSO using aaa-ldap extension for AD (please don't forget to answer
> Yes for question about SSO for VMs in setup tool). And of course in a VM
> you need to have installed and enabled guest agent. Once user logs into VM
> Portal and clicks on a VM, then he should be automatically logged into it.
>
> 2. If you setup kerberos for engine SSO, then you don't need to enter
> password to log into VM Portal, but in such case we cannot pass a
> password into a VM and user are not automatically logged in.
>
> Martin
>
> --
> Martin Perina
> Associate Manager, Software Engineering
> Red Hat Czech s.r.o.

--
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] active directory and sso
Thanks for the reply. I have completely configured all the things in option 1 which you told. But it seems that sso still does not work. My domain forest is "test.org" and my user is "test". When I login the user portal, I get "t...@test.org@test.org" in the top right corner. Should it be "t...@test.org"? Is it possible that engine send wrong user name to the guest agent?

At 2018-02-01 15:35:57, "Martin Perina" wrote:

> On Thu, Feb 1, 2018 at 9:13 AM, 董青龙 wrote:
>
>> Hi, all
>> I am trying to make SSO working with windows7 vm in an ovirt 4.1 environment. Ovirt-guest-agent has been installed in windows7 vm. I have an active directory server of windows2012 and I have configured the engine using "ovirt-engine-extension-aaa-ldap-setup" successfully. The windows7 vm has joined the domain, too. But when I login the userportal using a user created in the AD server, I still have to login the windows7 vm using the same user for the second time. It seems that SSO does not work.
>> Anyone can help me? Thanks!
>
> We are not providing full SSO for VMs. At the moment you have 2 options:
>
> 1. If you want user to be automatically logged in into a VM, then you need to setup SSO using aaa-ldap extension for AD (please don't forget to answer Yes for question about SSO for VMs in setup tool). And of course in a VM you need to have installed and enabled guest agent. Once user logs into VM Portal and clicks on a VM, then he should be automatically logged into it.
>
> 2. If you setup kerberos for engine SSO, then you don't need to enter password to log into VM Portal, but in such case we cannot pass a password into a VM and user are not automatically logged in.
>
> Martin
>
> --
> Martin Perina
> Associate Manager, Software Engineering
> Red Hat Czech s.r.o.
Re: [ovirt-users] active directory and sso
On Thu, Feb 1, 2018 at 9:13 AM, 董青龙 wrote:

> Hi, all
> I am trying to make SSO working with windows7 vm in an ovirt 4.1
> environment. Ovirt-guest-agent has been installed in windows7 vm. I have an
> active directory server of windows2012 and I have configured the engine
> using "ovirt-engine-extension-aaa-ldap-setup" successfully. The windows7
> vm has joined the domain, too. But when I login the userportal using a user
> created in the AD server, I still have to login the windows7 vm using the
> same user for the second time. It seems that SSO does not work.
> Anyone can help me? Thanks!

We are not providing full SSO for VMs. At the moment you have 2 options:

1. If you want user to be automatically logged in into a VM, then you need to setup SSO using aaa-ldap extension for AD (please don't forget to answer Yes for question about SSO for VMs in setup tool). And of course in a VM you need to have installed and enabled guest agent. Once user logs into VM Portal and clicks on a VM, then he should be automatically logged into it.

2. If you setup kerberos for engine SSO, then you don't need to enter password to log into VM Portal, but in such case we cannot pass a password into a VM and user are not automatically logged in.

Martin

--
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
[ovirt-users] active directory and sso
Hi, all

I am trying to make SSO working with windows7 vm in an ovirt 4.1 environment. Ovirt-guest-agent has been installed in windows7 vm. I have an active directory server of windows2012 and I have configured the engine using "ovirt-engine-extension-aaa-ldap-setup" successfully. The windows7 vm has joined the domain, too. But when I login the userportal using a user created in the AD server, I still have to login the windows7 vm using the same user for the second time. It seems that SSO does not work.

Anyone can help me? Thanks!