Bug 1381606

Summary: desktopLogin sends empty password, impacts desktop SSO feature
Product: [oVirt] ovirt-engine
Reporter: Jiri Belka <jbelka>
Component: AAA
Assignee: Ravi Nori <rnori>
Status: CLOSED CURRENTRELEASE
QA Contact: Gonza <grafuls>
Severity: medium
Priority: medium
Version: 4.0.5.1
CC: bugs, mgoldboi, michal.skrivanek, mperina, omachace, oourfali, pstehlik
Target Milestone: ovirt-4.0.5
Keywords: Regression
Target Release: 4.0.5.2
Flags: rule-engine: ovirt-4.0.z+, ykaul: blocker+, mgoldboi: planning_ack+, oourfali: devel_ack+, pstehlik: testing_ack+
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-01-18 07:36:13 UTC
Type: Bug
oVirt Team: Infra

Description Jiri Belka 2016-10-04 14:29:46 UTC
Description of problem:

It seems the engine sends an empty password for an AD user when desktopLogin is invoked, i.e. the AD user is logged into User Portal and opens the console of his assigned VM (User Role). The AD user, instead of having a working VM desktop env, just sees the locked screen dialog.

engine.log:

~~~
# tail -f /var/log/ovirt-engine/engine.log | grep -i desktopLogin
{"jsonrpc":"2.0","method":"VM.desktopLogin","params":{"vmID":"cb8b1462-3cb6-4bf0-b7e4-28be5702b6ac","domain":"ad-w2k8r2.example.com","username":"user2","password":""},"id":"edf2144b-e37d-4a03-9cdd-6f174c0217cc"}
                                                  ^^^ suspicious

<JsonRpcRequest id: "edf2144b-e37d-4a03-9cdd-6f174c0217cc", method: VM.desktopLogin, params: {vmID=cb8b1462-3cb6-4bf0-b7e4-28be5702b6ac, domain=ad-w2k8r2.example.com, username=user2, password=*****}>
                                             ^^^^^ it would be nice to see if SENSITIVE_KEYS are empty
~~~

vdsm.log

~~~
[root@dell-r210ii-13 ~]# grep -i 'XXX desktoplogin' /var/log/vdsm/vdsm.log
Thread-55::DEBUG::2016-10-04 16:09:18,769::guestagent::465::virt.vm::(desktopLogin) vmId=`cb8b1462-3cb6-4bf0-b7e4-28be5702b6ac`::XXX desktopLogin called: Heslo123
^^^ the above was invoked manually via the vdsclient desktopLogin command, an example with a slightly modified /usr/lib/python2.7/site-packages/vdsm/virt/guestagent.py

[root@dell-r210ii-13 ~]# tail -f /var/log/vdsm/vdsm.log | grep 'XXX desktopLogin'
jsonrpc.Executor/2::DEBUG::2016-10-04 16:10:09,625::guestagent::465::virt.vm::(desktopLogin) vmId=`cb8b1462-3cb6-4bf0-b7e4-28be5702b6ac`::XXX desktopLogin called:
jsonrpc.Executor/7::DEBUG::2016-10-04 16:19:18,764::guestagent::465::virt.vm::(desktopLogin) vmId=`cb8b1462-3cb6-4bf0-b7e4-28be5702b6ac`::XXX desktopLogin called:

^^^ these were caught via normal desktopLogin (clicking on the icon in User Portal)
~~~

Version-Release number of selected component (if applicable):
ovirt-engine-4.0.5-0.1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. have AD configured as auth backend, have a VM (win7 64bit) with AD working and GA installed
2. log in to User Portal as an AD user who has a VM assigned with User Role
3. (start and) open console

Actual results:
the AD user doesn't see working desktop but ctrl-alt-del screen

Expected results:
the AD user should be logged in automatically and see working desktop

Additional info:

Comment 4 Red Hat Bugzilla Rules Engine 2016-10-19 13:55:11 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 7 Jiri Belka 2016-10-26 14:21:10 UTC
ok,

sso works again.

<JsonRpcRequest id: "9c9fb07a-8650-4b2c-a09f-09e8dd8c3b17", method: VM.desktopLogin, params: {vmID=cb8b1462-3cb6-4bf0-b7e4-28be5702b6ac, domain=ad-w2k8r2.example.com, username=user2, password=*****}>
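
The description above points out that the masked `password=*****` line cannot show whether the value sent was empty. The following is an added example, not part of the bug report and not oVirt code: Python that masks sensitive parameters while keeping the empty/non-empty distinction, and scans raw JSON-RPC log lines for `VM.desktopLogin` requests with an empty password. The contents of `SENSITIVE_KEYS`, the `<empty>` marker and the second sample line are assumptions.

```python
import json

# Assumption: the report names SENSITIVE_KEYS but does not list its contents.
SENSITIVE_KEYS = {"password"}

def redact(params):
    """Mask sensitive values, but show whether each one was empty."""
    out = {}
    for key, value in params.items():
        if isinstance(value, dict):
            out[key] = redact(value)
        elif key.lower() in SENSITIVE_KEYS:
            out[key] = "*****" if value else "<empty>"  # hypothetical marker
        else:
            out[key] = value
    return out

def scan_desktop_logins(lines):
    """Return one redacted record per VM.desktopLogin request in the lines."""
    decoder = json.JSONDecoder()
    records = []
    for line in lines:
        start = line.find('{"jsonrpc"')
        if start < 0:
            continue
        try:
            msg, _ = decoder.raw_decode(line[start:])
        except ValueError:
            continue  # truncated or non-JSON log line
        params = msg.get("params")
        if msg.get("method") != "VM.desktopLogin" or not isinstance(params, dict):
            continue
        records.append({
            "id": msg.get("id"),
            "params": redact(params),
            "empty_password": not params.get("password"),
        })
    return records

# First line is the request quoted in the report; the second is constructed.
SAMPLE = [
    '{"jsonrpc":"2.0","method":"VM.desktopLogin","params":{"vmID":"cb8b1462-3cb6-4bf0-b7e4-28be5702b6ac","domain":"ad-w2k8r2.example.com","username":"user2","password":""},"id":"edf2144b-e37d-4a03-9cdd-6f174c0217cc"}',
    '2016-10-04 16:20:00 DEBUG {"jsonrpc":"2.0","method":"VM.desktopLogin","params":{"vmID":"00000000-0000-0000-0000-000000000001","domain":"example.test","username":"user3","password":"constructed-secret"},"id":"constructed-id-2"}',
]

if __name__ == "__main__":
    for record in scan_desktop_logins(SAMPLE):
        print(record)
```

The records never contain the password value itself, so the output can be attached to a bug report without leaking credentials.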