Description of problem:
I have a rhel6.5 VM with working SSO (verified via userportal) and I have also added an ActiveDirectory domain. I log in to RHEVM via webadmin as the admin user and run a spice session to the VM; after that I run the logon action via REST. I see that the guest OS tries to log in, but with an incorrect user (RHEV-M Authentication instead of admin).

Version-Release number of selected component (if applicable):
engine: rhevm-3.5.0-0.12.beta.el6ev.noarch
guest: rhevm-guest-agent-common-1.0.10-1.el6_5.noarch, rhevm-guest-agent-pam-module-1.0.10-1.el6_5.x86_64, rhevm-guest-agent-gdm-plugin-1.0.10-1.el6_5.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure the SSO VM (install packages: rhevm-guest-agent-common, rhevm-guest-agent-pam-module, rhevm-guest-agent-gdm-plugin, and install gnome: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/sn-switching-to-gui-login.html)
2. Add to the guest OS the same user and password that you have for the internal or some other domain. Also add permission to use the VM for your user.
3. Check that SSO works: log in via userportal (with the "connect automatically" checkbox) with the same user and password that you added to the guest OS (you must be logged in automatically).
4. Log out of the guest OS and log in via webadmin with the same user you have added to the guest OS.
5. Run a spice session; you must see a login screen for the guest OS.
6. Via REST, run the logon command for the guest.

Actual results:
The guest OS tries to log in with an incorrect user (RHEV-M Authentication) and not with the admin user (also tried with another domain user).

Expected results:
The guest OS must log in with the correct user (the same user that I use to log in to the web portal).

Additional info:
Checked also via the internal and via the qa1.qa.lab.tlv.redhat.com domains.
What do you mean "RHEV-M Authentication instead of admin"? What actual user/password is used to login into guest? Log files?
I attach a screenshot of my login screen. I do not really know what the "RHEV-M Authentication" user is, because I can't see this user in user management (maybe it is created by the agent). I also attach agent, engine and vdsm logs. I created two new users on the VM: admin from the internal domain with the same password, and vdcadmin from some external domain, also with the same password (the one used to log in to webadmin).
Created attachment 937458 [details] logs
Created attachment 937460 [details] screenshot
vfeenstr: can you please help with problem determination? I cannot understand what the actual problem is. If the engine is sending wrong credentials we should fix it, but I am unsure this is the case.
RHEVM-Authentication is just a fake entry in GDM for the guest agent plugin. This entry in the user list is used when logging in via SSO. The user/password combination is retrieved via the virtio serial channel and then passed down the pam stack. I can see that admin@internal and a password (which is of course not in the logs) is passed down to the guest agent, if the user 'admin' and the 'password' combination work on the guest OS then the login should have succeeded at least that's what I can tell from the logs. Without the secure.log file it's hard to tell. But I can see that the pam plugin connected to the guest agent SO_CREDPASS UNIX Domain socket and requested the credentials, so from my POV it looks like that it works how it is supposed to be and there's no issue visible from the logs. From my PoV I do not see any bug here. It is working as defined.
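Added example, not part of the original thread and not the guest agent's or PAM module's code: a minimal sketch of the credential hand-off described in the comment above, using the Linux SO_PASSCRED socket option so that the side holding the credentials releases them only to a peer whose uid the kernel attests. The request string, reply framing, uid policy and sample credentials are assumptions constructed for illustration.

```python
import os
import socket
import struct

# struct ucred on Linux: pid_t pid; uid_t uid; gid_t gid
UCRED = struct.Struct("iII")


def recv_with_peer_creds(sock):
    """Return (payload, pid, uid, gid); the ids are filled in by the kernel."""
    payload, ancdata, _flags, _addr = sock.recvmsg(64, socket.CMSG_SPACE(UCRED.size))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            return (payload, *UCRED.unpack(cdata[:UCRED.size]))
    return payload, None, None, None


def answer_request(agent_sock, allowed_uid, stored):
    """Agent side: release the stored (user, password) only to allowed_uid."""
    request, _pid, uid, _gid = recv_with_peer_creds(agent_sock)
    if request != b"GET-CREDENTIALS" or uid != allowed_uid:
        agent_sock.sendall(b"DENIED")
        return False
    user, password = stored
    # Length-prefix both fields so an empty or one-character password
    # stays distinguishable from a missing one (framing is an assumption).
    agent_sock.sendall(struct.pack("!HH", len(user), len(password)) + user + password)
    return True


def demo(allowed_uid):
    """Constructed exchange over a socketpair standing in for the agent socket."""
    agent, pam = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        # Must be enabled on the receiving socket before the peer sends.
        agent.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        pam.sendall(b"GET-CREDENTIALS")
        answer_request(agent, allowed_uid, (b"admin", b"x"))  # constructed values
        reply = pam.recv(64)
    finally:
        agent.close()
        pam.close()
    if reply == b"DENIED":
        return None
    ulen, plen = struct.unpack("!HH", reply[:4])
    return reply[4:4 + ulen], reply[4 + ulen:4 + ulen + plen]


if __name__ == "__main__":
    print(demo(os.getuid()))      # same uid as the caller: credentials released
    print(demo(os.getuid() + 1))  # different uid: request refused
```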
I can give you the engine and VM where it is happening, or attach secure.log; which do you prefer?
(In reply to Artyom from comment #7)
> I can give you engine and vm where it happening, or attach secure.log, what
> you prefer?

Are you sure that the admin@internal user is available for you at the system level of the VM? Anyway, future problem determination is via Vinzenz, unless there is an infra issue in which the credentials sent by the engine are incorrect.
Created attachment 940724 [details] secure.log

Anyway, I will attach the secure log from the guest. You can start looking from Sep 24 12:08:43: first I have a successful login from userportal, and after that I try to log in via webadmin with the logon command.
Sep 24 12:12:58 localhost pam: gdm-ovirtcred: pam_unix(gdm-ovirtcred:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=admin
Sep 24 12:12:58 localhost pam: gdm-ovirtcred: pam_sss(gdm-ovirtcred:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=admin
Sep 24 12:12:58 localhost pam: gdm-ovirtcred: pam_sss(gdm-ovirtcred:auth): received for user admin: 10 (User not known to the underlying authentication module)

This seems to me like the password of your admin user on the VM is different from the admin user in the admin-portal. Are you sure they have the same password?
So as it turns out, the password was a 1 character password which never got passed to vdsm. VDSM retrieved an empty password and passed that on to the guest agent. So the issue resides on the engine side. When calling vdsClient -s 0 <VMID> internal admin <PASSWORD> with the one character password on the host the login works as expected.
There is a misusage of CommandContext in VmLogonCommand. See how the user is set at -

    this.context = cmdContext;
    _parameters = parameters;
    DbUser user = SessionDataContainer.getInstance().getUser(cmdContext.getEngineContext().getSessionId(), true);
    if (user != null) {
        setCurrentUser(user);
    }

And see how the password is being obtained at VmLogonCommand. If you find there is an issue with the context infra and not the command, feel free to assign back to infra.
Sorry, I might have given a wrong analysis here, I will take back the bug.
Verified on rhevm-3.5.0-0.21.el6ev.noarch. Works with internal and also with ActiveDirectory domain.
oVirt 3.5.1 has been released. If problems still persist, please make note of it in this bug report.