Bug 1141541 - logon command via REST, try logon to RHEV-M Authentication and not to original user
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-engine-core
Version: 3.5
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: 3.5.1
Assignee: Yair Zaslavsky
QA Contact: Artyom
URL:
Whiteboard: infra
Depends On:
Blocks: 996512 oVirt-AAA-rewrite
Reported: 2014-09-14 14:41 UTC by Artyom
Modified: 2016-02-10 19:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-21 16:04:31 UTC
oVirt Team: Infra
Embargoed:


Attachments
logs (359.42 KB, application/octet-stream), 2014-09-15 07:40 UTC, Artyom
screenshot (533.13 KB, application/octet-stream), 2014-09-15 07:40 UTC, Artyom
secure.log (30.47 KB, text/plain), 2014-09-24 09:17 UTC, Artyom


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 34818 0 master MERGED aaa: Pass password across filters so it will be known during LoginUserCommand Never
oVirt gerrit 34823 0 ovirt-engine-3.5 MERGED aaa: Pass password across filters so it will be known during LoginUserCommand Never

Description Artyom 2014-09-14 14:41:53 UTC
Description of problem:
I have a RHEL 6.5 VM with working SSO (verified via userportal), and I have also added an ActiveDirectory domain. I log in to RHEVM via webadmin as the admin user and open a SPICE session to the VM; after that I run the logon action via REST. I see that the guest OS tries to log in, but with the incorrect user (RHEV-M Authentication instead of admin).

Version-Release number of selected component (if applicable):
engine: rhevm-3.5.0-0.12.beta.el6ev.noarch
guest: rhevm-guest-agent-common-1.0.10-1.el6_5.noarch, 
rhevm-guest-agent-pam-module-1.0.10-1.el6_5.x86_64,
rhevm-guest-agent-gdm-plugin-1.0.10-1.el6_5.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure an SSO VM (install packages: rhevm-guest-agent-common, rhevm-guest-agent-pam-module, rhevm-guest-agent-gdm-plugin, and install GNOME: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/sn-switching-to-gui-login.html)
2. Add to the guest OS the same user and password that you have for the internal or some other domain. Also add permission to use the VM for your user.
3. Check that SSO works: log in via userportal (with the "connect automatically" checkbox) with the same user and password that you added to the guest OS (you must be logged in automatically).
4. Log out of the guest OS and log in via webadmin with the same user you have added to the guest OS.
5. Run a SPICE session; you must see a login screen for the guest OS.
6. Via REST, run the logon command for the guest.

Actual results:
Guest OS tries to log in with the incorrect user (RHEV-M Authentication) and not with the admin user (also tried with another domain user).

Expected results:
Guest OS must log in with the correct user (the same user that I use to log in to the web portal).

Additional info:
Check also via internal and via qa1.qa.lab.tlv.redhat.com domains

Comment 1 Alon Bar-Lev 2014-09-15 07:12:22 UTC
What do you mean "RHEV-M Authentication instead of admin"?

What actual user/password is used to login into guest?

Log files?

Comment 2 Artyom 2014-09-15 07:39:52 UTC
I attach a screenshot of my login screen. I'm not really sure what the "RHEV-M Authentication" user is, because I can't see this user in user management (maybe it is created by the agent). I also attach agent, engine and vdsm logs. I created two new users on the VM: admin from the internal domain with the same password, and vdcadmin from some external domain, also with the same password (the one used to log in to webadmin).

Comment 3 Artyom 2014-09-15 07:40:18 UTC
Created attachment 937458 [details]
logs

Comment 4 Artyom 2014-09-15 07:40:47 UTC
Created attachment 937460 [details]
screenshot

Comment 5 Alon Bar-Lev 2014-09-15 07:48:22 UTC
vfeenstr: can you please help in problem determination? I cannot understand what the actual problem is. if the engine is sending wrong credentials we should fix it but I am unsure this is the case.

Comment 6 Vinzenz Feenstra [evilissimo] 2014-09-23 07:42:35 UTC
RHEVM-Authentication is just a fake entry in GDM for the guest agent plugin.
This entry in the user list is used when logging in via SSO. The user/password combination is retrieved via the virtio serial channel and then passed down the pam stack.

I can see that admin@internal and a password (which is of course not in the logs) is passed down to the guest agent, if the user 'admin' and the 'password' combination work on the guest OS then the login should have succeeded at least that's what I can tell from the logs. Without the secure.log  file it's hard to tell.
But I can see that the pam plugin connected to the guest agent SO_CREDPASS UNIX Domain socket and requested the credentials, so from my POV it looks like that it works how it is supposed to be and there's no issue visible from the logs.

From my PoV I do not see any bug here. It is working as defined.

Comment 7 Artyom 2014-09-24 07:13:00 UTC
I can give you the engine and VM where it is happening, or attach secure.log; which do you prefer?

Comment 8 Alon Bar-Lev 2014-09-24 07:16:10 UTC
(In reply to Artyom from comment #7)
> I can give you engine and vm where it happening, or attach secure.log, what
> you prefer?

are you sure that admin@internal user is available for you at system level of VM?

Anyway, future problem determination is via Vinzenz, unless there is infra issue in which the credentials sent by engine are incorrect.

Comment 9 Artyom 2014-09-24 09:17:41 UTC
Created attachment 940724 [details]
secure.log

Anyway, I will attach the secure log from the guest. You can start looking from Sep 24 12:08:43: first I have a successful login from userportal, and after that I try to log in via webadmin via the logon command.

Comment 10 Vinzenz Feenstra [evilissimo] 2014-09-24 09:47:49 UTC
Sep 24 12:12:58 localhost pam: gdm-ovirtcred: pam_unix(gdm-ovirtcred:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=admin
Sep 24 12:12:58 localhost pam: gdm-ovirtcred: pam_sss(gdm-ovirtcred:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=admin
Sep 24 12:12:58 localhost pam: gdm-ovirtcred: pam_sss(gdm-ovirtcred:auth): received for user admin: 10 (User not known to the underlying authentication module)

This seems to me like the password of your admin user on the VM is different from the admin user in the admin-portal.

Are you sure they have the same password?
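
For triaging guest-side SSO failures like the one quoted in comment 10, the following added example (not part of the bug report or of any oVirt code) parses those three secure.log lines and groups failures per user for the gdm-ovirtcred PAM service. The verdict labels are assumptions made for illustration; note that the guest log alone cannot distinguish a wrong password from the empty password described in comment 11.

```python
import re
from collections import defaultdict

# The three secure.log lines quoted in comment 10 (copied from the page).
SAMPLE = [
    "Sep 24 12:12:58 localhost pam: gdm-ovirtcred: pam_unix(gdm-ovirtcred:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=admin",
    "Sep 24 12:12:58 localhost pam: gdm-ovirtcred: pam_sss(gdm-ovirtcred:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=admin",
    "Sep 24 12:12:58 localhost pam: gdm-ovirtcred: pam_sss(gdm-ovirtcred:auth): received for user admin: 10 (User not known to the underlying authentication module)",
]
PAM_USER_UNKNOWN = 10  # Linux-PAM return code; the log text spells it out

ENTRY = re.compile(r"(?P<module>pam_\w+)\((?P<service>[^:)]+):\w+\): (?P<msg>.*)$")
FAILURE = re.compile(r"authentication failure;.*\buser=(?P<user>\S+)")
SSS_STATUS = re.compile(r"received for user (?P<user>\S+): (?P<code>\d+) \(")

def parse_pam_line(line):
    """Return module/service/user/event/code for one PAM log line, or None."""
    m = ENTRY.search(line)
    if not m:
        return None
    rec = {"module": m["module"], "service": m["service"],
           "user": None, "event": "other", "code": None}
    if (f := FAILURE.match(m["msg"])):
        rec.update(event="auth_failure", user=f["user"])
    elif (s := SSS_STATUS.match(m["msg"])):
        rec.update(event="status", user=s["user"], code=int(s["code"]))
    return rec

def triage(lines, service="gdm-ovirtcred"):
    """Group SSO login failures per user and label them (heuristic labels)."""
    seen = defaultdict(lambda: {"failed": set(), "codes": set()})
    for rec in filter(None, map(parse_pam_line, lines)):
        if rec["service"] != service or rec["user"] is None:
            continue
        if rec["event"] == "auth_failure":
            seen[rec["user"]]["failed"].add(rec["module"])
        elif rec["event"] == "status":
            seen[rec["user"]]["codes"].add(rec["code"])
    verdicts = {}
    for user, s in seen.items():
        if "pam_unix" in s["failed"] and PAM_USER_UNKNOWN in s["codes"]:
            # pam_unix rejected the credential; SSSD reports no such user.
            verdicts[user] = "local-credential-rejected"
        elif s["failed"]:
            verdicts[user] = "auth-failure"
    return verdicts

if __name__ == "__main__":
    print(triage(SAMPLE))
```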

Comment 11 Vinzenz Feenstra [evilissimo] 2014-09-24 11:17:21 UTC
So as it turns out, the password was a 1 character password which never got passed to vdsm. VDSM retrieved an empty password and passed that on to the guest agent.
So the issue resides on the engine side.

When calling vdsClient -s 0 <VMID> internal admin <PASSWORD> with the one character password on the host the login works as expected.

Comment 12 Yair Zaslavsky 2014-10-21 13:33:17 UTC
There is a misuse of CommandContext in VmLogonCommand.
See how the user is set at -

        this.context = cmdContext;
        _parameters = parameters;
        DbUser user =
                SessionDataContainer.getInstance().getUser(cmdContext.getEngineContext().getSessionId(), true);
        if (user != null) {
            setCurrentUser(user);
        }


And see how the password is being obtained at VmLogonCommand.


If you find there is an issue with the context infra and not the command, feel free to assign back to infra.

Comment 13 Yair Zaslavsky 2014-10-21 13:54:30 UTC
Sorry, I might have given a wrong analysis here.
I will take back the bug.

Comment 14 Artyom 2014-12-03 11:54:08 UTC
Verified on rhevm-3.5.0-0.21.el6ev.noarch
Works with the internal domain and also with the ActiveDirectory domain.

Comment 15 Sandro Bonazzola 2015-01-21 16:04:31 UTC
oVirt 3.5.1 has been released. If problems still persist, please make note of it in this bug report.

