Description of problem: I have a working oVirt environment (3.6) with IPA (4.2) using SSO on Centos 7.2(1511) clients. This all works fine with the workaround from bug 1316135 (use 'authconfig --enablenis --update' to activate old PAM configurations) With the new clients (centos 7.3(1611)) the ypbind is not installed by default. After installing and apply same workaround ('authconfig --enablenis --update') SSO does not work. Login on console works, so IPA connection seems to be fine. Relevant logs: engine# /var/log/ovirt-engine/engine.log: 2017-05-10 10:06:27,853 INFO [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-30) [] Running command: LoginUserCommand internal: false. 2017-05-10 10:06:27,894 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-30) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User klant1.test@KENLA logged in. 2017-05-10 10:06:31,027 WARN [org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (default task-26) [737f5f1c] The message key 'VmLogon' is missing from 'bundles/ExecutionMessages' 2017-05-10 10:06:31,651 INFO [org.ovirt.engine.core.bll.VmLogonCommand] (default task-26) [737f5f1c] Running command: VmLogonCommand internal: false. Entities affected : ID: 156d9083-bfdb-4573-90f8-44ff24bbd28a Type: VMAction group CONNECT_TO_VM with role type USER 2017-05-10 10:06:31,653 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-26) [737f5f1c] START, VmLogonVDSCommand(HostName = host01, VmLogonVDSCommandParameters:{runAsync='true', hostId='225157c0-224b-4aa6-9210-db4de7c7fc30', vmId='156d9083-bfdb-4573-90f8-44ff24bbd28a', domain='KENLA.NL', password='***', userName='klant1.test@KENLA'}), log id: 7533ee04 2017-05-10 10:06:32,639 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-26) [737f5f1c] FINISH, VmLogonVDSCommand, log id: 7533ee04 2017-05-10 10:06:33,946 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (default task-8) [52351aea] Running command: SetVmTicketCommand internal: true. Entities affected : ID: 156d9083-bfdb-4573-90f8-44ff24bbd28a Type: VMAction group CONNECT_TO_VM with role type USER 2017-05-10 10:06:33,950 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (default task-8) [52351aea] START, SetVmTicketVDSCommand(HostName = host01, SetVmTicketVDSCommandParameters:{runAsync='true', hostId='225157c0-224b-4aa6-9210-db4de7c7fc30', vmId='156d9083-bfdb-4573-90f8-44ff24bbd28a', protocol='SPICE', ticket='kxS1O7xqyvCn', validTime='120', userName='klant1.test', userId='256850ca-38ed-4030-a5b2-40e71de22015', disconnectAction='LOCK_SCREEN'}), log id: 7a062fa9 2017-05-10 10:06:34,309 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (default task-8) [52351aea] FINISH, SetVmTicketVDSCommand, log id: 7a062fa9 2017-05-10 10:06:34,366 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-8) [52351aea] Correlation ID: 52351aea, Call Stack: null, Custom Event ID: -1, Message: User klant1.test@KENLA initiated console session for VM C7.3-gui 2017-05-10 10:07:11,248 INFO [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-2) [] Running command: LoginUserCommand internal: false. client# /var/log/ovirt-guest-agent/ovirt-guest-agent.log Dummy-2::INFO::2017-05-10 10:06:32,988::OVirtAgentLogic::321::root::Received an external command: login... Dummy-2::INFO::2017-05-10 10:06:35,571::OVirtAgentLogic::321::root::Received an external command: api-version... Dummy-2::INFO::2017-05-10 10:06:52,884::OVirtAgentLogic::321::root::Received an external command: lock-screen... Dummy-2::INFO::2017-05-10 10:06:55,761::OVirtAgentLogic::321::root::Received an external command: api-version... Version-Release number of selected component (if applicable): client# rpm -qa | grep ovirt ovirt-guest-agent-pam-module-1.0.13-2.el7.x86_64 ovirt-guest-agent-common-1.0.13-2.el7.noarch ovirt-guest-agent-gdm-plugin-1.0.13-2.el7.noarch How reproducible: always Steps to Reproduce: 1. Install RHEL 7.3 with ypbind 2. authconfig --enablenis --update 3. Login on userportal Actual results: lock-screen on client console Expected results: SSO login at client console Additional info:
troubleshooting tips: - try to send desktopLogin from host (vdsClient) - you can check desktopLogin function in /usr/lib/python2.7/site-packages/vdsm/virt/guestagent.py and try to print plaintext password - check guest agent log in DEBUG mode
It works for me with EL7.3 and: --- /etc/pam.d/password-auth.orig 2017-05-10 16:53:50.359587708 +0200 +++ /etc/pam.d/password-auth 2017-05-10 16:53:55.773856160 +0200 @@ -5,7 +5,7 @@ auth required pam_env.so auth [default=1 success=ok] pam_localuser.so auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success -auth sufficient pam_sss.so forward_pass +auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so
Here is what 'authconfig --enablenis --update' does on the OS: --- /etc/pam.d/password-auth.orig 2017-05-10 13:39:53.945166745 +0200 +++ /etc/pam.d/password-auth 2017-05-10 14:12:10.934682304 +0200 @@ -2,10 +2,9 @@ # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so -auth [default=1 success=ok] pam_localuser.so -auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass +auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success -auth sufficient pam_sss.so forward_pass +auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so @@ -15,7 +14,7 @@ account [default=bad success=ok user account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= -password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok +password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so It should be clarified if instructions are still needed. When I manually changed PAM settings to: # sdiff -s /etc/pam.d/password-auth{.orig,} auth sufficient pam_sss.so forward_pass | auth sufficient pam_sss.so use_first_pass the guest OS was booting fine and VM SSO was working. * what was changed again in PAM? * are instructions relevant for EL 7.2+ or just EL 7.2?
Hi Jiri, thanks for your response. I was out of town for a few days, but just tried some of your suggestion with following results: 1.Changed log level on client in /etc/ovirt-guest-agent.conf under [Logger_root] variable “LEVEL” from INFO to DEBUG. Result: didn’t add any extra info in /var/log/ovirt-guest-agent/ovirt-guest-agent.log 2.On the host tried: # vdsClient -s <IPHOST> desktopLogin <VMID> <DOMAIN> <username> <password>. Result on host was: “Done”. Result on client was an entry in ovirt-guest-agent.log: “Dummy-2::INFO::2017-05-16 09:50:14,103::OVirtAgentLogic::321::root::Received an external command: login...” 3.On the host tried: # python /usr/share/vdsm/virt/guestagent.py Result: "ImportError: No module named supervdsm" Can you be more specific in your instructions to use guestagent.py? 4.Checked PAM config in /etc/pam.d/password-auth, this seems to be in line with your suggestions. #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so Do you have any other pointers to look at? Thanks in advance, Paul
(In reply to paul from comment #4) > Hi Jiri, thanks for your response. I was out of town for a few days, but > just tried some of your suggestion with following results: > > 1.Changed log level on client in /etc/ovirt-guest-agent.conf under > [Logger_root] variable “LEVEL” from INFO to DEBUG. > Result: didn’t add any extra info in > /var/log/ovirt-guest-agent/ovirt-guest-agent.log you need to uncomment the whole section, e.g.: [logger_root] level=DEBUG handlers=logfile propagate=0 > > 2.On the host tried: # vdsClient -s <IPHOST> desktopLogin <VMID> <DOMAIN> > <username> <password>. > Result on host was: “Done”. > Result on client was an entry in ovirt-guest-agent.log: > “Dummy-2::INFO::2017-05-16 > 09:50:14,103::OVirtAgentLogic::321::root::Received an external command: > login...” > > 3.On the host tried: # python /usr/share/vdsm/virt/guestagent.py > Result: "ImportError: No module named supervdsm" > Can you be more specific in your instructions to use guestagent.py? I guess what he meant was to open it and put some prints in there. But for starters a debug logs will be enough Id say > > 4.Checked PAM config in /etc/pam.d/password-auth, this seems to be in line > with your suggestions. > #%PAM-1.0 > # This file is auto-generated. > # User changes will be destroyed the next time authconfig is run. > auth required pam_env.so > auth sufficient pam_unix.so nullok try_first_pass > auth requisite pam_succeed_if.so uid >= 1000 quiet_success > auth sufficient pam_sss.so use_first_pass > auth required pam_deny.so > > account required pam_unix.so > account sufficient pam_localuser.so > account sufficient pam_succeed_if.so uid < 1000 quiet > account [default=bad success=ok user_unknown=ignore] pam_sss.so > account required pam_permit.so > > password requisite pam_pwquality.so try_first_pass local_users_only > retry=3 authtok_type= > password sufficient pam_unix.so sha512 shadow nis nullok > try_first_pass use_authtok > password sufficient pam_sss.so use_authtok > password required pam_deny.so > > Do you have any other pointers to look at? > Thanks in advance, Paul
Hi Tomas, thanks for mentioning i had to uncomment the whole section, ovirt-guest-agent.log now provides more info: Dummy-3::INFO::2017-05-18 16:20:53,027::OVirtAgentLogic::321::root::Received an external command: login... Dummy-3::DEBUG::2017-05-18 16:20:53,027::OVirtAgentLogic::355::root::User log-in (credentials = '\x00\x00\x00\x14klant1.test********\x00') Dummy-3::DEBUG::2017-05-18 16:20:53,027::OVirtAgentLogic::293::root::AgentLogicBase::doListen() - in loop before vio.read Dummy-2::DEBUG::2017-05-18 16:20:55,631::OVirtAgentLogic::197::root::Sending heartbeat with args {'memory-stat': {'swap_out': 0, 'majflt': 0, 'swap_usage': 0, 'mem_cached': 269172, 'mem_free': 677044, 'mem_buffers': 948, 'swap_in': 0, 'swap_total': 839676, 'pageflt': 177, 'mem_total': 948456, 'mem_unused': 406924}, 'free-ram': '661', 'apiVersion': 3} Dummy-2::DEBUG::2017-05-18 16:20:55,631::VirtIoChannel::209::root::Written {"__name__": "heartbeat", "memory-stat": {"swap_out": 0, "majflt": 0, "swap_usage": 0, "mem_cached": 269172, "mem_free": 677044, "mem_buffers": 948, "swap_in": 0, "swap_total": 839676, "pageflt": 177, "mem_total": 948456, "mem_unused": 406924}, "free-ram": "661", "apiVersion": 3} Dummy-3::INFO::2017-05-18 16:20:55,633::OVirtAgentLogic::321::root::Received an external command: api-version... Dummy-3::DEBUG::2017-05-18 16:20:55,633::OVirtAgentLogic::113::root::API version 2 already set, no update necessary Dummy-3::DEBUG::2017-05-18 16:20:55,633::OVirtAgentLogic::293::root::AgentLogicBase::doListen() - in loop before vio.read Dummy-2::DEBUG::2017-05-18 16:21:00,638::OVirtAgentLogic::197::root::Sending heartbeat with args {'memory-stat': {'swap_out': 0, 'majflt': 0, 'swap_usage': 0, 'mem_cached': 269200, 'mem_free': 670092, 'mem_buffers': 948, 'swap_in': 0, 'swap_total': 839676, 'pageflt': 696, 'mem_total': 948456, 'mem_unused': 399944}, 'free-ram': '654', 'apiVersion': 3} Dummy-2::DEBUG::2017-05-18 16:21:00,639::VirtIoChannel::209::root::Written {"__name__": "heartbeat", "memory-stat": {"swap_out": 0, "majflt": 0, "swap_usage": 0, "mem_cached": 269200, "mem_free": 670092, "mem_buffers": 948, "swap_in": 0, "swap_total": 839676, "pageflt": 696, "mem_total": 948456, "mem_unused": 399944}, "free-ram": "654", "apiVersion": 3} Dummy-3::INFO::2017-05-18 16:21:00,644::OVirtAgentLogic::321::root::Received an external command: api-version... Dummy-3::DEBUG::2017-05-18 16:21:00,644::OVirtAgentLogic::113::root::API version 2 already set, no update necessary Dummy-3::DEBUG::2017-05-18 16:21:00,644::OVirtAgentLogic::293::root::AgentLogicBase::doListen() - in loop before vio.read Dummy-2::DEBUG::2017-05-18 16:21:00,644::OVirtAgentLogic::398::root::AgentLogicBase::sendUserInfo - cur_user = '(unknown)' Dummy-2::DEBUG::2017-05-18 16:21:00,738::GuestAgentLinux2::152::root::PkgMgr: list_pkgs returns [['kernel-3.10.0-514.el7', 'xorg-x11-drv-qxl-0.1.1-18.el7', 'ovirt-guest-agent-common-1.0.13-2.el7', 'kernel-3.10.0-514.16.1.el7']] Dummy-2::DEBUG::2017-05-18 16:21:00,738::OVirtAgentLogic::197::root::Sending applications with args {'applications': ['kernel-3.10.0-514.el7', 'xorg-x11-drv-qxl-0.1.1-18.el7', 'ovirt-guest-agent-common-1.0.13-2.el7', 'kernel-3.10.0-514.16.1.el7']} Dummy-2::DEBUG::2017-05-18 16:21:00,739::VirtIoChannel::209::root::Written {"applications": ["kernel-3.10.0-514.el7", "xorg-x11-drv-qxl-0.1.1-18.el7", "ovirt-guest-agent-common-1.0.13-2.el7", "kernel-3.10.0-514.16.1.el7"], "__name__": "applications"} Dummy-2::DEBUG::2017-05-18 16:21:00,740::GuestAgentLinux2::296::root::Executing ovirt-container-list command Dummy-2::DEBUG::2017-05-18 16:21:00,767::OVirtAgentLogic::201::root::Message containers not supported by api version 2. Dummy-2::DEBUG::2017-05-18 16:21:00,769::OVirtAgentLogic::197::root::Sending host-name with args {'name': 'c7.2-gui.kenla.nl'} Dummy-2::DEBUG::2017-05-18 16:21:00,770::VirtIoChannel::209::root::Written {"__name__": "host-name", "name": "c7.2-gui.kenla.nl"} Dummy-2::DEBUG::2017-05-18 16:21:00,770::OVirtAgentLogic::197::root::Sending os-version with args {'version': '3.10.0-514.16.1.el7.x86_64'} Dummy-2::DEBUG::2017-05-18 16:21:00,770::VirtIoChannel::209::root::Written {"__name__": "os-version", "version": "3.10.0-514.16.1.el7.x86_64"} Dummy-2::DEBUG::2017-05-18 16:21:00,771::OVirtAgentLogic::197::root::Sending network-interfaces with args {'interfaces': [{'hw': '00:1a:4a:16:01:58', 'name': 'eth0', 'inet': ['10.0.1.7'], 'inet6': ['fe80::a2ab:bc3f:407f:2a4e']}]} Dummy-2::DEBUG::2017-05-18 16:21:00,772::VirtIoChannel::209::root::Written {"__name__": "network-interfaces", "interfaces": [{"inet6": ["fe80::a2ab:bc3f:407f:2a4e"], "hw": "00:1a:4a:16:01:58", "inet": ["10.0.1.7"], "name": "eth0"}]} Dummy-2::DEBUG::2017-05-18 16:21:00,774::OVirtAgentLogic::197::root::Sending fqdn with args {'fqdn': 'c7.2-gui.kenla.nl'} Dummy-2::DEBUG::2017-05-18 16:21:00,774::VirtIoChannel::209::root::Written {"__name__": "fqdn", "fqdn": "c7.2-gui.kenla.nl"} Dummy-2::DEBUG::2017-05-18 16:21:00,775::OVirtAgentLogic::197::root::Sending number-of-cpus with args {'count': 1} Dummy-2::DEBUG::2017-05-18 16:21:00,775::VirtIoChannel::209::root::Written {"count": 1, "__name__": "number-of-cpus"} Dummy-2::DEBUG::2017-05-18 16:21:05,781::OVirtAgentLogic::197::root::Sending heartbeat with args {'memory-stat': {'swap_out': 0, 'majflt': 0, 'swap_usage': 0, 'mem_cached': 269204, 'mem_free': 671188, 'mem_buffers': 948, 'swap_in': 0, 'swap_total': 839676, 'pageflt': 1495, 'mem_total': 948456, 'mem_unused': 401036}, 'free-ram': '655', 'apiVersion': 3} Dummy-2::DEBUG::2017-05-18 16:21:05,781::VirtIoChannel::209::root::Written {"__name__": "heartbeat", "memory-stat": {"swap_out": 0, "majflt": 0, "swap_usage": 0, "mem_cached": 269204, "mem_free": 671188, "mem_buffers": 948, "swap_in": 0, "swap_total": 839676, "pageflt": 1495, "mem_total": 948456, "mem_unused": 401036}, "free-ram": "655", "apiVersion": 3} Dummy-3::INFO::2017-05-18 16:21:05,783::OVirtAgentLogic::321::root::Received an external command: api-version... Dummy-3::DEBUG::2017-05-18 16:21:05,783::OVirtAgentLogic::113::root::API version 2 already set, no update necessary Dummy-3::DEBUG::2017-05-18 16:21:05,783::OVirtAgentLogic::293::root::AgentLogicBase::doListen() - in loop before vio.read Dummy-3::INFO::2017-05-18 16:21:10,725::OVirtAgentLogic::321::root::Received an external command: lock-screen... Dummy-3::DEBUG::2017-05-18 16:21:10,725::GuestAgentLinux2::228::root::Executing lock session command: '['/usr/share/ovirt-guest-agent/ovirt-locksession']' Dummy-3::DEBUG::2017-05-18 16:21:10,773::OVirtAgentLogic::293::root::AgentLogicBase::doListen() - in loop before vio.read Dummy-2::DEBUG::2017-05-18 16:21:10,788::OVirtAgentLogic::197::root::Sending heartbeat with args {'memory-stat': {'swap_out': 0, 'majflt': 0, 'swap_usage': 0, 'mem_cached': 269624, 'mem_free': 670900, 'mem_buffers': 948, 'swap_in': 0, 'swap_total': 839676, 'pageflt': 963, 'mem_total': 948456, 'mem_unused': 400328}, 'free-ram': '655', 'apiVersion': 3} Dummy-2::DEBUG::2017-05-18 16:21:10,788::VirtIoChannel::209::root::Written {"__name__": "heartbeat", "memory-stat": {"swap_out": 0, "majflt": 0, "swap_usage": 0, "mem_cached": 269624, "mem_free": 670900, "mem_buffers": 948, "swap_in": 0, "swap_total": 839676, "pageflt": 963, "mem_total": 948456, "mem_unused": 400328}, "free-ram": "655", "apiVersion": 3}
In the log you can see there are entries stating: Dummy-2::DEBUG::2017-05-18 16:21:00,644::OVirtAgentLogic::398::root::AgentLogicBase::sendUserInfo - cur_user = '(unknown)' while if I login in the console it states: Dummy-2::DEBUG::2017-05-22 11:13:40,559::OVirtAgentLogic::398::root::AgentLogicBase::sendUserInfo - cur_user = 'klant1.test' Also if i try this on a older vm (centos 7.2) log entries state: Dummy-1::INFO::2017-05-22 11:29:54,703::OVirtAgentLogic::307::root::Received an external command: login... Dummy-1::DEBUG::2017-05-22 11:29:54,703::OVirtAgentLogic::341::root::User log-in (credentials = '\x00\x00\x00\x14klant1.test********\x00') Dummy-1::INFO::2017-05-22 11:29:54,703::CredServer::208::root::The following users are allowed to connect: [0] Dummy-1::DEBUG::2017-05-22 11:29:54,703::CredServer::273::root::Token: 195732 Dummy-1::INFO::2017-05-22 11:29:54,703::CredServer::274::root::Opening credentials channel... Dummy-1::INFO::2017-05-22 11:29:54,704::CredServer::133::root::Emitting user authenticated signal (195732). All the 'CredServer' entries do not show up in the logs of new Centos 7.3 vm
Tomas, can you please have a look?
The SSO works for me with the fix suggested by Jiri Belka in comment #2. The missing CredServ lines in the log are suspicious. Can you verify that the file /usr/share/ovirt-guest-agent/CredServer.py exists on your system? It is in ovirt-guest-agent-common-1.0.13-2.el7.noarch RPM. Could you also attach the output of journalctl from around the time of the login?
Hi Tomas, Thanks for looking into this. I created a new VM with Centos 7.3(1611) and installed ipa-client4.4 with command "ipa-client-install --mkhomedir --permit" Login with IPA clients in the console works with this configuration. Afterwards changed only one line in /etc/pam.d/password-auth according to comment #2 from Jiri Belka [root@cd02 ~]# cat /etc/pam.d/password-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth [default=1 success=ok] pam_localuser.so auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success #auth sufficient pam_sss.so forward_pass auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so With this config IPA clients can not login anymore (not SSO and not in console) Hereby the output you requested: [root@cd02 usr]# rpm -qa | grep ovirt ovirt-guest-agent-pam-module-1.0.13-2.el7.x86_64 ovirt-guest-agent-common-1.0.13-2.el7.noarch ovirt-guest-agent-gdm-plugin-1.0.13-2.el7.noarch [root@cd02 usr]# find / -name 'CredServer.py' /usr/share/ovirt-guest-agent/CredServer.py /var/log/ovirt-guest-agent/ovirt-guest-agent Dummy-2::INFO::2017-06-02 14:45:28,427::OVirtAgentLogic::321::root::Received an external command: login... Dummy-2::DEBUG::2017-06-02 14:45:28,428::OVirtAgentLogic::355::root::User log-in (credentials = '\x00\x00\x00\x0ftest********\x00') Dummy-2::DEBUG::2017-06-02 14:45:28,428::OVirtAgentLogic::293::root::AgentLogicBase::doListen() - in loop before vio.read Dummy-3::DEBUG::2017-06-02 14:45:30,554::OVirtAgentLogic::197::root::Sending heartbeat with args {'memory-stat': {'swap_out': 0, 'majflt': 0, 'swap_usage': 0, 'mem_cached': 255936, 'mem_free': 1539352, 'mem_buffers': 948, 'swap_in': 0, 'swap_total': 524284, 'pageflt': 176, 'mem_total': 1815748, 'mem_unused': 1282468}, 'free-ram': '1503', 'apiVersion': 3} Dummy-3::DEBUG::2017-06-02 14:45:30,555::VirtIoChannel::209::root::Written {"__name__": "heartbeat", "memory-stat": {"swap_out": 0, "majflt": 0, "swap_usage": 0, "mem_cached": 255936, "mem_free": 1539352, "mem_buffers": 948, "swap_in": 0, "swap_total": 524284, "pageflt": 176, "mem_total": 1815748, "mem_unused": 1282468}, "free-ram": "1503", "apiVersion": 3} Dummy-3::DEBUG::2017-06-02 14:45:35,560::OVirtAgentLogic::197::root::Sending heartbeat with args {'memory-stat': {'swap_out': 0, 'majflt': 0, 'swap_usage': 0, 'mem_cached': 255940, 'mem_free': 1539136, 'mem_buffers': 948, 'swap_in': 0, 'swap_total': 524284, 'pageflt': 252, 'mem_total': 1815748, 'mem_unused': 1282248}, 'free-ram': '1503', 'apiVersion': 3} Dummy-3::DEBUG::2017-06-02 14:45:35,561::VirtIoChannel::209::root::Written {"__name__": "heartbeat", "memory-stat": {"swap_out": 0, "majflt": 0, "swap_usage": 0, "mem_cached": 255940, "mem_free": 1539136, "mem_buffers": 948, "swap_in": 0, "swap_total": 524284, "pageflt": 252, "mem_total": 1815748, "mem_unused": 1282248}, "free-ram": "1503", "apiVersion": 3} Dummy-3::DEBUG::2017-06-02 14:45:35,563::OVirtAgentLogic::398::root::AgentLogicBase::sendUserInfo - cur_user = '(unknown)' Dummy-3::DEBUG::2017-06-02 14:45:40,569::OVirtAgentLogic::197::root::Sending heartbeat with args {'memory-stat': {'swap_out': 0, 'majflt': 0, 'swap_usage': 0, 'mem_cached': 255940, 'mem_free': 1539152, 'mem_buffers': 948, 'swap_in': 0, 'swap_total': 524284, 'pageflt': 246, 'mem_total': 1815748, 'mem_unused': 1282264}, 'free-ram': '1503', 'apiVersion': 3} Dummy-3::DEBUG::2017-06-02 14:45:40,569::VirtIoChannel::209::root::Written {"__name__": "heartbeat", "memory-stat": {"swap_out": 0, "majflt": 0, "swap_usage": 0, "mem_cached": 255940, "mem_free": 1539152, "mem_buffers": 948, "swap_in": 0, "swap_total": 524284, "pageflt": 246, "mem_total": 1815748, "mem_unused": 1282264}, "free-ram": "1503", "apiVersion": 3} Dummy-2::INFO::2017-06-02 14:45:40,587::OVirtAgentLogic::321::root::Received an external command: lock-screen... Dummy-2::DEBUG::2017-06-02 14:45:40,587::GuestAgentLinux2::228::root::Executing lock session command: '['/usr/share/ovirt-guest-agent/ovirt-locksession']' journalctl: jun 02 14:28:36 C7-3v2.domain.com kernel: MTRR default type: write-back ...skipping... jun 02 14:45:31 cd02.domain.com kernel: [drm:qxl_gem_object_create [qxl]] *ERROR* Failed to allocate GEM object (5766400, 2, 4096, -12) jun 02 14:45:31 cd02.domain.com kernel: [drm:qxl_alloc_surf_ioctl [qxl]] *ERROR* qxl_alloc_surf_ioctl: failed to create gem ret=-12 jun 02 14:45:31 cd02.domain.com spice-vdagent[774]: vdagent_audio_playback_sync mute=yes nchannels=2 jun 02 14:45:31 cd02.domain.com spice-vdagent[774]: get_alsa_default_mixer_by_name fail: No such file or directory jun 02 14:45:31 cd02.domain.com spice-vdagent[774]: vdagent-audio: can't get default alsa mixer jun 02 14:45:31 cd02.domain.com spice-vdagent[774]: Fail to sync playback volume jun 02 14:45:31 cd02.domain.com spice-vdagent[774]: vdagent_audio_record_sync mute=no nchannels=2 jun 02 14:45:31 cd02.domain.com spice-vdagent[774]: get_alsa_default_mixer_by_name fail: No such file or directory jun 02 14:45:31 cd02.domain.com spice-vdagent[774]: vdagent-audio: can't get default alsa mixer jun 02 14:45:31 cd02.domain.com spice-vdagent[774]: Fail to sync record volume jun 02 14:45:40 cd02.domain.com userhelper[2577]: pam_succeed_if(ovirt-locksession:auth): requirement "user = ovirtagent" was met by user "ovirtagent" jun 02 14:45:40 cd02.domain.com userhelper[2577]: running '/usr/share/ovirt-guest-agent/LockActiveSession.py' with root privileges on behalf of 'ovirtagent' jun 02 14:47:05 cd02.domain.com userhelper[2589]: pam_succeed_if(ovirt-container-list:auth): requirement "user = ovirtagent" was met by user "ovirtagent" jun 02 14:47:05 cd02.domain.com userhelper[2589]: running '/usr/share/ovirt-guest-agent/container-list' with root privileges on behalf of 'ovirtagent' If I try to login in on the console journalctl logs: jun 02 15:26:07 cd02.domain.com gdm-password][2403]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=test jun 02 15:26:07 cd02.domain.com gdm-password][2403]: pam_sss(gdm-password:auth): received for user test: 7 (Authentication failure) jun 02 15:26:07 cd02.domain.com gdm-password][2403]: gkr-pam: no password is available for user hope this helps. Regards, Paul
If i change /etc/pam.d/password-auth according to comment #3 from Jiri Belka the clients can login on the console, but SSO still does not work [root@cd02 ~]# cat /etc/pam.d/password-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so #auth [default=1 success=ok] pam_localuser.so #auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success #auth sufficient pam_sss.so forward_pass auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= #password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so /var/log/ovirt-guest-agent/ovirt-guest-agent.log Dummy-3::INFO::2017-06-02 15:48:26,717::OVirtAgentLogic::321::root::Received an external command: login... Dummy-3::DEBUG::2017-06-02 15:48:26,718::OVirtAgentLogic::355::root::User log-in (credentials = '\x00\x00\x00\x0ftest********\x00') Dummy-3::DEBUG::2017-06-02 15:48:26,718::OVirtAgentLogic::293::root::AgentLogicBase::doListen() - in loop before vio.read Dummy-2::DEBUG::2017-06-02 15:48:28,866::OVirtAgentLogic::197::root::Sending heartbeat with args {'memory-stat': {'swap_out': 0, 'majflt': 0, 'swap_usage': 0, 'mem_cached': 249296, 'mem_free': 1547752, 'mem_buffers': 948, 'swap_in': 0, 'swap_total': 524284, 'pageflt': 379, 'mem_total': 1815748, 'mem_unused': 1297508}, 'free-ram': '1511', 'apiVersion': 3} Dummy-2::DEBUG::2017-06-02 15:48:28,867::VirtIoChannel::209::root::Written {"__name__": "heartbeat", "memory-stat": {"swap_out": 0, "majflt": 0, "swap_usage": 0, "mem_cached": 249296, "mem_free": 1547752, "mem_buffers": 948, "swap_in": 0, "swap_total": 524284, "pageflt": 379, "mem_total": 1815748, "mem_unused": 1297508}, "free-ram": "1511", "apiVersion": 3} Dummy-2::DEBUG::2017-06-02 15:48:33,873::OVirtAgentLogic::197::root::Sending heartbeat with args {'memory-stat': {'swap_out': 0, 'majflt': 0, 'swap_usage': 0, 'mem_cached': 249528, 'mem_free': 1547844, 'mem_buffers': 948, 'swap_in': 0, 'swap_total': 524284, 'pageflt': 128, 'mem_total': 1815748, 'mem_unused': 1297368}, 'free-ram': '1511', 'apiVersion': 3} Dummy-2::DEBUG::2017-06-02 15:48:33,874::VirtIoChannel::209::root::Written {"__name__": "heartbeat", "memory-stat": {"swap_out": 0, "majflt": 0, "swap_usage": 0, "mem_cached": 249528, "mem_free": 1547844, "mem_buffers": 948, "swap_in": 0, "swap_total": 524284, "pageflt": 128, "mem_total": 1815748, "mem_unused": 1297368}, "free-ram": "1511", "apiVersion": 3} Dummy-2::DEBUG::2017-06-02 15:48:33,877::OVirtAgentLogic::398::root::AgentLogicBase::sendUserInfo - cur_user = '(unknown)' Dummy-2::DEBUG::2017-06-02 15:48:38,882::OVirtAgentLogic::197::root::Sending heartbeat with args {'memory-stat': {'swap_out': 0, 'majflt': 0, 'swap_usage': 0, 'mem_cached': 249740, 'mem_free': 1546116, 'mem_buffers': 948, 'swap_in': 0, 'swap_total': 524284, 'pageflt': 646, 'mem_total': 1815748, 'mem_unused': 1295428}, 'free-ram': '1509', 'apiVersion': 3} Dummy-2::DEBUG::2017-06-02 15:48:38,882::VirtIoChannel::209::root::Written {"__name__": "heartbeat", "memory-stat": {"swap_out": 0, "majflt": 0, "swap_usage": 0, "mem_cached": 249740, "mem_free": 1546116, "mem_buffers": 948, "swap_in": 0, "swap_total": 524284, "pageflt": 646, "mem_total": 1815748, "mem_unused": 1295428}, "free-ram": "1509", "apiVersion": 3} Dummy-2::DEBUG::2017-06-02 15:48:43,916::OVirtAgentLogic::197::root::Sending heartbeat with args {'memory-stat': {'swap_out': 0, 'majflt': 27, 'swap_usage': 0, 'mem_cached': 318852, 'mem_free': 1406552, 'mem_buffers': 948, 'swap_in': 0, 'swap_total': 524284, 'pageflt': 33794, 'mem_total': 1815748, 'mem_unused': 1086752}, 'free-ram': '1373', 'apiVersion': 3} Dummy-2::DEBUG::2017-06-02 15:48:43,917::VirtIoChannel::209::root::Written {"__name__": "heartbeat", "memory-stat": {"swap_out": 0, "majflt": 27, "swap_usage": 0, "mem_cached": 318852, "mem_free": 1406552, "mem_buffers": 948, "swap_in": 0, "swap_total": 524284, "pageflt": 33794, "mem_total": 1815748, "mem_unused": 1086752}, "free-ram": "1373", "apiVersion": 3} Dummy-2::DEBUG::2017-06-02 15:48:43,938::OVirtAgentLogic::398::root::AgentLogicBase::sendUserInfo - cur_user = 'test' Dummy-2::DEBUG::2017-06-02 15:48:43,938::OVirtAgentLogic::197::root::Sending active-user with args {'name': 'test'} Dummy-2::DEBUG::2017-06-02 15:48:43,939::VirtIoChannel::209::root::Written {"__name__": "active-user", "name": "test"} Dummy-3::INFO::2017-06-02 15:48:47,017::OVirtAgentLogic::321::root::Received an external command: lock-screen... Dummy-3::DEBUG::2017-06-02 15:48:47,017::GuestAgentLinux2::228::root::Executing lock session command: '['/usr/share/ovirt-guest-agent/ovirt-locksession']' journalctl: jun 02 15:47:51 C7-3v2.domain.com kernel: Base memory trampoline at [ffff880000099000] 99000 size 24576 ...skipping... jun 02 15:48:42 cd02.domain.com gnome-session[2400]: Gjs-Message: JS LOG: No permission to trigger offline updates: Polkit.Error: GDBus.Error:org.freedesktop.PolicyK jun 02 15:48:42 cd02.domain.com gnome-session[2400]: Gjs-Message: JS WARNING: [/usr/share/gnome-shell/extensions/launch-new-instance.g jun 02 15:48:42 cd02.domain.com gnome-session[2400]: (gnome-shell:2473): mutter-WARNING **: Failed to load background '/usr/share/backgrounds/gnome/adwaita-lock.jpg' jun 02 15:48:42 cd02.domain.com gnome-session[2400]: (uint32 1,) jun 02 15:48:43 cd02.domain.com gnome-session[2400]: Entering running state jun 02 15:48:43 cd02.domain.com gnome-session[2400]: Failed to play sound: File or data not found jun 02 15:48:43 cd02.domain.com gnome-session[2400]: (nautilus:2560): Gtk-WARNING **: gtk_widget_size_allocate(): attempt to allocate widget with width -15 and heigh jun 02 15:48:43 cd02.domain.com gnome-session[2400]: (gnome-shell:2473): Gjs-WARNING **: JS ERROR: GLib.Error dbus-glib-error-quark: The name org.freedesktop.Telepat jun 02 15:48:43 cd02.domain.com gnome-session[2400]: (gnome-settings-daemon:2441): color-plugin-WARNING **: failed to get edid: unable to get EDID for output jun 02 15:48:43 cd02.domain.com gnome-shell[2473]: GNOME Shell started at Fri Jun 02 2017 15:48:42 GMT+0200 (CEST) jun 02 15:48:44 cd02.domain.com gnome-session[2400]: (gnome-settings-daemon:2441): color-plugin-WARNING **: unable to get EDID for xrandr-Virtual-0: unable to get ED jun 02 15:48:47 cd02.domain.com userhelper[2698]: pam_succeed_if(ovirt-locksession:auth): requirement "user = ovirtagent" was met by user "ovirtagent" jun 02 15:48:47 cd02.domain.com userhelper[2698]: running '/usr/share/ovirt-guest-agent/LockActiveSession.py' with root privileges on behalf of 'ovirtagent' jun 02 15:48:58 cd02.domain.com realmd[971]: quitting realmd service after timeout jun 02 15:48:58 cd02.domain.com realmd[971]: stopping service jun 02 15:49:06 cd02.domain.com dbus[631]: [system] Failed to activate service 'org.bluez': timed out jun 02 15:49:06 cd02.domain.com dbus-daemon[631]: dbus[631]: [system] Failed to activate service 'org.bluez': timed out jun 02 15:49:06 cd02.domain.com pulseaudio[2494]: [pulseaudio] bluez5-util.c: GetManagedObjects() failed: org.freedesktop.DBus.Error.NoReply: Did not receive a reply jun 02 15:49:24 cd02.domain.com sshd[2719]: Accepted keyboard-interactive/pam for root from 10.0.2.65 port 40360 ssh2 jun 02 15:49:25 cd02.domain.com systemd[1]: Created slice user-0.slice.
(In reply to paul from comment #10) > Hi Tomas, > Thanks for looking into this. > I created a new VM with Centos 7.3(1611) and installed ipa-client4.4 with > command "ipa-client-install --mkhomedir --permit" > Login with IPA clients in the console works with this configuration. > > Afterwards changed only one line in /etc/pam.d/password-auth according to > comment #2 from Jiri Belka > > [...] > > With this config IPA clients can not login anymore (not SSO and not in > console) Intersting. I'd say that working console login is a prerequisite here, but we'll get to that later. Our main concern now is the CredServer. > Hereby the output you requested: > > [root@cd02 usr]# rpm -qa | grep ovirt > ovirt-guest-agent-pam-module-1.0.13-2.el7.x86_64 > ovirt-guest-agent-common-1.0.13-2.el7.noarch > ovirt-guest-agent-gdm-plugin-1.0.13-2.el7.noarch > [root@cd02 usr]# find / -name 'CredServer.py' > /usr/share/ovirt-guest-agent/CredServer.py This is good. Could you also share the result of command: ls -lZ /usr/share/ovirt-guest-agent/CredServer.py* Could you also check the ovirt-guest-agent.log if there is *any* line containing the string "CredServer"? For example if you restart ovirt-guest-agent you should see something like this in the log: MainThread::INFO::2017-06-08 09:44:37,596::ovirt-guest-agent::59::root::Starting oVirt guest agent CredServer::INFO::2017-06-08 09:44:37,645::CredServer::258::root::CredServer is running... > journalctl: > jun 02 14:28:36 C7-3v2.domain.com kernel: MTRR default type: write-back > ...skipping... > jun 02 14:45:31 cd02.domain.com kernel: [drm:qxl_gem_object_create [qxl]] Sadly the part I was interested in is missing here because the GA login command was issued at 15:48:26,
Hi Tomas, I did some more research and experiments and it now works! I did a few steps at the same time, not sure which one is/are essential: 1. Upgraded engine from 4.1.8 tot 4.1.2.2 because my API logon was not working and according to [1] the engine needed an update 2. Complete new VM installation with GNOME and all additional packages 3. Adjust password-auth according to comment 3. If you just change "forward_pass" to "use_first_pass" (comment 2) the SSO will work, but console login fails. Thanks for your efforts and I hope this helps others as well to tackle SSO issues. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1438484