Bug 866945 - Don't perform SSO if the computer is not joined to domain to which user belongs
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-guest-agent
3.1.0
Unspecified Unspecified
unspecified Severity unspecified
Assigned To: Vinzenz Feenstra [evilissimo]
Pavel Stehlik
virt
Reported: 2012-10-16 07:26 EDT by David Jaša
Modified: 2013-07-11 17:21 EDT
Doc Type: Bug Fix
Last Closed: 2013-07-11 17:21:22 EDT
Type: Bug
Description David Jaša 2012-10-16 07:26:06 EDT
Description of problem:
Don't perform SSO if the computer is not joined to domain to which user belongs

Version-Release number of selected component (if applicable):
si19.1 / tools 3.1-7

How reproducible:
always

Steps to Reproduce:
1. install all RHEV tools on computer that is not joined to any domain
2. disconnect from the VM
3. connect to the VM from the User Portal
  
Actual results:
SSO is performed, resulting in error dialogs

Expected results:
SSO is skipped altogether

Additional info:
Comment 1 Itamar Heim 2012-10-16 09:15:36 EDT
Pay attention: the user does not have to belong to the domain; it could be trusted via different domains/forests/etc. as well.
Comment 2 Simon Grinberg 2012-10-16 09:36:53 EDT
(In reply to comment #1)
> pay attention user does not have to belong to the domain, it could be
> trusted via different domains/forests/etc. as well

Even if the VM is not part of any domain? I think trust will only work if the VM is part of a domain. If that is the case then this is on the boundaries between a bug and an enhancement.
Comment 3 Itamar Heim 2012-10-16 09:39:29 EDT
(In reply to comment #2)
... 
> Even if the VM is not part of any domain? I think trust will only work if
> the VM is part of a domain. If that is the case then this is on the
> boundaries between a bug and an enhancement.

If it is in no domain, then you may want SSO to ignore the domain to allow SSO based on the same user/password existing (Windows worked that way for years - if you had the same user/password in both domains/machines, it would let you work with "sso", without a trust).
(though I can't remember if they disabled that behavior or not)
Comment 4 Simon Grinberg 2012-10-16 09:56:22 EDT
(In reply to comment #3)
> (In reply to comment #2)
> ... 
> 
> if it is in no domain, then you may want SSO to ignore the domain to allow
> SSO based on same user/password existing (windows worked that way for years
> - if you had same user/password in both domains/machines, it will let you
> work with "sso", without a trust).
> (though i can't remember if they disabled that behavior or not)

But we deprecated the 'local users' support from RHEV, right? So why not be consistent across the board?

In any case I don't think this specific issue is urgent, it's a rare use case where an organization has domains but the VMs are not members of any domain.
Comment 5 David Jaša 2012-10-16 10:04:14 EDT
(In reply to comment #3)
> (In reply to comment #2)
> ... 
> > Even if the VM is not part of any domain? I think trust will only work if
> > the VM is part of a domain. If that is the case then this is on the
> > boundaries between a bug and an enhancement.
> 
> if it is in no domain, then you may want SSO to ignore the domain to allow
> SSO based on same user/password existing (windows worked that way for years
> - if you had same user/password in both domains/machines, it will let you
> work with "sso", without a trust).
> (though i can't remember if they disabled that behavior or not)

Just tested on Windows XP: on a computer joined to no domain, I created a local user with the same name and password as my user in the domain: the system did _not_ sign me on.

The remaining question is whether Windows can authenticate a user from a different but trusted domain (with cross-domain trust or within the same forest).
Comment 6 David Jaša 2012-10-16 12:07:48 EDT
(In reply to comment #4)
> it's a rare use
> case where an organization has domains but the VMs are not members of any
> domain.

Well, I'm not seasoned in Windows corporate networks but this still leaves the case of VM-in-different-domain-than-user unhandled. Perhaps Windows has some equivalent of this bashism:
# attempt SSO only when the account resolves on this machine
if [ -n "$(getent passwd "${USER}@${DOMAIN}")" ]; then
    perform_sso "${USER}@${DOMAIN}"
else
    logger -t rhev-agent "user ${USER}@${DOMAIN} is not known"
fi
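
Added example, not part of the comments above and not ovirt-guest-agent code: the getent gate from comment 6 written as a POSIX shell function that tells "account not known on this guest" (skip SSO quietly, no error dialog) apart from a failed lookup (skip and log). `should_attempt_sso`, `log_sso` and `SSO_LOOKUP` are hypothetical names, and the character allow-list is an assumption.

```shell
#!/bin/sh
# Added example; should_attempt_sso, log_sso and SSO_LOOKUP are hypothetical.

# Command used to resolve an account. Overridable so the gate can be
# exercised without a directory service behind NSS.
: "${SSO_LOOKUP:=getent passwd}"

log_sso() {
    # logger may be missing in a minimal guest; fall back to stderr.
    logger -t rhev-agent "$1" 2>/dev/null || echo "rhev-agent: $1" >&2
}

# should_attempt_sso USER DOMAIN
#   returns 0: account resolves on this guest, SSO may be attempted
#           1: account not known here, skip SSO without raising an error
#           2: bad input or lookup failure, skip SSO and log the cause
should_attempt_sso() {
    user=$1 domain=$2
    # Both parts are required.
    [ -n "$user" ] && [ -n "$domain" ] || return 2
    # Assumed allow-list: keep unexpected characters out of the lookup
    # key and out of the log line.
    case "$user$domain" in
        *[!A-Za-z0-9._-]*) return 2 ;;
    esac
    rc=0
    entry=$($SSO_LOOKUP "${user}@${domain}" 2>/dev/null) || rc=$?
    case $rc in
        0) [ -n "$entry" ] && return 0
           return 1 ;;
        2) return 1 ;;   # getent exit status 2: key not found
        *) log_sso "lookup for ${user}@${domain} failed (rc=$rc)"
           return 2 ;;
    esac
}
```

A caller would run the SSO step only on return 0 and treat 1 as the "skipped altogether" outcome the report asks for.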
