Single Sign On in RHEV3 using GDM and Active Directory

As per my previous post we should have Active Directory up and running in our RHEV-M.

So how about setting up SSO on our RHEL guests? In order to do that we should follow this simple procedure.

First of all, we need to install the RHEV agent, which is found in a special channel, and the winbind client:

rhn-channel --add --channel=rhel-x86_64-rhev-agent-6-server
yum install rhev-agent rhev-agent-gdm-plugin-rhevcred samba-winbind-clients

Next, we need to enable AD authentication on our guest, for example (RHEVM is our test domain):

system-config-authentication
  User Account => Winbind
  Winbind Domain => RHEVM
  Security Model => ads
  Winbind ADS Realm => RHEVM
  Winbind Domain Controller => ad.rhevm.test
  Template Shell => /bin/bash
  Join Domain  => Joined domain RHEVM.

If it is not working, double-check your configuration files and DNS resolution:

/etc/samba/smb.conf 
/etc/krb5.conf 
/etc/resolv.conf
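
As an added example (not part of the original post), a small shell check over those three files: it confirms that smb.conf uses security = ads, that the smb.conf realm matches the krb5.conf default_realm, and that resolv.conf has a nameserver entry. The function names, the sample file contents and the 192.0.2.10 address are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): sanity-check the three files
# named above for the settings chosen in system-config-authentication.

# Print the value of the first "key = value" line in a file (comments skipped).
conf_value() {  # $1 = file, $2 = key
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# Print one line per problem; the return status is the number of problems.
check_winbind_conf() {  # $1 = smb.conf, $2 = krb5.conf, $3 = resolv.conf
    local problems=0 security realm krb_realm
    security=$(conf_value "$1" security | tr 'A-Z' 'a-z')
    realm=$(conf_value "$1" realm | tr 'a-z' 'A-Z')
    krb_realm=$(conf_value "$2" default_realm | tr 'a-z' 'A-Z')
    if [ "$security" != "ads" ]; then
        echo "smb.conf: security = '$security', expected 'ads'"; problems=$((problems + 1))
    fi
    if [ -z "$realm" ] || [ "$realm" != "$krb_realm" ]; then
        echo "realm mismatch: smb.conf '$realm' vs krb5.conf '$krb_realm'"; problems=$((problems + 1))
    fi
    if ! grep -Eq '^[[:space:]]*nameserver[[:space:]]+[^[:space:]]' "$3"; then
        echo "resolv.conf: no nameserver entry"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample files mirroring the values used in this post.
demo_dir=$(mktemp -d)
printf '[global]\n   workgroup = RHEVM\n   security = ads\n   realm = RHEVM\n' > "$demo_dir/smb.conf"
printf '[libdefaults]\n default_realm = RHEVM\n' > "$demo_dir/krb5.conf"
printf 'search rhevm.test\nnameserver 192.0.2.10\n' > "$demo_dir/resolv.conf"
check_winbind_conf "$demo_dir/smb.conf" "$demo_dir/krb5.conf" "$demo_dir/resolv.conf" \
    && echo "configuration looks consistent"
rm -rf "$demo_dir"
```

On a real guest, pass /etc/samba/smb.conf, /etc/krb5.conf and /etc/resolv.conf as the three arguments.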

And finally, just in case, check that winbind is working properly; for example, we could check some users/groups:

wbinfo -t
wbinfo -u
wbinfo -g
getent passwd "RHEVM\testuser"

As a last step, check that we can log in/sudo with an AD user on this guest:

su - 'RHEVM\testuser'
ssh 'RHEVM\testuser'@localhost

Finally, restart the GDM daemon and the rhev-agent service:

service rhev-agentd restart
pkill -f gdm-binary

And try to Single Sign On through GDM! It should work!

If it doesn’t work, put rhev-agent in debug mode and try to figure out why it is not working:

vi /etc/rhev-agent.conf
  ...
  level=DEBUG
  ...
service rhev-agentd restart
tail -f /var/log/rhev-agent/rhev-agent.log

How to connect RHEV 3.0 IPA to Active Directory?

In a default installation we have two methods of authentication:

But how about connecting our IPA to an Active Directory? Piece of cake! We just need to add it through the command line:

rhevm-manage-domains -action=list
rhevm-manage-domains -action=add -domain='your.nice.domain' -user='your.ad.admin.user.' -interactive
service jbossas restart

After that, we can check that our Active Directory is correctly up and running by trying to connect to it through:

rhevm-manage-domains -action=list
rhevm-manage-domains -action=validate

If it validates, all should be fine! Just try to log in with your admin IPA user and set up some users/perms from your AD, and then just authenticate with your AD user/pass.

If it doesn’t work, just take into account:

  1. Remember to restart the jbossas service after setting up your AD domain!
  2. On the UserPortal/RHEVManager, remember to select the correct domain from the combobox!
  3. If you can't add your AD domain, did you try to add it with another administration user of your AD?

And just in case you broke IPA and don’t remember your internal admin password ([email protected]), you can change it through:

rhevm-config -s AdminPassword=<newpassword>
service jbossas restart