Chapter 4. Additional Configuration
4.1. Configuring Single Sign-On for Virtual Machines
Configuring single sign-on, also known as password delegation, allows you to automatically log in to a virtual machine using the credentials you use to log in to the User Portal. Single sign-on can be used on both Red Hat Enterprise Linux and Windows virtual machines.
Important
If single sign-on to the User Portal is enabled, single sign-on to virtual machines will not be possible. With single sign-on to the User Portal enabled, the User Portal does not need to accept a password, thus the password cannot be delegated to sign in to virtual machines.
4.1.1. Configuring Single Sign-On for Red Hat Enterprise Linux Virtual Machines Using IPA (IdM)
To configure single sign-on for Red Hat Enterprise Linux virtual machines using GNOME and KDE graphical desktop environments and IPA (IdM) servers, you must install the ovirt-guest-agent package on the virtual machine and install the packages associated with your window manager.
Important
The following procedure assumes that you have a working IPA configuration and that the IPA domain is already joined to the Manager. You must also ensure that the clocks on the Manager, the virtual machine and the system on which IPA (IdM) is hosted are synchronized using NTP.
Procedure 4.1. Configuring Single Sign-On for Red Hat Enterprise Linux Virtual Machines
- Log in to the Red Hat Enterprise Linux virtual machine.
- Enable the required repository:
- For Red Hat Enterprise Linux 6
# subscription-manager repos --enable=rhel-6-server-rhv-4-agent-rpms
- For Red Hat Enterprise Linux 7
# subscription-manager repos --enable=rhel-7-server-rh-common-rpms
- Download and install the guest agent packages:
# yum install ovirt-guest-agent-common
- Install the single sign-on packages:
# yum install ovirt-guest-agent-pam-module # yum install ovirt-guest-agent-gdm-plugin
- Install the IPA packages:
# yum install ipa-client
- Run the following command and follow the prompts to configure ipa-client and join the virtual machine to the domain:
# ipa-client-install --permit --mkhomedir
Note
In environments that use DNS obfuscation, this command should be:# ipa-client-install --domain=FQDN --server==FQDN
- For Red Hat Enterprise Linux 7.2 and later, run:
# authconfig --enablenis --update
Note
Red Hat Enterprise Linux 7.2 has a new version of the System Security Services Daemon (SSSD) which introduces configuration that is incompatible with the Red Hat Virtualization Manager guest agent single sign-on implementation. The command will ensure that single sign-on works. - Fetch the details of an IPA user:
# getent passwd IPA_user_name
This will return something like this:some-ipa-user:*:936600010:936600001::/home/some-ipa-user:/bin/sh
You will need this information in the next step to create a home directory for some-ipa-user. - Set up a home directory for the IPA user:
- Create the new user's home directory:
# mkdir /home/some-ipa-user
- Give the new user ownership of the new user's home directory:
# chown 935500010:936600001 /home/some-ipa-user
Log in to the User Portal using the user name and password of a user configured to use single sign-on and connect to the console of the virtual machine. You will be logged in automatically.
4.1.2. Configuring Single Sign-On for Red Hat Enterprise Linux Virtual Machines Using Active Directory
To configure single sign-on for Red Hat Enterprise Linux virtual machines using GNOME and KDE graphical desktop environments and Active Directory, you must install the ovirt-guest-agent package on the virtual machine, install the packages associated with your window manager and join the virtual machine to the domain.
Important
The following procedure assumes that you have a working Active Directory configuration and that the Active Directory domain is already joined to the Manager. You must also ensure that the clocks on the Manager, the virtual machine and the system on which Active Directory is hosted are synchronized using NTP.
Procedure 4.2. Configuring Single Sign-On for Red Hat Enterprise Linux Virtual Machines
- Log in to the Red Hat Enterprise Linux virtual machine.
- Enable the Red Hat Virtualization Agent repository:
- For Red Hat Enterprise Linux 6
# subscription-manager repos --enable=rhel-6-server-rhv-4-agent-rpms
- For Red Hat Enterprise Linux 7
# subscription-manager repos --enable=rhel-7-server-rh-common-rpms
- Download and install the guest agent packages:
# yum install ovirt-guest-agent-common
- Install the single sign-on packages:
# yum install ovirt-guest-agent-gdm-plugin
- Install the Samba client packages:
# yum install samba-client samba-winbind samba-winbind-clients
- On the virtual machine, modify the
/etc/samba/smb.conffile to contain the following, replacingDOMAINwith the short domain name andREALM.LOCALwith the Active Directory realm:[global] workgroup = DOMAIN realm = REALM.LOCAL log level = 2 syslog = 0 server string = Linux File Server security = ads log file = /var/log/samba/%m max log size = 50 printcap name = cups printing = cups winbind enum users = Yes winbind enum groups = Yes winbind use default domain = true winbind separator = + idmap uid = 1000000-2000000 idmap gid = 1000000-2000000 template shell = /bin/bash
- Join the virtual machine to the domain:
net ads join -U user_name
- Start the winbind service and ensure it starts on boot:
- For Red Hat Enterprise Linux 6
# service winbind start # chkconfig winbind on
- For Red Hat Enterprise Linux 7
# systemctl start winbind.service # systemctl enable winbind.service
- Verify that the system can communicate with Active Directory:
- Verify that a trust relationship has been created:
# wbinfo -t
- Verify that you can list users:
# wbinfo -u
- Verify that you can list groups:
# wbinfo -g
- Configure the NSS and PAM stack:
- Open the Authentication Configuration window:
# authconfig-tui
- Select the Use Winbind check box, select Next and press Enter.
- Select the OK button and press Enter.
Log in to the User Portal using the user name and password of a user configured to use single sign-on and connect to the console of the virtual machine. You will be logged in automatically.
4.1.3. Configuring Single Sign-On for Windows Virtual Machines
To configure single sign-on for Windows virtual machines, the Windows guest agent must be installed on the guest virtual machine. The
RHEV Guest Tools ISO file provides this agent. If the RHEV-toolsSetup.iso image is not available in your ISO domain, contact your system administrator.
Procedure 4.3. Configuring Single Sign-On for Windows Virtual Machines
- Select the Windows virtual machine. Ensure the machine is powered up.
- Click Change CD.
- Select
RHEV-toolsSetup.isofrom the list of images. - Click OK.
- Click the Console icon and log in to the virtual machine.
- On the virtual machine, locate the CD drive to access the contents of the guest tools ISO file and launch
RHEV-ToolsSetup.exe. After the tools have been installed, you will be prompted to restart the machine to apply the changes.
Log in to the User Portal using the user name and password of a user configured to use single sign-on and connect to the console of the virtual machine. You will be logged in automatically.
4.1.4. Disabling Single Sign-on for Virtual Machines
The following procedure explains how to disable single sign-on for a virtual machine.
Procedure 4.4. Disabling Single Sign-On for Virtual Machines
- Select a virtual machine and click .
- Click the Console tab.
- Select the Disable Single Sign On check box.
- Click .
