[Ovirt-devel] Accessing the WUI from your laptop
David Lutterkort
dlutter at redhat.com
Fri Jul 18 23:34:10 UTC 2008
I just went through the motions of accessing the WUI from my laptop
instead of running Firefox inside the appliance. I am sure others on
this list know this already, but since I am pretty much a krb5 n00b,
this was all new to me.
I assume that you have the WUI appliance running on ovirt.home.net, and
want to access it from your laptop at laptop.home.net (note that I
changed the name of the WUI appliance, as my home network is not in the
ovirt.org domain)
* Make sure that ovirt.home.net and laptop.home.net can access
each other on the network (e.g., by putting ovirt.home.net on a
shared interface on its host)
* Make sure that forward and reverse DNS for those two machines is
set up properly, both on the laptop and on ovirt.home.net
* Check proper DNS resolution again
* Log into ovirt.home.net as root.
* Set an explicit Kerberos password for ovirtadmin
    # kinit -k -t /usr/share/ovirt-wui/ovirtadmin.tab ovirtadmin@PRIV.OVIRT.ORG
    # ipa-passwd
    (enter a new password of your choice)
* Create a host and an HTTP service principal for ovirt.home.net
    # kinit admin@PRIV.OVIRT.ORG
    (password is ovirt)
    # ipa-addservice host/ovirt.watzmann.net@PRIV.OVIRT.ORG
    # ipa-addservice HTTP/ovirt.watzmann.net@PRIV.OVIRT.ORG
* Add principals to the relevant keytabs (make backup copies of
those before actually running these commands; breaking the
keytabs is a great way to get to a place where nothing works)
    # kadmin.local
    kadmin.local: ktadd -k /etc/httpd/conf/ipa.keytab HTTP/ovirt.watzmann.net@PRIV.OVIRT.ORG
    kadmin.local: ktadd -k /etc/krb5.keytab host/ovirt.watzmann.net@PRIV.OVIRT.ORG
* Restart the affected services (not quite sure if that is really
needed)
    # service krb5kdc restart
    # service httpd restart
* Log into laptop.home.net as root
* Add the following block in the [realms] section
of /etc/krb5.conf
    PRIV.OVIRT.ORG = {
        kdc = ovirt.home.net:88
        admin_server = ovirt.home.net:749
        default_domain = priv.ovirt.org
    }
* Add the line 'ovirt.home.net = PRIV.OVIRT.ORG' in the
[domain_realm] section of /etc/krb5.conf
* Log into laptop.home.net as you
* Get a forwardable, addressless ticket (addressless might be
overkill, but if it's not forwardable, /var/log/krb5kdc.log on
ovirt.home.net complains a lot about a non-forwardable ticket)
    > kinit -A -f ovirtadmin@PRIV.OVIRT.ORG
    (use the password that you set previously with ipa-passwd)
* In Firefox, set up auth negotiation through Kerberos:
    * Open 'about:config' and search for 'negotiate'
    * Change the following settings:
        network.negotiate-auth.trusted-uris=ovirt.home.net
        network.negotiate-auth.delegation-uris=ovirt.home.net
        network.negotiate-auth.using-native-gsslib=true
    (If you have other URIs in trusted-uris or delegation-uris,
    note that these are comma-separated lists of domains, hosts
    or actual URIs)
* Go to http://ovirt.home.net/ovirt and (hopefully) admire the
Dashboard
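A few sanity checks for the Kerberos pieces of the steps above, added here as an example and not part of the original post. It parses the output of klist, and assumes the browser connects to ovirt.home.net in realm PRIV.OVIRT.ORG; the sample klist outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks over
# klist output for the WUI-from-laptop setup. Assumed names:
# host ovirt.home.net, realm PRIV.OVIRT.ORG.

# Does a `klist -k -t <keytab>` listing contain the given principal?
# $1 = listing text, $2 = principal, e.g. HTTP/ovirt.home.net@PRIV.OVIRT.ORG
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# The HTTP service principal must name exactly the host in the URL the
# browser uses: Firefox asks the KDC for HTTP/<hostname-in-URL>, so a
# keytab entry under another name is never consulted.
# $1 = principal, $2 = hostname the browser connects to
principal_matches_host() {
    host_part=${1#HTTP/}
    host_part=${host_part%@*}
    [ "$host_part" = "$2" ]
}

# Does `klist -f` output show a forwardable (F) TGT? The KDC log on the
# appliance complains when the user's ticket lacks this flag.
# $1 = klist -f output
ticket_is_forwardable() {
    printf '%s\n' "$1" | awk '/Flags:/ { if (index($2, "F")) ok = 1 } END { exit !ok }'
}

# Constructed sample outputs, shaped like what klist prints on a
# correctly set-up appliance and laptop.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   2 07/18/08 16:30:01 HTTP/ovirt.home.net@PRIV.OVIRT.ORG'

SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: ovirtadmin@PRIV.OVIRT.ORG

Valid starting     Expires            Service principal
07/18/08 16:34:10  07/19/08 16:34:10  krbtgt/PRIV.OVIRT.ORG@PRIV.OVIRT.ORG
        Flags: FIA'

# On the real machines, feed live output instead of the samples:
#   keytab_has_principal "$(klist -k -t /etc/httpd/conf/ipa.keytab)" HTTP/ovirt.home.net@PRIV.OVIRT.ORG
#   ticket_is_forwardable "$(klist -f)"
```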
David