[Ovirt-devel] Accessing the WUI from your laptop

David Lutterkort dlutter at redhat.com
Fri Jul 18 23:34:10 UTC 2008


I just went through the motions of accessing the WUI from my laptop
instead of running Firefox inside the appliance. I am sure others on
this list know this already, but since I am pretty much a krb5 n00b,
this was all new to me.

I assume that you have the WUI appliance running on ovirt.home.net, and
want to access it from your laptop at laptop.home.net (note that I
changed the name of the WUI appliance, as my home network is not in the
ovirt.org domain).

      * Make sure that ovirt.home.net and laptop.home.net can access
        each other on the network (e.g., by putting ovirt.home.net on a
        shared interface on its host)
      * Make sure that forward and reverse DNS for those two machines is
        set up properly, both on the laptop and on ovirt.home.net
      * Check proper DNS resolution again
      * Log into ovirt.home.net as root.
      * Set an explicit kerberos password for ovirtadmin
                # kinit -k -t /usr/share/ovirt-wui/ovirtadmin.tab ovirtadmin@PRIV.OVIRT.ORG
                # ipa-passwd
                Enter new password of your choice
      * Create a host and a HTTP service principal for ovirt.home.net
                # kinit admin@PRIV.OVIRT.ORG
                (password is ovirt)
                # ipa-addservice host/ovirt.home.net@PRIV.OVIRT.ORG
                # ipa-addservice HTTP/ovirt.home.net@PRIV.OVIRT.ORG
      * Add principals to the relevant keytabs (make backup copies of
        those before actually running these commands; breaking the
        keytabs is a great way to get to a place where nothing works)
                # kadmin.local
                kadmin.local: ktadd -k /etc/httpd/conf/ipa.keytab HTTP/ovirt.home.net@PRIV.OVIRT.ORG
                kadmin.local: ktadd -k /etc/krb5.keytab host/ovirt.home.net@PRIV.OVIRT.ORG
      * Restart the affected services (not quite sure if that is really
        needed)
                # service krb5kdc restart
                # service httpd restart
      * Log into laptop.home.net as root
      * Add the following block in the [realms] section
        of /etc/krb5.conf
                 PRIV.OVIRT.ORG = {
                  kdc = ovirt.home.net:88
                  admin_server = ovirt.home.net:749
                  default_domain = priv.ovirt.org
                 }
      * Add the line 'ovirt.home.net = PRIV.OVIRT.ORG' in the
        [domain_realms] section of /etc/krb5.conf
      * Log into laptop.home.net as you
      * Get a forwardable, addressless ticket (addressless might be
        overkill, but if it's not forwardable, /var/log/krb5kdc.log on
        ovirt.home.net complains a lot about a non-forwardable ticket)
                > kinit -A -f ovirtadmin@PRIV.OVIRT.ORG
                (use the password that you set previously with ipa-passwd)
      * In Firefox, set up auth negotiation through Kerberos:
              * Open 'about:config' and search for 'negotiate'
              * Change the following settings:
                network.negotiate-auth.trusted-uris=ovirt.home.net
                network.negotiate-auth.delegation-uris=ovirt.home.net
                network.negotiate-auth.using-native-gsslib=true
                
                (If you have other URIs in the trusted-uris or
                delegation-uris, these are comma-separated lists of
                domains, hosts or actual URIs)
                
      * Go to http://ovirt.home.net/ovirt and (hopefully) admire the
        Dashboard

David
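A small pre-flight check for the last steps above, added here as an example and not part of the original post: before pointing Firefox at the WUI, it reads `klist -f` output and confirms that the cache holds a forwardable TGT for ovirtadmin@PRIV.OVIRT.ORG, the condition the KDC log complains about when missing. The klist output embedded below is constructed, not captured from a real appliance.

```shell
#!/bin/sh
# Pre-flight check before pointing Firefox at the WUI: does the credential
# cache hold a TGT for the expected principal, and is it forwardable? The
# post notes that a non-forwardable ticket makes the appliance's krb5kdc.log
# complain. Input is MIT `klist -f` output on stdin.

# check_tgt PRINCIPAL < klist_output
# Returns 0 when the default principal matches and the krbtgt ticket for its
# realm carries the F (forwardable) flag; otherwise prints why and returns 1.
check_tgt() {
  want="$1"
  realm="${want##*@}"
  default="" ; in_tgt=0 ; flags=""
  while IFS= read -r line; do
    case "$line" in
      "Default principal: "*) default="${line#Default principal: }" ;;
      *"krbtgt/$realm@$realm"*) in_tgt=1 ;;   # TGT line; its Flags: line follows
      *Flags:*) [ "$in_tgt" = 1 ] && flags="${line##*Flags: }"; in_tgt=0 ;;
      *) in_tgt=0 ;;
    esac
  done
  if [ "$default" != "$want" ]; then
    echo "cache holds '$default', expected $want: run kinit -A -f $want"; return 1
  fi
  case "$flags" in
    *F*) echo "forwardable TGT for $want (flags $flags)"; return 0 ;;
    *)   echo "TGT for $want is not forwardable (flags '$flags'): kinit -f"; return 1 ;;
  esac
}

# Constructed sample klist -f output (not captured from a real appliance):
# a ticket from `kinit -A -f` and one from a plain `kinit` without -f.
SAMPLE_GOOD='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: ovirtadmin@PRIV.OVIRT.ORG

Valid starting     Expires            Service principal
07/18/08 16:30:02  07/19/08 16:30:02  krbtgt/PRIV.OVIRT.ORG@PRIV.OVIRT.ORG
        Flags: FIA'
SAMPLE_BAD='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: ovirtadmin@PRIV.OVIRT.ORG

Valid starting     Expires            Service principal
07/18/08 16:30:02  07/19/08 16:30:02  krbtgt/PRIV.OVIRT.ORG@PRIV.OVIRT.ORG
        Flags: IA'

# Usage: sh check_tgt.sh ovirtadmin@PRIV.OVIRT.ORG   (checks the live cache)
if [ $# -gt 0 ]; then klist -f | check_tgt "$1"; fi
```

Run it with the principal as its only argument on the laptop after `kinit -A -f`; a missing F flag means the ticket was obtained without `-f`.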
