This post is aimed at anyone who uses the oVirt project as a VDI provider and needs to get the SSO part running on Debian Linux. There are no problems getting SSO to work on Fedora 24 and earlier – it just works out of the box. But having only one SSO-enabled distribution won’t do much for most admins. Some parts of this document are KVM-VDI related, so oVirt users should skip them.
So, let’s start with a fresh Debian Stretch install (there is no need to run your client OS on the stable release – it’s too stable to have all the nifty features for the end user 🙂 ).
Install your favorite desktop environment. Then install GDM3. Yes, the SSO part works only with GDM3; there are some plugins for KDM and GDM2, but they are no longer supported and should not be used.
Let’s install ovirt-guest-agent:
echo "deb http://download.opensuse.org/repositories/home:/evilissimo:/deb/Debian_7.0/ ./" >> /etc/apt/sources.list
gpg -v -a --keyserver http://download.opensuse.org/repositories/home:/evilissimo:/deb/Debian_7.0/Release.key --recv-keys D5C7F7C373A1A299
gpg --export --armor 73A1A299 | apt-key add -
apt-get update
apt-get install ovirt-guest-agent
systemctl enable ovirt-guest-agent.service
If you are using oVirt, create the /etc/udev/rules.d/ovirt-guest-agent.rules file and copy the following line into it:
SYMLINK=="virtio-ports/com.redhat.rhevm.vdsm", OWNER="ovirtagent", GROUP="ovirtagent"
If you are using KVM-VDI, create the /etc/udev/rules.d/ovirt-guest-agent.rules file and copy the following line into it:
SYMLINK=="virtio-ports/com.kvm-vdi.0", OWNER="ovirtagent", GROUP="ovirtagent"
Now, you need to fix one line in ovirt-agent’s CredServer.py. You can read a description of the issue here: http://lists.ovirt.org/pipermail/users/2016-July/041594.html
cd /usr/share/ovirt-guest-agent
rm *.pyc
There’s one configuration file missing in ovirt-guest-agent.deb package, so you need to get it manually:
Open CredServer.py with your favorite text editor, go to line 146, and change it from:
conn.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
to:
conn.setsockopt(socket.SOL_SOCKET, 16, 1)
ovirt-guest-agent should be fine now. Let’s compile pam_ovirt_cred:
git clone https://github.com/oVirt/ovirt-guest-agent
cd ovirt-guest-agent
apt-get install pep8 autoconf libtool gettext g++ make pkg-config automake libpam-dev
./autogen.sh
./configure --with-sso --without-gdm --without-kdm
cd pam-ovirt-cred/
make
If every step went without problems, copy your PAM module to the security directory:
cp .libs/pam_ovirt_cred.so /lib/security/
Create the /etc/pam.d/gdm-ovirtcred file and copy these lines into it:
#%PAM-1.0
auth required pam_ovirt_cred.so
auth include passwd
account include passwd
password include passwd
session required pam_systemd.so open
session include passwd
The “session required pam_systemd.so open” entry solves an issue where KDM cannot start the X server with ordinary user rights and throws errors such as:
(EE) xf86OpenConsole: Cannot open virtual console 2 (Permission denied)
Jul 29 15:05:31 jessie gdm3: GdmManager: Error while retrieving session id for sender: Error getting session id from systemd: No such device or address
Jul 29 15:05:31 jessie gdm-x-session: Could not register display: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: No display available
Jul 29 15:05:31 jessie /usr/lib/gdm3/gdm-x-session: Unable to register display with display manager
Reboot your guest and you should be able to perform SSO through oVirt, KVM-VDI, or just by using the socket. You can read more about authorization via sockets here:
Technical info on oVirt agent and SSO
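
The CredServer.py change above sets SO_PASSCRED, the Linux socket option that makes the kernel attach the sender's pid, uid and gid to each message received on a Unix socket; 16 is its value on x86 and ARM Linux, and other architectures may differ. The sketch below is an added example, not code from ovirt-guest-agent: the function names, the sample message and the root-only policy are assumptions for illustration.

```python
import os
import socket
import struct

# Use the named constant when the socket module exports it; otherwise fall
# back to the page's literal 16 (correct on x86 and ARM Linux only).
SO_PASSCRED = getattr(socket, "SO_PASSCRED", 16)
SCM_CREDENTIALS = getattr(socket, "SCM_CREDENTIALS", 2)  # 2 on Linux
UCRED = struct.Struct("iII")  # struct ucred: pid_t pid, uid_t uid, gid_t gid


def recv_with_creds(conn, bufsize=1024):
    """Return (data, (pid, uid, gid)), or (data, None) if no creds arrived."""
    data, ancdata, _flags, _addr = conn.recvmsg(
        bufsize, socket.CMSG_SPACE(UCRED.size))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == SCM_CREDENTIALS:
            return data, UCRED.unpack(cdata[:UCRED.size])
    return data, None


def peer_allowed(creds, allowed_uids=(0,)):
    """Hypothetical policy: fail closed when credentials are missing."""
    return creds is not None and creds[1] in allowed_uids


def demo(enable_passcred=True):
    """Send one constructed message over a socketpair and read the creds."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        if enable_passcred:
            # Must be set on the receiving socket before the peer sends.
            server.setsockopt(socket.SOL_SOCKET, SO_PASSCRED, 1)
        client.sendall(b"constructed-credential-request")
        return recv_with_creds(server)
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    data, creds = demo()
    print("with SO_PASSCRED:", creds, "allowed:", peer_allowed(creds))
    print("without SO_PASSCRED:", demo(enable_passcred=False)[1])
```

If the option is not set, the receiver gets no credentials at all, so a server that relies on them should reject the request rather than assume a trusted peer.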