How to install oVirt guest agent on Debian OS and enable SSO

This post is targeted to anyone, who uses oVirt project as VDI provider and needs to get SSO part running on Debian Linux. There are no problems getting SSO to work on Fedora 24 and earlier – it just works out of the box. But having only one SSO-enabled distribution won’t do much for most of admins. Some parts in this document will be KVM-VDI related, so oVirt users should skip them.

So, let’s start with fresh Debian Stretch install (there is no need to run your client OS on stable release – its too stable to have all nifty features for the end user 🙂 ).

Install your favorite desktop environment. Then install GDM3. Yes, SSO part works only with GDM3, although there are some plugins for KDM and GDM2, but they are no longer supported and should not be used.

Lets install ovirt-guest agent:

echo "deb ./" >> /etc/apt/sources.list
gpg -v -a --keyserver --recv-keys D5C7F7C373A1A299
gpg --export --armor 73A1A299 | apt-key add -
apt-get update
apt-get install ovirt-guest-agent
systemctl enable ovirt-guest-agent.service

If you are using oVirt, create /etc/udev/rules.d/ovirt-guest-agent.rules file and copy following line to it:

SYMLINK=="virtio-ports/com.redhat.rhevm.vdsm", OWNER="ovirtagent", GROUP="ovirtagent"

If you are using KVM-VDI, create /etc/udev/rules.d/ovirt-guest-agent.rules file and copy following line to it:

SYMLINK=="virtio-ports/com.kvm-vdi.0", OWNER="ovirtagent", GROUP="ovirtagent"

Now, you need to fix one line in ovirt-agent’s You can read description of issue here:

cd /usr/share/ovirt-guest-agent
rm *.pyc

There’s one configuration file missing in ovirt-guest-agent.deb package, so you need to get it manually:


Open with your favorite text editor, go to line 146, and change it from:

conn.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)


conn.setsockopt(socket.SOL_SOCKET, 16, 1)

ovirt-guest-agent should be fine now. Let’s compile pam_ovirt_cred

git clone
cd ovirt-guest-agent
apt-get install pep8 autoconf libtool gettext g++ make pkg-config automake libpam-dev
./configure --with-sso  --without-gdm --without-kdm
cd pam-ovirt-cred/

If every step went without problems, copy your pam module to security dir:

cp .libs/ /lib/security/

Create /etc/pam.d/gdm-ovirtcred file and copy these lines to it:

auth        required
auth        include     passwd
account     include     passwd
password    include     passwd
session     required open
session     include     passwd

session     required open” entry solves issues, where KDM cannot start xserver with simple user rights and throws errors about:
(EE) xf86OpenConsole: Cannot open virtual console 2 (Permission denied)
Jul 29 15:05:31 jessie gdm3: GdmManager: Error while retrieving session id for sender: Error getting session id from systemd: No such device or address
Jul 29 15:05:31 jessie gdm-x-session: Could not register display: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: No display available
Jul 29 15:05:31 jessie /usr/lib/gdm3/gdm-x-session[2279]: Unable to register display with display manager

Reboot your guest and you should be able to perform SSO either by oVirt, KVM-VDI, or just using socket. You can read more about authorization via sockets here:
Technical info on oVirt agent and SSO

Tags :

About the Author

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.