Bug 1327132

Summary:	[RFE] Satellite via GSS-TSIG authentication update DNS in Active Directory
Product:	Red Hat Satellite	Reporter:	Waldirio M Pinheiro <wpinheir>
Component:	DHCP & DNS	Assignee:	satellite6-bugs <satellite6-bugs>
Status:	CLOSED NOTABUG	QA Contact:	Katello QA List <katello-qa-list>
Severity:	high	Docs Contact:
Priority:	high
Version:	6.1.8	CC:	bkearney, ddolguik, dmitri, inecas, xdmoon
Target Milestone:	Unspecified	Keywords:	FutureFeature, Triaged
Target Release:	Unused
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2017-08-21 08:55:55 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description Waldirio M Pinheiro 2016-04-14 10:18:13 UTC

Description of problem:
Actually is possible do this configuration according kcs https://access.redhat.com/articles/1527913, btw after the kerberos ticket expire, Satellite 6 don't update the same., so will be necessary implement this rfe.

Version-Release number of selected component (if applicable):
6.1.8

How reproducible:
100%

Steps to Reproduce:
1. Configure environment according kcs
2. Execute test with nsupdate or creating a new machine via Sat6
3. Wait the ticket expiration time (or just force)
4. Execute the same test using nsupdate

Actual results:
tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Ticket expired.

Expected results:
new entry in dns over AD.

Additional info:

Comment 6 Bryan Kearney 2016-07-26 15:25:24 UTC

Moving 6.2 bugs out to sat-backlog.

Comment 7 Bryan Kearney 2016-07-26 15:30:22 UTC

Moving 6.2 bugs out to sat-backlog.

Comment 9 Dmitri Dolguikh 2016-11-11 17:19:49 UTC

Ppstream ticket: http://projects.theforeman.org/issues/17319

Comment 10 Dmitri Dolguikh 2016-12-13 13:50:30 UTC

Is this actually a bug? 

We renew the ticket on every request (an aside -- there's a bug filed against realm smart-proxy module because this is inefficient: https://bugzilla.redhat.com/show_bug.cgi?id=1133940). All I'm seeing here is output from cli commands that shows what happens when a kerberos ticket expires (and how to manually fix this issue), but not logs from smart-proxy.

Comment 11 Bryan Kearney 2016-12-15 15:45:22 UTC

Upstream bug component is Capsule

Comment 12 Bryan Kearney 2016-12-15 17:11:42 UTC

Upstream bug component is DHCP & DNS

Comment 13 Dmitri Dolguikh 2017-01-06 10:46:33 UTC

As I mentioned above, it's not clear to me that this is actually a bug report. The attached logs illustrate a *manual* walk-through using cli tools, but there's no information about the user encountering this issue when using smart-proxy.

Moreover, smart-proxy does handle ticket expiry (if a too aggressively), I don't believe this to be an issue.

Comment 14 Ivan Necas 2017-08-21 08:55:55 UTC

Closing due to lack of data + so far, it doesn't look as a bug. Please re-open the bug or file a new one if the data are available.