Bug 1733111

Summary: [ovirt-engine-extension-aaa-ldap-setup] dig command usage does not allow for tcp fallback
Product: Red Hat Enterprise Virtualization Manager
Reporter: Juan Orti Alcaine <jortialc>
Component: ovirt-engine-extension-aaa-ldap
Assignee: Ondra Machacek <omachace>
Status: CLOSED ERRATA
QA Contact: Petr Matyáš <pmatyas>
Severity: medium
Docs Contact:
Priority: medium
Version: 4.3.0
CC: bugs, klaas, lleistne, lsurette, lsvaty, mperina, omachace, pelauter, Rhev-m-bugs
Target Milestone: ovirt-4.3.6
Keywords: Rebase, ZStream
Target Release: 4.3.6
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: ovirt-engine-extension-aaa-ldap-1.3.10
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1733078
Environment:
Last Closed: 2019-10-10 15:38:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1733078
Bug Blocks:

Description Juan Orti Alcaine 2019-07-25 08:52:08 UTC
+++ This bug was initially created as a clone of Bug #1733078 +++

Description of problem:
Our AD forest _ldap._tcp.gc._msdcs.<forest> has too many entries for a UDP lookup. That means dig returns nothing and setup fails. The problem is here:
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/8208f97c86b421327c63564942332f2b4f0ddd1b/setup/plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py#L152

+ignore means no fallback to TCP for answers that are too long for UDP


Version-Release number of selected component (if applicable):
ovirt-engine-extension-aaa-ldap-setup-1.3.9-1.el7ev.noarch

How reproducible:
Always in an environment with a too long SRV record set


Steps to Reproduce:
1. Have an SRV record set that is too long for UDP
2. Run ovirt-engine-extension-aaa-ldap-setup
3. It fails to discover the Global Catalog


Actual results:

2019-07-24 13:45:53,151+0200 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159 query OVAAALDAP_LDAP_AD_DOMAIN
2019-07-24 13:45:53,151+0200 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND                 Please enter Active Directory Forest name: 
2019-07-24 13:45:55,672+0200 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE    rootdomain.com
2019-07-24 13:45:55,673+0200 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad ad._resolveGC:45 Resolving Global Catalog SRV record for rootdomain.com
2019-07-24 13:45:55,673+0200 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad plugin.executeRaw:813 execute: ('/usr/bin/dig', '+noall', '+answer', '+ignore', '_ldap._tcp.gc._msdcs.rootdomain.com', 'SRV'), executable='None', cwd='None', env=None
2019-07-24 13:45:55,691+0200 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad plugin.executeRaw:863 execute-result: ('/usr/bin/dig', '+noall', '+answer', '+ignore', '_ldap._tcp.gc._msdcs.rootdomain.com', 'SRV'), rc=0
2019-07-24 13:45:55,692+0200 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad plugin.execute:921 execute-output: ('/usr/bin/dig', '+noall', '+answer', '+ignore', '_ldap._tcp.gc._msdcs.rootdomain.com', 'SRV') stdout:


2019-07-24 13:45:55,692+0200 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad plugin.execute:926 execute-output: ('/usr/bin/dig', '+noall', '+answer', '+ignore', '_ldap._tcp.gc._msdcs.rootdomain.com', 'SRV') stderr:


2019-07-24 13:45:55,693+0200 WARNING otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad ad._resolveGC:65 Cannot resolve Global Catalog SRV record for rootdomain.com. Please check you have entered correct Active Directory forest name and check that forest is resolvable by your system DNS servers
2019-07-24 13:45:55,693+0200 DEBUG otopi.context context._executeMethod:143 method exception
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/otopi/context.py", line 133, in _executeMethod
    method['method']()
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/ad.py", line 109, in _customization
    _("Active Directory forest is not resolvable, please make"
RuntimeError: Active Directory forest is not resolvable, please make sure you've entered correct forest name. If for some reason you can't use forest and you need some special configuration instead, please refer to examples directory provided by ovirt-engine-extension-aaa-ldap package.
2019-07-24 13:45:55,694+0200 ERROR otopi.context context._executeMethod:152 Failed to execute stage 'Environment customization': Active Directory forest is not resolvable, please make sure you've entered correct forest name. If for some reason you can't use forest and you need some special configuration instead, please refer to examples directory provided by ovirt-engine-extension-aaa-ldap package.



Expected results:
working AD setup


Additional info:

# host -t SRV _ldap._tcp.gc._msdcs.rootdomain.com
;; Truncated, retrying in TCP mode.
_ldap._tcp.gc._msdcs.rootdomain.com has SRV record 0 100 3268 ad1.domain1.com.
_ldap._tcp.gc._msdcs.rootdomain.com has SRV record 0 100 3268 ad2.domain2.com.
_ldap._tcp.gc._msdcs.rootdomain.com has SRV record 0 100 3268 ad3.domain2.com.
[...]

If "+ignore" is removed from the _resolver method in /usr/share/ovirt-engine-extension-aaa-ldap/setup/plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py, the setup finishes successfully.

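Added example, not part of the bug report or of ovirt-engine-extension-aaa-ldap: a minimal wire-level model of why dropping +ignore fixes the failure. A constructed fake DNS server answers the GC SRV query with TC=1 and an empty answer section when the record set exceeds 512 bytes over UDP, and the resolver retries over TCP unless told to ignore truncation, which mirrors what dig +ignore does; the forest name, host names and record count are constructed, and TCP length-prefix framing is omitted.

```python
import struct

TC_FLAG = 0x0200       # DNS header "TrunCation" bit (RFC 1035 4.1.1)
UDP_MAX = 512          # classic UDP payload limit without EDNS0
QTYPE_SRV, QCLASS_IN = 33, 1

def encode_name(name):
    """Dotted name -> uncompressed DNS label sequence."""
    labels = [lab.encode() for lab in name.rstrip(".").split(".")]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def build_srv_query(name, qid=0x1234):
    """Wire-format query: header (RD set, one question) + question section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)

def srv_rr(owner, prio, weight, port, target, ttl=600):
    """One SRV answer record (names left uncompressed for simplicity)."""
    rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
    return encode_name(owner) + struct.pack("!HHIH", QTYPE_SRV, QCLASS_IN, ttl, len(rdata)) + rdata

class FakeAuthServer:
    """Constructed stand-in for an AD DNS server whose GC SRV set overflows a UDP reply."""
    def __init__(self, forest, hosts):
        self.forest, self.hosts = forest, hosts
    def _respond(self, query, tcp):
        qid, question = struct.unpack("!H", query[:2])[0], query[12:]
        owner = "_ldap._tcp.gc._msdcs." + self.forest
        rrs = b"".join(srv_rr(owner, 0, 100, 3268, h) for h in self.hosts)
        full = struct.pack("!HHHHHH", qid, 0x8180, 1, len(self.hosts), 0, 0) + question + rrs
        if tcp or len(full) <= UDP_MAX:
            return full
        # Too big for UDP: TC=1 and an empty answer section, which is what dig saw in the log above
        return struct.pack("!HHHHHH", qid, 0x8180 | TC_FLAG, 1, 0, 0, 0) + question
    def udp(self, query): return self._respond(query, tcp=False)
    def tcp(self, query): return self._respond(query, tcp=True)

def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)
def answer_count(msg):
    return struct.unpack("!H", msg[6:8])[0]

def resolve_srv(name, send_udp, send_tcp, ignore_truncation=False):
    """UDP first; retry over TCP when TC is set, unless ignoring it (dig +ignore behaviour)."""
    reply = send_udp(build_srv_query(name))
    if is_truncated(reply) and not ignore_truncation:
        reply = send_tcp(build_srv_query(name))
    return answer_count(reply)

# Constructed forest with enough Global Catalog servers to overflow a 512-byte UDP reply
FOREST = "rootdomain.example"
SERVER = FakeAuthServer(FOREST, ["ad%d.domain%d.example" % (i, i % 3 + 1) for i in range(1, 11)])
def gc_count(ignore_truncation):
    return resolve_srv("_ldap._tcp.gc._msdcs." + FOREST, SERVER.udp, SERVER.tcp, ignore_truncation)
```

With ignore_truncation=True the caller sees zero records, exactly the empty dig output in the log; with the fallback enabled it sees the full set.
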
Comment 1 Martin Perina 2019-07-25 10:34:17 UTC
*** Bug 1733078 has been marked as a duplicate of this bug. ***

Comment 4 Klaas Demter 2019-07-25 11:25:02 UTC
related to https://bugzilla.redhat.com/show_bug.cgi?id=1538217

Comment 6 Petr Matyáš 2019-08-26 14:14:34 UTC
Verified on ovirt-engine-extension-aaa-ldap-1.3.10-1.el7ev.noarch

Comment 8 errata-xmlrpc 2019-10-10 15:38:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3020