Bug 1031778 - The engine-manage-domains tool ignores the Kerberos servers from DNS when using -ldapServers
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-engine-core
Version: 3.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 3.4.1
Assignee: Martin Perina
QA Contact: bugs@ovirt.org
URL:
Whiteboard: infra
Depends On:
Blocks:
Reported: 2013-11-18 18:07 UTC by Juan Hernández
Modified: 2014-05-26 01:36 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-05-08 13:36:39 UTC
oVirt Team: ---
Embargoed:




Links
System        ID     Private  Priority  Status  Summary                                                Last Updated
oVirt gerrit  24576  0        None      MERGED  tools: Add --resolve-kdc arg to engine-manage-domains  Never
oVirt gerrit  26193  0        None      MERGED  tools: Add --resolve-kdc arg to engine-manage-domains  Never

Description Juan Hernández 2013-11-18 18:07:00 UTC
Description of problem:

When using the engine-manage-domains tool and providing the list of LDAP servers with the -ldapServers option, the list of Kerberos servers given by the DNS is ignored, thus an incorrect /etc/ovirt-engine/krb5.conf file is created.


Version-Release number of selected component (if applicable):


How reproducible:

Always.


Steps to Reproduce:

1. Setup a system where the names of the LDAP and Kerberos servers are different.
2. Run the engine-manage-domains tool with the -ldapServers option specifying the names of the LDAP servers.


Actual results:

The generated /etc/ovirt-engine/krb5.conf file is incorrect: it contains the names of the LDAP servers instead of the names of the Kerberos servers. Something like this:

[realms]
         THE.REALM = {
                 kdc = the.ldap.server
         }


Expected results:

The file should contain something like this:

[realms]
         THE.REALM = {
                 kdc = the.kerberos.server
         }


Additional info:

The workaround is to manually modify the generated /etc/ovirt-engine/krb5.conf file, but it will be overwritten the next time that the engine-manage-domains tool runs.

Thanks to Jonas Israelsson for finding and reporting this.

Comment 1 Martin Perina 2014-03-03 14:38:11 UTC
I posted a patch which adds "--resolve-kdc" argument which forces KDC servers to be resolved. With this patch engine-manage-domains has this behavior:

1) Add domain without --ldap-servers and without --resolve-kdc
      - LDAP servers are resolved from DNS and same servers are used as KDC servers in krb5.conf

2) Add domain with --ldap-servers and without --resolve-kdc
      - LDAP servers are set by user and same servers are used as KDC servers in krb5.conf

3) Add domain without --ldap-servers and with --resolve-kdc
      - LDAP servers are resolved from DNS and separately KDC servers are resolved from DNS (LDAP servers don't have to be the same as KDC servers)

4) Add domain with --ldap-servers and with --resolve-kdc
      - LDAP servers are set by user and separately KDC servers are resolved from DNS (LDAP servers don't have to be the same as KDC servers)

The same is used when editing a domain.

Arthur, do you agree with this approach?

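The four cases above, together with the wrong versus expected [realms] block from the description, as an added example that is not part of this bug report and not oVirt's own code (engine-manage-domains is a Java tool). The functions pick_servers, render_krb5_realms and kdcs_not_in_dns are hypothetical stand-ins for the tool's logic, the SRV table FAKE_DNS_SRV is constructed so the code runs offline, and the hosts the.ldap.server / the.kerberos.server are the placeholders used in the report. The last function is the check a practitioner would run after the tool has written krb5.conf: any kdc= host that DNS does not advertise under _kerberos._tcp is the symptom described in this bug.

```python
"""
Added example (not oVirt's own code, which is Java): a model of how
engine-manage-domains chooses LDAP servers and KDC servers for
/etc/ovirt-engine/krb5.conf under the four --ldap-servers / --resolve-kdc
combinations listed in comment 1, plus a check that spots the reported bug.
DNS SRV lookups are replaced by a constructed in-memory table so it runs offline.
"""
from typing import Dict, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target)

# Constructed stand-in for DNS SRV answers. A real client would query
# _ldap._tcp.<domain> and _kerberos._tcp.<domain>. The hosts deliberately
# differ, matching the report's "LDAP and Kerberos servers are different" setup.
FAKE_DNS_SRV: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.the.realm": [(0, 100, 389, "the.ldap.server.")],
    "_kerberos._tcp.the.realm": [(0, 100, 88, "the.kerberos.server.")],
}


def resolve_srv(name: str, dns: Dict[str, List[SrvRecord]] = FAKE_DNS_SRV) -> List[str]:
    """Return SRV targets in the order a client would try them (priority, then
    descending weight), with the trailing dot DNS returns stripped."""
    records = sorted(dns.get(name, []), key=lambda r: (r[0], -r[1]))
    return [target.rstrip(".") for _, _, _, target in records]


def pick_servers(domain: str, ldap_servers: Optional[List[str]], resolve_kdc: bool,
                 dns: Dict[str, List[SrvRecord]] = FAKE_DNS_SRV) -> Tuple[List[str], List[str]]:
    """Hypothetical model of the tool's server selection (the four cases in comment 1).

    ldap_servers is the --ldap-servers value (None when the option is absent);
    resolve_kdc is the --resolve-kdc flag. Returns (ldap_hosts, kdc_hosts).
    """
    if ldap_servers:
        ldap = list(ldap_servers)                          # cases 2 and 4: user-supplied
    else:
        ldap = resolve_srv(f"_ldap._tcp.{domain}", dns)    # cases 1 and 3: from DNS
    if resolve_kdc:
        kdc = resolve_srv(f"_kerberos._tcp.{domain}", dns)  # cases 3 and 4: KDCs looked up separately
    else:
        kdc = list(ldap)  # cases 1 and 2: LDAP hosts reused as KDCs (wrong when the two differ)
    return ldap, kdc


def render_krb5_realms(realm: str, kdcs: List[str]) -> str:
    """Render the [realms] section in the shape shown in the bug report."""
    lines = ["[realms]", f"        {realm} = {{"]
    lines += [f"                kdc = {host}" for host in kdcs]
    lines.append("        }")
    return "\n".join(lines) + "\n"


def kdcs_not_in_dns(kdcs: List[str], domain: str,
                    dns: Dict[str, List[SrvRecord]] = FAKE_DNS_SRV) -> List[str]:
    """Post-generation check: kdc= hosts in krb5.conf that DNS does not advertise
    as KDCs. A non-empty result means Kerberos is being pointed at the wrong hosts."""
    advertised = set(resolve_srv(f"_kerberos._tcp.{domain}", dns))
    return [host for host in kdcs if host not in advertised]


if __name__ == "__main__":
    domain, realm = "the.realm", "THE.REALM"
    for ldap_opt, flag in [(None, False), (["the.ldap.server"], False),
                           (None, True), (["the.ldap.server"], True)]:
        ldap, kdc = pick_servers(domain, ldap_opt, flag)
        print(f"--ldap-servers={ldap_opt} --resolve-kdc={flag}: ldap={ldap} kdc={kdc} "
              f"bad_kdcs={kdcs_not_in_dns(kdc, domain)}")
    # Case 4 is the combination that fixes the report's scenario.
    print(render_krb5_realms(realm, pick_servers(domain, ["the.ldap.server"], True)[1]))
```

Running the block prints one line per case; only the two --resolve-kdc cases leave kdcs_not_in_dns empty for this data, which is exactly the distinction comment 1 draws. With the constructed table the check also catches the manual-edit workaround from the description being undone: rerunning the tool without --resolve-kdc regenerates kdc = the.ldap.server and the check flags it again.
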
Comment 2 Sandro Bonazzola 2014-03-04 09:19:20 UTC
This is an automated message.
Re-targeting all non-blocker bugs still open on 3.4.0 to 3.4.1.

Comment 3 Martin Perina 2014-03-28 10:16:16 UTC
Too much automation, merged only to master.

Comment 4 Sandro Bonazzola 2014-05-08 13:36:39 UTC
This is an automated message

oVirt 3.4.1 has been released:
 * should fix your issue
 * should be available at your local mirror within two days.

If problems still persist, please make note of it in this bug report.