Bug 1031778 - The engine-manage-domains tool ignores the Kerberos servers from DNS when using -ldapServers
Status: CLOSED CURRENTRELEASE
Product: oVirt
Classification: Community
Component: ovirt-engine-core (Show other bugs)
Version: 3.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 3.4.1
Assigned To: Martin Perina
QA Contact: bugs@ovirt.org
Whiteboard: infra
Reported: 2013-11-18 13:07 EST by Juan Hernández
Modified: 2014-05-25 21:36 EDT (History)

Doc Type: Bug Fix
Last Closed: 2014-05-08 09:36:39 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---




External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 24576 None MERGED tools: Add --resolve-kdc arg to engine-manage-domains Never
oVirt gerrit 26193 None MERGED tools: Add --resolve-kdc arg to engine-manage-domains Never

Description Juan Hernández 2013-11-18 13:07:00 EST
Description of problem:

When using the engine-manage-domains tool and providing the list of LDAP servers with the -ldapServers option, the list of Kerberos servers given by DNS is ignored, so an incorrect /etc/ovirt-engine/krb5.conf file is created.


Version-Release number of selected component (if applicable):


How reproducible:

Always.


Steps to Reproduce:

1. Setup a system where the names of the LDAP and Kerberos servers are different.
2. Run the engine-manage-domains tool with the -ldapServers option specifying the names of the LDAP servers.


Actual results:

The generated /etc/ovirt-engine/krb5.conf file is incorrect: it contains the names of the LDAP servers instead of the names of the Kerberos servers. Something like this:

[realms]
         THE.REALM = {
                 kdc = the.ldap.server
         }


Expected results:

The file should contain something like this:

[realms]
         THE.REALM = {
                 kdc = the.kerberos.server
         }


Additional info:

The workaround is to manually modify the generated /etc/ovirt-engine/krb5.conf file, but it will be overwritten the next time that the engine-manage-domains tool runs.

Thanks to Jonas Israelsson for finding and reporting this.
Comment 1 Martin Perina 2014-03-03 09:38:11 EST
I posted a patch which adds "--resolve-kdc" argument which forces KDC servers to be resolved. With this patch engine-manage-domains has this behavior:

1) Add domain without --ldap-servers and without --resolve-kdc
      - LDAP servers are resolved from DNS and the same servers are used as KDC servers in krb5.conf

2) Add domain with --ldap-servers and without --resolve-kdc
      - LDAP servers are set by the user and the same servers are used as KDC servers in krb5.conf

3) Add domain without --ldap-servers and with --resolve-kdc
      - LDAP servers are resolved from DNS and KDC servers are resolved separately from DNS (LDAP servers don't have to be the same as KDC servers)

4) Add domain with --ldap-servers and with --resolve-kdc
      - LDAP servers are set by the user and KDC servers are resolved separately from DNS (LDAP servers don't have to be the same as KDC servers)

The same logic is used when editing a domain.

Arthur, do you agree with this approach?
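The following is an added example, not code from oVirt or from either commenter: it models the four --ldap-servers / --resolve-kdc cases listed in comment 1, renders the [realms] block that the description shows in its "Actual results" and "Expected results", and adds a check that flags kdc entries DNS does not advertise as Kerberos servers. The SRV table, and the helpers plan_domain, render_realms and kdc_mismatches, are assumptions standing in for real DNS lookups and for the tool's internals, so the script runs offline.

```python
"""Added example (not oVirt's engine-manage-domains code): models how the
LDAP and KDC server lists are chosen for krb5.conf and checks the result."""
from dataclasses import dataclass

# Constructed stand-in for DNS SRV answers. The LDAP and Kerberos names differ
# deliberately, which is the setup from the bug's "Steps to Reproduce".
FAKE_SRV = {
    "_ldap._tcp.the.realm": ["the.ldap.server"],
    "_kerberos._tcp.the.realm": ["the.kerberos.server"],
}


def resolve_srv(name, srv_table=FAKE_SRV):
    """Return the hostnames an SRV query would yield (stand-in for a DNS call)."""
    return list(srv_table.get(name.lower(), []))


@dataclass
class DomainConfig:
    realm: str
    ldap_servers: list
    kdc_servers: list


def plan_domain(domain, ldap_servers=None, resolve_kdc=False, srv_table=FAKE_SRV):
    """Choose the LDAP and KDC lists the way comment 1 describes.

    ldap_servers=None means the user did not pass --ldap-servers;
    resolve_kdc=False means --resolve-kdc was not passed.
    """
    if ldap_servers is None:
        ldap_servers = resolve_srv(f"_ldap._tcp.{domain}", srv_table)
    if resolve_kdc:
        kdc_servers = resolve_srv(f"_kerberos._tcp.{domain}", srv_table)
    else:
        # Without --resolve-kdc the LDAP list is reused as the KDC list; this is
        # what produced "kdc = the.ldap.server" in the original report.
        kdc_servers = list(ldap_servers)
    return DomainConfig(domain.upper(), ldap_servers, kdc_servers)


def render_realms(configs):
    """Render the [realms] section of krb5.conf for the given domains."""
    lines = ["[realms]"]
    for cfg in configs:
        lines.append(f"  {cfg.realm} = {{")
        for kdc in cfg.kdc_servers:
            lines.append(f"    kdc = {kdc}")
        lines.append("  }")
    return "\n".join(lines) + "\n"


def kdc_mismatches(config, srv_table=FAKE_SRV):
    """Return kdc entries that DNS does not advertise as Kerberos servers.

    A non-empty result means krb5.conf points Kerberos at the wrong hosts,
    which is the symptom reported in this bug.
    """
    advertised = set(resolve_srv(f"_kerberos._tcp.{config.realm.lower()}", srv_table))
    return [kdc for kdc in config.kdc_servers if kdc not in advertised]


if __name__ == "__main__":
    # Case 2 (user-supplied LDAP servers, no --resolve-kdc): reproduces the bug.
    buggy = plan_domain("the.realm", ldap_servers=["the.ldap.server"])
    print(render_realms([buggy]))
    print("kdc entries not advertised by DNS:", kdc_mismatches(buggy))
    # Case 4 (user-supplied LDAP servers plus --resolve-kdc): expected output.
    fixed = plan_domain("the.realm", ldap_servers=["the.ldap.server"], resolve_kdc=True)
    print(render_realms([fixed]))
    print("kdc entries not advertised by DNS:", kdc_mismatches(fixed))
```

Running the script prints the "Actual results" block for case 2 and the "Expected results" block for case 4; kdc_mismatches is the kind of post-generation check worth running after engine-manage-domains, since a kdc that is really an LDAP-only host fails Kerberos authentication silently until someone reads krb5.conf.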
Comment 2 Sandro Bonazzola 2014-03-04 04:19:20 EST
This is an automated message.
Re-targeting all non-blocker bugs still open on 3.4.0 to 3.4.1.
Comment 3 Martin Perina 2014-03-28 06:16:16 EDT
Too much automation, merged only to master.
Comment 4 Sandro Bonazzola 2014-05-08 09:36:39 EDT
This is an automated message

oVirt 3.4.1 has been released:
 * should fix your issue
 * should be available at your local mirror within two days.

If problems still persist, please make note of it in this bug report.
