Bug 1062172
| Summary: | useDnsLookup flag is ignored at rhevm-manage-domains - krb5.conf file will always contain realms and "domain_realm" section | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Yair Zaslavsky <yzaslavs> | |
| Component: | ovirt-engine-config | Assignee: | Yair Zaslavsky <yzaslavs> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Jiri Belka <jbelka> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 3.3.0 | CC: | aberezin, acathrow, bazulay, emesika, gklein, iheim, oourfali, Rhev-m-bugs, yeylon, yzaslavs | |
| Target Milestone: | --- | Keywords: | ZStream | |
| Target Release: | 3.4.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | infra | |||
| Fixed In Version: | ovirt-3.4.0-beta3 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1063286 | Environment: | ||
| Last Closed: | Type: | Bug | ||
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1063286, 1078909, 1142926 | |||
Description
Yair Zaslavsky
2014-02-06 12:01:40 UTC
Actually the [domain_realm] should exist in case there is more than one domain.

This bug is referenced in ovirt-engine-3.4.0-beta3 logs. Moving to ON_QA

I suppose this BZ obsoletes this comment - https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5, right?

(In reply to Jiri Belka from comment #4)
> I suppose this BZ obsoletes this comment -
> https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5, right?

Not so sure, this does not have to do with co-hosting, but rather with the domain and the realm definitions.

So is output below enough for verification? Reproduction steps talk about 'co-hosting' and comment #5 seems to me as a contradiction to that.

# grep ^dns /etc/ovirt-engine/krb5.conf
dns_lookup_realm = true
dns_lookup_kdc = true

In either case more info about verification steps would be appreciated.

(In reply to Jiri Belka from comment #6)
> So is output below enough for verification? Reproduction steps talk about
> 'co-hosting' and comment #5 seems to me as a contradiction to that.
>
> # grep ^dns /etc/ovirt-engine/krb5.conf
> dns_lookup_realm = true
> dns_lookup_kdc = true
>
> In either case more info about verification steps would be appreciated.

First, sorry for comment #5 - it is wrong. You should verify with two "domains". The comment about co-hosting is meant to emphasize the importance of the fix - I will try to elaborate - before the fix, both the [realms] section and the [domain_realms] section appeared for more than 1 domain, and the [realms] section KDCs were populated with the ldap servers, but this is wrong. dns_lookup_kdc=true will cause the java kerberos implementation to lookup for KDC at the DNS. I hope this is more clear now. In addition, the output you suggested is enough for one domain. What is the output you see for two domains?

ok, av2.1/rhevm-tools-3.4.0-0.3.master.el6ev.noarch
with more domains dns queries are on...
# cat /etc/ovirt-engine/krb5.conf
[libdefaults]
default_realm = BRQ-IPA.RHEV.LAB.ENG.BRQ.REDHAT.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = no
default_tkt_enctypes = arcfour-hmac-md5
udp_preference_limit = 1
#realms
[domain_realm]
brq-ipa.rhev.lab.eng.brq.redhat.com = BRQ-IPA.RHEV.LAB.ENG.BRQ.REDHAT.COM
ad-w2k12r2.rhev.lab.eng.brq.redhat.com = AD-W2K12R2.RHEV.LAB.ENG.BRQ.REDHAT.COM
ad-w2k8r2.rhev.lab.eng.brq.redhat.com = AD-W2K8R2.RHEV.LAB.ENG.BRQ.REDHAT.COM

Closing as part of 3.4.0
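
A check for the multi-domain verification discussed in this thread, as an added example that is not part of the bug report or of ovirt-engine: it parses a krb5.conf and reports when the DNS lookup flags are off, when [realms] is populated, or when a domain lacks its [domain_realm] mapping. The function names, the sample file and the rule that a realm is the upper-cased domain name (as in the output above) are assumptions.

```python
import re

# Constructed sample shaped like the multi-domain output above (placeholder names).
SAMPLE = """\
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
#realms
[domain_realm]
example.com = EXAMPLE.COM
ad.example.org = AD.EXAMPLE.ORG
"""

def parse_krb5(text):
    """Return {section: {key: value}}; keys inside '{ ... }' blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            current = sections.setdefault(header.group(1), {})
        elif line == "}":
            depth = max(depth - 1, 0)
        elif current is not None:
            key, _, value = line.partition("=")
            if depth == 0:
                current[key.strip()] = value.strip()
            if value.strip().startswith("{"):
                depth += 1
    return sections

def check_dns_lookup_conf(text, domains):
    """Return a list of problems for a useDnsLookup=true configuration."""
    conf, problems = parse_krb5(text), []
    libdefaults = conf.get("libdefaults", {})
    for flag in ("dns_lookup_realm", "dns_lookup_kdc"):
        if libdefaults.get(flag, "").lower() != "true":
            problems.append(f"{flag} is not true")
    if conf.get("realms"):  # KDCs must come from DNS, not a static list
        problems.append("[realms] is populated: " + ", ".join(conf["realms"]))
    if len(domains) > 1:  # assumption: realm is the upper-cased domain name
        mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
        for domain in domains:
            if mapping.get(domain.lower()) != domain.upper():
                problems.append(f"[domain_realm] lacks {domain} = {domain.upper()}")
    return problems
```

An empty list from `check_dns_lookup_conf(text, domains)` means the file matches the post-fix layout for the listed domains.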