Description of problem:
useDnsLookup flag is ignored at rhevm-manage-domains, and the krb5.conf file always contains the [realms] and the [domain_realm] section, and has dns_lookup_realm and dns_lookup_kdc set to false. This, with the wrong assumption that the kdcs and the ldap servers are always co-hosted on the same machine, is problematic, as it provides no way to use rhevm-manage-domains to add domains in which the kdcs and the ldap servers are not co-hosted on the same host.

Version-Release number of selected component (if applicable):

How reproducible:
Always, with the proper environment.

Steps to Reproduce:
1. Have an environment in which the KDC and the ldap server are not co-hosted on the same machine.
2. Use rhevm-manage-domains to add this domain.
3.

Actual results:
The domain will not be added.

Expected results:
The domain should be added.

Additional info:
Actually the [domain_realm] should exist in case there is more than one domain.
This bug is referenced in ovirt-engine-3.4.0-beta3 logs. Moving to ON_QA
I suppose this BZ obsoletes this comment - https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5, right?
(In reply to Jiri Belka from comment #4)
> I suppose this BZ obsoletes this comment -
> https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5, right?

Not so sure, this does not have to do with co-hosting, but rather with the domain and the realm definitions.
So is output below enough for verification? Reproduction steps talk about 'co-hosting' and comment #5 seems to me as a contradiction to that.

# grep ^dns /etc/ovirt-engine/krb5.conf
dns_lookup_realm = true
dns_lookup_kdc = true

In either case more info about verification steps would be appreciated.
(In reply to Jiri Belka from comment #6)
> So is output below enough for verification? Reproduction steps talk about
> 'co-hosting' and comment #5 seems to me as a contradiction to that.
>
> # grep ^dns /etc/ovirt-engine/krb5.conf
> dns_lookup_realm = true
> dns_lookup_kdc = true
>
> In either case more info about verification steps would be appreciated.

First, sorry for comment #5 - it is wrong. You should verify with two "domains". The comment about co-hosting is meant to emphasize the importance of the fix - I will try to elaborate - before the fix, both the [realms] section and the [domain_realms] section appeared for more than 1 domain, and the [realms] section KDCs were populated with the ldap servers, but this is wrong. dns_lookup_kdc=true will cause the java kerberos implementation to look up the KDC at the DNS. I hope this is more clear now.
In addition, the output you suggested is enough for one domain. What is the output you see for two domains?
ok, av2.1/rhevm-tools-3.4.0-0.3.master.el6ev.noarch

with more domains dns queries are on...

# cat /etc/ovirt-engine/krb5.conf
[libdefaults]
default_realm = BRQ-IPA.RHEV.LAB.ENG.BRQ.REDHAT.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = no
default_tkt_enctypes = arcfour-hmac-md5
udp_preference_limit = 1

#realms

[domain_realm]
brq-ipa.rhev.lab.eng.brq.redhat.com = BRQ-IPA.RHEV.LAB.ENG.BRQ.REDHAT.COM
ad-w2k12r2.rhev.lab.eng.brq.redhat.com = AD-W2K12R2.RHEV.LAB.ENG.BRQ.REDHAT.COM
ad-w2k8r2.rhev.lab.eng.brq.redhat.com = AD-W2K8R2.RHEV.LAB.ENG.BRQ.REDHAT.COM
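An added verification check for the post-fix krb5.conf layout described in comments #7 and #9 (both dns_lookup flags on, no [realms] section populated with static kdc entries, one [domain_realm] mapping per domain); it is example code, not part of ovirt-engine or rhevm-manage-domains, and the sample file and domain list are constructed from the output above.

```python
# Added check for the krb5.conf behaviour this bug describes; not part of
# ovirt-engine or rhevm-manage-domains. Sample input constructed from comment #9.
import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
#realms
[domain_realm]
brq-ipa.rhev.lab.eng.brq.redhat.com = BRQ-IPA.RHEV.LAB.ENG.BRQ.REDHAT.COM
ad-w2k12r2.rhev.lab.eng.brq.redhat.com = AD-W2K12R2.RHEV.LAB.ENG.BRQ.REDHAT.COM
"""
SAMPLE_DOMAINS = ["brq-ipa.rhev.lab.eng.brq.redhat.com",
                  "ad-w2k12r2.rhev.lab.eng.brq.redhat.com"]

def parse_krb5_conf(text):
    """Return {section: {key: value}}; realm '{ ... }' stanzas are flattened."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments such as '#realms'
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value.rstrip("{").strip()
    return sections

def check_dns_lookup(text, domains):
    """List what deviates from the post-fix layout; [] means it matches."""
    conf, problems = parse_krb5_conf(text), []
    defaults = conf.get("libdefaults", {})
    for flag in ("dns_lookup_realm", "dns_lookup_kdc"):
        if defaults.get(flag, "false").lower() != "true":
            problems.append(f"{flag} is not true: KDCs will not be found via DNS")
    if "kdc" in conf.get("realms", {}):
        problems.append("[realms] carries static kdc entries")
    mapping = conf.get("domain_realm", {})
    if len(domains) > 1 and not mapping:
        problems.append("[domain_realm] missing although several domains exist")
    for domain in domains:
        if mapping.get(domain.lower()) != domain.upper():
            problems.append(f"{domain} is not mapped to {domain.upper()}")
    return problems
```

Run it against /etc/ovirt-engine/krb5.conf after adding a second domain; an empty list means the file has the layout comment #7 asks you to verify.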
Closing as part of 3.4.0