Description of problem: In some setups it is possible to have a situation in which the kerberos realm is not an upper case of the domain. In these cases wrong entries at the [domain_realm] section will be created. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: wrong entries are created [domain_realm] section. It is impossible to add domains and then log in. Expected results: Provide a way to bypass this issue, and allow a proper creation of [domain_realm] section (proper mapping of domains to realms) so adding domains + login via admin or user portal is possible. Additional info:
In order to override the [domain_realm] section, this patch suggests to provide an external file via setting its full path at /etc/ovirt-engine/engine-manage-domains/engine-manage-domains.conf by setting domainRealmMappingFile property to point to the file containing domain real mapping in format of domain1=REALM1 domain2=REALM2 (similar to the [domain_realm] section in krb5.conf file)
Tested with rhevm-3.4.0-0.3. We didn't succedd to add domain with different realm name with OpenLDAP. Steps: created /etc/krb5.conf [attached] edited /etc/ovirt-engine/engine-manage-domains/engine-manage-domains.conf [attached] created /root/test.conf [attached] kdb5_util create -s systemctl start krb5kdc systemctl start kadmin via kadmin.local add user0 add_principal -randkey ldap/brq-openldap.rhev.lab.eng.brq.redhat.com kadmin: ktadd -keytab /etc/openldap/ldap.keytab kinit user0 & ldapserach works OK. $klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: user0@TESTREALM Valid starting Expires Service principal 03/12/14 10:49:49 03/13/14 10:49:44 krbtgt/TESTREALM@TESTREALM renew until 03/12/14 10:49:49 03/12/14 10:50:01 03/13/14 10:49:44 ldap/brq-openldap.rhev.lab.eng.brq.redhat.com@TESTREALM renew until 03/12/14 10:49:49 Now when trying to add OpenLDAP via manager domains it tell: Failure while testing domain brq-openldap.rhev.lab.eng.brq.redhat.com. Details: Authentication Failed. Client not found in kerberos database. Log in /var/log/krb5kdc.log on OpenLDAP: Mar 12 11:58:29 brq-openldap.rhev.lab.eng.brq.redhat.com krb5kdc[1172](info): AS_REQ (1 etypes {23}) 10.34.63.30: CLIENT_NOT_FOUND: user0.LAB.ENG.BRQ.REDHAT.COM for krbtgt/BRQ-OPENLDAP.RHEV.LAB.ENG.BRQ.REDHAT.COM.LAB.ENG.BRQ.REDHAT.COM, Client not found in Kerberos database Mar 12 11:58:29 brq-openldap.rhev.lab.eng.brq.redhat.com krb5kdc[1172](info): closing down fd 13 ^^^ It don't user TESTREALM, but uppercase of domain. Yair, are we missing something?
Created attachment 873488 [details] /etc/krb5.conf
Created attachment 873489 [details] /root/test.conf
Created attachment 873490 [details] /etc/ovirt-engine/engine-manage-domains/engine-manage-domains.conf
Hi Ondra, IMHO there is something missing in your DNS setup - for a setup with one domain, the useDnsLookup is set to true when creating the krb5.conf and does not create the [domain_realms] section, which is optional for a setup with one domain, but mandatory in setups with two domains or more. if this flag is set to true, the code relies on the kerberos implementation of java to perform lookup in DNS for the kdcs. What you can try is turn this flag to false in the engine-manage-domains.conf. In this case, the code will not rely on the internal kerberos java stack, but perform explicit DNS lookups. If that does not work, please try on your own - dig SRV _kerberos._tcp.brq-openldap.rhev.lab.eng.brq.redhat.com - You should get SRV records for kerberos - if you don't get, there is something problematic wit your setup.
Hi Yair, I think that the problem is in the way of engine creates file - /etc/ovirt-engine/krb5.conf.manage_domains_utility Because it looks like this: [libdefaults] default_realm = BRQ-LDAP.RHEV.LAB.ENG.BRQ.REDHAT.COM dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d forwardable = no default_tkt_enctypes = arcfour-hmac-md5 udp_preference_limit = 1 #realms [domain_realm] brq-openldap.rhev.lab.eng.brq.redhat.com = TESTREALM And for correct usage the default_realm should be 'default_realm = TESTREALM' ^^ Like this it looks like when using 'useDnsLookup=true' When I am using 'useDnsLookup=false' it also creates section [realms], where is also bad realm name, which is again upper case of domain, so I think, that these two problems should be fixed, to get it work.
OK I understand now. I had: brq-openldap with kerbers+ldap running and with only A record in DNS. then I have DNS SRV records for test-openldap which points to brq-openldap. when running: engine-manage-domains add --domain=test-openldap with this in domainRealmMappingFile: brq-openldap = TEST-OPENLDAP then this is added also to krb5.conf file and I can add domain a work with it. When I try to remove domainRealmMappingFile property from /etc/ovirt-engine/engine-manage-domains/engine-manage-domains.conf then domain is not added successfully, thus moving to verified. I will file separate bug for issue mentioned in comment 10.
Closing as part of 3.4.0