Bug 1070465 - Failure to add domain via engine-manage-domains if the kerberos realm is not an uppercase of the DNS domain
Summary: Failure to add domain via engine-manage-domains if the kerberos realm is not ...
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-config
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.4.0
Assignee: Yair Zaslavsky
QA Contact: Ondra Machacek
Whiteboard: infra
Depends On:
Blocks: 1070564 1072330 rhev3.4beta 1142926
TreeView+ depends on / blocked
Reported: 2014-02-26 22:23 UTC by Yair Zaslavsky
Modified: 2016-02-10 19:40 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1070564 1072330 (view as bug list)
Last Closed: 2014-06-12 14:10:10 UTC
oVirt Team: Infra
Target Upstream Version:

Attachments (Terms of Use)
/etc/krb5.conf (516 bytes, text/plain)
2014-03-12 11:57 UTC, Ondra Machacek
no flags Details
/root/test.conf (53 bytes, text/plain)
2014-03-12 11:58 UTC, Ondra Machacek
no flags Details
/etc/ovirt-engine/engine-manage-domains/engine-manage-domains.conf (239 bytes, text/plain)
2014-03-12 11:58 UTC, Ondra Machacek
no flags Details

System ID Priority Status Summary Last Updated
oVirt gerrit 25121 None None None Never
oVirt gerrit 25125 None NEW tools: Allow to configure domains_realm section via external file Never

Description Yair Zaslavsky 2014-02-26 22:23:04 UTC
Description of problem:

In some setups it is possible to have a situation in which the kerberos realm is not an upper case of the domain.
In these cases wrong entries at the [domain_realm] section will be created.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

wrong entries are created [domain_realm] section.
It is impossible to add domains and then log in.

Expected results:

Provide a way to bypass this issue, and allow a proper creation of [domain_realm] section (proper mapping of domains to realms) so adding domains + login via admin or user portal is possible.

Additional info:

Comment 1 Yair Zaslavsky 2014-02-27 00:05:23 UTC
In order to override the [domain_realm] section, this patch suggests to provide an external file via setting its full path at

by setting domainRealmMappingFile property to point to the file containing domain real mapping in format of


(similar to the [domain_realm] section in krb5.conf file)

Comment 5 Ondra Machacek 2014-03-12 11:54:18 UTC
Tested with rhevm-3.4.0-0.3.
We didn't succedd to add domain with different realm name with OpenLDAP.

created /etc/krb5.conf [attached]
edited /etc/ovirt-engine/engine-manage-domains/engine-manage-domains.conf [attached]
created /root/test.conf [attached]
kdb5_util create -s
systemctl start krb5kdc
systemctl start kadmin

via kadmin.local add user0
add_principal -randkey ldap/brq-openldap.rhev.lab.eng.brq.redhat.com
kadmin:  ktadd -keytab /etc/openldap/ldap.keytab

kinit user0 & ldapserach works OK.

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user0@TESTREALM

Valid starting     Expires            Service principal
03/12/14 10:49:49  03/13/14 10:49:44  krbtgt/TESTREALM@TESTREALM
	renew until 03/12/14 10:49:49
03/12/14 10:50:01  03/13/14 10:49:44  ldap/brq-openldap.rhev.lab.eng.brq.redhat.com@TESTREALM
	renew until 03/12/14 10:49:49

Now when trying to add OpenLDAP via manager domains it tell:
Failure while testing domain brq-openldap.rhev.lab.eng.brq.redhat.com. Details: Authentication Failed. Client not found in kerberos database.

Log in /var/log/krb5kdc.log on OpenLDAP:
Mar 12 11:58:29 brq-openldap.rhev.lab.eng.brq.redhat.com krb5kdc[1172](info): AS_REQ (1 etypes {23}) CLIENT_NOT_FOUND: user0@BRQ-OPENLDAP.RHEV.LAB.ENG.BRQ.REDHAT.COM for krbtgt/BRQ-OPENLDAP.RHEV.LAB.ENG.BRQ.REDHAT.COM@BRQ-OPENLDAP.RHEV.LAB.ENG.BRQ.REDHAT.COM, Client not found in Kerberos database
Mar 12 11:58:29 brq-openldap.rhev.lab.eng.brq.redhat.com krb5kdc[1172](info): closing down fd 13

^^^ It don't user TESTREALM, but uppercase of domain.

Yair, are we missing something?

Comment 6 Ondra Machacek 2014-03-12 11:57:30 UTC
Created attachment 873488 [details]

Comment 7 Ondra Machacek 2014-03-12 11:58:14 UTC
Created attachment 873489 [details]

Comment 8 Ondra Machacek 2014-03-12 11:58:46 UTC
Created attachment 873490 [details]

Comment 9 Yair Zaslavsky 2014-03-12 23:07:31 UTC
Hi Ondra, IMHO there is something missing in your DNS setup - for a setup with one domain, the useDnsLookup is set to true when creating the krb5.conf and does not create the [domain_realms] section, which is optional for a setup with one domain, but mandatory in setups with two domains or more.
if this flag is set to true, the code relies on the kerberos implementation of java to perform lookup in DNS for the kdcs.
What you can try is turn this flag to false in the engine-manage-domains.conf.
In this case,  the code will not rely on the internal kerberos java stack, but perform explicit DNS lookups.
If that does not work, please try on your own -

dig SRV _kerberos._tcp.brq-openldap.rhev.lab.eng.brq.redhat.com -
You should get SRV records for kerberos - if you don't get, there is something problematic wit your setup.

Comment 10 Ondra Machacek 2014-03-13 12:23:33 UTC
Hi Yair,

I think that the problem is in the way of engine creates file - /etc/ovirt-engine/krb5.conf.manage_domains_utility

Because it looks like this:


dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = no
default_tkt_enctypes = arcfour-hmac-md5
udp_preference_limit = 1


	brq-openldap.rhev.lab.eng.brq.redhat.com = TESTREALM

And for correct usage the default_realm should be 'default_realm = TESTREALM'

^^ Like this it looks like when using 'useDnsLookup=true'

When I am using 'useDnsLookup=false'

it also creates section [realms], where is also bad realm name, which is again
upper case of domain, so I think, that these two problems should be fixed, to
get it work.

Comment 12 Ondra Machacek 2014-03-18 22:15:31 UTC
OK I understand now.

I had:
brq-openldap with kerbers+ldap running and with only A record in DNS.
then I have DNS SRV records for test-openldap which points to brq-openldap.

when running:
engine-manage-domains add --domain=test-openldap

with this in domainRealmMappingFile: brq-openldap = TEST-OPENLDAP

then this is added also to krb5.conf file and I can add domain a work with it.
When I try to remove domainRealmMappingFile property from 
then domain is not added successfully, thus moving to verified.

I will file separate bug for issue mentioned in comment 10.

Comment 13 Itamar Heim 2014-06-12 14:10:10 UTC
Closing as part of 3.4.0

Note You need to log in before you can comment on or make changes to this bug.