Bug 1136087 - engine-manage-domains always searches for KDC servers over DNS, even when --resolve-kdc is not set
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-config
Version: 3.4.1-1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 3.5.0
Assignee: Yair Zaslavsky
QA Contact: Ondra Machacek
URL:
Whiteboard: infra
Duplicates: 1143836
Depends On:
Blocks: rhev3.5beta 1156165
 
Reported: 2014-09-01 15:56 UTC by Evgheni Dereveanchin
Modified: 2019-05-20 11:16 UTC (History)

Fixed In Version: vt3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-11 18:08:51 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0158 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Virtualization Manager 3.5.0 2015-02-11 22:38:50 UTC
oVirt gerrit 32279 0 master MERGED aaa: engine-manads-domains always tries to look for KDC in DNS Never
oVirt gerrit 32285 0 ovirt-engine-3.5 MERGED aaa: engine-manads-domains always tries to look for KDC in DNS Never

Description Evgheni Dereveanchin 2014-09-01 15:56:23 UTC
Description of problem:
it is impossible to add an IPA domain to RHEV if DNS is not working. 

Version-Release number of selected component (if applicable):
3.4.1

How reproducible:
Always

Steps to Reproduce:
1. configure RHEV-M 3.4.1
2. set up a test IPA domain not resolvable via DNS from the RHEV-M
3. try to add the domain without --resolve-kdc option (according to docs this should not trigger DNS queries)

# engine-manage-domains add --domain=test.lan --provider=IPA --user=admin --ldap-servers=10.0.0.1 --password-file=passwd

Actual results:
* DNS queries are performed
* the process errors out with message:
    No KDC can be obtained for domain test.lan

Expected results:
* server from --ldap-servers is used as KDC
* the domain is added successfully

Additional info:
* This behavior seems to be the opposite of BZ#1031778
* same behavior occurs if LDAP server is added to /etc/hosts and the hostname is used instead of the IP

Comment 3 Florian Faltermeier 2014-09-04 14:21:46 UTC
Hello,

if it's possible please add an argument to the engine-manage-domains command,
so that separate KDC servers can be added. In some environments it is common to separate KDC from LDAP. This should be working properly without a DNS lookup, especially when an additional AD exists in the environment.

Thank you!

Regards,
Florian

Comment 4 Eyal Edri 2014-09-10 20:21:34 UTC
fixed in vt3, moving to on_qa.
if you believe this bug isn't released in vt3, please report to rhev-integ

Comment 5 Ondra Machacek 2014-09-16 15:35:49 UTC
I didn't find how to configure IPA to accept IP address with ldapserver param.

But as the bz says, oVirt now connects to the KDC which is specified in the ldapserver parameter.

But it couldn't work as it tries ldap/10.0.0.1@REALM,
and there is no documented way to add such a service into IPA as it needs
to be a hostname, not an IP address.

Comment 6 Martin Tessun 2014-09-19 14:35:47 UTC
*** Bug 1143836 has been marked as a duplicate of this bug. ***

Comment 7 Yair Zaslavsky 2014-10-06 12:35:45 UTC
I don't know how to configure the IPA server to do that.
Bear in mind the bug is about the DNS queries being sent for KDC.
I verified it by checking that there is no outgoing traffic on the DNS port that resolves KDCs.

Comment 8 Martin Tessun 2014-10-06 13:38:48 UTC
Hi Yair,

test is relatively easy:

1. Remove all SRV entries to the services for IPA from DNS
   e.g.:
   _ldap._tcp IN SRV 0 100 389 ldap1.example.com.
   _ldap._tcp IN SRV 0 100 389 ldap2.example.com.
   _kerberos IN TXT EXAMPLE.COM
   _kerberos._tcp IN SRV 0 0 88 krb1.example.com.
   _kerberos._tcp IN SRV 0 0 88 krb2.example.com.

2. Make sure LDAP and KRB reside on the same server.
3. run engine-manage-domains add --domain=<domain> --provider=IPA --user=<IPA> --ldap-servers=<IP>

The authentication should work now and the IPA server should be added correctly to the RHEV-M, as it uses the IP provided with --ldap-servers for the kerberos as well.

Let me know if you have any further questions on how to configure IPA.

Cheers,
Martin

Comment 9 Yair Zaslavsky 2014-10-06 23:42:11 UTC
(In reply to Martin Tessun from comment #8)
> Hi Yair,
> 
> test is relatively easy:
> 
> 1. Remove all SRV entries to the services for IPA from DNS
>    e.g.:
>    _ldap._tcp IN SRV 0 100 389 ldap1.example.com.
>    _ldap._tcp IN SRV 0 100 389 ldap2.example.com.
>    _kerberos IN TXT EXAMPLE.COM
>    _kerberos._tcp IN SRV 0 0 88 krb1.example.com.
>    _kerberos._tcp IN SRV 0 0 88 krb2.example.com.
> 
> 2. Make sure LDAP and KRB reside on the same server.
> 3. run engine-manage-domains add --domain=<domain> --provider=IPA
> --user=<IPA> --ldap-servers=<IP>
> 
> The authentication should work now and the IPA server should be added
> correctly to the RHEV-M, as it uses the IP provided with --ldap-servers for
> the kerberos as well.
> 
> Let me know if you have any further questions on how to configure IPA.
> 
> Cheers,
> Martin

Ondra, is this what you checked?

Comment 10 Ondra Machacek 2014-10-07 09:19:00 UTC
Yes. When I do the steps described in #comment 8, then manage-domains sends TGS-REQ
ldap/<IP>.

It's not possible to add service with IP address in IPA as only fqdn is supported.

Or should manage-domain use reverse lookup and use TGS-REQ ldap/hostname ?

Comment 11 Alon Bar-Lev 2014-10-07 09:23:12 UTC
using host by ip in kerberos is not supported as reverse dns should not be trusted in most cases.

anyway, I suggest to focus our resources in the new ldap implementation, all issues with existing are known and should not be fixed.

Comment 12 Martin Tessun 2014-10-07 09:37:32 UTC
Sorry, of course IP should have been the dns name of the ldap server. I was just copying the statement from above.

So after not having the SRV entries any more in the DNS, the above should work:

# engine-manage-domains --domain=<domain> --provider=IPA --user=<IPA> --ldap-servers=<SERVERS>

According to the man page this should also be SERVERS:

       --ldap-servers=SERVERS
           A comma delimited list of LDAP servers to be set to the domain.

So now (without any DNS SRV entries), the above command should succeed, as long as the kerberos is running on the same server as the LDAP service.

Comment 13 Ondra Machacek 2014-10-07 10:04:26 UTC
It will succeed only if <SERVERS> are fqdns and not ip addresses.

Comment 14 Martin Tessun 2014-10-16 06:43:32 UTC
(In reply to Ondra Machacek from comment #13)
> It will succeed only if <SERVERS> are fqdns and not ip addresses.

Yes, and that's exactly the way it should be. (Therefore stating <SERVERS> and not <IP>).

So I think if this test succeeded the way I described in c#8 then everything works as expected.

So no reverse lookup is expected.
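An added illustration, not oVirt or RHEV code, of the KDC-selection rule this thread converges on: with --resolve-kdc the KDC list comes from the _kerberos._tcp SRV records; without it the --ldap-servers list is used unchanged and no DNS query is issued at all, which is why that list must hold FQDNs rather than IP literals (comments 10 to 14). The zone lines are the ones quoted in comment 8; the function names, the call-counting resolver (standing in for the "no outgoing DNS traffic" check of comment 7) and the default Kerberos port 88 are assumptions of this example.

```python
"""KDC selection modelled on the behaviour discussed in this bug.
Added example; not the engine-manage-domains implementation."""
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# Constructed zone fragment: the SRV/TXT records quoted in comment 8.
ZONE = """\
_ldap._tcp IN SRV 0 100 389 ldap1.example.com.
_ldap._tcp IN SRV 0 100 389 ldap2.example.com.
_kerberos IN TXT EXAMPLE.COM
_kerberos._tcp IN SRV 0 0 88 krb1.example.com.
_kerberos._tcp IN SRV 0 0 88 krb2.example.com.
"""

KRB_PORT = 88  # assumed default; matches the SRV records above

SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target)


def parse_srv(zone: str, origin: str) -> Dict[str, List[SrvRecord]]:
    """Parse SRV lines of a zone fragment into {service fqdn: [records]}.
    Non-SRV lines (e.g. the _kerberos TXT record) are skipped."""
    records: Dict[str, List[SrvRecord]] = {}
    for line in zone.splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            continue
        name = f"{m['name']}.{origin}".lower()
        target = m["target"].rstrip(".").lower()
        records.setdefault(name, []).append(
            (int(m["prio"]), int(m["weight"]), int(m["port"]), target)
        )
    return records


def lookup_kdc_srv(records: Dict[str, List[SrvRecord]], domain: str) -> List[str]:
    """Return 'host:port' KDC candidates from _kerberos._tcp.<domain>,
    lowest priority first, higher weight first within a priority (RFC 2782)."""
    rrs = records.get(f"_kerberos._tcp.{domain}".lower(), [])
    ordered = sorted(rrs, key=lambda r: (r[0], -r[1]))
    return [f"{target}:{port}" for _prio, _weight, port, target in ordered]


class CountingResolver:
    """Stand-in for the DNS resolver; counts how often it is consulted so a
    test can prove the non-resolve path never touches DNS."""

    def __init__(self, records: Dict[str, List[SrvRecord]]) -> None:
        self.records = records
        self.calls = 0

    def __call__(self, domain: str) -> List[str]:
        self.calls += 1
        return lookup_kdc_srv(self.records, domain)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_ldap_servers(arg: str) -> List[str]:
    """--ldap-servers=SERVERS is a comma-delimited list (man page, comment 12)."""
    return [s.strip() for s in arg.split(",") if s.strip()]


def select_kdcs(domain: str, ldap_servers_arg: str, resolve_kdc: bool,
                srv_lookup: Callable[[str], List[str]]) -> List[str]:
    """Pick the KDCs for a domain.

    resolve_kdc=True : consult DNS SRV; fail with the message from the report
                       when nothing is found.
    resolve_kdc=False: use the LDAP servers as KDCs without any DNS query;
                       reject IP literals, since a Kerberos service principal
                       must be built from a hostname (comments 10, 11, 13)."""
    servers = parse_ldap_servers(ldap_servers_arg)
    if resolve_kdc:
        kdcs = srv_lookup(domain)
        if not kdcs:
            raise LookupError(f"No KDC can be obtained for domain {domain}")
        return kdcs
    bad = [s for s in servers if is_ip_literal(s)]
    if bad:
        raise ValueError(
            f"--ldap-servers must be FQDNs when used as KDCs, not IP literals: {', '.join(bad)}"
        )
    return [f"{s}:{KRB_PORT}" for s in servers]


if __name__ == "__main__":
    resolver = CountingResolver(parse_srv(ZONE, "example.com"))
    print(select_kdcs("example.com", "ldap1.example.com,ldap2.example.com", False, resolver))
    print("DNS lookups on the non-resolve path:", resolver.calls)
    print(select_kdcs("example.com", "ldap1.example.com", True, resolver))
    print("DNS lookups after --resolve-kdc:", resolver.calls)
```

Running it prints the two LDAP hosts on port 88 with a lookup count of zero, then the two krb hosts from the SRV records with a count of one. Passing `10.0.0.1` as in the original report raises the FQDN error on the non-resolve path instead of silently building an `ldap/10.0.0.1@REALM` principal that IPA cannot serve.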

Comment 15 Yair Zaslavsky 2014-10-16 07:23:39 UTC
(In reply to Martin Tessun from comment #14)
> (In reply to Ondra Machacek from comment #13)
> > It will succeed only if <SERVERS> are fqdns and not ip addresses.
> 
> Yes, and that's exactly the way it should be. (Therefore stating <SERVERS>
> and not <IP>).
> 
> So I think if this test succeeded the way I described in c#8 then everything
> works as expected.
> 
> So no reverse lookup is expected.

Ok, so is the bug verified?

Comment 16 Ondra Machacek 2014-10-22 08:26:17 UTC
Yes.

There are no SRV records in DNS.

rhevm-manage-domains add --domain=brq-openldap.rhev.lab.eng.brq.redhat.com --user=user1 --provider=openldap --ldap-servers=brq-openldap.rhev.lab.eng.brq.redhat.com
Enter password:
The domain brq-openldap.rhev.lab.eng.brq.redhat.com has been added to the engine as an authentication source but no users from that domain have been granted permissions within the oVirt Manager.
Users from this domain can be granted permissions by editing the domain using action edit and specifying --add-permissions or from the Web administration interface logging in as admin@internal user.
oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).
Manage Domains completed successfully

There are no SRV queries to DNS and I can work with a user from this domain without
any problem.

Comment 19 Ondra Machacek 2014-10-22 14:18:29 UTC
Works OK for IPA. No DNS queries for SRV record.

rhevm-manage-domains add --domain=brq-ipa.rhev.lab.eng.brq.redhat.com --user=vdcadmin --provider=ipa --ldap-servers=brq-ipa.rhev.lab.eng.brq.redhat.com
Enter password:
The domain brq-ipa.rhev.lab.eng.brq.redhat.com has been added to the engine as an authentication source but no users from that domain have been granted permissions within the oVirt Manager.
Users from this domain can be granted permissions by editing the domain using action edit and specifying --add-permissions or from the Web administration interface logging in as admin@internal user.
oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).
Manage Domains completed successfully

Comment 21 errata-xmlrpc 2015-02-11 18:08:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0158.html

