Description of problem:

The way the appliance console is using the ipa-client-install command does not create the correct kerberos configuration. The ipa-client-install command produces different kerberos configurations based on the arguments used. The ipa-client-install(1) man page has the following description:

---
DNS Autodiscovery

Client installer by default tries to search for _ldap._tcp.DOMAIN DNS SRV records for all domains that are parent to its hostname. For example, if a client machine has a hostname 'client1.lab.example.com', the installer will try to retrieve an IPA server hostname from _ldap._tcp.lab.example.com, _ldap._tcp.example.com and _ldap._tcp.com DNS SRV records, respectively. The discovered domain is then used to configure client components (e.g. SSSD and Kerberos 5 configuration) on the machine.

When the client machine hostname is not in a subdomain of an IPA server, its domain can be passed with --domain option. In that case, both SSSD and Kerberos components have the domain set in the configuration files and will use it to autodiscover IPA servers.

Client machine can also be configured without a DNS autodiscovery at all. When both --server and --domain options are used, client installer will use the specified server and domain directly. --server option accepts multiple server hostnames which can be used for failover mechanism. Without DNS autodiscovery, Kerberos is configured with a fixed list of KDC and Admin servers. SSSD is still configured to either try to read domain's SRV records or the specified fixed list of servers. When --fixed-primary option is specified, SSSD will not try to read DNS SRV record at all (see sssd-ipa(5) for details).
---

Suffice it to say the decision matrix is a bit complicated.
Bottom line is, when using the ipa-client-install server flag, as is currently done, the /etc/krb5.conf file will be configured with the incorrect parameters:

  dns_lookup_realm = false
  dns_lookup_kdc = false

Additional info:

The solution will be to not use the ipa-client-install server flag or perhaps manually set the dns_lookup flags to true in the /etc/krb5.conf file as a final step of the external auth setup.
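As an added example (not part of the bug report and not ManageIQ's own code), the second option proposed in the description, forcing both dns_lookup flags to true in /etc/krb5.conf as a final step, written in Ruby since that is the language of the appliance code. It rewrites the two keys in the [libdefaults] section of a krb5.conf text, adds them if they are absent, and provides the check a verifier would run afterwards. The sample krb5.conf below is constructed; its realm and IPA server names are placeholders, and the caller is responsible for reading and writing the real file.

```ruby
# Added example, not ManageIQ code: force the two dns_lookup_* settings in a
# krb5.conf [libdefaults] section to true, as the report proposes doing in a
# final step after ipa-client-install --server has written them as false.

DNS_LOOKUP_KEYS = %w[dns_lookup_realm dns_lookup_kdc].freeze

# Constructed sample of the krb5.conf the report describes; the realm and the
# IPA server name are placeholders, not values from the bug.
SAMPLE_KRB5_CONF = <<~CONF
  [libdefaults]
    default_realm = EXAMPLE.TEST
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false

  [realms]
    EXAMPLE.TEST = {
      kdc = ipa.example.test:88
      admin_server = ipa.example.test:749
    }
CONF

# Collect "key = value" pairs from the [libdefaults] section into a Hash.
def libdefaults_settings(conf_text)
  settings = {}
  in_section = false
  conf_text.each_line do |line|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?("#", ";")
    if stripped.start_with?("[")
      in_section = (stripped == "[libdefaults]")
      next
    end
    next unless in_section
    key, value = stripped.split("=", 2)
    settings[key.strip] = value.strip if value
  end
  settings
end

# The check a verifier would run: both flags present and literally "true".
def dns_lookups_enabled?(conf_text)
  settings = libdefaults_settings(conf_text)
  DNS_LOOKUP_KEYS.all? { |k| settings[k] == "true" }
end

# Return the config text with both keys set to true. Lines already in
# [libdefaults] are rewritten in place (indentation kept), keys that are
# absent are appended to the section, and a file with no [libdefaults] at
# all gets one prepended. Everything else passes through untouched, so the
# function can be run repeatedly without changing the result.
def enable_krb5_dns_lookups(conf_text)
  out = []
  seen = []
  in_section = false
  found_section = false

  # Append any key not yet seen, keeping blank lines ahead of the next header.
  append_missing = lambda do
    blanks = []
    blanks.unshift(out.pop) while out.last && out.last.strip.empty?
    (DNS_LOOKUP_KEYS - seen).each { |k| out << "  #{k} = true\n" }
    out.concat(blanks)
  end

  conf_text.each_line do |line|
    stripped = line.strip
    if stripped.start_with?("[")
      append_missing.call if in_section
      in_section = (stripped == "[libdefaults]")
      found_section ||= in_section
      out << line
      next
    end
    key = stripped.split("=", 2).first.to_s.strip
    if in_section && DNS_LOOKUP_KEYS.include?(key)
      out << "#{line[/\A\s*/]}#{key} = true\n"
      seen << key
    else
      out << line
    end
  end
  append_missing.call if in_section # [libdefaults] ran to end of file
  return out.join if found_section

  "[libdefaults]\n" + DNS_LOOKUP_KEYS.map { |k| "  #{k} = true\n" }.join + "\n" + out.join
end

if __FILE__ == $PROGRAM_NAME
  fixed = enable_krb5_dns_lookups(SAMPLE_KRB5_CONF)
  puts fixed
  puts "dns lookups enabled: #{dns_lookups_enabled?(fixed)}"
end
```

The rewrite deliberately touches only the two keys and leaves the rest of the file (default_realm, the fixed kdc/admin_server list in [realms]) alone, so the fixed server list written by ipa-client-install stays available as a fallback while DNS lookups are enabled.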
https://github.com/ManageIQ/manageiq/pull/11730
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/4677228c45ab6eb0091828153e69e15a79183ddd

commit 4677228c45ab6eb0091828153e69e15a79183ddd
Author:     Joe VLcek <jvlcek>
AuthorDate: Tue Oct 4 18:20:49 2016 -0400
Commit:     Joe VLcek <jvlcek>
CommitDate: Fri Oct 7 11:04:23 2016 -0400

    For external auth configure kerberos to do dns_lookups

    https://bugzilla.redhat.com/show_bug.cgi?id=1380873

 .../external_httpd_authentication.rb      |  1 +
 .../external_httpd_configuration.rb       | 45 +++++++----
 .../external_httpd_authentication_spec.rb | 90 ++++++++++++++++++++++
 3 files changed, 120 insertions(+), 16 deletions(-)
Verified in 5.8.0.12-rc1:

  dns_lookup_realm = true
  dns_lookup_kdc = true