+++ This bug was initially created as a clone of Bug #1733078 +++

Description of problem:
Our AD forest _ldap._tcp.gc._msdcs.<forest> has too many entries for a UDP lookup. That means dig returns nothing and setup fails.

Problem is here:
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/8208f97c86b421327c63564942332f2b4f0ddd1b/setup/plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py#L152

+ignore means no fallback to TCP for answers that are too long for UDP

Version-Release number of selected component (if applicable):
ovirt-engine-extension-aaa-ldap-setup-1.3.9-1.el7ev.noarch

How reproducible:
Always in an environment with too long SRV record set

Steps to Reproduce:
1. Have a SRV record that is too long for UDP
2. Run ovirt-engine-extension-aaa-ldap-setup
3. It fails to discover the Global Catalog

Actual results:
2019-07-24 13:45:53,151+0200 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159 query OVAAALDAP_LDAP_AD_DOMAIN
2019-07-24 13:45:53,151+0200 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND Please enter Active Directory Forest name:
2019-07-24 13:45:55,672+0200 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE rootdomain.com
2019-07-24 13:45:55,673+0200 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad ad._resolveGC:45 Resolving Global Catalog SRV record for rootdomain.com
2019-07-24 13:45:55,673+0200 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad plugin.executeRaw:813 execute: ('/usr/bin/dig', '+noall', '+answer', '+ignore', '_ldap._tcp.gc._msdcs.rootdomain.com', 'SRV'), executable='None', cwd='None', env=None
2019-07-24 13:45:55,691+0200 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad plugin.executeRaw:863 execute-result: ('/usr/bin/dig', '+noall', '+answer', '+ignore', '_ldap._tcp.gc._msdcs.rootdomain.com', 'SRV'), rc=0
2019-07-24 13:45:55,692+0200 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad plugin.execute:921 execute-output: ('/usr/bin/dig', '+noall', '+answer', '+ignore', '_ldap._tcp.gc._msdcs.rootdomain.com', 'SRV') stdout:
2019-07-24 13:45:55,692+0200 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad plugin.execute:926 execute-output: ('/usr/bin/dig', '+noall', '+answer', '+ignore', '_ldap._tcp.gc._msdcs.rootdomain.com', 'SRV') stderr:
2019-07-24 13:45:55,693+0200 WARNING otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad ad._resolveGC:65 Cannot resolve Global Catalog SRV record for rootdomain.com. Please check you have entered correct Active Directory forest name and check that forest is resolvable by your system DNS servers
2019-07-24 13:45:55,693+0200 DEBUG otopi.context context._executeMethod:143 method exception
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/otopi/context.py", line 133, in _executeMethod
    method['method']()
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/ad.py", line 109, in _customization
    _("Active Directory forest is not resolvable, please make"
RuntimeError: Active Directory forest is not resolvable, please make sure you've entered correct forest name. If for some reason you can't use forest and you need some special configuration instead, please refer to examples directory provided by ovirt-engine-extension-aaa-ldap package.
2019-07-24 13:45:55,694+0200 ERROR otopi.context context._executeMethod:152 Failed to execute stage 'Environment customization': Active Directory forest is not resolvable, please make sure you've entered correct forest name. If for some reason you can't use forest and you need some special configuration instead, please refer to examples directory provided by ovirt-engine-extension-aaa-ldap package.

Expected results:
working AD setup

Additional info:
# host -t SRV _ldap._tcp.gc._msdcs.rootdomain.com
;; Truncated, retrying in TCP mode.
_ldap._tcp.gc._msdcs.rootdomain.com has SRV record 0 100 3268 ad1.domain1.com.
_ldap._tcp.gc._msdcs.rootdomain.com has SRV record 0 100 3268 ad2.domain2.com.
_ldap._tcp.gc._msdcs.rootdomain.com has SRV record 0 100 3268 ad3.domain2.com.
[...]

If "+ignore" is removed from the _resolver method in /usr/share/ovirt-engine-extension-aaa-ldap/setup/plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py, the setup finishes successfully.
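
The truncation behaviour described in the report, as an added example that is not part of the original report or of the project's code: it models how a resolver treats a UDP reply carrying the DNS TC (truncated) bit, with and without dig's +ignore semantics. The function names and the sample reply (TC set, zero answers, matching the empty dig output in the log) are constructed for illustration.

```python
import struct

TC_FLAG = 0x0200  # truncation bit in the DNS header flags word (RFC 1035)
QTYPE_SRV, QCLASS_IN = 33, 1


def build_query(name, qid=0x1234, qtype=QTYPE_SRV):
    """Encode a single-question DNS query with recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(message):
    """Return (id, truncated, answer_count) from a DNS message header."""
    if len(message) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return qid, bool(flags & TC_FLAG), ancount


def next_step(query, udp_response, ignore_truncation):
    """Decide what to do with a UDP reply.

    ignore_truncation=True models dig's +ignore: the truncated reply is
    treated as final, so the caller may end up with no records at all.
    """
    qid, truncated, ancount = parse_header(udp_response)
    if qid != parse_header(query)[0]:
        return "drop"  # reply does not belong to this query
    if truncated and not ignore_truncation:
        return "retry-tcp"
    return "use-udp-answer" if ancount else "no-answer"


def frame_for_tcp(query):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(query)) + query


def sample_truncated_reply(query):
    """Constructed sample: QR+TC+RD+RA set, question echoed, no answers."""
    flags = 0x8000 | TC_FLAG | 0x0100 | 0x0080
    header = struct.pack("!HHHHHH", parse_header(query)[0], flags, 1, 0, 0, 0)
    return header + query[12:]
```

With the constructed reply, `next_step(..., ignore_truncation=True)` yields "no-answer", which is the empty stdout seen in the setup log, while `ignore_truncation=False` yields "retry-tcp", the path `host` takes in the report.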
*** Bug 1733078 has been marked as a duplicate of this bug. ***
related to https://bugzilla.redhat.com/show_bug.cgi?id=1538217
Verified on ovirt-engine-extension-aaa-ldap-1.3.10-1.el7ev.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2019:3020