Bug 1733111 - [ovirt-engine-extension-aaa-ldap-setup] dig command usage does not allow for tcp fallback
Summary: [ovirt-engine-extension-aaa-ldap-setup] dig command usage does not allow for ...
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-ldap
Version: 4.3.0
Hardware: x86_64
OS: Linux
Target Milestone: ovirt-4.3.6
: 4.3.6
Assignee: Ondra Machacek
QA Contact: Petr Matyáš
: 1733078 (view as bug list)
Depends On: 1733078
TreeView+ depends on / blocked
Reported: 2019-07-25 08:52 UTC by Juan Orti
Modified: 2019-10-10 15:38 UTC (History)
9 users (show)

Fixed In Version: ovirt-engine-extension-aaa-ldap-1.3.10
Doc Type: No Doc Update
Doc Text:
Clone Of: 1733078
Last Closed: 2019-10-10 15:38:25 UTC
oVirt Team: Infra
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4304391 0 Troubleshoot None ovirt-engine-extension-aaa-ldap-setup cannot find Active Directory Global Catalog 2019-07-25 08:52:08 UTC
Red Hat Product Errata RHEA-2019:3020 0 None None None 2019-10-10 15:38:27 UTC
oVirt gerrit 102336 0 None MERGED setup: Use TCP with dig for bigger responses 2020-08-19 07:35:09 UTC

Description Juan Orti 2019-07-25 08:52:08 UTC
+++ This bug was initially created as a clone of Bug #1733078 +++

Description of problem:
our AD forest _ldap._tcp.gc._msdcs.<forest> has too many entries for a UDP lookup. That means dig returns nothing and setup fails. Problem is here:

+ignore means no fallback to TCP for answers that are too long for UDP

Version-Release number of selected component (if applicable):

How reproducible:
Always in an enviroment with too long SRV record set

Steps to Reproduce:
1. Have a SRV record that is too long for UDP
2. Run ovirt-engine-extension-aaa-ldap-setup
3. It fails to discover the Global Catalog

Actual results:

2019-07-24 13:45:53,151+0200 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159 query OVAAALDAP_LDAP_AD_DOMAIN
2019-07-24 13:45:53,151+0200 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND                 Please enter Active Directory Forest name: 
2019-07-24 13:45:55,672+0200 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE    rootdomain.com
2019-07-24 13:45:55,673+0200 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad ad._resolveGC:45 Resolving Global Catalog SRV record for rootdomain.com
2019-07-24 13:45:55,673+0200 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad plugin.executeRaw:813 execute: ('/usr/bin/dig', '+noall', '+answer', '+ignore', '_ldap._tcp.gc._msdcs.rootdomain.com', 'SRV'), executable='None', cwd='None', env=None
2019-07-24 13:45:55,691+0200 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad plugin.executeRaw:863 execute-result: ('/usr/bin/dig', '+noall', '+answer', '+ignore', '_ldap._tcp.gc._msdcs.rootdomain.com', 'SRV'), rc=0
2019-07-24 13:45:55,692+0200 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad plugin.execute:921 execute-output: ('/usr/bin/dig', '+noall', '+answer', '+ignore', '_ldap._tcp.gc._msdcs.rootdomain.com', 'SRV') stdout:

2019-07-24 13:45:55,692+0200 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad plugin.execute:926 execute-output: ('/usr/bin/dig', '+noall', '+answer', '+ignore', '_ldap._tcp.gc._msdcs.rootdomain.com', 'SRV') stderr:

2019-07-24 13:45:55,693+0200 WARNING otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad ad._resolveGC:65 Cannot resolve Global Catalog SRV record for rootdomain.com. Please check you have entered correct Active Directory forest name and check that forest is resolvable by your system DNS servers
2019-07-24 13:45:55,693+0200 DEBUG otopi.context context._executeMethod:143 method exception
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/otopi/context.py", line 133, in _executeMethod
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/ad.py", line 109, in _customization
    _("Active Directory forest is not resolvable, please make"
RuntimeError: Active Directory forest is not resolvable, please make sure you've entered correct forest name. If for some reason you can't use forest and you need some special configuration instead, please refer to examples directory provided by ovirt-engine-extension-aaa-ldap package.
2019-07-24 13:45:55,694+0200 ERROR otopi.context context._executeMethod:152 Failed to execute stage 'Environment customization': Active Directory forest is not resolvable, please make sure you've entered correct forest name. If for some reason you can't use forest and you need some special configuration instead, please refer to examples directory provided by ovirt-engine-extension-aaa-ldap package.

Expected results:
working AD setup

Additional info:

# host -t SRV _ldap._tcp.gc._msdcs.rootdomain.com
;; Truncated, retrying in TCP mode.
_ldap._tcp.gc._msdcs.rootdomain.com has SRV record 0 100 3268 ad1.domain1.com.
_ldap._tcp.gc._msdcs.rootdomain.com has SRV record 0 100 3268 ad2.domain2.com.
_ldap._tcp.gc._msdcs.rootdomain.com has SRV record 0 100 3268 ad3.domain2.com.

If "+ignore" is removed from the _resolver method in /usr/share/ovirt-engine-extension-aaa-ldap/setup/plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py, the setup finishes successfully.

Comment 1 Martin Perina 2019-07-25 10:34:17 UTC
*** Bug 1733078 has been marked as a duplicate of this bug. ***

Comment 4 Klaas Demter 2019-07-25 11:25:02 UTC
related to https://bugzilla.redhat.com/show_bug.cgi?id=1538217

Comment 6 Petr Matyáš 2019-08-26 14:14:34 UTC
Verified on ovirt-engine-extension-aaa-ldap-1.3.10-1.el7ev.noarch

Comment 8 errata-xmlrpc 2019-10-10 15:38:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.