Bug 1733111 - [ovirt-engine-extension-aaa-ldap-setup] dig command usage does not allow for tcp fallback
Summary: [ovirt-engine-extension-aaa-ldap-setup] dig command usage does not allow for ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-ldap
Version: 4.3.0
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ovirt-4.3.6
: 4.3.6
Assignee: Ondra Machacek
QA Contact: Petr Matyáš
URL:
Whiteboard:
: 1733078 (view as bug list)
Depends On: 1733078
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-07-25 08:52 UTC by Juan Orti Alcaine
Modified: 2019-10-10 15:38 UTC (History)
9 users (show)

Fixed In Version: ovirt-engine-extension-aaa-ldap-1.3.10
Doc Type: No Doc Update
Doc Text:
Clone Of: 1733078
Environment:
Last Closed: 2019-10-10 15:38:25 UTC
oVirt Team: Infra
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4304391 Troubleshoot None ovirt-engine-extension-aaa-ldap-setup cannot find Active Directory Global Catalog 2019-07-25 08:52:08 UTC
Red Hat Product Errata RHEA-2019:3020 None None None 2019-10-10 15:38:27 UTC
oVirt gerrit 102336 None None None 2019-08-01 10:02:53 UTC

Description Juan Orti Alcaine 2019-07-25 08:52:08 UTC
+++ This bug was initially created as a clone of Bug #1733078 +++

Description of problem:
our AD forest _ldap._tcp.gc._msdcs.<forest> has too many entries for a UDP lookup. That means dig returns nothing and setup fails. Problem is here:
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/8208f97c86b421327c63564942332f2b4f0ddd1b/setup/plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py#L152

+ignore means no fallback to TCP for answers that are too long for UDP


Version-Release number of selected component (if applicable):
ovirt-engine-extension-aaa-ldap-setup-1.3.9-1.el7ev.noarch

How reproducible:
Always in an enviroment with too long SRV record set


Steps to Reproduce:
1. Have a SRV record that is too long for UDP
2. Run ovirt-engine-extension-aaa-ldap-setup
3. It fails to discover the Global Catalog


Actual results:

2019-07-24 13:45:53,151+0200 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159 query OVAAALDAP_LDAP_AD_DOMAIN
2019-07-24 13:45:53,151+0200 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND                 Please enter Active Directory Forest name: 
2019-07-24 13:45:55,672+0200 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE    rootdomain.com
2019-07-24 13:45:55,673+0200 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad ad._resolveGC:45 Resolving Global Catalog SRV record for rootdomain.com
2019-07-24 13:45:55,673+0200 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad plugin.executeRaw:813 execute: ('/usr/bin/dig', '+noall', '+answer', '+ignore', '_ldap._tcp.gc._msdcs.rootdomain.com', 'SRV'), executable='None', cwd='None', env=None
2019-07-24 13:45:55,691+0200 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad plugin.executeRaw:863 execute-result: ('/usr/bin/dig', '+noall', '+answer', '+ignore', '_ldap._tcp.gc._msdcs.rootdomain.com', 'SRV'), rc=0
2019-07-24 13:45:55,692+0200 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad plugin.execute:921 execute-output: ('/usr/bin/dig', '+noall', '+answer', '+ignore', '_ldap._tcp.gc._msdcs.rootdomain.com', 'SRV') stdout:


2019-07-24 13:45:55,692+0200 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad plugin.execute:926 execute-output: ('/usr/bin/dig', '+noall', '+answer', '+ignore', '_ldap._tcp.gc._msdcs.rootdomain.com', 'SRV') stderr:


2019-07-24 13:45:55,693+0200 WARNING otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.ad ad._resolveGC:65 Cannot resolve Global Catalog SRV record for rootdomain.com. Please check you have entered correct Active Directory forest name and check that forest is resolvable by your system DNS servers
2019-07-24 13:45:55,693+0200 DEBUG otopi.context context._executeMethod:143 method exception
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/otopi/context.py", line 133, in _executeMethod
    method['method']()
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/ad.py", line 109, in _customization
    _("Active Directory forest is not resolvable, please make"
RuntimeError: Active Directory forest is not resolvable, please make sure you've entered correct forest name. If for some reason you can't use forest and you need some special configuration instead, please refer to examples directory provided by ovirt-engine-extension-aaa-ldap package.
2019-07-24 13:45:55,694+0200 ERROR otopi.context context._executeMethod:152 Failed to execute stage 'Environment customization': Active Directory forest is not resolvable, please make sure you've entered correct forest name. If for some reason you can't use forest and you need some special configuration instead, please refer to examples directory provided by ovirt-engine-extension-aaa-ldap package.



Expected results:
working AD setup


Additional info:

# host -t SRV _ldap._tcp.gc._msdcs.rootdomain.com
;; Truncated, retrying in TCP mode.
_ldap._tcp.gc._msdcs.rootdomain.com has SRV record 0 100 3268 ad1.domain1.com.
_ldap._tcp.gc._msdcs.rootdomain.com has SRV record 0 100 3268 ad2.domain2.com.
_ldap._tcp.gc._msdcs.rootdomain.com has SRV record 0 100 3268 ad3.domain2.com.
[...]

If "+ignore" is removed from the _resolver method in /usr/share/ovirt-engine-extension-aaa-ldap/setup/plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py, the setup finishes successfully.

Comment 1 Martin Perina 2019-07-25 10:34:17 UTC
*** Bug 1733078 has been marked as a duplicate of this bug. ***

Comment 4 Klaas Demter 2019-07-25 11:25:02 UTC
related to https://bugzilla.redhat.com/show_bug.cgi?id=1538217

Comment 6 Petr Matyáš 2019-08-26 14:14:34 UTC
Verified on ovirt-engine-extension-aaa-ldap-1.3.10-1.el7ev.noarch

Comment 8 errata-xmlrpc 2019-10-10 15:38:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3020


Note You need to log in before you can comment on or make changes to this bug.