Bug 826799 - Identity Management Guide DNS Errors
Summary: Identity Management Guide DNS Errors
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: doc-Identity_Management_Guide
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Deon Ballard
QA Contact: ecs-bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-05-31 01:24 UTC by Sivaram Shunmugam
Modified: 2012-06-26 15:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-26 15:02:18 UTC
Target Upstream Version:
Embargoed:



Description Sivaram Shunmugam 2012-05-31 01:24:11 UTC
Description of problem:

There are errors in the DNS entries as detailed in section 
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Preparing_for_an_IPA_Installation.html#Preparing_for_an_IPA_Installation-DNS


2.2.4.6.1. The IPA-Generated DNS File

; ldap servers
_ldap._tcp              IN SRV 0 100 389        ipaserver.example.com

;kerberos realm
_kerberos               IN TXT EXAMPLE.COM

; kerberos servers
_kerberos._tcp          IN SRV 0 100 88         ipaserver.example.com
_kerberos._udp          IN SRV 0 100 88         ipaserver.example.com
_kerberos-master._tcp   IN SRV 0 100 88         ipaserver.example.com
_kerberos-master._udp   IN SRV 0 100 88         ipaserver.example.com
_kpasswd._tcp           IN SRV 0 100 464        ipaserver.example.com
_kpasswd._udp           IN SRV 0 100 464        ipaserver.example.com



After adding these entries into my bind configuration, I realized that I was unable to allow RHEV-M to add this as a domain.

According to KB65509:
https://access.redhat.com/knowledge/ko/node/65509

The DNS entries should be as follows:

 _kerberos._udp                  IN SRV 0 100 88  rhev.example.com.
 _kerberos._tcp                  IN SRV 0 100 88  rhev.example.com.
 _ldap._tcp                      IN SRV 0 100 389 rhev.example.com.


(Note the missing '.' at the end).

After correcting these entries, I was able to allow RHEVM to add the domain.


Version-Release number of selected component (if applicable):
6.2 Docs

How reproducible:

Always.

Steps to Reproduce:
1. Follow Documentation section 2.2.4.6.1. The IPA-Generated DNS File of the Enterprise Identity Management Guide and create DNS entries in bind.
2. Attempt to join RHEVM to the domain the IPA server is serving

  
Actual results:
1. RHEV-M is unable to join the IPA domain. "Authentication Failure"

Expected results:
1. RHEV-M should be able to join the IPA Domain.
2. Fix is to add the trailing '.' into the DNS entries.

Comment 2 Martin Kosek 2012-05-31 11:32:28 UTC
Moving to proper component.

This Bug is applicable for sections:
- 2.2.4.6.1. The IPA-Generated DNS File
- 2.5.2. Creating the Replica
- Example 8.5. SRV Record
- 8.12. Changing Load Balancing for IPA Servers and Replicas

In all these sections, SRV hostname should have the trailing '.' otherwise the SRV records won't work.
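
The failure discussed in this bug follows from zone-file name handling: a name without a trailing '.' is relative, so the server appends the zone origin to it. The check below is an added example, not part of the bug report or of the Red Hat documentation; the function name and the sample zone are constructed, and it assumes single-line records and an absolute $ORIGIN.

```python
# Constructed sample zone: two records with the relative targets quoted in the
# report, one corrected record, and one deliberately relative short name.
SAMPLE_ZONE = """\
$ORIGIN example.com.
; ldap servers
_ldap._tcp              IN SRV 0 100 389        ipaserver.example.com
; kerberos servers
_kerberos._tcp          IN SRV 0 100 88         ipaserver.example.com
_kerberos._udp          IN SRV 0 100 88         ipaserver.example.com.
_kpasswd._tcp     86400 IN SRV 0 100 464        ipaserver
"""

def find_relative_srv_targets(zone_text, origin="."):
    """Return one dict per SRV record whose target has no trailing dot.
    'served' is the name published once the origin is appended; 'doubled' is
    True when the written target already ended with the origin."""
    findings = []
    for line_no, raw in enumerate(zone_text.splitlines(), start=1):
        fields = raw.split(";", 1)[0].split()      # drop comments, tokenize
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = fields[1]                      # assumed to be absolute
            continue
        upper = [f.upper() for f in fields]
        if "SRV" not in upper:
            continue
        rdata = fields[upper.index("SRV") + 1:]    # priority weight port target
        if len(rdata) != 4 or rdata[3].endswith("."):
            continue
        target, base = rdata[3], origin.strip(".")
        findings.append({
            "line": line_no,
            "owner": "(inherited)" if raw[:1].isspace() else fields[0],
            "target": target,
            "served": f"{target}.{base}." if base else f"{target}.",
            "doubled": bool(base) and ("." + target.lower()).endswith("." + base.lower()),
        })
    return findings

if __name__ == "__main__":
    for f in find_relative_srv_targets(SAMPLE_ZONE):
        flag = "LIKELY MISSING DOT" if f["doubled"] else "relative"
        print(f'line {f["line"]}: {f["owner"]} -> {f["served"]} [{flag}]')
```

A relative short name such as `ipaserver` is reported but not flagged as doubled, because its expansion is the intended host name.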

