Description of problem:
Ldap server information can be retrieved via:
1. ldapServers configuration value - but it holds only one ldap server per domain
2. If 1 does not exist per domain - using DNS SRV query

We should extend 1 to support multiple servers per domain.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Suggested upstream patch - http://gerrit.ovirt.org/#/c/11065/
(In reply to comment #11)
> (In reply to comment #9)
> > QE: Also please verify that if we add servers A,B,C (from a domain that has
> > servers A,B,C,D for example) that the order of the *Kerberos* servers in
> > krb5.conf is A,B,C,D.
>
> Yaniv,
> In order to test what you said (and actually, this is a very important note
> regarding the RFE)
>
> I don't think we will be able to use the
>
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> with values of true (we will not have control on how the KDCs are ordered).
>
> This is currently controlled by a boolean flag at
> /etc/ovirt-engine/manage-domains/manage-domains.conf -
>
> useDnsLookup=false
>
> I guess this should be moved as an optional flag to manage-domains (and not
> be contained in the configuration) and if -ldapServers is used, the values
> of dns_lookup_realm and of dns_lookup_kdc should be set to false.
>
> Thoughts about this?

If you are using specific LDAP servers, it only makes sense to use specific Kerberos servers. In fact, it makes sense to use the same server for both LDAP and Kerberos.
(In reply to comment #12)
> (In reply to comment #11)
> > (In reply to comment #9)
> > > QE: Also please verify that if we add servers A,B,C (from a domain that has
> > > servers A,B,C,D for example) that the order of the *Kerberos* servers in
> > > krb5.conf is A,B,C,D.
> >
> > Yaniv,
> > In order to test what you said (and actually, this is a very important note
> > regarding the RFE)
> >
> > I don't think we will be able to use the
> >
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> >
> > with values of true (we will not have control on how the KDCs are ordered).
> >
> > This is currently controlled by a boolean flag at
> > /etc/ovirt-engine/manage-domains/manage-domains.conf -
> >
> > useDnsLookup=false
> >
> > I guess this should be moved as an optional flag to manage-domains (and not
> > be contained in the configuration) and if -ldapServers is used, the values
> > of dns_lookup_realm and of dns_lookup_kdc should be set to false.
> >
> > Thoughts about this?
>
> If you are using specific LDAP servers, it only makes sense to use specific
> Kerberos servers. In fact, it makes sense to use the same server for both
> LDAP and Kerberos.

Due to krb5LoginModule limitation, this is currently not possible.
Putting to ASSIGNED because attempt to add domain rhev.example.cz with use of IPs (parameter -ldapServers=10.34.63.50,10.34.63.51) fails.
10.34.63.50 (ps-ad1.rhev.example.cz), 10.34.63.51 (ps-ad2.rhev.example.cz) are working LDAP servers.
PTR records are correct and are returned to rhevm (see attached tcpdump file).
User in AD exists and can be used (see host name variant on bottom).

[root@mp-rhevm32 ~]# rhevm-manage-domains -action=add -domain=rhev.example.cz -user=ppepa -provider=ActiveDirectory -passwordFile=$pwdFile -addPermissions -ldapServers=10.34.63.50,10.34.63.51
Error: LDAP query Failed. Error in DNS configuration. Please verify the Engine host has a valid reverse DNS (PTR) record.
Error: LDAP query Failed. Error in DNS configuration. Please verify the Engine host has a valid reverse DNS (PTR) record.
Failure while testing domain rhev.example.cz. Details: No user information was found for user

[root@mp-rhevm32 ~]# tail -6 /var/log/ovirt-engine/engine-manage-domains.log
2013-05-22 09:22:53,657 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): rhev.example.cz
2013-05-22 09:22:53,689 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): rhev.example.cz
2013-05-22 09:22:53,689 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: rhev.example.cz
2013-05-22 09:22:53,831 ERROR [org.ovirt.engine.core.utils.kerberos.JndiAction] Error during login to kerberos. Detailed information is: GSS initiate failed
2013-05-22 09:22:53,845 ERROR [org.ovirt.engine.core.utils.kerberos.JndiAction] Error during login to kerberos. Detailed information is: GSS initiate failed
2013-05-22 09:22:53,848 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain rhev.example.cz.
Details: No user information was found for user

######################################
Variant with host names works fine:

rhevm-manage-domains -action=add -domain=rhev.example.cz -user=ppepa -provider=ActiveDirectory -passwordFile=$pwdFile -addPermissions -ldapServers=ps-ad1.rhev.example.cz,ps-ad2.rhev.example.cz

user ppepa can log into rhevm and records for domain rhev.example.cz are in vdc_options:
LdapServers rhev.example.cz:ps-ad1.rhev.example.cz;ps-ad2.rhev.example.cz
######################################
Yair Zaslavsky managed to reproduce the issue on his upstream environment
Created attachment 751644: dns_PTR_tcpdump
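The krb5.conf behaviour discussed in comments #11 and #12 (explicit -ldapServers hosts become the KDC list in the given order, with dns_lookup_realm and dns_lookup_kdc switched off so SRV ordering cannot override them), together with the QE observation that IP literals fail where host names work, can be modelled and checked with a small script. The following is an added example written for this page; it is not oVirt/RHEV code. It assumes the comma-separated -ldapServers syntax and the `domain:host1;host2` vdc_options syntax seen in the report, and that several domains in one vdc_options value would be comma-separated (an assumption, the report shows only one domain); the helper names are hypothetical.

```python
"""Render a krb5.conf fragment from explicitly configured directory servers.

Added example, not oVirt/RHEV code. When an administrator names servers via
-ldapServers, the same hosts are emitted as KDCs in the same order and DNS
lookup of realms/KDCs is disabled, so SRV records cannot reorder or replace
them. When no servers are named, DNS lookup is left on (the SRV fallback).
"""
import ipaddress
from typing import Dict, List


def parse_ldap_servers_option(value: str) -> List[str]:
    """Parse the comma-separated -ldapServers value; order is preserved
    because krb5 tries KDCs in the order they are listed."""
    return [s.strip() for s in value.split(",") if s.strip()]


def parse_vdc_ldap_servers(value: str) -> Dict[str, List[str]]:
    """Parse a vdc_options LdapServers value: 'domain:host1;host2'.
    Several domains separated by ',' is an assumption of this example."""
    result: Dict[str, List[str]] = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        domain, _, hosts = entry.partition(":")
        result[domain.lower()] = [h.strip() for h in hosts.split(";") if h.strip()]
    return result


def ip_literals(servers: List[str]) -> List[str]:
    """Return entries that are IP addresses rather than host names, so a
    tool can warn before writing them: the report shows the IP variant
    failing with 'GSS initiate failed' while host names work."""
    found = []
    for s in servers:
        try:
            ipaddress.ip_address(s)
            found.append(s)
        except ValueError:
            pass
    return found


def render_krb5_conf(domains: Dict[str, List[str]]) -> str:
    """Build [libdefaults], [realms] and [domain_realm] for the given
    domain -> KDC list mapping. Any explicit server disables DNS lookup."""
    explicit = any(domains.values())
    lookup = "false" if explicit else "true"
    lines = [
        "[libdefaults]",
        f"    dns_lookup_realm = {lookup}",
        f"    dns_lookup_kdc = {lookup}",
        "",
        "[realms]",
    ]
    for domain, servers in domains.items():
        realm = domain.upper()
        lines.append(f"    {realm} = {{")
        for host in servers:          # same hosts, same order as given
            lines.append(f"        kdc = {host}")
        lines.append(f"        default_domain = {domain}")
        lines.append("    }")
    lines += ["", "[domain_realm]"]
    for domain in domains:
        lines.append(f"    .{domain} = {domain.upper()}")
        lines.append(f"    {domain} = {domain.upper()}")
    return "\n".join(lines) + "\n"


def kdc_order(conf: str, realm: str) -> List[str]:
    """Extract the kdc entries of one realm in file order, which automates
    the check requested in comment #9 (servers A,B,C stay in that order)."""
    in_realm = False
    kdcs = []
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped == f"{realm} = {{":
            in_realm = True
        elif in_realm and stripped == "}":
            break
        elif in_realm and stripped.startswith("kdc = "):
            kdcs.append(stripped[len("kdc = "):])
    return kdcs


if __name__ == "__main__":
    # Values taken from the report's working host-name variant.
    servers = parse_ldap_servers_option("ps-ad1.rhev.example.cz,ps-ad2.rhev.example.cz")
    print("IP literals to warn about:", ip_literals(servers))
    print(render_krb5_conf({"rhev.example.cz": servers}))
```

Running it on the report's IP variant (`10.34.63.50,10.34.63.51`) makes `ip_literals` return both entries, which is the point at which an administration tool would warn rather than write the configuration.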
Red Hat IT very much requires this feature. In our case, we need RHEV to use different servers from those specified in the SRV records.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0888.html