Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 904163

Summary: rhevm-manage-domains - problematic combination of AD and IPA domains
Product: Red Hat Enterprise Virtualization Manager
Reporter: Jiri Belka <jbelka>
Component: ovirt-engine
Assignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED DUPLICATE
Severity: urgent
Priority: urgent
Version: 3.2.0
CC: acathrow, dyasny, iheim, lpeer, Rhev-m-bugs, sgrinber, yeylon, ykaul, yzaslavs
Target Milestone: ---
Keywords: Regression, TestBlocker
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: infra
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-01-30 11:40:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Infra
Cloudforms Team: ---
Bug Blocks: 731763
Attachments (description, flags):
  ad then ipa, none
  ipa then ad, none

Description Jiri Belka 2013-01-25 16:09:10 UTC
Description of problem:

1. When I try to add IPA domain after AD domain, there's an error, although IPA domain was added, but searching inside AD in Admin Portal doesn't work.

> # rhevm-manage-domains -action=add -domain=rhev.lab.eng.brq.redhat.com -provider=ActiveDirectory -user=vdcadmin -interactive
Enter password:

The domain rhev.lab.eng.brq.redhat.com has been added to the engine as an authentication source but no users from that domain have been granted permissions within the oVirt Manager.
Users from this domain can be granted permissions from the Web administration interface.
oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).
Manage Domains completed successfully

> # cat /etc/ovirt-engine/krb5.conf 

[libdefaults]

default_realm = RHEV.LAB.ENG.BRQ.REDHAT.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = no
default_tkt_enctypes = arcfour-hmac-md5
udp_preference_limit = 1

#realms

#domain_realm

> # rhevm-manage-domains -action=add -domain=brq-ipa.rhev.lab.eng.brq.redhat.com -provider=IPA -user=vdcadmin -interactive                    
Enter password:

Error: Kerberos error. Please check log for further details.
WARNING, domain: rhev.lab.eng.brq.redhat.com may not be functional: Failure while testing domain rhev.lab.eng.brq.redhat.com. Details: No user information was found for user
The domain brq-ipa.rhev.lab.eng.brq.redhat.com has been added to the engine as an authentication source but no users from that domain have been granted permissions within the oVirt Manager.
Users from this domain can be granted permissions from the Web administration interface.
oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).
Manage Domains completed successfully

> # cat /etc/ovirt-engine/krb5.conf

[libdefaults]

default_realm = BRQ-IPA.RHEV.LAB.ENG.BRQ.REDHAT.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = no
default_tkt_enctypes = arcfour-hmac-md5
udp_preference_limit = 1

#realms

#domain_realm

> see attachment ad_then_ipa.txt for engine-manage-domains.log and engine.log info


2. When I try to add AD domain after IPA domain, there's an error, but searching inside AD in Admin Portal doesn't work.

> # rhevm-manage-domains -action=add -domain=brq-ipa.rhev.lab.eng.brq.redhat.com -provider=IPA -user=vdcadmin -interactive
Enter password:

The domain brq-ipa.rhev.lab.eng.brq.redhat.com has been added to the engine as an authentication source but no users from that domain have been granted permissions within the oVirt Manager.
Users from this domain can be granted permissions from the Web administration interface.
oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).
Manage Domains completed successfully

> # cat /etc/ovirt-engine/krb5.conf 

[libdefaults]

default_realm = BRQ-IPA.RHEV.LAB.ENG.BRQ.REDHAT.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = no
default_tkt_enctypes = arcfour-hmac-md5
udp_preference_limit = 1

#realms

#domain_realm

> # rhevm-manage-domains -action=add -domain=rhev.lab.eng.brq.redhat.com -provider=ActiveDirectory -user=vdcadmin -interactive
Enter password:

Error: LDAP query Failed. Error in DNS configuration. Please verify the Engine host has a valid reverse DNS (PTR) record.
WARNING, domain: brq-ipa.rhev.lab.eng.brq.redhat.com may not be functional: Failure while testing domain brq-ipa.rhev.lab.eng.brq.redhat.com. Details: No user information was found for user
Error: Kerberos error. Please check log for further details.
Failure while testing domain rhev.lab.eng.brq.redhat.com. Details: No user information was found for user

> see attachment ipa_then_ad.txt for engine-manage-domains.log and engine.log info

Version-Release number of selected component (if applicable):
sf4

How reproducible:


Steps to Reproduce:
1. add AD, then IPA, restart engine, search for users in Admin Portal
2. add IPA, then AD
  
Actual results:
adding multiple domains does not work

Expected results:
working multiple domains

Additional info:
it used to work in 3.1

Comment 1 Jiri Belka 2013-01-25 16:11:17 UTC
Created attachment 687530
ad then ipa

Comment 3 Jiri Belka 2013-01-25 16:11:44 UTC
Created attachment 687531
ipa then ad

Comment 4 Yair Zaslavsky 2013-01-30 11:40:41 UTC

*** This bug has been marked as a duplicate of bug 905291 ***