Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 966046

Summary: [RHEVM][backend] rhevm-manage-domains -action=add with use of -ldapServers=IP fails
Product: Red Hat Enterprise Virtualization Manager Reporter: Martin Pavlik <mpavlik>
Component: ovirt-engineAssignee: Ravi Nori <rnori>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.2.0CC: acathrow, bazulay, chetan, iheim, jkt, lpeer, lyarwood, omachace, pstehlik, Rhev-m-bugs, rnori, yeylon
Target Milestone: ---Keywords: Triaged
Target Release: 3.3.0   
Hardware: x86_64   
OS: Linux   
Whiteboard: infra
Fixed In Version: Doc Type: Known Issue
Doc Text:
When adding an Active Directory (AD) domain with the rhevm-manage-domains command, the ldapServers parameter only accepts host names and rejects IPv4 addresses. To work around this issue, the AD server needs to have a Service Principal Name (SPN) registered for the IP address of the LDAP server. Run the following commands on the AD server: 1. List all registered Service Principal Names: setspn.exe -L <ad_host_name> 2. Add the ldap server IP to the list of registered SPNs setspn.exe -S "ldap/${AD_host_ip}" <AD_host_name> For more information see http://technet.microsoft.com/en-us/library/cc731241%28v=ws.10%29.aspx
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-08 13:53:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 894681    
Attachments:
Description Flags
dns_PTR_tcpdump none

Description Martin Pavlik 2013-05-22 11:03:00 UTC 
Created attachment 751658 [details]
dns_PTR_tcpdump

This bug is a result of testing bug 894681

Description of problem:
Attempt add domain rhev.example.cz with use of IPs (parameter -ldapServers=10.34.63.50,10.34.63.51) fails.

10.34.63.50 (ps-ad1.rhev.example.cz),10.34.63.51(ps-ad2.rhev.example.cz) are working LDAP servers.

PTR records are correct and are returned to rhevm (see attached tcpdump file)
User in AD exists and can be used (see host name variant on bottom)

[root@mp-rhevm32 ~]# rhevm-manage-domains -action=add -domain=rhev.example.cz -user=ppepa -provider=ActiveDirectory -passwordFile=$pwdFile -addPermissions -ldapServers=10.34.63.50,10.34.63.51
Error: LDAP query Failed. Error in DNS configuration. Please verify the Engine host has a valid reverse DNS (PTR) record.
Error: LDAP query Failed. Error in DNS configuration. Please verify the Engine host has a valid reverse DNS (PTR) record.
Failure while testing domain rhev.example.cz. Details: No user information was found for user

[root@mp-rhevm32 ~]# tail -6 /var/log/ovirt-engine/engine-manage-domains.log
2013-05-22 09:22:53,657 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): rhev.example.cz
2013-05-22 09:22:53,689 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): rhev.example.cz
2013-05-22 09:22:53,689 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: rhev.example.cz
2013-05-22 09:22:53,831 ERROR [org.ovirt.engine.core.utils.kerberos.JndiAction] Error during login to kerberos. Detailed information is: GSS initiate failed
2013-05-22 09:22:53,845 ERROR [org.ovirt.engine.core.utils.kerberos.JndiAction] Error during login to kerberos. Detailed information is: GSS initiate failed
2013-05-22 09:22:53,848 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain rhev.example.cz. Details: No user information was found for user


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1.  rhevm-manage-domains -action=add -domain=YOUR_DOMAIN -user=YOUR_USER -provider=ActiveDirectory -passwordFile=$pwdFile -addPermissions -ldapServers=YOUR_LDAP_SERVER_IP

Actual results:
adding domain with user of -ldapServers=LDAP1_IP,LDAP2_IP fails

Expected results:
domain is added

Additional info:
######################################
Variant with host names works fine:
rhevm-manage-domains -action=add -domain=rhev.example.cz -user=ppepa -provider=ActiveDirectory -passwordFile=$pwdFile -addPermissions -ldapServers=ps-ad1.rhev.example.cz,ps-ad2.rhev.example.cz

user ppepa can log into rhevm and records for domain rhev.example.cz are in vdc_options: LdapServers rhev.example.cz:ps-ad1.rhev.example.cz;ps-ad2.rhev.example.cz

######################################
Comment 2 Ravi Nori 2013-05-24 16:14:57 UTC 
This issue is not an issue with manage domains/java. We need to modify the settings on the ad server.

The active directory server needs to have an entry for the ip address of the ad server.

executing the following commands on ad server host should fix the issue

1. setspn.exe -L <ad_host_name> 

will list all registered SPNs

2. setspn.exe -S "ldap/<ad_host_ip>" <ad_host_name> 

should add the ldap/<ip> to the list of registered SPNs

Once the above is executed manage domains should be able to add the ad server using ip address.

Link to document on microsoft website http://technet.microsoft.com/en-us/library/cc731241%28v=ws.10%29.aspx

Please make sure the permissions are granted for administrator for writing SPNs (follow instruction in ms website), other wise the newly added SPN wont be persisted and will disappear from the list in 5 minutes.
Comment 3 Martin Pavlik 2013-05-27 09:12:03 UTC 
I can confirm that procedure mentioned in comment 2 works. After modifying AD servers they can be added to rhevm with use of IPs, user could successfully log in rhevm.

2013-05-27 11:07:38,839 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): rhev.example.cz
2013-05-27 11:07:38,885 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): rhev.example.cz
2013-05-27 11:07:38,886 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: rhev.example.cz
2013-05-27 11:07:39,514 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully tested kerberos configuration for domain: rhev.example.cz
2013-05-27 11:07:39,531 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Performing backup of kerberos configuration file to /etc/ovirt-engine/krb5.conf.backup_20130527110739CEST
2013-05-27 11:07:39,537 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Applying kerberos configuration
2013-05-27 11:07:39,539 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomainsDAOImpl] uuid: 88febd50-b3ac-43ce-865e-9a0107d40d61 username: ppepa.CZ domain: rhev.example.cz
2013-05-27 11:07:39,690 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomainsDAOImpl] Setting value for AdUserName to rhev.example.cz:ppepa.CZ
2013-05-27 11:07:41,966 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomainsDAOImpl] Setting value for AdUserPassword to rhev.example.cz:********
2013-05-27 11:07:44,308 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomainsDAOImpl] Setting value for LdapServers to rhev.example.cz:10.34.63.50;10.34.63.51
2013-05-27 11:07:46,234 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomainsDAOImpl] Setting value for AdUserId to rhev.example.cz:88febd50-b3ac-43ce-865e-9a0107d40d61
2013-05-27 11:07:47,901 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomainsDAOImpl] Setting value for LDAPSecurityAuthentication to rhev.example.cz:GSSAPI
2013-05-27 11:07:50,385 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomainsDAOImpl] Setting value for DomainName to rhev.example.cz
2013-05-27 11:07:52,743 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomainsDAOImpl] Setting value for LDAPProviderTypes to rhev.example.cz:activeDirectory
Comment 4 Andrew Cathrow 2013-07-08 13:53:57 UTC 
Closing as not bug - please refer to Kbase 414323