Bug 966046 - [RHEVM][backend] rhevm-manage-domains -action=add with use of -ldapServers=IP fails
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine (Show other bugs)
Version: 3.2.0
Hardware: x86_64 Linux
Priority: unspecified  Severity: high
Target Milestone: ---
Target Release: 3.3.0
Assigned To: Ravi Nori
infra
Keywords: Triaged
Depends On:
Blocks: ldap_server_per_dom
Reported: 2013-05-22 07:03 EDT by Martin Pavlik
Modified: 2016-02-10 14:43 EST (History)

See Also:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
When adding an Active Directory (AD) domain with the rhevm-manage-domains command, the ldapServers parameter only accepts host names and rejects IPv4 addresses. To work around this issue, the AD server needs to have a Service Principal Name (SPN) registered for the IP address of the LDAP server. Run the following commands on the AD server:
1. List all registered Service Principal Names: setspn.exe -L <ad_host_name>
2. Add the LDAP server IP to the list of registered SPNs: setspn.exe -S "ldap/${AD_host_ip}" <AD_host_name>
For more information see http://technet.microsoft.com/en-us/library/cc731241%28v=ws.10%29.aspx
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-08 09:53:57 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
dns_PTR_tcpdump (10.24 KB, application/vnd.tcpdump.pcap), 2013-05-22 07:03 EDT, Martin Pavlik


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 414323 None None None Never

Description Martin Pavlik 2013-05-22 07:03:00 EDT
Created attachment 751658 [details]
dns_PTR_tcpdump

This bug is a result of testing bug 894681

Description of problem:
An attempt to add domain rhev.example.cz using IPs (parameter -ldapServers=10.34.63.50,10.34.63.51) fails.

10.34.63.50 (ps-ad1.rhev.example.cz) and 10.34.63.51 (ps-ad2.rhev.example.cz) are working LDAP servers.

PTR records are correct and are returned to rhevm (see the attached tcpdump file).
The user exists in AD and can be used (see the host name variant at the bottom).

[root@mp-rhevm32 ~]# rhevm-manage-domains -action=add -domain=rhev.example.cz -user=ppepa -provider=ActiveDirectory -passwordFile=$pwdFile -addPermissions -ldapServers=10.34.63.50,10.34.63.51
Error: LDAP query Failed. Error in DNS configuration. Please verify the Engine host has a valid reverse DNS (PTR) record.
Error: LDAP query Failed. Error in DNS configuration. Please verify the Engine host has a valid reverse DNS (PTR) record.
Failure while testing domain rhev.example.cz. Details: No user information was found for user

[root@mp-rhevm32 ~]# tail -6 /var/log/ovirt-engine/engine-manage-domains.log
2013-05-22 09:22:53,657 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): rhev.example.cz
2013-05-22 09:22:53,689 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): rhev.example.cz
2013-05-22 09:22:53,689 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: rhev.example.cz
2013-05-22 09:22:53,831 ERROR [org.ovirt.engine.core.utils.kerberos.JndiAction] Error during login to kerberos. Detailed information is: GSS initiate failed
2013-05-22 09:22:53,845 ERROR [org.ovirt.engine.core.utils.kerberos.JndiAction] Error during login to kerberos. Detailed information is: GSS initiate failed
2013-05-22 09:22:53,848 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain rhev.example.cz. Details: No user information was found for user


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1.  rhevm-manage-domains -action=add -domain=YOUR_DOMAIN -user=YOUR_USER -provider=ActiveDirectory -passwordFile=$pwdFile -addPermissions -ldapServers=YOUR_LDAP_SERVER_IP

Actual results:
Adding a domain with use of -ldapServers=LDAP1_IP,LDAP2_IP fails.

Expected results:
The domain is added.

Additional info:
######################################
Variant with host names works fine:
rhevm-manage-domains -action=add -domain=rhev.example.cz -user=ppepa -provider=ActiveDirectory -passwordFile=$pwdFile -addPermissions -ldapServers=ps-ad1.rhev.example.cz,ps-ad2.rhev.example.cz

user ppepa can log into rhevm and records for domain rhev.example.cz are in vdc_options: LdapServers rhev.example.cz:ps-ad1.rhev.example.cz;ps-ad2.rhev.example.cz

######################################
Comment 2 Ravi Nori 2013-05-24 12:14:57 EDT
This issue is not an issue with manage domains/java. We need to modify the settings on the ad server.

The Active Directory server needs to have an entry for the IP address of the AD server.

Executing the following commands on the AD server host should fix the issue:

1. setspn.exe -L <ad_host_name> 

will list all registered SPNs.

2. setspn.exe -S "ldap/<ad_host_ip>" <ad_host_name> 

should add ldap/<ip> to the list of registered SPNs.

Once the above is executed, manage domains should be able to add the AD server using its IP address.

Link to the document on the Microsoft website: http://technet.microsoft.com/en-us/library/cc731241%28v=ws.10%29.aspx

Please make sure the permissions are granted to the administrator for writing SPNs (follow the instructions on the MS website); otherwise the newly added SPN won't be persisted and will disappear from the list in 5 minutes.
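A pre-flight check for the SPN requirement behind comment 2, as an added example that is not part of the bug report or of ovirt-engine: it parses the LdapServers value in the form the engine stores it (domain:server;server) and the output of `setspn.exe -L` for each AD host (constructed samples here), and reports which `ldap/<server>` SPNs are still missing. The function names and the sample setspn output are assumptions for illustration.

```python
"""Cross-check -ldapServers values against the SPNs an AD host has registered.

Added example, not part of the bug report or of ovirt-engine. The engine binds to
LDAP with GSSAPI, so the KDC must hold a service principal ldap/<value> for every
value passed in -ldapServers: host names normally have one, IP addresses do not
until one is registered with `setspn.exe -S` as described in comment 2.
"""

# LdapServers value in the format the engine stores in vdc_options (from the report).
LDAP_SERVERS_OPTION = "rhev.example.cz:10.34.63.50;10.34.63.51"

# Constructed samples of `setspn.exe -L <ad_host_name>` output for the two AD hosts.
# ps-ad1 already has an SPN for its IP; ps-ad2 does not.
SETSPN_PS_AD1 = """\
Registered ServicePrincipalNames for CN=PS-AD1,OU=Domain Controllers,DC=rhev,DC=example,DC=cz:
        ldap/ps-ad1.rhev.example.cz/rhev.example.cz
        ldap/ps-ad1.rhev.example.cz
        ldap/10.34.63.50
        HOST/ps-ad1.rhev.example.cz
"""
SETSPN_PS_AD2 = """\
Registered ServicePrincipalNames for CN=PS-AD2,OU=Domain Controllers,DC=rhev,DC=example,DC=cz:
        ldap/ps-ad2.rhev.example.cz/rhev.example.cz
        ldap/ps-ad2.rhev.example.cz
        HOST/ps-ad2.rhev.example.cz
"""

def parse_ldap_servers(option):
    """Split 'domain:server1;server2' into (domain, [server1, server2])."""
    domain, _, servers = option.partition(":")
    return domain, [s.strip() for s in servers.split(";") if s.strip()]

def parse_setspn_output(text):
    """Return the SPNs listed by setspn -L, lower-cased (AD matches SPNs case-insensitively)."""
    return {line.strip().lower() for line in text.splitlines()
            if "/" in line and not line.lstrip().startswith("Registered")}

def missing_ldap_spns(option, setspn_outputs):
    """List the ldap/<server> SPNs that none of the AD hosts has registered."""
    registered = set().union(*(parse_setspn_output(o) for o in setspn_outputs))
    _, servers = parse_ldap_servers(option)
    return [f"ldap/{s}" for s in servers if f"ldap/{s}".lower() not in registered]

if __name__ == "__main__":
    for spn in missing_ldap_spns(LDAP_SERVERS_OPTION, [SETSPN_PS_AD1, SETSPN_PS_AD2]):
        # GSS initiate fails for this server until the SPN exists on its AD account
        print(f"{spn} not registered; on the AD host run: setspn.exe -S {spn} <AD_host_name>")
```

With the samples above it reports only `ldap/10.34.63.51`, matching the comment 2 procedure that has to be repeated per AD host.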
Comment 3 Martin Pavlik 2013-05-27 05:12:03 EDT
I can confirm that the procedure mentioned in comment 2 works. After modifying the AD servers they can be added to rhevm using IPs, and the user could successfully log in to rhevm.

2013-05-27 11:07:38,839 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): rhev.example.cz
2013-05-27 11:07:38,885 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): rhev.example.cz
2013-05-27 11:07:38,886 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: rhev.example.cz
2013-05-27 11:07:39,514 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully tested kerberos configuration for domain: rhev.example.cz
2013-05-27 11:07:39,531 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Performing backup of kerberos configuration file to /etc/ovirt-engine/krb5.conf.backup_20130527110739CEST
2013-05-27 11:07:39,537 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Applying kerberos configuration
2013-05-27 11:07:39,539 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomainsDAOImpl] uuid: 88febd50-b3ac-43ce-865e-9a0107d40d61 username: ppepa@RHEV.EXAMPLE.CZ domain: rhev.example.cz
2013-05-27 11:07:39,690 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomainsDAOImpl] Setting value for AdUserName to rhev.example.cz:ppepa@RHEV.EXAMPLE.CZ
2013-05-27 11:07:41,966 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomainsDAOImpl] Setting value for AdUserPassword to rhev.example.cz:********
2013-05-27 11:07:44,308 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomainsDAOImpl] Setting value for LdapServers to rhev.example.cz:10.34.63.50;10.34.63.51
2013-05-27 11:07:46,234 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomainsDAOImpl] Setting value for AdUserId to rhev.example.cz:88febd50-b3ac-43ce-865e-9a0107d40d61
2013-05-27 11:07:47,901 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomainsDAOImpl] Setting value for LDAPSecurityAuthentication to rhev.example.cz:GSSAPI
2013-05-27 11:07:50,385 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomainsDAOImpl] Setting value for DomainName to rhev.example.cz
2013-05-27 11:07:52,743 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomainsDAOImpl] Setting value for LDAPProviderTypes to rhev.example.cz:activeDirectory
Comment 4 Andrew Cathrow 2013-07-08 09:53:57 EDT
Closing as not a bug - please refer to Kbase 414323.
