Bug 1062172 - useDnsLookup flag is ignored at rhevm-manage-domains - krb5.conf file will always contain realms and "domain_realm" section
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-config
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 3.4.0
Assignee: Yair Zaslavsky
QA Contact: Jiri Belka
URL:
Whiteboard: infra
Depends On:
Blocks: 1063286 rhev3.4beta 1142926
Reported: 2014-02-06 12:01 UTC by Yair Zaslavsky
Modified: 2016-02-10 19:20 UTC (History)
CC List: 10 users

Fixed In Version: ovirt-3.4.0-beta3
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1063286 (view as bug list)
Environment:
Last Closed:
oVirt Team: Infra
Target Upstream Version:


Attachments: (none)

Links:
System: oVirt gerrit, ID: 24190, Priority: None, Status: None, Summary: None, Last Updated: Never

Description Yair Zaslavsky 2014-02-06 12:01:40 UTC
Description of problem:

The useDnsLookup flag is ignored by rhevm-manage-domains, and the krb5.conf file always contains the [realms] and [domain_realm] sections and has
dns_lookup_realm and dns_lookup_kdc set to false.
This, together with the wrong assumption that the KDCs and the LDAP servers are always co-hosted on the same machine, is problematic, as it provides no way to use rhevm-manage-domains to add domains in which the KDCs and the LDAP servers are not co-hosted on the same host.

Version-Release number of selected component (if applicable):


How reproducible:

Always, with the proper environment.


Steps to Reproduce:
1. Have an environment in which the KDC and the LDAP server are not co-hosted on the same machine.
2. Use rhevm-manage-domains to add this domain.

Actual results:

The domain will not be added.


Expected results:

The domain should be added.


Additional info:

Comment 1 Yair Zaslavsky 2014-02-07 07:12:16 UTC
Actually the [domain_realm] should exist in case there is more than one domain.

Comment 3 Sandro Bonazzola 2014-02-19 12:27:27 UTC
This bug is referenced in ovirt-engine-3.4.0-beta3 logs. Moving to ON_QA

Comment 4 Jiri Belka 2014-03-06 11:01:08 UTC
I suppose this BZ obsoletes this comment - https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5, right?

Comment 5 Yair Zaslavsky 2014-03-06 11:45:32 UTC
(In reply to Jiri Belka from comment #4)
> I suppose this BZ obsoletes this comment -
> https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5, right?

Not so sure, this does not have to do with co-hosting, but rather with the domain and the realm definitions.

Comment 6 Jiri Belka 2014-03-06 15:29:18 UTC
So is the output below enough for verification? The reproduction steps talk about 'co-hosting' and comment #5 seems to me a contradiction of that.

# grep ^dns /etc/ovirt-engine/krb5.conf 
dns_lookup_realm = true
dns_lookup_kdc = true

In either case more info about verification steps would be appreciated.

Comment 7 Yair Zaslavsky 2014-03-06 21:39:43 UTC
(In reply to Jiri Belka from comment #6)
> So is output below enough for verification? Reproduction steps talk about
> 'co-hosting' and comment #5 seems to me as a contradiction to that.
> 
> # grep ^dns /etc/ovirt-engine/krb5.conf 
> dns_lookup_realm = true
> dns_lookup_kdc = true
> 
> In either case more info about verification steps would be appreciated.

First, sorry for comment #5 - it is wrong.

You should verify with two "domains".
The comment about co-hosting is meant to emphasize the importance of the fix - I will try to elaborate -
before the fix, both the [realms] section and the [domain_realm] section appeared for more than 1 domain, and the [realms] section KDCs were populated with the LDAP servers, but this is wrong.

dns_lookup_kdc=true will cause the Java Kerberos implementation to look up the KDC in DNS.

I hope this is more clear now.

Comment 8 Yair Zaslavsky 2014-03-06 21:40:22 UTC
In addition, the output you suggested is enough for one domain. What is the output you see for two domains?

Comment 9 Jiri Belka 2014-03-07 13:30:46 UTC
ok, av2.1/rhevm-tools-3.4.0-0.3.master.el6ev.noarch

with more domains DNS queries are on...

# cat /etc/ovirt-engine/krb5.conf

[libdefaults]

default_realm = BRQ-IPA.RHEV.LAB.ENG.BRQ.REDHAT.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = no
default_tkt_enctypes = arcfour-hmac-md5
udp_preference_limit = 1

#realms

 [domain_realm]
        brq-ipa.rhev.lab.eng.brq.redhat.com = BRQ-IPA.RHEV.LAB.ENG.BRQ.REDHAT.COM
        ad-w2k12r2.rhev.lab.eng.brq.redhat.com = AD-W2K12R2.RHEV.LAB.ENG.BRQ.REDHAT.COM
        ad-w2k8r2.rhev.lab.eng.brq.redhat.com = AD-W2K8R2.RHEV.LAB.ENG.BRQ.REDHAT.COM

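The following is an added example, not code from rhevm-manage-domains or ovirt-engine. It models the post-fix behaviour described in comment #7 and shown in comment #9: when DNS lookup is on, dns_lookup_realm and dns_lookup_kdc are true, no [realms] section is written (so an LDAP server can never end up listed as a KDC), and [domain_realm] is emitted only when more than one domain is configured. It also includes a small parser and the check a verifier would run over the generated file. All hostnames in the test data are constructed sample values; the function names are this example's own.

```python
"""Render and sanity-check an engine-style krb5.conf for one or more domains.

Added example, not the code of rhevm-manage-domains or ovirt-engine. It models
the post-fix behaviour: with DNS lookup enabled no [realms] section is written
(so an LDAP host can never be written as a KDC) and [domain_realm] appears
only when more than one domain is configured. Hostnames are constructed.
"""
import re
from collections import OrderedDict


def render_krb5_conf(domains, default_realm=None, use_dns_lookup=True, kdcs=None):
    """Return krb5.conf text for the given DNS domain names.

    kdcs: {REALM: [kdc_host, ...]}, required only when use_dns_lookup is False.
    Realm names are the upper-cased domain names, as in the page's output.
    """
    if not domains:
        raise ValueError("at least one domain is required")
    realms = [d.upper() for d in domains]
    dns = "true" if use_dns_lookup else "false"
    out = [
        "[libdefaults]",
        f"default_realm = {default_realm or realms[0]}",
        f"dns_lookup_realm = {dns}",
        f"dns_lookup_kdc = {dns}",
        "ticket_lifetime = 24h",
        "renew_lifetime = 7d",
        "forwardable = no",
        "udp_preference_limit = 1",
        "",
    ]
    if not use_dns_lookup:
        # Without DNS SRV lookup every realm needs explicit KDCs, and they must
        # be real KDC hosts; writing the LDAP servers here is the reported bug.
        missing = [r for r in realms if not (kdcs or {}).get(r)]
        if missing:
            raise ValueError(f"no KDCs given for realm(s) {missing} and DNS lookup is off")
        out.append("[realms]")
        for r in realms:
            out.append(f"{r} = {{")
            out.extend(f"    kdc = {host}" for host in kdcs[r])
            out.append("}")
        out.append("")
    if len(domains) > 1:
        # Only needed to map each DNS domain to its realm when several exist.
        out.append("[domain_realm]")
        out.extend(f"    {d} = {r}" for d, r in zip(domains, realms))
        out.append("")
    return "\n".join(out)


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: [(key, value), ...]}.

    Keys inside a 'REALM = { ... }' block are flattened to 'REALM.key'.
    '#' comments and blank lines are ignored.
    """
    sections, current, sub = OrderedDict(), None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"directive outside any section: {line!r}")
        elif line.endswith("{"):
            sub = line[:-1].split("=", 1)[0].strip()
        elif line == "}":
            sub = None
        else:
            key, _, value = line.partition("=")
            key = f"{sub}.{key.strip()}" if sub else key.strip()
            sections[current].append((key, value.strip()))
    return sections


def check_krb5_conf(text, expected_domains, ldap_hosts=()):
    """Return a list of problems; an empty list means the file looks consistent.

    ldap_hosts: names of the directory servers; any of them used as a 'kdc ='
    value is flagged, because that is exactly the mistake the bug reports.
    """
    conf = parse_krb5_conf(text)
    problems = []
    libdefaults = dict(conf.get("libdefaults", []))
    dns_on = all(libdefaults.get(k) == "true" for k in ("dns_lookup_realm", "dns_lookup_kdc"))
    kdc_hosts = [v for k, v in conf.get("realms", []) if k.endswith(".kdc")]
    if not dns_on and not kdc_hosts:
        problems.append("DNS lookup is off and [realms] lists no kdc: KDCs cannot be located")
    ldap = {h.lower() for h in ldap_hosts}
    for host in kdc_hosts:
        if host.lower() in ldap:
            problems.append(f"LDAP server {host} listed as a KDC")
    mapping = dict(conf.get("domain_realm", []))
    if len(expected_domains) > 1:
        for d in expected_domains:
            if mapping.get(d) != d.upper():
                problems.append(f"[domain_realm] does not map {d} to {d.upper()}")
    return problems
```

With dns_lookup_kdc = true the Java Kerberos client locates KDCs through the `_kerberos._tcp.<REALM>` (and `_udp`) SRV records, so the remaining verification step for a multi-domain setup is that those records exist for every realm in [domain_realm], e.g. `dig +short SRV _kerberos._tcp.AD-W2K12R2.RHEV.LAB.ENG.BRQ.REDHAT.COM` on the engine host; if it returns nothing, the realm is unreachable regardless of how clean krb5.conf looks.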
Comment 10 Itamar Heim 2014-06-12 14:06:59 UTC
Closing as part of 3.4.0

