From: "Cameron Christensen"
<cameron.christensen(a)uk2group.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: "Yair Zaslavsky" <yzaslavs(a)redhat.com>, users(a)ovirt.org
Sent: Tuesday, November 18, 2014 6:21:18 PM
Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
On Mon, 2014-11-17 at 16:48 -0500, Alon Bar-Lev wrote:
>
> ----- Original Message -----
> > From: "Cameron Christensen" <cameron.christensen(a)uk2group.com>
> > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > Cc: users(a)ovirt.org
> > Sent: Monday, November 17, 2014 11:43:34 PM
> > Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
> >
> >
> >
> > On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:
> > >
> > > ----- Original Message -----
> > > > From: "Cameron Christensen" <cameron.christensen(a)uk2group.com>
> > > > To: users(a)ovirt.org
> > > > Sent: Friday, November 14, 2014 5:39:54 PM
> > > > Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
> > > >
> > > > Hello,
> > > >
> > > > I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA.
> > > > Starting up ovirt-engine the extension manager fails to properly load
> > > > the service that handles Kerberos/LDAP.
> > >
> > > This is probably a bug, can you please execute the following and paste
> > > result:
> > >
> > > # PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"
> > >
> >
> >  option_id |        option_name         |    option_value    | version
> > -----------+----------------------------+--------------------+---------
> >        165 | LDAPSecurityAuthentication | example.org:GSSAPI | general
> >
> > I replaced my domain name with 'example.org'
> >
>
> I thought it will be empty... and it contains valid value. Yair?
>
Looking through the vdc_options table I noticed that many of the LDAP*
and Ad* settings use two different spellings for the Kerberos/LDAP
domain: one in all upper case letters, EXAMPLE.ORG, and one in all lower
case, example.org. (I'm guessing this is to handle either spelling of
the domain?)

I updated LDAPSecurityAuthentication and set the option_value to use
both the upper case and lower case domain name,
'EXAMPLE.ORG:GSSAPI,example.org:GSSAPI'.
select * from vdc_options where option_name = 'LDAPSecurityAuthentication';

 option_id |        option_name         |             option_value              | version
-----------+----------------------------+---------------------------------------+---------
       165 | LDAPSecurityAuthentication | EXAMPLE.ORG:GSSAPI,example.org:GSSAPI | general
Just so we can continue to investigate -
if you would like to get your ldap and kerberos SRV records, to which domain will you send
them in your setup?
dig SRV
Using both domain names I am able to authenticate, authorize and pull
account information from the IPA server once again.
Thanks for pointing me at the right location.
Cameron