From: "René Koch (ovido)" <r.koch(a)ovido.at>
To: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
Cc: "ovirt-users" <users(a)ovirt.org>
Sent: Tuesday, April 9, 2013 10:47:08 AM
Subject: Re: [Users] DNS for IPA in oVirt
Hi,
Thanks a lot for your detailed explanation.
That means that I don't need DNS entries (forward and reverse) for oVirt
engine anymore, only SRV records for the directory service (for sure)?
So using IP or /etc/hosts is sufficient.
Regards,
René
On Mon, 2013-04-08 at 09:55 -0400, Yair Zaslavsky wrote:
> Hi,
> When you add a new domain - let's say example.com what happens from DNS
> perspective is -
>
>
> a. if useDnsLookup at engine-manage-domains conf is set to "true" then
> dns_lookup_realm = true
> and dns_lookup_kdc = true
>
> Will be placed at the krb5.conf that is being created.
> This will cause the internal java kerberos implementation to issue DNS srv
> requests per realm (for example, if you want to add the domain
> example.com, the realm will be EXAMPLE.COM)
> for kerberos -
> the srv record query will look like _kerberos._tcp.example.com and it will
> return a list of KDCs for the realm.
>
> If useDnsLookup is not set to true,
> This will cause the manage-domains utility to issue kerberos DNS srv
> records, and fill the krb5.conf file with information on KDCs per realm.
>
>
> In return you will get a list of corresponding hosts for the ldap servers.
>
> b. If -ldapServers was not passed - a DNS srv record will be issued to get
> the ldap servers for the domain -
> _ldap._tcp.example.com after the manage-domains utility performs kerberos
> authentication.
> This is done, in order to get a URL of an ldap server to be used, to send
> an ldap query and get the user id for the given user at the command line
> utility.
>
> So, as long as your DNS is configured properly, and the SRV records are
> well defined, you will get SRV records for kerberos and ldap.
>
>
>
>
>
> ----- Original Message -----
> > From: "René Koch (ovido)" <r.koch(a)ovido.at>
> > To: "ovirt-users" <users(a)ovirt.org>
> > Sent: Friday, April 5, 2013 3:47:07 PM
> > Subject: [Users] DNS for IPA in oVirt
> >
> > Hi list,
> >
> > I don't want to ask my question in the mail thread of Eduardo to avoid
> > mixing topics.
> >
> > Can you give me more detailed information on how oVirt is using DNS
> > internally and how IPA users can work in the following scenario:
> >
> > # engine-manage-domains -action=list
> > Domain: ovido.at
> > User name: admin(a)OVIDO.AT
> > Manage Domains completed successfully
> >
> > # cat /etc/hosts | grep engine
> > 10.0.100.195 ovirt-engine.lab.ovido.at
> >
> > # ip a
> > 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UP qlen 1000
> > link/ether 00:1a:4a:00:64:14 brd ff:ff:ff:ff:ff:ff
> > inet 10.0.100.195/24 brd 10.0.100.255 scope global eth0
> >
> > # host ovirt-engine.lab.ovido.at
> > ovirt-engine.lab.ovido.at has address 10.0.100.24
> >
> > # host 10.0.100.24
> > 24.100.0.10.in-addr.arpa domain name pointer ovirt-engine.lab.ovido.at.
> >
> > So in my case I have correct DNS settings (forward and reverse), but my
> > ovirt-engine host has a totally different IP address.
> >
> > I didn't test SSO with Kerberos in user portal (maybe this won't work),
> > but authentication with IPA user in user portal and admin portal is
> > working fine even with this totally wrong DNS configuration.
> >
> >
> > Regards,
> > René
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users(a)ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> >