From j.bittner at nbu.cz Wed Nov  6 13:13:01 2013
Content-Type: multipart/mixed; boundary="===============8432015364946218048=="
MIME-Version: 1.0
From: Jakub Bittner <j.bittner at nbu.cz>
To: users at ovirt.org
Subject: Re: [Users] oVirt and IPA
Date: Wed, 06 Nov 2013 19:12:46 +0100
Message-ID: <527A869E.8000404@nbu.cz>
In-Reply-To: CAEo=5PxWpbx1TA6K3Ovq7v7tPFT2F+hn9omN0Ng1fO91c20ZyQ@mail.gmail.com

--===============8432015364946218048==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

This is a multi-part message in MIME format.
--------------010203040703010306000907
Content-Type: text/plain; charset=3DUTF-8; format=3Dflowed
Content-Transfer-Encoding: 7bit

Dne 6.11.2013 19:04, Jim Kinney napsal(a):
> Be sure to have a mirror IPA server _NOT_on the same ovirt host AND =

> you need to be using at least 2 DNS servers AND they both must be able =

> to point kerberos lookups to all IPA servers. I have my main IPA =

> server as a vm and a secondary on a physical system I run backups from.
>
>
>
>
> On Wed, Nov 6, 2013 at 12:49 PM, Jakub Bittner <j.bittner(a)nbu.cz =

> <mailto:j.bittner(a)nbu.cz>> wrote:
>
>     Hi,
>
>     I found an issue with IPA (and DNS) and oVirt. If I have hosted
>     IPA server in ovirt and have enabled login thru IPA to oVirt and I
>     stop IPA VM, I can not do anything in oVirt. I can not even log in
>     to oVirt, because login dialog is grayed out (I think it waits on
>     reaching IPA server). Of course I use IPA as primary DNS server
>     for oVirt. After some time oVirt lets me input local admin
>     credentials and waits on something.
>
>     I have more ipa servers, so I think login authentication should
>     fall back to another IPA server, but it does not.
>     _______________________________________________
>     Users mailing list
>     Users(a)ovirt.org <mailto:Users(a)ovirt.org>
>     http://lists.ovirt.org/mailman/listinfo/users
>
>
>
>
> -- =

> -- =

> James P. Kinney III
> ////
> ////Every time you stop a school, you will have to build a jail. What =

> you gain at one end you lose at the other. It's like feeding a dog on =

> his own tail. It won't fatten the dog.
> - Speech 11/23/1900 Mark Twain
> ////
> http://heretothereideas.blogspot.com/
> ////

I have more IPA servers, but it does not fail over to second IPA server. =

Next server was online and reachable. Maybe problem is that oVirt =

authentication system has only one IPA server, but the question is how =

to add another one or where to look on config files.

--------------010203040703010306000907
Content-Type: text/html; charset=3DUTF-8
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content=3D"text/html; charset=3DUTF-8" http-equiv=3D"Content-Type=
">
  </head>
  <body bgcolor=3D"#FFFFFF" text=3D"#000000">
    <div class=3D"moz-cite-prefix">Dne 6.11.2013 19:04, Jim Kinney
      napsal(a):<br>
    </div>
    <blockquote
cite=3D"mid:CAEo=3D5PxWpbx1TA6K3Ovq7v7tPFT2F+hn9omN0Ng1fO91c20ZyQ(a)mail.gm=
ail.com"
      type=3D"cite">
      <div dir=3D"ltr">
        <div>Be sure to have a mirror IPA server _NOT_on the same ovirt
          host AND you need to be using at least 2 DNS servers AND they
          both must be able to point kerberos lookups to all IPA
          servers. I have my main IPA server as a vm and a secondary on
          a physical system I run backups from.<br>
          <br>
        </div>
        <br>
      </div>
      <div class=3D"gmail_extra"><br>
        <br>
        <div class=3D"gmail_quote">On Wed, Nov 6, 2013 at 12:49 PM, Jakub
          Bittner <span dir=3D"ltr">&lt;<a moz-do-not-send=3D"true"
              href=3D"mailto:j.bittner(a)nbu.cz" target=3D"_blank">j.bittne=
r(a)nbu.cz</a>&gt;</span>
          wrote:<br>
          <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
            <br>
            I found an issue with IPA (and DNS) and oVirt. If I have
            hosted IPA server in ovirt and have enabled login thru IPA
            to oVirt and I stop IPA VM, I can not do anything in oVirt.
            I can not even log in to oVirt, because login dialog is
            grayed out (I think it waits on reaching IPA server). Of
            course I use IPA as primary DNS server for oVirt. After some
            time oVirt lets me input local admin credentials and waits
            on something.<br>
            <br>
            I have more ipa servers, so I think login authentication
            should fall back to another IPA server, but it does not.<br>
            _______________________________________________<br>
            Users mailing list<br>
            <a moz-do-not-send=3D"true" href=3D"mailto:Users(a)ovirt.org"
              target=3D"_blank">Users(a)ovirt.org</a><br>
            <a moz-do-not-send=3D"true"
              href=3D"http://lists.ovirt.org/mailman/listinfo/users"
              target=3D"_blank">http://lists.ovirt.org/mailman/listinfo/use=
rs</a><br>
          </blockquote>
        </div>
        <br>
        <br clear=3D"all">
        <br>
        -- <br>
        <div dir=3D"ltr">-- <br>
          James P. Kinney III<br>
          <i><i><i><i><br>
                </i></i></i></i>Every time you stop a school, you will
          have to build a jail. What you gain at one end you lose at the
          other. It's like feeding a dog on his own tail. It won't
          fatten the dog.<br>
          - Speech 11/23/1900 Mark Twain<br>
          <i><i><i><i><br>
                  <a moz-do-not-send=3D"true"
                    href=3D"http://heretothereideas.blogspot.com/"
                    target=3D"_blank">http://heretothereideas.blogspot.com/=
</a><br>
                </i></i></i></i></div>
      </div>
    </blockquote>
    <br>
    I have more IPA servers, but it does not fail over to second IPA
    server. Next server was online and reachable. Maybe problem is that
    oVirt authentication system has only one IPA server, but the
    question is how to add another one or where to look on config files.<br>
  </body>
</html>

--------------010203040703010306000907--

--===============8432015364946218048==
Content-Type: multipart/alternative
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.bin"

VGhpcyBpcyBhIG11bHRpLXBhcnQgbWVzc2FnZSBpbiBNSU1FIGZvcm1hdC4KLS0tLS0tLS0tLS0t
LS0wMTAyMDMwNDA3MDMwMTAzMDYwMDA5MDcKQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluOyBjaGFy
c2V0PVVURi04OyBmb3JtYXQ9Zmxvd2VkCkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6IDdiaXQK
CkRuZSA2LjExLjIwMTMgMTk6MDQsIEppbSBLaW5uZXkgbmFwc2FsKGEpOgo+IEJlIHN1cmUgdG8g
aGF2ZSBhIG1pcnJvciBJUEEgc2VydmVyIF9OT1Rfb24gdGhlIHNhbWUgb3ZpcnQgaG9zdCBBTkQg
Cj4geW91IG5lZWQgdG8gYmUgdXNpbmcgYXQgbGVhc3QgMiBETlMgc2VydmVycyBBTkQgdGhleSBi
b3RoIG11c3QgYmUgYWJsZSAKPiB0byBwb2ludCBrZXJiZXJvcyBsb29rdXBzIHRvIGFsbCBJUEEg
c2VydmVycy4gSSBoYXZlIG15IG1haW4gSVBBIAo+IHNlcnZlciBhcyBhIHZtIGFuZCBhIHNlY29u
ZGFyeSBvbiBhIHBoeXNpY2FsIHN5c3RlbSBJIHJ1biBiYWNrdXBzIGZyb20uCj4KPgo+Cj4KPiBP
biBXZWQsIE5vdiA2LCAyMDEzIGF0IDEyOjQ5IFBNLCBKYWt1YiBCaXR0bmVyIDxqLmJpdHRuZXJA
bmJ1LmN6IAo+IDxtYWlsdG86ai5iaXR0bmVyQG5idS5jej4+IHdyb3RlOgo+Cj4gICAgIEhpLAo+
Cj4gICAgIEkgZm91bmQgYW4gaXNzdWUgd2l0aCBJUEEgKGFuZCBETlMpIGFuZCBvVmlydC4gSWYg
SSBoYXZlIGhvc3RlZAo+ICAgICBJUEEgc2VydmVyIGluIG92aXJ0IGFuZCBoYXZlIGVuYWJsZWQg
bG9naW4gdGhydSBJUEEgdG8gb1ZpcnQgYW5kIEkKPiAgICAgc3RvcCBJUEEgVk0sIEkgY2FuIG5v
dCBkbyBhbnl0aGluZyBpbiBvVmlydC4gSSBjYW4gbm90IGV2ZW4gbG9nIGluCj4gICAgIHRvIG9W
aXJ0LCBiZWNhdXNlIGxvZ2luIGRpYWxvZyBpcyBncmF5ZWQgb3V0IChJIHRoaW5rIGl0IHdhaXRz
IG9uCj4gICAgIHJlYWNoaW5nIElQQSBzZXJ2ZXIpLiBPZiBjb3Vyc2UgSSB1c2UgSVBBIGFzIHBy
aW1hcnkgRE5TIHNlcnZlcgo+ICAgICBmb3Igb1ZpcnQuIEFmdGVyIHNvbWUgdGltZSBvVmlydCBs
ZXRzIG1lIGlucHV0IGxvY2FsIGFkbWluCj4gICAgIGNyZWRlbnRpYWxzIGFuZCB3YWl0cyBvbiBz
b21ldGhpbmcuCj4KPiAgICAgSSBoYXZlIG1vcmUgaXBhIHNlcnZlcnMsIHNvIEkgdGhpbmsgbG9n
aW4gYXV0aGVudGljYXRpb24gc2hvdWxkCj4gICAgIGZhbGwgYmFjayB0byBhbm90aGVyIElQQSBz
ZXJ2ZXIsIGJ1dCBpdCBkb2VzIG5vdC4KPiAgICAgX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX18KPiAgICAgVXNlcnMgbWFpbGluZyBsaXN0Cj4gICAgIFVzZXJz
QG92aXJ0Lm9yZyA8bWFpbHRvOlVzZXJzQG92aXJ0Lm9yZz4KPiAgICAgaHR0cDovL2xpc3RzLm92
aXJ0Lm9yZy9tYWlsbWFuL2xpc3RpbmZvL3VzZXJzCj4KPgo+Cj4KPiAtLSAKPiAtLSAKPiBKYW1l
cyBQLiBLaW5uZXkgSUlJCj4gLy8vLwo+IC8vLy9FdmVyeSB0aW1lIHlvdSBzdG9wIGEgc2Nob29s
LCB5b3Ugd2lsbCBoYXZlIHRvIGJ1aWxkIGEgamFpbC4gV2hhdCAKPiB5b3UgZ2FpbiBhdCBvbmUg
ZW5kIHlvdSBsb3NlIGF0IHRoZSBvdGhlci4gSXQncyBsaWtlIGZlZWRpbmcgYSBkb2cgb24gCj4g
aGlzIG93biB0YWlsLiBJdCB3b24ndCBmYXR0ZW4gdGhlIGRvZy4KPiAtIFNwZWVjaCAxMS8yMy8x
OTAwIE1hcmsgVHdhaW4KPiAvLy8vCj4gaHR0cDovL2hlcmV0b3RoZXJlaWRlYXMuYmxvZ3Nwb3Qu
Y29tLwo+IC8vLy8KCkkgaGF2ZSBtb3JlIElQQSBzZXJ2ZXJzLCBidXQgaXQgZG9lcyBub3QgZmFp
bCBvdmVyIHRvIHNlY29uZCBJUEEgc2VydmVyLiAKTmV4dCBzZXJ2ZXIgd2FzIG9ubGluZSBhbmQg
cmVhY2hhYmxlLiBNYXliZSBwcm9ibGVtIGlzIHRoYXQgb1ZpcnQgCmF1dGhlbnRpY2F0aW9uIHN5
c3RlbSBoYXMgb25seSBvbmUgSVBBIHNlcnZlciwgYnV0IHRoZSBxdWVzdGlvbiBpcyBob3cgCnRv
IGFkZCBhbm90aGVyIG9uZSBvciB3aGVyZSB0byBsb29rIG9uIGNvbmZpZyBmaWxlcy4KCi0tLS0t
LS0tLS0tLS0tMDEwMjAzMDQwNzAzMDEwMzA2MDAwOTA3CkNvbnRlbnQtVHlwZTogdGV4dC9odG1s
OyBjaGFyc2V0PVVURi04CkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6IDdiaXQKCjxodG1sPgog
IDxoZWFkPgogICAgPG1ldGEgY29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PVVURi04IiBodHRw
LWVxdWl2PSJDb250ZW50LVR5cGUiPgogIDwvaGVhZD4KICA8Ym9keSBiZ2NvbG9yPSIjRkZGRkZG
IiB0ZXh0PSIjMDAwMDAwIj4KICAgIDxkaXYgY2xhc3M9Im1vei1jaXRlLXByZWZpeCI+RG5lIDYu
MTEuMjAxMyAxOTowNCwgSmltIEtpbm5leQogICAgICBuYXBzYWwoYSk6PGJyPgogICAgPC9kaXY+
CiAgICA8YmxvY2txdW90ZQpjaXRlPSJtaWQ6Q0FFbz01UHhXcGJ4MVRBNkszT3ZxN3Y3dFBGVDJG
K2huOW9tTjBOZzFmTzkxYzIwWnlRQG1haWwuZ21haWwuY29tIgogICAgICB0eXBlPSJjaXRlIj4K
ICAgICAgPGRpdiBkaXI9Imx0ciI+CiAgICAgICAgPGRpdj5CZSBzdXJlIHRvIGhhdmUgYSBtaXJy
b3IgSVBBIHNlcnZlciBfTk9UX29uIHRoZSBzYW1lIG92aXJ0CiAgICAgICAgICBob3N0IEFORCB5
b3UgbmVlZCB0byBiZSB1c2luZyBhdCBsZWFzdCAyIEROUyBzZXJ2ZXJzIEFORCB0aGV5CiAgICAg
ICAgICBib3RoIG11c3QgYmUgYWJsZSB0byBwb2ludCBrZXJiZXJvcyBsb29rdXBzIHRvIGFsbCBJ
UEEKICAgICAgICAgIHNlcnZlcnMuIEkgaGF2ZSBteSBtYWluIElQQSBzZXJ2ZXIgYXMgYSB2bSBh
bmQgYSBzZWNvbmRhcnkgb24KICAgICAgICAgIGEgcGh5c2ljYWwgc3lzdGVtIEkgcnVuIGJhY2t1
cHMgZnJvbS48YnI+CiAgICAgICAgICA8YnI+CiAgICAgICAgPC9kaXY+CiAgICAgICAgPGJyPgog
ICAgICA8L2Rpdj4KICAgICAgPGRpdiBjbGFzcz0iZ21haWxfZXh0cmEiPjxicj4KICAgICAgICA8
YnI+CiAgICAgICAgPGRpdiBjbGFzcz0iZ21haWxfcXVvdGUiPk9uIFdlZCwgTm92IDYsIDIwMTMg
YXQgMTI6NDkgUE0sIEpha3ViCiAgICAgICAgICBCaXR0bmVyIDxzcGFuIGRpcj0ibHRyIj4mbHQ7
PGEgbW96LWRvLW5vdC1zZW5kPSJ0cnVlIgogICAgICAgICAgICAgIGhyZWY9Im1haWx0bzpqLmJp
dHRuZXJAbmJ1LmN6IiB0YXJnZXQ9Il9ibGFuayI+ai5iaXR0bmVyQG5idS5jejwvYT4mZ3Q7PC9z
cGFuPgogICAgICAgICAgd3JvdGU6PGJyPgogICAgICAgICAgPGJsb2NrcXVvdGUgY2xhc3M9Imdt
YWlsX3F1b3RlIiBzdHlsZT0ibWFyZ2luOjAgMCAwCiAgICAgICAgICAgIC44ZXg7Ym9yZGVyLWxl
ZnQ6MXB4ICNjY2Mgc29saWQ7cGFkZGluZy1sZWZ0OjFleCI+SGksPGJyPgogICAgICAgICAgICA8
YnI+CiAgICAgICAgICAgIEkgZm91bmQgYW4gaXNzdWUgd2l0aCBJUEEgKGFuZCBETlMpIGFuZCBv
VmlydC4gSWYgSSBoYXZlCiAgICAgICAgICAgIGhvc3RlZCBJUEEgc2VydmVyIGluIG92aXJ0IGFu
ZCBoYXZlIGVuYWJsZWQgbG9naW4gdGhydSBJUEEKICAgICAgICAgICAgdG8gb1ZpcnQgYW5kIEkg
c3RvcCBJUEEgVk0sIEkgY2FuIG5vdCBkbyBhbnl0aGluZyBpbiBvVmlydC4KICAgICAgICAgICAg
SSBjYW4gbm90IGV2ZW4gbG9nIGluIHRvIG9WaXJ0LCBiZWNhdXNlIGxvZ2luIGRpYWxvZyBpcwog
ICAgICAgICAgICBncmF5ZWQgb3V0IChJIHRoaW5rIGl0IHdhaXRzIG9uIHJlYWNoaW5nIElQQSBz
ZXJ2ZXIpLiBPZgogICAgICAgICAgICBjb3Vyc2UgSSB1c2UgSVBBIGFzIHByaW1hcnkgRE5TIHNl
cnZlciBmb3Igb1ZpcnQuIEFmdGVyIHNvbWUKICAgICAgICAgICAgdGltZSBvVmlydCBsZXRzIG1l
IGlucHV0IGxvY2FsIGFkbWluIGNyZWRlbnRpYWxzIGFuZCB3YWl0cwogICAgICAgICAgICBvbiBz
b21ldGhpbmcuPGJyPgogICAgICAgICAgICA8YnI+CiAgICAgICAgICAgIEkgaGF2ZSBtb3JlIGlw
YSBzZXJ2ZXJzLCBzbyBJIHRoaW5rIGxvZ2luIGF1dGhlbnRpY2F0aW9uCiAgICAgICAgICAgIHNo
b3VsZCBmYWxsIGJhY2sgdG8gYW5vdGhlciBJUEEgc2VydmVyLCBidXQgaXQgZG9lcyBub3QuPGJy
PgogICAgICAgICAgICBfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fXzxicj4KICAgICAgICAgICAgVXNlcnMgbWFpbGluZyBsaXN0PGJyPgogICAgICAgICAgICA8
YSBtb3otZG8tbm90LXNlbmQ9InRydWUiIGhyZWY9Im1haWx0bzpVc2Vyc0BvdmlydC5vcmciCiAg
ICAgICAgICAgICAgdGFyZ2V0PSJfYmxhbmsiPlVzZXJzQG92aXJ0Lm9yZzwvYT48YnI+CiAgICAg
ICAgICAgIDxhIG1vei1kby1ub3Qtc2VuZD0idHJ1ZSIKICAgICAgICAgICAgICBocmVmPSJodHRw
Oi8vbGlzdHMub3ZpcnQub3JnL21haWxtYW4vbGlzdGluZm8vdXNlcnMiCiAgICAgICAgICAgICAg
dGFyZ2V0PSJfYmxhbmsiPmh0dHA6Ly9saXN0cy5vdmlydC5vcmcvbWFpbG1hbi9saXN0aW5mby91
c2VyczwvYT48YnI+CiAgICAgICAgICA8L2Jsb2NrcXVvdGU+CiAgICAgICAgPC9kaXY+CiAgICAg
ICAgPGJyPgogICAgICAgIDxiciBjbGVhcj0iYWxsIj4KICAgICAgICA8YnI+CiAgICAgICAgLS0g
PGJyPgogICAgICAgIDxkaXYgZGlyPSJsdHIiPi0tIDxicj4KICAgICAgICAgIEphbWVzIFAuIEtp
bm5leSBJSUk8YnI+CiAgICAgICAgICA8aT48aT48aT48aT48YnI+CiAgICAgICAgICAgICAgICA8
L2k+PC9pPjwvaT48L2k+RXZlcnkgdGltZSB5b3Ugc3RvcCBhIHNjaG9vbCwgeW91IHdpbGwKICAg
ICAgICAgIGhhdmUgdG8gYnVpbGQgYSBqYWlsLiBXaGF0IHlvdSBnYWluIGF0IG9uZSBlbmQgeW91
IGxvc2UgYXQgdGhlCiAgICAgICAgICBvdGhlci4gSXQncyBsaWtlIGZlZWRpbmcgYSBkb2cgb24g
aGlzIG93biB0YWlsLiBJdCB3b24ndAogICAgICAgICAgZmF0dGVuIHRoZSBkb2cuPGJyPgogICAg
ICAgICAgLSBTcGVlY2ggMTEvMjMvMTkwMCBNYXJrIFR3YWluPGJyPgogICAgICAgICAgPGk+PGk+
PGk+PGk+PGJyPgogICAgICAgICAgICAgICAgICA8YSBtb3otZG8tbm90LXNlbmQ9InRydWUiCiAg
ICAgICAgICAgICAgICAgICAgaHJlZj0iaHR0cDovL2hlcmV0b3RoZXJlaWRlYXMuYmxvZ3Nwb3Qu
Y29tLyIKICAgICAgICAgICAgICAgICAgICB0YXJnZXQ9Il9ibGFuayI+aHR0cDovL2hlcmV0b3Ro
ZXJlaWRlYXMuYmxvZ3Nwb3QuY29tLzwvYT48YnI+CiAgICAgICAgICAgICAgICA8L2k+PC9pPjwv
aT48L2k+PC9kaXY+CiAgICAgIDwvZGl2PgogICAgPC9ibG9ja3F1b3RlPgogICAgPGJyPgogICAg
SSBoYXZlIG1vcmUgSVBBIHNlcnZlcnMsIGJ1dCBpdCBkb2VzIG5vdCBmYWlsIG92ZXIgdG8gc2Vj
b25kIElQQQogICAgc2VydmVyLiBOZXh0IHNlcnZlciB3YXMgb25saW5lIGFuZCByZWFjaGFibGUu
IE1heWJlIHByb2JsZW0gaXMgdGhhdAogICAgb1ZpcnQgYXV0aGVudGljYXRpb24gc3lzdGVtIGhh
cyBvbmx5IG9uZSBJUEEgc2VydmVyLCBidXQgdGhlCiAgICBxdWVzdGlvbiBpcyBob3cgdG8gYWRk
IGFub3RoZXIgb25lIG9yIHdoZXJlIHRvIGxvb2sgb24gY29uZmlnIGZpbGVzLjxicj4KICA8L2Jv
ZHk+CjwvaHRtbD4KCi0tLS0tLS0tLS0tLS0tMDEwMjAzMDQwNzAzMDEwMzA2MDAwOTA3LS0K

--===============8432015364946218048==--