8:49 p.m.
Hi,
I found an issue with IPA (and DNS) and oVirt. If I have hosted IPA
server in ovirt and have enabled login thru IPA to oVirt and I stop IPA
VM, I can not do anything in oVirt. I can not even log in to oVirt,
because login dialog is grayed out (I think it waits on reaching IPA
server). Of course I use IPA as primary DNS server for oVirt. After some
time oVirt lets me input local admin credentials and waits on something.
I have more ipa servers, so I think login authentication should fall
back to another IPA server, but it does not.
9:04 p.m.
Be sure to have a mirror IPA server _NOT_on the same ovirt host AND you
need to be using at least 2 DNS servers AND they both must be able to point
kerberos lookups to all IPA servers. I have my main IPA server as a vm and
a secondary on a physical system I run backups from.
On Wed, Nov 6, 2013 at 12:49 PM, Jakub Bittner <j.bittner(a)nbu.cz> wrote:
Hi,
I found an issue with IPA (and DNS) and oVirt. If I have hosted IPA server
in ovirt and have enabled login thru IPA to oVirt and I stop IPA VM, I can
not do anything in oVirt. I can not even log in to oVirt, because login
dialog is grayed out (I think it waits on reaching IPA server). Of course I
use IPA as primary DNS server for oVirt. After some time oVirt lets me
input local admin credentials and waits on something.
I have more ipa servers, so I think login authentication should fall back
to another IPA server, but it does not.
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--
--
James P. Kinney III
Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
*http://heretothereideas.blogspot.com/
<http://heretothereideas.blogspot.com/>*
9:12 p.m.
This is a multi-part message in MIME format.
--------------010203040703010306000907
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Dne 6.11.2013 19:04, Jim Kinney napsal(a):
Be sure to have a mirror IPA server _NOT_on the same ovirt host AND
you need to be using at least 2 DNS servers AND they both must be able
to point kerberos lookups to all IPA servers. I have my main IPA
server as a vm and a secondary on a physical system I run backups from.
On Wed, Nov 6, 2013 at 12:49 PM, Jakub Bittner <j.bittner(a)nbu.cz
<mailto:j.bittner@nbu.cz>> wrote:
Hi,
I found an issue with IPA (and DNS) and oVirt. If I have hosted
IPA server in ovirt and have enabled login thru IPA to oVirt and I
stop IPA VM, I can not do anything in oVirt. I can not even log in
to oVirt, because login dialog is grayed out (I think it waits on
reaching IPA server). Of course I use IPA as primary DNS server
for oVirt. After some time oVirt lets me input local admin
credentials and waits on something.
I have more ipa servers, so I think login authentication should
fall back to another IPA server, but it does not.
_______________________________________________
Users mailing list
Users(a)ovirt.org <mailto:Users@ovirt.org>
http://lists.ovirt.org/mailman/listinfo/users
--
--
James P. Kinney III
////
////Every time you stop a school, you will have to build a jail. What
you gain at one end you lose at the other. It's like feeding a dog on
his own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
////
http://heretothereideas.blogspot.com/
////
I have more IPA servers, but it does not fail over to second IPA server.
Next server was online and reachable. Maybe problem is that oVirt
authentication system has only one IPA server, but the question is how
to add another one or where to look on config files.
--------------010203040703010306000907
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
<html>
<head>
<meta content="text/html; charset=UTF-8"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Dne 6.11.2013 19:04, Jim Kinney
napsal(a):<br>
</div>
<blockquote
cite="mid:CAEo=5PxWpbx1TA6K3Ovq7v7tPFT2F+hn9omN0Ng1fO91c20ZyQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Be sure to have a mirror IPA server _NOT_on the same ovirt
host AND you need to be using at least 2 DNS servers AND they
both must be able to point kerberos lookups to all IPA
servers. I have my main IPA server as a vm and a secondary on
a physical system I run backups from.<br>
<br>
</div>
<br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Nov 6, 2013 at 12:49 PM, Jakub
Bittner <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:j.bittner@nbu.cz"
target="_blank">j.bittner(a)nbu.cz</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I found an issue with IPA (and DNS) and oVirt. If I have
hosted IPA server in ovirt and have enabled login thru IPA
to oVirt and I stop IPA VM, I can not do anything in oVirt.
I can not even log in to oVirt, because login dialog is
grayed out (I think it waits on reaching IPA server). Of
course I use IPA as primary DNS server for oVirt. After some
time oVirt lets me input local admin credentials and waits
on something.<br>
<br>
I have more ipa servers, so I think login authentication
should fall back to another IPA server, but it does not.<br>
_______________________________________________<br>
Users mailing list<br>
<a moz-do-not-send="true"
href="mailto:Users@ovirt.org"
target="_blank">Users(a)ovirt.org</a><br>
<a moz-do-not-send="true"
href="http://lists.ovirt.org/mailman/listinfo/users"
target="_blank">http://lists.ovirt.org/mailman/listinfo/user...
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div dir="ltr">-- <br>
James P. Kinney III<br>
<i><i><i><i><br>
</i></i></i></i>Every time you stop a school, you
will
have to build a jail. What you gain at one end you lose at the
other. It's like feeding a dog on his own tail. It won't
fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br>
<i><i><i><i><br>
<a moz-do-not-send="true"
href="http://heretothereideas.blogspot.com/"
target="_blank">http://heretothereideas.blogspot.com/</a&...
</i></i></i></i></div>
</div>
</blockquote>
<br>
I have more IPA servers, but it does not fail over to second IPA
server. Next server was online and reachable. Maybe problem is that
oVirt authentication system has only one IPA server, but the
question is how to add another one or where to look on config files.<br>
</body>
</html>
--------------010203040703010306000907--
5:22 p.m.
On 11/06/2013 07:49 PM, Jakub Bittner wrote:
Hi,
I found an issue with IPA (and DNS) and oVirt. If I have hosted IPA
server in ovirt and have enabled login thru IPA to oVirt and I stop IPA
VM, I can not do anything in oVirt. I can not even log in to oVirt,
because login dialog is grayed out (I think it waits on reaching IPA
server). Of course I use IPA as primary DNS server for oVirt. After some
time oVirt lets me input local admin credentials and waits on something.
I have more ipa servers, so I think login authentication should fall
back to another IPA server, but it does not.
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
if the login dialog is stuck becasue your IPA server is down, it would
be a bug. but i don't see a reason for the two to be related. the login
dialog shows the list of domains from the config, not from polling them.
4033
days inactive
4034
days old
3 comments
3 participants
participants (3)
-
Itamar Heim -
Jakub Bittner -
Jim Kinney