[Users] DNS for IPA in oVirt

René Koch (ovido) r.koch at ovido.at
Tue Apr 9 07:47:08 UTC 2013


Hi,

Thanks a lot for your detailed explanation.
That means that I don't need DNS entries (forward and reverse) for the oVirt
engine anymore, only SRV records for the directory service (for sure)?
So using an IP or /etc/hosts is sufficient.



Regards,
René



On Mon, 2013-04-08 at 09:55 -0400, Yair Zaslavsky wrote:
> Hi,
> When you add a new domain - let's say example.com what happens from DNS perspective is -
> 
> 
> a. If useDnsLookup in the engine-manage-domains conf is set to "true", then
> dns_lookup_realm = true
> and dns_lookup_kdc = true
> 
> will be placed in the krb5.conf that is being created.
> This will cause the internal Java Kerberos implementation to issue DNS SRV requests per realm (for example, if you want to add the domain example.com, the realm will be EXAMPLE.COM)
> for Kerberos -
> the SRV record query will look like _kerberos._tcp.example.com and it will return a list of KDCs for the realm.
> 
> If useDnsLookup is not set to true,
> this will cause the manage-domains utility to issue Kerberos DNS SRV queries and fill the krb5.conf file with information on KDCs per realm.
> 
> 
> In return you will get a list of corresponding hosts for the LDAP servers.
> 
> b. If -ldapServers was not passed, a DNS SRV query will be issued to get the LDAP servers for the domain -
> _ldap._tcp.example.com - after the manage-domains utility performs Kerberos authentication.
> This is done in order to get a URL of an LDAP server to be used to send an LDAP query and get the user ID for the user given to the command-line utility.
> 
> So, as long as your DNS is configured properly and the SRV records are well defined, you will get SRV records for Kerberos and LDAP.
> 
> 
> 
> 
> 
> ----- Original Message -----
> > From: "René Koch (ovido)" <r.koch at ovido.at>
> > To: "ovirt-users" <users at ovirt.org>
> > Sent: Friday, April 5, 2013 3:47:07 PM
> > Subject: [Users] DNS for IPA in oVirt
> > 
> > Hi list,
> > 
> > I don't want to ask my question in the mail thread of Eduardo to avoid
> > mixing topics.
> > 
> > Can you give me more detailed information on how oVirt is using DNS
> > internally and how IPA users can work in the following scenario:
> > 
> > # engine-manage-domains -action=list
> > Domain: ovido.at
> > 	User name: admin at OVIDO.AT
> > Manage Domains completed successfully
> > 
> > # cat /etc/hosts | grep engine
> > 10.0.100.195 ovirt-engine.lab.ovido.at
> > 
> > # ip a
> > 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UP qlen 1000
> >     link/ether 00:1a:4a:00:64:14 brd ff:ff:ff:ff:ff:ff
> >     inet 10.0.100.195/24 brd 10.0.100.255 scope global eth0
> > 
> > # host ovirt-engine.lab.ovido.at
> > ovirt-engine.lab.ovido.at has address 10.0.100.24
> > 
> > # host 10.0.100.24
> > 24.100.0.10.in-addr.arpa domain name pointer ovirt-engine.lab.ovido.at.
> > 
> > So in my case I have correct DNS settings (forward and reverse), but my
> > ovirt-engine host has a totally different IP address.
> > 
> > I didn't test SSO with Kerberos in the user portal (maybe this won't work),
> > but authentication with an IPA user in the user portal and admin portal is
> > working fine even with this totally wrong DNS configuration.
> > 
> > 
> > Regards,
> > René
> > 
> > 
> > _______________________________________________
> > Users mailing list
> > Users at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> >
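The SRV-driven discovery Yair describes, as an added worked example (editor's code, not from this thread, from engine-manage-domains or from oVirt): it parses SRV answers for _kerberos._tcp.<domain> and _ldap._tcp.<domain>, orders them as a client would, and emits either the static krb5.conf with enumerated KDCs (the useDnsLookup=false path) or one that sets dns_lookup_realm/dns_lookup_kdc = true and leaves the lookup to the Kerberos library. The zone data, host names and the same-domain check on SRV targets are assumptions of this example; the SRV answers are constructed inline so it runs offline.

```python
"""Added example: from DNS SRV answers to a KDC list, LDAP URLs and a krb5.conf.
The SRV answers below are constructed sample data, not a live DNS query."""

from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_rdata(rdata: str) -> SRV:
    """Parse SRV RDATA in presentation form: '<priority> <weight> <port> <target.>'."""
    parts = rdata.split()
    if len(parts) != 4:
        raise ValueError(f"malformed SRV RDATA: {rdata!r}")
    prio, weight, port, target = parts
    return SRV(int(prio), int(weight), int(port), target.rstrip(".").lower())


def order_srv(records):
    """RFC 2782 client ordering: lowest priority first.  Real resolvers pick
    randomly within one priority in proportion to weight; here a higher weight
    simply sorts first so the result is deterministic."""
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def lookup_srv(domain, service, srv_answers, same_domain_only=True):
    """Resolve _<service>._tcp.<domain> from a dict of (constructed) answers.
    same_domain_only rejects targets outside <domain>.  This is an added sanity
    check (assumption of this example, not oVirt behaviour): plain DNS answers are
    unauthenticated unless DNSSEC validates them, and a spoofed SRV record would
    otherwise redirect the Kerberos or LDAP traffic to an attacker's host."""
    name = f"_{service}._tcp.{domain}"
    recs = [parse_srv_rdata(r) for r in srv_answers.get(name, [])]
    if same_domain_only:
        suffix = "." + domain.lower()
        bad = [r.target for r in recs if not r.target.endswith(suffix)]
        if bad:
            raise ValueError(f"{name}: SRV targets outside {domain}: {bad}")
    return order_srv(recs)


def kdcs_for_domain(domain, srv_answers):
    """useDnsLookup=false path: enumerate the KDCs up front from _kerberos._tcp."""
    return [f"{r.target}:{r.port}" for r in lookup_srv(domain, "kerberos", srv_answers)]


def ldap_urls_for_domain(domain, srv_answers):
    """-ldapServers omitted: find LDAP servers via _ldap._tcp."""
    return [f"ldap://{r.target}:{r.port}" for r in lookup_srv(domain, "ldap", srv_answers)]


def krb5_conf(domain, srv_answers, use_dns_lookup):
    """Render a krb5.conf for realm <DOMAIN>; realm name is the upper-cased domain."""
    realm = domain.upper()
    lines = ["[libdefaults]", f" default_realm = {realm}"]
    if use_dns_lookup:
        # The Kerberos library queries _kerberos._tcp.<domain> itself at runtime,
        # so no [realms] entry with kdc = ... lines is needed.
        lines += [" dns_lookup_realm = true", " dns_lookup_kdc = true"]
    else:
        kdcs = kdcs_for_domain(domain, srv_answers)
        if not kdcs:
            raise LookupError(f"no _kerberos._tcp.{domain} SRV records")
        lines += [" dns_lookup_realm = false", " dns_lookup_kdc = false", "", "[realms]",
                  f" {realm} = {{"]
        lines += [f"  kdc = {k}" for k in kdcs]
        lines += [" }"]
    lines += ["", "[domain_realm]", f" .{domain} = {realm}", f" {domain} = {realm}", ""]
    return "\n".join(lines)


# Constructed sample zone data standing in for real SRV answers (assumption).
SAMPLE_SRV = {
    "_kerberos._tcp.example.com": [
        "0 100 88 ipa1.example.com.",
        "0 50 88 ipa2.example.com.",
        "10 100 88 ipa-dr.example.com.",
    ],
    "_ldap._tcp.example.com": [
        "0 100 389 ipa1.example.com.",
        "0 100 389 ipa2.example.com.",
    ],
}

if __name__ == "__main__":
    print(krb5_conf("example.com", SAMPLE_SRV, use_dns_lookup=False))
    print(krb5_conf("example.com", SAMPLE_SRV, use_dns_lookup=True))
    print(ldap_urls_for_domain("example.com", SAMPLE_SRV))
```

Nothing in either path depends on the engine's own forward or reverse record: only the _kerberos._tcp and _ldap._tcp SRV records of the directory domain are consulted, which is why the mismatched A/PTR for ovirt-engine in the scenario above does not break IPA logins. Kerberos SSO in the browser is a separate matter, since the browser builds the HTTP service principal from the host name it connects to.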



