[Users] DNS for IPA in oVirt

Yair Zaslavsky yzaslavs at redhat.com
Tue Apr 9 08:39:19 UTC 2013



----- Original Message -----
> From: "René Koch (ovido)" <r.koch at ovido.at>
> To: "Yair Zaslavsky" <yzaslavs at redhat.com>
> Cc: "ovirt-users" <users at ovirt.org>
> Sent: Tuesday, April 9, 2013 10:47:08 AM
> Subject: Re: [Users] DNS for IPA in oVirt
> 
> Hi,
> 
> Thanks a lot for your detailed explanation.
> That means that I don't need DNS entries (forward and reverse) for the oVirt
> engine anymore, only SRV records for the directory service (for sure)?
> So using IP or /etc/hosts is sufficient.
> 
> 
> 
> Regards,
> René

Hi, I think you should also have PTR records for your IPA server.

> 
> 
> 
> On Mon, 2013-04-08 at 09:55 -0400, Yair Zaslavsky wrote:
> > Hi,
> > When you add a new domain - let's say example.com what happens from DNS
> > perspective is -
> > 
> > 
> > a. if useDnsLookup at engine-manage-domains conf is set to "true" then
> > dns_lookup_realm  = true
> > and dns_lookup_kdc = true
> > 
> > will be placed at the krb5.conf that is being created.
> > This will cause the internal java kerberos implementation to issue DNS srv
> > requests per realm (for example, if you want to add the domain
> > example.com, the realm will be EXAMPLE.COM)
> > for kerberos -
> > the srv record query will look like _kerberos._tcp.example.com and it will
> > return a list of KDCs for the realm.
> > 
> > If useDnsLookup is not set to true,
> > this will cause the manage-domains utility to issue Kerberos DNS SRV
> > queries, and fill the krb5.conf file with information on KDCs per realm.
> > 
> > 
> > In return you will get a list of corresponding hosts for the ldap servers.
> > 
> > b. If -ldapServers was not passed - a DNS SRV query will be issued to get
> > the ldap servers for the domain -
> > _ldap._tcp.example.com  after the manage-domains utility performs kerberos
> > authentication.
> > This is done, in order to get a URL of an ldap server to be used, to send
> > an ldap query and get the user id for the given user at the command line
> > utility.
> > 
> > So, as long as your DNS is configured properly, and the SRV records are
> > well defined, you will get SRV records for kerberos and ldap.
> > 
> > 
> > 
> > 
> > 
> > ----- Original Message -----
> > > From: "René Koch (ovido)" <r.koch at ovido.at>
> > > To: "ovirt-users" <users at ovirt.org>
> > > Sent: Friday, April 5, 2013 3:47:07 PM
> > > Subject: [Users] DNS for IPA in oVirt
> > > 
> > > Hi list,
> > > 
> > > I don't want to ask my question in the mail thread of Eduardo to avoid
> > > mixing topics.
> > > 
> > > Can you give me more detailed information on how oVirt is using DNS
> > > internally and how IPA users can work in the following scenario:
> > > 
> > > # engine-manage-domains -action=list
> > > Domain: ovido.at
> > > 	User name: admin at OVIDO.AT
> > > Manage Domains completed successfully
> > > 
> > > # cat /etc/hosts | grep engine
> > > 10.0.100.195 ovirt-engine.lab.ovido.at
> > > 
> > > # ip a
> > > 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > > state UP qlen 1000
> > >     link/ether 00:1a:4a:00:64:14 brd ff:ff:ff:ff:ff:ff
> > >     inet 10.0.100.195/24 brd 10.0.100.255 scope global eth0
> > > 
> > > # host ovirt-engine.lab.ovido.at
> > > ovirt-engine.lab.ovido.at has address 10.0.100.24
> > > 
> > > # host 10.0.100.24
> > > 24.100.0.10.in-addr.arpa domain name pointer ovirt-engine.lab.ovido.at.
> > > 
> > > So in my case I have correct DNS settings (forward and reverse), but my
> > > ovirt-engine host has a totally different IP address.
> > > 
> > > I didn't test SSO with Kerberos in user portal (maybe this won't work),
> > > but authentication with IPA user in user portal and admin portal is
> > > working fine even with this totally wrong DNS configuration.
> > > 
> > > 
> > > Regards,
> > > René
> > > 
> > > 
> > > _______________________________________________
> > > Users mailing list
> > > Users at ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> > >
> 
> 

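The SRV and PTR lookups discussed in this thread, as an added worked example that is not oVirt's own code or engine-manage-domains output. It replays the steps Yair describes (build `_kerberos._tcp.<domain>` and `_ldap._tcp.<domain>` names, derive the upper-cased realm, either emit `dns_lookup_realm`/`dns_lookup_kdc = true` or write the resolved KDCs into krb5.conf) against constructed in-memory records so it runs offline, and adds the PTR check Yair recommends for the IPA server. The hosts `ipa1.example.com`/`ipa2.example.com`, their addresses, the fixed priority/weight ordering (real clients choose randomly by weight among equal priorities), and the `default_realm` and `[domain_realm]` stanzas are assumptions of this example, not something the thread states. A live check would send the same names to a resolver, e.g. `dig _kerberos._tcp.example.com SRV` and `host 10.0.100.24`.

```python
"""Added worked example (not oVirt's own code): the DNS steps the thread
describes, replayed against constructed in-memory records so it runs offline."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    """One SRV answer (RFC 2782): priority, weight, port, target host."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data standing in for what a resolver would return (assumed hosts).
CONSTRUCTED_SRV = {
    "_kerberos._tcp.example.com": [SRV(10, 100, 88, "ipa2.example.com."),
                                   SRV(0, 100, 88, "ipa1.example.com.")],
    "_ldap._tcp.example.com": [SRV(0, 50, 389, "ipa2.example.com."),
                               SRV(0, 100, 389, "ipa1.example.com.")],
}
CONSTRUCTED_A = {"ipa1.example.com": "10.0.100.10",
                 "ipa2.example.com": "10.0.100.11"}
# Deliberately incomplete: ipa2 has an A record but no PTR record.
CONSTRUCTED_PTR = {"10.100.0.10.in-addr.arpa": "ipa1.example.com"}


def srv_name(service: str, domain: str) -> str:
    """SRV owner name for a service, e.g. _kerberos._tcp.example.com."""
    return f"_{service}._tcp.{domain.rstrip('.').lower()}"


def realm_for(domain: str) -> str:
    """Kerberos realm derived from the domain: example.com -> EXAMPLE.COM."""
    return domain.rstrip(".").upper()


def lookup_srv(service: str, domain: str, zone=CONSTRUCTED_SRV) -> list:
    """Return 'host:port' targets ordered by priority (lowest first), then by
    weight (highest first). Fixed ordering is an assumption for reproducibility;
    real clients choose randomly by weight among equal priorities."""
    answers = zone.get(srv_name(service, domain), [])
    ordered = sorted(answers, key=lambda r: (r.priority, -r.weight))
    return [f"{r.target.rstrip('.')}:{r.port}" for r in ordered]


def render_krb5_conf(domain: str, kdcs: list, use_dns_lookup: bool) -> str:
    """Emit the krb5.conf the thread describes.

    use_dns_lookup=True  -> dns_lookup_realm/dns_lookup_kdc = true; the Kerberos
                            library performs the SRV lookups itself at runtime.
    use_dns_lookup=False -> the KDCs resolved beforehand are written explicitly
                            into [realms].
    default_realm and [domain_realm] are assumed additions, not from the thread.
    """
    realm = realm_for(domain)
    lines = ["[libdefaults]", f"    default_realm = {realm}"]
    if use_dns_lookup:
        lines += ["    dns_lookup_realm = true", "    dns_lookup_kdc = true"]
    else:
        lines += ["", "[realms]", f"    {realm} = {{"]
        lines += [f"        kdc = {kdc}" for kdc in kdcs]
        lines += ["    }"]
    lines += ["", "[domain_realm]", f"    .{domain} = {realm}", f"    {domain} = {realm}"]
    return "\n".join(lines) + "\n"


def ptr_name(ip: str) -> str:
    """Reverse-lookup name for an address: 10.0.100.24 -> 24.100.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def hosts_missing_ptr(targets, a=CONSTRUCTED_A, ptr=CONSTRUCTED_PTR) -> list:
    """Check that each SRV target's address has a PTR record pointing back at the
    same host name (the PTR check recommended for the IPA server); return the
    hosts that fail."""
    bad = []
    for target in targets:
        host = target.rsplit(":", 1)[0]
        ip = a.get(host)
        if ip is None or ptr.get(ptr_name(ip)) != host:
            bad.append(host)
    return bad


if __name__ == "__main__":
    kdcs = lookup_srv("kerberos", "example.com")
    print(render_krb5_conf("example.com", kdcs, use_dns_lookup=False))
    print("LDAP servers:", lookup_srv("ldap", "example.com"))
    print("KDCs without a matching PTR record:", hosts_missing_ptr(kdcs))
```

With the constructed data, the non-DNS-lookup krb5.conf lists `ipa1.example.com:88` before `ipa2.example.com:88`, and the PTR check flags `ipa2.example.com`, which is the kind of gap that does not stop password authentication but will bite Kerberos SSO.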