Re: [Users] DNS for IPA in oVirt
Hi,

Thanks a lot for your detailed explanation.
That means that I don't need DNS entries (forward and reverse) for oVirt engine anymore, only SRV records for the directory service (for sure)? So using IP or /etc/hosts is sufficient.

Regards,
René

On Mon, 2013-04-08 at 09:55 -0400, Yair Zaslavsky wrote:
> Hi,
> When you add a new domain - let's say example.com - what happens from DNS perspective is:
> a. if useDnsLookup at engine-manage-domains conf is set to true then
>    dns_lookup_realm = true
>    dns_lookup_kdc = true
>    will be placed at the krb5.conf that is being created.
>    This will cause the internal java kerberos implementation to issue DNS srv requests per realm (for example, if you want to add the domain example.com, the realm will be EXAMPLE.COM) for kerberos - the srv record query will look like _kerberos._tcp.example.com and it will return a list of KDCs for the realm.
>    If useDnsLookup is not set to true, this will cause the manage-domains utility to issue kerberos DNS srv records, and fill the krb5.conf file with information on KDCs per realm.
>    In return you will get a list of corresponding hosts for the ldap servers.
> b. If -ldapServers was not passed - a DNS srv record will be issued to get the ldap servers for the domain - _ldap._tcp.example.com after the manage-domains utility performs kerberos authentication.
>    This is done in order to get a URL of an ldap server to be used, to send an ldap query and get the user id for the given user at the command line utility.
> So, as long as your DNS is configured properly, and the SRV records are well defined, you will get SRV records for kerberos and ldap.
>
> - Original Message -
> From: René Koch (ovido) r.k...@ovido.at
> To: ovirt-users users@ovirt.org
> Sent: Friday, April 5, 2013 3:47:07 PM
> Subject: [Users] DNS for IPA in oVirt
>
> > Hi list,
> >
> > I don't want to ask my question in the mail thread of Eduardo to avoid mixing topics.
> > Can you give me more detailed information on how oVirt is using DNS internally and how IPA users can work in the following scenario:
> >
> > # engine-manage-domains -action=list
> > Domain: ovido.at
> >     User name: ad...@ovido.at
> > Manage Domains completed successfully
> >
> > # cat /etc/hosts | grep engine
> > 10.0.100.195    ovirt-engine.lab.ovido.at
> >
> > # ip a
> > 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
> >     link/ether 00:1a:4a:00:64:14 brd ff:ff:ff:ff:ff:ff
> >     inet 10.0.100.195/24 brd 10.0.100.255 scope global eth0
> >
> > # host ovirt-engine.lab.ovido.at
> > ovirt-engine.lab.ovido.at has address 10.0.100.24
> >
> > # host 10.0.100.24
> > 24.100.0.10.in-addr.arpa domain name pointer ovirt-engine.lab.ovido.at.
> >
> > So in my case I have correct DNS settings (forward and reverse), but my ovirt-engine host has a totally different IP address.
> > I didn't test SSO with Kerberos in user portal (maybe this won't work), but authentication with IPA user in user portal and admin portal is working fine even with this totally wrong DNS configuration.
> >
> > Regards,
> > René

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] DNS for IPA in oVirt
- Original Message -
From: René Koch (ovido) r.k...@ovido.at
To: Yair Zaslavsky yzasl...@redhat.com
Cc: ovirt-users users@ovirt.org
Sent: Tuesday, April 9, 2013 10:47:08 AM
Subject: Re: [Users] DNS for IPA in oVirt

> Hi,
>
> Thanks a lot for your detailed explanation.
> That means that I don't need DNS entries (forward and reverse) for oVirt engine anymore, only SRV records for the directory service (for sure)? So using IP or /etc/hosts is sufficient.
>
> Regards,
> René

Hi,
I think you should also have PTR records for your IPA server.

> On Mon, 2013-04-08 at 09:55 -0400, Yair Zaslavsky wrote:
> > Hi,
> > When you add a new domain - let's say example.com - what happens from DNS perspective is:
> > a. if useDnsLookup at engine-manage-domains conf is set to true then
> >    dns_lookup_realm = true
> >    dns_lookup_kdc = true
> >    will be placed at the krb5.conf that is being created.
> >    This will cause the internal java kerberos implementation to issue DNS srv requests per realm (for example, if you want to add the domain example.com, the realm will be EXAMPLE.COM) for kerberos - the srv record query will look like _kerberos._tcp.example.com and it will return a list of KDCs for the realm.
> >    If useDnsLookup is not set to true, this will cause the manage-domains utility to issue kerberos DNS srv records, and fill the krb5.conf file with information on KDCs per realm.
> >    In return you will get a list of corresponding hosts for the ldap servers.
> > b. If -ldapServers was not passed - a DNS srv record will be issued to get the ldap servers for the domain - _ldap._tcp.example.com after the manage-domains utility performs kerberos authentication.
> >    This is done in order to get a URL of an ldap server to be used, to send an ldap query and get the user id for the given user at the command line utility.
> > So, as long as your DNS is configured properly, and the SRV records are well defined, you will get SRV records for kerberos and ldap.
> >
> > - Original Message -
> > From: René Koch (ovido) r.k...@ovido.at
> > To: ovirt-users users@ovirt.org
> > Sent: Friday, April 5, 2013 3:47:07 PM
> > Subject: [Users] DNS for IPA in oVirt
> >
> > > Hi list,
> > >
> > > I don't want to ask my question in the mail thread of Eduardo to avoid mixing topics.
> > > Can you give me more detailed information on how oVirt is using DNS internally and how IPA users can work in the following scenario:
> > >
> > > # engine-manage-domains -action=list
> > > Domain: ovido.at
> > >     User name: ad...@ovido.at
> > > Manage Domains completed successfully
> > >
> > > # cat /etc/hosts | grep engine
> > > 10.0.100.195    ovirt-engine.lab.ovido.at
> > >
> > > # ip a
> > > 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
> > >     link/ether 00:1a:4a:00:64:14 brd ff:ff:ff:ff:ff:ff
> > >     inet 10.0.100.195/24 brd 10.0.100.255 scope global eth0
> > >
> > > # host ovirt-engine.lab.ovido.at
> > > ovirt-engine.lab.ovido.at has address 10.0.100.24
> > >
> > > # host 10.0.100.24
> > > 24.100.0.10.in-addr.arpa domain name pointer ovirt-engine.lab.ovido.at.
> > >
> > > So in my case I have correct DNS settings (forward and reverse), but my ovirt-engine host has a totally different IP address.
> > > I didn't test SSO with Kerberos in user portal (maybe this won't work), but authentication with IPA user in user portal and admin portal is working fine even with this totally wrong DNS configuration.
> > >
> > > Regards,
> > > René
Re: [Users] DNS for IPA in oVirt
Hi,
When you add a new domain - let's say example.com - what happens from DNS perspective is:
a. if useDnsLookup at engine-manage-domains conf is set to true then
   dns_lookup_realm = true
   dns_lookup_kdc = true
   will be placed at the krb5.conf that is being created.
   This will cause the internal java kerberos implementation to issue DNS srv requests per realm (for example, if you want to add the domain example.com, the realm will be EXAMPLE.COM) for kerberos - the srv record query will look like _kerberos._tcp.example.com and it will return a list of KDCs for the realm.
   If useDnsLookup is not set to true, this will cause the manage-domains utility to issue kerberos DNS srv records, and fill the krb5.conf file with information on KDCs per realm.
   In return you will get a list of corresponding hosts for the ldap servers.
b. If -ldapServers was not passed - a DNS srv record will be issued to get the ldap servers for the domain - _ldap._tcp.example.com after the manage-domains utility performs kerberos authentication.
   This is done in order to get a URL of an ldap server to be used, to send an ldap query and get the user id for the given user at the command line utility.
So, as long as your DNS is configured properly, and the SRV records are well defined, you will get SRV records for kerberos and ldap.

- Original Message -
From: René Koch (ovido) r.k...@ovido.at
To: ovirt-users users@ovirt.org
Sent: Friday, April 5, 2013 3:47:07 PM
Subject: [Users] DNS for IPA in oVirt

> Hi list,
>
> I don't want to ask my question in the mail thread of Eduardo to avoid mixing topics.
> Can you give me more detailed information on how oVirt is using DNS internally and how IPA users can work in the following scenario:
>
> # engine-manage-domains -action=list
> Domain: ovido.at
>     User name: ad...@ovido.at
> Manage Domains completed successfully
>
> # cat /etc/hosts | grep engine
> 10.0.100.195    ovirt-engine.lab.ovido.at
>
> # ip a
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 00:1a:4a:00:64:14 brd ff:ff:ff:ff:ff:ff
>     inet 10.0.100.195/24 brd 10.0.100.255 scope global eth0
>
> # host ovirt-engine.lab.ovido.at
> ovirt-engine.lab.ovido.at has address 10.0.100.24
>
> # host 10.0.100.24
> 24.100.0.10.in-addr.arpa domain name pointer ovirt-engine.lab.ovido.at.
>
> So in my case I have correct DNS settings (forward and reverse), but my ovirt-engine host has a totally different IP address.
> I didn't test SSO with Kerberos in user portal (maybe this won't work), but authentication with IPA user in user portal and admin portal is working fine even with this totally wrong DNS configuration.
>
> Regards,
> René
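The two lookup paths described in the reply above, worked through as an added example (this is not oVirt's engine-manage-domains code): constructed SRV answers for _kerberos._tcp.example.com and _ldap._tcp.example.com are ordered by priority and weight and then either pinned into krb5.conf as kdc entries (useDnsLookup false) or left to the Kerberos library via dns_lookup_realm/dns_lookup_kdc (useDnsLookup true); the _ldap._tcp answers become the ldap:// URLs used when -ldapServers is not passed. The KDC and IPA host names, the default_realm and [domain_realm] lines and all function names are this example's own assumptions, not taken from the thread.

```python
"""Added example, not oVirt's own code: how SRV answers for a domain turn
into the krb5.conf and the LDAP server list along the two paths the reply
describes (useDnsLookup true or false, and -ldapServers not passed).
The SRV answers are constructed here; only the query names follow the thread."""
from typing import NamedTuple


class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# Constructed stand-in for resolver answers (host names are hypothetical).
SAMPLE_SRV = {
    "_kerberos._tcp.example.com": [
        Srv(10, 50, 88, "kdc2.example.com."),
        Srv(0, 100, 88, "kdc1.example.com."),
        Srv(10, 20, 88, "kdc3.example.com."),
    ],
    "_ldap._tcp.example.com": [
        Srv(0, 100, 389, "ipa1.example.com."),
        Srv(10, 100, 389, "ipa2.example.com."),
    ],
}


def realm_for(domain):
    """Realm derived from the domain, as in the reply: example.com -> EXAMPLE.COM."""
    return domain.upper()


def order_srv(records):
    """Lowest priority first, heavier weight first within a priority.
    RFC 2782 has clients choose among equal priorities at random in proportion
    to weight; a fixed order keeps this example repeatable."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def kdcs(domain, answers=SAMPLE_SRV):
    """host:port list from _kerberos._tcp.<domain>, in preference order."""
    return [f"{r.target.rstrip('.')}:{r.port}"
            for r in order_srv(answers.get(f"_kerberos._tcp.{domain}", []))]


def ldap_urls(domain, answers=SAMPLE_SRV):
    """ldap:// URLs from _ldap._tcp.<domain>, used when -ldapServers was not given."""
    return [f"ldap://{r.target.rstrip('.')}:{r.port}"
            for r in order_srv(answers.get(f"_ldap._tcp.{domain}", []))]


def render_krb5_conf(domain, use_dns_lookup, answers=SAMPLE_SRV):
    """krb5.conf text for one domain (default_realm/[domain_realm] are this example's additions).

    use_dns_lookup=True  -> dns_lookup_realm/dns_lookup_kdc are set and the
                            Kerberos library queries SRV records itself at runtime.
    use_dns_lookup=False -> SRV is resolved now and the KDCs are pinned in [realms].
    """
    realm = realm_for(domain)
    lines = ["[libdefaults]", f"    default_realm = {realm}"]
    if use_dns_lookup:
        lines += ["    dns_lookup_realm = true", "    dns_lookup_kdc = true"]
    else:
        kdc_lines = [f"        kdc = {k}" for k in kdcs(domain, answers)]
        if not kdc_lines:
            raise LookupError(f"no _kerberos._tcp SRV records for {domain}")
        lines += ["", "[realms]", f"    {realm} = {{", *kdc_lines, "    }"]
    lines += ["", "[domain_realm]", f"    .{domain} = {realm}", f"    {domain} = {realm}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_krb5_conf("example.com", use_dns_lookup=True))
    print(render_krb5_conf("example.com", use_dns_lookup=False))
    print(ldap_urls("example.com"))
```

With useDnsLookup true the file carries no KDC list, so every authentication depends on the resolver returning correct SRV answers at that moment; with it false the list is fixed when the domain is added and has to be regenerated when KDCs move. In both cases the engine trusts whatever DNS returns, which is why the SRV records (and, as the follow-up reply notes, the PTR records for the IPA server) deserve the same care as the servers themselves.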
[Users] DNS for IPA in oVirt
Hi list,

I don't want to ask my question in the mail thread of Eduardo to avoid mixing topics.
Can you give me more detailed information on how oVirt is using DNS internally and how IPA users can work in the following scenario:

# engine-manage-domains -action=list
Domain: ovido.at
    User name: ad...@ovido.at
Manage Domains completed successfully

# cat /etc/hosts | grep engine
10.0.100.195    ovirt-engine.lab.ovido.at

# ip a
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:1a:4a:00:64:14 brd ff:ff:ff:ff:ff:ff
    inet 10.0.100.195/24 brd 10.0.100.255 scope global eth0

# host ovirt-engine.lab.ovido.at
ovirt-engine.lab.ovido.at has address 10.0.100.24

# host 10.0.100.24
24.100.0.10.in-addr.arpa domain name pointer ovirt-engine.lab.ovido.at.

So in my case I have correct DNS settings (forward and reverse), but my ovirt-engine host has a totally different IP address.
I didn't test SSO with Kerberos in user portal (maybe this won't work), but authentication with IPA user in user portal and admin portal is working fine even with this totally wrong DNS configuration.

Regards,
René
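An added consistency check over the three outputs pasted in the question above (this is not from the thread or from oVirt): it parses the host(1) forward and reverse answers, the inet line from ip a and the /etc/hosts entry, and reports where the views of the engine host disagree. The sample strings are the lines from the question, embedded here as constructed input; the function names are this example's own.

```python
"""Added example (not from the thread or oVirt): does DNS agree with the host
that actually runs the engine? Parses host(1) forward/reverse output, the
inet lines of `ip a` and /etc/hosts, and lists every disagreement."""
import re

# Sample input, taken from the question and embedded here as string literals.
HOST_FORWARD = "ovirt-engine.lab.ovido.at has address 10.0.100.24"
HOST_REVERSE = "24.100.0.10.in-addr.arpa domain name pointer ovirt-engine.lab.ovido.at."
IP_A = """2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:1a:4a:00:64:14 brd ff:ff:ff:ff:ff:ff
    inet 10.0.100.195/24 brd 10.0.100.255 scope global eth0"""
ETC_HOSTS = "10.0.100.195\tovirt-engine.lab.ovido.at"


def parse_host_forward(line):
    """'<name> has address <ip>' -> (name, ip)."""
    m = re.fullmatch(r"(\S+) has address (\d+\.\d+\.\d+\.\d+)", line.strip())
    if not m:
        raise ValueError(f"unrecognised host(1) forward output: {line!r}")
    return m.group(1), m.group(2)


def parse_host_reverse(line):
    """'<reversed-octets>.in-addr.arpa domain name pointer <name>.' -> (ip, name)."""
    m = re.fullmatch(r"(\S+)\.in-addr\.arpa domain name pointer (\S+?)\.?", line.strip())
    if not m:
        raise ValueError(f"unrecognised host(1) reverse output: {line!r}")
    ip = ".".join(reversed(m.group(1).split(".")))  # 24.100.0.10 -> 10.0.100.24
    return ip, m.group(2)


def parse_ip_a(text):
    """All IPv4 addresses configured on local interfaces."""
    return re.findall(r"^\s*inet (\d+\.\d+\.\d+\.\d+)/\d+", text, re.M)


def parse_etc_hosts(text):
    """name -> ip for every non-comment /etc/hosts line (later lines win)."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                mapping[name] = fields[0]
    return mapping


def check_engine_dns(hostname, forward, reverse, ip_a, etc_hosts):
    """Return a list of findings; an empty list means all views agree."""
    findings = []
    fwd_name, fwd_ip = parse_host_forward(forward)
    rev_ip, rev_name = parse_host_reverse(reverse)
    local_ips = parse_ip_a(ip_a)
    hosts_map = parse_etc_hosts(etc_hosts)
    if fwd_name != hostname:
        findings.append(f"forward lookup was for {fwd_name}, not {hostname}")
    if rev_ip != fwd_ip or rev_name != hostname:
        findings.append(f"PTR {rev_ip} -> {rev_name} does not match A record {fwd_ip}")
    if fwd_ip not in local_ips:
        findings.append(f"A record {fwd_ip} is not on any local interface {local_ips}")
    override = hosts_map.get(hostname)
    if override and override != fwd_ip:
        findings.append(f"/etc/hosts maps {hostname} to {override}, shadowing DNS answer {fwd_ip}")
    return findings


if __name__ == "__main__":
    for finding in check_engine_dns("ovirt-engine.lab.ovido.at",
                                    HOST_FORWARD, HOST_REVERSE, IP_A, ETC_HOSTS):
        print("MISMATCH:", finding)
```

On the data from the question it reports two mismatches: the A record points at an address that is on none of the engine's interfaces, and /etc/hosts shadows the DNS answer. The PTR does match the A record, which is why both host(1) calls look consistent on their own; the check is about whether DNS agrees with the machine that actually runs the engine, the agreement Kerberos service tickets for the engine's host name rely on and the first thing to look at when portal SSO fails.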