Hi,

Thanks a lot for your detailed explanation. That means that I don't need DNS entries (forward and reverse) for the oVirt engine anymore, only SRV records for the directory service (for sure)? So using IP or /etc/hosts is sufficient.

Regards,
René

On Mon, 2013-04-08 at 09:55 -0400, Yair Zaslavsky wrote:
> Hi,
> When you add a new domain - let's say example.com what happens from DNS
> perspective is -
>
>
> a. if useDnsLookup at engine-manage-domains conf is set to "true" then
> dns_lookup_realm = true
> and dns_lookup_kdc = true
>
> Will be placed at the krb5.conf that is being created.
> This will cause the internal java kerberos implementation to issue DNS srv
> requests per realm (for example, if you want to add the domain example.com,
> the realm will be EXAMPLE.COM)
> for kerberos -
> the srv record query will look like _kerberos._tcp.example.com and it will
> return a list of KDCs for the realm.
>
> If useDnsLookup is not set to true,
> This will cause the manage-domains utility to issue kerberos DNS srv records,
> and fill the krb5.conf file with information on KDCs per realm.
>
>
> In return you will get a list of corresponding hosts for the ldap servers.
>
> b. If -ldapServers was not passed - a DNS srv record will be issued to get
> the ldap servers for the domain -
> _ldap._tcp.example.com after the manage-domains utility performs kerberos
> authentication.
> This is done, in order to get a URL of an ldap server to be used, to send an
> ldap query and get the user id for the given user at the command line utility.
>
> So, as long as your DNS is configured properly, and the SRV records are well
> defined, you will get SRV records for kerberos and ldap.
>
>
> ----- Original Message -----
> > From: "René Koch (ovido)" <r.k...@ovido.at>
> > To: "ovirt-users" <users@ovirt.org>
> > Sent: Friday, April 5, 2013 3:47:07 PM
> > Subject: [Users] DNS for IPA in oVirt
> >
> > Hi list,
> >
> > I don't want to ask my question in the mail thread of Eduardo to avoid
> > mixing topics.
> >
> > Can you give me more detailed information on how oVirt is using DNS
> > internally and how IPA users can work in the following scenario:
> >
> > # engine-manage-domains -action=list
> > Domain: ovido.at
> > User name: ad...@ovido.at
> > Manage Domains completed successfully
> >
> > # cat /etc/hosts | grep engine
> > 10.0.100.195 ovirt-engine.lab.ovido.at
> >
> > # ip a
> > 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> > state UP qlen 1000
> > link/ether 00:1a:4a:00:64:14 brd ff:ff:ff:ff:ff:ff
> > inet 10.0.100.195/24 brd 10.0.100.255 scope global eth0
> >
> > # host ovirt-engine.lab.ovido.at
> > ovirt-engine.lab.ovido.at has address 10.0.100.24
> >
> > # host 10.0.100.24
> > 24.100.0.10.in-addr.arpa domain name pointer ovirt-engine.lab.ovido.at.
> >
> > So in my case I have correct DNS settings (forward and reverse), but my
> > ovirt-engine host has a totally different IP address.
> >
> > I didn't test SSO with Kerberos in user portal (maybe this won't work),
> > but authentication with IPA user in user portal and admin portal is
> > working fine even with this totally wrong DNS configuration.
> >
> >
> > Regards,
> > René
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users