----- Original Message -----
> From: "René Koch (ovido)" <r.k...@ovido.at>
> To: "Yair Zaslavsky" <yzasl...@redhat.com>
> Cc: "ovirt-users" <users@ovirt.org>
> Sent: Tuesday, April 9, 2013 10:47:08 AM
> Subject: Re: [Users] DNS for IPA in oVirt
>
> Hi,
>
> Thanks a lot for your detailed explanation.
> That means that I don't need DNS entries (forward and reverse) for the oVirt
> engine anymore, only SRV records for the directory service (for sure)?
> So using an IP or /etc/hosts is sufficient.
>
> Regards,
> René

Hi,
I think you should also have PTR records for your IPA server.

> > On Mon, 2013-04-08 at 09:55 -0400, Yair Zaslavsky wrote:
> > Hi,
> > When you add a new domain - let's say example.com - what happens from a DNS
> > perspective is:
> >
> > a. If useDnsLookup in the engine-manage-domains conf is set to "true", then
> >
> >    dns_lookup_realm = true
> >    dns_lookup_kdc = true
> >
> > will be placed in the krb5.conf that is being created.
> > This will cause the internal Java Kerberos implementation to issue DNS SRV
> > requests per realm (for example, if you want to add the domain
> > example.com, the realm will be EXAMPLE.COM).
> > For Kerberos, the SRV record query will look like _kerberos._tcp.example.com
> > and it will return a list of KDCs for the realm.
> >
> > If useDnsLookup is not set to true, this will cause the manage-domains
> > utility to issue the Kerberos DNS SRV queries itself and fill the krb5.conf
> > file with information on KDCs per realm.
> >
> > In return you will get a list of corresponding hosts for the LDAP servers.
> >
> > b. If -ldapServers was not passed, a DNS SRV query will be issued to get
> > the LDAP servers for the domain - _ldap._tcp.example.com - after the
> > manage-domains utility performs Kerberos authentication.
> > This is done in order to get a URL of an LDAP server to be used to send
> > an LDAP query and get the user id for the user given at the command line
> > utility.
> >
> > So, as long as your DNS is configured properly and the SRV records are
> > well defined, you will get SRV records for Kerberos and LDAP.
> >
> > ----- Original Message -----
> > > From: "René Koch (ovido)" <r.k...@ovido.at>
> > > To: "ovirt-users" <users@ovirt.org>
> > > Sent: Friday, April 5, 2013 3:47:07 PM
> > > Subject: [Users] DNS for IPA in oVirt
> > >
> > > Hi list,
> > >
> > > I don't want to ask my question in the mail thread of Eduardo to avoid
> > > mixing topics.
> > >
> > > Can you give me more detailed information on how oVirt is using DNS
> > > internally and how IPA users can work in the following scenario:
> > >
> > > # engine-manage-domains -action=list
> > > Domain: ovido.at
> > > User name: ad...@ovido.at
> > > Manage Domains completed successfully
> > >
> > > # cat /etc/hosts | grep engine
> > > 10.0.100.195 ovirt-engine.lab.ovido.at
> > >
> > > # ip a
> > > 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
> > >     link/ether 00:1a:4a:00:64:14 brd ff:ff:ff:ff:ff:ff
> > >     inet 10.0.100.195/24 brd 10.0.100.255 scope global eth0
> > >
> > > # host ovirt-engine.lab.ovido.at
> > > ovirt-engine.lab.ovido.at has address 10.0.100.24
> > >
> > > # host 10.0.100.24
> > > 24.100.0.10.in-addr.arpa domain name pointer ovirt-engine.lab.ovido.at.
> > >
> > > So in my case I have correct DNS settings (forward and reverse), but my
> > > ovirt-engine host has a totally different IP address.
> > >
> > > I didn't test SSO with Kerberos in the user portal (maybe this won't work),
> > > but authentication with an IPA user in the user portal and admin portal is
> > > working fine even with this totally wrong DNS configuration.
> > >
> > > Regards,
> > > René
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
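As an added example (not from this thread and not oVirt's own code), a small Python script that derives the SRV query names the reply above describes, orders the answers as RFC 2782 directs, renders the krb5.conf fragment that results, and runs the forward/reverse consistency check René's scenario calls for. The zone contents and host names are constructed stand-ins, and the resolver is a stub you would replace with a real query.

```python
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed stand-in for a DNS zone (hypothetical names, not from the thread). The engine
# entry reproduces René's mismatch: forward and reverse agree, but not with the host's own IP.
ZONE = {
    "_kerberos._tcp.example.com": [SRV(10, 50, 88, "kdc2.example.com"),
                                   SRV(0, 100, 88, "kdc1.example.com")],
    "_ldap._tcp.example.com": [SRV(0, 100, 389, "kdc1.example.com")],
    "ovirt-engine.example.com": ["10.0.100.24"],
    "24.100.0.10.in-addr.arpa": ["ovirt-engine.example.com"],
}

def lookup(name):
    """Stub resolver over ZONE; swap in a real query (e.g. dnspython) for live checks."""
    return ZONE.get(name.rstrip(".").lower(), [])

def srv_names(domain):
    """Names engine-manage-domains derives from a domain; the realm is the domain upper-cased."""
    d = domain.lower()
    return {"realm": domain.upper(), "kerberos": f"_kerberos._tcp.{d}",
            "ldap": f"_ldap._tcp.{d}"}

def ordered_targets(records):
    """host:port list in RFC 2782 order: lowest priority first, higher weight first within it."""
    ranked = sorted(records, key=lambda r: (r.priority, -r.weight, r.target))
    return [f"{r.target}:{r.port}" for r in ranked]

def krb5_fragment(domain, use_dns_lookup, resolve=lookup):
    """krb5.conf text: DNS-discovery flags when useDnsLookup is true, else an explicit KDC list."""
    names = srv_names(domain)
    if use_dns_lookup:
        return "[libdefaults]\n  dns_lookup_realm = true\n  dns_lookup_kdc = true\n"
    kdcs = ordered_targets(resolve(names["kerberos"]))
    if not kdcs:
        raise LookupError(f"no SRV record at {names['kerberos']}")
    head = f"[realms]\n  {names['realm']} = {{"
    return "\n".join([head] + [f"    kdc = {k}" for k in kdcs] + ["  }"]) + "\n"

def check_forward_reverse(host, local_ip, resolve=lookup):
    """A record must exist, its PTR must name the host, and it must match the host's own IP."""
    addrs = resolve(host)
    if not addrs:
        return (False, f"{host}: no A record")
    ip = addrs[0]
    ptr_name = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    if host.lower() not in [p.rstrip(".").lower() for p in resolve(ptr_name)]:
        return (False, f"{ip}: PTR does not point back to {host}")
    if ip != local_ip:
        return (False, f"{host} resolves to {ip} but this host uses {local_ip}")
    return (True, f"{host} <-> {ip} consistent")
```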