IPA Service Discovery without DNS?


Is it possible to configure IPA for Service Discovery Without DNS and use it with RHEV-M?  When I run the rhevm-manage-domains command, the following error message is displayed:

Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: example.com
Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.

The following error entry is recorded in rhevm-manage-domains.log:

2011-12-20 10:36:55,679 ERROR [org.ovirt.engine.core.dns.DnsSRVLocator] Error in getting SRV list for protocol _tcp and domain EXAMPLE.COM Exception message is DNS name not found [response code 3]

Responses

Aram,

DNS is required, and FQDN (forward and reverse).

Check out this earlier post:

https://access.redhat.com/discussion/rhev-m-setup-often-thinks-ipa-setup-worked-when-it-hasnt

Andrius.

 

This might be possible with some trickery in /etc/hosts and /etc/resolv.conf but I wouldn't recommend it.  Directory services like IPA rely heavily on DNS.  In fact, the IPA WIKI says "...IPA relies heavily on a fully-functional DNS for correct operation."

If your local security policy doesn't prevent it, I'd recommend setting up a forwarding DNS server on the RHEV-M so that you can use IPA.  Here is a brief how-to:

1. Assume corporate DNS is example.com
2. On the RHEV-M install ISC BIND.
3. Create a subdomain of the corporate domain. (example: rhev.example.com)
3.1 You should have both forward and reverse zone files for rhev.example.com.  Add the RHEV-Hs to these zones.
3.2 The RHEV-M should be authoritative for this zone.
3.3 Create a forwarders section in named.conf to forward all non-rhev.example.com requests to the corporate nameservers.  Example:

    options {
        forwarders {
            192.168.1.10 port 53;   /* Corporate DNS server 1 */
            192.168.1.11 port 53;   /* Corporate DNS server 2 */
        };
    };

4. Make sure /etc/resolv.conf on the RHEV-M uses 127.0.0.1 *first* and the domain search list searches rhev.example.com first.  Example:
    [root@rhevm ~]# cat /etc/resolv.conf
    search rhev.example.com example.com
    nameserver 127.0.0.1
5. Point the RHEV-Hs at the RHEV-M for name resolution.
6. Don't forget to open holes in RHEV-M's firewall for DNS.
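A fuller version of the forwarding setup described in the steps above, added here as an illustration; it is not configuration from the original post, RHEV or IPA. It puts the forwarders, the authoritative forward zone and the matching reverse zone into one named.conf and shows the two zone files. Everything not in the post is an assumption: the RHEV-M at 192.168.20.5, a hypervisor rhevh01 at 192.168.20.11, the 192.168.20.0/24 subnet for the RHEV hosts, the /var/named directory and the file names. The corporate servers 192.168.1.10 and 192.168.1.11 are the ones from the post.

```conf
// /etc/named.conf on the RHEV-M (example; all addresses below are assumed)
options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 192.168.20.5; };      // loopback + RHEV-M's own address
    allow-query     { 127.0.0.1; 192.168.20.0/24; };     // RHEV-M itself and the RHEV-Hs only
    allow-recursion { 127.0.0.1; 192.168.20.0/24; };
    recursion yes;
    forwarders { 192.168.1.10 port 53; 192.168.1.11 port 53; };   // step 3.3: corporate DNS
    forward only;   // never try to resolve corporate names directly from the RHEV-M
};

// step 3.2: the RHEV-M is authoritative for the subdomain and for the RHEV subnet's reverse zone
zone "rhev.example.com" IN {
    type master;
    file "rhev.example.com.zone";
    allow-update { none; };
};
zone "20.168.192.in-addr.arpa" IN {
    type master;
    file "20.168.192.in-addr.arpa.zone";
    allow-update { none; };
};

; /var/named/rhev.example.com.zone  (step 3.1, forward zone)
$TTL 3600
@        IN SOA rhevm.rhev.example.com. hostmaster.rhev.example.com. (
                2011122001  ; serial
                3600        ; refresh
                900         ; retry
                604800      ; expire
                300 )       ; negative-cache TTL
         IN NS  rhevm.rhev.example.com.
rhevm    IN A   192.168.20.5
rhevh01  IN A   192.168.20.11

; /var/named/20.168.192.in-addr.arpa.zone  (step 3.1, reverse zone)
$TTL 3600
@        IN SOA rhevm.rhev.example.com. hostmaster.rhev.example.com. (
                2011122001 3600 900 604800 300 )
         IN NS  rhevm.rhev.example.com.
5        IN PTR rhevm.rhev.example.com.
11       IN PTR rhevh01.rhev.example.com.
```

Check the syntax with `named-checkconf /etc/named.conf` and `named-checkzone rhev.example.com /var/named/rhev.example.com.zone` before starting named, then confirm both directions from the RHEV-M itself with `dig @127.0.0.1 rhevh01.rhev.example.com` and `dig @127.0.0.1 -x 192.168.20.11`, since the forward and reverse answers must agree. Two caveats: the reverse zone should cover only addresses the RHEV-M really owns, because any reverse lookup inside an authoritative zone is answered locally (NXDOMAIN for unknown hosts) rather than forwarded, so sharing a /24 with corporate machines would break their reverse resolution from RHEV-Hs; and anything outside this setup, the IPA server included, can only resolve rhev.example.com names if the corporate DNS delegates that subdomain to the RHEV-M with an NS record.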

Aram,

You have to include SRV DNS records for correct service discovery.

Please see http://freeipa.org/page/DNS_Location_Discovery

I can post my DNS zone file later.

At the very end of the IPA installation, it provides you with a link to a sample zone file (or what you need to append to an existing one).

As Pavel had mentioned, there are SRV records that are needed.

If you need assistance with setting up DNS, myself and many others can easily get you on the right track.

Here is an example:

This script provided the following
/tmp/sample.zone.TXBkrl.db
-- Excerpt --

;ldap servers
_ldap._tcp      IN SRV 0 100 389    rhipa01

;kerberos realm
_kerberos       IN TXT AREA51.PRIVATE

; kerberos servers
_kerberos._tcp      IN SRV 0 100 88     rhipa01
_kerberos._udp      IN SRV 0 100 88     rhipa01
_kerberos-master._tcp   IN SRV 0 100 88     rhipa01
_kerberos-master._udp   IN SRV 0 100 88     rhipa01
_kpasswd._tcp       IN SRV 0 100 464    rhipa01
_kpasswd._udp       IN SRV 0 100 464    rhipa01
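To check that a zone actually carries the records Pavel mentions and the excerpt above lists, here is an added example; it is not code from the original thread, RHEV-M or FreeIPA. It parses a BIND master-file excerpt and reports missing or mis-ported SRV records, a missing or mismatched `_kerberos` TXT realm, and SRV targets that have no A record in the zone. The good zone text is constructed from the excerpt above (realm AREA51.PRIVATE, server rhipa01); the A record for rhipa01, its address 192.0.2.10 and the deliberately broken variant are assumptions added for the demonstration.

```python
"""Check a BIND zone excerpt for the SRV/TXT records IPA discovery needs.

Added example, not from the thread, RHEV-M or FreeIPA. GOOD_ZONE is built
from the excerpt posted above; its A record and BAD_ZONE are assumed.
"""
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# SRV owner names (relative to the domain) and the port each must carry,
# per the FreeIPA DNS location discovery page linked in the thread.
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88,
    "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}

GOOD_ZONE = """\
; constructed: the thread's excerpt plus an A record for the SRV target
rhipa01                 IN A   192.0.2.10
_ldap._tcp              IN SRV 0 100 389 rhipa01
_kerberos               IN TXT AREA51.PRIVATE
_kerberos._tcp          IN SRV 0 100 88  rhipa01
_kerberos._udp          IN SRV 0 100 88  rhipa01
_kerberos-master._tcp   IN SRV 0 100 88  rhipa01
_kerberos-master._udp   IN SRV 0 100 88  rhipa01
_kpasswd._tcp           IN SRV 0 100 464 rhipa01
_kpasswd._udp           IN SRV 0 100 464 rhipa01
"""

# constructed broken variant: realm in the wrong case, kpasswd on the
# wrong port, _kpasswd._udp missing, and no A record for the SRV target
BAD_ZONE = """\
_ldap._tcp              IN SRV 0 100 389 rhipa01
_kerberos               IN TXT area51.private
_kerberos._tcp          IN SRV 0 100 88  rhipa01
_kerberos._udp          IN SRV 0 100 88  rhipa01
_kerberos-master._tcp   IN SRV 0 100 88  rhipa01
_kerberos-master._udp   IN SRV 0 100 88  rhipa01
_kpasswd._tcp           IN SRV 0 100 749 rhipa01
"""


def parse_zone(text):
    """Return (srv, txt, a) dicts keyed by owner name.

    Handles one-record-per-line 'owner [ttl] [class] type rdata' lines;
    ';' comments and $-directives are skipped, parenthesised multi-line
    records are not handled.
    """
    srv, txt, a = {}, {}, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype == "SRV":
            prio, weight, port, target = rdata
            srv.setdefault(owner, []).append(
                SRV(int(prio), int(weight), int(port), target))
        elif rtype == "TXT":
            txt.setdefault(owner, []).append(" ".join(rdata).strip('"'))
        elif rtype == "A":
            a.setdefault(owner, []).append(rdata[0])
    return srv, txt, a


def check_ipa_discovery(zone_text, expected_realm):
    """Return a list of problem strings; empty means discovery records are complete."""
    srv, txt, a = parse_zone(zone_text)
    problems, unresolved = [], set()
    for name, port in REQUIRED_SRV.items():
        records = srv.get(name)
        if not records:
            problems.append("missing SRV record %s" % name)
            continue
        for r in records:
            if r.port != port:
                problems.append("%s advertises port %d, expected %d"
                                % (name, r.port, port))
            # a relative target (no trailing dot) needs an A record in this zone
            if not r.target.endswith(".") and r.target not in a:
                unresolved.add(r.target)
    for target in sorted(unresolved):
        problems.append("SRV target %s has no A record in the zone" % target)
    realm = txt.get("_kerberos", [])
    if not realm:
        problems.append("missing _kerberos TXT record (realm name)")
    elif realm[0] != expected_realm:
        problems.append("_kerberos TXT is %r, expected %r (realm names are case-sensitive)"
                        % (realm[0], expected_realm))
    return problems


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        for msg in check_ipa_discovery(zone, "AREA51.PRIVATE") or ["ok"]:
            print("%s: %s" % (label, msg))
```

The good zone reports nothing; the broken one lists each defect separately, so a zone dumped with `dig AXFR` or copied from the server can be fed through it before pointing RHEV-M at the domain. An SRV name that does not exist at all is answered with NXDOMAIN, the "DNS name not found [response code 3]" in the question's log, which is why the missing-record case is the first thing to rule out once the RHEV-M resolves against a server that actually serves the zone.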

fixed