IPA Service Discovery without DNS?
Is it possible to configure IPA for Service Discovery Without DNS and use it with RHEV-M? When I run the rhevm-manage-domains command, the following error message is displayed:
Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.. Problematic domain is: example.com
Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
The following error entry is recorded in rhevm-manage-domains.log:
2011-12-20 10:36:55,679 ERROR [org.ovirt.engine.core.dns.DnsSRVLocator] Error in getting SRV list for protocol _tcp and domain EXAMPLE.COM Exception message is DNS name not found [response code 3]
Responses
This might be possible with some trickery in /etc/hosts and /etc/resolv.conf but I wouldn't recommend it. Directory services like IPA rely heavily on DNS. In fact, the IPA WIKI says "...IPA relies heavily on a fully-functional DNS for correct operation."
If your local security policy doesn't prevent it, I'd recommend setting up a forwarding DNS server on the RHEV-M so that you can use IPA. Here is a brief how-to:
1. Assume corporate DNS is example.com
2. On the RHEV-M install ISC BIND.
3. Create a subdomain of the corporate domain. (example: rhev.example.com)
3.1 You should have both forward and reverse zone files for rhev.example.com. Add the RHEV-Hs to these zones.
3.2. The RHEV-M should be authoritative for this zone.
3.3. Create a forwarders section in named.conf to forward all non-rhev.example.com requests to the corporate nameservers. Example:
options {
    forwarders {
        192.168.1.10 port 53; /* Corporate DNS server 1 */
        192.168.1.11 port 53; /* Corporate DNS server 2 */
    };
};
4. Make sure /etc/resolv.conf on the RHEV-M uses 127.0.0.1 *first* and the domain search list searches rhev.example.com first. Example:
[root@rhevm ~]# cat /etc/resolv.conf
search rhev.example.com example.com
nameserver 127.0.0.1
5. Point the RHEV-Hs at the RHEV-M for name resolution.
6. Don't forget to open holes in RHEV-M's firewall for DNS.
Aram,
You have to include SRV DNS records for correct service discovery.
Please see http://freeipa.org/page/DNS_Location_Discovery
I can post my DNS zone file later.
At the very end of the IPA installation, it provides you with a link to a sample ZONE files (or what you need to append to an existing).
As Pavel had mentioned, there are SRV records that are needed.
If you need assistance with setting up DNS, myself and many others can easily get you on the right track.
Here is an example:
This script provided the following: /tmp/sample.zone.TXBkrl.db /- Excerpt -/
;ldap servers
_ldap._tcp IN SRV 0 100 389 rhipa01
;kerberos realm
_kerberos IN TXT AREA51.PRIVATE
; kerberos servers
_kerberos._tcp IN SRV 0 100 88 rhipa01
_kerberos._udp IN SRV 0 100 88 rhipa01
_kerberos-master._tcp IN SRV 0 100 88 rhipa01
_kerberos-master._udp IN SRV 0 100 88 rhipa01
_kpasswd._tcp IN SRV 0 100 464 rhipa01
_kpasswd._udp IN SRV 0 100 464 rhipa01
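As an added illustration (not code from this thread or from IPA), the Python below parses the SRV records out of a zone excerpt shaped like the one above, expands relative names against $ORIGIN, and answers the _service._proto.domain lookups that RHEV-M's DnsSRVLocator issues, where an empty result is the "DNS name not found" case from the question. The zone text, the realm EXAMPLE.COM and the hosts rhipa01/rhipa02 are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed zone excerpt in the shape of the IPA sample file quoted above;
# realm and host names are placeholders, not values from this thread.
ZONE = """\
$ORIGIN example.com.
; ldap servers
_ldap._tcp            IN SRV 0 100 389 rhipa01
; kerberos realm
_kerberos             IN TXT EXAMPLE.COM
; kerberos servers
_kerberos._tcp        IN SRV 0 100 88  rhipa01
_kerberos._udp        IN SRV 0 100 88  rhipa01
_kerberos-master._tcp IN SRV 0 100 88  rhipa01
_kpasswd._tcp         IN SRV 0 100 464 rhipa01
_kpasswd._tcp         IN SRV 10 100 464 rhipa02
"""

SRV_RE = re.compile(r"^(\S+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
# Service/protocol pairs the sample excerpt publishes for IPA clients.
REQUIRED = (("ldap", "tcp"), ("kerberos", "tcp"), ("kerberos", "udp"),
            ("kpasswd", "tcp"))

def parse_srv(zone):
    """Return {owner_fqdn: [(priority, weight, port, target_fqdn), ...]}."""
    origin, records = ".", defaultdict(list)

    def fqdn(name):  # expand a relative owner/target against the current $ORIGIN
        return (name if name.endswith(".") else f"{name}.{origin}").lower()

    for line in zone.splitlines():
        line = line.split(";", 1)[0].strip()          # strip zone-file comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        elif (m := SRV_RE.match(line)):               # TXT/A/etc. are skipped
            owner, prio, weight, port, target = m.groups()
            records[fqdn(owner)].append((int(prio), int(weight), int(port), fqdn(target)))
    return records

def locate(records, service, proto, domain):
    """Answer the _service._proto.domain lookup; [] means 'DNS name not found'."""
    name = f"_{service}._{proto}.{domain.rstrip('.')}.".lower()
    # RFC 2782 ordering: lowest priority first, then higher weight first
    # (a real resolver picks among equal priorities randomly by weight).
    rrs = sorted(records.get(name, []), key=lambda r: (r[0], -r[1]))
    return [(target, port) for _, _, port, target in rrs]

def missing_srv(records, domain):
    """Lookups from REQUIRED that this zone cannot answer for the domain."""
    return [f"_{s}._{p}.{domain.lower().rstrip('.')}."
            for s, p in REQUIRED if not locate(records, s, p, domain)]
```

Running missing_srv against your own zone before rhevm-manage-domains tells you which of the names from the excerpt are still unanswered.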
