In my ever evolving lab, it came time to integrate Red Hat Enterprise Linux (RHEV) with Identity, Policy, Audit (IPA).There were a few caveats and searching Google didn’t help, so hopefully this article can save you some time.
Integrating the two was fairly straitforward. The biggest challenge was finding a quick and easy way to provide reverse DNS. I use an external DNS provider which does not do reverse DNS for internal IP addresses. This article will dig into how to setup a full blown proof of concept without needing an external DNS server to provide reverse DNS.
For those that might need a brief primer on DNS records, the following article is excellent.
The following items are assumed to be available and working.
- Clean Red Hat Enterprise Linux 6.3+ Server
- Working forward and reverse DNS (both can be satisfied with dnsmasq, described below)
- Fully installed and working Red Hat Enterprise Virtualization (RHEV) environment
- Install IPA on Clean Red Hat Enterprise Linux 6.3+ Server
- Option: Install/Configure Dnsmasq on RHEV Server
- Configure RHEV Domain
Install Identity, Policy, Audit
Option: if an external DNS server is available, the following SRV entries should be added. For those unfamiliar with SRV records, this will allow services such as RHEV or the IPA client to discover the correct Kerberos/LDAP/NTP servers by searching DNS.
_kerberos-master._udp SRV 0 100 88 dc.crunchtools.com.
_kerberos._tcp SRV 0 100 88 dc.crunctools.com.
_kerberos._udp SRV 0 100 88 dc.crunchtools.com.
_kpasswd._tcp SRV 0 100 464 dc.crunchtools.com.
_kpasswd._udp SRV 0 100 464 dc.crunchtools.com.
_ldap._tcp SRV 0 100 389 dc.crunchtools.com.
_ntp._udp SRV 0 100 123 dc.crunchtools.com.
Option: If host based firewall rules are required, the following entries should be added to: /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT
Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP server.
If there is no access to a reverse DNS server, dnsmasq can be installed and configured on the RHEV-M host.
Add the following line to /etc/dnsmasq.conf
Configure the upstream DNS server in /etc/dnsmasq-resolve.conf
Configure the standard DNS resolver to look to local host. This will chain all lookups through the local dnsmasq daemon.
Option: Forward DNS SRV records can also be satisfied with dnsmasq
Red Hat Enterprise Virtualization (RHEV)
Configure the new domain (Version 3.2)
Configure the new domain (Version 3.4)
Finally, here are some techniques used to troubleshoot integrating RHEV and IPA. Some of these are specific to certain versions of RHEV
The RHEV-M logs do not display much information with regard to a reverse DNS issue.
2013-02-25 12:39:16,360 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): crunchtools.com
2013-02-25 12:39:16,360 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: crunchtools.com
2013-02-25 12:39:16,677 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: dc.crunctools.com.
2013-02-25 12:39:16,680 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain crunchtools.com. Details: Kerberos error. Please check log for further details.
The logs for the Kerberos domain will show nothing because the RHEV-M host isn’t resolving the correct controller.
Check the SRV records
Watch DNS and Kerberos activity