Red Hat Enterprise Virtualization (RHEV) & Identity, Policy, Audit (IPA)

Background

In my ever evolving lab, it came time to integrate Red Hat Enterprise Linux (RHEV) with Identity, Policy, Audit (IPA).There were a few caveats and searching Google didn’t help, so hopefully this article can save you some time.

Integrating the two was fairly straitforward. The biggest challenge was finding a quick and easy way to provide reverse DNS. I use an external DNS provider which does not do reverse DNS for internal IP addresses. This article will dig into how to setup a full blown proof of concept without needing an external DNS server to provide reverse DNS.

For those that might need a brief primer on DNS records, the following article is excellent.

 

Installation/Configuration

The following items are assumed to be available and working.

Prerequisites

  • Clean Red Hat Enterprise Linux 6.3+ Server
  • Working forward and reverse DNS (both can be satisfied with dnsmasq, described below)
  • Fully installed and working Red Hat Enterprise Virtualization (RHEV) environment

 

Integration Steps

  • Install IPA on Clean Red Hat Enterprise Linux 6.3+ Server
  • Option: Install/Configure Dnsmasq on RHEV Server
  • Configure RHEV Domain

 

Install Identity, Policy, Audit

Option: if an external DNS server is available, the following SRV entries should be added. For those unfamiliar with SRV records, this will allow services such as RHEV or the IPA client to discover the correct Kerberos/LDAP/NTP servers by searching DNS.

_kerberos-master._tcp SRV 0 100 88 dc.crunchtools.com.
_kerberos-master._udp SRV 0 100 88 dc.crunchtools.com.
_kerberos._tcp SRV 0 100 88 dc.crunctools.com.
_kerberos._udp SRV 0 100 88 dc.crunchtools.com.
_kpasswd._tcp SRV 0 100 464 dc.crunchtools.com.
_kpasswd._udp SRV 0 100 464 dc.crunchtools.com.
_ldap._tcp SRV 0 100 389 dc.crunchtools.com.
_ntp._udp SRV 0 100 123 dc.crunchtools.com.

 

Option: If host based firewall rules are required, the following entries should be added to: /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT

 

Install packages

yum install ipa-server bind bind-dyndb-ldap

 

Configure

ipa-server-install

 

Restart ssh

/etc/init.d/ssh restart

 

Option: Dnsmasq

Reverse DNS lookup of the IPA server is a strict requirement. rDNS can be provided by Dnsmasq, which is available from the base RHEL channel.

Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP server.

If there is no access to a reverse DNS server, dnsmasq can be installed and configured on the RHEV-M host.

yum install dnsmasq

 

Add the following line to /etc/dnsmasq.conf

resolv-file=/etc/dnsmasq-resolv.conf

 

Configure the upstream DNS server in /etc/dnsmasq-resolve.conf

nameserver 192.168.128.1
domain crunchtools.com

 

Configure the standard DNS resolver to look to local host. This will chain all lookups through the local dnsmasq daemon.

nameserver 192.168.128.1
domain crunchtools.com

 

Option: Forward DNS SRV records can also be satisfied with dnsmasq

srv-host=_ldap._tcp.crunchtools.com,dc.crunchtools.com,389,1
srv-host=_kerberos._tcp.crunchtools.com,dc.crunchtools.com,88,1
srv-host=_kerberos._udp.crunchtools.com,dc.crunchtools.com,88,1
srv-host=_kerberos-master._tcp.crunchtools.com,dc.crunchtools.com,88,1
srv-host=_kerberos-master._udp.crunchtools.com,dc.crunchtools.com,88,1
srv-host=_kpasswd._tcp.crunchtools.com,dc.crunchtools.com,464,1
srv-host=_kpasswd._udp.crunchtools.com,dc.crunchtools.com,464,1
srv-host=_ntp._udp.crunchtools.com,dc.crunchtools.com,123,1

 

Red Hat Enterprise Virtualization (RHEV)

Configure the new domain (Version 3.2)

rhevm-manage-domains -action=add -domain=crunchtools.com -realm=CRUNCHTOOLS.COM -user=admin -provider=IPA -passwordFile=/tmp/.pwd

 

Configure the new domain (Version 3.4)

rhevm-manage-domains add --domain=crunchtools.com --resolve-kdc --user=admin --provider=IPA --password-file=/tmp/.pwd

 

Troubleshooting

Finally, here are some techniques used to troubleshoot integrating RHEV and IPA. Some of these are specific to certain versions of RHEV

Logs

The RHEV-M logs do not display much information with regard to a reverse DNS issue.

/var/log/ovirt-engine/engine-manage-domains.log
2013-02-25 12:39:16,233 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): crunchtools.com
2013-02-25 12:39:16,360 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): crunchtools.com
2013-02-25 12:39:16,360 INFO [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: crunchtools.com
2013-02-25 12:39:16,677 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: exception message: dc.crunctools.com.
2013-02-25 12:39:16,680 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain crunchtools.com. Details: Kerberos error. Please check log for further details.

 

The logs for the Kerberos domain will show nothing because the RHEV-M host isn’t resolving the correct controller.

/var/log/krb5kdc.log

 

Network

Check the SRV records

host -t SRV _kerberos._tcp.CRUNCHTOOLS.COM

 

Watch DNS and Kerberos activity

tcpdump -i any port 88 or port 53

 

One comment on “Red Hat Enterprise Virtualization (RHEV) & Identity, Policy, Audit (IPA)”

Leave a Reply

Your email address will not be published. Required fields are marked *