---
# Red Hat Enterprise Virtualization (RHEV) & Identity, Policy, Audit (IPA)

**URL:** https://crunchtools.com/rhev-ipa/
Date: 2013-02-26
Author: fatherlinux
Post Type: post
Summary: Background: In my ever evolving lab, it came time to integrate Red Hat Enterprise Virtualization (RHEV) with Identity, Policy, Audit (IPA). There were a few caveats and searching Google didn't help, so hopefully this article can save you some time. Integrating the two was fairly straightforward. The biggest challenge was finding a quick and easy way to provide reverse DNS.
Categories: Articles
Tags: Systems Administration, Tutorials, Virtualization
---

## Background

In my ever [evolving lab](http://crunchtools.com/crunchtools-lab-environment/), it came time to integrate [Red Hat Enterprise Virtualization (RHEV)](https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Virtualization/3.1/html/Administration_Guide/sect-Directory_Users.html) with [Identity, Policy, Audit (IPA)](https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/). There were a few caveats and searching Google didn't help, so hopefully this article can save you some time.

Integrating the two was fairly straightforward. The biggest challenge was finding a quick and easy way to provide reverse DNS. I use an external DNS provider which does not do reverse DNS for internal IP addresses. This article digs into how to set up a full-blown proof of concept without needing an external DNS server to provide reverse DNS.

For those that might need a brief primer on DNS records, the following [article](http://www.debianhelp.co.uk/dnsrecords.htm) is excellent.

 


## Installation/Configuration

The following items are assumed to be available and working.

### Prerequisites

 	- Clean Red Hat Enterprise Linux 6.3+ Server

 	- Working forward and reverse DNS (both can be satisfied with dnsmasq, described below)

 	- Fully installed and working Red Hat Enterprise Virtualization (RHEV) environment

 

## Integration Steps

 	- Install IPA on Clean Red Hat Enterprise Linux 6.3+ Server

 	- Option: Install/Configure Dnsmasq on RHEV Server

 	- Configure RHEV Domain

 

### Install Identity, Policy, Audit

Option: if an external DNS server is available, add the following SRV entries to the crunchtools.com zone. For those unfamiliar with SRV records, they let services such as RHEV or the IPA client discover the correct Kerberos, LDAP and NTP servers by querying DNS; the fields after SRV are priority, weight, port and target. The target must be the IPA server's exact fully qualified name: a mistyped target is reported by the RHEV engine as nothing more than an unresolvable hostname (see Troubleshooting).

```
_kerberos-master._tcp	SRV	0 100 88 dc.crunchtools.com.
_kerberos-master._udp	SRV	0 100 88 dc.crunchtools.com.
_kerberos._tcp			SRV	0 100 88 dc.crunchtools.com.
_kerberos._udp			SRV	0 100 88 dc.crunchtools.com.
_kpasswd._tcp			SRV	0 100 464 dc.crunchtools.com.
_kpasswd._udp			SRV	0 100 464 dc.crunchtools.com.
_ldap._tcp				SRV	0 100 389 dc.crunchtools.com.
_ntp._udp				SRV	0 100 123 dc.crunchtools.com.
```

 

Option: if host-based firewall rules are required, add the following entries to /etc/sysconfig/iptables. They must sit above the INPUT chain's final REJECT rule, because rules appended after it are never reached. If IPA is also going to serve DNS, open 53/tcp and 53/udp the same way.

```
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT
```

 

Install the packages (bind and bind-dyndb-ldap are only needed if IPA is to serve DNS itself):

`yum install ipa-server bind bind-dyndb-ldap`

Configure the server. Add `--setup-dns` if IPA should host the zone; in that case the installer creates the SRV records above itself.

`ipa-server-install`

Restart sshd so it picks up the configuration the installer wrote. Note that the RHEL init script is sshd, not ssh:

`/etc/init.d/sshd restart`

 

### Option: Dnsmasq

Reverse DNS lookup of the IPA server is a **[strict requirement](https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Virtualization/3.1/html/Administration_Guide/sect-Directory_Users.html)**. rDNS can be provided by [Dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html), which is available from the base RHEL [channel](https://rhn.redhat.com/network/software/channels/details.pxt?cid=10486).
> Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP server.

If there is no access to a reverse DNS server, dnsmasq can be installed and configured on the RHEV-M host.

`yum install dnsmasq`

 

Add the following line to /etc/dnsmasq.conf. It makes dnsmasq take its upstream servers from a dedicated file instead of /etc/resolv.conf, which is about to point back at dnsmasq itself.

`resolv-file=/etc/dnsmasq-resolv.conf`

Configure the upstream DNS server in /etc/dnsmasq-resolv.conf (the same file named above):

```
nameserver 192.168.128.1
domain crunchtools.com
```

dnsmasq answers forward (A) and reverse (PTR) queries from /etc/hosts, so the IPA server needs a line there mapping its address to its fully qualified name; that entry is what satisfies RHEV's reverse DNS requirement. Then point the standard resolver in /etc/resolv.conf at localhost, which chains every lookup on the RHEV-M host through the local dnsmasq daemon:

```
nameserver 127.0.0.1
domain crunchtools.com
```

Start the dnsmasq service and enable it at boot once the files are in place.

 

Option: the forward SRV records can also be served by dnsmasq instead of an external DNS server. Add the following to /etc/dnsmasq.conf and restart dnsmasq. Note the field order: target, port, priority (and optionally weight), which is the reverse of a zone file's priority, weight, port, target.

```
srv-host=_ldap._tcp.crunchtools.com,dc.crunchtools.com,389,1
srv-host=_kerberos._tcp.crunchtools.com,dc.crunchtools.com,88,1
srv-host=_kerberos._udp.crunchtools.com,dc.crunchtools.com,88,1
srv-host=_kerberos-master._tcp.crunchtools.com,dc.crunchtools.com,88,1
srv-host=_kerberos-master._udp.crunchtools.com,dc.crunchtools.com,88,1
srv-host=_kpasswd._tcp.crunchtools.com,dc.crunchtools.com,464,1
srv-host=_kpasswd._udp.crunchtools.com,dc.crunchtools.com,464,1
srv-host=_ntp._udp.crunchtools.com,dc.crunchtools.com,123,1
```
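The script below is an added example, not code from the original post. It ties the dnsmasq steps above together: it generates the srv-host lines from the same list of services as the zone-file SRV records in the IPA section, refuses to apply them if any SRV target has no hosts entry for dnsmasq to answer from (the check that would have caught a mistyped target), and then writes the hosts entry, resolver files and SRV lines described above. The IPA server's address (192.168.128.10) is an assumption, since the post never states it; the upstream resolver is the post's 192.168.128.1, and the HOSTS_FILE, DNSMASQ_CONF and DNSMASQ_RESOLV overrides exist only so the functions can be exercised against scratch files.

```shell
#!/bin/bash
# Added example, not from the original post: build the dnsmasq side of the RHEV-M
# host from one description of the IPA server, and refuse to apply it if an SRV
# target has no hosts entry for dnsmasq to answer from.
# Assumption (not stated in the post): the IPA server dc.crunchtools.com is at
# 192.168.128.10. The upstream resolver 192.168.128.1 is the post's own value.
set -u

IPA_FQDN="dc.crunchtools.com"
IPA_IP="192.168.128.10"               # assumption
DOMAIN="crunchtools.com"
UPSTREAM="192.168.128.1"
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
DNSMASQ_CONF="${DNSMASQ_CONF:-/etc/dnsmasq.conf}"
DNSMASQ_RESOLV="${DNSMASQ_RESOLV:-/etc/dnsmasq-resolv.conf}"

# True if $1 appears as a name (not the address) on a non-comment line of hosts file $2.
in_hosts() {
    awk -v h="$1" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
                   END { exit !found }' "$2"
}

# One srv-host= line per record an IPA client or RHEV-M discovers through DNS.
# dnsmasq's field order is target,port,priority,weight; a zone file's is
# "priority weight port target", so the two are easy to mix up. Priority 0 and
# weight 100 mirror the zone-file records shown earlier.
gen_srv_lines() {                     # $1 = domain, $2 = target FQDN
    local domain="$1" target="$2" rec
    for rec in _kerberos-master._tcp:88 _kerberos-master._udp:88 \
               _kerberos._tcp:88 _kerberos._udp:88 \
               _kpasswd._tcp:464 _kpasswd._udp:464 \
               _ldap._tcp:389 _ntp._udp:123; do
        printf 'srv-host=%s.%s,%s,%s,0,100\n' "${rec%%:*}" "$domain" "$target" "${rec##*:}"
    done
}

# dnsmasq answers A and PTR queries from the hosts file, so every SRV target must be
# listed there; otherwise the engine's Kerberos test fails and its log shows nothing
# but the unresolvable name. Reads srv-host lines on stdin; returns 1 and names each
# missing target on stderr.
check_srv_targets() {                 # $1 = hosts file
    local hosts="$1" line target rc=0
    while IFS= read -r line; do
        case "$line" in srv-host=*) ;; *) continue ;; esac
        target=${line#*,}             # drop the service name
        target=${target%%,*}          # keep the target field
        if ! in_hosts "$target" "$hosts"; then
            echo "no hosts entry for SRV target $target" >&2
            rc=1
        fi
    done
    return "$rc"
}

apply() {
    local srv line
    # 1. hosts entry for the IPA server: this is where the PTR answer comes from
    in_hosts "$IPA_FQDN" "$HOSTS_FILE" \
        || printf '%s\t%s %s\n' "$IPA_IP" "$IPA_FQDN" "${IPA_FQDN%%.*}" >> "$HOSTS_FILE"
    # 2. upstream resolver in dnsmasq's own file, referenced from dnsmasq.conf
    printf 'nameserver %s\ndomain %s\n' "$UPSTREAM" "$DOMAIN" > "$DNSMASQ_RESOLV"
    grep -qxF "resolv-file=$DNSMASQ_RESOLV" "$DNSMASQ_CONF" \
        || echo "resolv-file=$DNSMASQ_RESOLV" >> "$DNSMASQ_CONF"
    # 3. SRV records, only after confirming every target resolves locally
    srv=$(gen_srv_lines "$DOMAIN" "$IPA_FQDN")
    printf '%s\n' "$srv" | check_srv_targets "$HOSTS_FILE" || return 1
    printf '%s\n' "$srv" | while IFS= read -r line; do
        grep -qxF "$line" "$DNSMASQ_CONF" || echo "$line" >> "$DNSMASQ_CONF"
    done
    # 4. chain the host's own lookups through dnsmasq and bring it up
    printf 'nameserver 127.0.0.1\ndomain %s\n' "$DOMAIN" > /etc/resolv.conf
    service dnsmasq restart && chkconfig dnsmasq on
    # 5. the two lookups RHEV-M depends on, asked of dnsmasq directly
    host -t SRV "_kerberos._tcp.$DOMAIN" 127.0.0.1
    host "$IPA_IP" 127.0.0.1
}

# Run with --apply as root on the RHEV-M host; sourcing the file only defines the functions.
if [ "${1:-}" = "--apply" ]; then apply; fi
```

The validation step is the point of the script: a target that is not in /etc/hosts is rejected before dnsmasq is restarted, rather than surfacing later as a bare hostname in the engine's log.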

 

### Red Hat Enterprise Virtualization (RHEV)

Configure the new domain. With RHEV 3.2 the syntax is:

`rhevm-manage-domains -action=add -domain=crunchtools.com -realm=CRUNCHTOOLS.COM -user=admin -provider=IPA -passwordFile=/tmp/.pwd`

With RHEV 3.4:

`rhevm-manage-domains add --domain=crunchtools.com --resolve-kdc --user=admin --provider=IPA --password-file=/tmp/.pwd`

The password file is read once, so create it with mode 0600 and delete it as soon as the domain has been added; /tmp is readable by every local user. The account named with the user option is what the engine binds to IPA as, and a dedicated, least-privileged directory user is preferable to admin. The command tests the Kerberos configuration immediately, which is where a reverse DNS or SRV problem first shows up (see Troubleshooting).

 

## Troubleshooting

Finally, here are some techniques used to troubleshoot integrating RHEV and IPA. Some of these are specific to certain versions of RHEV.

### Logs

The RHEV-M logs do not display much information with regard to a reverse DNS issue. The only clue in the KerberosConfigCheck line is the exception message, which is nothing but the hostname the engine failed to resolve, so compare that name character by character with the SRV target and the hosts entry.

`/var/log/ovirt-engine/engine-manage-domains.log`

```
2013-02-25 12:39:16,233 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Creating kerberos configuration for domain(s): crunchtools.com
2013-02-25 12:39:16,360 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Successfully created kerberos configuration for domain(s): crunchtools.com
2013-02-25 12:39:16,360 INFO  [org.ovirt.engine.core.utils.kerberos.ManageDomains] Testing kerberos configuration for domain: crunchtools.com
2013-02-25 12:39:16,677 ERROR [org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error:  exception message: dc.crunctools.com.
2013-02-25 12:39:16,680 ERROR [org.ovirt.engine.core.utils.kerberos.ManageDomains] Failure while testing domain crunchtools.com. Details: Kerberos error. Please check log for further details.
```

 

The KDC log on the IPA server will show nothing, because the request never reaches it: the RHEV-M host isn't resolving the correct controller.

`/var/log/krb5kdc.log`

 

### Network

Check the SRV records

`host -t SRV _kerberos._tcp.CRUNCHTOOLS.COM`

 

Watch DNS and Kerberos activity. The -n flag stops tcpdump from doing its own reverse lookups, which would otherwise add port 53 traffic of its own to the capture.

`tcpdump -n -i any port 88 or port 53`
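The script below is an added example, not code from the original post. It automates the checks in this section: it recovers the name the engine could not resolve from engine-manage-domains.log, verifies forward and reverse resolution for that name through the system resolver (getent, which honours /etc/hosts and dnsmasq alike), and confirms that the _kerberos._tcp SRV record points at a name passing the same test. The log path and domain are the post's; the --run switch and the LOG/DOMAIN overrides are mine, and the sample log text used to exercise the parser is constructed from the lines quoted above.

```shell
#!/bin/bash
# Added example, not from the original post: recover the name the engine could not
# resolve from engine-manage-domains.log and check the forward, reverse and SRV
# lookups for it from the RHEV-M host.
set -u

LOG="${LOG:-/var/log/ovirt-engine/engine-manage-domains.log}"
DOMAIN="${DOMAIN:-crunchtools.com}"

# The KerberosConfigCheck ERROR line carries nothing but the name Java failed to
# resolve, with a trailing dot. Prints each distinct such name, one per line.
failed_hosts_from_log() {             # log text on stdin
    sed -n 's/.*KerberosConfigCheck] Error: *exception message: \([^ ]*\)\.$/\1/p' | sort -u
}

# Extracts the first SRV target from `host -t SRV` output on stdin, without the
# trailing dot; prints nothing for NXDOMAIN or an empty answer.
srv_target() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Forward lookup, then reverse lookup of the answer; the reverse name must come back
# as the same FQDN, which is the rDNS requirement RHEV enforces for the IPA server.
check_forward_reverse() {             # $1 = fqdn
    local fqdn="$1" ip ptr
    ip=$(getent hosts "$fqdn" | awk 'NR == 1 { print $1 }')
    if [ -z "$ip" ]; then
        echo "FORWARD  $fqdn: no answer (mistyped SRV target, or name missing from hosts/DNS)" >&2
        return 1
    fi
    ptr=$(getent hosts "$ip" | awk 'NR == 1 { print $2 }')
    if [ "$ptr" != "$fqdn" ]; then
        echo "REVERSE  $ip -> ${ptr:-no answer}, expected $fqdn" >&2
        return 1
    fi
    echo "OK       $fqdn <-> $ip"
}

# The engine finds the KDC through SRV; confirm the record exists and that its
# target passes the forward/reverse check above.
check_srv() {                         # $1 = realm/domain
    local target
    target=$(host -t SRV "_kerberos._tcp.$1" 2>/dev/null | srv_target)
    if [ -z "$target" ]; then
        echo "SRV      _kerberos._tcp.$1: no record" >&2
        return 1
    fi
    echo "SRV      _kerberos._tcp.$1 -> $target"
    check_forward_reverse "$target"
}

main() {
    local name rc=0
    for name in $(failed_hosts_from_log < "$LOG"); do
        echo "== $LOG reported unresolvable: $name"
        check_forward_reverse "$name" || rc=1
    done
    check_srv "$DOMAIN" || rc=1
    return "$rc"
}

# Run with --run on the RHEV-M host; sourcing the file only defines the functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

Running it after a failed rhevm-manage-domains turns the one-word exception message into a concrete answer: either the forward lookup of that name fails (the SRV target is wrong) or the reverse lookup of its address does not return the same FQDN (the rDNS requirement is unmet).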

 
