Bug 2083336

Summary: Instructions for Kerberos auth against AD with gssproxy are conflicting and as a result don't work
Product: Red Hat Satellite
Reporter: Pablo Hess <phess>
Component: Authentication
Assignee: Adam Lazik <alazik>
Status: CLOSED CURRENTRELEASE
QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: medium
Priority: unspecified
Version: 6.10.6
CC: agadhave, ahumbe, alazik, jentrena, mdolezel, mhulan, phillip.allen
Target Milestone: Unspecified
Keywords: Documentation, Triaged
Target Release: Unused
Flags: mdolezel: needinfo? (agadhave)
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2023-07-27 10:32:20 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Pablo Hess 2022-05-09 18:07:54 UTC
Document URL: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.10/html/administering_red_hat_satellite/chap-administering-configuring_external_authentication#configuring-direct-ad-integration-with-gss-proxy_admin

Section Number and Name: 13.3.3 Configuring Direct AD Integration with GSS-proxy

Describe the issue: The instructions at step 5 (code box 5 in the Procedure section) set gssproxy to point to `/etc/krb5.keytab` as its keytab:
====
5. Create the /etc/gssproxy/00-http.conf file with the following content:

[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab   <===== pointing to krb5.keytab
====

...but the next step, instead, points to `/etc/httpd/conf/http.keytab` when downloading the key from AD to the keytab:
====
6. Create a keytab entry:

# KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf
# chown root.apache /etc/httpd/conf/http.keytab
# chmod 640 /etc/httpd/conf/http.keytab
====

This causes the right key to reside in a keytab that is not the one used by gssproxy, thus rendering Kerberos auth with gssproxy permanently unsuccessful on Satellite.

Suggestions for improvement: Modify step #5 to point to /etc/httpd/conf/http.keytab as below:
====
5. Create the /etc/gssproxy/00-http.conf file with the following content:

[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/httpd/conf/http.keytab    <==== point to http.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = ID_of_Apache_User
====

Additional information: This bug has been present since "forever", so it would be even better if we could fix the docs for all Satellite releases we currently support.
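The mismatch described in this report is easy to catch mechanically: the keytab path gssproxy is told to read in `/etc/gssproxy/00-http.conf` must be the same file that the `KRB5_KTNAME=FILE:...` prefix of the `net ads keytab add` step writes to, and that file must then actually contain an `HTTP/<fqdn>` principal. The following Python script is an added example, not part of the bug report, the Satellite documentation or the foreman-documentation project. It embeds the documented and the proposed step 5 content and the step 6 command from the report above; the `klist -kt` output and the host name `satellite.example.com` are constructed samples, and `euid = ID_of_Apache_User` is kept as the report's own placeholder.

```python
"""Check that gssproxy's cred_store keytab is the keytab `net ads keytab add`
populated, and that the HTTP service principal is present in it.

Added example; not code from the bug report or the Satellite docs. The two
gssproxy config texts and the keytab command are copied from the report; the
klist output and host name are constructed for the demonstration.
"""
import re

# Step 5 as documented: gssproxy reads /etc/krb5.keytab
GSSPROXY_CONF_DOCUMENTED = """\
[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
"""

# Step 5 as the reporter proposes: gssproxy reads http.keytab
# (euid keeps the report's placeholder; substitute the real apache UID)
GSSPROXY_CONF_PROPOSED = """\
[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/httpd/conf/http.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = ID_of_Apache_User
"""

# Step 6 as documented: the HTTP key is written to http.keytab
KEYTAB_ADD_CMD = (
    "KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab "
    "net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf"
)

# Constructed sample of `klist -kt /etc/httpd/conf/http.keytab` output
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/09/2022 18:07:54 HTTP/satellite.example.com@EXAMPLE.COM
   2 05/09/2022 18:07:54 HTTP/satellite.example.com@EXAMPLE.COM
"""


def gssproxy_keytab(conf_text, service="HTTP"):
    """Return the path from the `cred_store = keytab:<path>` line of the
    [service/<service>] section, or None if that section has no keytab."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != f"service/{service}":
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "cred_store":
            kind, _, path = value.strip().partition(":")
            if kind == "keytab":
                return path
    return None


def ktname_keytab(cmd):
    """Return the keytab path from a KRB5_KTNAME=[FILE:]<path> prefix, or None."""
    m = re.search(r"KRB5_KTNAME=(?:FILE:)?(\S+)", cmd)
    return m.group(1) if m else None


def keytab_paths_agree(conf_text, cmd):
    """True when gssproxy reads the same keytab that the net command wrote."""
    return gssproxy_keytab(conf_text) == ktname_keytab(cmd)


def principals_in_klist(klist_text):
    """Parse `klist -kt` output (KVNO, date, time, principal) into a set."""
    principals = set()
    for line in klist_text.splitlines():
        m = re.match(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)$", line)
        if m:
            principals.add(m.group(1))
    return principals


def has_http_principal(klist_text, host):
    """True when an HTTP/<host> entry (any realm) exists in the keytab listing."""
    names = {p.split("@", 1)[0] for p in principals_in_klist(klist_text)}
    return f"HTTP/{host}" in names


def report(conf_text, cmd, klist_text, host):
    """Return human-readable findings; an empty list means the setup is consistent."""
    findings = []
    if not keytab_paths_agree(conf_text, cmd):
        findings.append(
            f"gssproxy reads {gssproxy_keytab(conf_text)} but the key was "
            f"added to {ktname_keytab(cmd)}"
        )
    if not has_http_principal(klist_text, host):
        findings.append(f"no HTTP/{host} principal in the keytab listing")
    return findings


if __name__ == "__main__":
    host = "satellite.example.com"  # constructed
    for label, conf in (("documented", GSSPROXY_CONF_DOCUMENTED),
                        ("proposed", GSSPROXY_CONF_PROPOSED)):
        print(label, report(conf, KEYTAB_ADD_CMD, KLIST_OUTPUT, host) or "OK")
```

On a real Satellite host the same functions can be fed `open("/etc/gssproxy/00-http.conf").read()`, the command line from the installed docs, and the stdout of `klist -kt /etc/httpd/conf/http.keytab`; the documented configuration produces the path-mismatch finding, the proposed one produces none.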

Comment 4 Adam Lazik 2023-07-24 13:03:59 UTC
Hello!

Created PR to address the issue: https://github.com/theforeman/foreman-documentation/pull/2304