Created attachment 1122061
fix from the foreman

Description of problem:
After setting up a realm proxy on a capsule, attempts to provision hosts using that IPA realm fail and roll back due to an authorization failure during the kerberos handshake with the IPA server.

foreman-prepare-realm and katello-installer commands to install the realm component both complete successfully with no error.

~~~
, [2016-02-02T21:43:41.673529 #20314] INFO -- : TFTP: entry for 00:50:56:b9:e4:51 created successfully
172.22.1.4 - - [02/Feb/2016 21:43:41] "POST /tftp/syslinux/00:50:56:b9:e4:51 HTTP/1.1" 200 - 0.0107
D, [2016-02-02T21:43:42.194151 #20314] DEBUG -- : Starting task: /usr/bin/wget --timeout=10 --tries=3 --no-check-certificate -nv -c "http://sat6.home.gatwards.org/pulp/repos/GatwardIT/Library/content/dist/rhel/server/7/7.2/x86_64/kickstart//images/pxeboot/vmlinuz" -O "/var/lib/tftpboot/boot/RedHat-7.2-x86_64-vmlinuz"
172.22.1.4 - - [02/Feb/2016 21:43:42] "POST /tftp/fetch_boot_file HTTP/1.1" 200 - 0.0253
D, [2016-02-02T21:43:42.293276 #20314] DEBUG -- : Starting task: /usr/bin/wget --timeout=10 --tries=3 --no-check-certificate -nv -c "http://sat6.home.gatwards.org/pulp/repos/GatwardIT/Library/content/dist/rhel/server/7/7.2/x86_64/kickstart//images/pxeboot/initrd.img" -O "/var/lib/tftpboot/boot/RedHat-7.2-x86_64-initrd.img"
172.22.1.4 - - [02/Feb/2016 21:43:42] "POST /tftp/fetch_boot_file HTTP/1.1" 200 - 0.0206
I, [2016-02-02T21:43:42.477477 #20314] INFO -- : freeipa: realm keytab is '/etc/foreman-proxy/freeipa.keytab' and using principal 'realm-capsule.ORG'
I, [2016-02-02T21:43:42.477684 #20314] INFO -- : freeipa: realm HOME.GATWARDS.ORG
I, [2016-02-02T21:43:42.477819 #20314] INFO -- : freeipa: server is https://auth1.home.gatwards.org/ipa/xml
I, [2016-02-02T21:43:42.479634 #20314] INFO -- : Requesting credentials for Kerberos principal realm-capsule.ORG using keytab /etc/foreman-proxy/freeipa.keytab
D, [2016-02-02T21:43:42.826386 #20314] DEBUG -- : Kerberos credential cache initialised with principal: realm-capsule.ORG
E, [2016-02-02T21:43:44.242376 #20314] ERROR -- : Authorization failed. HTTP-Error: 401 Unauthorized
D, [2016-02-02T21:43:44.242507 #20314] DEBUG -- : /usr/share/ruby/xmlrpc/client.rb:484:in `do_rpc'
/usr/share/ruby/xmlrpc/client.rb:279:in `call2'
/usr/share/ruby/xmlrpc/client.rb:260:in `call'
/usr/share/foreman-proxy/modules/realm/freeipa.rb:101:in `create'
/usr/share/foreman-proxy/modules/realm/realm_api.rb:28:in `block in <class:Api>'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:1293:in `call'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:1293:in `block in compile!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:860:in `[]'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:860:in `block (3 levels) in route!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:876:in `route_eval'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:860:in `block (2 levels) in route!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:897:in `block in process_route'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:895:in `catch'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:895:in `process_route'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:859:in `block in route!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:858:in `each'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:858:in `route!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:963:in `block in dispatch!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:946:in `block in invoke'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:946:in `catch'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:946:in `invoke'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:960:in `dispatch!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:794:in `block in call!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:946:in `block in invoke'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:946:in `catch'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:946:in `invoke'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:794:in `call!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:780:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/commonlogger.rb:20:in `call'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:161:in `call'
/usr/share/foreman-proxy/lib/proxy/log.rb:35:in `call'
/usr/share/gems/gems/rack-protection-1.5.0/lib/rack/protection/xss_header.rb:18:in `call'
/usr/share/gems/gems/rack-protection-1.5.0/lib/rack/protection/path_traversal.rb:16:in `call'
/usr/share/gems/gems/rack-protection-1.5.0/lib/rack/protection/json_csrf.rb:18:in `call'
/usr/share/gems/gems/rack-protection-1.5.0/lib/rack/protection/base.rb:49:in `call'
/usr/share/gems/gems/rack-protection-1.5.0/lib/rack/protection/base.rb:49:in `call'
/usr/share/gems/gems/rack-protection-1.5.0/lib/rack/protection/frame_options.rb:31:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/nulllogger.rb:9:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/head.rb:9:in `call'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/showexceptions.rb:21:in `call'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:124:in `call'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:1417:in `block in call'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:1499:in `synchronize'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:1417:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/builder.rb:134:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/urlmap.rb:64:in `block in call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/urlmap.rb:49:in `each'
/usr/share/gems/gems/rack-1.4.1/lib/rack/urlmap.rb:49:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/builder.rb:134:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/handler/webrick.rb:59:in `service'
/usr/share/ruby/webrick/httpserver.rb:138:in `service'
/usr/share/ruby/webrick/httpserver.rb:94:in `run'
/usr/share/ruby/webrick/server.rb:295:in `block in start_thread'
172.22.1.4 - - [02/Feb/2016 21:43:44] "POST /realm/HOME.GATWARDS.ORG/ HTTP/1.1" 400 50 1.8302
D, [2016-02-02T21:43:44.383020 #20314] DEBUG -- : TFTP: entry for 00:50:56:b9:e4:51 removed successfully
172.22.1.4 - - [02/Feb/2016 21:43:44] "DELETE /tftp/syslinux/00:50:56:b9:e4:51 HTTP/1.1" 200 - 0.0105
~~~

Version-Release number of selected component (if applicable):
Satellite 6.1.6 installed on RHEL 7.2
IPA Server 4.2.0 installed on RHEL 7.2 (ipa-server-4.2.0-15.el7_2.3.x86_64)

How reproducible:
100% reproducible - simply attempting to create a new host entry with the Realm defined gets this error.

Actual results:
Failed to provision due to authorization failure during the kerberos handshake

Expected results:
Successfully provisioned

Additional info:
Upstream foreman bug for this issue appears to be resolved in foreman 1.10.1
http://projects.theforeman.org/issues/12555
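The sequence visible in the log above (credential cache initialised, then a 401 on the IPA XML-RPC call, then the TFTP entry removed) can be picked out of a foreman-proxy log with a small triage script. This is an added example, not part of the original report and not foreman-proxy code; the function name, diagnosis labels and sample lines are assumptions, and it assumes one log entry per line with requests not interleaved.

```ruby
# Added example, not foreman-proxy code. SAMPLE is constructed in the log format
# shown in the report; principal, realm, IP and MAC are placeholders.
SAMPLE = <<~LOG
  I, [2016-02-02T21:43:42.479634 #20314]  INFO -- : Requesting credentials for Kerberos principal realm-proxy@EXAMPLE.TEST using keytab /etc/foreman-proxy/freeipa.keytab
  D, [2016-02-02T21:43:42.826386 #20314] DEBUG -- : Kerberos credential cache initialised with principal: realm-proxy@EXAMPLE.TEST
  E, [2016-02-02T21:43:44.242376 #20314] ERROR -- : Authorization failed. HTTP-Error: 401 Unauthorized
  192.0.2.4 - - [02/Feb/2016 21:43:44] "POST /realm/EXAMPLE.TEST/ HTTP/1.1" 400 50 1.8302
  192.0.2.4 - - [02/Feb/2016 21:43:44] "DELETE /tftp/syslinux/00:50:56:00:00:01 HTTP/1.1" 200 - 0.0105
LOG

LOGGER_RE = /\A[A-Z], \[(?<ts>\S+) #(?<pid>\d+)\]\s+\w+ -- : (?<msg>.*)\z/
ACCESS_RE = %r{"(?<verb>[A-Z]+) (?<path>\S+) HTTP/[\d.]+" (?<status>\d{3})}

# Returns one hash per realm request that ended in an authorization error.
def triage_realm_failures(lines)
  findings = []
  attempt = nil # keytab login currently being tracked
  failed = nil  # last failed realm request, waiting for its rollback line
  lines.each do |raw|
    line = raw.strip
    if (m = LOGGER_RE.match(line))
      case m[:msg]
      when /\ARequesting credentials for Kerberos principal (\S+) using keytab (\S+)/
        attempt = { principal: $1, keytab: $2, at: m[:ts], tgt: false, http_error: nil }
      when /\AKerberos credential cache initialised/
        attempt[:tgt] = true if attempt
      when /\AAuthorization failed\. HTTP-Error: (\d{3})/
        attempt[:http_error] = $1.to_i if attempt
      end
    elsif (m = ACCESS_RE.match(line))
      if m[:verb] == 'POST' && m[:path].start_with?('/realm/') && attempt
        if attempt[:http_error]
          # A TGT followed by an HTTP error: the keytab login worked, the IPA API call was refused.
          attempt[:diagnosis] = attempt[:tgt] ? :rejected_after_tgt : :no_tgt
          attempt[:realm_status] = m[:status].to_i
          findings << (failed = attempt)
        end
        attempt = nil
      elsif m[:verb] == 'DELETE' && failed && (mac = m[:path][%r{\A/tftp/syslinux/(\S+)\z}, 1])
        failed[:rolled_back] = mac # provisioning was rolled back for this MAC
        failed = nil
      end
    end
  end
  findings
end
```

Backtrace continuation lines match neither pattern and are skipped, so a real log can be passed in with `File.foreach(path)`.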
Connecting redmine issue http://projects.theforeman.org/issues/12555 from this bug
VERIFIED With sat62-snap9.0

~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: kbidarka.COM

Valid starting       Expires              Service principal
04/29/2016 10:16:25  04/30/2016 10:16:20  krbtgt/ABC.REDHAT.COM.COM
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1501