Bug 1305402 - Unable to provision hosts using IPA realm Proxy in Capsule
Unable to provision hosts using IPA realm Proxy in Capsule
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Capsule (Show other bugs)
6.1.6
Unspecified Unspecified
high Severity high (vote)
: Beta
: --
Assigned To: Dmitri Dolguikh
Kedar Bidarkar
http://projects.theforeman.org/issues...
: Triaged
Depends On: 1313748
Blocks: 1314396
  Show dependency treegraph
 
Reported: 2016-02-07 20:19 EST by Ashfaqur Rahaman
Modified: 2016-07-27 05:22 EDT (History)
14 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Kerberos issues with IPA Realm integration would cause provisioning to fail in Satellite 6.1. This has been resolved in Satellite 6.2, and provisioning will work with this setup.
Story Points: ---
Clone Of:
: 1314396 (view as bug list)
Environment:
Last Closed: 2016-07-27 05:22:48 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
fix from the foreman (5.14 KB, text/plain)
2016-02-07 20:19 EST, Ashfaqur Rahaman
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 12555 None None None 2016-02-07 20:19 EST

  None (edit)
Description Ashfaqur Rahaman 2016-02-07 20:19:26 EST
Created attachment 1122061 [details]
fix from the foreman

Description of problem:

After setting up a realm proxy on a capsule, attempts to provision hosts using that IPA realm fail and roll back due to an authorization failure during the kerberos handshake with the IPA server.

foreman-prepare-realm and katello-installer commands to install the realm component both complete successfully with no error. 

~~~
, [2016-02-02T21:43:41.673529 #20314]  INFO -- : TFTP: entry for 00:50:56:b9:e4:51 created successfully
172.22.1.4 - - [02/Feb/2016 21:43:41] "POST /tftp/syslinux/00:50:56:b9:e4:51 HTTP/1.1" 200 - 0.0107
D, [2016-02-02T21:43:42.194151 #20314] DEBUG -- : Starting task: /usr/bin/wget --timeout=10 --tries=3 --no-check-certificate -nv -c "http://sat6.home.gatwards.org/pulp/repos/GatwardIT/Library/content/dist/rhel/server/7/7.2/x86_64/kickstart//images/pxeboot/vmlinuz" -O "/var/lib/tftpboot/boot/RedHat-7.2-x86_64-vmlinuz"
172.22.1.4 - - [02/Feb/2016 21:43:42] "POST /tftp/fetch_boot_file HTTP/1.1" 200 - 0.0253
D, [2016-02-02T21:43:42.293276 #20314] DEBUG -- : Starting task: /usr/bin/wget --timeout=10 --tries=3 --no-check-certificate -nv -c "http://sat6.home.gatwards.org/pulp/repos/GatwardIT/Library/content/dist/rhel/server/7/7.2/x86_64/kickstart//images/pxeboot/initrd.img" -O "/var/lib/tftpboot/boot/RedHat-7.2-x86_64-initrd.img"
172.22.1.4 - - [02/Feb/2016 21:43:42] "POST /tftp/fetch_boot_file HTTP/1.1" 200 - 0.0206
I, [2016-02-02T21:43:42.477477 #20314]  INFO -- : freeipa: realm keytab is '/etc/foreman-proxy/freeipa.keytab' and using principal 'realm-capsule@HOME.GATWARDS.ORG'
I, [2016-02-02T21:43:42.477684 #20314]  INFO -- : freeipa: realm HOME.GATWARDS.ORG
I, [2016-02-02T21:43:42.477819 #20314]  INFO -- : freeipa: server is https://auth1.home.gatwards.org/ipa/xml
I, [2016-02-02T21:43:42.479634 #20314]  INFO -- : Requesting credentials for Kerberos principal realm-capsule@HOME.GATWARDS.ORG using keytab /etc/foreman-proxy/freeipa.keytab
D, [2016-02-02T21:43:42.826386 #20314] DEBUG -- : Kerberos credential cache initialised with principal: realm-capsule@HOME.GATWARDS.ORG
E, [2016-02-02T21:43:44.242376 #20314] ERROR -- : Authorization failed.
HTTP-Error: 401 Unauthorized
D, [2016-02-02T21:43:44.242507 #20314] DEBUG -- : /usr/share/ruby/xmlrpc/client.rb:484:in `do_rpc'
/usr/share/ruby/xmlrpc/client.rb:279:in `call2'
/usr/share/ruby/xmlrpc/client.rb:260:in `call'
/usr/share/foreman-proxy/modules/realm/freeipa.rb:101:in `create'
/usr/share/foreman-proxy/modules/realm/realm_api.rb:28:in `block in <class:Api>'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:1293:in `call'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:1293:in `block in compile!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:860:in `[]'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:860:in `block (3 levels) in route!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:876:in `route_eval'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:860:in `block (2 levels) in route!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:897:in `block in process_route'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:895:in `catch'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:895:in `process_route'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:859:in `block in route!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:858:in `each'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:858:in `route!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:963:in `block in dispatch!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:946:in `block in invoke'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:946:in `catch'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:946:in `invoke'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:960:in `dispatch!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:794:in `block in call!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:946:in `block in invoke'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:946:in `catch'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:946:in `invoke'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:794:in `call!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:780:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/commonlogger.rb:20:in `call'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:161:in `call'
/usr/share/foreman-proxy/lib/proxy/log.rb:35:in `call'
/usr/share/gems/gems/rack-protection-1.5.0/lib/rack/protection/xss_header.rb:18:in `call'
/usr/share/gems/gems/rack-protection-1.5.0/lib/rack/protection/path_traversal.rb:16:in `call'
/usr/share/gems/gems/rack-protection-1.5.0/lib/rack/protection/json_csrf.rb:18:in `call'
/usr/share/gems/gems/rack-protection-1.5.0/lib/rack/protection/base.rb:49:in `call'
/usr/share/gems/gems/rack-protection-1.5.0/lib/rack/protection/base.rb:49:in `call'
/usr/share/gems/gems/rack-protection-1.5.0/lib/rack/protection/frame_options.rb:31:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/nulllogger.rb:9:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/head.rb:9:in `call'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/showexceptions.rb:21:in `call'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:124:in `call'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:1417:in `block in call'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:1499:in `synchronize'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:1417:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/builder.rb:134:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/urlmap.rb:64:in `block in call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/urlmap.rb:49:in `each'
/usr/share/gems/gems/rack-1.4.1/lib/rack/urlmap.rb:49:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/builder.rb:134:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/handler/webrick.rb:59:in `service'
/usr/share/ruby/webrick/httpserver.rb:138:in `service'
/usr/share/ruby/webrick/httpserver.rb:94:in `run'
/usr/share/ruby/webrick/server.rb:295:in `block in start_thread'
172.22.1.4 - - [02/Feb/2016 21:43:44] "POST /realm/HOME.GATWARDS.ORG/ HTTP/1.1" 400 50 1.8302
D, [2016-02-02T21:43:44.383020 #20314] DEBUG -- : TFTP: entry for 00:50:56:b9:e4:51 removed successfully
172.22.1.4 - - [02/Feb/2016 21:43:44] "DELETE /tftp/syslinux/00:50:56:b9:e4:51 HTTP/1.1" 200 - 0.0105
~~~

Version-Release number of selected component (if applicable):

Satellite 6.1.6 installed on RHEL 7.2
IPA Server  4.2.0 installed on RHEL 7.2   (ipa-server-4.2.0-15.el7_2.3.x86_64)


How reproducible:

100% reproducible - simply attempting to create a new host entry with the Realm defined gets this error.

Actual results:

Failed to provision due to authorization failure during the kerberos handshake

Expected results:

Successfully provisioned 

Additional info:

Upstream foreman bug for this issue appears to be resolved in foreman 1.10.1
http://projects.theforeman.org/issues/12555
Comment 5 Tomer Brisker 2016-02-14 04:57:30 EST
Connecting redmine issue http://projects.theforeman.org/issues/12555 from this bug
Comment 10 Kedar Bidarkar 2016-04-29 06:20:04 EDT
VERIFIED With sat62-snap9.0

~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: kbidarka@ABC.REDHAT.COM

Valid starting       Expires              Service principal
04/29/2016 10:16:25  04/30/2016 10:16:20  krbtgt/ABC.REDHAT.COM@ABC.REDHAT.COM
Comment 14 errata-xmlrpc 2016-07-27 05:22:48 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501

Note You need to log in before you can comment on or make changes to this bug.