1305402 – Unable to provision hosts using IPA realm Proxy in Capsule

Bug 1305402 - Unable to provision hosts using IPA realm Proxy in Capsule

Summary: Unable to provision hosts using IPA realm Proxy in Capsule

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Foreman Proxy
Sub Component:
Version:	6.1.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	Unspecified
Assignee:	Dmitri Dolguikh
QA Contact:	Kedar Bidarkar
Docs Contact:
URL:	http://projects.theforeman.org/issues...
Whiteboard:
Depends On:	1313748
Blocks:	1314396
TreeView+	depends on / blocked

Reported:	2016-02-08 01:19 UTC by Ashfaqur Rahaman
Modified:	2021-06-10 11:08 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Kerberos issues with IPA Realm integration would cause provisioning to fail in Satellite 6.1. This has been resolved in Satellite 6.2, and provisioning will work with this setup.
Clone Of:
Clones:	1314396 (view as bug list)
Environment:
Last Closed:	2016-07-27 09:22:48 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
fix from the foreman (5.14 KB, text/plain) 2016-02-08 01:19 UTC, Ashfaqur Rahaman	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	12555	0	Normal	Closed	Only first FreeIPA XMLRPC call succeeds Foreman proxy 1.10 and FreeIPA, version: 4.1.4	2021-01-11 22:26:58 UTC
Red Hat Product Errata	RHBA-2016:1501	0	normal	SHIPPED_LIVE	Red Hat Satellite 6.2 Capsule and Server	2016-07-27 12:28:58 UTC

Description Ashfaqur Rahaman 2016-02-08 01:19:26 UTC

Created attachment 1122061 [details]
fix from the foreman

Description of problem:

After setting up a realm proxy on a capsule, attempts to provision hosts using that IPA realm fail and roll back due to an authorization failure during the kerberos handshake with the IPA server.

foreman-prepare-realm and katello-installer commands to install the realm component both complete successfully with no error. 

~~~
, [2016-02-02T21:43:41.673529 #20314]  INFO -- : TFTP: entry for 00:50:56:b9:e4:51 created successfully
172.22.1.4 - - [02/Feb/2016 21:43:41] "POST /tftp/syslinux/00:50:56:b9:e4:51 HTTP/1.1" 200 - 0.0107
D, [2016-02-02T21:43:42.194151 #20314] DEBUG -- : Starting task: /usr/bin/wget --timeout=10 --tries=3 --no-check-certificate -nv -c "http://sat6.home.gatwards.org/pulp/repos/GatwardIT/Library/content/dist/rhel/server/7/7.2/x86_64/kickstart//images/pxeboot/vmlinuz" -O "/var/lib/tftpboot/boot/RedHat-7.2-x86_64-vmlinuz"
172.22.1.4 - - [02/Feb/2016 21:43:42] "POST /tftp/fetch_boot_file HTTP/1.1" 200 - 0.0253
D, [2016-02-02T21:43:42.293276 #20314] DEBUG -- : Starting task: /usr/bin/wget --timeout=10 --tries=3 --no-check-certificate -nv -c "http://sat6.home.gatwards.org/pulp/repos/GatwardIT/Library/content/dist/rhel/server/7/7.2/x86_64/kickstart//images/pxeboot/initrd.img" -O "/var/lib/tftpboot/boot/RedHat-7.2-x86_64-initrd.img"
172.22.1.4 - - [02/Feb/2016 21:43:42] "POST /tftp/fetch_boot_file HTTP/1.1" 200 - 0.0206
I, [2016-02-02T21:43:42.477477 #20314]  INFO -- : freeipa: realm keytab is '/etc/foreman-proxy/freeipa.keytab' and using principal 'realm-capsule.ORG'
I, [2016-02-02T21:43:42.477684 #20314]  INFO -- : freeipa: realm HOME.GATWARDS.ORG
I, [2016-02-02T21:43:42.477819 #20314]  INFO -- : freeipa: server is https://auth1.home.gatwards.org/ipa/xml
I, [2016-02-02T21:43:42.479634 #20314]  INFO -- : Requesting credentials for Kerberos principal realm-capsule.ORG using keytab /etc/foreman-proxy/freeipa.keytab
D, [2016-02-02T21:43:42.826386 #20314] DEBUG -- : Kerberos credential cache initialised with principal: realm-capsule.ORG
E, [2016-02-02T21:43:44.242376 #20314] ERROR -- : Authorization failed.
HTTP-Error: 401 Unauthorized
D, [2016-02-02T21:43:44.242507 #20314] DEBUG -- : /usr/share/ruby/xmlrpc/client.rb:484:in `do_rpc'
/usr/share/ruby/xmlrpc/client.rb:279:in `call2'
/usr/share/ruby/xmlrpc/client.rb:260:in `call'
/usr/share/foreman-proxy/modules/realm/freeipa.rb:101:in `create'
/usr/share/foreman-proxy/modules/realm/realm_api.rb:28:in `block in <class:Api>'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:1293:in `call'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:1293:in `block in compile!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:860:in `[]'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:860:in `block (3 levels) in route!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:876:in `route_eval'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:860:in `block (2 levels) in route!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:897:in `block in process_route'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:895:in `catch'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:895:in `process_route'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:859:in `block in route!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:858:in `each'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:858:in `route!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:963:in `block in dispatch!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:946:in `block in invoke'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:946:in `catch'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:946:in `invoke'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:960:in `dispatch!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:794:in `block in call!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:946:in `block in invoke'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:946:in `catch'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:946:in `invoke'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:794:in `call!'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:780:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/commonlogger.rb:20:in `call'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:161:in `call'
/usr/share/foreman-proxy/lib/proxy/log.rb:35:in `call'
/usr/share/gems/gems/rack-protection-1.5.0/lib/rack/protection/xss_header.rb:18:in `call'
/usr/share/gems/gems/rack-protection-1.5.0/lib/rack/protection/path_traversal.rb:16:in `call'
/usr/share/gems/gems/rack-protection-1.5.0/lib/rack/protection/json_csrf.rb:18:in `call'
/usr/share/gems/gems/rack-protection-1.5.0/lib/rack/protection/base.rb:49:in `call'
/usr/share/gems/gems/rack-protection-1.5.0/lib/rack/protection/base.rb:49:in `call'
/usr/share/gems/gems/rack-protection-1.5.0/lib/rack/protection/frame_options.rb:31:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/nulllogger.rb:9:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/head.rb:9:in `call'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/showexceptions.rb:21:in `call'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:124:in `call'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:1417:in `block in call'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:1499:in `synchronize'
/usr/share/gems/gems/sinatra-1.3.6/lib/sinatra/base.rb:1417:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/builder.rb:134:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/urlmap.rb:64:in `block in call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/urlmap.rb:49:in `each'
/usr/share/gems/gems/rack-1.4.1/lib/rack/urlmap.rb:49:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/builder.rb:134:in `call'
/usr/share/gems/gems/rack-1.4.1/lib/rack/handler/webrick.rb:59:in `service'
/usr/share/ruby/webrick/httpserver.rb:138:in `service'
/usr/share/ruby/webrick/httpserver.rb:94:in `run'
/usr/share/ruby/webrick/server.rb:295:in `block in start_thread'
172.22.1.4 - - [02/Feb/2016 21:43:44] "POST /realm/HOME.GATWARDS.ORG/ HTTP/1.1" 400 50 1.8302
D, [2016-02-02T21:43:44.383020 #20314] DEBUG -- : TFTP: entry for 00:50:56:b9:e4:51 removed successfully
172.22.1.4 - - [02/Feb/2016 21:43:44] "DELETE /tftp/syslinux/00:50:56:b9:e4:51 HTTP/1.1" 200 - 0.0105
~~~

Version-Release number of selected component (if applicable):

Satellite 6.1.6 installed on RHEL 7.2
IPA Server  4.2.0 installed on RHEL 7.2   (ipa-server-4.2.0-15.el7_2.3.x86_64)


How reproducible:

100% reproducible - simply attempting to create a new host entry with the Realm defined gets this error.

Actual results:

Failed to provision due to authorization failure during the kerberos handshake

Expected results:

Successfully provisioned 

Additional info:

Upstream foreman bug for this issue appears to be resolved in foreman 1.10.1
http://projects.theforeman.org/issues/12555

Comment 5 Tomer Brisker 2016-02-14 09:57:30 UTC

Connecting redmine issue http://projects.theforeman.org/issues/12555 from this bug

Comment 10 Kedar Bidarkar 2016-04-29 10:20:04 UTC

VERIFIED With sat62-snap9.0

~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: kbidarka.COM

Valid starting       Expires              Service principal
04/29/2016 10:16:25  04/30/2016 10:16:20  krbtgt/ABC.REDHAT.COM.COM

Comment 14 errata-xmlrpc 2016-07-27 09:22:48 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501

Note You need to log in before you can comment on or make changes to this bug.