Bug 1310326 - Error setting up IdM realm
Error setting up IdM realm
Status: CLOSED NOTABUG
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Installer (Show other bugs)
6.1.7
x86_64 Linux
unspecified Severity urgent (vote)
: Unspecified
: --
Assigned To: Katello Bug Bin
Katello QA List
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-20 07:13 EST by Anthony Green
Modified: 2016-02-22 09:21 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-22 09:21:23 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Anthony Green 2016-02-20 07:13:42 EST
Version is actually 6.1.7.  Looks like bugzilla version choices need to be updated.

Description of problem:

Configuring Satellite for IdM Realm Support as per .....

https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html/User_Guide/Configuring_Identity_Management_in_Red_Hat_Satellite.html


[root@satellite ~]# foreman-prepare-realm admin realm-capsule
Password for admin@ATGREEN.ORG: 
Warning: Your password will expire in 5 days on Thu 25 Feb 2016 09:17:05 AM EST
---------------------------------------------
Added privilege "Smart Proxy Host Management"
---------------------------------------------
  Privilege name: Smart Proxy Host Management
  Description: Smart Proxy Host Management
-----------------------------------------------
Added permission "Add Host Enrollment Password"
-----------------------------------------------
  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=atgreen,dc=org
  Type: host
  Privilege name: Smart Proxy Host Management
  Description: Smart Proxy Host Management
  Permissions: Retrieve Certificates from the CA, System: Add DNS Entries, System: Remove
               DNS Entries, System: Update DNS Entries, System: Manage Host Certificates,
               System: Manage Host Enrollment Password, System: Manage Host Keytab,
               System: Modify Hosts, System: Remove Hosts, System: Manage Service Keytab,
               System: Modify Services, Add Host Enrollment Password
------------------------------
Number of permissions added 12
------------------------------
-------------------------------------
Added role "Smart Proxy Host Manager"
-------------------------------------
  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management
  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management
  Privileges: Smart Proxy Host Management
----------------------------
Number of privileges added 1
----------------------------
--------------------------
Added user "realm-capsule"
--------------------------
  User login: realm-capsule
  First name: Smart
  Last name: Proxy
  Full name: Smart Proxy
  Display name: Smart Proxy
  Initials: SP
  Home directory: /home/realm-capsule
  GECOS: Smart Proxy
  Login shell: /bin/sh
  Kerberos principal: realm-capsule@ATGREEN.ORG
  Email address: realm-capsule@atgreen.org
  UID: 1663200004
  GID: 1663200004
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management
  Member users: realm-capsule
  Privileges: Smart Proxy Host Management
-------------------------
Number of members added 1
-------------------------
Keytab successfully retrieved and stored in: freeipa.keytab
Realm Proxy User:    realm-capsule
Realm Proxy Keytab:  /root/freeipa.keytab
[root@satellite ~]# mv freeipa.keytab /etc/foreman-proxy/
[root@satellite ~]# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab 
[root@satellite ~]# katello-installer --capsule-realm true \
> --capsule-realm-keytab /etc/foreman-proxy/freeipa.keytab \
> --capsule-realm-principal 'realm-capsule@ATGREEN.ORG' \
> --capsule-realm-provider freeipa \
>   --foreman-ipa-authentication true
 /bin/echo Get keytab           && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k           && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org           && kdestroy -c KEYRING:session:get-http-service-keytab returned 9 instead of one of [0]
 /Stage[main]/Foreman::Config/Exec[ipa-getkeytab]/returns: change from notrun to 0 failed: /bin/echo Get keytab           && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k           && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org           && kdestroy -c KEYRING:session:get-http-service-keytab returned 9 instead of one of [0]
 /Stage[main]/Foreman::Config/Exec[ipa-getkeytab]: Failed to call refresh: /bin/echo Get keytab           && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k           && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org           && kdestroy -c KEYRING:session:get-http-service-keytab returned 9 instead of one of [0]
 /Stage[main]/Foreman::Config/Exec[ipa-getkeytab]: /bin/echo Get keytab           && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k           && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org           && kdestroy -c KEYRING:session:get-http-service-keytab returned 9 instead of one of [0]
Installing             Done                                               [100%] [.....]
  Something went wrong! Check the log for ERROR-level output
  The full log is at /var/log/katello-installer/katello-installer.log


Looking at the log file...


[ERROR 2016-02-20 07:08:45 main]  /Stage[main]/Foreman::Config/Exec[ipa-getkeytab]: /bin/echo Get keytab           && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k           && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org           && kdestroy -c KEYRING:session:get-http-service-keytab returned 9 instead of one of [0]




Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Anthony Green 2016-02-20 07:35:00 EST
Upon further investigation:

[root@satellite ~]# KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org 
Failed to parse result: PrincipalName not found.

Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: PrincipalName not found.

Failed to get keytab!
Failed to get keytab
Comment 2 Stephen Benjamin 2016-02-22 09:21:23 EST
There are two kinds of Realm integration with Satellite.  The first, is the automatic client registration, which is the documentation you used and everything there looks successful.

The second, is authentication to the Satellite UI itself.  That is the --foreman-ipa-authentication=true setting you supplied.  You're missing the prerequisites, specifically you need to create an HTTP principal inside IPA for this to work, as per http://red.ht/1RWQhqt.


    "Create an HTTP service for the Satellite server with the
     ipa service-add HTTP/satellite_fqdn command. For more information on
     managing services, see Red Hat Enterprise Linux 7 Linux Domain Identity
     Authentication, and Policy Guide ⁠[10]."



Hope that helps, let me know if you run into any other problems.

- Stephen

Note You need to log in before you can comment on or make changes to this bug.