Version is actually 6.1.7. Looks like bugzilla version choices need to be updated.

Description of problem:

Configuring Satellite for IdM Realm Support as per .....

https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html/User_Guide/Configuring_Identity_Management_in_Red_Hat_Satellite.html

[root@satellite ~]# foreman-prepare-realm admin realm-capsule
Password for admin:
Warning: Your password will expire in 5 days on Thu 25 Feb 2016 09:17:05 AM EST
---------------------------------------------
Added privilege "Smart Proxy Host Management"
---------------------------------------------
  Privilege name: Smart Proxy Host Management
  Description: Smart Proxy Host Management
-----------------------------------------------
Added permission "Add Host Enrollment Password"
-----------------------------------------------
  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=atgreen,dc=org
  Type: host
  Privilege name: Smart Proxy Host Management
  Description: Smart Proxy Host Management
  Permissions: Retrieve Certificates from the CA, System: Add DNS Entries, System: Remove DNS Entries, System: Update DNS Entries, System: Manage Host Certificates, System: Manage Host Enrollment Password, System: Manage Host Keytab, System: Modify Hosts, System: Remove Hosts, System: Manage Service Keytab, System: Modify Services, Add Host Enrollment Password
------------------------------
Number of permissions added 12
------------------------------
-------------------------------------
Added role "Smart Proxy Host Manager"
-------------------------------------
  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management
  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management
  Privileges: Smart Proxy Host Management
----------------------------
Number of privileges added 1
----------------------------
--------------------------
Added user "realm-capsule"
--------------------------
  User login: realm-capsule
  First name: Smart
  Last name: Proxy
  Full name: Smart Proxy
  Display name: Smart Proxy
  Initials: SP
  Home directory: /home/realm-capsule
  GECOS: Smart Proxy
  Login shell: /bin/sh
  Kerberos principal: realm-capsule
  Email address: realm-capsule
  UID: 1663200004
  GID: 1663200004
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management
  Member users: realm-capsule
  Privileges: Smart Proxy Host Management
-------------------------
Number of members added 1
-------------------------
Keytab successfully retrieved and stored in: freeipa.keytab
Realm Proxy User: realm-capsule
Realm Proxy Keytab: /root/freeipa.keytab

[root@satellite ~]# mv freeipa.keytab /etc/foreman-proxy/
[root@satellite ~]# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
[root@satellite ~]# katello-installer --capsule-realm true \
> --capsule-realm-keytab /etc/foreman-proxy/freeipa.keytab \
> --capsule-realm-principal 'realm-capsule' \
> --capsule-realm-provider freeipa \
> --foreman-ipa-authentication true
 /bin/echo Get keytab && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org && kdestroy -c KEYRING:session:get-http-service-keytab returned 9 instead of one of [0]
 /Stage[main]/Foreman::Config/Exec[ipa-getkeytab]/returns: change from notrun to 0 failed: /bin/echo Get keytab && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org && kdestroy -c KEYRING:session:get-http-service-keytab returned 9 instead of one of [0]
 /Stage[main]/Foreman::Config/Exec[ipa-getkeytab]: Failed to call refresh: /bin/echo Get keytab && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org && kdestroy -c KEYRING:session:get-http-service-keytab returned 9 instead of one of [0]
 /Stage[main]/Foreman::Config/Exec[ipa-getkeytab]: /bin/echo Get keytab && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org && kdestroy -c KEYRING:session:get-http-service-keytab returned 9 instead of one of [0]
Installing             Done                                               [100%] [.....]
  Something went wrong! Check the log for ERROR-level output
  The full log is at /var/log/katello-installer/katello-installer.log

Looking at the log file...

[ERROR 2016-02-20 07:08:45 main] /Stage[main]/Foreman::Config/Exec[ipa-getkeytab]: /bin/echo Get keytab && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org && kdestroy -c KEYRING:session:get-http-service-keytab returned 9 instead of one of [0]

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

Upon further investigation:

[root@satellite ~]# KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org
Failed to parse result: PrincipalName not found.

Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: PrincipalName not found.

Failed to get keytab!
Failed to get keytab

There are two kinds of Realm integration with Satellite.

The first is the automatic client registration, which is the documentation you used, and everything there looks successful.

The second is authentication to the Satellite UI itself. That is the --foreman-ipa-authentication=true setting you supplied. You're missing the prerequisites; specifically, you need to create an HTTP principal inside IPA for this to work, as per http://red.ht/1RWQhqt.

"Create an HTTP service for the Satellite server with the ipa service-add HTTP/satellite_fqdn command. For more information on managing services, see Red Hat Enterprise Linux 7 Linux Domain Identity Authentication, and Policy Guide [10]."

Hope that helps, let me know if you run into any other problems.

- Stephen
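
As an added example (not part of the bug comments and not Satellite's own tooling): a small shell filter that pulls the service principal out of a failed ipa-getkeytab Exec line in the installer log and prints the matching `ipa service-add` command from the reply above. The function names and the sample log text are constructed for illustration.

```shell
#!/bin/sh
# Added example: map a failed ipa-getkeytab Exec in the installer log to the
# IdM service principal that has to exist before the installer is re-run.

# Constructed sample, modelled on the ERROR line quoted in the report.
SAMPLE_LOG='[ERROR 2016-02-20 07:08:45 main] /Stage[main]/Foreman::Config/Exec[ipa-getkeytab]: /bin/echo Get keytab && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org && kdestroy -c KEYRING:session:get-http-service-keytab returned 9 instead of one of [0]
[ INFO 2016-02-20 07:08:46 main] Installing Done'

# missing_principals (hypothetical helper): read log text on stdin and print
# each unique principal passed to "ipa-getkeytab ... -p" on an ERROR line.
# The last grep keeps only service/host.name shaped values, so text taken
# from a log never reaches a command line with shell metacharacters in it.
missing_principals() {
    grep 'ERROR' | grep 'ipa-getkeytab' |
        sed -n 's/.*ipa-getkeytab [^&]* -p \([^ ]*\).*/\1/p' |
        grep -E '^[A-Za-z]+/[A-Za-z0-9.-]+$' |
        sort -u
}

# remediation (hypothetical helper): print, without running it, the command
# an IdM administrator with a valid Kerberos ticket would use per principal.
remediation() {
    missing_principals | while read -r princ; do
        printf 'ipa service-add %s\n' "$princ"
    done
}

printf '%s\n' "$SAMPLE_LOG" | remediation
```

On a real system the input would be the log named in the report: `remediation < /var/log/katello-installer/katello-installer.log`.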