Bug 1310326 - Error setting up IdM realm
Summary: Error setting up IdM realm
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.1.7
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: Unspecified
Assignee: Katello Bug Bin
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-02-20 12:13 UTC by Anthony Green
Modified: 2016-02-22 14:21 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-02-22 14:21:23 UTC
Target Upstream Version:
Embargoed:



Description Anthony Green 2016-02-20 12:13:42 UTC
Version is actually 6.1.7.  Looks like bugzilla version choices need to be updated.

Description of problem:

Configuring Satellite for IdM Realm Support as per .....

https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html/User_Guide/Configuring_Identity_Management_in_Red_Hat_Satellite.html


[root@satellite ~]# foreman-prepare-realm admin realm-capsule
Password for admin: 
Warning: Your password will expire in 5 days on Thu 25 Feb 2016 09:17:05 AM EST
---------------------------------------------
Added privilege "Smart Proxy Host Management"
---------------------------------------------
  Privilege name: Smart Proxy Host Management
  Description: Smart Proxy Host Management
-----------------------------------------------
Added permission "Add Host Enrollment Password"
-----------------------------------------------
  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=atgreen,dc=org
  Type: host
  Privilege name: Smart Proxy Host Management
  Description: Smart Proxy Host Management
  Permissions: Retrieve Certificates from the CA, System: Add DNS Entries, System: Remove
               DNS Entries, System: Update DNS Entries, System: Manage Host Certificates,
               System: Manage Host Enrollment Password, System: Manage Host Keytab,
               System: Modify Hosts, System: Remove Hosts, System: Manage Service Keytab,
               System: Modify Services, Add Host Enrollment Password
------------------------------
Number of permissions added 12
------------------------------
-------------------------------------
Added role "Smart Proxy Host Manager"
-------------------------------------
  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management
  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management
  Privileges: Smart Proxy Host Management
----------------------------
Number of privileges added 1
----------------------------
--------------------------
Added user "realm-capsule"
--------------------------
  User login: realm-capsule
  First name: Smart
  Last name: Proxy
  Full name: Smart Proxy
  Display name: Smart Proxy
  Initials: SP
  Home directory: /home/realm-capsule
  GECOS: Smart Proxy
  Login shell: /bin/sh
  Kerberos principal: realm-capsule
  Email address: realm-capsule
  UID: 1663200004
  GID: 1663200004
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management
  Member users: realm-capsule
  Privileges: Smart Proxy Host Management
-------------------------
Number of members added 1
-------------------------
Keytab successfully retrieved and stored in: freeipa.keytab
Realm Proxy User:    realm-capsule
Realm Proxy Keytab:  /root/freeipa.keytab
[root@satellite ~]# mv freeipa.keytab /etc/foreman-proxy/
[root@satellite ~]# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab 
[root@satellite ~]# katello-installer --capsule-realm true \
> --capsule-realm-keytab /etc/foreman-proxy/freeipa.keytab \
> --capsule-realm-principal 'realm-capsule' \
> --capsule-realm-provider freeipa \
>   --foreman-ipa-authentication true
 /bin/echo Get keytab           && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k           && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org           && kdestroy -c KEYRING:session:get-http-service-keytab returned 9 instead of one of [0]
 /Stage[main]/Foreman::Config/Exec[ipa-getkeytab]/returns: change from notrun to 0 failed: /bin/echo Get keytab           && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k           && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org           && kdestroy -c KEYRING:session:get-http-service-keytab returned 9 instead of one of [0]
 /Stage[main]/Foreman::Config/Exec[ipa-getkeytab]: Failed to call refresh: /bin/echo Get keytab           && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k           && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org           && kdestroy -c KEYRING:session:get-http-service-keytab returned 9 instead of one of [0]
 /Stage[main]/Foreman::Config/Exec[ipa-getkeytab]: /bin/echo Get keytab           && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k           && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org           && kdestroy -c KEYRING:session:get-http-service-keytab returned 9 instead of one of [0]
Installing             Done                                               [100%] [.....]
  Something went wrong! Check the log for ERROR-level output
  The full log is at /var/log/katello-installer/katello-installer.log


Looking at the log file...


[ERROR 2016-02-20 07:08:45 main]  /Stage[main]/Foreman::Config/Exec[ipa-getkeytab]: /bin/echo Get keytab           && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k           && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org           && kdestroy -c KEYRING:session:get-http-service-keytab returned 9 instead of one of [0]




Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Anthony Green 2016-02-20 12:35:00 UTC
Upon further investigation:

[root@satellite ~]# KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s idm.atgreen.org -k /etc/httpd/conf/http.keytab -p HTTP/satellite.atgreen.org 
Failed to parse result: PrincipalName not found.

Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: PrincipalName not found.

Failed to get keytab!
Failed to get keytab

Comment 2 Stephen Benjamin 2016-02-22 14:21:23 UTC
There are two kinds of Realm integration with Satellite. The first is automatic client registration, which is what the documentation you used covers; everything there looks successful.

The second is authentication to the Satellite UI itself; that is the --foreman-ipa-authentication=true setting you supplied. You're missing the prerequisites: specifically, you need to create an HTTP principal inside IPA for this to work, as per http://red.ht/1RWQhqt.


    "Create an HTTP service for the Satellite server with the
     ipa service-add HTTP/satellite_fqdn command. For more information on
     managing services, see Red Hat Enterprise Linux 7 Linux Domain Identity,
     Authentication, and Policy Guide [10]."



Hope that helps, let me know if you run into any other problems.

- Stephen

