Description of problem:
Just tried rebuilding a couple of test hosts on my Sat 6.2.6 install, and found that the idm_register snippet had not been running. In the foreman-proxy/proxy.log was an entry each time the provisioning token was accessed:
ERROR -- : Insufficient access: not allowed to perform operation: revoke certificate
This was working at the end of last year - have upgraded both Satellite (6.2.4 -> 6.2.6) and also ipa-server - suspect new permission required in IdM server due to various recent ipa-server RHSA errata
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure Satellite Realm proxy
2. Configure host to kickstart as a member of the IdM realm
3. After host has been built, mark host for rebuild in Satellite and reboot it
4. Error will be seen in proxy.log as host accesses kickstart template - IdM re-registration is triggered but fails due to insufficient permission
Actual results:
idm_register snippet is not run on build, so host does not enrol in IPA.
foreman-proxy/proxy.log shows ERROR message

Expected results:
host enrols to IPA on build, no errors in proxy log
Additional info:
Solution seems to be to add the 'Revoke Certificate' privilege to the 'Smart Proxy Host Manager' role in IPA. With this set there is no error logged and hosts could be rebuilt.
Should be updated in 'foreman-realm-prepare' script and existing installations would need the additional permission added to the realm-capsule user.
What version of IPA did you upgrade from?
I'm not sure exactly when this issue appeared as I was not constantly building machines; however, it was working with the initial 4.4.0 in RHEL 7.3.
Update sequence according to yum history was
4.2.0-15.el7_2.19 -> 4.4.0-12.el7 (RHEL 7.2 to 7.3 update)
4.4.0-12.el7 -> 4.4.0-14.el7_3.el7 (Problem identified here)
I have the setup automated, but it's complicated to have a testcase in PASS/FAIL format.
No, I will try and test this thing soon.
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.