Description of problem: After updating to the latest Satellite 6.2.10 packages, ipa packages, and gssproxy packages, single sign-on using the "Active Directory Direct" method no longer works. Status output of gssproxy.service shows 'Unspecified gss failure'. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. Visit Satellite UI URL Actual results: A brief text appears in the browser: 'Kerberos authentication did not pass' and a redirect to the web UI login page occurs. Expected results: Kerberos authentication should pass and login to the UI should occur without entering any credentials. Additional info: I have left and rejoined the domain, generated new http.keytab, checked permissions on the keytab, re-run the satellite-installer with the ipa authentication option as documented in the Satellite documentation for connecting to Active Directory directly. Nothing seems to work.
Hello Ryan, I have some questions that could be addressed from debugs that would normally be provided in a support case, if you have one for this issue. If you have not already done so, please open a support case with us for troubleshooting of this issue. Otherwise: At the point you filed this BZ, Satellite 6.2.11 was available, have you attempted to update to this and check again? Also, are you currently running the latest packages available via RHEL 7.4's release? Thanks.
Hello Craig, Due to another issue I am having with Satellite, it is reporting 0 errata available on configuration items after errata is applied, even though errata is still available. I have since figured out how to force a proper errata applicability via `/usr/sbin/katello-package-upload -f` and was able to determine that there are still package updates available for the Satellite server. Due to environment requirements, I cannot apply the updates until a CR is approved on Friday; however, I will report back here once they are applied. The Satellite server has been updated to 6.2.11. I will provide debug information if I still have an issue after the latest RHEL packages have been applied on Friday. If not, I will still come back, report that the updates worked and close this bug. Thank you.
Hi Ryan, Any updates? Thanks!
Yes sir. Updated to 6.2.12 and still had the issue. I used the realm command to leave the domain and then followed the documentation @ https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html-single/server_administration_guide/#sect-Red_Hat_Satellite-Server_Administration_Guide-AD_direct to rejoin and set up Satellite for AD authentication. I then flushed the kerberos tickets on my Windows machine, logged out and back in to obtain new tickets, and I still briefly see the "Kerberos authentication did not pass" text in my browser before I am redirected to the regular Satellite login screen. I do want to point out that SSSD/kerberos auth is working just fine for SSH login just to address any concerns about whether there is a good join.
A production.log with debug log level from login process could help. Could we please get it before further debugging?
Email is bouncing to the reporter. I am closing this out.