Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1489923

Summary: Single sign-on no longer working after updating to the latest Satellite 6.2.11 packages
Product: Red Hat Satellite Reporter: Ryan Kimbrell <ryan.kimbrell>
Component: LDAPAssignee: Daniel Lobato Garcia <dlobatog>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Katello QA List <katello-qa-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.2.11CC: bkearney, cdonnell, dhlavacd, jlyle, mhulan, ryan.kimbrell
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: UnusedFlags: jlyle: needinfo?
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1583671 (view as bug list) Environment:
Last Closed: 2018-04-23 20:54:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1583671    

Description Ryan Kimbrell 2017-09-08 16:36:46 UTC 
Description of problem:
After updating to the latest Satellite 6.2.10 packages, ipa packages, and gssproxy packages, single sign-on using the "Active Directory Direct" method no longer works. Status output of gssproxy.service shows 'Unspecified gss failure'.

Version-Release number of selected component (if applicable):


How reproducible: Always


Steps to Reproduce:
1. Visit Satellite UI URL

Actual results:
A brief text appears in the browser: 'Kerberos authentication did not pass' and a redirect to the web UI login page occurs.

Expected results:
Kerberos authentication should pass and login to the UI should occur without entering any credentials.

Additional info:
I have left and rejoined the domain, generated new http.keytab, checked permissions on the keytab, re-run the satellite-installer with the ipa authentication option as documented in the Satellite documentation for connecting to Active Directory directly. Nothing seems to work.
Comment 1 Craig Donnelly 2017-09-20 17:53:03 UTC 
Hello Ryan,

I have some questions that could be addressed from debugs that would normally be provided in a support case, if you have one for this issue.

If you have not already done so, please open a support case with us for troubleshooting of this issue.

Otherwise:

At the point you filed this BZ, Satellite 6.2.11 was available, have you attempted to update to this and check again?

Also, are you currently running the latest packages available via RHEL 7.4's release?

Thanks.
Comment 2 Ryan Kimbrell 2017-09-20 18:01:17 UTC 
Hello Craig,

Due to another issue I am having with Satellite, it is reporting 0 errata available on configuration items after errata is applied, even though errata is still available. I have since figured out how to force a proper errata applicability via `/usr/sbin/katello-package-upload -f` and was able to determine that there are still package updates available for the Satellite server. Due to environment requirements, I cannot apply the updates until a CR is approved on Friday; however, I will report back here once they are applied.

The Satellite server has been updated to 6.2.11. I will provide debug information if I still have an issue after the latest RHEL packages have been applied on Friday. If not, I will still come back, report that the updates worked and close this bug.

Thank you.
Comment 3 Brad Buckingham 2017-10-06 13:25:33 UTC 
Hi Ryan,

Any updates?

Thanks!
Comment 4 Ryan Kimbrell 2017-10-09 14:09:53 UTC 
Yes sir. Updated to 6.2.12 and still had the issue. I used the realm command to leave the domain and then followed the documentation @ https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html-single/server_administration_guide/#sect-Red_Hat_Satellite-Server_Administration_Guide-AD_direct to rejoin and set up Satellite for AD authentication. I then flushed the kerberos tickets on my Windows machine, logged out and back in to obtain new tickets, and I still briefly see the "Kerberos authentication did not pass" text in my browser before I am redirected to the regular Satellite login screen.

I do want to point out that SSSD/kerberos auth is working just fine for SSH login just to address any concerns about whether there is a good join.
Comment 6 Marek Hulan 2017-10-09 17:58:53 UTC 
A production.log with debug log level from login process could help. Could we please get it before further debugging?
Comment 8 Bryan Kearney 2018-04-23 20:54:20 UTC 
Email is bouncing to the reporter. I am closing this out.