Bug 2083336 - Instructions for kerberos auth against AD with gssproxy is conflicting and as a result doesn't work [NEEDINFO]
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Authentication
Version: 6.10.6
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium with 3 votes
Target Milestone: Unspecified
Assignee: Adam Lazik
QA Contact: Satellite QE Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-05-09 18:07 UTC by Pablo Hess
Modified: 2023-07-27 10:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-07-27 10:32:20 UTC
Target Upstream Version:
Embargoed:
mdolezel: needinfo? (agadhave)

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker SAT-15468 0 None None None 2023-07-21 06:37:43 UTC
Red Hat Issue Tracker SATDOC-782 0 None None None 2022-05-09 18:24:54 UTC

Description Pablo Hess 2022-05-09 18:07:54 UTC
Document URL: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.10/html/administering_red_hat_satellite/chap-administering-configuring_external_authentication#configuring-direct-ad-integration-with-gss-proxy_admin

Section Number and Name: 13.3.3 Configuring Direct AD Integration with GSS-proxy

Describe the issue: The instructions at step 5 (code box 5 in the Procedure section) set gssproxy to point to `/etc/krb5.keytab` as its keytab:
====
5. Create the /etc/gssproxy/00-http.conf file with the following content:

[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab   <===== pointing to krb5.keytab
====

...but the next step, instead, points to `/etc/httpd/conf/http.keytab` when downloading the key from AD to the keytab:
====
6. Create a keytab entry:

# KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf
# chown root.apache /etc/httpd/conf/http.keytab
# chmod 640 /etc/httpd/conf/http.keytab
====

This causes the right key to reside in a keytab that is not the one used by gssproxy, thus rendering Kerberos auth with gssproxy permanently unsuccessful on Satellite.


Suggestions for improvement: Modify step #5 to point to /etc/httpd/conf/http.keytab as below:
====
5. Create the /etc/gssproxy/00-http.conf file with the following content:

[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/httpd/conf/http.keytab    <==== point to http.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = ID_of_Apache_User
====

Additional information:  This bug has been present since "forever", so it would be even better if we could fix the docs for all Satellite releases we currently support.
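The mismatch described above is easy to catch before it bites: compare the keytab path that the gssproxy service config reads against the file that the `net ads keytab add` step (via `KRB5_KTNAME`) actually wrote to. The script below is an added example, not part of the bug report or of the Satellite documentation; it uses two constructed copies of the step-5 config (the documented one pointing at /etc/krb5.keytab and the proposed one pointing at /etc/httpd/conf/http.keytab), assumes `48` as a sample value for the Apache uid in `euid`, and only consults `klist` when it happens to be installed.

```shell
#!/bin/sh
# Added example (not from the bug report or the Satellite docs): verify that the
# keytab gssproxy is configured to read is the same file the HTTP key was added to.

# Print the path from the first "cred_store = keytab:<path>" line of a gssproxy
# service config file; prints nothing if no keytab cred_store is configured.
gssproxy_keytab_path() {
    sed -n 's/^[[:space:]]*cred_store[[:space:]]*=[[:space:]]*keytab:[[:space:]]*//p' "$1" | head -n 1
}

# Compare the keytab gssproxy reads ($1 = config file) with the keytab the
# provisioning step wrote ($2). Returns 0 on match, 1 on mismatch, 2 if the
# config names no keytab at all.
check_keytab_match() {
    conf="$1"; written="$2"
    configured=$(gssproxy_keytab_path "$conf")
    [ -n "$configured" ] || return 2
    [ "$configured" = "$written" ] && return 0
    return 1
}

# When klist is available, confirm an HTTP/ principal really is in the keytab.
# Without klist (e.g. offline) the check is skipped and reports success.
keytab_has_http_principal() {
    command -v klist >/dev/null 2>&1 || return 0
    [ -r "$1" ] || return 1
    klist -kt "$1" 2>/dev/null | grep -q 'HTTP/'
}

# Constructed sample configs: step 5 as documented (wrong) and as proposed (right).
# euid = 48 is a sample value standing in for ID_of_Apache_User.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/wrong.conf" <<'EOF'
[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = 48
EOF
cat > "$tmpdir/right.conf" <<'EOF'
[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/httpd/conf/http.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = 48
EOF

# The keytab that step 6 populates through KRB5_KTNAME.
WRITTEN_KEYTAB=/etc/httpd/conf/http.keytab

# Human-readable verdict for one config file.
report() {
    if check_keytab_match "$1" "$WRITTEN_KEYTAB"; then
        echo "OK: $1 reads $WRITTEN_KEYTAB"
        if ! keytab_has_http_principal "$WRITTEN_KEYTAB"; then
            echo "WARN: no HTTP/ principal found in $WRITTEN_KEYTAB"
        fi
    else
        echo "MISMATCH: $1 reads '$(gssproxy_keytab_path "$1")' but the HTTP key was added to $WRITTEN_KEYTAB"
    fi
}

report "$tmpdir/wrong.conf"
report "$tmpdir/right.conf"
```

On a real Satellite host you would point `report` at /etc/gssproxy/00-http.conf and set `WRITTEN_KEYTAB` to whatever path was given to `KRB5_KTNAME`; a MISMATCH line is exactly the condition this bug describes, and the klist-based warning catches the related case where the paths agree but the HTTP key was never added.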

Comment 4 Adam Lazik 2023-07-24 13:03:59 UTC
Hello!

Created PR to address the issue: https://github.com/theforeman/foreman-documentation/pull/2304