Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2083336

Summary: Instructions for kerberos auth against AD with gssproxy is conflicting and as a result doesn't work
Product: Red Hat Satellite Reporter: Pablo Hess <phess>
Component: AuthenticationAssignee: Adam Lazik <alazik>
Status: CLOSED CURRENTRELEASE QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.10.6CC: agadhave, ahumbe, alazik, jentrena, lhellebr, mdolezel, mhulan, phillip.allen
Target Milestone: UnspecifiedKeywords: Documentation, Triaged
Target Release: Unused   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-07-27 10:32:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pablo Hess 2022-05-09 18:07:54 UTC 
Document URL: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.10/html/administering_red_hat_satellite/chap-administering-configuring_external_authentication#configuring-direct-ad-integration-with-gss-proxy_admin

Section Number and Name: 13.3.3 Configuring Direct AD Integration with GSS-proxy

Describe the issue: The instructions at step 5 (code box 5 in the Procedure section) set gssproxy to point to `/etc/krb5.keytab` as its keytab:
====
5. Create the /etc/gssproxy/00-http.conf file with the following content:

[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab   <===== pointing to krb5.keytab
====

...but the next step, instead, points to `/etc/httpd/conf/http.keytab` when downloading the key from AD to the keytab:
====
6. Create a keytab entry:

# KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf
# chown root.apache /etc/httpd/conf/http.keytab
# chmod 640 /etc/httpd/conf/http.keytab
====

This causes the right key to reside in a keytab that is not the one used by gssproxy, thus rendering kerberos auth with gssproxy permanently unsuccessful on Satellite.


Suggestions for improvement: Modify step #5 to point to /etc/httpd/conf/http.keytab as below:
====
5. Create the /etc/gssproxy/00-http.conf file with the following content:

[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/httpd/conf/http.keytab    <==== point to http.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = ID_of_Apache_User
====

Additional information:  This bug is present since "forever" so it would be even better if we could fix the docs for all Satellite releases we currently support.
Comment 4 Adam Lazik 2023-07-24 13:03:59 UTC 
Hello!

Created PR to adress the issue: https://github.com/theforeman/foreman-documentation/pull/2304
Comment 5 Adam Lazik 2023-07-27 10:32:20 UTC 
The documentation has been updated:
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.13/html-single/installing_satellite_server_in_a_connected_network_environment/index#Configuring_Direct_AD_Integration_with_GSS_Proxy_satellite
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.12/html-single/installing_satellite_server_in_a_connected_network_environment/index#Configuring_Direct_AD_Integration_with_GSS_Proxy_satellite
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.11/html-single/administering_red_hat_satellite/index#Configuring_Direct_AD_Integration_with_GSS_Proxy_admin
Comment 6 Red Hat Bugzilla 2023-11-25 04:25:02 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days