Bug 698272 - RFE: Add GSSAPI Support for Web Interface
Summary: RFE: Add GSSAPI Support for Web Interface
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: WebUI
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Tomas Lestach
QA Contact: Pavel Studeník
URL:
Whiteboard:
Depends On:
Blocks: sat570-idm
Reported: 2011-04-20 14:50 UTC by Jason Montleon
Modified: 2015-01-25 22:19 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-25 22:19:22 UTC
Target Upstream Version:



Description Jason Montleon 2011-04-20 14:50:09 UTC
Description of problem:
The Web UI does not support GSSAPI Authentication

Version-Release number of selected component (if applicable):
Currently running 5.4.0

It is possible to configure authentication using kerberos credentials, but it would be better if users with a valid ticket and properly configured browser could be authenticated via GSSAPI rather than having to type in their user name and password.

Comment 2 Clifford Perry 2014-06-25 15:04:15 UTC
We recently committed code into Spacewalk 2.1 and for 2.2 that provides integration with Red Hat Identity (Idm) services from FreeIPA. This gives ldap and krb integration points, including GSSAPI. 

So, Sat 5.7 should meet this RFE's requirements, moving as such. 

Cliff

Comment 3 Jan Pazdziora 2014-06-25 18:53:56 UTC
Documentation for the upstream feature is at https://fedorahosted.org/spacewalk/wiki/SpacewalkAndIPA.

For downstream, the question is if some easier way to set the whole thing up could be found, possibly by adding a couple of options to spacewalk-setup to also configure the external authentication, and maybe even IPA-enroll the machine. Well, the spacewalk-setup would definitely be useful for upstream too.

Comment 4 Pavel Studeník 2015-01-07 13:53:56 UTC
Verified with spacewalk-setup-2.3.0-14.el6sat.noarch and spacewalk-java-2.3.8-96.el6sat.noarch

* Install IPA client from wiki page https://fedorahosted.org/spacewalk/wiki/SpacewalkAndIPA

>> yum install /usr/sbin/ipa-client-install -y
>> ipa-client-install 

* Get keytab from ipa server

>> kinit admin
>> ipa-getkeytab -s $( awk '/^server/ { print $3 }' /etc/ipa/default.conf ) -k /etc/httpd/conf/http.keytab -p HTTP/$( hostname )
>> chown apache /etc/httpd/conf/http.keytab
>> chmod 600 /etc/httpd/conf/http.keytab

* set spacewalk

>> spacewalk-setup-ipa-authentication

Comment 5 Jan Pazdziora 2015-01-07 15:09:42 UTC
(In reply to Pavel Studeník from comment #4)
> Verified with spacewalk-setup-2.3.0-14.el6sat.noarch and
> spacewalk-java-2.3.8-96.el6sat.noarch
> 
> * Install IPA client from wiki page
> https://fedorahosted.org/spacewalk/wiki/SpacewalkAndIPA
> 
> >> yum install /usr/sbin/ipa-client-install -y
> >> ipa-client-install 
> 
> * Get keytab from ipa server
> 
> >> kinit admin
> >> ipa-getkeytab -s $( awk '/^server/ { print $3 }' /etc/ipa/default.conf ) -k /etc/httpd/conf/http.keytab -p HTTP/$( hostname )
> >> chown apache /etc/httpd/conf/http.keytab
> >> chmod 600 /etc/httpd/conf/http.keytab
> 
> * set spacewalk
> 
> >> spacewalk-setup-ipa-authentication

I'm sorry but it couldn't have worked this way.

You did not create the HTTP/ service so the ipa-getkeytab must have failed.

On the other hand, running the ipa-getkeytab shouldn't be necessary when spacewalk-setup-ipa-authentication is used -- it will fetch it for you.

Can you please retest?

Comment 6 Pavel Studeník 2015-01-12 15:05:38 UTC
I forgot to add the following step before downloading the key:

# yum install /usr/bin/ipa -y
# kinit admin
# ipa service-add HTTP/$( hostname )

I plan to retest it today, because I don't know why the keytab wasn't downloaded.

Comment 7 Pavel Studeník 2015-01-12 21:41:59 UTC
1) install ipa on client

# yum install /usr/sbin/ipa-client-install -y
# ipa-client-install --domain example.com --hostname $( hostname )

2) create service (on client)

# yum install /usr/bin/ipa -y
# kinit admin
# ipa service-add HTTP/$( hostname )

3) setup ipa for satellite 

# spacewalk-setup-ipa-authentication

Enabling authentication against [smqa-x3550m3-03.lab.eng.brq.redhat.com].
Keytab: [/etc/httpd/conf/http.keytab] already exists, will not refetch.
        Use [klist -kt /etc/httpd/conf/http.keytab] to verify its content.
PAM service: File [/etc/pam.d/spacewalk], will not overwrite.
Packages: all needed packages are already installed.
SELinux boolean [httpd_dbus_sssd] is already on.
....
Waiting for tomcat to be ready ...
Authentication against [smqa-x3550m3-03.lab.eng.brq.redhat.com] sucessfully enabled.
As admin, at Admin > Users > External Authentication, select
          Default organization to autopopulate new users into.


It works correctly with these three steps. Go to the login page and authenticate yourself by Kerberos login.
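
Added example, not part of the original thread and not Spacewalk code: a shell check of the keytab state that comments 4 to 7 set up by hand (owner apache, mode 600, an HTTP/ entry for the host), parsing `klist -kt` output as the setup script's message suggests. The function names and the sample klist output are constructed for illustration; GNU stat is assumed.

```shell
#!/bin/sh
# Audit the HTTP service keytab used for GSSAPI logins to the web UI.
# Hypothetical helper names; assumes GNU stat and plain `klist -kt` output.

# Constructed sample of `klist -kt` output (not captured from a real host).
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------
   1 01/12/2015 15:05:38 HTTP/sat.example.com@EXAMPLE.COM
   1 01/12/2015 15:05:38 HTTP/sat.example.com@EXAMPLE.COM'

# keytab_perms_ok PATH OWNER: succeed only if PATH is a regular file owned
# by OWNER and not readable by group or others (mode 600 or 400).
keytab_perms_ok() {
    [ -f "$1" ] || { echo "FAIL: $1 is missing" >&2; return 1; }
    kt_mode=$(stat -c '%a' "$1") || return 1
    kt_user=$(stat -c '%U' "$1") || return 1
    case $kt_mode in
        600|400) ;;
        *) echo "FAIL: $1 has mode $kt_mode" >&2; return 1 ;;
    esac
    [ "$kt_user" = "$2" ] && return 0
    echo "FAIL: $1 is owned by $kt_user, expected $2" >&2
    return 1
}

# keytab_principals: read `klist -kt` output on stdin, print unique principals.
# Entry lines start with a numeric KVNO; the principal is the last field.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# keytab_has_service HOST: read `klist -kt` output on stdin, succeed if an
# HTTP/HOST@<realm> entry is present (exact host match, any realm).
keytab_has_service() {
    awk -v want="HTTP/$1@" \
        '$1 ~ /^[0-9]+$/ && index($NF, want) == 1 { found = 1 }
         END { exit !found }'
}

# audit_http_keytab PATH OWNER HOST: run both checks against a real keytab.
audit_http_keytab() {
    keytab_perms_ok "$1" "$2" || return 1
    klist -kt "$1" | keytab_has_service "$3" || {
        echo "FAIL: no HTTP/$3 entry in $1" >&2; return 1; }
    echo "OK: $1"
}
```

On the Satellite host, run as root: `audit_http_keytab /etc/httpd/conf/http.keytab apache "$(hostname)"`.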

Comment 8 Jan Pazdziora 2015-01-13 07:54:32 UTC
(In reply to Pavel Studeník from comment #7)
> 
> 3) setup ipa for satellite 
> 
> # spacewalk-setup-ipa-authentication
> 
> Enabling authentication against [smqa-x3550m3-03.lab.eng.brq.redhat.com].
> Keytab: [/etc/httpd/conf/http.keytab] already exists, will not refetch.

Please retest with fresh Satellite.

Comment 9 Clifford Perry 2015-01-13 11:06:48 UTC
NOTE: With the release of Red Hat Satellite 5.7 on January 12th 2015 this bug /
feature is resolved. This bug was not verified (moved to RELEASE_PENDING)
prior to release. As such, over the next week or so we plan to confirm the
validation that this was indeed fixed as part of the release and then move to
Closed Current Release. 

The Satellite 5.7 GA Errata:
 - https://rhn.redhat.com/errata/RHSA-2015-0033.html 

Satellite 5.7 Release Notes:
 - https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/5.7/html-single/Release_Notes/index.html

Satellite Customer Portal Blog announcement for release:
 - https://access.redhat.com/blogs/1169563/posts/1315743 

Cliff

Comment 10 Jan Pazdziora 2015-01-13 12:37:45 UTC
Specifically for this feature, the documentation is in the chapter 6.2. Using Identity Management for Authentication of Satellite 5.7 Installation Guide:

https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/5.7/html/Installation_Guide/ch06s02.html

