Errors with IPA integration

All,

We've been running Foreman 1.6 with integration to our FreeIPA setup for
several months now with no issues. Yesterday, we started getting the
following error when trying to deploy a machine with the associated realm:

Unable to save

Failed to create ipatest.idaho.cbts.net's realm entry: ERF12-5287
[ProxyAPI::ProxyException]: Unable to create realm entry
([RestClient::BadRequest]: 400 Bad Request) for proxy
https://foreman.idaho.cbts.net:8443/realm/IDAHO.CBTS.NET

Logfiles show:

E, [2015-01-23T10:26:08.969139 #10778] ERROR -- : Failed to initialise
credential cache from keytab: krb5_get_init_creds_keytab: Password has
expired

What's interesting is the account we are using (realm-proxy@IDAHO.CBTS.NET)
doesn't have a password, and has a password policy attached that doesn't
enforce any password expiration:

[root@foreman foreman-proxy]# ipa user-show realm-proxy
User login: realm-proxy
First name: Smart
Last name: Proxy
Home directory: /home/realm-proxy
Login shell: /bin/bash
Email address: realm-proxy@idaho.cbts.net
UID: 144400015
GID: 144400015
Account disabled: False
Password: False
Member of groups: ipausers, service_accounts
Roles: Smart Proxy Host Manager
Kerberos keys available: True

I updated the IPA servers and the foreman server (to Foreman 1.7.1)
yesterday. Only after removing and recreating the realm-proxy user in IPA
and grabbing the new keytab did everything start working again. Until this
morning - when we're right back to the expired password error.

I have Apache configured to do the intercept of the logins and pass that
off to IPA and that works just fine, however the creation of hosts is still
giving us issues this morning.

Does anyone have any clues what might be happening? Pointers to help
diagnose?

Thanks,
Matt

On Fri, Jan 23, 2015 at 10:38:34AM -0500, Matthew Hyclak wrote:
> All,
>
> We've been running Foreman 1.6 with integration to our FreeIPA setup for
> several months now with no issues. Yesterday, we started getting the
> following error when trying to deploy a machine with the associated realm:
>
> Unable to save
>
> Failed to create ipatest.idaho.cbts.net's realm entry: ERF12-5287
> [ProxyAPI::ProxyException]: Unable to create realm entry
> ([RestClient::BadRequest]: 400 Bad Request) for proxy
> https://foreman.idaho.cbts.net:8443/realm/IDAHO.CBTS.NET
>
> Logfiles show:
>
> E, [2015-01-23T10:26:08.969139 #10778] ERROR -- : Failed to initialise
> credential cache from keytab: krb5_get_init_creds_keytab: Password has
> expired
>
> What's interesting is the account we are using (realm-proxy@IDAHO.CBTS.NET)
> doesn't have a password, and has a password policy attached that doesn't
> enforce any password expiration:
>
> [root@foreman foreman-proxy]# ipa user-show realm-proxy
> User login: realm-proxy
> First name: Smart
> Last name: Proxy
> Home directory: /home/realm-proxy
> Login shell: /bin/bash
> Email address: realm-proxy@idaho.cbts.net
> UID: 144400015
> GID: 144400015
> Account disabled: False
> Password: False
> Member of groups: ipausers, service_accounts
> Roles: Smart Proxy Host Manager
> Kerberos keys available: True
>
> I updated the IPA servers and the foreman server (to Foreman 1.7.1)
> yesterday. Only after removing and recreating the realm-proxy user in IPA
> and grabbing the new keytab did everything start working again. Until this
> morning - when we're right back to the expired password error.
>
> I have Apache configured to do the intercept of the logins and pass that
> off to IPA and that works just fine, however the creation of hosts is still
> giving us issues this morning.
>
> Does anyone have any clues what might be happening? Pointers to help
> diagnose?
>
> Thanks,
> Matt

Really odd, I might ask the FreeIPA team about it on Freenode or their
mailing list… but first try:

rm /etc/foreman-proxy/freeipa.keytab
ipa-getkeytab -p realm-proxy@IDAHO.CBTS.NET -k /etc/foreman-proxy/freeipa.keytab -s <an IPA server>
chown foreman-proxy /etc/foreman-proxy/freeipa.keytab

After that can you kinit with it?

sudo -u foreman-proxy kinit -k -t /etc/foreman-proxy/freeipa.keytab


You received this message because you are subscribed to the Google Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.


Best Regards,

Stephen Benjamin
Red Hat Engineering
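The reply above boils down to two checks: confirm the keytab actually holds keys for the realm-proxy principal, and confirm the proxy can kinit with it. The script below is an added example written for this thread; it is not code from the thread, from Foreman or from FreeIPA. It goes one step beyond the reply by running kinit against each IPA server separately (through a temporary krb5.conf pinned to a single KDC), which is how you tell a bad keytab from one replica whose view of the principal disagrees with the others. The replica hostnames, the KEYTAB/PRINCIPAL defaults and the sample klist listing are assumptions or constructed data; the parsing is done on captured `klist -kt` text so it can be exercised without a KDC.

```shell
#!/bin/sh
# Added diagnostic for the keytab / kinit check suggested in the thread.
# Not part of the original thread; hostnames below are placeholders (assumptions).
# Live checks need the MIT Kerberos client tools (klist, kinit).

KEYTAB="${KEYTAB:-/etc/foreman-proxy/freeipa.keytab}"
PRINCIPAL="${PRINCIPAL:-realm-proxy@IDAHO.CBTS.NET}"
REALM="${PRINCIPAL#*@}"
# Placeholder replica list (assumption); set IPA_SERVERS to the real IPA servers.
IPA_SERVERS="${IPA_SERVERS:-ipa1.example.invalid ipa2.example.invalid}"

# Constructed sample of `klist -kt` output, shaped like MIT klist prints it:
# a keytab that was fetched twice, so it carries keys at two KVNOs.
SAMPLE_LISTING='Keytab name: FILE:/etc/foreman-proxy/freeipa.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/23/2015 10:00:00 realm-proxy@IDAHO.CBTS.NET
   2 01/23/2015 10:00:00 realm-proxy@IDAHO.CBTS.NET
   3 01/23/2015 16:05:00 realm-proxy@IDAHO.CBTS.NET'

# Reduce klist text on stdin to "KVNO PRINCIPAL" pairs, one per line;
# header and separator lines do not start with a number and are dropped.
parse_keytab_listing() {
    awk '$1 ~ /^[0-9]+$/ { print $1, $NF }'
}

# Distinct KVNOs held for one principal, space separated. More than one
# means the keytab mixes keys from several ipa-getkeytab runs.
kvnos_for_principal() {
    awk -v p="$1" '$2 == p { print $1 }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# What the parser yields for the constructed sample above.
demo_kvnos() {
    printf '%s\n' "$SAMPLE_LISTING" | parse_keytab_listing | kvnos_for_principal "realm-proxy@IDAHO.CBTS.NET"
}

# Minimal krb5.conf pinning the client to a single KDC, so a kinit failure
# can be attributed to that replica rather than to whichever one DNS picked.
krb5_conf_for_kdc() {
    realm="$1"; kdc="$2"
    printf '[libdefaults]\n default_realm = %s\n dns_lookup_kdc = false\n\n[realms]\n %s = {\n  kdc = %s\n }\n' \
        "$realm" "$realm" "$kdc"
}

# kinit from the keytab against one named KDC using a throwaway credential
# cache; returns kinit's exit status and prints its stderr on failure.
kinit_against_kdc() {
    kdc="$1"
    tmpdir=$(mktemp -d) || return 1
    krb5_conf_for_kdc "$REALM" "$kdc" > "$tmpdir/krb5.conf"
    KRB5_CONFIG="$tmpdir/krb5.conf" KRB5CCNAME="FILE:$tmpdir/cc" \
        kinit -k -t "$KEYTAB" "$PRINCIPAL" 2> "$tmpdir/err"
    rc=$?
    [ "$rc" -eq 0 ] || printf '  %s: kinit failed: %s\n' "$kdc" "$(cat "$tmpdir/err")"
    rm -rf "$tmpdir"
    return "$rc"
}

# Live check: read the real keytab, report KVNOs, then kinit per replica.
run_live_checks() {
    listing=$(klist -kt "$KEYTAB") || { echo "cannot read $KEYTAB"; return 1; }
    kvnos=$(printf '%s\n' "$listing" | parse_keytab_listing | kvnos_for_principal "$PRINCIPAL")
    [ -n "$kvnos" ] || { echo "$PRINCIPAL not found in $KEYTAB"; return 1; }
    echo "keytab KVNO(s) for $PRINCIPAL: $kvnos"
    failed=0
    for kdc in $IPA_SERVERS; do
        if kinit_against_kdc "$kdc"; then echo "  $kdc: ok"; else failed=1; fi
    done
    return "$failed"
}

# Only touch the real keytab and KDCs when asked, so sourcing is side-effect free.
if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Run it as the proxy user (`sudo -u foreman-proxy sh keytab-check.sh --live`) so file permissions on the keytab are part of the test. A replica that fails while the others succeed points at replication, which matches the outcome reported later in this thread; a uniform failure with a "Password has expired"-style KDC error points at the principal or keytab itself and is the case where re-running ipa-getkeytab, as suggested above, applies.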

I think it was a false alarm. The replica server had gotten out of sync.
I've resynced them and so far so good.

Thanks for the response!

Matt

On Fri, Jan 23, 2015 at 12:32 PM, Stephen Benjamin wrote: