I have foreman 1.12.4 running on CentOS 7 setup with FreeIPA. I am able to
generate an OTP one time and one time only for a host. After a host builds
it successfully joins the realm and authentication works. However, if I
select "Build" in Foreman for the host, it does not generate an OTP for the
next build. The only way I am able to regenerate another OTP is to remove
the host from within IPA, remove the Realm from the host within Foreman and
add the Realm back in. I set the logging level to DEBUG in foreman-proxy
and am not seeing where the proxy is requesting a new OTP when the build
button is pressed. What am I missing?
I managed to figure out what the cause was. I figured I would post it
here in case anyone else comes across the same situation.
IPA 4.4.0 (CentOS 7)
Foreman 1.12.4 (CentOS 7)
ipa-admintools 4.4.0.14.el7
It was a permissions issue with the user account authorized to
add/enroll/disable the host in FreeIPA. The foreman-prepare-realm that
gets installed from ipa-admintools is missing a couple of roles/permissions
to add to the user account it sets up. That said:
- Host Enrollment Password needs the write permission added to it under
the Smart Proxy Manager role (needed to be able to add the host into IPA on
the first build)
- Revoke Certificate needs to have the delete permission added to it
(needed to disable the host if it's being built again after it has been
enrolled in IPA)
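As an added example (not from the original post or from foreman-prepare-realm), a small POSIX sh checker that parses the output of `ipa permission-show` and reports whether the rights named above are actually granted, so the fix can be confirmed before pressing "Build" again. The managed-permission names `System: Manage Host Enrollment Password` and `System: Revoke Certificate`, the `Granted rights: a, b` output line, and the sample output are assumptions; the script runs offline against a constructed sample and, with `--live`, against a real server where ipa-admintools is installed and a Kerberos ticket is held.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the two FreeIPA
# permissions the post names carry the rights the Smart Proxy account needs,
# by parsing the output of `ipa permission-show`.
# Assumptions (not stated on the page): the managed-permission names
# "System: Manage Host Enrollment Password" and "System: Revoke Certificate",
# and that permission-show prints a "Granted rights: a, b" line.

# rights_of OUTPUT
#   Print the rights from the "Granted rights:" line of one
#   `ipa permission-show` output block, comma-separated, no spaces.
rights_of() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Granted rights:[[:space:]]*//p' \
        | tr -d ' '
}

# has_right OUTPUT RIGHT
#   Exit 0 if RIGHT is among the granted rights, 1 otherwise.
has_right() {
    case ",$(rights_of "$1")," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_rights OUTPUT RIGHT...
#   Print each required right that is not granted, one per line.
#   Exit 0 when nothing is missing, 1 otherwise.
missing_rights() {
    mr_out=$1; shift
    mr_rc=0
    for mr_right in "$@"; do
        if ! has_right "$mr_out" "$mr_right"; then
            printf '%s\n' "$mr_right"
            mr_rc=1
        fi
    done
    return $mr_rc
}

# check_permission NAME RIGHT...
#   Query a live IPA server (needs ipa-admintools and a valid Kerberos
#   ticket) and report OK / MISSING for the named permission.
check_permission() {
    cp_name=$1; shift
    cp_out=$(ipa permission-show "$cp_name") || return 2
    if cp_missing=$(missing_rights "$cp_out" "$@"); then
        echo "OK: '$cp_name' grants: $*"
        return 0
    fi
    echo "MISSING on '$cp_name': $(echo "$cp_missing" | tr '\n' ' ')"
    return 1
}

# Constructed sample output (assumed shape of `ipa permission-show`), as the
# enrollment-password permission might look before the write right is added...
SAMPLE_BEFORE='  Permission name: System: Manage Host Enrollment Password
  Granted rights: read
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=example,dc=com'

# ...and after it has been added.
SAMPLE_AFTER='  Permission name: System: Manage Host Enrollment Password
  Granted rights: read, write
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=example,dc=com'

# Run with --live to check the real server; otherwise exercise the parser on
# the constructed samples.
if [ "${1:-}" = "--live" ]; then
    check_permission "System: Manage Host Enrollment Password" write
    check_permission "System: Revoke Certificate" delete
else
    missing_rights "$SAMPLE_BEFORE" write || echo "sample before fix: write is missing"
    missing_rights "$SAMPLE_AFTER" write && echo "sample after fix: write is granted"
fi
```

The script only reads; it performs no change to IPA. It exits non-zero when a required right is missing, so it can be dropped into a post-change check on the proxy host before retrying a build.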