Foreman 1.15.3 and Katello 3.4: Foreman-proxy using realm-proxy@EXAMPLE.COM instead of the set name

This is a clean install on CentOS 7.3 with 1.15.3 and 3.4. As you can see
from the debug, when I attempt to create/provision a host Foreman tries to
use realm-proxy@EXAMPLE.COM rather than the principal setting of
katello-service@IDM.NWC.NWS:

D, [2017-08-28T17:37:36.017066 ] DEBUG -- : freeipa: realm IDM.NWC.NWS
D, [2017-08-28T17:37:36.017346 ] DEBUG -- : freeipa: uri is https://nwcal-idm01.idm.nwc.nws/ipa/xml
D, [2017-08-28T17:37:36.017543 ] DEBUG -- : Making IPA call: ["host_show", ["nwcal-kvm1.nwc.nws"]]
D, [2017-08-28T17:37:36.022298 ] DEBUG -- : Requesting credentials for Kerberos principal realm-proxy@EXAMPLE.COM using keytab /etc/foreman-proxy/freeipa.keytab
E, [2017-08-28T17:37:36.023160 ] ERROR -- : Failed to initialise credential cache from keytab: krb5_get_init_creds_keytab: Key table entry not found
E, [2017-08-28T17:37:36.023990 ] ERROR -- : Failed to initailize credentials cache from keytab: krb5_get_init_creds_keytab: Key table entry not found

foreman-installer --help | grep realm
--foreman-proxy-freeipa-remove-dns Remove DNS entries from FreeIPA when deleting hosts from realm (current: true)
--foreman-proxy-realm Enable realm management feature (current: true)
--foreman-proxy-realm-keytab Kerberos keytab path to authenticate realm updates (current: "/etc/foreman-proxy/freeipa.keytab")
--foreman-proxy-realm-listen-on Realm proxy to listen on https, http, or both (current: "https")
--foreman-proxy-realm-principal Kerberos principal for realm updates (current: "katello-service@IDM.NWC.NWS")
--foreman-proxy-realm-provider Realm management provider (current: "freeipa")
--foreman-proxy-realm-split-config-files Split realm configuration files. This is needed since version 1.15. (current: false)

I am guessing there is either a setting being missed in the configuration
at install, or this setting is hanging on the install. Other than in the
settings file, where is this set, or defaulted to?

Replying with the trigger/fix to this issue; I am not sure what causes the
scenario, though. In /etc/foreman-proxy are two files: realm.yaml and
realm_freeipa.yaml. Foreman-installer appears to read and modify
realm.yaml, while foreman-proxy is reading realm_freeipa.yaml. Correcting
the realm_freeipa.yaml from realm-proxy@EXAMPLE.COM to katello-service@IDM.NWC.NWS
resolves the issue with Kerberos credentials. There is probably still a
bug somewhere in the installer that needs to be found triggering this.

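
A check for the mismatch described in the reply above, as an added example that is not part of the original thread: it reads the principal from each realm settings file and flags any that has no entry in the keytab listing. The key names (`:principal:`, `:realm_principal:`), the saved `klist -k` listing and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the Kerberos principal configured in each realm
# settings file with the principals actually stored in the keytab.

# Print the value of the first key ending in "principal:" in settings file $1.
# Assumption: keys look like ":principal: name@REALM" or ":realm_principal: ...".
config_principal() {
    sed -n 's/^[[:space:]]*:\{0,1\}[A-Za-z_]*principal:[[:space:]]*//p' "$1" |
        head -n 1 | tr -d "\"'"
}

# Return 0 if principal $1 has an entry in `klist -k` style output saved in $2.
in_keytab() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit !found }' "$2"
}

# Print "MISMATCH <file> <principal>" for every realm*.yaml / realm*.yml in
# directory $1 whose principal is absent from listing $2; return the count.
audit_realm_principals() {
    dir=$1 listing=$2 bad=0
    for f in "$dir"/realm*.yaml "$dir"/realm*.yml; do
        [ -f "$f" ] || continue
        p=$(config_principal "$f")
        [ -n "$p" ] || continue
        if ! in_keytab "$p" "$listing"; then
            echo "MISMATCH $f $p"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample reproducing the thread: the installer-managed realm.yaml
# is correct, realm_freeipa.yaml still names realm-proxy@EXAMPLE.COM.
make_sample() {
    printf ':realm_principal: katello-service@IDM.NWC.NWS\n' > "$1/realm.yaml"
    printf ':principal: realm-proxy@EXAMPLE.COM\n' > "$1/realm_freeipa.yaml"
    printf 'KVNO Principal\n---- ---------\n   1 katello-service@IDM.NWC.NWS\n' \
        > "$1/klist.txt"
}

# Demo on the constructed sample. On a real proxy host, save the output of
#   klist -k /etc/foreman-proxy/freeipa.keytab
# to a file and pass /etc/foreman-proxy plus that file instead.
demo=$(mktemp -d) && make_sample "$demo"
audit_realm_principals "$demo" "$demo/klist.txt" || echo "problems found: $?"
rm -rf "$demo"
```
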
This is still happening with RHEL 7.4, Foreman 1.15.6 and Katello 3.4.
