Foreman not completing FreeIPA enrollment


#1

Problem:
So I am trying to get Foreman to work with FreeIPA to join the realm on provisioning. I have the smart proxy running and it registers the server in FreeIPA, but it doesn't complete enrollment. I do see an error in the IPA logs that seems to indicate it's not getting the correct one-time password, as shown below.

2019-06-05T08:00:33Z DEBUG Starting external process
2019-06-05T08:00:33Z DEBUG args=/usr/sbin/ipa-join -s ipa01.phantomnet.lan -b dc=phantomnet,dc=lan -h centos-test.phantomnet.lan -w XXXXXXXX
2019-06-05T08:00:34Z DEBUG Process finished, return code=15
2019-06-05T08:00:34Z DEBUG stdout=
2019-06-05T08:00:34Z DEBUG stderr=Incorrect password.

So I am not clear on why this is happening, as I followed the instructions on the Foreman site and the keytab was generated. However, I do see this in the provisioned server's logs.

2019-06-05T08:00:33Z DEBUG Starting external process
2019-06-05T08:00:33Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r PHANTOMNET.LAN
2019-06-05T08:00:33Z DEBUG Process finished, return code=3
2019-06-05T08:00:33Z DEBUG stdout=
2019-06-05T08:00:33Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory

Expected outcome:
I am expecting that once a server is provisioned it should be enrolled in FreeIPA as well, but I am not seeing that. Only the host entry itself.

Foreman and Proxy versions:
Foreman: 1.21
Smart-Proxy: 1.20.2

Has anybody come across this, or have an idea what I might be missing?
I can provide more logs if necessary, but I am not sure where else to look to determine what I am missing from the configuration.


#2

I would say check the permissions and SELinux context of the keytab, because of the "Failed to open keytab" log message. Permissions have to be restrictive but still readable for foreman-proxy.


#3

Bloody local firewall on the IPA server. I thought I had opened all the required ports, but I guess not.
Thanks for pointing me in the correct direction.
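The two things that came up in this thread, the keytab permissions suggested in #2 and the IPA-server firewall that turned out to be the cause in #3, can be pre-checked from the smart-proxy host before provisioning. The script below is an added example and is not code from the thread, from Foreman or from FreeIPA. It assumes a Linux host with GNU coreutils (`stat -c`) and `nc`; the keytab path `/etc/foreman-proxy/freeipa.keytab` and the `foreman-proxy` user are the usual defaults from the Foreman realm setup but may differ per site, and the port list is the TCP set from the FreeIPA documentation (UDP Kerberos, DNS and NTP are not probed).

```shell
#!/bin/sh
# Added example, not part of the thread or of Foreman/FreeIPA.
# Two pre-flight checks for a Foreman smart-proxy realm setup:
#   1. keytab_check: the realm keytab exists, is not accessible to "other",
#      and is readable by the user the proxy runs as (reply #2).
#   2. ipa_ports_reachable: TCP connectivity from this host to the ports a
#      FreeIPA server must accept (reply #3 found a local firewall on the
#      IPA server). UDP (Kerberos 88/464, DNS 53, NTP 123) is not probed.
# Assumptions: Linux with GNU coreutils (stat -c) and nc. KEYTAB and
# PROXY_USER are the documented defaults; override via the environment.

KEYTAB="${KEYTAB:-/etc/foreman-proxy/freeipa.keytab}"
PROXY_USER="${PROXY_USER:-foreman-proxy}"
IPA_TCP_PORTS="80 443 389 636 88 464"   # HTTP(S), LDAP(S), Kerberos, kpasswd

# keytab_check FILE USER -> 0 if FILE is readable by USER and not by "other"
keytab_check() {
  ktf="$1"; ktu="$2"
  [ -f "$ktf" ] || { echo "FAIL: $ktf does not exist"; return 1; }
  # Informational only: SELinux mode and the file's context (%C is GNU stat)
  if command -v getenforce >/dev/null 2>&1; then
    echo "info: SELinux $(getenforce), context $(stat -c %C "$ktf")"
  fi
  set -- $(stat -c '%a %U %G' "$ktf")        # mode owner group
  mode=$(printf '%s' "$1" | tail -c 3)       # drop a leading setuid/setgid/sticky digit
  owner="$2"; group="$3"
  case "$mode" in
    *[1-7]) echo "FAIL: $ktf is accessible to others (mode $mode)"; return 1 ;;
  esac
  if [ "$owner" = "$ktu" ]; then
    case "$mode" in [4-7]??) return 0 ;; esac          # owner read bit
  elif id -Gn "$ktu" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
    case "$mode" in ?[4-7]?) return 0 ;; esac          # group read bit
  fi
  echo "FAIL: $ktf is not readable by $ktu (mode $mode, owner $owner:$group)"
  return 1
}

# ipa_ports_reachable HOST -> 0 if every port in IPA_TCP_PORTS accepts a TCP connect
ipa_ports_reachable() {
  host="$1"; failed=""
  command -v nc >/dev/null 2>&1 || { echo "nc is not installed"; return 2; }
  for p in $IPA_TCP_PORTS; do
    if nc -z -w 3 "$host" "$p" 2>/dev/null; then
      echo "ok   $host:$p"
    else
      echo "FAIL $host:$p (firewall on the IPA server, or service down?)"
      failed="$failed $p"
    fi
  done
  [ -z "$failed" ]
}

# Usage: ./ipa_precheck.sh ipa01.example.lan  (hostname is a placeholder)
if [ -n "$1" ]; then
  keytab_check "$KEYTAB" "$PROXY_USER"
  ipa_ports_reachable "$1"
fi
```

A keytab that is readable by `other` is rejected on purpose: a stolen realm keytab lets anyone create and enroll hosts in the realm, so the check treats "too open" as a failure rather than a warning. A port that fails here but is open in the IPA server's firewall still points at the path between the two hosts, so run the port check from the provisioned client as well as from the proxy.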