Help with Foreman's external authentication with FreeIPA. (Kerberos)

Hi,
I am trying to set up external authentication via Kerberos SSO on the Foreman
server. I am using this tutorial:

  • Foreman :: Manual

The Foreman server is FreeIPA enrolled. I've made a service
HTTP/foreman.test.com on FreeIPA and done this on the Foreman server:

kinit admin
ipa-getkeytab -s <MY IPA SERVER fqdn> -k /etc/http.keytab -p HTTP/foreman.test.com
chown apache /etc/http.keytab
chmod 600 /etc/http.keytab

but when I try to access foreman.test.com I see the error "Kerberos
authentication did not pass."

klist on my Foreman server:

[root@foreman ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_Sab2PVh
Default principal: HTTPS/foreman.test.com@CENTOS-25.TEST.COM

Valid starting       Expires              Service principal
08/23/2017 08:50:29  08/24/2017 08:50:29  krbtgt/CENTOS-25.TEST.COM@CENTOS-25.TEST.COM

I've installed the modules mod_auth_kerb and mod_authnz_pam and edited my
/etc/httpd/conf.d/auth_kerb.conf.

Added to /etc/httpd/conf.d/auth_kerb.conf:

LoadModule auth_kerb_module modules/mod_auth_kerb.so
LoadModule authnz_pam_module modules/mod_authnz_pam.so

<Location /users/extlogin>
  AuthType Kerberos
  AuthName "Kerberos Login"
  # SPNEGO/Negotiate only, no password (Basic) fallback
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  # Kerberos realm(s) this location accepts
  KrbAuthRealms EXAMPLE.COM
  # keytab holding the HTTP/<fqdn> service key
  Krb5KeyTab /etc/http.keytab
  # strip the realm so "user@REALM" becomes "user"
  KrbLocalUserMapping On
  # require valid-user
  # account check through PAM service "foreman-prod" (mod_authnz_pam)
  require pam-account foreman-prod
  ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
  # The following is needed as a workaround for
  # https://bugzilla.redhat.com/show_bug.cgi?id=1020087
  ErrorDocument 500 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
</Location>

What am I doing wrong? How can I debug this problem?
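The "how can I debug this?" part of the post above can be turned into a few runnable checks. The script below is an added example for this thread, not code from Foreman, FreeIPA or either poster. It assumes the keytab at /etc/http.keytab, the config at /etc/httpd/conf.d/auth_kerb.conf and httpd running as apache (all three overridable through the KEYTAB, CONF and HTTPD_USER environment variables); the klist listing and config fragments it exercises offline are constructed from the principal shown in the post. It checks three things a practitioner would look at first: the keytab is mode 600 and owned by the httpd user; the keytab actually contains HTTP/<fqdn> (browsers doing SPNEGO request a ticket for the HTTP/ service class even over https, and the klist output above shows an HTTPS/ principal); and the realm in KrbAuthRealms is the realm inside the keytab, which in the config as posted are EXAMPLE.COM (the manual's placeholder) and CENTOS-25.TEST.COM respectively. On a real host it finishes with a kinit -kt under KRB5_TRACE, which proves the key is accepted by the KDC and shows exactly where a failure happens.

```shell
#!/bin/sh
# Keytab / mod_auth_kerb sanity checks for a FreeIPA-enrolled Foreman host.
# Added example for this thread, not Foreman or FreeIPA code. Assumed paths and
# user (overridable): /etc/http.keytab, /etc/httpd/conf.d/auth_kerb.conf, apache.

# Realms of every principal in `klist -kt` output (stdin), one per line.
# Only principal lines contain "@", so the header lines drop out by themselves.
keytab_realms() {
    awk '$NF ~ /@/ { sub(/.*@/, "", $NF); print $NF }' | sort -u
}

# Principals in `klist -kt` output (stdin). One line per enctype is normal.
keytab_principals() {
    awk '$NF ~ /@/ { print $NF }' | sort -u
}

# Realms declared by KrbAuthRealms in an httpd config file ($1). Directive
# names are case-insensitive and the directive may list several realms.
config_realms() {
    awk 'tolower($1) == "krbauthrealms" { for (i = 2; i <= NF; i++) print $i }' "$1" | sort -u
}

# 0 if every realm found in the keytab listing ($1) is named by KrbAuthRealms
# in the config ($2), 1 otherwise. A placeholder realm left over from the
# manual's template is the first thing to rule out.
realms_match() {
    kt=$(printf '%s\n' "$1" | keytab_realms)
    cf=$(config_realms "$2")
    [ -n "$kt" ] || { echo "no principals found in keytab listing" >&2; return 1; }
    for r in $kt; do
        printf '%s\n' "$cf" | grep -qxF "$r" || {
            echo "realm $r is in the keytab but KrbAuthRealms says: ${cf:-<unset>}" >&2
            return 1
        }
    done
    return 0
}

# 0 if the listing ($1) contains exactly the principal $2,
# e.g. HTTP/foreman.test.com@CENTOS-25.TEST.COM (HTTPS/... is a different principal).
has_principal() {
    printf '%s\n' "$1" | keytab_principals | grep -qxF "$2"
}

# 0 if the keytab ($1) is a regular file, mode 0600 and owned by $2 (httpd user).
# A trailing "." or "+" after the mode (SELinux label / ACL) is tolerated.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    set -- "$2" $(ls -ld "$1")      # $1 = expected owner, $2 = mode, $4 = owner
    case "$2" in
        -rw-------*) [ "$4" = "$1" ] ;;
        *) return 1 ;;
    esac
}

# Write a minimal auth_kerb.conf-style fragment to $1 with realm $2 (constructed).
write_sample_config() {
    cat > "$1" <<EOF
<Location /users/extlogin>
  AuthType Kerberos
  KrbAuthRealms $2
  Krb5KeyTab /etc/http.keytab
</Location>
EOF
}

# Constructed sample `klist -kt` listing, modelled on the principal in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 08/23/2017 08:50:29 HTTP/foreman.test.com@CENTOS-25.TEST.COM
   1 08/23/2017 08:50:29 HTTP/foreman.test.com@CENTOS-25.TEST.COM'

# Offline demonstration: the realm as posted (EXAMPLE.COM) versus the keytab's realm.
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir/as_posted.conf" EXAMPLE.COM
write_sample_config "$demo_dir/fixed.conf" CENTOS-25.TEST.COM
realms_match "$SAMPLE_KLIST" "$demo_dir/as_posted.conf" || echo "as_posted.conf: realm mismatch"
realms_match "$SAMPLE_KLIST" "$demo_dir/fixed.conf" && echo "fixed.conf: realms match"
rm -rf "$demo_dir"

# Live checks on a real host; skipped where the keytab, config or klist are absent.
KEYTAB=${KEYTAB:-/etc/http.keytab}
CONF=${CONF:-/etc/httpd/conf.d/auth_kerb.conf}
HTTPD_USER=${HTTPD_USER:-apache}
if [ -f "$KEYTAB" ] && [ -f "$CONF" ] && command -v klist >/dev/null 2>&1; then
    listing=$(klist -kt "$KEYTAB")
    keytab_perms_ok "$KEYTAB" "$HTTPD_USER" || echo "$KEYTAB must be mode 600, owner $HTTPD_USER" >&2
    realms_match "$listing" "$CONF" && echo "KrbAuthRealms matches the keytab realm"
    realm=$(printf '%s\n' "$listing" | keytab_realms | head -n 1)
    spn="HTTP/$(hostname -f)@$realm"
    has_principal "$listing" "$spn" || echo "no $spn in $KEYTAB" >&2
    # "require pam-account <svc>" needs a matching PAM service file.
    pam_svc=$(awk 'tolower($1) == "require" && $2 == "pam-account" { print $3 }' "$CONF")
    [ -z "$pam_svc" ] || [ -f "/etc/pam.d/$pam_svc" ] || echo "/etc/pam.d/$pam_svc is missing" >&2
    # Prove the key is accepted by the KDC; KRB5_TRACE shows where a failure happens.
    KRB5_TRACE=/dev/stderr kinit -kt "$KEYTAB" "$spn" && kdestroy
fi
```

Run it as root on the Foreman host; everything it prints to stderr is a concrete thing to fix, and the KRB5_TRACE output of the final kinit is what to paste into a thread like this one if the keytab itself is rejected (wrong kvno, wrong enctype, clock skew).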

Hello,

I think all you need to do is documented in the Foreman 1.15 manual, section
5.7.1 "Configuration via Foreman installer": as long as the host is FreeIPA
enrolled, you just create a service for it and run the installer with
--foreman-ipa-authentication=true

You seem to be using an old version of the manual; if you're running Foreman
1.6, I'd recommend updating first.

Hope this helps

-- Marek

On Wednesday, 23 August 2017 at 15:08:57 CEST, VladF wrote: