Available providers:

freeipa

:realm_provider: freeipa

Authentication for Kerberos-based Realms

:realm_keytab: /etc/foreman-proxy/foreman-realm.keytab
:realm_principal: foreman-realm@MY.REALM

FreeIPA specific settings

Remove from DNS when deleting the FreeIPA entry

:freeipa_remove_dns: true

anybody knows what I’m missing ?
Rob

Tel: 053 20 30 270 	info@netbulae.eu 	Staalsteden 4-3A 	KvK 08198180
Fax: 053 20 30 271 	www.netbulae.eu 	7547 TA Enschede 	BTW NL821234584B01

the forman log reports an error
==> /var/log/foreman/production.log <==
Failed to create test.tjako.thuis’s realm entry: ERF12-5287
[ProxyAPI::ProxyException]: Unable to create realm entry
([RestClient::BadRequest]: 400 Bad Request) for proxy
https://katello.tjako.thuis:9090/realm/TJAKO.THUIS

after which katello nearly gives an error and reverts the previous actions
removing the tfpf enty
deleting dns records
deleting dhcp reservation

I verified that foreman-prepare-realm did run correctly
the foreman-realm principal exists
the 3 extra permissions are create
the role ‘Smart Proxy Host Manager’ is created
the privilege ‘Smart Proxy Host Management’ is created
the permissions are added to the privilege (15 total including the 3
mentioned before)
the privilege is added to the role
the foreman-realm user is added to the role

output from checks :
ipa privilege-show 'Smart Proxy Host Management’
Privilege name: Smart Proxy Host Management
Description: Smart Proxy Host Management
Permissions: add hosts, remove hosts, modify hosts, modify services,
manage host keytab, manage service keytab, retrieve
certificates from the ca, revoke certificate, add dns
entries, remove dns entries, update dns entries, read dns
entries, modify host password, write host certificate,
modify host userclass
Granting privilege to roles: Smart Proxy Host Manager

ipa user-show foreman-realm
User login: foreman-realm
First name: Smart
Last name: Proxy
Home directory: /home/foreman-realm
Login shell: /bin/bash
Email address: foreman-realm@my.domain
UID: xxxxxxxxxxx
GID: xxxxxxxxxxx
Account disabled: False
Password: False
Member of groups: ipausers
Roles: Smart Proxy Host Manager
Kerberos keys available: True

I checked permissions on the keytab mode 600 owner foreman-proxy

I confirmed that foreman can actually read the keytab

I checked the settings in the yml file

cat /etc/foreman-proxy/settings.d/realm.yml

Manage joining realms e.g. FreeIPA

:enabled: true

Available providers:

freeipa

:realm_provider: freeipa

Authentication for Kerberos-based Realms

:realm_keytab: /etc/foreman-proxy/foreman-realm.keytab
:realm_principal: foreman-realm@MY.REALM

FreeIPA specific settings

Remove from DNS when deleting the FreeIPA entry

:freeipa_remove_dns: true

anybody knows what I’m missing ?
Rob

–
You received this message because you are subscribed to the Google Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
Stephen Benjamin

Red Hat GmbH | http://de.redhat.com/ | Sitz: Grasbrunn
Handelsregister: Amtsgericht München, HRB 153243
Geschäftsführer: Charles Cachera, Michael Cunningham,
Michael O’Neill, Charles Peters

On 11/03/2014 03:47 PM, Rob Verduijn wrote:

Hello,

I’ve been playing around with freeipa for a while now and managed to
tackle several challenges regarding smart-proxies.
But now I seem to rnu into a brick wall regarding the realm-proxy.

Whenever I try to add a host it fails to add it to the realm.

In the logs I can see the other proxies do their job nicely.

ie :
a dhcp reservation is made in the local dhcp server via omshell
a dns record is made for the forward zone and the reverse zone (freeipa is
also my dns server)
the tftp boot files are fetched

but then the realm entry fails
==> /var/log/foreman-proxy/proxy.log <==
I, [2014-11-03T15:23:00.469662 #21273] INFO – : freeipa: realm keytab is
’/etc/foreman-proxy/foreman-realm.keytab’ and using principal '
foreman-realm@MY.REALM’
I, [2014-11-03T15:23:00.512017 #21273] INFO – : freeipa: realm MY.REALM
I, [2014-11-03T15:23:00.512225 #21273] INFO – : freeipa: server is
https://freeipa.my.domain/ipa/xml
I, [2014-11-03T15:23:00.512568 #21273] INFO – : Requesting credentials
for Kerberos principal foreman-realm@MY.REALM using keytab
/etc/foreman-proxy/foreman-realm.keytab
D, [2014-11-03T15:23:00.657509 #21273] DEBUG – : Kerberos credential
cache initialised with principal: foreman-realm@MY.REALM
E, [2014-11-03T15:23:02.715791 #21273] ERROR – : Wrong size. Was 307,
should be 191
D, [2014-11-03T15:23:02.715987 #21273] DEBUG – :
/usr/share/ruby/xmlrpc/client.rb:506:in `do_rpc’
followed by a large trace/dump from ruby

the forman log reports an error
==> /var/log/foreman/production.log <==
Failed to create test.tjako.thuis’s realm entry: ERF12-5287
[ProxyAPI::ProxyException]: Unable to create realm entry
([RestClient::BadRequest]: 400 Bad Request) for proxy
https://katello.tjako.thuis:9090/realm/TJAKO.THUIS

after which katello nearly gives an error and reverts the previous
actions
removing the tfpf enty
deleting dns records
deleting dhcp reservation

I verified that foreman-prepare-realm did run correctly
the foreman-realm principal exists
the 3 extra permissions are create
the role ‘Smart Proxy Host Manager’ is created
the privilege ‘Smart Proxy Host Management’ is created
the permissions are added to the privilege (15 total including the 3
mentioned before)
the privilege is added to the role
the foreman-realm user is added to the role

output from checks :
ipa privilege-show 'Smart Proxy Host Management’
Privilege name: Smart Proxy Host Management
Description: Smart Proxy Host Management
Permissions: add hosts, remove hosts, modify hosts, modify services,
manage host keytab, manage service keytab, retrieve
certificates from the ca, revoke certificate, add dns
entries, remove dns entries, update dns entries, read dns
entries, modify host password, write host certificate,
modify host userclass
Granting privilege to roles: Smart Proxy Host Manager

ipa user-show foreman-realm
User login: foreman-realm
First name: Smart
Last name: Proxy
Home directory: /home/foreman-realm
Login shell: /bin/bash
Email address: foreman-realm@my.domain
UID: xxxxxxxxxxx
GID: xxxxxxxxxxx
Account disabled: False
Password: False
Member of groups: ipausers
Roles: Smart Proxy Host Manager
Kerberos keys available: True

I checked permissions on the keytab mode 600 owner foreman-proxy

I confirmed that foreman can actually read the keytab

I checked the settings in the yml file

cat /etc/foreman-proxy/settings.d/realm.yml

Manage joining realms e.g. FreeIPA

:enabled: true

Available providers:

freeipa

:realm_provider: freeipa

Authentication for Kerberos-based Realms

:realm_keytab: /etc/foreman-proxy/foreman-realm.keytab
:realm_principal: foreman-realm@MY.REALM

FreeIPA specific settings

Remove from DNS when deleting the FreeIPA entry

:freeipa_remove_dns: true

anybody knows what I’m missing ?
Rob

You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

Hi,

I don’t know if you edited while posting to the list but in your realm.yml
you have:

foreman-realm@MY.REALM

But in the error you post, you use realm TJAKO.THUIS?

the forman log reports an error
==> /var/log/foreman/production.log <==
Failed to create test.tjako.thuis’s realm entry: ERF12-5287
[ProxyAPI::ProxyException]: Unable to create realm entry
([RestClient::BadRequest]: 400 Bad Request) for proxy
https://katello.tjako.thuis:9090/realm/TJAKO.THUIS

Met vriendelijke groet, With kind regards,

Jorick Astrego

*Netbulae Virtualization Experts *

Tel: 053 20 30 270 info@netbulae.eu Staalsteden 4-3A KvK 08198180 Fax:
053 20 30 271 www.netbulae.eu 7547 TA Enschede BTW NL821234584B01

–
You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

On Mon, Nov 03, 2014 at 03:47:39PM +0100, Rob Verduijn wrote:

Hello,

I’ve been playing around with freeipa for a while now and managed to
tackle
several challenges regarding smart-proxies.
But now I seem to rnu into a brick wall regarding the realm-proxy.

Whenever I try to add a host it fails to add it to the realm.

In the logs I can see the other proxies do their job nicely.

ie :
a dhcp reservation is made in the local dhcp server via omshell
a dns record is made for the forward zone and the reverse zone (freeipa
is
also my dns server)
the tftp boot files are fetched

but then the realm entry fails
==> /var/log/foreman-proxy/proxy.log <==
I, [2014-11-03T15:23:00.469662 #21273] INFO – : freeipa: realm keytab
is
’/etc/foreman-proxy/foreman-realm.keytab’ and using principal
’foreman-realm@MY.REALM’
I, [2014-11-03T15:23:00.512017 #21273] INFO – : freeipa: realm MY.REALM
I, [2014-11-03T15:23:00.512225 #21273] INFO – : freeipa: server is
https://freeipa.my.domain/ipa/xml
I, [2014-11-03T15:23:00.512568 #21273] INFO – : Requesting credentials
for Kerberos principal foreman-realm@MY.REALM using keytab
/etc/foreman-proxy/foreman-realm.keytab
D, [2014-11-03T15:23:00.657509 #21273] DEBUG – : Kerberos credential
cache
initialised with principal: foreman-realm@MY.REALM
E, [2014-11-03T15:23:02.715791 #21273] ERROR – : Wrong size. Was 307,
should be 191
D, [2014-11-03T15:23:02.715987 #21273] DEBUG – :
/usr/share/ruby/xmlrpc/client.rb:506:in `do_rpc’
followed by a large trace/dump from ruby

Are you running Foreman on CentOS 7 / RHEL 7?

If so, this is a problem with Ruby, and the fix hasn’t made it’s way to
EL yet:
https://bugs.ruby-lang.org/issues/8182

This is the Red Hat bugzilla to rebase to the latest
Ruby 2.0:
https://bugzilla.redhat.com/show_bug.cgi?id=1071187

You can temporarily work around the problem:
Commenting these out on lines 505-506 in
/usr/share/ruby/xmlrpc/client.rb seems to work around it in the short
term.

  #elsif expected != "<unknown>" and expected.to_i != data.bytesize

and resp[“Transfer-Encoding”].nil?
# raise “Wrong size. Was #{data.bytesize}, should be
# #{expected}”

the forman log reports an error
==> /var/log/foreman/production.log <==
Failed to create test.tjako.thuis’s realm entry: ERF12-5287
[ProxyAPI::ProxyException]: Unable to create realm entry
([RestClient::BadRequest]: 400 Bad Request) for proxy
https://katello.tjako.thuis:9090/realm/TJAKO.THUIS

after which katello nearly gives an error and reverts the previous
actions
removing the tfpf enty
deleting dns records
deleting dhcp reservation

I verified that foreman-prepare-realm did run correctly
the foreman-realm principal exists
the 3 extra permissions are create
the role ‘Smart Proxy Host Manager’ is created
the privilege ‘Smart Proxy Host Management’ is created
the permissions are added to the privilege (15 total including the 3
mentioned before)
the privilege is added to the role
the foreman-realm user is added to the role

output from checks :
ipa privilege-show 'Smart Proxy Host Management’
Privilege name: Smart Proxy Host Management
Description: Smart Proxy Host Management
Permissions: add hosts, remove hosts, modify hosts, modify services,
manage host keytab, manage service keytab, retrieve
certificates from the ca, revoke certificate, add dns
entries, remove dns entries, update dns entries, read dns
entries, modify host password, write host certificate,
modify host userclass
Granting privilege to roles: Smart Proxy Host Manager

ipa user-show foreman-realm
User login: foreman-realm
First name: Smart
Last name: Proxy
Home directory: /home/foreman-realm
Login shell: /bin/bash
Email address: foreman-realm@my.domain
UID: xxxxxxxxxxx
GID: xxxxxxxxxxx
Account disabled: False
Password: False
Member of groups: ipausers
Roles: Smart Proxy Host Manager
Kerberos keys available: True

I checked permissions on the keytab mode 600 owner foreman-proxy

I confirmed that foreman can actually read the keytab

I checked the settings in the yml file

cat /etc/foreman-proxy/settings.d/realm.yml

Manage joining realms e.g. FreeIPA

:enabled: true

Available providers:

freeipa

:realm_provider: freeipa

Authentication for Kerberos-based Realms

:realm_keytab: /etc/foreman-proxy/foreman-realm.keytab
:realm_principal: foreman-realm@MY.REALM

FreeIPA specific settings

Remove from DNS when deleting the FreeIPA entry

:freeipa_remove_dns: true

anybody knows what I’m missing ?
Rob

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
Stephen Benjamin

---

Red Hat GmbH | http://de.redhat.com/ | Sitz: Grasbrunn
Handelsregister: Amtsgericht München, HRB 153243
Geschäftsführer: Charles Cachera, Michael Cunningham,
Michael O’Neill, Charles Peters