Problem connecting to REALM

ERF12-5287 [ProxyAPI::ProxyException]: Unable to create realm entry ([RestClient::BadRequest]: 400 Bad Request) for proxy

Problem:

Authorization failed.
HTTP-Error: 401 Unauthorized:
/usr/share/gems/gems/xmlrpc-0.3.3/lib/xmlrpc/client.rb:507:in `do_rpc'
/usr/share/gems/gems/xmlrpc-0.3.3/lib/xmlrpc/client.rb:287:in `call2'
/usr/share/gems/gems/xmlrpc-0.3.3/lib/xmlrpc/client.rb:268:in `call'
/usr/share/foreman-proxy/modules/realm_freeipa/provider.rb:152:in `ipa_call'
/usr/share/foreman-proxy/modules/realm_freeipa/provider.rb:60:in `find'
/usr/share/foreman-proxy/modules/realm_freeipa/provider.rb:75:in `create'
/usr/share/foreman-proxy/modules/realm/realm_api.rb:13:in `block in <class:Api>'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1697:in `call'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1697:in `block in compile!'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1030:in `block (3 levels) in route!'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1049:in `route_eval'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1030:in `block (2 levels) in route!'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1078:in `block in process_route'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1076:in `catch'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1076:in `process_route'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1028:in `block in route!'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1025:in `each'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1025:in `route!'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1147:in `block in dispatch!'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1119:in `block in invoke'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1119:in `catch'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1119:in `invoke'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1142:in `dispatch!'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:956:in `block in call!'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1119:in `block in invoke'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1119:in `catch'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1119:in `invoke'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:956:in `call!'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:945:in `call'
/usr/share/foreman-proxy/lib/proxy/log.rb:101:in `call'
/usr/share/foreman-proxy/lib/proxy/request_id_middleware.rb:11:in `call'
/usr/share/gems/gems/rack-protection-2.2.4/lib/rack/protection/xss_header.rb:18:in `call'
/usr/share/gems/gems/rack-protection-2.2.4/lib/rack/protection/path_traversal.rb:16:in `call'
/usr/share/gems/gems/rack-protection-2.2.4/lib/rack/protection/json_csrf.rb:26:in `call'
/usr/share/gems/gems/rack-protection-2.2.4/lib/rack/protection/base.rb:50:in `call'
/usr/share/gems/gems/rack-protection-2.2.4/lib/rack/protection/base.rb:50:in `call'
/usr/share/gems/gems/rack-protection-2.2.4/lib/rack/protection/frame_options.rb:31:in `call'
/usr/share/gems/gems/rack-2.2.8/lib/rack/null_logger.rb:11:in `call'
/usr/share/gems/gems/rack-2.2.8/lib/rack/head.rb:12:in `call'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/show_exceptions.rb:22:in `call'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:218:in `call'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:2004:in `call'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1564:in `block in call'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1780:in `synchronize'
/usr/share/gems/gems/sinatra-2.2.4/lib/sinatra/base.rb:1564:in `call'
/usr/share/gems/gems/rack-2.2.8/lib/rack/urlmap.rb:74:in `block in call'
/usr/share/gems/gems/rack-2.2.8/lib/rack/urlmap.rb:58:in `each'
/usr/share/gems/gems/rack-2.2.8/lib/rack/urlmap.rb:58:in `call'
/usr/share/gems/gems/rack-2.2.8/lib/rack/builder.rb:244:in `call'
/usr/share/gems/gems/rack-2.2.8/lib/rack/handler/webrick.rb:95:in `service'
/usr/share/gems/gems/webrick-1.8.1/lib/webrick/httpserver.rb:140:in `service'
/usr/share/gems/gems/webrick-1.8.1/lib/webrick/httpserver.rb:96:in `run'
/usr/share/gems/gems/webrick-1.8.1/lib/webrick/server.rb:310:in `block in start_thread'
/usr/share/gems/gems/logging-2.3.1/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'

Command

KRB5_TRACE=/dev/stdout sudo -u foreman-proxy kinit realm@XXX.XX -k -t /etc/foreman-proxy/freeipa.keytab - works well

Installed packages

  • ansible-collection-theforeman-foreman-4.0.0-2.el8.noarch
  • ansiblerole-foreman_scap_client-0.2.0-2.el8.noarch
  • candlepin-4.3.12-1.el8.noarch
  • candlepin-selinux-4.3.12-1.el8.noarch
  • foreman-3.10.0-1.el8.noarch
  • foreman-cli-3.10.0-1.el8.noarch
  • foreman-debug-3.10.0-1.el8.noarch
  • foreman-dynflow-sidekiq-3.10.0-1.el8.noarch
  • foreman-installer-3.10.0-1.el8.noarch
  • foreman-installer-katello-3.10.0-1.el8.noarch
  • foreman-obsolete-packages-1.6-1.el8.noarch
  • foreman-postgresql-3.10.0-1.el8.noarch
  • foreman-proxy-3.10.0-1.el8.noarch
  • foreman-redis-3.10.0-1.el8.noarch
  • foreman-release-3.10.0-1.el8.noarch
  • foreman-selinux-3.10.0-1.el8.noarch
  • foreman-service-3.10.0-1.el8.noarch
  • foreman-vmware-3.10.0-1.el8.noarch
  • katello-4.12.0-1.el8.noarch
  • katello-certs-tools-2.9.0-2.el8.noarch
  • katello-client-bootstrap-1.7.9-2.el8.noarch
  • katello-common-4.12.0-1.el8.noarch
  • katello-debug-4.12.0-1.el8.noarch
  • katello-repos-4.12.0-1.el8.noarch
  • katello-selinux-5.0.2-1.el8.noarch
  • pulpcore-obsolete-packages-1.0-9.el8.noarch
  • pulpcore-selinux-2.0.1-1.el8.x86_64
  • puppet-foreman_scap_client-1.0.0-2.el8.noarch
  • python3.11-pulp-ansible-0.20.2-3.el8.noarch
  • python3.11-pulp-certguard-1.7.1-2.el8.noarch
  • python3.11-pulp-cli-0.21.2-5.el8.noarch
  • python3.11-pulp-container-2.16.4-1.el8.noarch
  • python3.11-pulp-deb-3.0.1-1.el8.noarch
  • python3.11-pulp-file-1.15.1-2.el8.noarch
  • python3.11-pulp-glue-0.21.2-3.el8.noarch
  • python3.11-pulp-python-3.10.0-3.el8.noarch
  • python3.11-pulp-rpm-3.23.3-1.el8.noarch
  • python3.11-pulpcore-3.39.11-1.el8.noarch
  • rubygem-foreman-tasks-9.1.1-1.fm3_11.el8.noarch
  • rubygem-foreman_ansible-14.0.0-1.fm3_11.el8.noarch
  • rubygem-foreman_bootdisk-21.2.1-2.fm3_10.el8.noarch
  • rubygem-foreman_maintain-1.5.1-1.el8.noarch
  • rubygem-foreman_openscap-7.1.1-2.fm3_10.el8.noarch
  • rubygem-foreman_puppet-6.2.0-1.fm3_10.el8.noarch
  • rubygem-foreman_remote_execution-13.0.0-1.fm3_11.el8.noarch
  • rubygem-foreman_remote_execution-cockpit-13.0.0-1.fm3_11.el8.noarch
  • rubygem-foreman_snapshot_management-3.0.0-2.fm3_11.el8.noarch
  • rubygem-foreman_webhooks-3.2.2-2.fm3_10.el8.noarch
  • rubygem-hammer_cli-3.10.0-1.el8.noarch
  • rubygem-hammer_cli_foreman-3.10.0-1.el8.noarch
  • rubygem-hammer_cli_foreman_ansible-0.6.0-1.fm3_9.el8.noarch
  • rubygem-hammer_cli_foreman_puppet-0.0.7-1.fm3_10.el8.noarch
  • rubygem-hammer_cli_foreman_remote_execution-0.3.0-1.fm3_10.el8.noarch
  • rubygem-hammer_cli_foreman_tasks-0.0.20-1.fm3_10.el8.noarch
  • rubygem-hammer_cli_katello-1.12.0-0.1.pre.master.20240122184453git9a6ae05.el8.noarch
  • rubygem-katello-4.12.0-1.el8.noarch
  • rubygem-pulp_ansible_client-0.20.3-1.el8.noarch
  • rubygem-pulp_certguard_client-1.6.5-1.el8.noarch
  • rubygem-pulp_container_client-2.16.4-1.el8.noarch
  • rubygem-pulp_deb_client-3.0.1-1.el8.noarch
  • rubygem-pulp_file_client-1.15.1-1.el8.noarch
  • rubygem-pulp_ostree_client-2.1.3-1.el8.noarch
  • rubygem-pulp_python_client-3.10.0-1.el8.noarch
  • rubygem-pulp_rpm_client-3.23.2-1.el8.noarch
  • rubygem-pulpcore_client-3.39.9-1.el8.noarch
  • rubygem-smart_proxy_pulp-3.3.0-1.fm3_10.el8.noarch

This is the version of IPA:
IPA SERVER:
VERSION: 4.11.0
IPA-CLIENT
VERSION: 4.9.13

This is similar: Freeipa (Redhat IDM) REALM integration is failing

When I turn on debug in foreman-proxy, nothing new is visible.

On the FreeIPA server I have:

Jun 17 18:12:17 freeipa.XXX.XX krb5kdc[33760](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.86.60.225: NEEDED_PREAUTH: realm@XXX.XX for krbtgt/XXX.XX@XXX.XX, Additional pre-authentication required
Jun 17 18:12:17 freeipa.XXX.XX krb5kdc[33760](info): closing down fd 11
Jun 17 18:12:17 freeipa.XXX.XX krb5kdc[33763](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.86.60.225: ISSUE: authtime 1718640737, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, realm@XXX.XX for krbtgt/XXX.XX@XXX.XX
Jun 17 18:12:17 freeipa.XXX.XX krb5kdc[33763](info): closing down fd 11
Jun 17 18:12:17 freeipa.XXX.XX krb5kdc[33762](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.86.60.225: ISSUE: authtime 1718640737, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, realm@XXX.XX for HTTP/freeipa.XXX.XX@XXX.XX
Jun 17 18:12:17 freeipa.XXX.XX krb5kdc[33762](info): closing down fd 11

https://www.freeipa.org/release-notes/4-11-0.html

This is the changelog for this version.
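As an added diagnostic that is not part of the post and not Foreman or FreeIPA code, the script below parses krb5kdc lines like the ones quoted above and reports whether the realm principal obtained its TGT and an HTTP/ service ticket for the IPA server the proxy is actually configured to call. It assumes that target host is the one named in xmlrpc_uri of /etc/ipa/default.conf (an assumption, not something the post states); the sample log lines are constructed from the ones in the post.

```python
import re

# Constructed sample mirroring the krb5kdc lines quoted in the post (not the real log).
SAMPLE_LOG = """\
Jun 17 18:12:17 freeipa.XXX.XX krb5kdc[33760](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.86.60.225: NEEDED_PREAUTH: realm@XXX.XX for krbtgt/XXX.XX@XXX.XX, Additional pre-authentication required
Jun 17 18:12:17 freeipa.XXX.XX krb5kdc[33760](info): closing down fd 11
Jun 17 18:12:17 freeipa.XXX.XX krb5kdc[33763](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.86.60.225: ISSUE: authtime 1718640737, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, realm@XXX.XX for krbtgt/XXX.XX@XXX.XX
Jun 17 18:12:17 freeipa.XXX.XX krb5kdc[33762](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.86.60.225: ISSUE: authtime 1718640737, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, realm@XXX.XX for HTTP/freeipa.XXX.XX@XXX.XX
"""

# One AS_REQ/TGS_REQ line: request type, client IP, KDC status, then "client for server".
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) .*?\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): .*?(?P<client>\S+@\S+) for (?P<server>[^\s,]+)"
)


def parse_kdc_line(line):
    """Return the request fields of one krb5kdc line, or None for non-request lines."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def diagnose(log_text, client, expected_host):
    """Classify where the client's Kerberos exchange with the KDC stopped.

    expected_host: the IPA server the proxy talks to (assumed to be the host
    in xmlrpc_uri of /etc/ipa/default.conf on the proxy machine).
    """
    events = [e for e in map(parse_kdc_line, log_text.splitlines())
              if e and e["client"] == client]
    tgt_ok = any(e["req"] == "AS_REQ" and e["status"] == "ISSUE" for e in events)
    http_tickets = {e["server"] for e in events
                    if e["req"] == "TGS_REQ" and e["status"] == "ISSUE"
                    and e["server"].startswith("HTTP/")}
    wanted = sorted(s for s in http_tickets if s.startswith(f"HTTP/{expected_host}@"))
    # NEEDED_PREAUTH is normal for a keytab kinit; anything else non-ISSUE is a KDC refusal.
    errors = [e["status"] for e in events if e["status"] not in ("ISSUE", "NEEDED_PREAUTH")]
    if errors:
        return "kdc_error", errors
    if not tgt_ok:
        return "no_tgt", []             # keytab/principal problem: kinit itself would fail
    if wanted:
        return "kerberos_ok", wanted    # KDC side is fine; a 401 comes from the HTTP/GSSAPI side
    if http_tickets:
        return "wrong_host", sorted(http_tickets)  # ticket is for a different IPA server
    return "no_service_ticket", []


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "realm@XXX.XX", "freeipa.XXX.XX"))
```

A verdict of kerberos_ok while the proxy still logs 401 means the keytab and KDC are not the problem; wrong_host means the proxy's configured IPA server differs from the one the ticket was issued for, which is the mismatch a stale /etc/ipa/default.conf produces.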

I fixed this error: I changed the /etc/ipa/default.conf file from the main server to the replica, and it works.