
fixes #8278 - update foreman-prepare-realm for freeipa 4 #231

Closed
wants to merge 1 commit into from

Conversation

stbenjam
Member

@stbenjam stbenjam commented Nov 5, 2014

No description provided.

@stbenjam
Member Author

Updated according to @encukou's feedback on 78af1f7. Thanks!

@stbenjam
Member Author

To test this:

  1. Install FreeIPA 4.x -- currently, only available on Fedora 21 beta (coming w/ CentOS 7.1)
    1. yum install -y freeipa-server
    2. ipa-server-install (answer questions, defaults are fine)
  2. Check out the smart-proxy git repo and bundle install and all that
  3. Run foreman-prepare-realm admin realm-proxy
    1. Give it the admin password you chose for FreeIPA
    2. Ensure this completes without errors, and gives you a keytab path
  4. Configure smart proxy realm.yml, giving it the path to the keytab
  5. Start the Smart Proxy and add it to Foreman
  6. Create the 'Realm' under the Infrastructure menu
  7. Build a new Foreman host, select a Realm
    1. When it's done, ensure it's registered to FreeIPA
      1. Log in to the FreeIPA web UI, and go to the Hosts tab
        1. FreeIPA will show Kerberos Key Present, Host Provisioned in the details page
  8. Delete the host from foreman, ensure deleted from FreeIPA as well

@stbenjam
Member Author

I also always run into this on fresh VMs: while ipa-server-install is running, you may want to wget a large ISO in the background to generate some entropy so it can create the Kerberos container, otherwise it will take ages.

@encukou

encukou commented Nov 13, 2014

Or if it's just for testing purposes: https://copr.fedoraproject.org/coprs/pviktori/breakmycryptod/

@lzap
Member

lzap commented Nov 14, 2014

I am setting up to test this patch, will get back to that next week.

--permissions='modify services' --permissions='manage service keytab' --permission="read dns entries" \
--permission="remove dns entries" --permission="add dns entries" --permission="update dns entries"

if [ "$PERMISSION_SYSTEM" -eq "v1"];
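Review bot: the `if` test on the last line has two defects. There is no space before `]`, so the shell cannot parse the bracket expression (this is the `foreman-prepare-realm: line 43: [: missing `]'` reported in the test output later in this thread), and `-eq` is an integer comparison, so comparing against the string `v1` is still an error once the bracket is fixed. Use the POSIX string test `if [ "$PERMISSION_SYSTEM" = "v1" ]; then` (single `=`, which works in both sh and bash). Separately, the first two options on the preceding line are spelled `--permissions=` while the rest of the list uses `--permission=`; use one spelling throughout.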
Member

Missing space, which is a shell parsing error. Also, I don't understand the numeric comparison of a string. Can you elaborate?

Member

I think you need to have

if [ "$PERMISSION_SYSTEM" == "v1" ]; then

Member Author

What do you mean numeric comparison?

Contributor

Yeah, I know this is /bin/bash, but a single "=" is POSIX compatible, "==" is a bash-ism. I'll get my coat...

Member Author

Ah, I see. I didn't realize -eq was different from ==, nor did I get this error when I ran it. Strange. Thanks!

@lzap
Member

lzap commented Nov 20, 2014

OK, finally I got to this, sorry for the delay. I was testing against an F21 server from a RHEL7 client, which I added via the --server and --domain options.

[root@hp-sl2x160zg6-01 ~]# bash foreman-prepare-realm admin realm-proxy
Password for admin@LAB.BOS.REDHAT.COM: 
---------------------------------------------
Added privilege "Smart Proxy Host Management"
---------------------------------------------
  Privilege name: Smart Proxy Host Management
  Description: Smart Proxy Host Management
foreman-prepare-realm: line 43: [: missing `]'
Usage: ipa [global-options] permission-add NAME [options]

ipa: error: no such option: --right
  Privilege name: Smart Proxy Host Management
  Description: Smart Proxy Host Management
  Permissions: System: Manage Host Enrollment Password, System: Remove DNS Entries, System: Modify Hosts, System: Manage
               Service Keytab, System: Manage Host Certificates, System: Add DNS Entries, System: Modify Services, System:
               Manage Host Keytab, Retrieve Certificates from the CA, System: Update DNS Entries, System: Remove Hosts
  Failed members: 
    permission: Add Host Enrollment Password: permission not found
------------------------------
Number of permissions added 11
------------------------------
-------------------------------------
Added role "Smart Proxy Host Manager"
-------------------------------------
  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management
  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management
  Privileges: Smart Proxy Host Management
----------------------------
Number of privileges added 1
----------------------------
------------------------
Added user "realm-proxy"
------------------------
  User login: realm-proxy
  First name: Smart
  Last name: Proxy
  Full name: Smart Proxy
  Display name: Smart Proxy
  Initials: SP
  Home directory: /home/realm-proxy
  GECOS: Smart Proxy
  Login shell: /bin/sh
  Kerberos principal: realm-proxy@LAB.BOS.REDHAT.COM
  Email address: realm-proxy@lab.bos.redhat.com
  UID: 21000001
  GID: 21000001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management
  Member users: realm-proxy
  Privileges: Smart Proxy Host Management
-------------------------
Number of members added 1
-------------------------
Keytab successfully retrieved and stored in: freeipa.keytab
Realm Proxy User:    realm-proxy
Realm Proxy Keytab:  /root/freeipa.keytab

--permission='modify services' --permission='manage service keytab' --permission='read dns entries' \
--permission='remove dns entries' --permission='add dns entries' --permission='update dns entries'
else
ipa permission-add 'Add Host Enrollment Password' --right='add' --type='host' --attrs='userpassword'
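Review bot: the `else` branch assumes that any client not on the v1 permission system accepts `--right`, but the RHEL7 `ipa` client rejects it (`ipa: error: no such option: --right` in the test output above), so `Add Host Enrollment Password` is never created and the subsequent privilege step fails with `permission: Add Host Enrollment Password: permission not found`. The v1 branch already uses the `--permissions=` spelling; use it here as well (`ipa permission-add 'Add Host Enrollment Password' --permissions='add' --type='host' --attrs='userpassword'`) so the command does not depend on the client version.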
Member

The ipa client from RHEL7 does not understand the --right option.

Member Author

Thanks, good catch. Reverted back to permission, then.

@stbenjam
Member Author

Thanks @lzap, updated!

@stbenjam
Member Author

You will also run into this on RHEL 7.0: https://bugzilla.redhat.com/show_bug.cgi?id=1122140

@lzap
Member

lzap commented Nov 20, 2014

OK, this works fine on both RHEL6 and 7.

@lzap
Member

lzap commented Nov 20, 2014

Thank you for your contribution, merged as 2bd70b7.

5 participants