Thursday, March 5, 2015

How to Configure Satellite for IPA Authentication

This page describes how to configure Satellite for IPA authentication.
Requirements
  • Admin group to map for Satellite Admins
  • Config channel group for other users
How to Configure Satellite
  1. Install the following packages:
    1. yum install ipa-client ipa-admintools sssd sssd-dbus mod_auth_kerb mod_authnz_pam mod_lookup_identity mod_intercept_form_submit -y
  2. Check SELinux status. SELinux must be enabled; it can run in enforcing or permissive mode. By default we turn SELinux off, and changing this requires a reboot to relabel all the files with SELinux contexts.
    • [tuser@client.mydom.com ~]$ getenforce
      Disabled
    • ]$ sestatus
      SELinux status:      disabled

  3. Since it shows Disabled, we need to change SELinux to enforcing, then permissive.
    • cd /etc/sysconfig and edit the selinux file
    • change SELINUX=disabled to SELINUX=enforcing
    • reboot
    • log in and change again from enforcing to permissive
      • cd /etc/sysconfig and edit the selinux file
      • change SELINUX=enforcing to SELINUX=permissive
    • OR do this
      •  # setenforce 0
        [root@client.mydom.com ~]# getenforce
        Permissive
  4. Verify SELinux is enabled and check the current mode
    1. [root@Satellite.mydom.com rhn]# getenforce
      Permissive

    2. [root@satellite.mydom.com rhn]# sestatus
      SELinux status:                 enabled
      SELinuxfs mount:                /selinux
      Current mode:                   permissive
      Mode from config file:          permissive
      Policy version:                 24
      Policy from config file:        targeted

  5. If you run the spacewalk-setup-ipa-authentication command below and SELinux is not configured properly, you will see this error:
    1. [root@satellie.mydom.com sysconfig]# spacewalk-setup-ipa-authentication
      Enabling authentication against [ipa.mydom.com].
      Keytab: [/etc/httpd/conf/http.keytab] already exists, will not refetch.
              Use [klist -kt /etc/httpd/conf/http.keytab] to verify its content.
      PAM service: File [/etc/pam.d/spacewalk], will not overwrite.
      Packages: all needed packages are already installed.
      getsebool:  SELinux is disabled
            Maybe you need to upgrade selinux-policy?


  6. Once SELinux is configured properly, we can proceed with the IPA configuration.

  7. Make sure you have a Kerberos ticket: run kinit admin
  8. Now that everything is ready, run the following command to configure IPA:
    1. [root@satellite.mydom.com ~]# spacewalk-setup-ipa-authentication
      Enabling authentication against [ipa.mydom.com].
      Keytab: [/etc/httpd/conf/http.keytab] already exists, will not refetch.
              Use [klist -kt /etc/httpd/conf/http.keytab] to verify its content.
      PAM service: File [/etc/pam.d/spacewalk], will not overwrite.
      Packages: all needed packages are already installed.
      Turning SELinux boolean [httpd_dbus_sssd] on ...
              ... done.
      Turning SELinux boolean [allow_httpd_mod_auth_pam] on ...
              ... done.
      Configuring Apache modules.
      ** /etc/tomcat6/server.xml has been backed up to server.xml-swsave.ipa
      Stopping sssd:                                             [  OK  ]
      Starting sssd:                                             [  OK  ]
      Stopping tomcat6:                                          [  OK  ]
      Starting tomcat6:                                          [  OK  ]
      Stopping httpd:                                            [  OK  ]
      Starting httpd:                                            [  OK  ]
      Waiting for tomcat to be ready ...
      Authentication against [ipa.mydom.com] sucessfully enabled.
      As admin, at Admin > Users > External Authentication, select
                Default organization to autopopulate new users into.


  9. Once the IPA configuration is complete, log in to the Satellite web UI as satadm and configure External Authentication for the admin group.
    • The Unix/Linux group admins will be used to allow team login and permissions to the Satellite web UI.
  10. Go to Admin > Users > External Authentication > Configuration
    1. Select 'myOrg' for Default Organization and click Update
  11. Click the Group Role Mapping tab, then click + Create External Group
    1. External Group Name: Enter the external group admins
    2. Administrative Roles: Select Organization Administrator
    3. Click Create to save.
  12. Log out, then log in with your TID account that is a member of the admins group. Your login should succeed.
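
The SELinux and Kerberos ticket prerequisites from steps 2 through 7 can be checked in one pass before running spacewalk-setup-ipa-authentication. The script below is an added example, not part of the original post or of Satellite; the function names (sestatus_field, selinux_verdict, preflight) are hypothetical, and the sample input is the sestatus output shown in step 4.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Function names are hypothetical.

# sestatus output copied from step 4 above, used as sample input.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted'

# Print the value of one labelled field from sestatus output.
sestatus_field() {   # $1 = sestatus text, $2 = field label
    printf '%s\n' "$1" | awk -F': *' -v k="$2" '$1 == k { print $2; exit }'
}

# Return 0 if SELinux is enabled now and after reboot, 1 if disabled now,
# 2 if enabled now but the config file would disable it at next boot.
selinux_verdict() {  # $1 = sestatus text
    local status mode cfg
    status=$(sestatus_field "$1" "SELinux status")
    mode=$(sestatus_field "$1" "Current mode")
    cfg=$(sestatus_field "$1" "Mode from config file")
    if [ "$status" != "enabled" ]; then
        echo "FAIL: SELinux is ${status:-unknown}; edit /etc/sysconfig/selinux and reboot"
        return 1
    fi
    if [ "$cfg" = "disabled" ]; then
        echo "WARN: current mode $mode, but config file disables SELinux at next boot"
        return 2
    fi
    # setenforce only changes the running mode; the config file wins after reboot.
    [ "$mode" = "$cfg" ] || echo "NOTE: current mode $mode reverts to $cfg at next boot"
    echo "OK: SELinux enabled (current: $mode, config: $cfg)"
}

# Run the checks against the live system; stops on FAIL or WARN.
preflight() {
    selinux_verdict "$(sestatus 2>/dev/null)" || return 1
    klist -s || { echo "FAIL: no valid Kerberos ticket; run kinit admin"; return 1; }
    echo "Ready to run spacewalk-setup-ipa-authentication"
}

# Only touch the live system when asked: ./preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

The NOTE line covers the setenforce 0 shortcut from step 3, which changes only the running mode and leaves the value in the config file to take effect at the next boot.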