This page contains links and information on how to configure Satellite for IPA authentication.
Requirements
- Admin group to map for Satellite Admins
- Config channel group for other users
How to Configure Satellite
- Install the following packages:
- yum install ipa-client ipa-admintools sssd sssd-dbus mod_auth_kerb mod_authnz_pam mod_lookup_identity mod_intercept_form_submit -y
- Check the SELinux status. SELinux must be enabled: set it to enforcing first, after which it can run in permissive mode. By default we turn SELinux off, and changing this requires a reboot to relabel all the files with SELinux contexts.
- [tuser@client.mydom.com ~]$ getenforce
  Disabled
- ]$ sestatus
  SELinux status: disabled
- Since it shows Disabled, we need to change SELinux to enforcing, then permissive.
- cd /etc/sysconfig and edit the selinux file
- change SELINUX=disabled to SELINUX=enforcing
- reboot
- log in and change again from enforcing to permissive
- cd /etc/sysconfig and edit the selinux file
- change SELINUX=enforcing to SELINUX=permissive
- OR do this
- # setenforce 0
  [root@client.mydom.com ~]# getenforce
  Permissive
- Verify it's enabled and in enforcing mode
- [root@Satellite.mydom.com rhn]# getenforce
  Permissive
- [root@satellite.mydom.com rhn]# sestatus
  SELinux status: enabled
  SELinuxfs mount: /selinux
  Current mode: permissive
  Mode from config file: permissive
  Policy version: 24
  Policy from config file: targeted
- If you try to run the spacewalk setup ipa command below and selinux is not configured properly you will see this error:
- [root@satellie.mydom.com sysconfig]# spacewalk-setup-ipa-authentication
  Enabling authentication against [ipa.mydom.com].
  Keytab: [/etc/httpd/conf/http.keytab] already exists, will not refetch.
  Use [klist -kt /etc/httpd/conf/http.keytab] to verify its content.
  PAM service: File [/etc/pam.d/spacewalk], will not overwrite.
  Packages: all needed packages are already installed.
  getsebool: SELinux is disabled
  Maybe you need to upgrade selinux-policy?
- Once selinux is configured properly we can proceed with IPA Configuration.
- Make sure you have a Kerberos ticket: run kinit admin
- Now that everything is ready, run the following command to configure IPA
- [root@satellite.mydom.com ~]# spacewalk-setup-ipa-authentication
  Enabling authentication against [ipa.mydom.com].
  Keytab: [/etc/httpd/conf/http.keytab] already exists, will not refetch.
  Use [klist -kt /etc/httpd/conf/http.keytab] to verify its content.
  PAM service: File [/etc/pam.d/spacewalk], will not overwrite.
  Packages: all needed packages are already installed.
  Turning SELinux boolean [httpd_dbus_sssd] on ...... done.
  Turning SELinux boolean [allow_httpd_mod_auth_pam] on ...... done.
  Configuring Apache modules.
  ** /etc/tomcat6/server.xml has been backed up to server.xml-swsave.ipa
  Stopping sssd: [ OK ]
  Starting sssd: [ OK ]
  Stopping tomcat6: [ OK ]
  Starting tomcat6: [ OK ]
  Stopping httpd: [ OK ]
  Starting httpd: [ OK ]
  Waiting for tomcat to be ready ...
  Authentication against [ipa.mydom.com] sucessfully enabled.
  As admin, at Admin > Users > External Authentication, select
  Default organization to autopopulate new users into.
- Once the IPA configuration is completed, log in to the Satellite WebUI as satadm and configure External Authentication for the Admin Group
- The Unix/Linux group admins will be used to allow team login and permissions to the Satellite WebUI
- Go to Admin > Users > External Authentication > Configuration
- Select 'myOrg' for Default Organization and click Update
- Click on Group Role Mapping tab and then click on + Create External Group
- External Group Name: Enter the external group admins
- Administrative Roles: Select Organization Administrator
- Click Create to save.
- Log out, then log in with your TID account that is a member of the admins group. Your login should succeed.
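
The SELinux check described above can be scripted as a preflight before running spacewalk-setup-ipa-authentication. This is an added example, not part of the original post or of Spacewalk: the function names and SAMPLE_* values are constructed, and it also flags the case where `setenforce 0` changed the running mode while the config file still says something else.

```shell
#!/bin/sh
# Added example: SELinux preflight for spacewalk-setup-ipa-authentication.
# Function names and SAMPLE_* values are constructed for illustration.

# Print the value of one "Label: value" field from sestatus output.
sestatus_field() {   # $1 = label, $2 = sestatus text
    printf '%s\n' "$2" | awk -F':[ \t]*' -v k="$1" '$1 == k { print $2; exit }'
}

# 0 = ready, 1 = SELinux not enabled, 2 = runtime mode differs from config file.
selinux_preflight() {   # $1 = sestatus text
    status=$(sestatus_field "SELinux status" "$1")
    current=$(sestatus_field "Current mode" "$1")
    config=$(sestatus_field "Mode from config file" "$1")
    if [ "$status" != "enabled" ]; then
        echo "FAIL: SELinux status is '${status:-unknown}'; set SELINUX=enforcing and reboot to relabel"
        return 1
    fi
    if [ "$current" != "$config" ]; then
        echo "WARN: running '$current' but config file says '$config'; a reboot will switch modes"
        return 2
    fi
    echo "OK: SELinux enabled, mode '$current' matches config file"
}

# True when `getsebool NAME` output reports the boolean as on.
sebool_on() {   # $1 = boolean name, $2 = getsebool text
    [ "$2" = "$1 --> on" ]
}

# Constructed samples: the page's sestatus output, and the state left by
# `setenforce 0` when the config file still says enforcing.
SAMPLE_OK='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive'
SAMPLE_DRIFT='SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          enforcing'

# On a real host: sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    selinux_preflight "$(sestatus)" || exit $?
    for b in httpd_dbus_sssd allow_httpd_mod_auth_pam; do
        sebool_on "$b" "$(getsebool "$b")" || echo "NOTE: boolean $b is not on yet"
    done
fi
```

Run with --live after the setup command as well: the two booleans it checks are the ones the setup output above reports turning on.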