I managed to figured out what the cause was. I figured I would post it here in case anyone else comes across the same situation. IPA 4.4.0 (CentOS 7) Foreman 1.12.4 (CentOS 7) ipa-admintools 4.4.0.14.el7
It was a permissions issue with the user account authorized to add/enroll/disable the host in FreeIPA. The foreman-prepare-realm that gets installed from ipa-admintools is missing a couple of roles/permissions to add to the user account it sets up. That said: - Host Enrolllment Password needs the write permission added to it under the Smart Proxy Manager role (needed to be able to add the host into IPA on the first build) - Revoke Certificate needs to have the delete permission added to it (needed to disable the host if it's being built again after it has been enrolled in IPA) On Wednesday, March 29, 2017 at 3:26:14 AM UTC-4, Eric Fredrickson wrote: > > I have foreman 1.12.4 running on CentOS 7 setup with FreeIPA. I am able > to generate a OTP one time and one time only for a host. After a host > builds it successfully joins the realm and authentication works. However, > if I select "Build" in Foreman for the host, it does not generate a OTP for > the next build. The only way I am able to regenerate another OTP is to > remove the host from within IPA, remove the Realm from the host within > Foreman and add the Realm back in. I set the logging level to DEBUG in > foreman-proxy and am not seeing where the proxy is requesting a new OTP > when the build button is pressed. What am I missing? > > > -- You received this message because you are subscribed to the Google Groups "Foreman users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/foreman-users. For more options, visit https://groups.google.com/d/optout.
