Replying with the trigger/fix to this issue; I am not sure what causes the scenario, though. In /etc/foreman-proxy are two files: realm.yaml and realm_freeipa.yaml. Foreman-installer appears to read and modify realm.yaml, while foreman-proxy is reading realm_freeipa.yaml. Correcting realm_freeipa.yaml from [email protected] to [email protected] resolves the issue with Kerberos credentials. There is probably still a bug somewhere in the installer triggering this that needs to be found.

On Tuesday, August 29, 2017 at 1:10:12 AM UTC-5, [email protected] wrote:
>
> This is a clean install on CENTOS 7.3 with 1.15.3 and 3.4. As you can see
> from the debug when I attempt to create/provision a host Foreman tries to
> use [email protected] rather than the principal setting of
> [email protected]:
>
> D, [2017-08-28T17:37:36.017066 ] DEBUG -- : freeipa: realm IDM.NWC.NWS
> D, [2017-08-28T17:37:36.017346 ] DEBUG -- : freeipa: uri is https://nwcal-idm01.idm.nwc.nws/ipa/xml
> D, [2017-08-28T17:37:36.017543 ] DEBUG -- : Making IPA call: ["host_show", ["nwcal-kvm1.nwc.nws"]]
> D, [2017-08-28T17:37:36.022298 ] DEBUG -- : Requesting credentials for Kerberos principal [email protected] using keytab /etc/foreman-proxy/freeipa.keytab
> E, [2017-08-28T17:37:36.023160 ] ERROR -- : Failed to initialise credential cache from keytab: krb5_get_init_creds_keytab: Key table entry not found
> E, [2017-08-28T17:37:36.023990 ] ERROR -- : Failed to initailize credentials cache from keytab: krb5_get_init_creds_keytab: Key table entry not found
>
> foreman-installer --help | grep realm
>     --foreman-proxy-freeipa-remove-dns        Remove DNS entries from FreeIPA when deleting hosts from realm (current: true)
>     --foreman-proxy-realm                     Enable realm management feature (current: true)
>     --foreman-proxy-realm-keytab              Kerberos keytab path to authenticate realm updates (current: "/etc/foreman-proxy/freeipa.keytab")
>     --foreman-proxy-realm-listen-on           Realm proxy to listen on https, http, or both (current: "https")
>     --foreman-proxy-realm-principal           Kerberos principal for realm updates (current: "[email protected]")
>     --foreman-proxy-realm-provider            Realm management provider (current: "freeipa")
>     --foreman-proxy-realm-split-config-files  Split realm configuration files. This is needed since version 1.15. (current: false)
>
> I am guessing there is either a setting being missed in the configuration
> at install, or this setting is hanging on the install. Other than in the
> settings file, where is this set, or defaulted to?
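
A check for the mismatch described in this thread, as an added example that is not part of the original messages: it compares the principal in the file the installer edits with the one in the file the proxy reads, then confirms the latter has a keytab entry. The `:principal:` key layout, the function names and all principals and sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes smart-proxy style ":principal: value"
# lines and `klist -k` style keytab listings; all sample data below is constructed.

# Print the value of ":<key>: value" from a settings file ($1 = file, $2 = key).
yaml_value() {
    sed -n "s/^:$2:[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/' | head -n 1
}

# Read `klist -k` output on stdin and print one principal per line.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }' | sort -u
}

# $1 = realm.yaml, $2 = realm_freeipa.yaml, $3 = saved `klist -k` output.
# Returns 0 if consistent, 1 if the two files disagree, 2 if the principal the
# proxy reads (from $2) has no entry in the keytab listing.
check_realm_config() {
    base=$(yaml_value "$1" principal)
    live=$(yaml_value "$2" principal)
    status=0
    if [ -n "$base" ] && [ "$base" != "$live" ]; then
        echo "DRIFT: $1 says '$base', $2 says '$live'"
        status=1
    fi
    if ! keytab_principals < "$3" | grep -Fxq -- "$live"; then
        echo "MISSING: '$live' from $2 is not in the keytab"
        status=2
    fi
    return "$status"
}

# Constructed reproduction: installer updated realm.yaml, proxy file kept a default.
demo() {
    d=$(mktemp -d) || return 3
    printf '%s\n' '---' ':principal: foreman-realm@IDM.EXAMPLE.COM' > "$d/realm.yaml"
    printf '%s\n' '---' ':principal: realm-proxy@EXAMPLE.COM' > "$d/realm_freeipa.yaml"
    printf '%s\n' 'Keytab name: FILE:/tmp/constructed.keytab' 'KVNO Principal' \
        '---- ---------' '   1 foreman-realm@IDM.EXAMPLE.COM' > "$d/klist.txt"
    rc=0
    check_realm_config "$d/realm.yaml" "$d/realm_freeipa.yaml" "$d/klist.txt" || rc=$?
    rm -rf "$d"
    return "$rc"
}

if demo; then echo "consistent"; else echo "check failed (status $?)"; fi
```

On a real proxy, save the output of `klist -k /etc/foreman-proxy/freeipa.keytab` to a file and pass it as the third argument along with the two configuration files.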
