Hello,

I think all you need to do is documented at
https://theforeman.org/manuals/1.15/#5.7.1ConfigurationviaForemaninstaller.
As long as the host is FreeIPA enrolled, you just create a service for it and
run the installer with --foreman-ipa-authentication=true

You seem to be using an old version of the manual; if you're running Foreman 1.6,
I'd recommend updating first.

Hope this helps

--
Marek

On Wednesday, 23 August 2017 15:08:57 CEST VladF wrote:
> Hi,
> I am trying to set up external authentication via Kerberos SSO on the Foreman
> server. I use this tutorial
> - https://theforeman.org/manuals/1.6/#5.7ExternalAuthentication
> The Foreman server is FreeIPA enrolled. I've made a service
> HTTP/foreman.test.com on FreeIPA and did this on the Foreman server:
>
> kinit admin
> ipa-getkeytab -s MY IPA SERVER fqdn -k /etc/http.keytab -p HTTP/foreman.test.com
> chown apache /etc/http.keytab
> chmod 600 /etc/http.keytab
>
> but when I try to access foreman.test.com I see the error "Kerberos
> authentication did not pass."
>
> klist on my Foreman server:
>
> [root@foreman ~]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_Sab2PVh
> Default principal: HTTPS/[email protected]
>
> Valid starting       Expires              Service principal
> 08/23/2017 08:50:29  08/24/2017 08:50:29  krbtgt/CENTOS-25.TEST.COM@CENTOS-25.TEST.COM
>
> I've installed the modules mod_auth_kerb and mod_authnz_pam and edited my
> /etc/httpd/conf.d/auth_kerb.conf.
>
> # add to /etc/httpd/conf.d/auth_kerb.conf
> LoadModule auth_kerb_module modules/mod_auth_kerb.so
> LoadModule authnz_pam_module modules/mod_authnz_pam.so
> <Location /users/extlogin>
>   AuthType Kerberos
>   AuthName "Kerberos Login"
>   KrbMethodNegotiate On
>   KrbMethodK5Passwd Off
>   KrbAuthRealms EXAMPLE.COM
>   Krb5KeyTab /etc/http.keytab
>   KrbLocalUserMapping On
>   # require valid-user
>   require pam-account foreman-prod
>   ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
>   # The following is needed as a workaround for
>   # https://bugzilla.redhat.com/show_bug.cgi?id=1020087
>   ErrorDocument 500 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
> </Location>
>
> What am I doing wrong?
> How can I debug this problem?
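
A consistency check for the setup discussed in this thread, as an added example that is not part of the original messages or of Foreman: it compares the mod_auth_kerb directives with the principals that `klist -k` lists for the keytab. The inputs are constructed samples modelled on the values quoted above; the function names, and the assumption that mod_auth_kerb is left on its default `HTTP` service name, are this example's own.

```python
import re

# Constructed sample inputs, modelled on the values quoted in the thread.
APACHE_CONF = """\
<Location /users/extlogin>
  KrbMethodNegotiate On
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/http.keytab
</Location>
"""
KLIST_K_OUTPUT = """\
Keytab name: FILE:/etc/http.keytab
KVNO Principal
---- ------------------------------------------------
   1 HTTP/foreman.test.com@CENTOS-25.TEST.COM
"""

def directive(conf, name):
    """Return the argument list of the first `name` directive, or []."""
    m = re.search(rf"^\s*{re.escape(name)}\s+(.+?)\s*$", conf, re.M | re.I)
    return m.group(1).split() if m else []

def keytab_principals(klist_output):
    """Extract (service, host, realm) tuples from `klist -k` output."""
    pat = re.compile(r"^\s*\d+\s+([^/\s]+)/([^@\s]+)@(\S+)\s*$", re.M)
    return pat.findall(klist_output)

def check(conf, klist_output, fqdn):
    """Return a list of findings; an empty list means the pieces agree."""
    findings = []
    realms = directive(conf, "KrbAuthRealms")
    keytab = directive(conf, "Krb5KeyTab")
    name = re.search(r"^Keytab name:\s*(?:FILE:)?(\S+)", klist_output, re.M)
    if not keytab or not name or keytab[0] != name.group(1):
        findings.append("Krb5KeyTab does not point at the inspected keytab")
    # Assumption: the module uses its default service name, HTTP/<fqdn>.
    http = [p for p in keytab_principals(klist_output)
            if p[0] == "HTTP" and p[1].lower() == fqdn.lower()]
    if not http:
        findings.append(f"keytab has no HTTP/{fqdn} service principal")
    for _, _, realm in http:
        if realm not in realms:
            findings.append(
                f"realm {realm} of HTTP/{fqdn} is not in KrbAuthRealms {realms}")
    return findings

if __name__ == "__main__":
    for f in check(APACHE_CONF, KLIST_K_OUTPUT, "foreman.test.com"):
        print("MISMATCH:", f)
```

On a real host the second argument would be the output of `klist -k` run against the file named by Krb5KeyTab; a finding is a mismatch to look at, not a confirmed cause of the 401.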
