Anonymous via FreeIPA-users <[email protected]> writes:
> I want to authenticate to cockpit with kerberos. Some of the servers
> however have other services running on the http service in
> freeipa. Freeipa is also an example. What is the proper way that I can
> have kerberos authentication on cockpit running on freeipa master and
> replica servers? I know that I can create a service called
> cockpit/master.domain.com but from what I've been told, or at least
> I've understood for kerberos to function the service needs to be
> HTTP/master.domain.com

The cockpit documentation details what needs to be done:

https://cockpit-project.org/guide/latest/sso.html

I do use the following ansible play to install and configure cockpit.

---
# Maybe this can be used?
# https://github.com/linux-system-roles/cockpit
- name: Install, enable, and configure cockpit on a host
  hosts: cockpit
  become: true
  vars:
    keytab: /etc/cockpit/krb5.keytab
  tasks:
    - name: Install cockpit packages
      ansible.builtin.package:
        name:
          - cockpit
        state: present

    - name: Install cockpit-machines packages on KVM hosts
      ansible.builtin.package:
        name:
          - cockpit-machines
        state: present
      when: "'kvm' in group_names"

    - name: Remove cockpit-machines packages on non-KVM hosts
      ansible.builtin.package:
        name:
          - cockpit-machines
        state: absent
      when: "'kvm' not in group_names"

    - name: Ensure that cockpit.socket is started
      ansible.builtin.systemd:
        state: started
        enabled: true
        name: cockpit.socket

    - name: Ensure the cockpit port 9090 is accessible
      ansible.posix.firewalld:
        service: cockpit
        permanent: true
        immediate: true
        state: enabled
      when: ansible_os_family == "RedHat"

    # On Debian our user needs urllib-gssapi (via pip3)
    # Fedora has a package for that
    - name: Install urllib-gssapi python package on Debian
      ansible.builtin.pip:
        name: urllib-gssapi
      when: ansible_os_family == 'Debian'

    - name: Install urllib-gssapi python package on RedHat systems
      ansible.builtin.package:
        name:
          - python3-urllib-gssapi
        state: present
      when: ansible_os_family == 'RedHat'

    - name: Ensure kerberos service principal for cockpit is present
      community.general.ipa_service:
        name: "{{ item }}"
        state: present
      environment:
        KRB5_CLIENT_KTNAME: /etc/krb5.keytab
      with_items:
        - "cockpit/{{ inventory_hostname }}@JOCHEN.ORG"

    - name: Ensure kerberos service principal for HTTP is present
      freeipa.ansible_freeipa.ipaservice:
        name: "{{ item }}"
        state: present
        ok_as_delegate: true
        ok_to_auth_as_delegate: true
        ipaadmin_principal: "host/{{ inventory_hostname }}@JOCHEN.ORG"
      environment:
        KRB5_CLIENT_KTNAME: /etc/krb5.keytab
      with_items:
        - "HTTP/{{ inventory_hostname }}@JOCHEN.ORG"

    # With this heuristic we try to find a suitable keytab to copy.
    # Another approach might be to retrieve the keytab (needing
    # special permissions).
    - name: Looking for a suitable keytab for cockpit
      ansible.builtin.shell:
        cmd: |
          for i in /etc/apache2/http.keytab /etc/keycloak/keycloak.keytab /var/lib/ipa/gssproxy/http.keytab; do
            if [ -f "$i" ]; then echo "$i"; exit; fi
          done
      changed_when: false
      check_mode: false
      register: _found_file

    - name: Debug
      ansible.builtin.debug:
        var: _found_file

    # Only runs when the heuristic above found nothing; ipa-getkeytab
    # writes a fresh HTTP/ key straight into the cockpit keytab.
    - name: Get the keytab, we don't have one
      ansible.builtin.command:
        argv:
          - /usr/sbin/ipa-getkeytab
          - -k
          - "{{ keytab }}"
          - -p
          - 'HTTP/{{ inventory_hostname }}@JOCHEN.ORG'
        creates: "{{ keytab }}"
      register: ipagetkeytab
      # Do not fail on error codes 3 and 5:
      # 3 - Unable to open keytab
      # 5 - Principal name or realm not found in keytab
      failed_when: ipagetkeytab.rc != 0 and ipagetkeytab.rc != 3 and ipagetkeytab.rc != 5
      when: "(_found_file.stdout | length) == 0"

    # The registered result is a dict and therefore never "empty";
    # test the stdout (the found path) so this task is skipped when
    # no keytab was found and ipa-getkeytab created one instead.
    - name: Copy http.keytab to /etc/cockpit/krb5.keytab
      ansible.builtin.copy:
        src: "{{ _found_file.stdout }}"
        dest: "{{ keytab }}"
        remote_src: true
        mode: "0600"
      when: "(_found_file.stdout | length) != 0"

    - name: Play the role fedora.linux_system_roles.certificate
      ansible.builtin.include_role:
        name: fedora.linux_system_roles.certificate
      vars:
        certificate_requests:
          - name: /etc/cockpit/ws-certs.d/50-from-certmonger
            dns: '{{ ansible_fqdn }}'
            ip:
              - '{{ ansible_default_ipv4.address }}'
              - "{{ ansible_all_ipv6_addresses | select('match', '^fd23:e163:19f7:1234:') | first }}"
            ca: ipa
            principal: 'cockpit/{{ ansible_fqdn }}@{{ ansible_domain | upper }}'
            owner: root
            group: cockpit-ws
            # Cockpit refreshes the certs automatically
  handlers:
    - name: Daemon reload
      ansible.builtin.systemd:
        daemon_reload: true
---

Hope that helps

Jochen

--
This space is intentionally left blank.

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
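The play above copies or fetches a keytab into /etc/cockpit/krb5.keytab, and the original question is whether a cockpit/ principal is enough or whether HTTP/<fqdn> is required. The following is an added example (not part of Jochen's reply, the cockpit project, or FreeIPA) that answers that for a given file offline: it parses the MIT keytab v2 format that ipa-getkeytab and the copied http.keytab files use, lists the principals and key versions they contain, and reports whether the HTTP/<fqdn>@REALM entry cockpit needs is present, plus whether the file mode is restricted to the owner as the play's mode "0600" intends. The sample keytab bytes are constructed in the block (zero keys, aes256 enctype 18) purely for demonstration; the hostname ipa1.example.test and realm EXAMPLE.TEST are placeholders.

```python
import os
import stat
import struct

# Constructed sample: a keytab the way the play would produce it, holding
# an HTTP/ entry (what cockpit needs) and a cockpit/ entry (what the
# question proposed). Keys are zeros; this is not a real credential.
SAMPLE_FQDN = "ipa1.example.test"
SAMPLE_REALM = "EXAMPLE.TEST"
AES256_CTS_HMAC_SHA1_96 = 18


def build_keytab(entries):
    """Serialize (principal, realm, kvno, enctype, key) tuples as an MIT keytab v2 blob."""
    out = bytearray(b"\x05\x02")  # file format version 0x0502
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = bytearray()
        body += struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">I", 1)         # name type: NT-PRINCIPAL
        body += struct.pack(">I", 0)         # timestamp (constructed)
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)      # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body  # signed entry length
    return bytes(out)


SAMPLE_KEYTAB = build_keytab([
    ("HTTP/" + SAMPLE_FQDN, SAMPLE_REALM, 3, AES256_CTS_HMAC_SHA1_96, b"\x00" * 32),
    ("cockpit/" + SAMPLE_FQDN, SAMPLE_REALM, 1, AES256_CTS_HMAC_SHA1_96, b"\x00" * 32),
])


def parse_keytab(data):
    """Return [{'principal', 'kvno', 'enctype'}] for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative length marks a deleted slot; skip it
            off += -size
            continue
        if size == 0:
            break
        end = off + size

        def read_str():
            nonlocal off
            (n,) = struct.unpack_from(">H", data, off)
            off += 2
            s = data[off:off + n].decode()
            off += n
            return s

        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm = read_str()
        comps = [read_str() for _ in range(ncomp)]
        off += 8                # name type + timestamp, not needed here
        kvno = data[off]
        off += 1
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen         # never expose key bytes; skip over them
        if end - off >= 4:      # 32-bit kvno extension present
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
    return entries


def check_cockpit_keytab(data, fqdn, realm):
    """Return a list of problems; empty means cockpit can use this keytab for SSO."""
    wanted = "HTTP/%s@%s" % (fqdn, realm)
    found = [e["principal"] for e in parse_keytab(data)]
    problems = []
    if wanted not in found:
        problems.append("missing %s (found: %s)" % (wanted, ", ".join(found) or "nothing"))
    return problems


def check_keytab_mode(path):
    """Return problems with the file mode; the play sets mode 0600 for a reason."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["%s is readable by group/other (mode %o), expected 0600" % (path, mode)]
    return []


if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%s kvno=%d enctype=%d" % (e["principal"], e["kvno"], e["enctype"]))
    print(check_cockpit_keytab(SAMPLE_KEYTAB, SAMPLE_FQDN, SAMPLE_REALM) or "keytab OK for cockpit")
```

Point it at a real file with `check_cockpit_keytab(open("/etc/cockpit/krb5.keytab", "rb").read(), fqdn, realm)` as root; a keytab that only holds cockpit/<fqdn> fails the check, which is exactly the situation the question describes. The parser deliberately skips the key bytes rather than returning them, so its output can be logged safely.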
