On Mon, Jan 05, 2015 at 12:09:37PM -0800, Glen Collins wrote:
> Hi Jan,
>
> No, I did not use the IPA documentation. The reason, everything is handled
> for me using the Question authentication PAM module. All the encryption,
> kerberos and all that good stuff is done for me. I just followed the
> documentation on the Satellite product and did the changes to:
>
> /etc/rhn/rhnf.conf and added pam_auth_service = rhn-satellite
>
> Moved or created what I think is the correct pam configuration and created
> the file /etc/pam.d/rhn-satellite with those entries.
>
> I then restarted everything, created my AD account in SW, checked the PAM
> checkbox.
>
> Created the necessary DG with the appropriate permissions in spacewalk making
> sure it matched the AD group name as it's displayed.
>
> Logged in to SW with my AD account, got in but only very limited permissions.
> The group I gave the permissions to has complete access to SW, Org Admin and
> SW Admin. So I should see every menu and option. I don't, just a standard user.
>
> So I'm wondering if there is logging in tomcat that I can turn on to see
> what's being returned. I used quests tools and it does bring back the correct
> AD group with my ID in it. I'm just wondering how tomcat is doing everything
> in the backend. But there is no logging other than unable to authenticate if
> I get my password wrong.
>
> I also kind of pieced this together using:
>
> http://www.redhat.com/archives/spacewalk-list/2013-July/msg00037.html
>
> It's using winbind so I started at step 4. No luck there either.
>
> I think the issue is I have the PAM setup incorrect in
> /etc/pam.d/rhn-satellite, but without any kind of logging it's hard to
> diagnose. I did try and turn on the actual PAM logging/debugging, but it gave
> not real low level logging.
>
> I also looked at someone using centrify:
>
> http://liniks.com/?p=253
>
> And that gave me no luck either. Pretty much the same thing.
>
> So if anyone has any good ideas it would be appreciated.

The external group role mapping (and auto-provisioning of users alike)
only works when you use the external authentication. When PAM is used,
that part will not work because the PAM stack does not have means to
retrieve the additional attributes and group information.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

_______________________________________________
Spacewalk-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/spacewalk-list
