Thanks Alex – I’m almost there!

I can now successfully log into Spacewalk as a user authenticating with SSSD 
and Group Policy.  Needed to add a few more pieces to get it to work properly – 
it was doing the authentication but not the authorization, and wasn’t passing 
large Kerberos tokens.

It seems my External Authentication Group Role Mapping isn’t working though.  I 
have created a new group “spacewalkadmins” in AD and added the users to it.  I 
can id the username and see that the user is a member of the group.   I added 
the group name to the Spacewalk External Authentication Group Role Mapping, but 
the mapping is not happening.  The user is getting added with no role mapping 
permissions.

Any idea where I can see the logs for what is happening and why it may not be 
mapping?

Thanks!

Max DiOrio
Global Systems Administrator

From: spacewalk-list-boun...@redhat.com 
[mailto:spacewalk-list-boun...@redhat.com] On Behalf Of Alexandru Raceanu
Sent: Monday, March 12, 2018 2:58 PM
To: spacewalk-list@redhat.com
Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication

Try to go trough the SW/FreeIPA documentation 
(https://github.com/spacewalkproject/spacewalk/wiki/SpacewalkAndIPA)
DON'T COPY PASTE, read, understand and skip the parts of ipa installation and 
config as you already have sssd up and running so that should be sufficient.
Take a backup before you mess around with you SW deployment so I won't feel bad 
about the tips!

As far as the channel related stuff, after you have the external auth working 
for rhn admins, you should be able to map another group for dev's with specific 
permissions (subscribe/unsubscribe systems to software channels)

That's at least how the theory would be, personally I would prefer to add all 
development required software channels to the whole development env/machines, 
and they can install whatever they want from that channels.
It will save you the hassle of educating users on how to use spacewalk or other 
time consuming questions.

/Alex

________________________________
From: "DiOrio, Max" 
<max.dio...@ieeeglobalspec.com<mailto:max.dio...@ieeeglobalspec.com>>
To: spacewalk-list@redhat.com<mailto:spacewalk-list@redhat.com>
Sent: Monday, March 12, 2018 7:44:07 PM
Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication

SW 2.7 on RHEL 7.4

The HTTPD conf files are either commented out, or in the case of 
auth_kerb.conf, empty.  This is a completely out of the box setup and the only 
documentation I’ve been able to find on this on RH’s portal mentions just the 
config changes I made.  Nothing to do with the files you mentioned.

Is there a better how-to to describe the full changes that need to take place 
to enable this?

As far as role map, I only want end users to be able to subscribe to additional 
software channels that we don’t push by default.  For example, we don’t have 
Microsoft’s channel in our base activation key, but would like to give our 
developers an opportunity to install software from it without admin 
intervention.

It appears that doing spacewalk-channel –add –c microsoft_rhel7    prompts for 
a username and password so they are unable to add the channel.

Max DiOrio
Global Systems Administrator

From: 
spacewalk-list-boun...@redhat.com<mailto:spacewalk-list-boun...@redhat.com> 
[mailto:spacewalk-list-boun...@redhat.com] On Behalf Of Alexandru Raceanu
Sent: Monday, March 12, 2018 2:08 PM
To: spacewalk-list@redhat.com<mailto:spacewalk-list@redhat.com>
Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication

Spacewalk version and OS please...
Also log entries except the tomcat would be helpful.

What's the content of following:
/etc/httpd/conf.d/intercept_form_submit.conf
/etc/httpd/conf.d/authnz_pam.conf
/etc/httpd/conf.d/auth_kerb.conf

I don't think that you need to create the user if you do role map for external 
authenticated users ( Admin -> Users -> External Authentication -> Group Role 
Mapping )


/Alex
________________________________
From: "DiOrio, Max" 
<max.dio...@ieeeglobalspec.com<mailto:max.dio...@ieeeglobalspec.com>>
To: spacewalk-list@redhat.com<mailto:spacewalk-list@redhat.com>
Sent: Monday, March 12, 2018 4:52:21 PM
Subject: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication

Hi!

I’m looking to potentially use SSSD and Active Directory to authenticate our 
users to Spacewalk.  The Spacewalk server is already on the domain and we 
authenticate just fine via SSH using AD.

I added the following to the rhn.conf file:
pam_auth_service = spacewalk-satellite

Created the spacewalk-satellite pam.d file:
#%PAM-1.0

auth    required        pam_env.so
auth    sufficient      pam_sss.so no_user_check
auth    required        pam_deny.so

account required        pam_sss.so no_user_check

Restarted spacewalk.   Created a user mdiorio in the GUI and checked the box to 
use PAM.

But get the following error when I go to log in.

Mar 12 11:51:21 la-1pspacewalk server: 2018-03-12 11:51:21,304 
[ajp-bio-0:0:0:0:0:0:0:1-8009-exec-4] WARN  
com.redhat.rhn.domain.user.legacy.UserImpl - PAM login for user User mdiorio 
(id 2, org_id 1) failed with error Permission denied.
Mar 12 11:51:23 la-1pspacewalk server: 2018-03-12 11:51:23,304 
[ajp-bio-0:0:0:0:0:0:0:1-8009-exec-4] INFO  
com.redhat.rhn.frontend.action.LoginAction - LOCAL AUTH FAILURE: [mdiorio]

I can kinit my account on the server without a problem.

Not sure what I’m missing.   Thanks!

Max DiOrio
Global Systems Administrator
[cid:image002.jpg@01D26A5C.D5C0BF00]
201 Fuller Road, Suite 202
Albany, NY 12203-3621
Phone: +518-238-6516 | Mobile: +518-944-5289
max.dio...@ieeeglobalspec.com<mailto:max.dio...@ieeeglobalspec.com>


_______________________________________________
Spacewalk-list mailing list
Spacewalk-list@redhat.com<mailto:Spacewalk-list@redhat.com>
https://www.redhat.com/mailman/listinfo/spacewalk-list

_______________________________________________
Spacewalk-list mailing list
Spacewalk-list@redhat.com<mailto:Spacewalk-list@redhat.com>
https://www.redhat.com/mailman/listinfo/spacewalk-list
_______________________________________________
Spacewalk-list mailing list
Spacewalk-list@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list

Reply via email to