<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 10pt; color: #000000"><div>I agree and thanks for +1 on the bug.</div><div>On the other hand, the PAM checkbox you talk about is not visible in none of my SW servers.</div><div> </div><div>/Alex</div><div> </div><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__">From: "DiOrio, Max" <Max.DiOrio@ieeeglobalspec.com> To: spacewalk-list@redhat.com Sent: Thursday, March 15, 2018 6:39:19 PM Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication </div> <div data-marker="__QUOTED_TEXT__"> <style></style> <div class="WordSection1"> <a name="_MailEndCompose">It seems like it would be trivial to add quick logic that if the user creation is coming from PAM, to automatically “check the box” for Use PAM in the database. Manually having to check the box every time a new user logs in in a pain, and it resolves the issue of being able to use client side tools such as ‘spacewalk-channel’.</a> I did add my comment to the bug report. Thanks for the help Alex! <div> Max DiOrio Global Systems Administrator </div> <div> <div style="border: none; border-top: solid #E1E1E1 1.0pt; padding: 3.0pt 0in 0in 0in;" data-mce-style="border: none; border-top: solid #E1E1E1 1.0pt; padding: 3.0pt 0in 0in 0in;"> From: spacewalk-list-bounces@redhat.com <spacewalk-list-bounces@redhat.com> On Behalf Of Alexandru Raceanu Sent: Thursday, March 15, 2018 3:40 AM To: spacewalk-list@redhat.com Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication </div> </div> <div> <div> Well... That part doesn't work at the moment as far as I can see and never managed to get it working on SW 2.5/2.6/2.7. </div> <div> I've already opened a bug report over 1 year ago ( <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1382974" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1382974</a> ) </div> <div> </div> <div> Feel free to add a +1 to that one. </div> <div> </div> <div> If anyone else has any input on this part, feel free to comment, i'm also interested in fixing this. </div> <div> </div> <div> /Alex </div> <div> </div> <div class="MsoNormal" align="center" style="text-align: center;" data-mce-style="text-align: center;"> <hr size="2" width="100%" align="center" id="zwchr"> </div> <div> From: "DiOrio, Max" <<a href="mailto:Max.DiOrio@ieeeglobalspec.com" target="_blank">Max.DiOrio@ieeeglobalspec.com</a>> To: <a href="mailto:spacewalk-list@redhat.com" target="_blank">spacewalk-list@redhat.com</a> Sent: Wednesday, March 14, 2018 9:52:15 PM Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication </div> <div> Sorry – one more issue I’m running into. Looks like anything that communicates via XMLPRC can’t authenticate. # spacewalk-channel --add -c microsoft_rhel7 -u mdiorio -p Error validating data at server: Error Message: Invalid username/password combination Error Class Code: 2 Error Class Info: Invalid username and password combination. Explanation: An error has occurred while processing your request. If this problem persists please enter a bug report at bugzilla.redhat.com. If you choose to submit the bug report, please be sure to include details of what you were trying to do when this error occurred and details on how to reproduce this problem. In the rhn_server_xmlrpc.log, I see the request, but no errors: xmlrpc/up2date.subscribeChannels(1000010030, ['microsoft_rhel7']) In ssl_request_log: 10.85.164.46 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "POST /XMLRPC HTTP/1.1" 737 I can’t find anything specific in any of the event logs as to why it’s failing. <div> Max DiOrio Global Systems Administrator </div> <div> <div style="border: none; border-top: solid #E1E1E1 1.0pt; padding: 3.0pt 0in 0in 0in;" data-mce-style="border: none; border-top: solid #E1E1E1 1.0pt; padding: 3.0pt 0in 0in 0in;"> From: <a href="mailto:spacewalk-list-bounces@redhat.com" target="_blank">spacewalk-list-bounces@redhat.com</a> [<a href="mailto:spacewalk-list-bounces@redhat.com" target="_blank">mailto:spacewalk-list-bounces@redhat.com</a>] On Behalf Of DiOrio, Max Sent: Tuesday, March 13, 2018 2:35 PM To: <a href="mailto:spacewalk-list@redhat.com" target="_blank">spacewalk-list@redhat.com</a> Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication </div> </div> Got it! Had to uncomment the following line in lookup_identity.conf # LookupUserGroupsIter AJP_REMOTE_USER_GROUP Seems to work perfectly now! Now to document all this just in case! Thanks for the help. <div> Max DiOrio Global Systems Administrator </div> <div> <div style="border: none; border-top: solid #E1E1E1 1.0pt; padding: 3.0pt 0in 0in 0in;" data-mce-style="border: none; border-top: solid #E1E1E1 1.0pt; padding: 3.0pt 0in 0in 0in;"> From: <a href="mailto:spacewalk-list-bounces@redhat.com" target="_blank">spacewalk-list-bounces@redhat.com</a> [<a href="mailto:spacewalk-list-bounces@redhat.com" target="_blank">mailto:spacewalk-list-bounces@redhat.com</a>] On Behalf Of DiOrio, Max Sent: Tuesday, March 13, 2018 1:55 PM To: <a href="mailto:spacewalk-list@redhat.com" target="_blank">spacewalk-list@redhat.com</a> Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication </div> </div> Thanks Alex – I’m almost there! I can now successfully log into Spacewalk as a user authenticating with SSSD and Group Policy. Needed to add a few more pieces to get it to work properly – it was doing the authentication but not the authorization, and wasn’t passing large Kerberos tokens. It seems my External Authentication Group Role Mapping isn’t working though. I have created a new group “spacewalkadmins” in AD and added the users to it. I can id the username and see that the user is a member of the group. I added the group name to the Spacewalk External Authentication Group Role Mapping, but the mapping is not happening. The user is getting added with no role mapping permissions. Any idea where I can see the logs for what is happening and why it may not be mapping? Thanks! <div> Max DiOrio Global Systems Administrator </div> <div> <div style="border: none; border-top: solid #E1E1E1 1.0pt; padding: 3.0pt 0in 0in 0in;" data-mce-style="border: none; border-top: solid #E1E1E1 1.0pt; padding: 3.0pt 0in 0in 0in;"> From: <a href="mailto:spacewalk-list-bounces@redhat.com" target="_blank">spacewalk-list-bounces@redhat.com</a> [<a href="mailto:spacewalk-list-bounces@redhat.com" target="_blank">mailto:spacewalk-list-bounces@redhat.com</a>] On Behalf Of Alexandru Raceanu Sent: Monday, March 12, 2018 2:58 PM To: <a href="mailto:spacewalk-list@redhat.com" target="_blank">spacewalk-list@redhat.com</a> Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication </div> </div> <div> <div> Try to go trough the SW/FreeIPA documentation (<a href="https://github.com/spacewalkproject/spacewalk/wiki/SpacewalkAndIPA" target="_blank">https://github.com/spacewalkproject/spacewalk/wiki/SpacewalkAndIPA</a>) DON'T COPY PASTE, read, understand and skip the parts of ipa installation and config as you already have sssd up and running so that should be sufficient. </div> <div> Take a backup before you mess around with you SW deployment so I won't feel bad about the tips! </div> <div> As far as the channel related stuff, after you have the external auth working for rhn admins, you should be able to map another group for dev's with specific permissions (subscribe/unsubscribe systems to software channels) That's at least how the theory would be, personally I would prefer to add all development required software channels to the whole development env/machines, and they can install whatever they want from that channels. </div> <div> It will save you the hassle of educating users on how to use spacewalk or other time consuming questions. </div> <div> </div> <div> /Alex </div> <div> </div> <div class="MsoNormal" align="center" style="text-align: center;" data-mce-style="text-align: center;"> <hr size="2" width="100%" align="center"> </div> <div> From: "DiOrio, Max" <<a href="mailto:Max.DiOrio@ieeeglobalspec.com" target="_blank">Max.DiOrio@ieeeglobalspec.com</a>> To: <a href="mailto:spacewalk-list@redhat.com" target="_blank">spacewalk-list@redhat.com</a> Sent: Monday, March 12, 2018 7:44:07 PM Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication </div> <div> SW 2.7 on RHEL 7.4 The HTTPD conf files are either commented out, or in the case of auth_kerb.conf, empty. This is a completely out of the box setup and the only documentation I’ve been able to find on this on RH’s portal mentions just the config changes I made. Nothing to do with the files you mentioned. Is there a better how-to to describe the full changes that need to take place to enable this? As far as role map, I only want end users to be able to subscribe to additional software channels that we don’t push by default. For example, we don’t have Microsoft’s channel in our base activation key, but would like to give our developers an opportunity to install software from it without admin intervention. It appears that doing spacewalk-channel –add –c microsoft_rhel7 prompts for a username and password so they are unable to add the channel. <div> Max DiOrio Global Systems Administrator </div> <div> <div style="border: none; border-top: solid #E1E1E1 1.0pt; padding: 3.0pt 0in 0in 0in;" data-mce-style="border: none; border-top: solid #E1E1E1 1.0pt; padding: 3.0pt 0in 0in 0in;"> From: <a href="mailto:spacewalk-list-bounces@redhat.com" target="_blank">spacewalk-list-bounces@redhat.com</a> [<a href="mailto:spacewalk-list-bounces@redhat.com" target="_blank">mailto:spacewalk-list-bounces@redhat.com</a>] On Behalf Of Alexandru Raceanu Sent: Monday, March 12, 2018 2:08 PM To: <a href="mailto:spacewalk-list@redhat.com" target="_blank">spacewalk-list@redhat.com</a> Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication </div> </div> <div> <div> Spacewalk version and OS please... </div> <div> Also log entries except the tomcat would be helpful. </div> <div> </div> <div> What's the content of following: /etc/httpd/conf.d/intercept_form_submit.conf </div> <div> /etc/httpd/conf.d/authnz_pam.conf </div> <div> /etc/httpd/conf.d/auth_kerb.conf </div> <div> </div> <div> I don't think that you need to create the user if you do role map for external authenticated users ( Admin -> Users -> External Authentication -> Group Role Mapping ) </div> <div> /Alex </div> <div class="MsoNormal" align="center" style="text-align: center;" data-mce-style="text-align: center;"> <hr size="2" width="100%" align="center"> </div> <div> From: "DiOrio, Max" <<a href="mailto:Max.DiOrio@ieeeglobalspec.com" target="_blank">Max.DiOrio@ieeeglobalspec.com</a>> To: <a href="mailto:spacewalk-list@redhat.com" target="_blank">spacewalk-list@redhat.com</a> Sent: Monday, March 12, 2018 4:52:21 PM Subject: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication </div> <div> Hi! I’m looking to potentially use SSSD and Active Directory to authenticate our users to Spacewalk. The Spacewalk server is already on the domain and we authenticate just fine via SSH using AD. I added the following to the rhn.conf file: pam_auth_service = spacewalk-satellite Created the spacewalk-satellite pam.d file: #%PAM-1.0 auth required pam_env.so auth sufficient pam_sss.so no_user_check auth required pam_deny.so account required pam_sss.so no_user_check Restarted spacewalk. Created a user mdiorio in the GUI and checked the box to use PAM. But get the following error when I go to log in. Mar 12 11:51:21 la-1pspacewalk server: 2018-03-12 11:51:21,304 [ajp-bio-0:0:0:0:0:0:0:1-8009-exec-4] WARN com.redhat.rhn.domain.user.legacy.UserImpl - PAM login for user User mdiorio (id 2, org_id 1) failed with error Permission denied. Mar 12 11:51:23 la-1pspacewalk server: 2018-03-12 11:51:23,304 [ajp-bio-0:0:0:0:0:0:0:1-8009-exec-4] INFO com.redhat.rhn.frontend.action.LoginAction - LOCAL AUTH FAILURE: [mdiorio] I can kinit my account on the server without a problem. Not sure what I’m missing. Thanks! Max DiOrio Global Systems Administrator <img border="0" width="175" height="46" style="width: 1.8229in; height: .4791in;" id="Picture_x0020_5" src="cid:image001.jpg@01D3BC63.0374B240" alt="cid:image002.jpg@01D26A5C.D5C0BF00" data-mce-style="width: 1.8229in; height: .4791in;"> 201 Fuller Road, Suite 202 Albany, NY 12203-3621 Phone: +518-238-6516 | Mobile: +518-944-5289 <a href="mailto:max.diorio@ieeeglobalspec.com" target="_blank">max.diorio@ieeeglobalspec.com</a> _______________________________________________ Spacewalk-list mailing list <a href="mailto:Spacewalk-list@redhat.com" target="_blank">Spacewalk-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/spacewalk-list" target="_blank">https://www.redhat.com/mailman/listinfo/spacewalk-list</a> </div> </div> _______________________________________________ Spacewalk-list mailing list <a href="mailto:Spacewalk-list@redhat.com" target="_blank">Spacewalk-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/spacewalk-list" target="_blank">https://www.redhat.com/mailman/listinfo/spacewalk-list</a> </div> </div> _______________________________________________ Spacewalk-list mailing list <a href="mailto:Spacewalk-list@redhat.com" target="_blank">Spacewalk-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/spacewalk-list" target="_blank">https://www.redhat.com/mailman/listinfo/spacewalk-list</a> </div> </div> </div> _______________________________________________ Spacewalk-list mailing list Spacewalk-list@redhat.com https://www.redhat.com/mailman/listinfo/spacewalk-list </div></div></body></html>