[Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication

DiOrio, Max Max.DiOrio at ieeeglobalspec.com
Fri Mar 16 10:57:24 UTC 2018


Ahh... I think I made this mistake too.

Modify the /etc/rhn/rhn.conf file and include the following line:
pam_auth_service = spacewalk-prod

Then restart spacewalk. Obviously change spacewalk-prod to whatever your Pam service name is.

Without this, you don't get the checkbox for Use PAM. Instead it tells you something about enabling PAM to use external authentication.

Essentially without the config above, Apache knows to use Pam, but spacewalk has no idea.

Without checking the box, you can enter a password for the user. The Web UI would use sssd and Pam, the console tools would use the password set in spacewalk.  When the box is checked, everything is aware of and uses the Pam module.


Sent from Nine<http://www.9folders.com/>
________________________________
From: Alexandru Raceanu <alex at capeno.com>
Sent: Friday, March 16, 2018 6:16 AM
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication

I agree and thanks for +1 on the bug.
On the other hand, the PAM checkbox you talk about is not visible on any of my SW servers.

/Alex

________________________________
From: "DiOrio, Max" <Max.DiOrio at ieeeglobalspec.com>
To: spacewalk-list at redhat.com
Sent: Thursday, March 15, 2018 6:39:19 PM
Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication

It seems like it would be trivial to add quick logic that if the user creation is coming from PAM, to automatically “check the box” for Use PAM in the database.  Manually having to check the box every time a new user logs in is a pain, and it resolves the issue of being able to use client side tools such as ‘spacewalk-channel’.

I did add my comment to the bug report.  Thanks for the help Alex!

Max DiOrio
Global Systems Administrator

From: spacewalk-list-bounces at redhat.com <spacewalk-list-bounces at redhat.com> On Behalf Of Alexandru Raceanu
Sent: Thursday, March 15, 2018 3:40 AM
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication

Well... That part doesn't work at the moment as far as I can see and never managed to get it working on SW 2.5/2.6/2.7.
I've already opened a bug report over 1 year ago ( https://bugzilla.redhat.com/show_bug.cgi?id=1382974 )

Feel free to add a +1 to that one.

If anyone else has any input on this part, feel free to comment, I'm also interested in fixing this.

/Alex

________________________________
From: "DiOrio, Max" <Max.DiOrio at ieeeglobalspec.com<mailto:Max.DiOrio at ieeeglobalspec.com>>
To: spacewalk-list at redhat.com<mailto:spacewalk-list at redhat.com>
Sent: Wednesday, March 14, 2018 9:52:15 PM
Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication

Sorry – one more issue I’m running into.  Looks like anything that communicates via XMLRPC can’t authenticate.

# spacewalk-channel --add -c microsoft_rhel7 -u mdiorio -p
Error validating data at server:

Error Message:
    Invalid username/password combination
Error Class Code: 2
Error Class Info: Invalid username and password combination.
Explanation:
     An error has occurred while processing your request. If this problem
     persists please enter a bug report at bugzilla.redhat.com.
     If you choose to submit the bug report, please be sure to include
     details of what you were trying to do when this error occurred and
     details on how to reproduce this problem.

In the rhn_server_xmlrpc.log, I see the request, but no errors:
xmlrpc/up2date.subscribeChannels(1000010030, ['microsoft_rhel7'])
In ssl_request_log:
                10.85.164.46 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "POST /XMLRPC HTTP/1.1" 737

I can’t find anything specific in any of the event logs as to why it’s failing.

Max DiOrio
Global Systems Administrator

From: spacewalk-list-bounces at redhat.com<mailto:spacewalk-list-bounces at redhat.com> [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of DiOrio, Max
Sent: Tuesday, March 13, 2018 2:35 PM
To: spacewalk-list at redhat.com<mailto:spacewalk-list at redhat.com>
Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication

Got it!

Had to uncomment the following line in lookup_identity.conf
# LookupUserGroupsIter AJP_REMOTE_USER_GROUP

Seems to work perfectly now!  Now to document all this just in case!

Thanks for the help.

Max DiOrio
Global Systems Administrator

From: spacewalk-list-bounces at redhat.com<mailto:spacewalk-list-bounces at redhat.com> [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of DiOrio, Max
Sent: Tuesday, March 13, 2018 1:55 PM
To: spacewalk-list at redhat.com<mailto:spacewalk-list at redhat.com>
Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication

Thanks Alex – I’m almost there!

I can now successfully log into Spacewalk as a user authenticating with SSSD and Group Policy.  Needed to add a few more pieces to get it to work properly – it was doing the authentication but not the authorization, and wasn’t passing large Kerberos tokens.

It seems my External Authentication Group Role Mapping isn’t working though.  I have created a new group “spacewalkadmins” in AD and added the users to it.  I can id the username and see that the user is a member of the group.   I added the group name to the Spacewalk External Authentication Group Role Mapping, but the mapping is not happening.  The user is getting added with no role mapping permissions.

Any idea where I can see the logs for what is happening and why it may not be mapping?

Thanks!

Max DiOrio
Global Systems Administrator

From: spacewalk-list-bounces at redhat.com<mailto:spacewalk-list-bounces at redhat.com> [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Alexandru Raceanu
Sent: Monday, March 12, 2018 2:58 PM
To: spacewalk-list at redhat.com<mailto:spacewalk-list at redhat.com>
Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication

Try to go through the SW/FreeIPA documentation (https://github.com/spacewalkproject/spacewalk/wiki/SpacewalkAndIPA)
DON'T COPY PASTE, read, understand and skip the parts of IPA installation and config as you already have sssd up and running, so that should be sufficient.
Take a backup before you mess around with your SW deployment so I won't feel bad about the tips!

As far as the channel related stuff, after you have the external auth working for rhn admins, you should be able to map another group for dev's with specific permissions (subscribe/unsubscribe systems to software channels)

That's at least how the theory would be; personally, I would prefer to add all development-required software channels to the whole development env/machines, and they can install whatever they want from those channels.
It will save you the hassle of educating users on how to use spacewalk or other time consuming questions.

/Alex

________________________________
From: "DiOrio, Max" <Max.DiOrio at ieeeglobalspec.com<mailto:Max.DiOrio at ieeeglobalspec.com>>
To: spacewalk-list at redhat.com<mailto:spacewalk-list at redhat.com>
Sent: Monday, March 12, 2018 7:44:07 PM
Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication

SW 2.7 on RHEL 7.4

The HTTPD conf files are either commented out, or in the case of auth_kerb.conf, empty.  This is a completely out of the box setup and the only documentation I’ve been able to find on this on RH’s portal mentions just the config changes I made.  Nothing to do with the files you mentioned.

Is there a better how-to to describe the full changes that need to take place to enable this?

As far as role map, I only want end users to be able to subscribe to additional software channels that we don’t push by default.  For example, we don’t have Microsoft’s channel in our base activation key, but would like to give our developers an opportunity to install software from it without admin intervention.

It appears that doing spacewalk-channel --add -c microsoft_rhel7 prompts for a username and password so they are unable to add the channel.

Max DiOrio
Global Systems Administrator

From: spacewalk-list-bounces at redhat.com<mailto:spacewalk-list-bounces at redhat.com> [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Alexandru Raceanu
Sent: Monday, March 12, 2018 2:08 PM
To: spacewalk-list at redhat.com<mailto:spacewalk-list at redhat.com>
Subject: Re: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication

Spacewalk version and OS please...
Also log entries except the tomcat would be helpful.

What's the content of following:
/etc/httpd/conf.d/intercept_form_submit.conf
/etc/httpd/conf.d/authnz_pam.conf
/etc/httpd/conf.d/auth_kerb.conf

I don't think that you need to create the user if you do role map for external authenticated users ( Admin -> Users -> External Authentication -> Group Role Mapping )


/Alex
________________________________
From: "DiOrio, Max" <Max.DiOrio at ieeeglobalspec.com<mailto:Max.DiOrio at ieeeglobalspec.com>>
To: spacewalk-list at redhat.com<mailto:spacewalk-list at redhat.com>
Sent: Monday, March 12, 2018 4:52:21 PM
Subject: [Spacewalk-list] Spacewalk and AD/SSSD Based User Authentication

Hi!

I’m looking to potentially use SSSD and Active Directory to authenticate our users to Spacewalk.  The Spacewalk server is already on the domain and we authenticate just fine via SSH using AD.

I added the following to the rhn.conf file:
pam_auth_service = spacewalk-satellite

Created the spacewalk-satellite pam.d file:
#%PAM-1.0

auth    required        pam_env.so
auth    sufficient      pam_sss.so no_user_check
auth    required        pam_deny.so

account required        pam_sss.so no_user_check

Restarted spacewalk.   Created a user mdiorio in the GUI and checked the box to use PAM.

But get the following error when I go to log in.

Mar 12 11:51:21 la-1pspacewalk server: 2018-03-12 11:51:21,304 [ajp-bio-0:0:0:0:0:0:0:1-8009-exec-4] WARN  com.redhat.rhn.domain.user.legacy.UserImpl - PAM login for user User mdiorio (id 2, org_id 1) failed with error Permission denied.
Mar 12 11:51:23 la-1pspacewalk server: 2018-03-12 11:51:23,304 [ajp-bio-0:0:0:0:0:0:0:1-8009-exec-4] INFO  com.redhat.rhn.frontend.action.LoginAction - LOCAL AUTH FAILURE: [mdiorio]

I can kinit my account on the server without a problem.

Not sure what I’m missing.   Thanks!

Max DiOrio
Global Systems Administrator
201 Fuller Road, Suite 202
Albany, NY 12203-3621
Phone: +518-238-6516 | Mobile: +518-944-5289
max.diorio at ieeeglobalspec.com<mailto:max.diorio at ieeeglobalspec.com>
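The two pieces this thread ends up wiring together are the pam_auth_service key in /etc/rhn/rhn.conf (the top reply) and the matching PAM stack under /etc/pam.d (the original post). The following added check script is not from the thread or the Spacewalk project; it reads whichever rhn.conf and pam.d directory the RHN_CONF and PAMD_DIR variables point at (defaults are the real locations) and reports the mismatches discussed above before anyone tries the Web UI login.

```shell
# Added example (not from the thread): sanity-check Spacewalk's PAM wiring.
# RHN_CONF and PAMD_DIR default to the real locations but can be pointed at
# constructed copies, which is how the check below is exercised offline.
RHN_CONF="${RHN_CONF:-/etc/rhn/rhn.conf}"
PAMD_DIR="${PAMD_DIR:-/etc/pam.d}"

# Print the configured pam_auth_service value (last occurrence wins), or
# nothing if the key is absent, which is the "no Use PAM checkbox" case.
spacewalk_pam_service() {
    sed -n 's/^[[:space:]]*pam_auth_service[[:space:]]*=[[:space:]]*//p' "$RHN_CONF" | tail -n 1
}

# Return 0 when the configured service has a PAM stack that delegates both
# auth and account to pam_sss.so, as the stack posted in the thread does.
check_spacewalk_pam() {
    svc=$(spacewalk_pam_service)
    if [ -z "$svc" ]; then
        echo "pam_auth_service is not set in $RHN_CONF; Spacewalk will not offer the Use PAM checkbox" >&2
        return 1
    fi
    stack="$PAMD_DIR/$svc"
    if [ ! -f "$stack" ]; then
        # With no service file PAM falls back to the 'other' stack, which denies by default.
        echo "pam_auth_service=$svc but $stack does not exist" >&2
        return 2
    fi
    for kind in auth account; do
        if ! grep -Eq "^[[:space:]]*$kind[[:space:]].*pam_sss\.so" "$stack"; then
            echo "$stack has no '$kind' line using pam_sss.so; sssd users will not be checked for that phase" >&2
            return 3
        fi
    done
    echo "pam_auth_service=$svc -> $stack looks consistent"
    return 0
}
```

Run `check_spacewalk_pam` on the Spacewalk server after editing rhn.conf and before restarting; a non-zero return names the missing piece.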


_______________________________________________
Spacewalk-list mailing list
Spacewalk-list at redhat.com<mailto:Spacewalk-list at redhat.com>
https://www.redhat.com/mailman/listinfo/spacewalk-list
