AD Authentication

I'm trying to configure a new installation of Red Hat Satellite 6.9 for AD authentication. I was able to successfully configure AD as an additional authentication source. Logging in with an AD account is not successful. I'm following the documented method detailed at

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.3/html-single/administering_red_hat_satellite/index#sect-Red_Hat_Satellite-Administering_Red_Hat_Satellite-Configuring_External_Authentication-Using_Active_Directory

which failed at step "13.3.2 Step 7. Enable IPA authentication in Satellite:"
The command issued is:
satellite-installer --foreman-ipa-authentication=true
The errors received are:
2021-07-20 14:50:43 [ERROR ] [configure] '/bin/echo Get keytab && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s unused -k /etc/httpd/conf/http.keytab -p HTTP/shxp-sysap002.health.summa.inet && kdestroy -c KEYRING:session:get-http-service-keytab' returned 1 instead of one of [0]
2021-07-20 14:50:43 [ERROR ] [configure] /Stage[main]/Foreman::Config/Exec[ipa-getkeytab]/returns: change from 'notrun' to ['0'] failed: '/bin/echo Get keytab && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s unused -k /etc/httpd/conf/http.keytab -p HTTP/shxp-sysap002.health.summa.inet && kdestroy -c KEYRING:session:get-http-service-keytab' returned 1 instead of one of [0]
2021-07-20 14:50:43 [ERROR ] [configure] /Stage[main]/Foreman::Config/Exec[ipa-getkeytab]: Failed to call refresh: '/bin/echo Get keytab && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s unused -k /etc/httpd/conf/http.keytab -p HTTP/shxp-sysap002.health.summa.inet && kdestroy -c KEYRING:session:get-http-service-keytab' returned 1 instead of one of [0]
2021-07-20 14:50:43 [ERROR ] [configure] /Stage[main]/Foreman::Config/Exec[ipa-getkeytab]: '/bin/echo Get keytab && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s unused -k /etc/httpd/conf/http.keytab -p HTTP/shxp-sysap002.health.summa.inet && kdestroy -c KEYRING:session:get-http-service-keytab' returned 1 instead of one of [0]

The previous steps are:

5. Insert the following line at the beginning of the /etc/krb5.conf file:

includedir /var/lib/sss/pubconf/krb5.include.d/

6. Create a keytab entry:

KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf

chown root.apache /etc/httpd/conf/http.keytab

chmod 640 /etc/httpd/conf/http.keytab

The context of step six appears to be a continuation of editing the /etc/krb5.conf file from step 5, but there are no other lines like those listed in step 6 in this file, so I'm wondering if that assumption is incorrect.
Thanks for your help.
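
A check for the keytab that step 6 above creates, as an added example that is not part of the original post or of Red Hat's documentation: it confirms the file has the root:apache ownership and 640 mode set by the commands above and that klist -k lists an HTTP/ principal for the host. The function names and the sample klist output for sat.example.com are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post or Red Hat docs): sanity-check the keytab
# that step 6 creates. Path, owner and mode are the ones quoted in the post;
# function names and the sample klist output are constructed.
KEYTAB=/etc/httpd/conf/http.keytab

# Constructed sample of `klist -k` output for a host named sat.example.com.
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/sat.example.com@EXAMPLE.COM
   2 HTTP/sat.example.com@EXAMPLE.COM'

# Reads `klist -k` output on stdin; succeeds if an HTTP/<fqdn>@REALM entry exists.
has_http_principal() {
    awk -v want="HTTP/$1@" '
        $1 ~ /^[0-9]+$/ && index($2, want) == 1 { found = 1 }
        END { exit !found }'
}

# Succeeds if the mode is 640 or stricter (no group write, nothing for others).
perms_ok() {
    case $(stat -c '%a' "$1") in
        [46]00|[46]40) return 0 ;;
        *) return 1 ;;
    esac
}

# Full check against the real keytab; needs klist (krb5-workstation) and root.
check_keytab() {
    rc=0
    [ -r "$KEYTAB" ] || { echo "missing or unreadable: $KEYTAB"; return 1; }
    perms_ok "$KEYTAB" || { echo "mode is wider than 640"; rc=1; }
    [ "$(stat -c '%U:%G' "$KEYTAB")" = "root:apache" ] || { echo "owner is not root:apache"; rc=1; }
    klist -k "$KEYTAB" | has_http_principal "$1" || { echo "no HTTP/$1 entry"; rc=1; }
    return $rc
}

# Usage: sh check-keytab.sh "$(hostname -f)"
if [ $# -eq 1 ]; then check_keytab "$1"; fi
```

An empty or missing keytab, or one holding only host/ entries, fails the principal check, which separates a problem in step 6 from one in the installer run.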

Responses