Red Hat Summit13.3.3. Configuring Direct AD Integration with GSS-proxy
In the Satellite CLI, configure the direct Active Directory integration with GSS-proxy.
Prerequisite
Satellite is enrolled with the Active Directory server.
For more information, see 「Enrolling Satellite Server with the AD Server」.
Procedure
Create the
/etc/ipa/directory and thedefault.conffile:mkdir /etc/ipa touch /etc/ipa/default.conf
# mkdir /etc/ipa # touch /etc/ipa/default.confCopy to Clipboard Copied! Toggle word wrap Toggle overflow To the
default.conffile, add the following content:[global] server = unused realm = EXAMPLE.ORG
[global] server = unused realm = EXAMPLE.ORGCopy to Clipboard Copied! Toggle word wrap Toggle overflow Create the
/etc/net-keytab.conffile with the following content:[global] workgroup = EXAMPLE realm = EXAMPLE.ORG kerberos method = system keytab security = ads
[global] workgroup = EXAMPLE realm = EXAMPLE.ORG kerberos method = system keytab security = adsCopy to Clipboard Copied! Toggle word wrap Toggle overflow Determine the effective user ID of the Apache user:
id apache
# id apacheCopy to Clipboard Copied! Toggle word wrap Toggle overflow Apache user must not have access to the keytab file.
Create the
/etc/gssproxy/00-http.conffile with the following content:[service/HTTP] mechs = krb5 cred_store = keytab:/etc/krb5.keytab cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U euid = ID_of_Apache_User
[service/HTTP] mechs = krb5 cred_store = keytab:/etc/krb5.keytab cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U euid = ID_of_Apache_UserCopy to Clipboard Copied! Toggle word wrap Toggle overflow Create a keytab entry:
KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf chown root.apache /etc/httpd/conf/http.keytab chmod 640 /etc/httpd/conf/http.keytab
# KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf # chown root.apache /etc/httpd/conf/http.keytab # chmod 640 /etc/httpd/conf/http.keytabCopy to Clipboard Copied! Toggle word wrap Toggle overflow Enable IPA authenication in Satellite:
satellite-installer --foreman-ipa-authentication=true
# satellite-installer --foreman-ipa-authentication=trueCopy to Clipboard Copied! Toggle word wrap Toggle overflow Start and enable the
gssproxyservice:systemctl restart gssproxy.service systemctl enable gssproxy.service
# systemctl restart gssproxy.service # systemctl enable gssproxy.serviceCopy to Clipboard Copied! Toggle word wrap Toggle overflow Configure the Apache server to use the gssproxy service:
Create the
/etc/systemd/system/httpd.servicefile with the following content:.include /lib/systemd/system/httpd.service [Service] Environment=GSS_USE_PROXY=1
.include /lib/systemd/system/httpd.service [Service] Environment=GSS_USE_PROXY=1Copy to Clipboard Copied! Toggle word wrap Toggle overflow Apply changes to the service:
systemctl daemon-reload
# systemctl daemon-reloadCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Start and enable the
httpdservice:systemctl restart httpd.service
# systemctl restart httpd.serviceCopy to Clipboard Copied! Toggle word wrap Toggle overflow Verify that SSO is working as expected.
With a running Apache server, users making HTTP requests against the server are authenticated if the client has a valid Kerberos ticket.
Retrieve the Kerberos ticket of the LDAP user, using the following command:
kinit ldapuser
# kinit ldapuserCopy to Clipboard Copied! Toggle word wrap Toggle overflow View the Kerberos ticket, using the following command:
klist
# klistCopy to Clipboard Copied! Toggle word wrap Toggle overflow View output from successful SSO-based authentication, using the following command:
curl -k -u : --negotiate https://satellite.example.com/users/extlogin
# curl -k -u : --negotiate https://satellite.example.com/users/extloginCopy to Clipboard Copied! Toggle word wrap Toggle overflow This returns the following response:
<html><body>You are being <a href="https://satellite.example.com/users/4-ldapuserexample-com/edit">redirected</a>.</body></html>
<html><body>You are being <a href="https://satellite.example.com/users/4-ldapuserexample-com/edit">redirected</a>.</body></html>Copy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}