Repling with the trigger/fix to this issue, I am not sure what causes the scenario tough. In /etc/foreman-proxy are two files: realm.yaml and realm_freeipa.yaml. Foreman-installer appears to to ready and modify realm.yaml, while foreman-proxy is reading realm_freeipa.yaml. By correcting the realm_freeipa.yaml from realm-pr...@example.com to katello-serv...@idm.nwc.nws to resolve the issue with Kerberos credentials. There is probably still a bug somewhere in the installer that needs to be found triggering this.
On Tuesday, August 29, 2017 at 1:10:12 AM UTC-5, evan....@noaa.gov wrote: > > This is a clean install on CENTOS 7.3 with 1.15.3 and 3.4. As you can see > from the debug when I attempt to create/provision a host Foreman tries to > use realm-pr...@example.com rather than the principle setting of > katello-serv...@idm.nwc.nws: > > D, [2017-08-28T17:37:36.017066 ] DEBUG -- : freeipa: realm IDM.NWC.NWS > D, [2017-08-28T17:37:36.017346 ] DEBUG -- : freeipa: uri is > https://nwcal-idm01.idm.nwc.nws/ipa/xml > D, [2017-08-28T17:37:36.017543 ] DEBUG -- : Making IPA call: ["host_show", > ["nwcal-kvm1.nwc.nws"]] > D, [2017-08-28T17:37:36.022298 ] DEBUG -- : Requesting credentials for > Kerberos principal realm-pr...@example.com using keytab > /etc/foreman-proxy/freeipa.keytab > E, [2017-08-28T17:37:36.023160 ] ERROR -- : Failed to initialise > credential cache from keytab: krb5_get_init_creds_keytab: Key table entry > not found > E, [2017-08-28T17:37:36.023990 ] ERROR -- : Failed to initailize > credentials cache from keytab: krb5_get_init_creds_keytab: Key table entry > not found > > > foreman-installer --help | grep realm > --foreman-proxy-freeipa-remove-dns Remove DNS entries from FreeIPA > when deleting hosts from realm (current: true) > --foreman-proxy-realm Enable realm management feature > (current: true) > --foreman-proxy-realm-keytab Kerberos keytab path to authenticate > realm updates (current: "/etc/foreman-proxy/freeipa.keytab") > --foreman-proxy-realm-listen-on Realm proxy to listen on https, http, > or both (current: "https") > --foreman-proxy-realm-principal Kerberos principal for realm updates > (current: > "katello-serv...@idm.nwc.nws") > --foreman-proxy-realm-provider Realm management provider (current: > "freeipa") > --foreman-proxy-realm-split-config-files Split realm configuration > files. This is needed since version 1.15. (current: false) > > I am guessing there is either a setting being missed in the configuration > at install, or this setting is hanging on the install. Other than in the > settings file, where is this set, or defaulted to? > -- You received this message because you are subscribed to the Google Groups "Foreman users" group. To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscr...@googlegroups.com. To post to this group, send email to foreman-users@googlegroups.com. Visit this group at https://groups.google.com/group/foreman-users. For more options, visit https://groups.google.com/d/optout.
