Feature #9516

open

Foreman does not reset one time password with ldap realm smart proxy when existing host is set to "build"

Added by Matt Darcy about 9 years ago. Updated about 9 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Realm
Target version:
-
Difficulty:
hard
Triaged:
Fixed in Releases:
Found in Releases:

Description

When Foreman 1.7.2 is configured to use an LDAP host for new build authentication (IPA), the provision process creates a one-time password to allow the new build to join the realm; upon joining the realm, the password is reset.

If you decide to rebuild this host, using the "build" button within Foreman for an existing host, the machine will rebuild, but will not re-join the IPA realm, because the host already exists and the one-time password is no longer valid after the host joined the realm from the initial build.

The best way around this is to delete the host and re-add it, which deletes it from the realm and creates a new host with the same name and a new one-time password. This makes the build button functionality unusable when using an LDAP realm, as the one-time password is not reset.

Request functionality to either reset the one-time password by default with the build button, or have a submenu/drop-down button on press of the build button to just "build" or "build resetting OTP". Open to other solutions, but for a cloud-based estate with multiple hosts that will get a rebuild, this is a feature that is greatly needed.

Actions #1

Updated by Dominic Cleal about 9 years ago

  • Category changed from Smart Proxy to Realm

This is meant to work actually, since when the build succeeds (the host moves from build to non-build state), the OTP in Foreman's database is deleted. Next time the host requests its provision (kickstart/preseed) template then it should generate a new OTP from the smart proxy (I'm unsure if this happens with image provisioning though, so it'd be interesting to know the method you use).

Actions #2

Updated by Matt Darcy about 9 years ago

Not using image based deployment.

Standard kickstart process for CentOS 6 hosts, registering with FreeIPA on CentOS 6 and the Foreman-supplied iparegister snippet.

All works fine, but the rebuild button does not reset the one time password.

Actions #3

Updated by Dominic Cleal about 9 years ago

Check production.log for the provision URL request, as it should log "Setting realm for host foo.example.com". The other thing to perhaps check is that when you put the host back into build mode that the 'otp' field in the database is now blank, which is a pre-req for it requesting the OTP again during the kickstart request.

Actions #4

Updated by Matt Darcy about 9 years ago

This looks correct based on your feedback; however, the OTP does not get reset.

Is this more likely a problem with our environment, e.g. is this confirmed working?

Started GET "/unattended/provision?token=2736c10b-9af2-48c7-9d9c-1dcba6a4f80a" for 192.168.125.114 at 2015-03-03 10:03:46 +0000
Processing by UnattendedController#provision as */*
Parameters: {"token"=>"2736c10b-9af2-48c7-9d9c-1dcba6a4f80a"}
Found jenkins.int.mgt.local
Remove puppet certificate for jenkins.int.mgt.local
Adding autosign entry for jenkins.int.mgt.local
Setting realm for host jenkins.int.mgt.local
Add realm entry for reprovisioned host jenkins.int.mgt.local
Rendered inline template (229.9ms)
Completed 200 OK in 2391ms (Views: 227.9ms | ActiveRecord: 39.1ms)

Actions #5

Updated by Dominic Cleal about 9 years ago

Agreed, that all looks correct. It was checked a while ago, I'm not aware of a known issue here and I expect Stephen or Josh might have picked it up since if there were.

The next bit to look at is the smart proxy interaction with FreeIPA, as Foreman looks OK. There's not much debugging in the proxy itself, so if you have httpd access logs from FreeIPA at the moment the provision call is made to Foreman, that should show what's happening.

On a rebuild, the proxy should check if the host already exists in FreeIPA. If it does, it will call host_mod with 'random' to generate a new OTP. If a keytab exists, it will first call host_disable.

https://github.com/theforeman/smart-proxy/blob/develop/modules/realm/freeipa.rb#L87-L101
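
The rebuild decision just described (existing host: host_disable if a keytab exists, then host_mod with a random OTP; new host: add with a random OTP) together with the Foreman-side precondition from #3 (the stored otp must be blank before a new one is requested), as an added illustration in Ruby. This is not the smart-proxy's freeipa.rb nor Foreman's code; FakeIpa, realm_otp, ForemanHost and provision_request are constructed stand-ins, and an existing host is assumed to always be the reprovision case.

```ruby
require 'securerandom'

# Constructed stand-in for the FreeIPA host commands; not the real API client.
class FakeIpa
  attr_reader :calls
  def initialize
    @hosts = {} # fqdn => { has_keytab: bool, otp: String or nil }
    @calls = [] # records which IPA commands were issued, in order
  end
  def host_show(fqdn)
    @calls << [:host_show, fqdn]
    @hosts[fqdn]
  end
  def host_add(fqdn)
    @calls << [:host_add, fqdn]
    @hosts[fqdn] = { has_keytab: false, otp: SecureRandom.hex(8) }
  end
  def host_disable(fqdn)
    @calls << [:host_disable, fqdn]
    @hosts[fqdn][:has_keytab] = false
  end
  def host_mod(fqdn)
    @calls << [:host_mod, fqdn]
    @hosts[fqdn][:otp] = SecureRandom.hex(8)
    @hosts[fqdn]
  end
  # Simulates the kickstart enrolling the host: keytab issued, OTP consumed.
  def enroll!(fqdn)
    @hosts[fqdn][:has_keytab] = true
    @hosts[fqdn][:otp] = nil
  end
end

# Proxy-side decision from the thread: a new host is added with a random OTP;
# an existing host is disabled if it holds a keytab, then modified with a random OTP.
def realm_otp(ipa, fqdn)
  entry = ipa.host_show(fqdn)
  return ipa.host_add(fqdn)[:otp] if entry.nil?
  ipa.host_disable(fqdn) if entry[:has_keytab]
  ipa.host_mod(fqdn)[:otp]
end
# Foreman side, simplified: the proxy is only asked for an OTP when the stored
# otp is blank (cleared when a build completes and when "build" is set again).
ForemanHost = Struct.new(:name, :otp)

def provision_request(host, ipa)
  host.otp = realm_otp(ipa, host.name) if host.otp.to_s.empty?
  host.otp
end
```

If the stored otp is not blank when the host re-enters build mode, provision_request returns the stale value and never reaches the proxy, which is the Foreman-side symptom to rule out first.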

Actions #6

Updated by Matt Darcy about 9 years ago

There is nothing in the IPA HTTP access or error log to show that it's actually being hit by the Foreman smart proxy, which is backed up by the foreman-proxy logs showing interaction with the PXE server when the build button is hit, but no reference to the LDAP or a host_mod request.
