ERF12-5287: Unable to create realm entry

Look at /var/log/foreman-proxy/proxy.log and /var/log/foreman/production.log for errors.

Possible solutions to this issue:

Can you kinit?

Is the keytab readable by the foreman-proxy user? Can you successfully kinit? Try this:

KRB5_TRACE=/dev/stdout sudo -u foreman-proxy kinit realm-proxy@EXAMPLE.COM -k -t /etc/foreman-proxy/freeipa.keytab

Upgraded IPA 3.x to 4.x

If you upgraded IPA from 3 to 4, the permissions system has changed and the custom permissions Foreman needs are not migrated correctly. You can verify this is the problem by looking at /var/log/httpd/*.log for permission errors.

Re-run `foreman-prepare-realm` from a server with the IPA version 4 client tools installed (such as the FreeIPA server itself).

Expired Keytab

Do you see an error like this in /var/log/foreman-proxy/proxy.log?

ERROR -- : Failed to initailize credentials cache from keytab: krb5_get_init_creds_keytab: Decrypt integrity check failed

Your keytab may be expired. Keytab expiration follows your password expiration policies.

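You can get a new one by running the following (replace <IPA_SERVER_FQDN>, a placeholder, with the hostname of your IPA server):

# kinit admin@EXAMPLE.COM (or other suitable IPA admin)
# ipa-getkeytab -s <IPA_SERVER_FQDN> -p realm-proxy@EXAMPLE.COM -k /etc/foreman-proxy/freeipa.keytab
# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab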

Wrong Size Error

Do you see an error like this in /var/log/foreman-proxy/proxy.log?

E, [2014-11-03T15:23:02.715791 #21273] ERROR -- : Wrong size. Was 307, should be 191

This is due to a bug in Ruby:

This has been fixed in RHEL 7.1 + rebuilds; please run `yum update ruby`. The relevant bugzilla

On 7.0, you can temporarily work around the problem by commenting these out on lines 505-506 in

      #elsif expected != "<unknown>" and expected.to_i != data.bytesize and resp["Transfer-Encoding"].nil?
      #  raise "Wrong size. Was #{data.bytesize}, should be #{expected}"
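
The checks from the "Expired Keytab" and "Wrong Size Error" sections can be scripted. The following is an added example, not part of Foreman or of the original page: `triage_proxy_log` and `keytab_check` are hypothetical helper names, the log lines are constructed from the error texts quoted above, and the "no access for other users" test is an added hardening check that assumes GNU `stat`.

```shell
#!/bin/sh
# Added example (not Foreman code): map proxy.log lines to the causes on this page.

# triage_proxy_log FILE: print one line per known cause found in FILE.
triage_proxy_log() {
    # Signature from the "Expired Keytab" section.
    if grep -q 'Decrypt integrity check failed' "$1"; then
        echo "expired-keytab: re-issue with ipa-getkeytab, then chown to foreman-proxy"
    fi
    # Signature from the "Wrong Size Error" section; keep both byte counts.
    sed -n 's/.*Wrong size\. Was \([0-9][0-9]*\), should be \([0-9][0-9]*\).*/ruby-wrong-size: got \1, expected \2; update ruby/p' "$1" | sort -u
}

# keytab_check FILE USER: print "ok", or why the keytab does not match the
# ownership this page sets (chown to USER) or is exposed to other users.
# Uses GNU stat (assumption: Linux host).
keytab_check() {
    [ -f "$1" ] || { echo "missing"; return 1; }
    kt_owner=$(stat -c %U "$1")
    kt_mode=$(stat -c %a "$1")
    if [ "$kt_owner" != "$2" ]; then
        echo "wrong-owner:$kt_owner"; return 1
    fi
    # A keytab is a long-lived credential; "other" must have no access.
    case $kt_mode in
        *0) echo "ok" ;;
        *)  echo "world-accessible:$kt_mode"; return 1 ;;
    esac
}

# Constructed sample log lines (the error texts are the ones quoted above).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
E, [2014-11-03T15:23:02.715791 #21273] ERROR -- : Wrong size. Was 307, should be 191
E, [2014-11-03T15:24:10.000000 #21273] ERROR -- : Failed to initailize credentials cache from keytab: krb5_get_init_creds_keytab: Decrypt integrity check failed
I, [2014-11-03T15:25:00.000000 #21273]  INFO -- : constructed unrelated line
EOF
triage_proxy_log "$sample_log"
rm -f "$sample_log"
```

On a real proxy, run `triage_proxy_log /var/log/foreman-proxy/proxy.log` and `keytab_check /etc/foreman-proxy/freeipa.keytab foreman-proxy` as root.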