Anonymous via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
writes:
I want to authenticate to cockpit with Kerberos. Some of the servers,
however, have other services running on the HTTP service in
FreeIPA. FreeIPA itself is an example. What is the proper way to
have Kerberos authentication for cockpit running on FreeIPA master and
replica servers? I know that I can create a service called
cockpit/master.domain.com, but from what I've been told, or at least
as I've understood it, for Kerberos to function the service needs to be
HTTP/master.domain.com.
The cockpit documentation details what needs to be done:
https://cockpit-project.org/guide/latest/sso.html
I use the following Ansible play to install and configure cockpit.
---
# Maybe this can be used?
# https://github.com/linux-system-roles/cockpit
- name: Install, enable, and configure cockpit on a host
  hosts: cockpit
  become: true
  vars:
    keytab: /etc/cockpit/krb5.keytab
  tasks:
    - name: Install cockpit packages
      ansible.builtin.package:
        name:
          - cockpit
        state: present

    - name: Install cockpit-machines packages on KVM hosts
      ansible.builtin.package:
        name:
          - cockpit-machines
        state: present
      when: "'kvm' in group_names"

    - name: Remove cockpit-machines packages on non-KVM hosts
      ansible.builtin.package:
        name:
          - cockpit-machines
        state: absent
      when: "'kvm' not in group_names"

    - name: Ensure that cockpit.socket is started
      ansible.builtin.systemd:
        state: started
        enabled: true
        name: cockpit.socket

    - name: Ensure the cockpit port 9090 is accessible
      ansible.posix.firewalld:
        service: cockpit
        permanent: true
        immediate: true
        state: enabled
      when: ansible_os_family == "RedHat"

    # On Debian our user needs urllib-gssapi (via pip3)
    # Fedora has a package for that
    - name: Install urllib-gssapi python package on Debian
      ansible.builtin.pip:
        name: urllib-gssapi
      when: ansible_os_family == 'Debian'

    - name: Install urllib-gssapi python package on RedHat systems
      ansible.builtin.package:
        name:
          - python3-urllib-gssapi
        state: present
      when: ansible_os_family == 'RedHat'

    # Authenticate to the IPA API with the host keytab, not an admin password
    - name: Ensure kerberos service principal for cockpit is present
      community.general.ipa_service:
        name: "{{ item }}"
        state: present
      environment:
        KRB5_CLIENT_KTNAME: /etc/krb5.keytab
      with_items:
        - "cockpit/{{ inventory_hostname }}@JOCHEN.ORG"

    - name: Ensure kerberos service principal for HTTP is present
      freeipa.ansible_freeipa.ipaservice:
        name: "{{ item }}"
        state: present
        ok_as_delegate: true
        ok_to_auth_as_delegate: true
        ipaadmin_principal: "host/{{ inventory_hostname }}@JOCHEN.ORG"
      environment:
        KRB5_CLIENT_KTNAME: /etc/krb5.keytab
      with_items:
        - "HTTP/{{ inventory_hostname }}@JOCHEN.ORG"

    # With this heuristic we try to find a suitable keytab to copy.
    # Another approach might be to retrieve the keytab (needing
    # special permissions).
    - name: Looking for a suitable keytab for cockpit
      ansible.builtin.shell:
        cmd: |
          for i in /etc/apache2/http.keytab /etc/keycloak/keycloak.keytab /var/lib/ipa/gssproxy/http.keytab; do
            if [ -f "$i" ]; then echo "$i"; exit; fi
          done
      changed_when: false
      check_mode: false
      register: _found_file

    - name: Debug
      ansible.builtin.debug:
        var: _found_file

    # Only runs when no existing keytab was found above: ipa-getkeytab
    # without -r/--retrieve generates a NEW key for the principal, which
    # would invalidate any other keytab already holding HTTP/<host>.
    - name: Get the keytab, we don't have one
      ansible.builtin.command:
        argv:
          - /usr/sbin/ipa-getkeytab
          - -k
          - "{{ keytab }}"
          - -p
          - 'HTTP/{{ inventory_hostname }}@JOCHEN.ORG'
        creates: "{{ keytab }}"
      register: ipagetkeytab
      # Do not fail on error codes 3 and 5:
      # 3 - Unable to open keytab
      # 5 - Principal name or realm not found in keytab
      failed_when: ipagetkeytab.rc != 0 and ipagetkeytab.rc != 3 and ipagetkeytab.rc != 5
      when: "(_found_file.stdout | length) == 0"

    # The registered result is a dict and never empty; test its stdout
    - name: Copy http.keytab to /etc/cockpit/krb5.keytab
      ansible.builtin.copy:
        src: "{{ _found_file.stdout }}"
        dest: /etc/cockpit/krb5.keytab
        remote_src: true
        mode: "0600"
      when: "(_found_file.stdout | length) != 0"

    - name: Play the role fedora.linux_system_roles.certificate
      ansible.builtin.include_role:
        name: fedora.linux_system_roles.certificate
      vars:
        certificate_requests:
          - name: /etc/cockpit/ws-certs.d/50-from-certmonger
            dns: '{{ ansible_fqdn }}'
            ip:
              - '{{ ansible_default_ipv4.address }}'
              - "{{ ansible_all_ipv6_addresses | select('match', '^fd23:e163:19f7:1234:') | first }}"
            ca: ipa
            principal: 'cockpit/{{ ansible_fqdn }}@{{ ansible_domain | upper }}'
            owner: root
            group: cockpit-ws
            # Cockpit refreshes the certs automatically

  handlers:
    - name: Daemon reload
      ansible.builtin.systemd:
        daemon_reload: true
---
Hope that helps
Jochen
--
This space is intentionally left blank.
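Whichever way the keytab lands in /etc/cockpit/krb5.keytab (copied from Apache or gssproxy, or fetched with ipa-getkeytab), the thing worth verifying before blaming the browser is that the file actually holds HTTP/<fqdn>@REALM, which is the principal a browser asks for, and that its kvno still matches the KDC. The script below is an added example and is not part of the thread or of the Cockpit or FreeIPA projects: it parses the MIT keytab format (version 0x0502) directly, so it needs no klist, and reports what Cockpit needs from the file. The realm EXAMPLE.TEST, the host ipa.example.test and the sample keytab bytes are constructed here; point it at a real file with `python3 keytab_check.py /etc/cockpit/krb5.keytab`.

```python
"""Check that a keytab carries the HTTP/<fqdn>@REALM entry Cockpit's GSSAPI
negotiation needs.  Added example (not from the thread); parses MIT keytab
format 0x0502 directly.  Sample data at the bottom is constructed."""
from __future__ import annotations
import struct
from dataclasses import dataclass

@dataclass
class KeytabEntry:
    principal: str      # e.g. "HTTP/ipa.example.test@EXAMPLE.TEST"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int        # 17 = aes128-cts-hmac-sha1-96, 18 = aes256-cts-hmac-sha1-96
    key: bytes

def _counted(buf: bytes, off: int) -> tuple[bytes, int]:
    """counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n

def parse_keytab(data: bytes) -> list[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 (0x0502) is supported")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # deleted slot (e.g. after ipa-rmkeytab): skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off); off += 9
        enctype, klen = struct.unpack_from(">HH", data, off); off += 4
        key = data[off:off + klen]; off += klen
        kvno = vno8
        if end - off >= 4:                # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, enctype, key))
    return entries

def check_cockpit_keytab(data: bytes, fqdn: str, realm: str) -> dict:
    """Does the keytab hold HTTP/<fqdn>@REALM?  Also lists other principals,
    such as a cockpit/<fqdn> SPN, which browsers never request."""
    wanted = f"HTTP/{fqdn}@{realm}"
    entries = parse_keytab(data)
    http = [e for e in entries if e.principal == wanted]
    return {
        "has_http": bool(http),
        "kvnos": sorted({e.kvno for e in http}),
        "enctypes": sorted({e.enctype for e in http}),
        "other_principals": sorted({e.principal for e in entries if e.principal != wanted}),
    }

def build_keytab(entries: list[tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples; used only to construct the sample."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 1700000000, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

REALM = "EXAMPLE.TEST"        # constructed realm (the thread uses the poster's own)
FQDN = "ipa.example.test"     # constructed hostname
_built = build_keytab([
    (f"HTTP/{FQDN}@{REALM}", 3, 18, bytes(range(32))),
    (f"HTTP/{FQDN}@{REALM}", 3, 17, bytes(range(16))),
    (f"cockpit/{FQDN}@{REALM}", 1, 18, bytes(32)),
])
# Insert a deleted 8-byte slot after the header to exercise the negative-size path.
SAMPLE_KEYTAB = _built[:2] + struct.pack(">i", -8) + b"\x00" * 8 + _built[2:]

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    host = sys.argv[2] if len(sys.argv) > 2 else FQDN
    realm = sys.argv[3] if len(sys.argv) > 3 else REALM
    for k, v in check_cockpit_keytab(data, host, realm).items():
        print(f"{k}: {v}")
```

If `has_http` is false the browser's Negotiate ticket cannot be accepted no matter what cockpit/<host> entries exist. If it is true but SSO still fails, compare `kvnos` with what the KDC currently issues (`kinit` as any user, then `kvno HTTP/$(hostname -f)`): a higher KDC kvno means the principal was re-keyed after this file was written, which is exactly what running ipa-getkeytab without `-r` against an existing HTTP/ principal does.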