Enrolling Foreman
Preparations
Install the necessary tools:
sudo yum -y install ipa-client foreman-proxy ipa-admintools
Run the ipa client installer:
sudo ipa-client-install
Expected output:
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
Discovery was successful!
Client hostname: foreman.internal.virtnet
Realm: INTERNAL.VIRTNET
DNS Domain: internal.virtnet
IPA Server: ldap1.internal.virtnet
BaseDN: dc=internal,dc=virtnet
If discovery succeeds, the installer asks for confirmation and for the credentials of an account allowed to enroll hosts; answer as follows:
| Questions | Answers |
|---|---|
| Continue to configure the system with these values? [no]: | yes |
| User authorized to enroll computers: | admin |
| Password for admin@INTERNAL.VIRTNET: | [admin password] |
Expected output:
...
Configuring internal.virtnet as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Set up smart proxy
sudo foreman-prepare-realm admin realm-proxy
Expected output:
-------------------------
Number of members added 1
-------------------------
Keytab successfully retrieved and stored in: freeipa.keytab
Realm Proxy User: realm-proxy
Realm Proxy Keytab: /home/jeremy/freeipa.keytab
Move the keytab into /etc/foreman-proxy and hand it to the foreman-proxy user. It is a long-lived credential for the realm-proxy account, so do not leave a copy in a home directory:
sudo mv /home/jeremy/freeipa.keytab /etc/foreman-proxy
sudo chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
Enable the realm module over https only (http would expose the proxy API in the clear) in /etc/foreman-proxy/settings.d/realm.yml:
---
# Can be true, false, or http/https to enable just one of the protocols
:enabled: https
# Available providers:
# realm_ad
# realm_freeipa
:use_provider: realm_freeipa
Trust the IPA certificate authority so the smart proxy can verify the IPA server's TLS certificate:
sudo cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
sudo update-ca-trust enable
sudo update-ca-trust
Re-run the installer to enable the realm feature on the smart proxy, pointing it at the keytab and principal prepared above (a principal without a realm part is resolved against the default_realm that ipa-client-install wrote to /etc/krb5.conf):
sudo foreman-installer --scenario katello --foreman-proxy-realm true \
--foreman-proxy-realm-keytab /etc/foreman-proxy/freeipa.keytab \
--foreman-proxy-realm-principal realm-proxy
Create realm in foreman
Now that the smart proxy offers the realm feature, create a matching realm in Foreman. --realm-proxy-id is the id of the smart proxy as shown by hammer proxy list:
hammer realm create --location "Default Location" \
--name "INTERNAL.VIRTNET" \
--organization "internal.virtnet" \
--realm-proxy-id 1 \
--realm-type "FreeIPA"
Associate realm with hostgroup
Update the hostgroup in Foreman to reference the realm id. Hosts provisioned into this group are then registered in the realm at build time; hosts that already exist are not enrolled retroactively:
hammer hostgroup update --id 1 --realm-id 1
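Once all of the steps above have run, it is worth checking the result before provisioning the first host. The script below is an added example for this page, not part of Foreman or of the original procedure. It checks that the keytab is private to foreman-proxy and holds the expected principal, that realm.yml enables the module over https, and that the smart proxy advertises the realm feature. The keytab path and realm.yml path are the ones used above; the principal realm-proxy@INTERNAL.VIRTNET, the proxy port 9090 and the Foreman client certificate paths under /etc/foreman are assumptions taken from foreman-installer defaults and can be overridden through the environment.

```bash
#!/usr/bin/env bash
# Post-setup checks for the Foreman realm smart proxy (added example; the
# paths below are assumptions: page values plus foreman-installer defaults).
set -u

KEYTAB="${KEYTAB:-/etc/foreman-proxy/freeipa.keytab}"
REALM_YML="${REALM_YML:-/etc/foreman-proxy/settings.d/realm.yml}"
PRINCIPAL="${PRINCIPAL:-realm-proxy@INTERNAL.VIRTNET}"      # assumed realm part
PROXY_URL="${PROXY_URL:-https://foreman.internal.virtnet:9090}"  # assumed default port
PROXY_CA="${PROXY_CA:-/etc/foreman/proxy_ca.pem}"              # assumed installer defaults
CLIENT_CERT="${CLIENT_CERT:-/etc/foreman/client_cert.pem}"
CLIENT_KEY="${CLIENT_KEY:-/etc/foreman/client_key.pem}"

# 0 when the keytab exists, belongs to the given user and is mode 0600 exactly.
keytab_is_private() {
  local path="$1" owner="${2:-foreman-proxy}"
  [ -f "$path" ] || return 1
  [ -n "$(find "$path" -maxdepth 0 -user "$owner" -perm 0600 2>/dev/null)" ]
}

# 0 when klist can read the keytab and it contains the expected principal.
keytab_has_principal() {
  local path="$1" principal="$2"
  command -v klist >/dev/null || { echo "klist not installed (krb5-workstation)"; return 2; }
  klist -kt "$path" | grep -Fq "$principal"
}

# 0 when realm.yml sets :enabled: to https or true; http and false are rejected.
realm_enabled_over_https() {
  local file="$1" value
  value=$(sed -n 's/^:enabled:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$file" | head -n1)
  case "$value" in
    https|true) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 when the JSON array returned by the smart proxy's /features endpoint names "realm".
features_include_realm() {
  local json="$1"
  printf '%s' "$json" | grep -Eq '"realm"'
}

main() {
  local rc=0 features
  if keytab_is_private "$KEYTAB"; then
    echo "ok    $KEYTAB is owned by foreman-proxy and mode 0600"
  else
    echo "FAIL  $KEYTAB must be owned by foreman-proxy and chmod 0600"; rc=1
  fi
  if keytab_has_principal "$KEYTAB" "$PRINCIPAL"; then
    echo "ok    keytab holds $PRINCIPAL"
  else
    echo "FAIL  keytab does not hold $PRINCIPAL (rerun foreman-prepare-realm)"; rc=1
  fi
  if realm_enabled_over_https "$REALM_YML"; then
    echo "ok    realm module enabled over https"
  else
    echo "FAIL  $REALM_YML does not enable the realm module over https"; rc=1
  fi
  # The smart proxy expects a client certificate; Foreman's own is used here.
  features=$(curl -fsS --cacert "$PROXY_CA" --cert "$CLIENT_CERT" --key "$CLIENT_KEY" \
             "$PROXY_URL/features" 2>/dev/null || true)
  if features_include_realm "$features"; then
    echo "ok    smart proxy advertises the realm feature"
  else
    echo "FAIL  $PROXY_URL/features does not list realm: ${features:-no response}"; rc=1
  fi
  return $rc
}

# Run as: sudo bash verify-realm-proxy.sh check
case "${1:-}" in
  check) main ;;
esac
```

The script exits non-zero if any check fails, so it can be dropped into a post-install pipeline; each check is a separate function so that a single failing item (for example a keytab that was copied rather than moved and so kept the original owner) is reported on its own line.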