PAM and IPA authentication for RHN Satellite

If you have a larger installation on your site, you may wish to have a single source of credentials not only for common system services, but for your RHN Satellite too.

This post shows how to configure your RHN Satellite Server to authenticate its web users through PAM, with SSSD as the PAM backend. SSSD, the System Security Services Daemon, is a common framework that provides authentication and identity lookups against a remote provider; IPA is one of the providers it supports.

Assumptions:

  • You have a RHN Satellite running on RHEL6
  • You have an IPA infrastructure running (at least on RHEL 6.2)

Preparations
First you need to install the ipa-client on your satellite:

yum -y install ipa-client

And then join the server to your IPA environment (you will be prompted for the password of the admin principal):

ipa-client-install -p admin

Configure PAM as follows. The stack grants access only if pam_sss.so (SSSD, backed by IPA or by its offline credential cache) says yes; every other outcome falls through to pam_deny.so, so this service has no local-password fallback:

cat << EOF > /etc/pam.d/rhn-satellite
auth        required      pam_env.so
auth        sufficient    pam_sss.so
auth        required      pam_deny.so
account     sufficient    pam_sss.so
account     required      pam_deny.so
EOF

Configure the RHN Satellite
Your Satellite must now be told which PAM service to use for users flagged for PAM authentication. The name must match the file you created in /etc/pam.d:

echo "pam_auth_service = rhn-satellite" >> /etc/rhn/rhn.conf

By default the Satellite rejects user names shorter than five characters. If your IPA domain contains users with shorter names, add one more line so those users can be created in RHN Satellite (note that `>>` appends, so if you re-run these commands make sure rhn.conf does not end up with duplicate keys):

echo "web.min_user_len = 3" >> /etc/rhn/rhn.conf

After these changes, restart your RHN Satellite:

rhn-satellite restart
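The steps above, collected into one script as an added example (this is not code from the original post or from Red Hat). It writes the PAM service and the two rhn.conf keys idempotently, so re-running it replaces existing lines instead of appending duplicates, and it refuses to enable PAM when pam_sss.so is not installed, because with pam_deny.so as the last line a missing module would lock every PAM user out. The ROOT prefix, the function names and the `apply` argument are this example's own conventions; the package and command names are the ones used in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: applies the PAM and rhn.conf
# settings idempotently. Assumption: ROOT is a prefix for the target
# filesystem (empty = the live system, or a scratch directory for a dry run).
set -e

ROOT="${ROOT:-}"

# Write the PAM service the Satellite will use. Only pam_sss.so can grant
# access; any other outcome hits pam_deny.so, so there is no local fallback.
write_pam_service() {
    name="$1"
    dir="$ROOT/etc/pam.d"
    mkdir -p "$dir"
    cat > "$dir/$name" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_sss.so
auth        required      pam_deny.so
account     sufficient    pam_sss.so
account     required      pam_deny.so
EOF
    chmod 0644 "$dir/$name"
}

# Set "key = value" in rhn.conf, replacing an existing line for that key
# (and dropping duplicates) instead of appending another copy.
set_rhn_conf() {
    key="$1"
    value="$2"
    conf="$ROOT/etc/rhn/rhn.conf"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    awk -v k="$key" -v v="$value" -F= '
        {
            lhs = $1
            gsub(/^[ \t]+|[ \t]+$/, "", lhs)
            if (lhs == k) {
                if (!done) { print k " = " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k " = " v }
    ' "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Read a key back from rhn.conf; prints nothing if the key is absent.
get_rhn_conf() {
    conf="$ROOT/etc/rhn/rhn.conf"
    [ -f "$conf" ] || return 0
    awk -v k="$1" -F= '
        {
            lhs = $1
            gsub(/^[ \t]+|[ \t]+$/, "", lhs)
            if (lhs == k) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val
                exit
            }
        }
    ' "$conf"
}

# pam_sss.so comes from the sssd-client package; check the RHEL6 module paths.
pam_sss_installed() {
    for f in "$ROOT"/lib64/security/pam_sss.so "$ROOT"/lib/security/pam_sss.so; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# The configuration steps from the post, in order.
configure_satellite_pam() {
    write_pam_service rhn-satellite
    set_rhn_conf pam_auth_service rhn-satellite
    set_rhn_conf web.min_user_len 3
}

# Run the full procedure only when explicitly asked, so the functions above
# can be sourced or tested without touching the live system.
if [ "${1:-}" = "apply" ]; then
    yum -y install ipa-client
    ipa-client-install -p admin     # prompts for the IPA admin password
    pam_sss_installed || { echo "pam_sss.so not found; not enabling PAM" >&2; exit 1; }
    configure_satellite_pam
    rhn-satellite restart
fi
```

Run it as `sh satellite-pam.sh apply` on the Satellite, or set `ROOT=/tmp/dryrun` and call `configure_satellite_pam` from a shell that sourced the file to inspect the generated files first.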

Configuring users
Now log in to your RHN Satellite with your already configured admin user and select the checkbox “Pluggable Authentication Modules (PAM)” on existing users and/or when creating new users. The Satellite login name is what gets passed to PAM, so it must match the IPA user name exactly.

Things to be considered
It is strongly recommended to have at least one user per organization (usually an “Organization Administrator”) plus the “RHN Satellite Administrator” without PAM authentication enabled. Even though redundancy is easy to implement with IPA, these local accounts are your fallback when the IPA environment is interrupted by maintenance or failure: with the PAM stack above, a PAM user whose credentials are not in the SSSD cache cannot log in at all while IPA is unreachable.

SSSD caches user credentials on the RHN Satellite system, but only for users who have logged in at least once while IPA was reachable, and only if cache_credentials is enabled for the domain (ipa-client-install turns it on). The default value for offline_credentials_expiration is 0, which means cached credentials never expire; depending on your organization's security policy you may want a limit. Check the [pam] section in /etc/sssd/sssd.conf.
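To see what the cache will actually do during an IPA outage, the following added example (not part of the original post) reads sssd.conf section by section and reports whether offline logins are possible for a domain and for how long. The function names, the `check` argument and the sample configuration written by write_sample_sssd_conf are this example's own constructions; the option names cache_credentials and offline_credentials_expiration are real SSSD settings.

```shell
#!/bin/sh
# Added example, not from the original post: reports what the SSSD credential
# cache on the Satellite will do when IPA is unreachable, by reading
# /etc/sssd/sssd.conf (or any file passed as $1).
set -e

# Print the value of key $3 in section [$2] of ini-style file $1, or nothing.
sssd_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*\[/ { sec = $0; gsub(/\[|\]|[ \t]/, "", sec); next }
        sec == want && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
                exit
            }
        }
    ' "$1"
}

# Offline logins work only if the domain caches credentials at all
# (cache_credentials defaults to false; ipa-client-install sets it to True) ...
cache_enabled() {
    v="$(sssd_get "$1" "$2" cache_credentials | tr 'A-Z' 'a-z')"
    [ "$v" = "true" ]
}

# ... and offline_credentials_expiration in [pam] bounds how long a cached
# credential stays valid after the last online login: 0 (the default) means never.
cache_policy() {
    domain="$2"
    if ! cache_enabled "$1" "domain/$domain"; then
        echo "no offline login: cache_credentials is not true for domain/$domain"
        return 0
    fi
    days="$(sssd_get "$1" pam offline_credentials_expiration)"
    days="${days:-0}"
    if [ "$days" -eq 0 ]; then
        echo "cached credentials never expire (offline_credentials_expiration = 0)"
    else
        echo "cached credentials expire $days days after the last online login"
    fi
}

# Constructed sample (not a real system's file): the shape ipa-client-install
# leaves behind, with a 7-day limit added to [pam].
write_sample_sssd_conf() {
    cat > "$1" <<'EOF'
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
cache_credentials = True

[pam]
offline_credentials_expiration = 7
EOF
}

if [ "${1:-}" = "check" ]; then
    cache_policy /etc/sssd/sssd.conf "$2"
fi
```

On the Satellite, `sh sssd-cache-check.sh check example.com` reads the live /etc/sssd/sssd.conf. Note that the lookup is section-aware on purpose: offline_credentials_expiration placed in the domain section instead of [pam] is silently ignored by SSSD, and this check would report "never expire" for exactly that mistake.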


SUSE Manager based on Fedora Spacewalk

SUSE announced the availability of SUSE Manager. Having a closer look at it, one recognizes that it is based on Fedora Spacewalk. It is a clone of Red Hat Satellite.

A few weeks ago I was puzzled to see a post on the spacewalk-devel mailing list: SUSE was contributing some code. What the heck? Now it is clear: they are using Spacewalk as the source for their own product. Spacewalk is no longer just the upstream of RHN Satellite, but also a major tool for managing SLES systems.

The open source way
It is good practice to share knowledge and code between different distributions. SUSE profits from the work Red Hat has done before, and Red Hat profits from the contributions of SUSE. IMHO this is the way open source software should work.

The price tag
SUSE claims “SUSE Manager allows you to save up to 50 percent for Linux support”. Really?

Let's have a look at How to buy. The price is exactly the same as for RHN Satellite: USD 13,500. Really the same price tag? Let's dig deeper into the features and click on Database support. One reads:

"SUSE Manager provides a built-in Oracle XE database, but can also leverage existing Oracle 10g or 11g databases, to locally store all data related to the managed Linux servers."

This means: with the free Oracle XE database delivered with SUSE Manager you can manage just a few systems. If you want to manage more systems, you need to buy a very expensive Oracle license, which at least doubles the price tag of SUSE Manager.

And Debian? There is some work going on; maybe I will write soon about Spacewalk and what it can do for and with Debian.

Conclusion
Because SUSE was not in a hurry to release its new product, I cannot understand why SUSE did not help the Spacewalk project get PostgreSQL production-ready before releasing it. This would give its customers (and the Spacewalk community) a real benefit.

I hope that SUSE will keep contributing code to Spacewalk; it is now in the interest of users of both distributions.

Have fun!

Some impressive figures about Spacewalk and my two cents

Today I saw an interesting post on the spacewalk-devel mailing list.

Lines of code
Spacewalk has 2,908,841 lines of code, created in an estimated 843 person-years. This means 843 developers would be needed to rewrite Spacewalk from scratch in one year! That's amazing.

Number of bugs fixed
As stated in the post, the Spacewalk team fixed 1012 bugs in the year 2010. Some 1061 bugs are still to be solved, so the Spacewalk team will not run out of work in 2011. See RHN Satellite bugs and Spacewalk bugs.

Contributions from outside Red Hat
96% of the contributions are from Red Hat people. Looks like my small contribution to the German translation is just about 0.0000001% ;-). Seriously: this should be improved. More people outside of Red Hat should contribute. How? A good way could be better support for Debian-based distributions as well as for SLES/openSUSE and other distributions. I think this would attract more Red Hat outsiders.

Another important thing: instead of mailing list posts, Fedora should release its advisories the way Red Hat does. This would enable people to have the errata in their Spacewalk servers, which would lead to more people in the Fedora community being interested in Spacewalk.

Communications
The IRC communication stats can be a bit problematic. Is it really necessary to log all IRC traffic? It was stated that 24.1% of messages were questions, and the mailing list post also disclosed who the most aggressive persons are, and so on. Privacy? For myself: I'm probably going to change my real-name nick to something else…

Missing numbers
It would be interesting to know how many people are subscribed to the spacewalk and spacewalk-devel mailing lists, and the number of posts to these lists.

Major achievements in 2010
This is just my point of view…

– PostgreSQL support has reached a point where it is ready for broad testing.
– spacewalk-repo-sync allows syncing directly from yum repositories.
– Staging of content
– Support for eliminating duplicate system profiles
– Performance improvements (felt, not measured)

Did I have fun this year?
I had a lot of fun with Spacewalk, for sure. I did not challenge Spacewalk with all the stuff that I need at work with the RHN Satellite.

Will I have fun in 2011?
With Spacewalk, of course; it is a cool project. If the Fedora project decides to publish Spacewalk-like errata, I'm pretty sure that France will have a problem producing the amount of Champagne needed. When it comes to the RHN Satellite: due to severe bugs, I can only manage RHEL6 systems with some workarounds, but I am confident that this will change soon.

In short: yes, I'll be having fun 🙂

Important RHN Satellite 5.4 bugs have been fixed

Red Hat recently released some bugfixes for RHN Satellite version 5.4. They needed approximately one month to develop a fix for those serious bugs.

If you upgraded to sat540 before those bugfixes were released, you will have a crippled database. The erratum provides a way to fix it. It takes some time, but it works perfectly. For “my” satellites it took about 48h in total: about 12h for the master and 36h for the slave satellite.

This time Red Hat's QA also did a good job; it is now working as expected. The developers had a hard time too; according to the git log they worked on weekends as well.

If you are new to sat540 or upgrading to it, please ensure that you do NOT take any action before applying the erratum!

Have fun! (This time REALLY for sure)