
Authenticate Spacewalk users with FreeIPA

A fresh Spacewalk installation usually stores user accounts and their permissions locally. For larger system landscapes with requirements such as single sign-on, this is not a practical solution.

Fortunately, Spacewalk and Red Hat Satellite 5 support authentication using FreeIPA and Red Hat Identity Management. Beginning with Spacewalk 2.3 and Red Hat Satellite 5.7, there is a utility called spacewalk-setup-ipa-authentication which fully automates the configuration of all participating components (SSSD, Apache, Tomcat, SELinux). Prior to those versions, the changes need to be made manually.


First of all, a Kerberos service specifying the Spacewalk server’s FQDN needs to be created. To do this, open the FreeIPA web interface and click Identity > Services > Add:

Creating a Kerberos service using the FreeIPA web interface

Alternatively, create the service from a registered system, using the ipa command with an administrator Kerberos ticket:

# kinit admin
# ipa service-add HTTP/spacewalk-fqdn

Afterwards, it is a good idea to create user groups in FreeIPA for the Spacewalk accounts and their required permissions. For this, click Identity > User Groups > Add. Spacewalk supports the following roles:

Administrative roles (system-wide)

  • Organisation administrator
  • Spacewalk administrator


  • Activation key administrator (per organisation)
  • Configuration administrator (client configuration files)
  • Channel administrator
  • System group administrator

In the next step, these FreeIPA groups are assigned to the appropriate roles inside Spacewalk. Depending on your use case, it might be a good idea to create multiple groups, e.g. a group for all Spacewalk-wide administrators:

Creating a user group using the FreeIPA web interface

Of course, there is also an ipa command for that:

# ipa group-add spacewalk-admins --desc "Spacewalk administrators"


The next step is to configure IPA authentication on the Spacewalk system:

# spacewalk-setup-ipa-authentication
Enabling authentication against [pinkepank.stankowic.loc].
Retrieving HTTP/ service keytab into [/etc/httpd/conf/http.keytab] ...
Keytab successfully retrieved and stored in: /etc/httpd/conf/http.keytab
changed ownership of `/etc/httpd/conf/http.keytab' to apache
Configuring PAM service [spacewalk].
Will install additional packages ...

** /etc/sssd/sssd.conf has been backed up to sssd.conf-swsave
Updated sssd configuration.
Turning SELinux boolean [httpd_dbus_sssd] on ...
        ... done.
Turning SELinux boolean [allow_httpd_mod_auth_pam] on ...
        ... done.
Configuring Apache modules.
** /etc/tomcat6/server.xml has been backed up to server.xml-swsave.ipa
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
Stopping tomcat6: [  OK  ]
Starting tomcat6: [  OK  ]
Stopping httpd: [  OK  ]
Starting httpd: httpd: [  OK  ]
Waiting for tomcat to be ready ...
Authentication against [pinkepank.stankowic.loc] sucessfully enabled.
As admin, at Admin > Users > External Authentication, select
          Default organization to autopopulate new users into.
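
Before testing a login, it is worth confirming that the state the tool reports is really in place. The following script is an added example, not part of the original post or of Spacewalk; the keytab path and SELinux boolean names are taken from the output above, while the requirement that the keytab has no group/other access and the PAM file location /etc/pam.d/spacewalk (the standard PAM service directory) are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify the state that spacewalk-setup-ipa-authentication reports.
KEYTAB=${KEYTAB:-/etc/httpd/conf/http.keytab}   # path from the tool output above

# keytab_ok FILE OWNER: regular file, owned by OWNER, no group/other access.
# The mode requirement is this example's assumption; the tool only reports the owner.
keytab_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c %U "$1")" = "$2" ] || return 1
    case "$(stat -c %a "$1")" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# keytab_lists_principal PRINC: reads `klist -k` output on stdin and succeeds
# if a key for PRINC@<any realm> is listed.
keytab_lists_principal() {
    awk -v p="$1@" 'index($2, p) == 1 { found = 1 } END { exit !found }'
}

# sebool_on NAME: reads `getsebool` output ("name --> on") on stdin.
sebool_on() {
    awk -v n="$1" '$1 == n && $3 == "on" { found = 1 } END { exit !found }'
}

# Run all checks on the Spacewalk server itself (needs root to read the keytab).
run_live_checks() {
    fqdn=$(hostname -f); rc=0
    keytab_ok "$KEYTAB" apache ||
        { echo "FAIL: $KEYTAB owner/mode"; rc=1; }
    klist -k "$KEYTAB" | keytab_lists_principal "HTTP/$fqdn" ||
        { echo "FAIL: no HTTP/$fqdn key in keytab"; rc=1; }
    for b in httpd_dbus_sssd allow_httpd_mod_auth_pam; do
        getsebool "$b" | sebool_on "$b" ||
            { echo "FAIL: SELinux boolean $b is off"; rc=1; }
    done
    [ -f /etc/pam.d/spacewalk ] ||
        { echo "FAIL: PAM service file /etc/pam.d/spacewalk missing"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: external authentication prerequisites in place"
    return "$rc"
}

# Only touch the live system when asked to: sh check.sh live
if [ "${1:-}" = "live" ]; then run_live_checks; fi
```

Run it as root on the Spacewalk server with the argument `live`; without an argument it only defines the functions.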

Afterwards, a default organization needs to be configured for FreeIPA users that have never logged in to Spacewalk. For this, open the Spacewalk web interface and click Admin > Users > External Authentication.

External FreeIPA authentication under Spacewalk

If organizations in Spacewalk match those defined in FreeIPA, check “Use organization unit name passed from IPA“. If names differ, it is possible to define a default organization next to “Default Organization“. Make sure to check “Keep temporary roles granted due to external authentication configuration” in any case as otherwise group memberships in FreeIPA won’t trigger permissions in Spacewalk.

Group and role memberships are defined in the Group Role Mapping pane:

Mapping FreeIPA groups to Spacewalk roles

Depending on the Spacewalk patch level it might be necessary to restart the service before authentication works:

# spacewalk-service restart

Spacewalk administrator authenticated using FreeIPA

5 Comments

  1. Narayan says:

    Christian Stankowic
    I have followed the above steps, but still I am not able to log in using IPA users in Spacewalk.
    Could you please help me out here?

    1. Christian says:

      Hi Narayan,

      which Spacewalk and FreeIPA versions are you using? Which Linux distributions are you running them on?

      Can you find any suspicious messages in the Spacewalk logs?

      Best wishes,

  2. Narayan says:

    Hi Christian
    I am using Spacewalk version 2.10, freshly installed, and IPA version 4.6.4.
    Linux distribution: CentOS Linux release 7.8.2003 (Core)

    From ssl_request_log
    PAM authentication failed for user narayan: Authentication failure, referer: https://server-Ip/rhn/

    For any user, either admin or narayan, this error is coming.

    admin is a Spacewalk administrator user able to log in, but the error is still showing for the admin user.

    Verified all configuration based on your post and also from
    No luck still..

    1. Christian says:

      Hi Narayan,

      Hard to say – haven’t used Spacewalk and FreeIPA for a long time, to be honest.

      In the meantime, the Spacewalk project also reached its EOL. But there is the Uyuni Project – a more modern fork of Spacewalk.

      If your problem is a bug, it is not going to be fixed in Spacewalk – but maybe it works in Uyuni.

      Best wishes,
