Scott Kaminski wrote:
I have a cactiEZ v0.6 server, and it's actually running CentOS 4.7. I
wanted to hook my Cacti to my FreeIPA domain. I seem to have a number of
issues I can't actually work out with this machine, and they appear to be
related to HTTP Kerberos authentication.
I seem to be able to authenticate to the machine locally using FreeIPA
without any major issues. One thing I noticed that seems odd to me is
that when I execute id as a user on the C5 machine I see all my group
memberships, but when I log in to the C4 machine and execute id I only see one
group associated with my user account, and other user accounts have the
same issue.
I want to access the machine by hostname and by IP. I can authenticate via
hostname without a problem. When I attempt to access the machine via IP,
it doesn't work. I have a C5 machine that doesn't have this problem:
by hostname or IP, I can authenticate.
When I attempt to access via the IP, here is what shows up in the Apache logs:
[Mon Feb 08 17:23:04 2010] [error] [client 192.168.169.194] krb5_sname_to_principal() failed: Cannot determine realm for numeric host address
Does the IP resolve into a host name? I think that may be the problem.
Here are the packages I installed:
[r...@wtw-man6 conf]# rpm -qa | grep mod_auth
mod_auth_kerb-5.0-1.3
mod_authz_ldap-0.26-2.1
Here is my Apache auth configuration:
<Location /scott>
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Cacti login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbServiceName HTTP
    KrbAuthRealms QUADRANT.LOCAL
    Krb5KeyTab /etc/httpd/conf/http.keytab
    KrbSaveCredentials on
    #KrbVerifyKDC off
    AuthLDAPUrl ldap://ldap.quadrant.local:389/dc=quadrant,dc=local?krbPrincipalName
    #require group cn=NetopsResources,cn=groups,cn=accounts,dc=quadrant,dc=local
    require valid-user
</Location>
C4 seems to be running an older version of mod_auth_kerb and Apache
when compared to C5. I suspect this is part of the issue, I'm sure.
The other detail I'm having a problem with seems to be related to group
membership. On the C4 machine, require group or require ldap-group
doesn't seem to work at all. I really don't mind this as much, but if
anyone has any ideas, I would love to hear what the solution is.
What does it do/not do? You may need to watch the DS access log while
doing an authentication so you can see the query being sent and how many
entries (if any) are being returned.
rob
Thanks,
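As an added illustration, not code from this thread or from mod_auth_kerb: a small Python check of the point Rob raises. It models how the module derives the HTTP/<host>@REALM service principal from the host the client typed (a simplified model; the real work is done by krb5_sname_to_principal()), reports the numeric-host case from the log above together with what a reverse lookup gives, and compares the derived principal against the entries in the keytab. The FQDN wtw-man6.quadrant.local and the klist output are constructed assumptions; only the realm and keytab path come from the posted configuration.

```python
import ipaddress
import re
import socket

REALM = "QUADRANT.LOCAL"  # from the posted KrbAuthRealms line

# Constructed sample of `klist -k /etc/httpd/conf/http.keytab` output;
# the FQDN wtw-man6.quadrant.local is an assumption, not from the thread.
SAMPLE_KLIST = """Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Principal
---- ---------------------------------------------------------
   2 HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL
   2 HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL
"""

def keytab_principals(klist_output):
    """Set of principals listed by `klist -k` (one entry per KVNO collapses)."""
    found = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            found.add(m.group(1))
    return found

def service_principal(host, realm=REALM):
    """Principal looked up for KrbServiceName HTTP, or None for a numeric
    host: an IP address cannot be mapped to a realm, hence the log error."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return "HTTP/%s@%s" % (host.lower().rstrip("."), realm)
    return None

def diagnose(host, klist_output, realm=REALM, reverse=socket.gethostbyaddr):
    """Say whether a request for `host` can authenticate against this keytab."""
    principal = service_principal(host, realm)
    if principal is None:
        try:
            name = reverse(host)[0]  # Rob's question: does the IP resolve?
        except OSError:
            return "FAIL: %s is numeric and has no PTR record" % host
        return ("FAIL: %s is numeric, so no realm can be determined; it "
                "resolves to %s, use https://%s/ instead" % (host, name, name))
    if principal not in keytab_principals(klist_output):
        return "FAIL: keytab has no entry for %s" % principal
    return "OK: keytab has %s" % principal
```

The same realm lookup happens in the client's Kerberos library when it builds the ticket request, so even with a PTR record the practical fix is to have clients use the FQDN rather than adding a principal for the address.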
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users