Forgot to CC the mailing list on my original reply.

On Tue, Feb 9, 2010 at 2:40 PM, Scott Kaminski <[email protected]> wrote:
> On Tue, Feb 9, 2010 at 11:34 AM, Rob Crittenden <[email protected]> wrote:
>> Scott Kaminski wrote:
>>> I have a cactiEZ v0.6 server, and it's actually running CentOS 4.7. I
>>> wanted to hook my cacti to my FreeIPA domain. I seem to have a number of
>>> issues I can't actually work out with this machine, and they appear to be
>>> related to HTTP Kerberos authentication.
>>>
>>> I seem to be able to authenticate to the machine locally using FreeIPA
>>> without any major issues. One thing I noticed that seems odd to me is that
>>> when I execute id as a user on the C5 machine I see all my group memberships;
>>> when I log in to the C4 machine and execute id I only see 1 group associated
>>> with my user account, and other user accounts have the same issue.
>>>
>>> I want to access the machine by host and IP. I can authenticate via
>>> hostname without a problem. When I attempt to access the machine via IP it
>>> doesn't work. I have a C5 machine that doesn't have this problem; hostname
>>> or IP, I can authenticate.
>>>
>>> When I attempt to access via the IP, here is what shows in the apache logs:
>>>
>>> [Mon Feb 08 17:23:04 2010] [error] [client 192.168.169.194] krb5_sname_to_principal() failed: Cannot determine realm for numeric host address
>>
>> Does the IP resolve into a host name? I think that may be the problem.
>
> Keep in mind this is authentication via apache that is giving me problems
> at this point. If I log in to the server via ssh I can do passwordless
> authentication from this machine to other servers and from other servers to
> this machine, assuming I have a valid krb ticket.
>
> Here is verification of the dns entries just in case:
> [r...@ldap-6 log]# dig +short -x 172.16.2.36
> wtw-man6.quadrant.local.
> [r...@ldap-6 log]# dig +short wtw-man6.quadrant.local
> 172.16.2.36
>
> The client IP listed above is not part of the IPA domain, if that really
> matters.
>
> To clarify, if I put in my browser
> https://wtw-man6.quadrant.local/scott
> I can successfully authenticate. If I do https://172.16.2.36/scott I
> cannot authenticate and I see the above log message in the apache error log.
>
> I just tried it now and here is what showed up in the krb5.log:
>
> Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: [email protected] krbtgt/[email protected], Additional pre-authentication required
> Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754847, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
>
> If I use wtw-man6.quadrant.local I see this instead in the krb log, which
> looks like a valid request/ticket issue process:
>
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, [email protected] for HTTP/[email protected]
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, [email protected] for HTTP/[email protected]
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: [email protected] krbtgt/[email protected], Additional pre-authentication required
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, [email protected] for HTTP/[email protected]
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, [email protected] for HTTP/[email protected]
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, [email protected] for HTTP/[email protected]
>
>>> Here are the packages I installed:
>>> [r...@wtw-man6 conf]# rpm -qa | grep mod_auth
>>> mod_auth_kerb-5.0-1.3
>>> mod_authz_ldap-0.26-2.1
>>>
>>> Here is my apache auth configuration:
>>> <Location /scott>
>>> SSLRequireSSL
>>> AuthType Kerberos
>>> AuthName "Cacti login"
>>>
>>> KrbMethodNegotiate on
>>> KrbMethodK5Passwd on
>>> KrbServiceName HTTP
>>>
>>> KrbAuthRealms QUADRANT.LOCAL
>>> Krb5KeyTab /etc/httpd/conf/http.keytab
>>> KrbSaveCredentials on
>>> #KrbVerifyKDC off
>>> AuthLDAPUrl ldap://ldap.quadrant.local:389/dc=quadrant,dc=local?krbPrincipalName
>>> #require group cn=NetopsResources,cn=groups,cn=accounts,dc=quadrant,dc=local
>>> require valid-user
>>> </Location>
>>>
>>> C4 seems to be running older versions of mod_auth_kerb and apache than
>>> C5. I suspect this is part of the issue, I'm sure.
>>>
>>> The other detail I'm having a problem with seems to be related to group
>>> membership. On the C4 machine the require group or require ldap-group
>>> doesn't seem to work at all. I really don't mind this as much, but if
>>> anyone has any ideas I would love to hear what the solution is.
>>
>> What does it do/not do? You may need to watch the DS access log while
>> doing an authentication so you can see the query being sent and how many
>> entries (if any) are being returned.
>>
>> rob
>>
>>> Thanks,
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
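Two things in the thread are worth being able to reproduce on a desk without a live realm: why a URL with a numeric host cannot be turned into an HTTP/fqdn@REALM service principal (the "Cannot determine realm for numeric host address" error), and how to tell from krb5kdc output whether a login attempt got as far as an HTTP/ service ticket (the hostname case above shows AS_REQ followed by TGS_REQ for HTTP/wtw-man6; the IP-URL case shows AS_REQ only). The script below is an added example and is not code from the thread, from FreeIPA or from mod_auth_kerb. Its reverse-DNS table, [domain_realm] map, the user principal alice@QUADRANT.LOCAL and the sample log lines are all constructed (shaped like the thread's output) so that it runs offline; the principal-derivation function is a model of the realm-mapping rule, not a call into libkrb5.

```python
"""Triage helpers for the symptoms discussed in this thread (added example,
not code from the thread, FreeIPA or mod_auth_kerb).  DNS, the
[domain_realm] map, the user principal and the log lines are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed stand-ins for reverse DNS and krb5.conf [domain_realm].
PTR_TABLE = {"172.16.2.36": "wtw-man6.quadrant.local"}
DOMAIN_REALM = {".quadrant.local": "QUADRANT.LOCAL"}


class RealmError(ValueError):
    """No realm can be derived for the requested host."""


def expected_service_principal(host, service="HTTP", rdns=False):
    """Model of how a server derives SERVICE/fqdn@REALM from the requested
    host.  With rdns=False a numeric address is never reverse-resolved, so
    it has no DNS domain to map to a realm: the failure class behind the
    thread's Apache error.  rdns=True shows the PTR-based alternative, which
    trusts whoever controls the reverse zone."""
    try:
        ipaddress.ip_address(host)
        numeric = True
    except ValueError:
        numeric = False
    if numeric:
        if not rdns or host not in PTR_TABLE:
            raise RealmError("Cannot determine realm for numeric host address")
        host = PTR_TABLE[host]
    host = host.rstrip(".").lower()
    for suffix, realm in DOMAIN_REALM.items():
        if host.endswith(suffix):
            return f"{service}/{host}@{realm}"
    raise RealmError(f"no [domain_realm] mapping for {host}")


def diagnose(host, rdns=False):
    """String form for quick checks: the principal, or the error text."""
    try:
        return expected_service_principal(host, rdns=rdns)
    except RealmError as exc:
        return f"error: {exc}"


# krb5kdc(info) fields.  Only AS_REQ/TGS_REQ lines are parsed; DISPATCH
# retransmit notices carry no ticket data and are skipped.
REC_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ)"
    r" \(\d+ etypes \{[^}]*\}\) (?P<client>[^\s:]+): (?P<status>[A-Z_]+):"
)
AUTHTIME_RE = re.compile(r"authtime (?P<authtime>\d+)")
TARGET_RE = re.compile(r" for (?P<target>\S+?)(?:,|$)")


def parse_kdc_log(text):
    """Return one dict per AS_REQ/TGS_REQ record found in the log text."""
    records = []
    for line in text.splitlines():
        m = REC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        at = AUTHTIME_RE.search(line)
        tg = TARGET_RE.search(line)
        rec["authtime"] = int(at.group("authtime")) if at else None
        rec["target"] = tg.group("target") if tg else ""
        records.append(rec)
    return records


def classify_attempts(records, service="HTTP/"):
    """Group ISSUE records by (client, authtime): a TGS_REQ carries the
    authtime of the TGT it was built on, so each pair is one login attempt.
    'service-ticket' = an HTTP/ ticket was issued; 'tgt-only' = only the
    AS_REQ succeeded, the shape of the thread's IP-URL attempt."""
    attempts = defaultdict(set)
    for r in records:
        if r["status"] != "ISSUE" or r["authtime"] is None:
            continue
        key = (r["client"], r["authtime"])
        if r["kind"] == "TGS_REQ" and r["target"].startswith(service):
            attempts[key].add("service")
        elif r["kind"] == "AS_REQ":
            attempts[key].add("tgt")
    return {key: ("service-ticket" if "service" in kinds else "tgt-only")
            for key, kinds in sorted(attempts.items())}


# Constructed log lines shaped like the thread's krb5kdc output.
SAMPLE_LOG = """\
Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: alice@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL, Additional pre-authentication required
Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754847, etypes {rep=18 tkt=18 ses=18}, alice@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, alice@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, alice@QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
"""

if __name__ == "__main__":
    for h in ("wtw-man6.quadrant.local", "172.16.2.36"):
        print(f"{h:28} -> {diagnose(h)}")
    for key, verdict in classify_attempts(parse_kdc_log(SAMPLE_LOG)).items():
        print(key, verdict)
```

Run it as-is to see the two derivations and the two attempts classified; to triage a real KDC log, pass its text to parse_kdc_log() and look for (client, authtime) pairs that never reach service-ticket. The rdns=True branch is there to make the trade-off visible: reverse lookup rescues the numeric-host case only by letting the reverse zone decide which principal the server is expected to present, which is why keeping clients on the canonical hostname (as the thread's working case does) is the cleaner fix.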
