Scott Kaminski wrote:
Forgot to CC the mailing list on my original reply.
On Tue, Feb 9, 2010 at 2:40 PM, Scott Kaminski <[email protected]> wrote:
On Tue, Feb 9, 2010 at 11:34 AM, Rob Crittenden <[email protected]> wrote:
Scott Kaminski wrote:
I have a cactiEZ v0.6 server, and it's actually running
CentOS 4.7. I wanted to hook my cacti to my FreeIPA domain.
I seem to have a number of issues I can't actually work out
with this machine and they appear to be related to HTTP
kerberos authentication.
I seem to be able to authenticate to the machine locally
using FreeIPA without any major issues. One thing I noticed
that seems odd to me is that when I execute id as a user on
the C5 machine I see all my group memberships, but when I login to
the C4 machine and execute id I only see 1 group associated
with my user account, and other user accounts have the same issue.
I want to access the machine by host and IP. I can
authenticate via hostname without a problem. When I attempt
to access the machine via IP it doesn't work. I have a C5
machine that doesn't have this problem; hostname or IP, I can
authenticate.
When I attempt to access via the IP, here is what shows in
the apache logs:
[Mon Feb 08 17:23:04 2010] [error] [client 192.168.169.194] krb5_sname_to_principal() failed: Cannot determine realm for numeric host address
Does the IP resolve into a host name? I think that may be the
problem.
Keep in mind this is authentication via apache that is giving me
problems at this point. If I login to the server via ssh I can do
passwordless authentication from this machine to other servers and
from other servers to this machine, assuming I have a valid krb ticket.
Here is verification of the dns entries just in case:
[r...@ldap-6 log]# dig +short -x 172.16.2.36
wtw-man6.quadrant.local.
[r...@ldap-6 log]# dig +short wtw-man6.quadrant.local
172.16.2.36
Does this same reverse lookup work on wtw-man6?
Have you tried setting the LogLevel to debug in Apache to see if you get
more output? Note that mod_auth_kerb output is not always that useful in
RHEL 4-based systems but we can always hope.
rob
The client IP listed above is not part of the IPA domain, if that
really matters. To clarify: if I put
https://wtw-man6.quadrant.local/scott in my browser I can successfully
authenticate. If I do https://172.16.2.36/scott I cannot
authenticate and I see the above log message in the apache error log.
I just tried it now and here is what showed up in the krb5.log:
Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754847, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
If I use wtw-man6.quadrant.local I see this instead in the krb log,
which looks like a valid request/ticket issue process.
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, [email protected] for HTTP/[email protected]
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, [email protected] for HTTP/[email protected]
Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, [email protected] for HTTP/[email protected]
Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, [email protected] for HTTP/[email protected]
Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, [email protected] for HTTP/[email protected]
Here are the packages I installed:
[r...@wtw-man6 conf]# rpm -qa | grep mod_auth
mod_auth_kerb-5.0-1.3
mod_authz_ldap-0.26-2.1
Here is my apache auth configuration:
<Location /scott>
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Cacti login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbServiceName HTTP
    KrbAuthRealms QUADRANT.LOCAL
    Krb5KeyTab /etc/httpd/conf/http.keytab
    KrbSaveCredentials on
    #KrbVerifyKDC off
    AuthLDAPUrl ldap://ldap.quadrant.local:389/dc=quadrant,dc=local?krbPrincipalName
    #require group cn=NetopsResources,cn=groups,cn=accounts,dc=quadrant,dc=local
    require valid-user
</Location>
C4 seems to be running an older version of
mod_auth_kerb and apache when compared to C5. I suspect
this is part of the issue, I'm sure.
The other detail I'm having a problem with seems to be
related to group membership. On the C4 machine the require
group or require ldap-group doesn't seem to work at all. I
really don't mind this as much, but if anyone has any ideas
I would love to hear what the solution is.
What does it do/not do? You may need to watch the DS access log
while doing an authentication so you can see the query being
sent and how many entries (if any) are being returned.
rob
Thanks,
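The two things this thread is actually comparing can be checked mechanically. Below is an added example (my own code, not from the thread, FreeIPA or mod_auth_kerb) that does both: it builds the HTTP service principal the way a Kerberos client must, which is where a bare IP address in the URL fails with exactly the "Cannot determine realm for numeric host address" message quoted above, and it parses krb5kdc log lines to tell whether a login got as far as a service ticket for HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL (the hostname attempt) or stopped at the TGT (the IP attempt). The sample log lines are constructed copies of the ones quoted in the thread with a placeholder user principal, and the principal-building function is a simplified stand-in for krb5_sname_to_principal(), which additionally may canonicalise the name through DNS.

```python
"""Added example: derive the HTTP service principal for a request host and
classify krb5kdc log output. Not code from the thread or from mod_auth_kerb."""
import ipaddress
import re

REALM = "QUADRANT.LOCAL"          # realm named in the thread
HOST = "wtw-man6.quadrant.local"  # web server named in the thread

NUMERIC_HOST_ERROR = ("krb5_sname_to_principal() failed: "
                      "Cannot determine realm for numeric host address")


def service_principal(host: str, realm: str, service: str = "HTTP") -> str:
    """Build service/host@REALM for the host part of a URL.

    Simplified stand-in for krb5_sname_to_principal(): the real call may
    also canonicalise the name via DNS (the rdns setting in krb5.conf);
    that step is deliberately skipped here. An IP literal has no hostname
    to build a principal from, so it is rejected with mod_auth_kerb's
    own error text.
    """
    bare = host.strip("[]")  # tolerate a bracketed IPv6 literal
    try:
        ipaddress.ip_address(bare)
    except ValueError:
        pass  # not an address: treat it as a hostname
    else:
        raise ValueError(NUMERIC_HOST_ERROR)
    return f"{service}/{host.lower().rstrip('.')}@{realm}"


def explain_host(host: str, realm: str) -> str:
    """Return the principal, or the diagnostic Apache would log instead."""
    try:
        return service_principal(host, realm)
    except ValueError as exc:
        return str(exc)


# One krb5kdc AS_REQ/TGS_REQ line; DISPATCH lines deliberately do not match.
KDC_LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ) .*?\) (?P<client_ip>\S+): "
    r"(?P<status>ISSUE|NEEDED_PREAUTH): .*?"
    r"(?P<client>[^\s,]+@[^\s,]+) for (?P<service>[^\s,]+@[^\s,]+)"
)


def ticket_issues(log_text: str):
    """Yield (kind, client, service) for every ISSUE line in krb5kdc output."""
    for line in log_text.splitlines():
        m = KDC_LINE.search(line)
        if m and m["status"] == "ISSUE":
            yield m["kind"], m["client"], m["service"]


def http_ticket_issued(log_text: str, host: str, realm: str) -> bool:
    """True if the KDC issued a service ticket for HTTP/host@realm."""
    wanted = f"HTTP/{host}@{realm}"
    return any(kind == "TGS_REQ" and service == wanted
               for kind, _, service in ticket_issues(log_text))


def login_stage(log_text: str, host: str, realm: str) -> str:
    """Classify how far a login got: 'no ticket', 'TGT only' or 'service ticket'."""
    if http_ticket_issued(log_text, host, realm):
        return "service ticket"
    if any(kind == "AS_REQ" for kind, _, _ in ticket_issues(log_text)):
        return "TGT only"
    return "no ticket"


# Constructed sample lines modelled on the thread's krb5kdc output; the user
# principal is a placeholder, not the original poster's.
KDC_LOG_IP_URL = """\
Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: user@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL, Additional pre-authentication required
Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754847, etypes {rep=18 tkt=18 ses=18}, user@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
"""

KDC_LOG_HOSTNAME_URL = """\
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, user@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, user@QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
"""

if __name__ == "__main__":
    for url_host in (HOST, "172.16.2.36"):
        print(f"{url_host:>28}: {explain_host(url_host, REALM)}")
    print("IP URL      :", login_stage(KDC_LOG_IP_URL, HOST, REALM))
    print("hostname URL:", login_stage(KDC_LOG_HOSTNAME_URL, HOST, REALM))
```

The classification matches what the thread shows: both attempts reach an AS_REQ ISSUE for krbtgt (the password step works), but only the hostname URL is followed by a TGS_REQ ISSUE for HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL. Whatever is fixed on the C4 side, a URL with a numeric host will never produce that service ticket, so the usable fix is to always reach the server by a name that matches its HTTP/ keytab entry rather than by address.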
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users