I have a cactiEZ v0.6 server, and it's actually running CentOS4.7.  I wanted
to hook my cacti to my FreeIPA domain. I seem to have a number of issues I
can't actually work out with this machine and they appear to be related to
HTTP Kerberos authentication.

I seem to be able to authenticate to the machine locally using FreeIPA
without any major issues. One thing I noticed that seems odd to me is that
when I execute id as a user on the C5 machine I see all my group memberships,
but when I log in to the C4 machine and execute id I only see 1 group associated
with my user account, and other user accounts have the same issue.

I want to access the machine by host and IP.  I can authenticate via
hostname without a problem. When I attempt to access the machine via IP it
doesn't work.  I have a C5 machine that doesn't have this problem; by hostname
or IP I can authenticate.

When I attempt to access via the IP, here is what shows in the Apache logs:

[Mon Feb 08 17:23:04 2010] [error] [client]
krb5_sname_to_principal() failed: Cannot determine realm for numeric host

Here are the packages I installed:
[r...@wtw-man6 conf]# rpm -qa | grep mod_auth

Here is my Apache auth configuration:
<Location /scott>
   AuthType Kerberos
   AuthName "Cacti login"

   KrbMethodNegotiate on
   KrbMethodK5Passwd on
   KrbServiceName HTTP

   Krb5KeyTab /etc/httpd/conf/http.keytab
   KrbSaveCredentials on
   #KrbVerifyKDC off
   #require group
   require valid-user
</Location>

C4 seems to be running an older version of mod_auth_kerb and Apache
when compared to C5. I suspect this is part of the issue, I'm sure.

The other detail I'm having a problem with seems to be related to group
membership. On the C4 machine the require group or require ldap-group
doesn't seem to work at all.  I really don't mind this as much, but if
anyone has any ideas I would love to hear what the solution is.

Freeipa-users mailing list
