I have a cactiEZ v0.6 server, and it's actually running CentOS4.7. I wanted to hook my cacti to my FreeIPA domain. I seem to have a number of issues I can't actually work out with this machine, and they appear to be related to HTTP kerberos authentication.
I seem to be able to authenticate to the machine locally using FreeIPA without any major issues. One thing that seems odd to me is that when I execute id as a user on a C5 machine I see all my group memberships, but when I log in to the C4 machine and execute id I only see 1 group associated with my user account, and other user accounts have the same issue.

I want to access the machine by host and IP. I can authenticate via hostname without a problem. When I attempt to access the machine via IP it doesn't work. I have a C5 machine that doesn't have this problem; by hostname or IP I can authenticate.

When I attempt to access via the IP, here is what shows in the apache logs:

    [Mon Feb 08 17:23:04 2010] [error] [client 192.168.169.194] krb5_sname_to_principal() failed: Cannot determine realm for numeric host address

Here are the packages I installed:

    [r...@wtw-man6 conf]# rpm -qa | grep mod_auth
    mod_auth_kerb-5.0-1.3
    mod_authz_ldap-0.26-2.1

Here is my apache auth configuration:

    <Location /scott>
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Cacti login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbServiceName HTTP
    KrbAuthRealms QUADRANT.LOCAL
    Krb5KeyTab /etc/httpd/conf/http.keytab
    KrbSaveCredentials on
    #KrbVerifyKDC off
    AuthLDAPUrl ldap://ldap.quadrant.local:389/dc=quadrant,dc=local?krbPrincipalName
    #require group cn=NetopsResources,cn=groups,cn=accounts,dc=quadrant,dc=local
    require valid-user
    </Location>

C4 seems to be running an older version of mod_auth_kerb and apache when compared to C5. I suspect this is part of the issue, I'm sure.

The other detail I'm having a problem with seems to be related to group membership. On the C4 machine the require group or require ldap-group doesn't seem to work at all. I really don't mind this as much, but if anyone has any ideas I would love to hear what the solution is.

Thanks,