Scott Kaminski wrote:
I have a cactiEZ v0.6 server, and it's actually running CentOS 4.7. I wanted to hook my cacti to my FreeIPA domain. I seem to have a number of issues I can't actually work out with this machine, and they appear to be related to HTTP Kerberos authentication.

I seem to be able to authenticate to the machine locally using FreeIPA without any major issues. One thing I noticed that seems odd to me is that when I execute id as a user on the C5 machine I see all my group memberships; when I log in to the C4 machine and execute id I only see 1 group associated with my user account, and other user accounts have the same issue.

I want to access the machine by host and IP. I can authenticate via hostname without a problem. When I attempt to access the machine via IP it doesn't work. I have a C5 machine that doesn't have this problem; hostname or IP, I can authenticate.

When I attempt to access via the IP, here is what shows in the Apache logs:

[Mon Feb 08 17:23:04 2010] [error] [client] krb5_sname_to_principal() failed: Cannot determine realm for numeric host address

Does the IP resolve into a host name? I think that may be the problem.

Here are the packages I installed:
[r...@wtw-man6 conf]# rpm -qa | grep mod_auth

Here is my Apache auth configuration:
<Location /scott>
   AuthType Kerberos
   AuthName "Cacti login"

   KrbMethodNegotiate on
   KrbMethodK5Passwd on
   KrbServiceName HTTP

   Krb5KeyTab /etc/httpd/conf/http.keytab
   KrbSaveCredentials on
   #KrbVerifyKDC off
   AuthLDAPUrl ldap://ldap.quadrant.local:389/dc=quadrant,dc=local?krbPrincipalName
   #require group cn=NetopsResources,cn=groups,cn=accounts,dc=quadrant,dc=local
   require valid-user
</Location>

C4 seems to be running an older version of mod_auth_kerb and Apache when compared to C5. I suspect this is part of the issue, I'm sure.

The other detail I'm having a problem with seems to be related to group membership. On the C4 machine, require group or require ldap-group doesn't seem to work at all. I really don't mind this as much, but if anyone has any ideas I would love to hear what the solution is.

What does it do/not do? You may need to watch the DS access log while doing an authentication so you can see the query being sent and how many entries (if any) are being returned.
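A small model of the failure the log line above reports, added here as an example; it is not code from the thread, from mod_auth_kerb or from MIT krb5. It shows why a request that arrives with an IP literal in the Host header cannot be turned into an HTTP/host@REALM service principal unless reverse DNS maps the address to a name first, and it includes a check that pulls these failures out of Apache error_log lines so an admin can tell whether users are hitting the server by IP. The realm QUADRANT.LOCAL, the [domain_realm] mapping, the PTR table, the 192.0.2.x addresses and all log lines other than the one from the thread are constructed assumptions.

```python
"""Simplified model of krb5_sname_to_principal() realm lookup for mod_auth_kerb,
plus a check over Apache error_log lines.

Added example, not code from the thread, mod_auth_kerb or MIT krb5.  Realm,
[domain_realm] mapping, PTR records and extra log lines are constructed.
"""
import ipaddress
import re

# Constructed stand-in for the [domain_realm] section of krb5.conf.
# Keys starting with "." match any host under that domain.
DOMAIN_REALM = {
    ".quadrant.local": "QUADRANT.LOCAL",
    "quadrant.local": "QUADRANT.LOCAL",
}

# Constructed stand-in for reverse DNS (PTR) records.  Passing an empty dict
# models an address with no PTR record, which is the failing case in the thread.
PTR_RECORDS = {"192.0.2.10": "wtw-man6.quadrant.local"}


def is_numeric_host(host):
    """True when the HTTP Host header carried an IP literal instead of a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def realm_for_host(host, domain_realm=DOMAIN_REALM):
    """Map a host name to a realm the way the krb5 [domain_realm] lookup does:
    exact host name first, then successively shorter parent domains."""
    name = host.lower().rstrip(".")
    if name in domain_realm:
        return domain_realm[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return None


def service_principal(service, host, ptr_records=PTR_RECORDS, domain_realm=DOMAIN_REALM):
    """Build service/host@REALM as a simplified krb5_sname_to_principal() would.

    A numeric host has to be resolved to a name via reverse DNS before any
    realm mapping can apply; with no PTR record there is nothing to map, which
    is the 'Cannot determine realm for numeric host address' error in the log.
    """
    if is_numeric_host(host):
        try:
            host = ptr_records[host.strip("[]")]
        except KeyError:
            raise ValueError("Cannot determine realm for numeric host address") from None
    name = host.lower().rstrip(".")
    realm = realm_for_host(name, domain_realm)
    if realm is None:
        raise ValueError("no [domain_realm] mapping for %s" % name)
    return "%s/%s@%s" % (service, name, realm)


# Apache 2.0/2.2 error_log layout; the [client] field may or may not carry an address.
APACHE_ERROR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client(?: (?P<client>[^\]]+))?\] (?P<msg>.*)$"
)
NUMERIC_REALM_MSG = "Cannot determine realm for numeric host address"


def numeric_realm_failures(log_lines):
    """Return (timestamp, client) for every numeric-realm failure in the log."""
    hits = []
    for line in log_lines:
        m = APACHE_ERROR_RE.match(line)
        if m and NUMERIC_REALM_MSG in m.group("msg"):
            hits.append((m.group("ts"), m.group("client") or "unknown"))
    return hits


# First line is the one quoted in the thread; the other two are constructed.
SAMPLE_LOG = [
    "[Mon Feb 08 17:23:04 2010] [error] [client] krb5_sname_to_principal() failed: Cannot determine realm for numeric host address",
    "[Mon Feb 08 17:23:09 2010] [error] [client 192.0.2.55] krb5_sname_to_principal() failed: Cannot determine realm for numeric host address",
    "[Mon Feb 08 17:24:00 2010] [notice] caught SIGTERM, shutting down",
]

if __name__ == "__main__":
    print(service_principal("HTTP", "wtw-man6.quadrant.local"))
    print(service_principal("HTTP", "192.0.2.10"))          # works: PTR record present
    try:
        service_principal("HTTP", "192.0.2.10", ptr_records={})  # no PTR: the thread's error
    except ValueError as exc:
        print("failed as in the log:", exc)
    for ts, client in numeric_realm_failures(SAMPLE_LOG):
        print("numeric-host failure at %s from %s" % (ts, client))
```

The model is deliberately narrow: real krb5 also consults DNS TXT records and `dns_lookup_realm`, and newer releases handle canonicalisation differently, but the dependency it shows is the one the reply asks about: an address that does not reverse-resolve to a name in a mapped domain can never produce a usable HTTP/ principal, whichever mod_auth_kerb version is installed.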