Scott Kaminski wrote:
Forgot to CC the mailing list on my original reply.

On Tue, Feb 9, 2010 at 2:40 PM, Scott Kaminski <scott.kamin...@gmail.com> wrote:

    On Tue, Feb 9, 2010 at 11:34 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

        Scott Kaminski wrote:

            I have a cactiEZ v0.6 server, and it's actually running
            CentOS 4.7.  I wanted to hook my cacti to my FreeIPA domain.
            I seem to have a number of issues I can't actually work out
            with this machine, and they appear to be related to HTTP
            Kerberos authentication.

            I seem to be able to authenticate to the machine locally
            using FreeIPA without any major issues. One thing I noticed
            that seems odd to me is that when I execute id as a user on
            the C5 machine I see all my group memberships; when I log in to
            the C4 machine and execute id I only see 1 group associated
            with my user account, and other user accounts have the same issue.

            I want to access the machine by host and IP.  I can
            authenticate via hostname without a problem. When I attempt
            to access the machine via IP it doesn't work.  I have a C5
            machine that doesn't have this problem: hostname or IP, I can
            authenticate.

            When I attempt to access via the IP, here is what shows in
            the apache logs:

            [Mon Feb 08 17:23:04 2010] [error] [client 192.168.169.194]
            krb5_sname_to_principal() failed: Cannot determine realm for
            numeric host address


        Does the IP resolve into a host name? I think that may be the
        problem.


    Keep in mind this is authentication via apache that is giving me
    problems at this point.  If I log in to the server via ssh I can do
    passwordless authentication from this machine to other servers and
    from other servers to this machine, assuming I have a valid krb ticket.

    Here is verification of the DNS entries just in case:
    [r...@ldap-6 log]# dig +short -x 172.16.2.36
    wtw-man6.quadrant.local.
    [r...@ldap-6 log]# dig +short wtw-man6.quadrant.local
    172.16.2.36

Does this same reverse lookup work on wtw-man6?

Have you tried setting the LogLevel to debug in Apache to see if you get more output? Note that mod_auth_kerb output is not always that useful in RHEL 4-based systems but we can always hope.

rob


    The client IP listed above is not part of the IPA domain, if that
    really matters.  To clarify: if I put
    https://wtw-man6.quadrant.local/scott in my browser I can successfully
    authenticate.  If I use https://172.16.2.36/scott I cannot
    authenticate, and I see the above log message in the apache error log.

    I just tried it now and here is what showed up in the krb5.log:

    Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7
    etypes {18 17 16 23 1 3 2}) 172.16.2.36:
    NEEDED_PREAUTH: sco...@quadrant.local for
    krbtgt/quadrant.lo...@quadrant.local, Additional pre-authentication
    required
    Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7
    etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE:
    authtime 1265754847, etypes {rep=18 tkt=18 ses=18},
    sco...@quadrant.local for krbtgt/quadrant.lo...@quadrant.local


    If I use wtw-man6.quadrant.local I see this instead in the krb log,
    which looks like a valid request/ticket issue process.

    Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7
    etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE:
    authtime 1265754894, etypes {rep=18 tkt=18 ses=18},
    sco...@quadrant.local for krbtgt/quadrant.lo...@quadrant.local
    Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ
    (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36:
    ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18},
    sco...@quadrant.local for HTTP/wtw-man6.quadrant.lo...@quadrant.local
    Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH:
    repeated (retransmitted?) request from 172.16.2.36, resending
    previous response
    Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7
    etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE:
    authtime 1265754894, etypes {rep=18 tkt=18 ses=18},
    sco...@quadrant.local for krbtgt/quadrant.lo...@quadrant.local
    Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ
    (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36:
    ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18},
    sco...@quadrant.local for HTTP/wtw-man6.quadrant.lo...@quadrant.local
    Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7
    etypes {18 17 16 23 1 3 2}) 172.16.2.36:
    NEEDED_PREAUTH: sco...@quadrant.local for
    krbtgt/quadrant.lo...@quadrant.local, Additional pre-authentication
    required
    Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7
    etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE:
    authtime 1265754895, etypes {rep=18 tkt=18 ses=18},
    sco...@quadrant.local for krbtgt/quadrant.lo...@quadrant.local
    Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ
    (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36:
    ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18},
    sco...@quadrant.local for HTTP/wtw-man6.quadrant.lo...@quadrant.local
    Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH:
    repeated (retransmitted?) request from 172.16.2.36, resending
    previous response
    Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH:
    repeated (retransmitted?) request from 172.16.2.36, resending
    previous response
    Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7
    etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE:
    authtime 1265754895, etypes {rep=18 tkt=18 ses=18},
    sco...@quadrant.local for krbtgt/quadrant.lo...@quadrant.local
    Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ
    (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36:
    ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18},
    sco...@quadrant.local for HTTP/wtw-man6.quadrant.lo...@quadrant.local
    Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7
    etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE:
    authtime 1265754895, etypes {rep=18 tkt=18 ses=18},
    sco...@quadrant.local for krbtgt/quadrant.lo...@quadrant.local
    Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ
    (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36:
    ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18},
    sco...@quadrant.local for HTTP/wtw-man6.quadrant.lo...@quadrant.local



            Here are the packages I installed:
            [r...@wtw-man6 conf]# rpm -qa | grep mod_auth
            mod_auth_kerb-5.0-1.3
            mod_authz_ldap-0.26-2.1

            Here is my apache auth configuration:
            <Location /scott>
              SSLRequireSSL
              AuthType Kerberos
              AuthName "Cacti login"

              KrbMethodNegotiate on
              KrbMethodK5Passwd on
              KrbServiceName HTTP

              KrbAuthRealms QUADRANT.LOCAL
              Krb5KeyTab /etc/httpd/conf/http.keytab
              KrbSaveCredentials on
              #KrbVerifyKDC off
              AuthLDAPUrl ldap://ldap.quadrant.local:389/dc=quadrant,dc=local?krbPrincipalName
              #require group cn=NetopsResources,cn=groups,cn=accounts,dc=quadrant,dc=local
              require valid-user
            </Location>

            C4 seems to be running an older version of mod_auth_kerb and
            apache when compared to C5. I suspect this is part of the
            issue, I'm sure.

            The other detail I'm having a problem with seems to be
            related to group membership. On the C4 machine the require
            group or require ldap-group doesn't seem to work at all.  I
            really don't mind this as much, but if anyone has any ideas
            I would love to hear what the solution is.


        What does it do/not do? You may need to watch the DS access log
        while doing an authentication so you can see the query being
        sent and how many entries (if any) are being returned.

        rob


            Thanks,


            _______________________________________________
            Freeipa-users mailing list
            Freeipa-users@redhat.com
            https://www.redhat.com/mailman/listinfo/freeipa-users
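
An added triage script for the symptoms in this thread (my own example, not code posted by either participant and not part of FreeIPA or mod_auth_kerb). It parses krb5kdc lines of the shape quoted above and separates the IP attempt, where the KDC only ever issues a krbtgt ticket, from the hostname attempt, where a TGS_REQ for HTTP/wtw-man6.quadrant.local follows; it also shows why a numeric host cannot be turned into a service principal (the krb5_sname_to_principal() error from the apache log) and automates the dig reverse/forward check. The sample log lines are constructed from the quoted excerpts, the masked principal is assumed to be scott@QUADRANT.LOCAL, the realm is assumed to be QUADRANT.LOCAL, and every function name is mine.

```python
"""Triage helpers: map a browser URL to the service principal mod_auth_kerb
needs, check PTR/A consistency, and read the krb5kdc log to see whether a
service ticket for HTTP/<fqdn> was ever issued."""
import ipaddress
import re
import socket
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed samples modelled on the krb5kdc excerpts quoted in the thread.
# The masked principal is written out as scott@QUADRANT.LOCAL (an assumption).
IP_ATTEMPT_LOG = """\
Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: scott@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL, Additional pre-authentication required
Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754847, etypes {rep=18 tkt=18 ses=18}, scott@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
"""

HOSTNAME_ATTEMPT_LOG = """\
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scott@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scott@QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
"""

# One AS_REQ/TGS_REQ line; DISPATCH and other messages deliberately do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \([^)]*\) (?P<client>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<user>[^\s,]+) for (?P<service>[^\s,]+)"
)

def parse_kdc_line(line):
    """Return the fields of one krb5kdc request line, or None for other lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def ticket_summary(log_text):
    """Per requesting address: TGTs issued and service principals granted.
    Only ISSUE lines count; NEEDED_PREAUTH is the normal first round trip."""
    summary = defaultdict(lambda: {"tgt_issued": 0, "services": []})
    for line in log_text.splitlines():
        rec = parse_kdc_line(line)
        if rec is None or rec["status"] != "ISSUE":
            continue
        entry = summary[rec["client"]]
        if rec["kind"] == "AS_REQ":
            entry["tgt_issued"] += 1
        else:
            entry["services"].append(rec["service"])
    return dict(summary)

def diagnose_client(log_text, client, service_prefix="HTTP/"):
    """Tell apart 'a TGT was obtained but nobody asked for the HTTP/ service
    ticket' (the IP attempt in the thread) from a complete exchange."""
    entry = ticket_summary(log_text).get(client)
    if entry is None:
        return "no KDC traffic from client"
    if any(s.startswith(service_prefix) for s in entry["services"]):
        return "service ticket issued"
    if entry["tgt_issued"]:
        return "TGT issued but no service ticket requested"
    return "no tickets issued"

def expected_service_principal(url, realm, service="HTTP"):
    """Return (principal, None) for a URL whose host is a name, or (None, error)
    when the host is a bare address: there is no realm to attach to a number,
    which is the krb5_sname_to_principal() failure seen in the apache log."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return f"{service}/{host}@{realm}", None
    return None, "Cannot determine realm for numeric host address"

def reverse_forward_consistent(ip, reverse=None, forward=None):
    """The dig check from the thread: the PTR for ip must name a host whose
    address records contain ip. Lookups are injectable so tests run offline;
    the defaults use the system resolver."""
    reverse = reverse or (lambda a: socket.gethostbyaddr(a)[0])
    forward = forward or (lambda h: socket.gethostbyname_ex(h)[2])
    try:
        name = reverse(ip)
        return name, ip in forward(name)
    except (OSError, KeyError):
        return None, False

if __name__ == "__main__":
    print(diagnose_client(IP_ATTEMPT_LOG, "172.16.2.36"))
    print(diagnose_client(HOSTNAME_ATTEMPT_LOG, "172.16.2.36"))
    print(expected_service_principal("https://172.16.2.36/scott", "QUADRANT.LOCAL"))
    print(reverse_forward_consistent("172.16.2.36"))
```

Run it as-is to see the two diagnoses on the constructed samples, or feed the text of a real krb5kdc.log to diagnose_client together with the web server's address. A result of "TGT issued but no service ticket requested" for the web server, alongside the "Cannot determine realm for numeric host address" line in the apache error log, is consistent with what the quoted excerpts show: the password round trip succeeds, but no ticket for HTTP/<host> is ever requested when the host is an address rather than a name, so mod_auth_kerb has nothing to verify against the keytab.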




