
Re: [Freeipa-users] FreeIPA with C4 http authentication



Forgot to CC the mailing list on my original reply.

On Tue, Feb 9, 2010 at 2:40 PM, Scott Kaminski <scott.kaminski@gmail.com> wrote:


On Tue, Feb 9, 2010 at 11:34 AM, Rob Crittenden <rcritten@redhat.com> wrote:
Scott Kaminski wrote:
I have a cactiEZ v0.6 server, and it's actually running CentOS 4.7. I wanted to hook my Cacti to my FreeIPA domain. I seem to have a number of issues I can't actually work out with this machine, and they appear to be related to HTTP Kerberos authentication.

I seem to be able to authenticate to the machine locally using FreeIPA without any major issues. One thing that seems odd to me is that when I execute id as a user on a C5 machine I see all my group memberships, but when I log in to the C4 machine and execute id I only see 1 group associated with my user account, and other user accounts have the same issue.

I want to access the machine by host and IP. I can authenticate via hostname without a problem. When I attempt to access the machine via IP it doesn't work. I have a C5 machine that doesn't have this problem: hostname or IP, I can authenticate.

When I attempt to access via the IP, here is what shows in the Apache logs:

[Mon Feb 08 17:23:04 2010] [error] [client 192.168.169.194] krb5_sname_to_principal() failed: Cannot determine realm for numeric host address

Does the IP resolve into a host name? I think that may be the problem.


Keep in mind this is authentication via Apache that is giving me problems at this point. If I log in to the server via ssh I can do passwordless authentication from this machine to other servers and from other servers to this machine, assuming I have a valid krb ticket.

Here is verification of the DNS entries just in case:
[root@ldap-6 log]# dig +short -x 172.16.2.36
wtw-man6.quadrant.local.
[root@ldap-6 log]# dig +short wtw-man6.quadrant.local
172.16.2.36

The client IP listed above is not part of the IPA domain, if that really matters. To clarify: if I put https://wtw-man6.quadrant.local/scott in my browser I can successfully authenticate. If I do https://172.16.2.36/scott I cannot authenticate, and I see the above log message in the Apache error log.

I just tried it now, and here is what showed up in the krb5.log:

Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL, Additional pre-authentication required
Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754847, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL


If I use wtw-man6.quadrant.local I see this instead in the krb log, which looks like a valid request/ticket issue process:

Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL
Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL, Additional pre-authentication required
Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL
Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL
Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL


Here are the packages I installed:
[root@wtw-man6 conf]# rpm -qa | grep mod_auth
mod_auth_kerb-5.0-1.3
mod_authz_ldap-0.26-2.1

Here is my apache auth configuration:
<Location /scott>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Cacti login"

  KrbMethodNegotiate on
  KrbMethodK5Passwd on
  KrbServiceName HTTP

  KrbAuthRealms QUADRANT.LOCAL
  Krb5KeyTab /etc/httpd/conf/http.keytab
  KrbSaveCredentials on
  #KrbVerifyKDC off
  AuthLDAPUrl ldap://ldap.quadrant.local:389/dc=quadrant,dc=local?krbPrincipalName
  #require group cn=NetopsResources,cn=groups,cn=accounts,dc=quadrant,dc=local
  require valid-user
</Location>

C4 seems to be running an older version of mod_auth_kerb and Apache compared to C5. I suspect this is part of the issue, I'm sure.

The other detail I'm having a problem with seems to be related to group membership. On the C4 machine the require group or require ldap-group doesn't seem to work at all. I really don't mind this as much, but if anyone has any ideas I would love to hear what the solution is.

What does it do/not do? You may need to watch the DS access log while doing an authentication so you can see the query being sent and how many entries (if any) are being returned.

rob


Thanks,

