[Freeipa-users] FreeIPA with C4 http authentication
Rob Crittenden
rcritten at redhat.com
Wed Feb 10 04:11:13 UTC 2010
Scott Kaminski wrote:
> Forgot to CC the mailing list on my original reply.
>
> On Tue, Feb 9, 2010 at 2:40 PM, Scott Kaminski <scott.kaminski at gmail.com> wrote:
>
> On Tue, Feb 9, 2010 at 11:34 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Scott Kaminski wrote:
>
> I have a cactiEZ v0.6 server, and it's actually running
> CentOS 4.7. I wanted to hook my cacti to my FreeIPA domain.
> I seem to have a number of issues I can't actually work out
> with this machine, and they appear to be related to HTTP
> Kerberos authentication.
>
> I seem to be able to authenticate to the machine locally
> using FreeIPA without any major issues. One thing I noticed
> that seems odd to me is that when I execute id as a user on the
> C5 machine I see all my group memberships, but when I log in to
> the C4 machine and execute id I only see 1 group associated
> with my user account, and other user accounts have the same issue.
>
> I want to access the machine by host and IP. I can
> authenticate via hostname without a problem. When I attempt
> to access the machine via IP it doesn't work. I have a C5
> machine that doesn't have this problem; hostname or IP, I can
> authenticate.
>
> When I attempt to access via the ip here is what shows in
> the apache logs:
>
> [Mon Feb 08 17:23:04 2010] [error] [client 192.168.169.194] krb5_sname_to_principal() failed: Cannot determine realm for numeric host address
>
>
> Does the IP resolve into a host name? I think that may be the
> problem.
>
>
> Keep in mind this is authentication via Apache that is giving me
> problems at this point. If I log in to the server via ssh I can do
> passwordless authentication from this machine to other servers and
> from other servers to this machine, assuming I have a valid krb ticket.
>
> Here is verification of the DNS entries just in case:
> [root@ldap-6 log]# dig +short -x 172.16.2.36
> wtw-man6.quadrant.local.
> [root@ldap-6 log]# dig +short wtw-man6.quadrant.local
> 172.16.2.36
Does this same reverse lookup work on wtw-man6?
Have you tried setting the LogLevel to debug in Apache to see if you get
more output? Note that mod_auth_kerb output is not always that useful in
RHEL 4-based systems but we can always hope.
rob
>
> The client IP listed above is not part of the IPA domain, if that
> really matters. To clarify: if I put
> https://wtw-man6.quadrant.local/scott in my browser I can successfully
> authenticate. If I do https://172.16.2.36/scott I cannot
> authenticate, and I see the above log message in the Apache error log.
>
> I just tried it now and here is what showed up in the krb5.log
>
> Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL, Additional pre-authentication required
> Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754847, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
>
>
> If I use wtw-man6.quadrant.local I see this instead in the krb log,
> which looks like a valid request/ticket issue process.
>
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL, Additional pre-authentication required
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL
>
> Here are the packages I installed:
> [root@wtw-man6 conf]# rpm -qa | grep mod_auth
> mod_auth_kerb-5.0-1.3
> mod_authz_ldap-0.26-2.1
>
> Here is my Apache auth configuration:
> <Location /scott>
>     SSLRequireSSL
>     AuthType Kerberos
>     AuthName "Cacti login"
>
>     KrbMethodNegotiate on
>     KrbMethodK5Passwd on
>     KrbServiceName HTTP
>
>     KrbAuthRealms QUADRANT.LOCAL
>     Krb5KeyTab /etc/httpd/conf/http.keytab
>     KrbSaveCredentials on
>     #KrbVerifyKDC off
>     AuthLDAPUrl ldap://ldap.quadrant.local:389/dc=quadrant,dc=local?krbPrincipalName
>     #require group cn=NetopsResources,cn=groups,cn=accounts,dc=quadrant,dc=local
>     require valid-user
> </Location>
>
> C4 seems to be running an older version of
> mod_auth_kerb and Apache when compared to C5. I suspect
> this is part of the issue, I'm sure.
>
> The other detail I'm having a problem with seems to be
> related to group membership. On the C4 machine the require
> group or require ldap-group doesn't seem to work at all. I
> really don't mind this as much, but if anyone has any ideas
> I would love to hear what the solution is.
>
>
> What does it do/not do? You may need to watch the DS access log
> while doing an authentication so you can see the query being
> sent and how many entries (if any) are being returned.
>
> rob
>
>
> Thanks,
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
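An added example, not code from the thread or from mod_auth_kerb or FreeIPA, that models the two things the quoted logs show. First, how the Kerberos library turns a request host into HTTP/host@REALM: a DNS name is mapped through [domain_realm] (a constructed krb5.conf here; the suffix-matching rules and the default_realm fallback are a simplification of MIT krb5 and leave out DNS TXT realm lookups), while a numeric address is refused with the same error text the Apache error log above reports. Second, what the KDC log looks like in each case: a TGS_REQ for HTTP/wtw-man6.quadrant.local shows up only when the hostname URL is used; for the IP URL the log stops at the AS_REQ (the password was verified) because a service principal could never be built. The log lines below are constructed to match the quoted format, and the reading that the client address 172.16.2.36 is Apache itself (KrbMethodK5Passwd with KDC verification) rather than the browser is an assumption.

```python
"""Added example (not code from the thread, mod_auth_kerb or FreeIPA): derive the
HTTP service principal for a request host the way the Kerberos library does, then
check a KDC log excerpt for the matching service-ticket request."""
import ipaddress
import re
from collections import defaultdict

# Constructed krb5.conf fragment (assumed; the thread only names QUADRANT.LOCAL).
KRB5_CONF = """
[libdefaults]
 default_realm = QUADRANT.LOCAL
[domain_realm]
 .quadrant.local = QUADRANT.LOCAL
 quadrant.local = QUADRANT.LOCAL
"""


def parse_krb5_conf(text):
    """Return (default_realm, {host_or_domain: REALM}) from a minimal krb5.conf."""
    section, default_realm, domain_realm = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default_realm = value
            elif section == "domain_realm":
                domain_realm[key.lower()] = value
    return default_realm, domain_realm


def is_numeric_host(host):
    """True for an IPv4/IPv6 literal (brackets allowed), False for a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def host_realm(host, default_realm, domain_realm):
    """Mirror krb5_get_host_realm(): exact host, then parent-domain suffixes, then
    default_realm. A numeric address has no realm, which is the error the quoted
    Apache log reports. (Simplified: DNS TXT realm lookups are left out.)"""
    if is_numeric_host(host):
        raise ValueError("Cannot determine realm for numeric host address")
    name = host.lower().rstrip(".")
    if name in domain_realm:
        return domain_realm[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    if default_realm is None:
        raise ValueError(f"no realm mapping for {host}")
    return default_realm


def service_principal(service, host, default_realm, domain_realm):
    """service/host@REALM: the principal mod_auth_kerb must find in its keytab."""
    return f"{service}/{host.lower().rstrip('.')}@{host_realm(host, default_realm, domain_realm)}"


DEFAULT_REALM, DOMAIN_REALM = parse_krb5_conf(KRB5_CONF)

# Constructed krb5kdc lines in the shape of those quoted in the thread. The client
# address is the web server itself (assumed reading: with KrbMethodK5Passwd and
# KDC verification it is Apache, not the browser, that talks to the KDC).
KDC_LOG = """\
Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL, Additional pre-authentication required
Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754847, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \([^)]*\) (?P<client>[\d.]+): (?P<status>\w+): "
    r".*?(?P<principal>\S+@\S+) for (?P<service>\S+?)(?:,|$)"
)


def summarize_kdc_log(text):
    """{client_ip: [(kind, status, service_principal), ...]}; DISPATCH lines are skipped."""
    summary = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            summary[m["client"]].append((m["kind"], m["status"], m["service"]))
    return dict(summary)


def service_ticket_issued(text, client, spn):
    """True if the KDC issued `spn` to `client` via TGS_REQ. An AS_REQ alone means
    the password was verified but no service ticket was ever asked for."""
    return any(kind == "TGS_REQ" and status == "ISSUE" and service == spn
               for kind, status, service in summarize_kdc_log(text).get(client, []))


if __name__ == "__main__":
    for host in ("wtw-man6.quadrant.local", "172.16.2.36"):
        try:
            spn = service_principal("HTTP", host, DEFAULT_REALM, DOMAIN_REALM)
            print(host, "->", spn, "issued:", service_ticket_issued(KDC_LOG, "172.16.2.36", spn))
        except ValueError as err:
            print(host, "->", err)
```

Run stand-alone, the hostname case resolves to HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL with a matching TGS_REQ in the log, and the IP case raises the numeric-host error before any principal exists. The practical consequence is the one the thread already observes: serve the site under the name that resolves in both directions and that the keytab holds an HTTP/ entry for. Whether a given mod_auth_kerb version derives the host from the Host header or from the configured ServerName (UseCanonicalName) is not something the thread states, so check that on the C4 box rather than assuming it.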