[Freeipa-users] FreeIPA with C4 http authentication

Rob Crittenden rcritten at redhat.com
Wed Feb 10 04:11:13 UTC 2010


Scott Kaminski wrote:
> Forgot to CC the mailing list on my original reply.
> 
> On Tue, Feb 9, 2010 at 2:40 PM, Scott Kaminski <scott.kaminski at gmail.com> wrote:
> 
>     On Tue, Feb 9, 2010 at 11:34 AM, Rob Crittenden <rcritten at redhat.com> wrote:
> 
>         Scott Kaminski wrote:
> 
>             I have a cactiEZ v0.6 server, and it's actually running
>             CentOS4.7.  I wanted to hook my cacti to my FreeIPA domain.
>             I seem to have a number of issues I can't actually work out
>             with this machine, and they appear to be related to HTTP
>             Kerberos authentication.
> 
>             I seem to be able to authenticate to the machine locally
>             using FreeIPA without any major issues. One thing that
>             seems odd to me is that when I execute id as a user on the
>             C5 machine I see all my group memberships, but when I log in to
>             the C4 machine and execute id I only see 1 group associated
>             with my user account, and other user accounts have the same issue.
> 
>             I want to access the machine by host and IP.  I can
>             authenticate via hostname without a problem. When I attempt
>             to access the machine via IP it doesn't work.  I have a C5
>             machine that doesn't have this problem; hostname or IP, I can
>             authenticate.
> 
>             When I attempt to access via the ip here is what shows in
>             the apache logs:
> 
>             [Mon Feb 08 17:23:04 2010] [error] [client 192.168.169.194]
>             krb5_sname_to_principal() failed: Cannot determine realm for
>             numeric host address
> 
> 
>         Does the IP resolve into a host name? I think that may be the
>         problem.
> 
> 
>     Keep in mind this is authentication via Apache that is giving me
>     problems at this point.  If I log in to the server via ssh I can do
>     passwordless authentication from this machine to other servers and
>     from other servers to this machine, assuming I have a valid krb ticket.
> 
>     Here is verification of the DNS entries just in case:
>     [root at ldap-6 log]# dig +short -x 172.16.2.36
>     wtw-man6.quadrant.local.
>     [root at ldap-6 log]# dig +short wtw-man6.quadrant.local
>     172.16.2.36

Does this same reverse lookup work on wtw-man6?

Have you tried setting the LogLevel to debug in Apache to see if you get 
more output? Note that mod_auth_kerb output is not always that useful on 
RHEL 4-based systems, but we can always hope.

rob

> 
>     The client IP listed above is not part of the IPA domain, if that
>     really matters.  To clarify, if I put
>     https://wtw-man6.quadrant.local/scott in my browser I can successfully
>     authenticate.  If I do https://172.16.2.36/scott I cannot
>     authenticate, and I see the above log message in the Apache error log.
> 
>     I just tried it now and here is what showed up in the krb5.log:
> 
>     Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7
>     etypes {18 17 16 23 1 3 2}) 172.16.2.36:
>     NEEDED_PREAUTH: scottk at QUADRANT.LOCAL for
>     krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL, Additional pre-authentication
>     required
>     Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7
>     etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE:
>     authtime 1265754847, etypes {rep=18 tkt=18 ses=18},
>     scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
> 
> 
>     If I use wtw-man6.quadrant.local I see this instead in the krb log,
>     which looks like a valid request/ticket issue process.
> 
>     Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7
>     etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE:
>     authtime 1265754894, etypes {rep=18 tkt=18 ses=18},
>     scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
>     Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ
>     (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36:
>     ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18},
>     scottk at QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
>     Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH:
>     repeated (retransmitted?) request from 172.16.2.36, resending
>     previous response
>     Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7
>     etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE:
>     authtime 1265754894, etypes {rep=18 tkt=18 ses=18},
>     scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
>     Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ
>     (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36:
>     ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18},
>     scottk at QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
>     Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7
>     etypes {18 17 16 23 1 3 2}) 172.16.2.36:
>     NEEDED_PREAUTH: scottk at QUADRANT.LOCAL for
>     krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL, Additional pre-authentication
>     required
>     Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7
>     etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE:
>     authtime 1265754895, etypes {rep=18 tkt=18 ses=18},
>     scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
>     Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ
>     (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36:
>     ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18},
>     scottk at QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
>     Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH:
>     repeated (retransmitted?) request from 172.16.2.36, resending
>     previous response
>     Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH:
>     repeated (retransmitted?) request from 172.16.2.36, resending
>     previous response
>     Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7
>     etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE:
>     authtime 1265754895, etypes {rep=18 tkt=18 ses=18},
>     scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
>     Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ
>     (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36:
>     ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18},
>     scottk at QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
>     Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7
>     etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE:
>     authtime 1265754895, etypes {rep=18 tkt=18 ses=18},
>     scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
>     Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ
>     (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36:
>     ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18},
>     scottk at QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
> 
> 
>             Here are the packages I installed:
>             [root at wtw-man6 conf]# rpm -qa | grep mod_auth
>             mod_auth_kerb-5.0-1.3
>             mod_authz_ldap-0.26-2.1
> 
>             Here is my apache auth configuration:
>             <Location /scott>
>               SSLRequireSSL
>               AuthType Kerberos
>               AuthName "Cacti login"
> 
>               KrbMethodNegotiate on
>               KrbMethodK5Passwd on
>               KrbServiceName HTTP
> 
>               KrbAuthRealms QUADRANT.LOCAL
>               Krb5KeyTab /etc/httpd/conf/http.keytab
>               KrbSaveCredentials on
>               #KrbVerifyKDC off
>               AuthLDAPUrl ldap://ldap.quadrant.local:389/dc=quadrant,dc=local?krbPrincipalName
>               #require group cn=NetopsResources,cn=groups,cn=accounts,dc=quadrant,dc=local
>               require valid-user
>             </Location>
> 
>             C4 seems to be running an older version of mod_auth_kerb
>             and Apache when compared to C5. I suspect this is part of
>             the issue.
> 
>             The other detail I'm having a problem with seems to be
>             related to group membership. On the C4 machine the require
>             group or require ldap-group doesn't seem to work at all.  I
>             really don't mind this as much, but if anyone has any ideas
>             I would love to hear what the solution is.
> 
> 
>         What does it do/not do? You may need to watch the DS access log
>         while doing an authentication so you can see the query being
>         sent and how many entries (if any) are being returned.
> 
>         rob
> 
> 
>             Thanks,
> 
> 
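Rob's reverse-lookup question and the "Cannot determine realm for numeric host address" error in Scott's Apache log both come down to which service principal mod_auth_kerb can derive from the way the browser addressed the server: an IP literal in the URL gives it no hostname to turn into HTTP/<fqdn>@REALM. The following Python is an added illustration, not code from the thread or from mod_auth_kerb; it assumes constructed forward/reverse DNS records and a constructed `klist -k` listing that mirror the hostname, address, realm and keytab path Scott posted, and makes no live lookups.

```python
import ipaddress
import re
# Constructed stand-ins for the records shown in the thread
# (wtw-man6.quadrant.local <-> 172.16.2.36); nothing is queried live.
FORWARD = {"wtw-man6.quadrant.local": "172.16.2.36"}
REVERSE = {"172.16.2.36": "wtw-man6.quadrant.local."}
KEYTAB_LISTING = """\
KVNO Principal
---- ----------------------------------------------------------------------
   2 HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL
"""

def requested_host(host_header):
    """Host part of an HTTP Host header, lowercased, with any port removed."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host

def service_principal(host_header, realm):
    """Name mod_auth_kerb must build for the request: HTTP/<fqdn>@REALM.
    An IP literal has no hostname to map to a realm, so None is returned."""
    host = requested_host(host_header)
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return f"HTTP/{host}@{realm}"

def keytab_principals(listing):
    """Principals present in a `klist -k` style listing (constructed above)."""
    return {line.split()[1] for line in listing.splitlines()
            if re.match(r"\s*\d+\s+\S+", line)}

def dns_consistent(fqdn, forward=FORWARD, reverse=REVERSE):
    """Forward lookup and the PTR of its answer must agree (Rob's check)."""
    ip = forward.get(fqdn)
    return ip is not None and reverse.get(ip, "").rstrip(".") == fqdn

def diagnose(host_header, realm="QUADRANT.LOCAL"):
    """One-line verdict for the way a browser addressed the server."""
    princ = service_principal(host_header, realm)
    if princ is None:
        return "no-principal: numeric host, realm cannot be determined"
    if princ not in keytab_principals(KEYTAB_LISTING):
        return f"missing-key: {princ} not in keytab"
    if not dns_consistent(requested_host(host_header)):
        return "dns-mismatch: forward and reverse records disagree"
    return f"ok: {princ}"
```

Run against the hostname Scott used it reports ok; against the bare address it reports the same numeric-host failure Apache logged, independent of what the KDC logs show.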
