[Freeipa-users] FreeIPA with C4 http authentication

Scott Kaminski scott.kaminski at gmail.com
Tue Feb 9 02:00:25 UTC 2010


I have a CactiEZ v0.6 server, and it's actually running CentOS 4.7. I wanted
to hook my Cacti to my FreeIPA domain. I seem to have a number of issues I
can't actually work out with this machine, and they appear to be related to
HTTP Kerberos authentication.

I seem to be able to authenticate to the machine locally using FreeIPA
without any major issues. One thing I noticed that seems odd to me is that
when I execute id as a user on the C5 machine I see all my group memberships,
but when I log in to the C4 machine and execute id I only see 1 group associated
with my user account, and other user accounts have the same issue.

I want to access the machine by host and IP. I can authenticate via
hostname without a problem. When I attempt to access the machine via IP it
doesn't work. I have a C5 machine that doesn't have this problem; hostname
or IP, I can authenticate.

When I attempt to access via the IP, here is what shows in the Apache logs:

[Mon Feb 08 17:23:04 2010] [error] [client 192.168.169.194] krb5_sname_to_principal() failed: Cannot determine realm for numeric host address

Here are the packages I installed:
[root@wtw-man6 conf]# rpm -qa | grep mod_auth
mod_auth_kerb-5.0-1.3
mod_authz_ldap-0.26-2.1

Here is my Apache auth configuration:
<Location /scott>
   SSLRequireSSL
   AuthType Kerberos
   AuthName "Cacti login"

   KrbMethodNegotiate on
   KrbMethodK5Passwd on
   KrbServiceName HTTP

   KrbAuthRealms QUADRANT.LOCAL
   Krb5KeyTab /etc/httpd/conf/http.keytab
   KrbSaveCredentials on
   #KrbVerifyKDC off
   AuthLDAPUrl ldap://ldap.quadrant.local:389/dc=quadrant,dc=local?krbPrincipalName
   #require group cn=NetopsResources,cn=groups,cn=accounts,dc=quadrant,dc=local
   require valid-user
</Location>

C4 seems to be running an older version of mod_auth_kerb and Apache
when compared to C5. I suspect this is part of the issue, I'm sure.

The other detail I'm having a problem with seems to be related to group
membership. On the C4 machine the require group or require ldap-group
doesn't seem to work at all. I really don't mind this as much, but if
anyone has any ideas I would love to hear what the solution is.

Thanks,
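Added example, not code from the original post or from FreeIPA/mod_auth_kerb: a small Python check that mirrors the shape of the service principal an HTTP Kerberos module expects from the request's Host header (service/fqdn@REALM), which is why a numeric address produces the log line quoted above, and then looks that principal up in a klist -kt listing. The listing is constructed, and the FQDN wtw-man6.quadrant.local is an assumption built from the shell prompt and realm in the post; the realm lookup is simplified to a fixed realm rather than the libkrb5 domain_realm mapping.

```python
import ipaddress

REALM = "QUADRANT.LOCAL"   # KrbAuthRealms from the posted config

# Constructed sample of `klist -kt /etc/httpd/conf/http.keytab` output.
# The FQDN wtw-man6.quadrant.local is an assumption, not taken from the post.
SAMPLE_KLIST = """Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/08/10 17:00:00 HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL
"""


def host_from_header(host_header):
    """Strip the port from a Host header; handles bracketed IPv6 literals."""
    h = host_header.strip().lower()
    if h.startswith("["):
        return h[1:h.index("]")]
    return h.split(":")[0]


def service_principal(host_header, realm=REALM, service="HTTP"):
    """Expected SPN for the request, in the form service/host@REALM.
    A numeric host has no DNS name that can be mapped to a realm, so raise the
    same condition the Apache log reports instead of guessing a principal."""
    host = host_from_header(host_header)
    try:
        ipaddress.ip_address(host)
    except ValueError:                      # not an IP literal: a hostname
        return "%s/%s@%s" % (service, host, realm)
    raise ValueError("Cannot determine realm for numeric host address: " + host)


def keytab_principals(klist_output):
    """Parse `klist -kt` text into the set of principals it lists."""
    principals = set()
    for line in klist_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit():   # KVNO date time principal
            principals.add(parts[-1])
    return principals


def diagnose(host_header, klist_output, realm=REALM):
    """Return 'ok', 'numeric-host' or 'missing-in-keytab' for one request."""
    try:
        spn = service_principal(host_header, realm)
    except ValueError:
        return "numeric-host"
    return "ok" if spn in keytab_principals(klist_output) else "missing-in-keytab"
```

A 'numeric-host' result is fixed on the URL side rather than in the keytab: clients have to address the server by the name its keytab principal carries (a redirect from the IP to that hostname does this for browsers).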