[Freeipa-users] FreeIPA with C4 http authentication

Rob Crittenden rcritten at redhat.com
Tue Feb 9 19:34:32 UTC 2010


Scott Kaminski wrote:
> I have a cactiEZ v0.6 server, and it's actually running CentOS4.7.  I 
> wanted to hook my cacti to my FreeIPA domain. I seem to have a number of 
> issues I can't actually work out with this machine and they appear to be 
> related to HTTP kerberos authentication.
> 
> I seem to be able to authenticate to the machine locally using FreeIPA 
> without any major issues. One thing I noticed that seems odd to me is 
> that when I execute id as a user on a C5 machine I see all my group 
> memberships, but when I log in to the C4 machine and execute id I only see 1 
> group associated with my user account, and other user accounts have the 
> same issue.
> 
> I want to access the machine by host and IP.  I can authenticate via 
> hostname without a problem. When I attempt to access the machine via IP 
> it doesn't work.  I have a C5 machine that doesn't have this problem; 
> hostname or IP, I can authenticate.
> 
> When I attempt to access via the IP, here is what shows in the apache logs:
> 
> [Mon Feb 08 17:23:04 2010] [error] [client 192.168.169.194] 
> krb5_sname_to_principal() failed: Cannot determine realm for numeric 
> host address

Does the IP resolve into a host name? I think that may be the problem.

> Here are the packages I installed:
> [root at wtw-man6 conf]# rpm -qa | grep mod_auth
> mod_auth_kerb-5.0-1.3
> mod_authz_ldap-0.26-2.1
> 
> Here is my apache auth configuration:
> <Location /scott>
>    SSLRequireSSL
>    AuthType Kerberos
>    AuthName "Cacti login"
> 
>    KrbMethodNegotiate on
>    KrbMethodK5Passwd on
>    KrbServiceName HTTP
> 
>    KrbAuthRealms QUADRANT.LOCAL
>    Krb5KeyTab /etc/httpd/conf/http.keytab
>    KrbSaveCredentials on
>    #KrbVerifyKDC off
>    AuthLDAPUrl ldap://ldap.quadrant.local:389/dc=quadrant,dc=local?krbPrincipalName
>    #require group cn=NetopsResources,cn=groups,cn=accounts,dc=quadrant,dc=local
>    require valid-user
> </Location>
> 
> C4 seems to be running an older version of mod_auth_kerb and Apache 
> when compared to C5. I suspect this is part of the issue, I'm sure.
> 
> The other detail I'm having a problem with seems to be related to group 
> membership. On the C4 machine the require group or require ldap-group 
> doesn't seem to work at all.  I really don't mind this as much, but if 
> anyone has any ideas I would love to hear what the solution is.

What does it do/not do? You may need to watch the DS access log while 
doing an authentication so you can see the query being sent and how many 
entries (if any) are being returned.

rob

> 
> Thanks,
> 
> 
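As an added example (not part of the original thread), the check Rob suggests written as a small script: pair each SRCH in the 389-DS access log with the RESULT that carries the same conn/op, so the filter Apache actually sent and the number of entries returned sit side by side. The log excerpt is constructed for illustration; its DNs and filter values are not taken from Scott's server.

```python
import re

# Constructed 389-DS access log excerpt (not from the original post): the
# krbPrincipalName lookup returns one entry, the group check returns none.
SAMPLE_ACCESS_LOG = """\
[09/Feb/2010:14:23:04 -0500] conn=12 op=0 BIND dn="" method=128 version=3
[09/Feb/2010:14:23:04 -0500] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[09/Feb/2010:14:23:04 -0500] conn=12 op=1 SRCH base="dc=quadrant,dc=local" scope=2 filter="(krbPrincipalName=scott@QUADRANT.LOCAL)" attrs=ALL
[09/Feb/2010:14:23:04 -0500] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[09/Feb/2010:14:23:04 -0500] conn=12 op=2 SRCH base="cn=NetopsResources,cn=groups,cn=accounts,dc=quadrant,dc=local" scope=0 filter="(member=scott@QUADRANT.LOCAL)" attrs="member"
[09/Feb/2010:14:23:04 -0500] conn=12 op=2 RESULT err=0 tag=101 nentries=0 etime=0
"""

# Every access log line starts with a timestamp, a connection id and an operation id.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
SRCH_RE = re.compile(r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r'RESULT err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+)')

def pair_searches(log_text):
    """Join each SRCH with the RESULT carrying the same conn/op; return them in log order."""
    pending, searches = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m['conn'], m['op'])
        s = SRCH_RE.match(m['rest'])
        if s:
            pending[key] = {'conn': int(m['conn']), 'op': int(m['op']), 'base': s['base'],
                            'scope': int(s['scope']), 'filter': s['filter']}
            continue
        r = RESULT_RE.match(m['rest'])
        if r and key in pending:          # RESULT for a search we saw; BIND results are skipped
            entry = pending.pop(key)
            entry['err'], entry['nentries'] = int(r['err']), int(r['nentries'])
            searches.append(entry)
    return searches

def empty_searches(searches):
    """Searches that completed without error but matched nothing: a 'require group'
    that never passes shows up here, together with the exact filter that was sent."""
    return [s for s in searches if s['err'] == 0 and s['nentries'] == 0]

if __name__ == "__main__":
    for s in empty_searches(pair_searches(SAMPLE_ACCESS_LOG)):
        print(f"conn={s['conn']} op={s['op']} scope={s['scope']} base={s['base']}")
        print(f"  filter {s['filter']} returned 0 entries")
```

Run it against the real access log and compare the reported filter with the attribute values stored on the group entry; a zero-entry search is the query to fix, and the filter text shows what mod_authz_ldap was comparing.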