[Freeipa-users] FreeIPA with C4 http authentication

Scott Kaminski scott.kaminski at gmail.com
Tue Feb 9 22:42:33 UTC 2010


Forgot to CC the mailing list on my original reply.

On Tue, Feb 9, 2010 at 2:40 PM, Scott Kaminski <scott.kaminski at gmail.com> wrote:

>
>
> On Tue, Feb 9, 2010 at 11:34 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>> Scott Kaminski wrote:
>>
>>> I have a cactiEZ v0.6 server, and it's actually running CentOS 4.7.  I
>>> wanted to hook my cacti to my FreeIPA domain. I seem to have a number of
>>> issues I can't actually work out with this machine and they appear to be
>>> related to HTTP Kerberos authentication.
>>>
>>> I seem to be able to authenticate to the machine locally using FreeIPA
>>> without any major issues. One thing I noticed that seems odd to me is that
>>> when I execute id as a user on a C5 machine I see all my group memberships;
>>> when I log in to the C4 machine and execute id I only see 1 group associated
>>> with my user account, and other user accounts have the same issue.
>>>
>>> I want to access the machine by host and IP.  I can authenticate via
>>> hostname without a problem. When I attempt to access the machine via IP it
>>> doesn't work.  I have a C5 machine that doesn't have this problem: hostname
>>> or IP, I can authenticate.
>>>
>>> When I attempt to access via the IP, here is what shows in the apache
>>> logs:
>>>
>>> [Mon Feb 08 17:23:04 2010] [error] [client 192.168.169.194]
>>> krb5_sname_to_principal() failed: Cannot determine realm for numeric host
>>> address
>>>
>>
>> Does the IP resolve into a host name? I think that may be the problem.
>>
>>
> Keep in mind this is authentication via apache that is giving me problems
> at this point.  If I log in to the server via ssh I can do passwordless
> authentication from this machine to other servers and from other servers to
> this machine, assuming I have a valid krb ticket.
>
> Here is verification of the DNS entries just in case:
> [root at ldap-6 log]# dig +short -x 172.16.2.36
> wtw-man6.quadrant.local.
> [root at ldap-6 log]# dig +short wtw-man6.quadrant.local
> 172.16.2.36
>
> The client IP listed above is not part of the IPA domain, if that really
> matters.  To clarify: if I put https://wtw-man6.quadrant.local/scott in my browser
> I can successfully authenticate.  If I go to https://172.16.2.36/scott I
> cannot authenticate and I see the above log message in the apache error log.
>
>
> I just tried it now and here is what showed up in the krb5.log
>
> Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes
> {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL,
> Additional pre-authentication required
> Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes
> {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754847, etypes
> {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for
> krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
>
>
> If I use wtw-man6.quadrant.local I see this instead in the krb log, which
> looks like a valid request/ticket issue process.
>
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes
> {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes
> {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for
> krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7
> etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894,
> etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for
> HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH:
> repeated (retransmitted?) request from 172.16.2.36, resending previous
> response
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes
> {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes
> {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for
> krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7
> etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894,
> etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for
> HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes
> {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL,
> Additional pre-authentication required
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes
> {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes
> {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for
> krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7
> etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895,
> etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for
> HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH:
> repeated (retransmitted?) request from 172.16.2.36, resending previous
> response
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH:
> repeated (retransmitted?) request from 172.16.2.36, resending previous
> response
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes
> {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes
> {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for
> krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7
> etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895,
> etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for
> HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes
> {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes
> {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for
> krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7
> etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895,
> etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for
> HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
>
>
>
>
>>>
>>> Here are the packages I installed:
>>> [root at wtw-man6 conf]# rpm -qa | grep mod_auth
>>> mod_auth_kerb-5.0-1.3
>>> mod_authz_ldap-0.26-2.1
>>>
>>> Here is my apache auth configuration:
>>> <Location /scott>
>>>   SSLRequireSSL
>>>   AuthType Kerberos
>>>   AuthName "Cacti login"
>>>
>>>   KrbMethodNegotiate on
>>>   KrbMethodK5Passwd on
>>>   KrbServiceName HTTP
>>>
>>>   KrbAuthRealms QUADRANT.LOCAL
>>>   Krb5KeyTab /etc/httpd/conf/http.keytab
>>>   KrbSaveCredentials on
>>>   #KrbVerifyKDC off
>>>   AuthLDAPUrl
>>> ldap://ldap.quadrant.local:389/dc=quadrant,dc=local?krbPrincipalName
>>>   #require group
>>> cn=NetopsResources,cn=groups,cn=accounts,dc=quadrant,dc=local
>>>   require valid-user
>>> </Location>
>>>
>>> C4 seems to be running an older version of mod_auth_kerb and apache
>>> when compared to C5. I suspect this is part of the issue, I'm sure.
>>>
>>> The other detail I'm having a problem with seems to be related to group
>>> membership. On the C4 machine, require group or require ldap-group
>>> doesn't seem to work at all.  I really don't mind this as much, but if
>>> anyone has any ideas I would love to hear what the solution is.
>>>
>>
>> What does it do/not do? You may need to watch the DS access log while
>> doing an authentication so you can see the query being sent and how many
>> entries (if any) are being returned.
>>
>> rob
>>
>>
>>> Thanks,
>>>
>>>
>>
>>
>
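Added example, not code from this thread or from FreeIPA/mod_auth_kerb: a small Python script that scripts the two checks discussed above the way a defender would. It derives the HTTP/<host>@REALM service principal from the host the browser used (returning nothing for an IP literal, the condition krb5_sname_to_principal() reports in the apache error log), verifies that forward and reverse DNS agree for a name/address pair, and scans krb5kdc log lines for logins where a TGT was issued but no HTTP/ service ticket followed, which is exactly what the IP-based attempt produced in the KDC log while the hostname attempt shows an AS_REQ followed by a TGS_REQ for HTTP/wtw-man6.quadrant.local. The DNS table and the log excerpt are constructed from values quoted in the thread (with the archive's " at " restored to "@"); the function names are my own.

```python
import ipaddress
import re
from typing import Dict, List, Optional

REALM = "QUADRANT.LOCAL"  # realm quoted in the thread

# Constructed forward/reverse table standing in for the dig output in the thread.
FORWARD = {"wtw-man6.quadrant.local": "172.16.2.36"}
REVERSE = {"172.16.2.36": "wtw-man6.quadrant.local"}

# Constructed krb5kdc excerpt: the IP attempt (authtime 1265754847) gets a TGT only,
# the hostname attempt (authtime 1265754894) gets a TGT and then an HTTP/ ticket.
SAMPLE_KDC_LOG = """\
Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL, Additional pre-authentication required
Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754847, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL@QUADRANT.LOCAL
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk@QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local@QUADRANT.LOCAL
Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
"""


def is_numeric_host(host: str) -> bool:
    """True when the URL host is an IP literal (IPv4, or bracketed IPv6) rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def expected_service_principal(host: str, realm: str = REALM, service: str = "HTTP") -> Optional[str]:
    """Service principal the web server needs for the host the browser asked for.

    Returns None for an IP literal: as with krb5_sname_to_principal(), no realm can be
    derived from a numeric address, so no principal can be formed. (Hypothetical helper.)
    """
    if is_numeric_host(host):
        return None
    return f"{service}/{host.rstrip('.').lower()}@{realm}"


def dns_is_consistent(name: str, ip: str, forward=FORWARD, reverse=REVERSE) -> bool:
    """Forward and reverse records agree for the pair, the check Rob asked about."""
    name = name.rstrip(".").lower()
    rev = reverse.get(ip, "").rstrip(".").lower()
    return forward.get(name) == ip and rev == name


# Matches AS_REQ/TGS_REQ records; DISPATCH lines deliberately do not match.
KDC_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<client>\S+): (?P<status>\w+):"
    r".*?(?P<principal>\S+@\S+) for (?P<service>[^\s,]+@[^\s,]+)"
)
AUTHTIME_RE = re.compile(r"authtime (\d+)")


def parse_kdc_line(line: str) -> Optional[Dict[str, str]]:
    """Split one krb5kdc line into kind, client, status, principal, service, authtime."""
    m = KDC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    at = AUTHTIME_RE.search(line)
    rec["authtime"] = at.group(1) if at else ""
    return rec


def logins_without_service_ticket(lines: List[str], service: str = "HTTP/") -> List[str]:
    """Authtimes at which a TGT was issued but no ticket for the given service followed.

    Each browser login has its own authtime, so grouping on it separates the IP attempt
    from the hostname attempt even though both come from the same client address.
    """
    tgt: Dict[str, str] = {}  # authtime -> client principal
    got_service = set()
    for line in lines:
        rec = parse_kdc_line(line)
        if not rec or rec["status"] != "ISSUE":
            continue
        if rec["kind"] == "AS_REQ":
            tgt[rec["authtime"]] = rec["principal"]
        elif rec["kind"] == "TGS_REQ" and rec["service"].startswith(service):
            got_service.add(rec["authtime"])
    return sorted(a for a in tgt if a not in got_service)


if __name__ == "__main__":
    for host in ("wtw-man6.quadrant.local", "172.16.2.36"):
        print(host, "->", expected_service_principal(host))
    print("DNS consistent:", dns_is_consistent("wtw-man6.quadrant.local", "172.16.2.36"))
    print("logins with TGT but no HTTP/ ticket:",
          logins_without_service_ticket(SAMPLE_KDC_LOG.splitlines()))
```

Run it against a real krb5kdc.log by replacing SAMPLE_KDC_LOG with the file's lines; an authtime that shows up in the result is a login that got as far as a TGT (the password path of mod_auth_kerb) but never obtained a ticket for the web server's HTTP/ principal, which is the signature of the IP-address case in the thread rather than a bad password.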