Kerberos on Nagios 4.1.1

BenShirley
Posts: 7
Joined: Thu Jun 26, 2014 3:54 pm

Kerberos on Nagios 4.1.1

Post by BenShirley »

I am attempting to build a new Nagios server with version 4.1.1 using Kerberos authentication on CentOS 7.1 and Apache 2.4. A few months ago, I had built a Nagios 4.0.8 test server and successfully configured Kerberos (documenting my steps).

On the new (4.1.1) server, I am unable to get Kerberos to work quite right with Nagios. The symptom I see is that I can open the web UI without being prompted for credentials. However, when I click on some links (such as the Hosts or Services links in the sidebar), I get an error message such as: "It appears as though you do not have permission to view information for any of the services you requested..." I get this message despite having my Windows username ([email protected]) configured as a contact and part of the admin group in the Nagios config, which I BELIEVE should allow me to view hosts and services for which that contact is configured (I'm just using the default localhost.cfg right now). For good measure, I also added my [email protected] to all of the authorized_for_* lines in the cgi.cfg file.

I'm fairly certain that my Kerberos service user account and keytab file are set up correctly, as I was able to configure a test site and have it work OK.

One of the first things I noticed when configuring Nagios 4.1.1 is that the Apache nagios.conf file has changed. I read about it here: https://support.nagios.com/forum/viewto ... 34&t=32789. I was unable to get even Basic (local) authentication working with the new file until I commented out all of the <IfVersion> stuff and the section applying to older versions of Apache. Once I did that, I could log on fine as nagiosadmin.

I went on to configure SSL, which was also fine, and then matched my Kerberos configuration as closely as I could to my previous Nagios 4.0.8 installation, which did not work. The only real difference is that, in the newer version of Nagios, the line:

Code: Select all

Require all granted
replaces the obsolete lines:

Code: Select all

Order allow,deny
Allow from all
So, here is my Nagios 4.0.8 nagios.conf:

Code: Select all

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthName "Nagios Access"
   AuthType Kerberos
   KrbAuthRealms DOM.TLD
   KrbServiceName HTTP
   Krb5Keytab /etc/httpd/conf.d/bantest-http.keytab
   KrbMethodNegotiate on
   KrbMethodK5Passwd off
   Require valid-user
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
   Options None
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthName "Nagios Access"
   AuthType Kerberos
   KrbAuthRealms DOM.TLD
   KrbServiceName HTTP
   Krb5Keytab /etc/httpd/conf.d/bantest-http.keytab
   KrbMethodNegotiate on
   KrbMethodK5Passwd off
   Require valid-user
</Directory>
And here is nagios.conf from my Nagios 4.1.1 configuration:

Code: Select all

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
   Options ExecCGI
   AllowOverride None
   Require all granted
   Order allow,deny
   Allow from all
   AuthName "Nagios Access"
   AuthType Kerberos
   KrbAuthRealms DOM.TLD
   KrbServiceName HTTP
   Krb5Keytab /etc/httpd/conf.d/bantest-http.keytab
   KrbMethodNegotiate on
   KrbMethodK5Passwd off
   Require valid-user
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
   Options None
   AllowOverride None
   Require all granted
   Order allow,deny
   Allow from all
   AuthName "Nagios Access"
   AuthType Kerberos
   KrbAuthRealms DOM.TLD
   KrbServiceName HTTP
   Krb5Keytab /etc/httpd/conf.d/bantest-http.keytab
   KrbMethodNegotiate on
   KrbMethodK5Passwd off
   Require valid-user
</Directory>
If I watch the ssl_access_log, I see my Windows username on the Nagios 4.0.8 server as I access the web ui:

Code: Select all

192.168.3.9 - - [09/Dec/2015:15:41:58 -0800] "GET /nagios HTTP/1.1" 401 381
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios HTTP/1.1" 301 235
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/ HTTP/1.1" 200 900
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/side.php HTTP/1.1" 200 4576
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/main.php HTTP/1.1" 200 9343
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/stylesheets/common.css?4.0.8 HTTP/1.1" 200 9734
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/images/sblogo.png HTTP/1.1" 200 3231
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/images/logofullsize.png HTTP/1.1" 200 9543
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/images/weblogo1.png HTTP/1.1" 200 2401
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/js/jquery-1.7.1.min.js HTTP/1.1" 200 93868
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/images/sflogo.png HTTP/1.1" 200 469
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/images/passiveonly.gif HTTP/1.1" 200 882
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/cgi-bin/statusjson.cgi?query=programstatus HTTP/1.1" 200 985
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/images/favicon.ico HTTP/1.1" 200 822
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/images/enabled.gif HTTP/1.1" 200 90
But I don't see a username at all on my Nagios 4.1.1 server:

Code: Select all

192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios HTTP/1.1" 301 235
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/ HTTP/1.1" 200 901
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/side.php HTTP/1.1" 200 4776
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/main.php HTTP/1.1" 200 9123
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/stylesheets/common.css?4.1.1 HTTP/1.1" 200 9734
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/images/sblogo.png HTTP/1.1" 200 3231
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/images/logofullsize.png HTTP/1.1" 200 9543
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/images/weblogo1.png HTTP/1.1" 200 2401
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/images/sflogo.png HTTP/1.1" 200 469
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/images/passiveonly.gif HTTP/1.1" 200 882
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/cgi-bin/statusjson.cgi?query=programstatus HTTP/1.1" 200 976
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/images/enabled.gif HTTP/1.1" 200 90
192.168.3.9 - - [09/Dec/2015:15:54:02 -0800] "GET /nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail HTTP/1.1" 200 7742
192.168.3.9 - - [09/Dec/2015:15:54:04 -0800] "GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 7932
(By the way, through the magic of VMware snapshots, these two Nagios implementations are actually on the same server so that I could eliminate as many variables as possible. I took a snapshot right before I installed Nagios the first time. When I wanted to test the newer version of Nagios, I went back to that point and did a clean install of Nagios 4.1.1. Both configurations use the exact same nagios-plugins-2.1.1, the same Kerberos service account, the same keytab file, the same Apache installation and version, etc.)

Does anyone have any ideas about how I could further troubleshoot or fix this? I COULD just give up and run my new installation on version 4.0.8, but I would much prefer to be on the latest version of Nagios.

Thanks in advance!
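The access-log difference described in this post can be checked mechanically: a protected path answered with 2xx/3xx while the user field is `-`, with no preceding 401 challenge, was served without authentication. This is an added example in Python, not part of the original post; the function name and the user name `jdoe@DOM.TLD` are constructed for illustration, and the log lines are modelled on the ones quoted above.

```python
import re
from collections import defaultdict

# Common Log Format: client ident user [time] "METHOD path proto" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def audit_access_log(lines, protected_prefix="/nagios"):
    """Per client, count 401 challenges, authenticated requests, and
    requests to the protected prefix that were served with no user."""
    report = defaultdict(
        lambda: {"challenges": 0, "authenticated": 0, "anonymous_served": []}
    )
    for line in lines:
        m = CLF.match(line.strip())
        if not m or not m["path"].startswith(protected_prefix):
            continue
        entry = report[m["client"]]
        status = int(m["status"])
        if m["user"] != "-":
            entry["authenticated"] += 1
        elif status == 401:
            # Expected with Negotiate: the first request is challenged.
            entry["challenges"] += 1
        elif status < 400:
            # Content (or a redirect) handed out with no authenticated user.
            entry["anonymous_served"].append((m["path"], status))
    return dict(report)


# Constructed sample modelled on the 4.0.8 log (user name is a placeholder).
WORKING_408 = [
    '192.168.3.9 - - [09/Dec/2015:15:41:58 -0800] "GET /nagios HTTP/1.1" 401 381',
    '192.168.3.9 - jdoe@DOM.TLD [09/Dec/2015:15:41:58 -0800] "GET /nagios HTTP/1.1" 301 235',
    '192.168.3.9 - jdoe@DOM.TLD [09/Dec/2015:15:41:58 -0800] "GET /nagios/ HTTP/1.1" 200 900',
]

# Sample lines as they appear in the 4.1.1 log.
BROKEN_411 = [
    '192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios HTTP/1.1" 301 235',
    '192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/ HTTP/1.1" 200 901',
    '192.168.3.9 - - [09/Dec/2015:15:54:02 -0800] '
    '"GET /nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail HTTP/1.1" 200 7742',
]

if __name__ == "__main__":
    for label, sample in (("4.0.8", WORKING_408), ("4.1.1", BROKEN_411)):
        for client, stats in audit_access_log(sample).items():
            print(label, client, stats)
```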
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia

Re: Kerberos on Nagios 4.1.1

Post by Box293 »

Is SELinux enabled?

Code: Select all

getenforce
This will set it to permissive:

Code: Select all

sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
setenforce 0
Try restarting apache/httpd after doing this.
BenShirley
Posts: 7
Joined: Thu Jun 26, 2014 3:54 pm

Re: Kerberos on Nagios 4.1.1

Post by BenShirley »

Thanks for the response.

SELinux is set to Permissive, so I don't think that is the issue. Any other ideas?
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Kerberos on Nagios 4.1.1

Post by ssax »

If you edit your /etc/krb5.conf file, at the top it should list the log locations. Are you seeing any errors in there?

What is the output of this command:

Code: Select all

klist
Also, what are you seeing in your /var/log/httpd/error_log or /var/log/httpd/ssl_error_log?

You could also set LogLevel debug in your /etc/httpd/conf/httpd.conf and/or in your /etc/httpd/conf.d/ssl.conf file to enable debug logging to see if any additional information gets put in there.

Make sure to restart apache after making the changes:

Code: Select all

service httpd restart
BenShirley
Posts: 7
Joined: Thu Jun 26, 2014 3:54 pm

Re: Kerberos on Nagios 4.1.1

Post by BenShirley »

Sorry for the late response. I've been out of the office for the holidays, and for some reason, I'm not getting notifications when there is a post to this thread.

Here is the logging section of my /etc/krb5.conf file:

Code: Select all

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
However, none of those log files exist in /var/log. Do I need to turn on logging somewhere in order to create those log files?

If I do nothing, the output of klist is:

Code: Select all

klist: Credentials cache keyring 'persistent:16777216:16777216' not found
However, if I first run: ...then I get the following klist output:

Code: Select all

Ticket cache: KEYRING:persistent:16777216:16777216
Default principal: [email protected]

Valid starting       Expires              Service principal
01/04/2016 14:56:49  01/05/2016 00:56:49  krbtgt/[email protected]
	renew until 01/11/2016 14:56:45
I went ahead and set the LogLevel to debug in both my /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/ssl.conf files and then tailed the logs while accessing the Nagios page from a Kerberos-enabled browser.

The /var/log/httpd/error_log only contained a bunch of events like these:

Code: Select all

[Mon Jan 04 15:01:42.693261 2016] [proxy:debug] [pid 1743] proxy_util.c(1840): AH00925: initializing worker proxy:reverse shared
[Mon Jan 04 15:01:42.693310 2016] [proxy:debug] [pid 1743] proxy_util.c(1882): AH00927: initializing worker proxy:reverse local
[Mon Jan 04 15:01:42.693343 2016] [proxy:debug] [pid 1743] proxy_util.c(1933): AH00931: initialized single connection worker in child 1743 for (*)
The /var/log/httpd/ssl_error_log on the snapshot of my server running 4.1.1 had events such as these:

Code: Select all

[Mon Jan 04 15:03:18.781852 2016] [ssl:info] [pid 1742] [client 10.10.160.62:58993] AH01964: Connection to child 11 established (server banyan-test.dom.tld:443)
[Mon Jan 04 15:03:18.782211 2016] [socache_shmcb:debug] [pid 1742] mod_socache_shmcb.c(522): AH00835: socache_shmcb_retrieve (0x78 -> subcache 24)
[Mon Jan 04 15:03:18.782228 2016] [socache_shmcb:debug] [pid 1742] mod_socache_shmcb.c(845): AH00849: match at idx=0, data=0
[Mon Jan 04 15:03:18.782232 2016] [socache_shmcb:debug] [pid 1742] mod_socache_shmcb.c(532): AH00836: leaving socache_shmcb_retrieve successfully
[Mon Jan 04 15:03:18.782314 2016] [ssl:debug] [pid 1742] ssl_engine_kernel.c(1885): [client 10.10.160.62:58993] AH02044: No matching SSL virtual host for servername banyan-test found (using default/first virtual host)
[Mon Jan 04 15:03:18.812228 2016] [ssl:debug] [pid 1742] ssl_engine_kernel.c(1811): [client 10.10.160.62:58993] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384 (256/256 bits)
[Mon Jan 04 15:03:18.812587 2016] [ssl:debug] [pid 1742] ssl_engine_kernel.c(224): [client 10.10.160.62:58993] AH02034: Initial (No.1) HTTPS request received for child 11 (server banyan-test.dom.tld:443), referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:18.812779 2016] [authz_core:debug] [pid 1742] mod_authz_core.c(809): [client 10.10.160.62:58993] AH01626: authorization result of Require all granted: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:18.812792 2016] [authz_core:debug] [pid 1742] mod_authz_core.c(809): [client 10.10.160.62:58993] AH01626: authorization result of <RequireAny>: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.173143 2016] [ssl:debug] [pid 1742] ssl_engine_kernel.c(224): [client 10.10.160.62:58993] AH02034: Subsequent (No.2) HTTPS request received for child 11 (server banyan-test.dom.tld:443), referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.173361 2016] [authz_core:debug] [pid 1742] mod_authz_core.c(809): [client 10.10.160.62:58993] AH01626: authorization result of Require all granted: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.173382 2016] [authz_core:debug] [pid 1742] mod_authz_core.c(809): [client 10.10.160.62:58993] AH01626: authorization result of <RequireAny>: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.203141 2016] [ssl:info] [pid 1682] [client 10.10.160.62:58997] AH01964: Connection to child 0 established (server banyan-test.dom.tld:443)
[Mon Jan 04 15:03:19.203140 2016] [ssl:info] [pid 1743] [client 10.10.160.62:58996] AH01964: Connection to child 12 established (server banyan-test.dom.tld:443)
[Mon Jan 04 15:03:19.203264 2016] [socache_shmcb:debug] [pid 1682] mod_socache_shmcb.c(522): AH00835: socache_shmcb_retrieve (0x78 -> subcache 24)
[Mon Jan 04 15:03:19.203273 2016] [socache_shmcb:debug] [pid 1682] mod_socache_shmcb.c(845): AH00849: match at idx=0, data=0
[Mon Jan 04 15:03:19.203276 2016] [socache_shmcb:debug] [pid 1682] mod_socache_shmcb.c(532): AH00836: leaving socache_shmcb_retrieve successfully
[Mon Jan 04 15:03:19.203324 2016] [ssl:debug] [pid 1682] ssl_engine_kernel.c(1885): [client 10.10.160.62:58997] AH02044: No matching SSL virtual host for servername banyan-test found (using default/first virtual host)
[Mon Jan 04 15:03:19.203443 2016] [socache_shmcb:debug] [pid 1743] mod_socache_shmcb.c(522): AH00835: socache_shmcb_retrieve (0x78 -> subcache 24)
[Mon Jan 04 15:03:19.203468 2016] [socache_shmcb:debug] [pid 1743] mod_socache_shmcb.c(845): AH00849: match at idx=0, data=0
[Mon Jan 04 15:03:19.203473 2016] [socache_shmcb:debug] [pid 1743] mod_socache_shmcb.c(532): AH00836: leaving socache_shmcb_retrieve successfully
[Mon Jan 04 15:03:19.203515 2016] [ssl:debug] [pid 1743] ssl_engine_kernel.c(1885): [client 10.10.160.62:58996] AH02044: No matching SSL virtual host for servername banyan-test found (using default/first virtual host)
[Mon Jan 04 15:03:19.236932 2016] [ssl:debug] [pid 1743] ssl_engine_kernel.c(1811): [client 10.10.160.62:58996] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384 (256/256 bits)
[Mon Jan 04 15:03:19.236931 2016] [ssl:debug] [pid 1682] ssl_engine_kernel.c(1811): [client 10.10.160.62:58997] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384 (256/256 bits)
[Mon Jan 04 15:03:19.237103 2016] [ssl:debug] [pid 1682] ssl_engine_kernel.c(224): [client 10.10.160.62:58997] AH02034: Initial (No.1) HTTPS request received for child 0 (server banyan-test.dom.tld:443), referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.237128 2016] [ssl:debug] [pid 1743] ssl_engine_kernel.c(224): [client 10.10.160.62:58996] AH02034: Initial (No.1) HTTPS request received for child 12 (server banyan-test.dom.tld:443), referer: https://banyan-test/nagios/main.php
[Mon Jan 04 15:03:19.237220 2016] [authz_core:debug] [pid 1682] mod_authz_core.c(809): [client 10.10.160.62:58997] AH01626: authorization result of Require all granted: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.237237 2016] [authz_core:debug] [pid 1743] mod_authz_core.c(809): [client 10.10.160.62:58996] AH01626: authorization result of Require all granted: granted, referer: https://banyan-test/nagios/main.php
[Mon Jan 04 15:03:19.237245 2016] [authz_core:debug] [pid 1743] mod_authz_core.c(809): [client 10.10.160.62:58996] AH01626: authorization result of <RequireAny>: granted, referer: https://banyan-test/nagios/main.php
[Mon Jan 04 15:03:19.237243 2016] [authz_core:debug] [pid 1682] mod_authz_core.c(809): [client 10.10.160.62:58997] AH01626: authorization result of <RequireAny>: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.275865 2016] [ssl:debug] [pid 1742] ssl_engine_kernel.c(224): [client 10.10.160.62:58993] AH02034: Subsequent (No.3) HTTPS request received for child 11 (server banyan-test.dom.tld:443), referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.275962 2016] [authz_core:debug] [pid 1742] mod_authz_core.c(809): [client 10.10.160.62:58993] AH01626: authorization result of Require all granted: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.275969 2016] [authz_core:debug] [pid 1742] mod_authz_core.c(809): [client 10.10.160.62:58993] AH01626: authorization result of <RequireAny>: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.276042 2016] [ssl:debug] [pid 1743] ssl_engine_kernel.c(224): [client 10.10.160.62:58996] AH02034: Subsequent (No.2) HTTPS request received for child 12 (server banyan-test.dom.tld:443), referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.276106 2016] [authz_core:debug] [pid 1743] mod_authz_core.c(809): [client 10.10.160.62:58996] AH01626: authorization result of Require all granted: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.276113 2016] [authz_core:debug] [pid 1743] mod_authz_core.c(809): [client 10.10.160.62:58996] AH01626: authorization result of <RequireAny>: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
That same log on the Nagios 4.0.8 server (on which Kerberos is working):

Code: Select all

[Mon Jan 04 15:30:28.196294 2016] [ssl:info] [pid 1570] [client 10.10.160.62:62095] AH01964: Connection to child 1 established (server banyan-test.dom.tld:443)
[Mon Jan 04 15:30:28.196630 2016] [socache_shmcb:debug] [pid 1570] mod_socache_shmcb.c(522): AH00835: socache_shmcb_retrieve (0x50 -> subcache 16)
[Mon Jan 04 15:30:28.196658 2016] [socache_shmcb:debug] [pid 1570] mod_socache_shmcb.c(845): AH00849: match at idx=0, data=0
[Mon Jan 04 15:30:28.196666 2016] [socache_shmcb:debug] [pid 1570] mod_socache_shmcb.c(532): AH00836: leaving socache_shmcb_retrieve successfully
[Mon Jan 04 15:30:28.196718 2016] [ssl:debug] [pid 1570] ssl_engine_kernel.c(1885): [client 10.10.160.62:62095] AH02044: No matching SSL virtual host for servername banyan-test found (using default/first virtual host)
[Mon Jan 04 15:30:28.242456 2016] [ssl:debug] [pid 1570] ssl_engine_kernel.c(1811): [client 10.10.160.62:62095] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384 (256/256 bits)
[Mon Jan 04 15:30:28.243254 2016] [ssl:debug] [pid 1570] ssl_engine_kernel.c(224): [client 10.10.160.62:62095] AH02034: Initial (No.1) HTTPS request received for child 1 (server banyan-test.dom.tld:443)
[Mon Jan 04 15:30:28.243384 2016] [authz_core:debug] [pid 1570] mod_authz_core.c(809): [client 10.10.160.62:62095] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jan 04 15:30:28.243410 2016] [authz_core:debug] [pid 1570] mod_authz_core.c(809): [client 10.10.160.62:62095] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jan 04 15:30:28.243433 2016] [auth_kerb:debug] [pid 1570] src/mod_auth_kerb.c(1954): [client 10.10.160.62:62095] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jan 04 15:30:28.280948 2016] [ssl:debug] [pid 1570] ssl_engine_io.c(992): [client 10.10.160.62:62095] AH02001: Connection closed to child 1 with standard shutdown (server banyan-test.dom.tld:443)
[Mon Jan 04 15:30:28.320587 2016] [ssl:info] [pid 1597] [client 10.10.160.62:62096] AH01964: Connection to child 5 established (server banyan-test.dom.tld:443)
[Mon Jan 04 15:30:28.320882 2016] [socache_shmcb:debug] [pid 1597] mod_socache_shmcb.c(522): AH00835: socache_shmcb_retrieve (0x50 -> subcache 16)
[Mon Jan 04 15:30:28.320917 2016] [socache_shmcb:debug] [pid 1597] mod_socache_shmcb.c(845): AH00849: match at idx=0, data=0
[Mon Jan 04 15:30:28.320926 2016] [socache_shmcb:debug] [pid 1597] mod_socache_shmcb.c(532): AH00836: leaving socache_shmcb_retrieve successfully
[Mon Jan 04 15:30:28.320974 2016] [ssl:debug] [pid 1597] ssl_engine_kernel.c(1885): [client 10.10.160.62:62096] AH02044: No matching SSL virtual host for servername banyan-test found (using default/first virtual host)
[Mon Jan 04 15:30:28.350571 2016] [ssl:debug] [pid 1597] ssl_engine_kernel.c(1811): [client 10.10.160.62:62096] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384 (256/256 bits)
[Mon Jan 04 15:30:28.354394 2016] [ssl:debug] [pid 1597] ssl_engine_kernel.c(224): [client 10.10.160.62:62096] AH02034: Initial (No.1) HTTPS request received for child 5 (server banyan-test.dom.tld:443)
[Mon Jan 04 15:30:28.354569 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jan 04 15:30:28.354622 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jan 04 15:30:28.354817 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1954): [client 10.10.160.62:62096] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jan 04 15:30:28.354931 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1295): [client 10.10.160.62:62096] Acquiring creds for HTTP@banyan-test
[Mon Jan 04 15:30:28.363911 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1708): [client 10.10.160.62:62096] Verifying client data using KRB5 GSS-API 
[Mon Jan 04 15:30:28.364757 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1724): [client 10.10.160.62:62096] Client didn't delegate us their credential
[Mon Jan 04 15:30:28.364805 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1743): [client 10.10.160.62:62096] GSS-API token of length 22 bytes will be sent back
[Mon Jan 04 15:30:28.365328 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of Require valid-user : granted
[Mon Jan 04 15:30:28.365356 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of <RequireAny>: granted
[Mon Jan 04 15:30:28.365444 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jan 04 15:30:28.365463 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jan 04 15:30:28.365503 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1954): [client 10.10.160.62:62096] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jan 04 15:30:28.365546 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1295): [client 10.10.160.62:62096] Acquiring creds for HTTP@banyan-test
[Mon Jan 04 15:30:28.374002 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1708): [client 10.10.160.62:62096] Verifying client data using KRB5 GSS-API 
[Mon Jan 04 15:30:28.374805 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1724): [client 10.10.160.62:62096] Client didn't delegate us their credential
[Mon Jan 04 15:30:28.374852 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1743): [client 10.10.160.62:62096] GSS-API token of length 22 bytes will be sent back
[Mon Jan 04 15:30:28.375368 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of Require valid-user : granted
[Mon Jan 04 15:30:28.375400 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of <RequireAny>: granted
[Mon Jan 04 15:30:28.375533 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jan 04 15:30:28.375563 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jan 04 15:30:28.375578 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1954): [client 10.10.160.62:62096] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jan 04 15:30:28.375601 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1295): [client 10.10.160.62:62096] Acquiring creds for HTTP@banyan-test
[Mon Jan 04 15:30:28.383806 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1708): [client 10.10.160.62:62096] Verifying client data using KRB5 GSS-API 
[Mon Jan 04 15:30:28.384519 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1724): [client 10.10.160.62:62096] Client didn't delegate us their credential
[Mon Jan 04 15:30:28.384578 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1743): [client 10.10.160.62:62096] GSS-API token of length 22 bytes will be sent back
[Mon Jan 04 15:30:28.385372 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of Require valid-user : granted
[Mon Jan 04 15:30:28.385404 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of <RequireAny>: granted
[Mon Jan 04 15:30:28.848923 2016] [ssl:info] [pid 1572] [client 10.10.160.62:62100] AH01964: Connection to child 3 established (server banyan-test.dom.tld:443)
[Mon Jan 04 15:30:28.848979 2016] [ssl:info] [pid 1573] [client 10.10.160.62:62099] AH01964: Connection to child 4 established (server banyan-test.dom.tld:443)
[Mon Jan 04 15:30:28.849201 2016] [socache_shmcb:debug] [pid 1573] mod_socache_shmcb.c(522): AH00835: socache_shmcb_retrieve (0x50 -> subcache 16)
[Mon Jan 04 15:30:28.849229 2016] [socache_shmcb:debug] [pid 1573] mod_socache_shmcb.c(845): AH00849: match at idx=0, data=0
[Mon Jan 04 15:30:28.849236 2016] [socache_shmcb:debug] [pid 1573] mod_socache_shmcb.c(532): AH00836: leaving socache_shmcb_retrieve successfully
[Mon Jan 04 15:30:28.849272 2016] [socache_shmcb:debug] [pid 1572] mod_socache_shmcb.c(522): AH00835: socache_shmcb_retrieve (0x50 -> subcache 16)
[Mon Jan 04 15:30:28.849290 2016] [socache_shmcb:debug] [pid 1572] mod_socache_shmcb.c(845): AH00849: match at idx=0, data=0
The thing I notice is that the 4.0.8 server uses mod_auth_kerb to acquire credentials for HTTP@banyan-test, which is the SPN I created for this server. I'm not sure why the difference. (Yes, mod_auth_kerb is loaded on the Nagios 4.1.1 server.)
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Kerberos on Nagios 4.1.1

Post by ssax »

Are there any other differences in your /etc/httpd/conf/httpd.conf or your /etc/httpd/conf.d/* files?

Can you run a diff on the /etc/httpd/conf/httpd.conf files and on the /etc/httpd/conf.d directories? Something has to be different.

Code: Select all

diff -r folder1 folder2
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Kerberos on Nagios 4.1.1

Post by ssax »

It's weird you're not seeing any mod_auth_kerb stuff. Do you have the module installed and loaded (check the httpd.conf)?

Code: Select all

ls -l /usr/lib64/httpd/modules/
BenShirley
Posts: 7
Joined: Thu Jun 26, 2014 3:54 pm

Re: Kerberos on Nagios 4.1.1

Post by BenShirley »

I think you have pointed me in the right direction, ssax!

I removed the following line (it appears twice) from the /etc/httpd/conf.d/nagios.conf file on the Nagios 4.1.1 file:

Code: Select all

Require all granted
After restarting apache, Kerberos started working!

Thanks so much!
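Why removing the line worked: in Apache 2.4, several bare `Require` lines in one section act as an implicit `<RequireAny>`, so `Require all granted` authorizes the request before mod_auth_kerb is called, which is what the AH01626 lines in the 4.1.1 log above show. The following is an added example, not part of the original thread or of Nagios: a Python check that flags sections with that combination. The function name and the `WRAPPED` sample are assumptions made for illustration, and only bare `Require` lines directly in the section are examined.

```python
import re

SECTION_OPEN = re.compile(r"^<\s*(\w+)\s*(.*?)\s*>$")
SECTION_CLOSE = re.compile(r"^</\s*(\w+)\s*>$")
SCOPES = {"directory", "directorymatch", "location", "locationmatch"}
REQUIRE_CONTAINERS = {"requireall", "requireany", "requirenone"}


def find_auth_bypass(conf_text):
    """Flag scopes where AuthType is set but a bare 'Require all granted'
    sits beside the other Require lines (implicit RequireAny in 2.4)."""
    findings, stack, scope = [], [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing = SECTION_CLOSE.match(line)
        if closing:
            name = closing.group(1).lower()
            if stack and stack[-1] == name:
                stack.pop()
            if scope and name == scope["kind"] and len(stack) == scope["depth"]:
                if scope["authtype"] and scope["line"]:
                    keys = ("target", "authtype", "line", "shadowed")
                    findings.append({k: scope[k] for k in keys})
                scope = None
            continue
        opening = SECTION_OPEN.match(line)
        if opening:
            name = opening.group(1).lower()
            if scope is None and name in SCOPES:
                scope = {"kind": name, "target": opening.group(2).strip('"'),
                         "depth": len(stack), "authtype": None,
                         "line": None, "shadowed": []}
            stack.append(name)
            continue
        if scope is None:
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        # Require lines inside <RequireAll>/<RequireAny>/<RequireNone> are
        # governed by that container, not by the implicit RequireAny.
        nested = any(s in REQUIRE_CONTAINERS for s in stack[scope["depth"] + 1:])
        if directive == "authtype" and args.lower() != "none":
            scope["authtype"] = args
        elif directive == "require" and not nested:
            if " ".join(args.lower().split()) == "all granted":
                scope["line"] = lineno
            else:
                scope["shadowed"].append(args)  # never evaluated in practice
    return findings


# The cgi-bin section of the 4.1.1 nagios.conf posted earlier in the thread.
NAGIOS_411 = """\
<Directory "/usr/local/nagios/sbin">
   Options ExecCGI
   AllowOverride None
   Require all granted
   Order allow,deny
   Allow from all
   AuthName "Nagios Access"
   AuthType Kerberos
   KrbAuthRealms DOM.TLD
   KrbServiceName HTTP
   Krb5Keytab /etc/httpd/conf.d/bantest-http.keytab
   KrbMethodNegotiate on
   KrbMethodK5Passwd off
   Require valid-user
</Directory>
"""

# Same section with the fix from this post applied.
FIXED = "\n".join(
    l for l in NAGIOS_411.splitlines() if l.strip() != "Require all granted"
)

# Constructed variant: both conditions must hold, so authentication still runs.
WRAPPED = """\
<Directory "/usr/local/nagios/sbin">
   AuthType Kerberos
   <RequireAll>
      Require all granted
      Require valid-user
   </RequireAll>
</Directory>
"""

if __name__ == "__main__":
    for finding in find_auth_bypass(NAGIOS_411):
        print(finding)
```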
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Kerberos on Nagios 4.1.1

Post by rkennedy »

Glad to see this working now. I'll go ahead and close this thread out now, but feel free to open a new one if you ever need assistance!
Former Nagios Employee