Kerberos on Nagios 4.1.1

Posted: Wed Dec 09, 2015 7:55 pm
by BenShirley
I am attempting to build a new Nagios server with version 4.1.1 using Kerberos authentication on CentOS 7.1 and Apache 2.4. A few months ago, I had built a Nagios 4.0.8 test server and successfully configured Kerberos (documenting my steps).

On the new (4.1.1) server, I am unable to get Kerberos to work quite right with Nagios. The symptom I see is that I can open the web ui without being prompted for credentials. However, when I click on some links (such as the Hosts or Services links in the sidebar), I get an error message such as: It appears as though you do not have permission to view information for any of the services you requested... I get this message despite having my Windows username ([email protected]) configured as a contact and part of the admin group in the Nagios config, which I BELIEVE should allow me to view hosts and services for which that contact is configured (I'm just using the default localhost.cfg right now). For good measure, I also added my [email protected] to all of the authorized_for_* lines in the cgi.cfg file.

I'm fairly certain that my Kerberos service user account and keytab file are set up correctly, as I was able to configure a test site and have it work OK.

One of the first things I noticed when configuring Nagios 4.1.1 is that the Apache nagios.conf file has changed. I read about it here: https://support.nagios.com/forum/viewto ... 34&t=32789. I was unable to get even Basic (local) authentication working with the new file until I commented out all of the <IfVersion> stuff and the section applying to older versions of Apache. Once I did that, I could log on fine as nagiosadmin.

I went on to configure SSL, which was also fine, and then matched my Kerberos configuration as closely as I could to my previous Nagios 4.0.8 installation, which did not work. The only real difference is that, in the newer version of Nagios, the line:

Code:

Require all granted

replaces the obsolete lines:

Code:

Order allow,deny
Allow from all

So, here is my Nagios 4.0.8 nagios.conf:

Code:

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthName "Nagios Access"
   AuthType Kerberos
   KrbAuthRealms DOM.TLD
   KrbServiceName HTTP
   Krb5Keytab /etc/httpd/conf.d/bantest-http.keytab
   KrbMethodNegotiate on
   KrbMethodK5Passwd off
   Require valid-user
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
   Options None
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthName "Nagios Access"
   AuthType Kerberos
   KrbAuthRealms DOM.TLD
   KrbServiceName HTTP
   Krb5Keytab /etc/httpd/conf.d/bantest-http.keytab
   KrbMethodNegotiate on
   KrbMethodK5Passwd off
   Require valid-user
</Directory>

And here is nagios.conf from my Nagios 4.1.1 configuration:

Code:

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
   Options ExecCGI
   AllowOverride None
   Require all granted
   Order allow,deny
   Allow from all
   AuthName "Nagios Access"
   AuthType Kerberos
   KrbAuthRealms DOM.TLD
   KrbServiceName HTTP
   Krb5Keytab /etc/httpd/conf.d/bantest-http.keytab
   KrbMethodNegotiate on
   KrbMethodK5Passwd off
   Require valid-user
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
   Options None
   AllowOverride None
   Require all granted
   Order allow,deny
   Allow from all
   AuthName "Nagios Access"
   AuthType Kerberos
   KrbAuthRealms DOM.TLD
   KrbServiceName HTTP
   Krb5Keytab /etc/httpd/conf.d/bantest-http.keytab
   KrbMethodNegotiate on
   KrbMethodK5Passwd off
   Require valid-user
</Directory>

If I watch the ssl_access_log, I see my Windows username on the Nagios 4.0.8 server as I access the web ui:

Code:

192.168.3.9 - - [09/Dec/2015:15:41:58 -0800] "GET /nagios HTTP/1.1" 401 381
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios HTTP/1.1" 301 235
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/ HTTP/1.1" 200 900
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/side.php HTTP/1.1" 200 4576
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/main.php HTTP/1.1" 200 9343
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/stylesheets/common.css?4.0.8 HTTP/1.1" 200 9734
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/images/sblogo.png HTTP/1.1" 200 3231
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/images/logofullsize.png HTTP/1.1" 200 9543
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/images/weblogo1.png HTTP/1.1" 200 2401
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/js/jquery-1.7.1.min.js HTTP/1.1" 200 93868
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/images/sflogo.png HTTP/1.1" 200 469
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/images/passiveonly.gif HTTP/1.1" 200 882
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/cgi-bin/statusjson.cgi?query=programstatus HTTP/1.1" 200 985
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/images/favicon.ico HTTP/1.1" 200 822
192.168.3.9 - [email protected] [09/Dec/2015:15:41:58 -0800] "GET /nagios/images/enabled.gif HTTP/1.1" 200 90
But I don't see a username at all on my Nagios 4.1.1 server:

Code:

192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios HTTP/1.1" 301 235
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/ HTTP/1.1" 200 901
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/side.php HTTP/1.1" 200 4776
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/main.php HTTP/1.1" 200 9123
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/stylesheets/common.css?4.1.1 HTTP/1.1" 200 9734
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/images/sblogo.png HTTP/1.1" 200 3231
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/images/logofullsize.png HTTP/1.1" 200 9543
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/images/weblogo1.png HTTP/1.1" 200 2401
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/images/sflogo.png HTTP/1.1" 200 469
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/images/passiveonly.gif HTTP/1.1" 200 882
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/cgi-bin/statusjson.cgi?query=programstatus HTTP/1.1" 200 976
192.168.3.9 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/images/enabled.gif HTTP/1.1" 200 90
192.168.3.9 - - [09/Dec/2015:15:54:02 -0800] "GET /nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail HTTP/1.1" 200 7742
192.168.3.9 - - [09/Dec/2015:15:54:04 -0800] "GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 7932
(By the way, through the magic of VMware snapshots, these two Nagios implementations are actually on the same server so that I could eliminate as many variables as possible. I took a snapshot right before I installed Nagios the first time. When I wanted to test the newer version of Nagios, I went back to that point and did a clean install of Nagios 4.1.1. Both configurations use the exact same nagios-plugins-2.1.1, the same Kerberos service account, the same keytab file, the same Apache installation and version, etc.)

Does anyone have any ideas about how I could further troubleshoot or fix this? I COULD just give up and run my new installation on version 4.0.8, but I would much prefer to be on the latest version of Nagios.

Thanks in advance!
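
Added example, not part of the original post: the symptom in the two access logs above (pages under /nagios served with `-` in the user field) can be checked mechanically. The function name, the prefix default and the sample lines, including the made-up principal jdoe@DOM.TLD, are constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF = re.compile(
    r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)$')

# Constructed sample lines. 192.0.2.10 follows the normal Negotiate flow
# (401 challenge, then requests carrying a principal); 192.0.2.20 is served
# protected pages with no user at all.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Dec/2015:15:41:58 -0800] "GET /nagios/ HTTP/1.1" 401 381
192.0.2.10 - jdoe@DOM.TLD [09/Dec/2015:15:41:58 -0800] "GET /nagios/ HTTP/1.1" 200 900
192.0.2.10 - jdoe@DOM.TLD [09/Dec/2015:15:41:59 -0800] "GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 7932
192.0.2.20 - - [09/Dec/2015:15:53:59 -0800] "GET /nagios/ HTTP/1.1" 200 901
192.0.2.20 - - [09/Dec/2015:15:54:04 -0800] "GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 7932
192.0.2.20 - - [09/Dec/2015:15:54:05 -0800] "GET /favicon.ico HTTP/1.1" 404 209
"""


def unauthenticated_hits(log_text, protected_prefix="/nagios"):
    """Map client address -> [(status, path)] for 2xx/3xx responses under
    protected_prefix that were logged without an authenticated user.

    401 responses are the expected authentication challenge and are skipped.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = CLF.match(line.strip())
        if not m:
            continue  # not an access-log line
        host, _ident, user, _ts, _method, path, status, _size = m.groups()
        if not path.startswith(protected_prefix):
            continue
        if user == "-" and status[0] in "23":
            hits[host].append((int(status), path))
    return dict(hits)


if __name__ == "__main__":
    for client, reqs in unauthenticated_hits(SAMPLE_LOG).items():
        for status, path in reqs:
            print(f"{client} got {status} for {path} without a logged user")
```
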

Re: Kerberos on Nagios 4.1.1

Posted: Wed Dec 09, 2015 10:02 pm
by Box293
Is SELinux enabled?

Code:

getenforce

This will set it to permissive:

Code:

sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
setenforce 0

Try restarting apache/httpd after doing this.

Re: Kerberos on Nagios 4.1.1

Posted: Mon Dec 14, 2015 6:42 pm
by BenShirley
Thanks for the response.

SELinux is set to Permissive, so I don't think that is the issue. Any other ideas?

Re: Kerberos on Nagios 4.1.1

Posted: Tue Dec 15, 2015 4:25 pm
by ssax
If you edit your /etc/krb5.conf file, at the top it should list the log locations. Are you seeing any errors in there?

What is the output of this command:

Code:

klist

Also, what are you seeing in your /var/log/httpd/error_log or /var/log/httpd/ssl_error_log?

You could also set LogLevel debug in your /etc/httpd/conf/httpd.conf and/or in your /etc/httpd/conf.d/ssl.conf file to enable debug logging to see if any additional information gets put in there.

Make sure to restart apache after making the changes:

Code:

service httpd restart

Re: Kerberos on Nagios 4.1.1

Posted: Mon Jan 04, 2016 7:14 pm
by BenShirley
Sorry for the late response. I've been out of the office for the holidays, and for some reason, I'm not getting notifications when there is a post to this thread.

Here is the logging section of my /etc/krb5.conf file:

Code:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

However, none of those log files exist in /var/log. Do I need to turn on logging somewhere in order to create those log files?

If I do nothing, the output of klist is:

Code:

klist: Credentials cache keyring 'persistent:16777216:16777216' not found

However, if I first run: ...then I get the following klist output:

Code:

Ticket cache: KEYRING:persistent:16777216:16777216
Default principal: [email protected]

Valid starting       Expires              Service principal
01/04/2016 14:56:49  01/05/2016 00:56:49  krbtgt/[email protected]
	renew until 01/11/2016 14:56:45

I went ahead and set the LogLevel to debug in both my /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/ssl.conf files and then tailed the logs while accessing the Nagios page from a Kerberos-enabled browser.

The /var/log/httpd/error_log only contained a bunch of events like these:

Code:

[Mon Jan 04 15:01:42.693261 2016] [proxy:debug] [pid 1743] proxy_util.c(1840): AH00925: initializing worker proxy:reverse shared
[Mon Jan 04 15:01:42.693310 2016] [proxy:debug] [pid 1743] proxy_util.c(1882): AH00927: initializing worker proxy:reverse local
[Mon Jan 04 15:01:42.693343 2016] [proxy:debug] [pid 1743] proxy_util.c(1933): AH00931: initialized single connection worker in child 1743 for (*)
The /var/log/httpd/ssl_error_log on the snapshot of my server running 4.1.1 had events such as these:

Code:

[Mon Jan 04 15:03:18.781852 2016] [ssl:info] [pid 1742] [client 10.10.160.62:58993] AH01964: Connection to child 11 established (server banyan-test.dom.tld:443)
[Mon Jan 04 15:03:18.782211 2016] [socache_shmcb:debug] [pid 1742] mod_socache_shmcb.c(522): AH00835: socache_shmcb_retrieve (0x78 -> subcache 24)
[Mon Jan 04 15:03:18.782228 2016] [socache_shmcb:debug] [pid 1742] mod_socache_shmcb.c(845): AH00849: match at idx=0, data=0
[Mon Jan 04 15:03:18.782232 2016] [socache_shmcb:debug] [pid 1742] mod_socache_shmcb.c(532): AH00836: leaving socache_shmcb_retrieve successfully
[Mon Jan 04 15:03:18.782314 2016] [ssl:debug] [pid 1742] ssl_engine_kernel.c(1885): [client 10.10.160.62:58993] AH02044: No matching SSL virtual host for servername banyan-test found (using default/first virtual host)
[Mon Jan 04 15:03:18.812228 2016] [ssl:debug] [pid 1742] ssl_engine_kernel.c(1811): [client 10.10.160.62:58993] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384 (256/256 bits)
[Mon Jan 04 15:03:18.812587 2016] [ssl:debug] [pid 1742] ssl_engine_kernel.c(224): [client 10.10.160.62:58993] AH02034: Initial (No.1) HTTPS request received for child 11 (server banyan-test.dom.tld:443), referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:18.812779 2016] [authz_core:debug] [pid 1742] mod_authz_core.c(809): [client 10.10.160.62:58993] AH01626: authorization result of Require all granted: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:18.812792 2016] [authz_core:debug] [pid 1742] mod_authz_core.c(809): [client 10.10.160.62:58993] AH01626: authorization result of <RequireAny>: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.173143 2016] [ssl:debug] [pid 1742] ssl_engine_kernel.c(224): [client 10.10.160.62:58993] AH02034: Subsequent (No.2) HTTPS request received for child 11 (server banyan-test.dom.tld:443), referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.173361 2016] [authz_core:debug] [pid 1742] mod_authz_core.c(809): [client 10.10.160.62:58993] AH01626: authorization result of Require all granted: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.173382 2016] [authz_core:debug] [pid 1742] mod_authz_core.c(809): [client 10.10.160.62:58993] AH01626: authorization result of <RequireAny>: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.203141 2016] [ssl:info] [pid 1682] [client 10.10.160.62:58997] AH01964: Connection to child 0 established (server banyan-test.dom.tld:443)
[Mon Jan 04 15:03:19.203140 2016] [ssl:info] [pid 1743] [client 10.10.160.62:58996] AH01964: Connection to child 12 established (server banyan-test.dom.tld:443)
[Mon Jan 04 15:03:19.203264 2016] [socache_shmcb:debug] [pid 1682] mod_socache_shmcb.c(522): AH00835: socache_shmcb_retrieve (0x78 -> subcache 24)
[Mon Jan 04 15:03:19.203273 2016] [socache_shmcb:debug] [pid 1682] mod_socache_shmcb.c(845): AH00849: match at idx=0, data=0
[Mon Jan 04 15:03:19.203276 2016] [socache_shmcb:debug] [pid 1682] mod_socache_shmcb.c(532): AH00836: leaving socache_shmcb_retrieve successfully
[Mon Jan 04 15:03:19.203324 2016] [ssl:debug] [pid 1682] ssl_engine_kernel.c(1885): [client 10.10.160.62:58997] AH02044: No matching SSL virtual host for servername banyan-test found (using default/first virtual host)
[Mon Jan 04 15:03:19.203443 2016] [socache_shmcb:debug] [pid 1743] mod_socache_shmcb.c(522): AH00835: socache_shmcb_retrieve (0x78 -> subcache 24)
[Mon Jan 04 15:03:19.203468 2016] [socache_shmcb:debug] [pid 1743] mod_socache_shmcb.c(845): AH00849: match at idx=0, data=0
[Mon Jan 04 15:03:19.203473 2016] [socache_shmcb:debug] [pid 1743] mod_socache_shmcb.c(532): AH00836: leaving socache_shmcb_retrieve successfully
[Mon Jan 04 15:03:19.203515 2016] [ssl:debug] [pid 1743] ssl_engine_kernel.c(1885): [client 10.10.160.62:58996] AH02044: No matching SSL virtual host for servername banyan-test found (using default/first virtual host)
[Mon Jan 04 15:03:19.236932 2016] [ssl:debug] [pid 1743] ssl_engine_kernel.c(1811): [client 10.10.160.62:58996] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384 (256/256 bits)
[Mon Jan 04 15:03:19.236931 2016] [ssl:debug] [pid 1682] ssl_engine_kernel.c(1811): [client 10.10.160.62:58997] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384 (256/256 bits)
[Mon Jan 04 15:03:19.237103 2016] [ssl:debug] [pid 1682] ssl_engine_kernel.c(224): [client 10.10.160.62:58997] AH02034: Initial (No.1) HTTPS request received for child 0 (server banyan-test.dom.tld:443), referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.237128 2016] [ssl:debug] [pid 1743] ssl_engine_kernel.c(224): [client 10.10.160.62:58996] AH02034: Initial (No.1) HTTPS request received for child 12 (server banyan-test.dom.tld:443), referer: https://banyan-test/nagios/main.php
[Mon Jan 04 15:03:19.237220 2016] [authz_core:debug] [pid 1682] mod_authz_core.c(809): [client 10.10.160.62:58997] AH01626: authorization result of Require all granted: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.237237 2016] [authz_core:debug] [pid 1743] mod_authz_core.c(809): [client 10.10.160.62:58996] AH01626: authorization result of Require all granted: granted, referer: https://banyan-test/nagios/main.php
[Mon Jan 04 15:03:19.237245 2016] [authz_core:debug] [pid 1743] mod_authz_core.c(809): [client 10.10.160.62:58996] AH01626: authorization result of <RequireAny>: granted, referer: https://banyan-test/nagios/main.php
[Mon Jan 04 15:03:19.237243 2016] [authz_core:debug] [pid 1682] mod_authz_core.c(809): [client 10.10.160.62:58997] AH01626: authorization result of <RequireAny>: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.275865 2016] [ssl:debug] [pid 1742] ssl_engine_kernel.c(224): [client 10.10.160.62:58993] AH02034: Subsequent (No.3) HTTPS request received for child 11 (server banyan-test.dom.tld:443), referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.275962 2016] [authz_core:debug] [pid 1742] mod_authz_core.c(809): [client 10.10.160.62:58993] AH01626: authorization result of Require all granted: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.275969 2016] [authz_core:debug] [pid 1742] mod_authz_core.c(809): [client 10.10.160.62:58993] AH01626: authorization result of <RequireAny>: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.276042 2016] [ssl:debug] [pid 1743] ssl_engine_kernel.c(224): [client 10.10.160.62:58996] AH02034: Subsequent (No.2) HTTPS request received for child 12 (server banyan-test.dom.tld:443), referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.276106 2016] [authz_core:debug] [pid 1743] mod_authz_core.c(809): [client 10.10.160.62:58996] AH01626: authorization result of Require all granted: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
[Mon Jan 04 15:03:19.276113 2016] [authz_core:debug] [pid 1743] mod_authz_core.c(809): [client 10.10.160.62:58996] AH01626: authorization result of <RequireAny>: granted, referer: https://banyan-test/nagios/cgi-bin/status.cgi?hostgroup=all&style=hostdetail
That same log on the Nagios 4.0.8 server (on which Kerberos is working):

Code:

[Mon Jan 04 15:30:28.196294 2016] [ssl:info] [pid 1570] [client 10.10.160.62:62095] AH01964: Connection to child 1 established (server banyan-test.dom.tld:443)
[Mon Jan 04 15:30:28.196630 2016] [socache_shmcb:debug] [pid 1570] mod_socache_shmcb.c(522): AH00835: socache_shmcb_retrieve (0x50 -> subcache 16)
[Mon Jan 04 15:30:28.196658 2016] [socache_shmcb:debug] [pid 1570] mod_socache_shmcb.c(845): AH00849: match at idx=0, data=0
[Mon Jan 04 15:30:28.196666 2016] [socache_shmcb:debug] [pid 1570] mod_socache_shmcb.c(532): AH00836: leaving socache_shmcb_retrieve successfully
[Mon Jan 04 15:30:28.196718 2016] [ssl:debug] [pid 1570] ssl_engine_kernel.c(1885): [client 10.10.160.62:62095] AH02044: No matching SSL virtual host for servername banyan-test found (using default/first virtual host)
[Mon Jan 04 15:30:28.242456 2016] [ssl:debug] [pid 1570] ssl_engine_kernel.c(1811): [client 10.10.160.62:62095] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384 (256/256 bits)
[Mon Jan 04 15:30:28.243254 2016] [ssl:debug] [pid 1570] ssl_engine_kernel.c(224): [client 10.10.160.62:62095] AH02034: Initial (No.1) HTTPS request received for child 1 (server banyan-test.dom.tld:443)
[Mon Jan 04 15:30:28.243384 2016] [authz_core:debug] [pid 1570] mod_authz_core.c(809): [client 10.10.160.62:62095] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jan 04 15:30:28.243410 2016] [authz_core:debug] [pid 1570] mod_authz_core.c(809): [client 10.10.160.62:62095] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jan 04 15:30:28.243433 2016] [auth_kerb:debug] [pid 1570] src/mod_auth_kerb.c(1954): [client 10.10.160.62:62095] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jan 04 15:30:28.280948 2016] [ssl:debug] [pid 1570] ssl_engine_io.c(992): [client 10.10.160.62:62095] AH02001: Connection closed to child 1 with standard shutdown (server banyan-test.dom.tld:443)
[Mon Jan 04 15:30:28.320587 2016] [ssl:info] [pid 1597] [client 10.10.160.62:62096] AH01964: Connection to child 5 established (server banyan-test.dom.tld:443)
[Mon Jan 04 15:30:28.320882 2016] [socache_shmcb:debug] [pid 1597] mod_socache_shmcb.c(522): AH00835: socache_shmcb_retrieve (0x50 -> subcache 16)
[Mon Jan 04 15:30:28.320917 2016] [socache_shmcb:debug] [pid 1597] mod_socache_shmcb.c(845): AH00849: match at idx=0, data=0
[Mon Jan 04 15:30:28.320926 2016] [socache_shmcb:debug] [pid 1597] mod_socache_shmcb.c(532): AH00836: leaving socache_shmcb_retrieve successfully
[Mon Jan 04 15:30:28.320974 2016] [ssl:debug] [pid 1597] ssl_engine_kernel.c(1885): [client 10.10.160.62:62096] AH02044: No matching SSL virtual host for servername banyan-test found (using default/first virtual host)
[Mon Jan 04 15:30:28.350571 2016] [ssl:debug] [pid 1597] ssl_engine_kernel.c(1811): [client 10.10.160.62:62096] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384 (256/256 bits)
[Mon Jan 04 15:30:28.354394 2016] [ssl:debug] [pid 1597] ssl_engine_kernel.c(224): [client 10.10.160.62:62096] AH02034: Initial (No.1) HTTPS request received for child 5 (server banyan-test.dom.tld:443)
[Mon Jan 04 15:30:28.354569 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jan 04 15:30:28.354622 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jan 04 15:30:28.354817 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1954): [client 10.10.160.62:62096] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jan 04 15:30:28.354931 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1295): [client 10.10.160.62:62096] Acquiring creds for HTTP@banyan-test
[Mon Jan 04 15:30:28.363911 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1708): [client 10.10.160.62:62096] Verifying client data using KRB5 GSS-API 
[Mon Jan 04 15:30:28.364757 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1724): [client 10.10.160.62:62096] Client didn't delegate us their credential
[Mon Jan 04 15:30:28.364805 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1743): [client 10.10.160.62:62096] GSS-API token of length 22 bytes will be sent back
[Mon Jan 04 15:30:28.365328 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of Require valid-user : granted
[Mon Jan 04 15:30:28.365356 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of <RequireAny>: granted
[Mon Jan 04 15:30:28.365444 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jan 04 15:30:28.365463 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jan 04 15:30:28.365503 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1954): [client 10.10.160.62:62096] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jan 04 15:30:28.365546 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1295): [client 10.10.160.62:62096] Acquiring creds for HTTP@banyan-test
[Mon Jan 04 15:30:28.374002 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1708): [client 10.10.160.62:62096] Verifying client data using KRB5 GSS-API 
[Mon Jan 04 15:30:28.374805 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1724): [client 10.10.160.62:62096] Client didn't delegate us their credential
[Mon Jan 04 15:30:28.374852 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1743): [client 10.10.160.62:62096] GSS-API token of length 22 bytes will be sent back
[Mon Jan 04 15:30:28.375368 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of Require valid-user : granted
[Mon Jan 04 15:30:28.375400 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of <RequireAny>: granted
[Mon Jan 04 15:30:28.375533 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jan 04 15:30:28.375563 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jan 04 15:30:28.375578 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1954): [client 10.10.160.62:62096] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jan 04 15:30:28.375601 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1295): [client 10.10.160.62:62096] Acquiring creds for HTTP@banyan-test
[Mon Jan 04 15:30:28.383806 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1708): [client 10.10.160.62:62096] Verifying client data using KRB5 GSS-API 
[Mon Jan 04 15:30:28.384519 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1724): [client 10.10.160.62:62096] Client didn't delegate us their credential
[Mon Jan 04 15:30:28.384578 2016] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1743): [client 10.10.160.62:62096] GSS-API token of length 22 bytes will be sent back
[Mon Jan 04 15:30:28.385372 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of Require valid-user : granted
[Mon Jan 04 15:30:28.385404 2016] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client 10.10.160.62:62096] AH01626: authorization result of <RequireAny>: granted
[Mon Jan 04 15:30:28.848923 2016] [ssl:info] [pid 1572] [client 10.10.160.62:62100] AH01964: Connection to child 3 established (server banyan-test.dom.tld:443)
[Mon Jan 04 15:30:28.848979 2016] [ssl:info] [pid 1573] [client 10.10.160.62:62099] AH01964: Connection to child 4 established (server banyan-test.dom.tld:443)
[Mon Jan 04 15:30:28.849201 2016] [socache_shmcb:debug] [pid 1573] mod_socache_shmcb.c(522): AH00835: socache_shmcb_retrieve (0x50 -> subcache 16)
[Mon Jan 04 15:30:28.849229 2016] [socache_shmcb:debug] [pid 1573] mod_socache_shmcb.c(845): AH00849: match at idx=0, data=0
[Mon Jan 04 15:30:28.849236 2016] [socache_shmcb:debug] [pid 1573] mod_socache_shmcb.c(532): AH00836: leaving socache_shmcb_retrieve successfully
[Mon Jan 04 15:30:28.849272 2016] [socache_shmcb:debug] [pid 1572] mod_socache_shmcb.c(522): AH00835: socache_shmcb_retrieve (0x50 -> subcache 16)
[Mon Jan 04 15:30:28.849290 2016] [socache_shmcb:debug] [pid 1572] mod_socache_shmcb.c(845): AH00849: match at idx=0, data=0
The thing I notice is that the 4.0.8 server uses mod_auth_kerb to acquire credentials for HTTP@banyan-test, which is the SPN I created for this server. I'm not sure why the difference. (Yes, mod_auth_kerb is loaded on the Nagios 4.1.1 server.)

Re: Kerberos on Nagios 4.1.1

Posted: Tue Jan 05, 2016 4:59 pm
by ssax
Are there any other differences in your /etc/httpd/conf/httpd.conf or your /etc/httpd/conf.d/* files?

Can you run a diff on the /etc/httpd/conf/httpd.conf files and on the /etc/httpd/conf.d directories? Something has to be different.

Code:

diff -r folder1 folder2

Re: Kerberos on Nagios 4.1.1

Posted: Tue Jan 05, 2016 5:05 pm
by ssax
It's weird you're not seeing any mod_auth_kerb stuff. Do you have the module installed and loaded (check the httpd.conf)?

Code:

ls -l /usr/lib64/httpd/modules/

Re: Kerberos on Nagios 4.1.1

Posted: Tue Jan 05, 2016 8:09 pm
by BenShirley
I think you have pointed me in the right direction, ssax!

I removed the following line (it appears twice) from the /etc/httpd/conf.d/nagios.conf file on the Nagios 4.1.1 file:

Code:

Require all granted

After restarting Apache, Kerberos started working!

Thanks so much!
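
Added example, not part of the original thread or of the Nagios project: in Apache 2.4, bare Require lines in one section are combined as an implicit <RequireAny> (the `authorization result of <RequireAny>: granted` lines in the 4.1.1 debug log above), so `Require all granted` next to `Require valid-user` lets every request through before mod_auth_kerb is asked for a user. The Python check below flags that pattern; `find_auth_bypass` and the sample config are hypothetical names and constructed input, and each section is evaluated on its own without modelling Apache's merging across sections.

```python
import re

OPEN_TAG = re.compile(r"^<(\w+)\s*(.*)>$")
CLOSE_TAG = re.compile(r"^</(\w+)\s*>$")
AUTHZ = {"requireany": any, "requireall": all, "requirenone": None}
WRAPPERS = {"ifversion", "ifmodule", "ifdefine"}   # treated as transparent
USER_PROVIDERS = {"valid-user", "user", "group"}   # need an authenticated user

# Constructed sample: the first block is a trimmed copy of the 4.1.1 section
# quoted in the thread, the second has "Require all granted" removed.
SAMPLE_CONF = """
<Directory "/usr/local/nagios/sbin">
   Options ExecCGI
   Require all granted
   AuthName "Nagios Access"
   AuthType Kerberos
   Require valid-user
</Directory>
<Directory "/usr/local/nagios/share">
   AuthName "Nagios Access"
   AuthType Kerberos
   Require valid-user
</Directory>
"""


def _open_without_user(op, children):
    """Can this authz container be satisfied by an anonymous request?"""
    if op == "requirenone" or not children:
        return False
    return AUTHZ[op](children)


def _nearest(stack, kinds):
    """Innermost open frame of one of the given kinds, skipping wrappers."""
    return next((f for f in reversed(stack) if f["kind"] in kinds), None)


def find_auth_bypass(conf_text):
    """Return sections that set AuthType and a user-based Require but whose
    combined Require directives grant access before authentication."""
    findings, stack = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE_TAG.match(line):
            frame = stack.pop() if stack else {"kind": "wrapper"}
            if frame["kind"] == "authz":
                parent = _nearest(stack, ("authz", "scope"))
                if parent:
                    parent["children"].append(
                        _open_without_user(frame["op"], frame["children"]))
            elif frame["kind"] == "scope":
                # Bare Require lines in a section form an implicit <RequireAny>.
                if (frame["auth_type"] and frame["wants_user"] and
                        _open_without_user("requireany", frame["children"])):
                    findings.append({"section": frame["label"],
                                     "line": frame["line"],
                                     "auth_type": frame["auth_type"]})
            continue
        m = OPEN_TAG.match(line)
        if m:
            name = m.group(1).lower()
            if name in WRAPPERS:
                stack.append({"kind": "wrapper"})
            elif name in AUTHZ:
                stack.append({"kind": "authz", "op": name, "children": []})
            else:
                stack.append({"kind": "scope", "label": line, "line": lineno,
                              "auth_type": None, "wants_user": False,
                              "children": []})
            continue
        parts = line.split()
        scope = _nearest(stack, ("scope",))
        if scope is None:
            continue  # server-level directive, outside any section
        directive = parts[0].lower()
        if directive == "authtype" and len(parts) > 1:
            scope["auth_type"] = None if parts[1].lower() == "none" else parts[1]
        elif directive == "require" and len(parts) > 1:
            args = [p.lower() for p in parts[1:]]
            if args[0] in USER_PROVIDERS:
                scope["wants_user"] = True
            # Only "Require all granted" is unconditionally open.
            _nearest(stack, ("authz", "scope"))["children"].append(
                args[:2] == ["all", "granted"])
    return findings
```

Wrapping both lines in `<RequireAll>` also passes the check, since the container then still demands a valid user.
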

Re: Kerberos on Nagios 4.1.1

Posted: Wed Jan 06, 2016 10:41 am
by rkennedy
Glad to see this working now. I'll go ahead and close this thread out now, but feel free to open a new one if you ever need assistance!