Nagios Authentication with Active Directory (Slightly Off-Topic)

Dimitri Yioulos dyioulos at firstbhph.com
Wed Jan 5 23:02:08 CET 2005


<CLIP>

>The following are instructions for Fedora Core 3 in a typical Active
>Directory environment, but they should be adaptable to other distros.  
>
>You will need the following packages and their dependencies (preferably
>most recent):
>
>krb5-workstation
>pam_krb5
>mod_auth_pam (http://pam.sourceforge.net/mod_auth_pam)
>
>Optional, but highly recommended:
>nscd (to cache authentication requests)
>
>The instructions that follow assume that you are using Apache v2.x with
>module support and SSL, and that you want to authenticate against
>a Windows 2003 Server DC.
>
>Make sure that the following services are enabled in your init scripts
>for your runlevel (chkconfig):
>
>winbind
>nscd (if being used--highly recommended so that your DC is not pounded
>with numerous requests)
>
>Add the following to your /etc/krb5.conf.  Automatic kdc and
>realm lookup will save you a lot of headaches (may be less secure since
>it informs kerberos to locate the nearest kdc, a.k.a. domain controller.
>Read the docs if you want to hard wire it to a specific kdc). Note that
>your realms must be ALL CAPS:
>
>[libdefaults]
>default_realm = YOUR.FULLY.QUALIFIED.DOMAIN
>dns_lookup_realm = true
>dns_lookup_kdc = true
>
>Add this to /etc/httpd/conf/httpd.conf.  I highly recommend that you use
>SSL to protect your domain passwords from being sent across the network
>in plain text (Note that statuswrl.cgi will not load in Internet
>Explorer when using SSL, a small price to pay. You should also set up a
>certificate, which I will not delve into here.):
>
>LoadModule auth_pam_module modules/mod_auth_pam.so
>SSLProtocol -all +SSLv2
>SSLVerifyClient none
>
>Also, add a nagios.conf to your /etc/httpd/conf.d/ to configure
>authentication and disregard the instructions that come with nagios for
>configuring web authorization (they are somewhat outdated):
>
>ScriptAlias /nagios/cgi-bin/ /usr/local/nagios/sbin/
><Directory "/usr/local/nagios/sbin/">
>    Options ExecCGI
>    AllowOverride None
>    Order deny,allow
>    Deny from all
>    Allow from 127.0.0.1
>    # your subnet(s); Apache has no inline comments, so keep notes on their own line
>    Allow from x.x.x.x/x
>    AuthType Basic
>    AuthName "Nagios Web Access"
>    # or use 'Require group', read the docs
>    Require user your_domain_users
>    AuthPAM_Enabled on
>    AuthPAM_FallThrough off
>    SSLCipherSuite -all:SSLv2:+HIGH
></Directory>
>
>Alias /nagios /usr/local/nagios/share/
><Directory "/usr/local/nagios/share/">
>    Options None
>    AllowOverride None
>    Order deny,allow
>    Deny from all
>    Allow from 127.0.0.1
>    # your subnet(s)
>    Allow from x.x.x.x/x
>    AuthType Basic
>    AuthName "Nagios Web Access"
>    Require user your_domain_users
>    AuthPAM_Enabled on
>    AuthPAM_FallThrough off
>    SSLCipherSuite -all:SSLv2:+HIGH
></Directory>
>
>Edit /etc/pam.d/httpd to enable kerberos authentication with pam.
>Something similar to this will work:
>
>#%PAM-1.0
>auth        sufficient    /lib/security/pam_krb5.so
>auth        required      /lib/security/pam_unix.so
>account     sufficient    /lib/security/pam_krb5.so
>account     required      /lib/security/pam_unix.so
>
>Now you must join your Linux box to your directory and test your
>configuration.  See chapter 6 of the Official Samba-3 HOWTO for more
>information
>(http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member).
>You will also probably want to set up ntp so that your time stays
>synchronized.
>

<CLIP>

Shawn,

Thanks for the above post.

Unfortunately, I'm having a problem.  Samba is installed and has been
working successfully for some time using ADS.  However, my nagios login
doesn't work.  Here's the output from syslog:

Jan  5 16:54:39 kingston httpd: pam_krb5: authenticate error: KRB5 error code 52 (-1765328332)
Jan  5 16:54:39 kingston httpd: pam_krb5: authentication fails for `dyioulos'
Jan  5 16:54:39 kingston httpd(pam_unix)[8513]: authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=  user=dyioulos

What have I done wrong?

Thanks.

Dimitri
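An added example (not part of this thread or of pam_krb5) for triaging syslog lines like the ones above: pam_krb5 logs the com_err value, and the krb5 com_err table starts at ERROR_TABLE_BASE_krb5 (-1765328384, from MIT krb5_err.h), so the protocol code is value minus that base; the name table is a small subset of RFC 4120 codes, and the sample log text is the three lines from the post joined back into single syslog records.

```python
import re

# com_err packs the krb5 error table as BASE + protocol code (at most 256 codes per table).
ERROR_TABLE_BASE_KRB5 = -1765328384

# Subset of RFC 4120 KDC/AP error codes, named as in MIT krb5_err.h.
KRB5_ERROR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    18: "KRB5KDC_ERR_CLIENT_REVOKED",
    23: "KRB5KDC_ERR_KEY_EXP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
    37: "KRB5KRB_AP_ERR_SKEW",
    52: "KRB5KRB_ERR_RESPONSE_TOO_BIG",  # MIT text: "Response too big for UDP, retry with TCP"
}

# Constructed sample: the syslog records quoted in the post, one record per line.
SAMPLE_LOG = """\
Jan  5 16:54:39 kingston httpd: pam_krb5: authenticate error: KRB5 error code 52 (-1765328332)
Jan  5 16:54:39 kingston httpd: pam_krb5: authentication fails for `dyioulos'
Jan  5 16:54:39 kingston httpd(pam_unix)[8513]: authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=  user=dyioulos
"""

AUTH_ERROR_RE = re.compile(r"pam_krb5: authenticate error: KRB5 error code (\d+) \((-?\d+)\)")
AUTH_FAIL_RE = re.compile(r"pam_krb5: authentication fails for `([^']+)'")


def decode_com_err(value):
    """Map a com_err value from the krb5 table to (protocol_code, name); None if not in the table."""
    code = value - ERROR_TABLE_BASE_KRB5
    if not 0 <= code < 256:
        return None
    return code, KRB5_ERROR_NAMES.get(code, "UNKNOWN_KRB5_CODE")


def triage_pam_krb5(log_text):
    """Pair each pam_krb5 'authenticate error' with the user on the following 'fails for' line."""
    events, pending = [], None
    for line in log_text.splitlines():
        m = AUTH_ERROR_RE.search(line)
        if m:
            pending = decode_com_err(int(m.group(2)))
            if pending is not None and pending[0] != int(m.group(1)):
                pending = None  # numeric value is not from the krb5 table; do not trust the pairing
            continue
        m = AUTH_FAIL_RE.search(line)
        if m and pending:
            events.append({"user": m.group(1), "code": pending[0], "name": pending[1]})
            pending = None
    return events


if __name__ == "__main__":
    for event in triage_pam_krb5(SAMPLE_LOG):
        print(event)
```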



_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null