[rt-users] SSO fallback to RT Login failure

Myrat Saparow muratsaparow at gmail.com
Tue Feb 3 00:52:14 EST 2015


"Require ip 127.0.0.1" was put there to allow local mail requests to pass; I
moved it to a separate <Location> in the config.

#Allow mail gateway to send mails via RT site
<Location /REST/1.0/NoAuth/mail-gateway>
    Order deny,allow
    Deny from all
    Allow from localhost
    Satisfy any
</Location>

<Location /NoAuth>
    Satisfy any
    Allow from all
</Location>

SSO works fine with machines that are members of the local AD.
The authorization problem arises when I try to log in from a machine that is
not a member of AD. I thought that with "$WebFallbackToRTLogin" set to
true, the user is redirected to the RT login form when authentication with
Kerberos fails. Am I missing something here? Or should I just set up another
virtual host without SSO to be able to log on with local users, as suggested
in this post <http://www.gossamer-threads.com/lists/rt/users/117509#117509>?

Regards,
Myrat

On Tue Feb 03 2015 at 2:08:30 AM Kevin Falcone <falcone at bestpractical.com>
wrote:

> On Mon, Feb 02, 2015 at 07:51:20AM +0000, Myrat Saparow wrote:
> > I have been trying to implement SSO on our RT test environment. The SSO
> > login from machines that are authenticated by our DC works fine, but I
> > can't get it to fall back to RT login when SSO fails. I constantly get the
> > "Unauthorized" page from Apache instead.
>
> I believe you want to read up on the Satisfy directive.
> There's some additional docs here:
> https://bestpractical.com/docs/rt/latest/authentication
> http://httpd.apache.org/docs/2.2/mod/core.html#satisfy
>
> -kevin
>
> > Can someone help me with configuring falling back to RT login?
> >
> > Environment:
> > Ubuntu Server 14.01
> > RT 4.2.9
> > Apache2
> > mod_auth_kerb + krb5
> >
> > Relevant config file entries
> >
> > RT_Siteconfig.pm
> >
> > Set( $WebRemoteUserAuth, 1);
> > Set( $WebRemoteUserInfo, 1);
> > Set( $WebRemoteUserContinuous, 1);
> > Set( $WebFallbackToRTLogin, 1);
> > Set( $WebRemoteUserAutocreate, 1);
> > Set( $UserAutocreateDefaultsOnLogin, { Privileged => 0 });
> >
> >
> > /etc/apache2/sites-available/rt.conf
> >
> >  <Location />
> >   AuthType Kerberos
> >   Krb5Keytab /etc/apache2/http.keytab
> >   KrbMethodNegotiate on
> >   KrbMethodK5Passwd off
> >   KrbLocalUserMapping on
> >   Require valid-user
> >   Require ip 127.0.0.1
> >   AllowOverride None
> >  </Location>
> >
> > /var/log/apache2/error.log
> >
> > [Mon Feb 02 12:10:45.728093 2015] [ssl:info] [pid 27607:tid 140437369087744] [client xxx.xxx.xxx.xxx:3832] AH01964: Connection to child 10 established (server rt.server:443)
> > [Mon Feb 02 12:10:45.728678 2015] [socache_shmcb:debug] [pid 27607:tid 140437369087744] mod_socache_shmcb.c(520): AH00835: socache_shmcb_retrieve (0xc1 -> subcache 1)
> > [Mon Feb 02 12:10:45.728708 2015] [socache_shmcb:debug] [pid 27607:tid 140437369087744] mod_socache_shmcb.c(843): AH00849: match at idx=0, data=0
> > [Mon Feb 02 12:10:45.728716 2015] [socache_shmcb:debug] [pid 27607:tid 140437369087744] mod_socache_shmcb.c(530): AH00836: leaving socache_shmcb_retrieve successfully
> > [Mon Feb 02 12:10:45.730549 2015] [ssl:debug] [pid 27607:tid 140437369087744] ssl_engine_kernel.c(1844): [client xxx.xxx.xxx.xxx:3832] AH02041: Protocol: TLSv1, Cipher: RC4-SHA (128/128 bits)
> > [Mon Feb 02 12:10:45.732144 2015] [ssl:debug] [pid 27607:tid 140437369087744] ssl_engine_kernel.c(222): [client xxx.xxx.xxx.xxx:3832] AH02034: Initial (No.1) HTTPS request received for child 10 (server rt.server:443)
> > [Mon Feb 02 12:10:45.732270 2015] [authz_core:debug] [pid 27607:tid 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
> > [Mon Feb 02 12:10:45.732312 2015] [authz_core:debug] [pid 27607:tid 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of Require ip 127.0.0.1: denied
> > [Mon Feb 02 12:10:45.732336 2015] [authz_core:debug] [pid 27607:tid 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
> > [Mon Feb 02 12:10:45.732377 2015] [auth_kerb:debug] [pid 27607:tid 140437369087744] src/mod_auth_kerb.c(1652): [client xxx.xxx.xxx.xxx:3832] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> > [Mon Feb 02 12:10:45.734251 2015] [ssl:debug] [pid 27607:tid 140437360695040] ssl_engine_kernel.c(222): [client xxx.xxx.xxx.xxx:3832] AH02034: Subsequent (No.2) HTTPS request received for child 10 (server rt.server:443)
> > [Mon Feb 02 12:10:45.734355 2015] [authz_core:debug] [pid 27607:tid 140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
> > [Mon Feb 02 12:10:45.734390 2015] [authz_core:debug] [pid 27607:tid 140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of Require ip 127.0.0.1: denied
> > [Mon Feb 02 12:10:45.734413 2015] [authz_core:debug] [pid 27607:tid 140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
> > [Mon Feb 02 12:10:45.734447 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1652): [client xxx.xxx.xxx.xxx:3832] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> > [Mon Feb 02 12:10:45.734513 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1260): [client xxx.xxx.xxx.xxx:3832] Acquiring creds for HTTP at rt.server
> > [Mon Feb 02 12:10:45.739959 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1406): [client xxx.xxx.xxx.xxx:3832] Verifying client data using KRB5 GSS-API
> > [Mon Feb 02 12:10:45.740081 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1422): [client xxx.xxx.xxx.xxx:3832] Client didn't delegate us their credential
> > [Mon Feb 02 12:10:45.740113 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1450): [client xxx.xxx.xxx.xxx:3832] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
> > [Mon Feb 02 12:10:45.740139 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1121): [client xxx.xxx.xxx.xxx:3832] GSS-API major_status:00010000, minor_status:00000000
> > [Mon Feb 02 12:10:45.740178 2015] [auth_kerb:error] [pid 27607:tid 140437360695040] [client xxx.xxx.xxx.xxx:3832] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
> >
> >
> > Best Regards,
> > Myrat
>
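The authz_core lines in the quoted error.log show the order Apache 2.4 follows. The Require directives inside <Location /> are evaluated first with no user; bare Require lines at one level merge into an implicit <RequireAny>, `Require ip 127.0.0.1` is denied for a remote client, and `Require valid-user` is "denied (no authenticated user yet)". Only that last result makes Apache call the authentication provider, and mod_auth_kerb with KrbMethodK5Passwd off offers nothing but Negotiate, so a browser with no Kerberos ticket (or one that sends an NTLM token, as the GSS-API error shows) is answered 401 and the request never reaches RT; $WebFallbackToRTLogin has nothing to act on. The Python below is an added illustration, not RT's or Apache's code. It models that decision order for a few constructed requests against the thread's configuration (the posted Order/Deny/Allow/Satisfy blocks transcribed to their Apache 2.4 Require equivalents, with `Allow from localhost` simplified to the loopback address and AuthMerging assumed Off) and against a split layout related to the separate-vhost idea raised in the thread, where `/` is left open and Kerberos is required only on `/sso`, a hypothetical path chosen for the example. What RT does once a request reaches it is outside the model.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Outcomes of a Require directive or container, named after authz_core's
# AUTHZ_GRANTED / AUTHZ_DENIED / AUTHZ_DENIED_NO_USER; the last is what the
# posted error.log prints as "denied (no authenticated user yet)".
GRANTED, DENIED, NO_USER = "granted", "denied", "denied_no_user"


@dataclass
class Request:
    path: str
    client_ip: str
    # Principal the browser can present via Negotiate. None models a browser
    # without a Kerberos ticket; an NTLM token (as in the posted log) ends the
    # same way, since mod_auth_kerb rejects it and the client stays at 401.
    ticket_for: Optional[str] = None


@dataclass
class Location:
    """One <Location> block: its path prefix and the Require lines inside it.

    Bare Require lines at one level merge into an implicit <RequireAny>
    (any_mode=True); any_mode=False models an explicit <RequireAll>.
    """
    prefix: str
    requires: List[str] = field(default_factory=list)
    any_mode: bool = True


def check_require(rule: str, req: Request, user: Optional[str]) -> str:
    """Evaluate one Require directive; only the forms used here are modelled."""
    if rule == "valid-user":
        return GRANTED if user else NO_USER
    if rule.startswith("ip "):
        return GRANTED if req.client_ip in rule.split()[1:] else DENIED
    if rule == "all granted":
        return GRANTED
    if rule == "all denied":
        return DENIED
    raise ValueError(f"unsupported Require form: {rule}")


def check_location(loc: Location, req: Request, user: Optional[str]) -> str:
    """Combine the block's results the way <RequireAny>/<RequireAll> do."""
    results = [check_require(r, req, user) for r in loc.requires]
    if loc.any_mode:
        if GRANTED in results:
            return GRANTED
        return NO_USER if NO_USER in results else DENIED
    if DENIED in results:
        return DENIED
    return NO_USER if NO_USER in results else GRANTED


def apache_decision(config: List[Location], req: Request) -> Tuple[str, Optional[str]]:
    """Return ("pass" | "401" | "403", REMOTE_USER) for one request.

    "pass" means the request reaches RT; REMOTE_USER is None when Apache let
    it through without authenticating anyone. With AuthMerging Off (the
    default) only the most specific matching <Location> is consulted.
    """
    loc = max((l for l in config if req.path.startswith(l.prefix)),
              key=lambda l: len(l.prefix))
    # Phase 1: authz_core evaluates the Require block with no user yet.
    first = check_location(loc, req, None)
    if first == GRANTED:
        return ("pass", None)
    if first == DENIED:
        return ("403", None)
    # Phase 2: only a "no user yet" result invokes the authn provider.
    # mod_auth_kerb with KrbMethodK5Passwd off offers Negotiate only, so a
    # client without a ticket gets 401 and RT never sees the request.
    if req.ticket_for is None:
        return ("401", None)
    second = check_location(loc, req, req.ticket_for)
    return ("pass", req.ticket_for) if second == GRANTED else ("403", None)


# The thread's <Location> blocks in Apache 2.4 Require terms ("Satisfy any"
# = host rule OR authenticated user; "Allow from localhost" -> 127.0.0.1).
THREAD_CONFIG = [
    Location("/", ["valid-user", "ip 127.0.0.1"]),
    Location("/REST/1.0/NoAuth/mail-gateway", ["valid-user", "ip 127.0.0.1"]),
    Location("/NoAuth", ["all granted"]),
]

# Split layout: "/" open so RT's own login form is reachable from any
# browser; Kerberos demanded only on "/sso" (hypothetical path).
SPLIT_CONFIG = [
    Location("/", ["all granted"]),
    Location("/sso", ["valid-user"]),
]

# Constructed requests (203.0.113.10 is a documentation address).
REMOTE_NO_TICKET = Request("/", "203.0.113.10")
REMOTE_WITH_TICKET = Request("/", "203.0.113.10", ticket_for="myrat@EXAMPLE.COM")
LOCAL_MAILGATE = Request("/REST/1.0/NoAuth/mail-gateway", "127.0.0.1")

if __name__ == "__main__":
    for label, cfg, req in [
        ("thread config, remote, no ticket", THREAD_CONFIG, REMOTE_NO_TICKET),
        ("thread config, remote, with ticket", THREAD_CONFIG, REMOTE_WITH_TICKET),
        ("thread config, local mail-gateway", THREAD_CONFIG, LOCAL_MAILGATE),
        ("split config, remote, no ticket, /", SPLIT_CONFIG, REMOTE_NO_TICKET),
        ("split config, remote, no ticket, /sso", SPLIT_CONFIG, Request("/sso", "203.0.113.10")),
    ]:
        print(f"{label}: {apache_decision(cfg, req)}")
```

The model makes the trade-off explicit: any Require rule that lets a ticket-less remote browser through to RT is granted in phase 1, so that same location never reaches phase 2 and never issues a Negotiate challenge. A single <Location /> therefore cannot both challenge domain-joined browsers and let everyone else fall through to RT's login form, which is why a second virtual host or a dedicated SSO path is the usual way to get both.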