[rt-users] WebExternalAuth and no root for you

Mauricio Tavares raubvogel at gmail.com
Mon Nov 21 10:50:59 EST 2011


On Mon, Nov 21, 2011 at 10:15 AM, Kevin Falcone
<falcone at bestpractical.com> wrote:
> On Mon, Nov 21, 2011 at 03:57:30AM -0500, Mauricio Tavares wrote:
>> So I am trying to see if I can understand how to use WebExternalAuth.
>> In /etc/apache2/sites-available/default I have:
>>
>>         DocumentRoot /var/www
>>         <Directory />
>>                 Options FollowSymLinks
>>                 AllowOverride None
>>
>>                 AuthType Kerberos
>>                 AuthName "Kerberos Login"
>>                 KrbAuthRealms DOMAIN.COM
>>                 KrbServiceName HTTP
>>                 Krb5Keytab /etc/apache2/krb5.keytab
>>                 KrbMethodK5Passwd on
>>                 KrbDelegateBasic on
>>                 Require valid-user
>>         </Directory>
>>
>> Then in RT_SiteConf.pm I added
>>
>> Set($WebExternalAuth , 1);
>> Set($WebFallbackToInternalAuth , 1);
>> Set($WebExternalAuto , 1);
>>
>> When I try to log in as the root user, I am told it does not exist in Kerberos:
>>
>> [Mon Nov 21 03:53:34 2011] [error] [client 192.168.1.115]
>> krb5_get_init_creds_password() failed: Client not found in Kerberos
>> database
>>
>> Would anyone know why it is not checking if RT knows of this user
>> internally (as opposed to through Kerberos)?
>
> I suspect you need a Satisfy line in your apache config to allow it
> through kerberos to the normal RT login screen.
>
Thanks for the suggestion! I just tried "Satisfy any" and after
I restarted Apache, I was able to log in as root. Unfortunately I then
was not able to log in as a Kerberos user. In fact, it now cheerfully
ignores the TGT.

I know I am missing a step somewhere...

> -kevin
>
>
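Why "Satisfy any" gives the result reported above, as an added example that is not part of the original thread: a simplified Python model of how Apache 2.2 combines host-based access with `Require valid-user`, and of what RT then does with REMOTE_USER. It assumes no host-based Deny applies to the directory (none appears in the posted block); the principal set and function names are constructed for illustration.

```python
# Added example: simplified model, not Apache or RT source code.
KERBEROS_PRINCIPALS = {"alice"}   # constructed: users known to the KDC
HOST_ALLOWED = True               # assumption: no Deny rule in the <Directory> block


def apache_access(satisfy, principal):
    """Return (http_status, remote_user) for one request.

    principal is the identity the client would present if challenged.
    """
    if satisfy == "any" and HOST_ALLOWED:
        # Host check alone satisfies the request. Apache skips the
        # authentication phase: no 401 challenge, so the browser never
        # offers its ticket and REMOTE_USER is never set.
        return 200, None
    if satisfy == "all" and not HOST_ALLOWED:
        return 403, None
    # Authentication phase runs (Require valid-user).
    if principal in KERBEROS_PRINCIPALS:
        return 200, principal
    return 401, None              # e.g. "Client not found in Kerberos database"


def rt_result(status, remote_user, external=True, fallback=True):
    """Model of $WebExternalAuth / $WebFallbackToInternalAuth handling."""
    if status != 200:
        return "apache-%d" % status       # request never reaches RT
    if external and remote_user:
        return "external:" + remote_user  # logged in from REMOTE_USER
    if fallback or not external:
        return "internal-login-form"
    return "denied"


def simulate(satisfy, principal):
    return rt_result(*apache_access(satisfy, principal))


if __name__ == "__main__":
    for satisfy in ("all", "any"):
        for who in ("alice", "root"):
            print(satisfy, who, "->", simulate(satisfy, who))
```

Under "Satisfy any" with no host restriction, every request passes Apache unauthenticated, so RT's internal login form is the only control left in front of the application.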
