[rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb
Oliver Weinmann
oliver.weinmann at telespazio-vega.de
Wed Sep 4 08:16:35 EDT 2013
Hi,
thanks for the hint, but this doesn’t solve the issue yet.
I have done the following. I have tested the KRB5 setup on the host directly. This works fine.
I see this in the logs on the RT host.
Accessing the RT host directly:
[Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1628): [client xxxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1240): [client xxxx] Acquiring creds for HTTP at gedadvl05-clone
[Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1385): [client xxxx] Verifying client data using KRB5 GSS-API
[Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1401): [client xxxx] Client didn't delegate us their credential
[Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1420): [client xxxx] GSS-API token of length 181 bytes will be sent back
[Wed Sep 04 14:00:11 2013] [debug] mod_deflate.c(615): [client xxxx] Zlib: Compressed 43435 to 6091 : URL /rt/
Accessing via the reverse proxy:
[Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1628): [client xxxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1240): [client xxxx] Acquiring creds for HTTP at gedadvl05-clone
[Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1385): [client xxxx] Verifying client data using KRB5 GSS-API
[Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1401): [client xxxx] Client didn't delegate us their credential
[Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1420): [client xxxx] GSS-API token of length 9 bytes will be sent back
[Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1101): [client xxxx] GSS-API major_status:000d0000, minor_status:000186a5
[Wed Sep 04 14:02:55 2013] [error] [client xxxx] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, )
[Wed Sep 04 14:02:55 2013] [debug] mod_deflate.c(615): [client xxxx] Zlib: Compressed 482 to 326 : URL /rt/
I’m also not sure about the configuration of the RT host itself. Does it have to be Kerberos-enabled too? I have this in /etc/apache2/httpd.conf:
#<Directory "/usr/share/request-tracker4/html">
# AuthType Kerberos
# AuthName "Request Tracker"
# KrbMethodNegotiate On
# KrbMethodK5Passwd On
# KrbVerifyKDC On
# Krb5Keytab /etc/apache2/rtkeytab
# KrbAuthoritative On
# KrbSaveCredentials On
# Require valid-user
# AllowOverride None
#</Directory>
If I disable this I’m not logged in, but there is also no login (username/password) prompt displayed; the RT website is still shown, also when accessing via the proxy.
From: ruslan.zakirov at gmail.com [mailto:ruslan.zakirov at gmail.com] On Behalf Of Ruslan Zakirov
Sent: Wednesday, 4 September 2013 13:19
To: Oliver Weinmann
Cc: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb
Hi,
http://www.gossamer-threads.com/lists/apache/dev/370306
On Wed, Sep 4, 2013 at 10:37 AM, Oliver Weinmann <oliver.weinmann at telespazio-vega.de> wrote:
Hi,
there are these settings in RT:
# tells RT to use the REMOTE_USER provided by the web server
Set($WebExternalAuth , 1);
# tells RT to display its normal login screen if REMOTE_USER fails
Set($WebFallbackToInternalAuth , 1);
# tells RT to create users automatically if no user matching REMOTE_USER is found
Set($WebExternalAuto , 1);
I have them all set except the last one as we use LDAPImport. So I would expect RT to not drop the REMOTE_USER. Or is this obsolete?
Best Regards,
Oliver
From: ruslan.zakirov at gmail.com [mailto:ruslan.zakirov at gmail.com] On Behalf Of Ruslan Zakirov
Sent: Tuesday, 3 September 2013 21:47
To: Oliver Weinmann
Cc: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb
Hi,
Why do you expect the remote server where you host RT to respect REMOTE_USER and not drop it? If a web server passed a remotely provided REMOTE_USER on to an app without additional configuration, then we wouldn't use it for authentication.
On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann <oliver.weinmann at telespazio-vega.de> wrote:
Hi all,
we have successfully setup RT 4.0.4 with ldap_import and mod_auth_kerb. Now we need to get the setup running through our reverse proxy.
What we have on our reverse proxy is this:
ProxyPass /rt/ http://hostname.local/rt/ max=100
ProxyPassReverse /rt/ http://hostname.local/rt/
RedirectMatch ^/$ /rt/
# Proxy all locations
<Proxy *>
AddDefaultCharset off
Order deny,allow
Deny from none
</Proxy>
<Location /rt>
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms KRB5.LOCAL
Krb5KeyTab /etc/apache2/host.keytab
KrbMethodNegotiate on
KrbAuthoritative on
KrbMethodK5Passwd off
KrbSaveCredentials on
require valid-user
# SSO
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)$
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER %{RU}e
</Location>
Running tcpdump, we can see that REMOTE_USER is set and sent to the host hosting RT. It looks like RT is not picking it up. As far as I understand, my user gets authenticated at the proxy and RT should trust these credentials and log the user in.
--
Best regards, Ruslan.
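Added example (not from the thread, from Best Practical or from mod_auth_kerb): one way to lay out the two Apache hosts so that the identity header is only ever written by the proxy and only ever accepted from the proxy, which is the trust boundary Ruslan's reply insists on. It reuses the thread's LA-U lookahead trick and 2.2-style access control. Assumptions, all hypothetical: the RT host is rt-backend.local, the proxy's address is 10.0.0.5, the header is called X-Remote-User, the RT handler receives Apache's environment variables (mod_perl with PerlSetupEnv on, or FastCGI), and the RT host does not also run mod_auth_kerb on /rt.

```apache
##### Reverse proxy (Apache 2.2 syntax, as used in the thread) #####
# Hypothetical names: rt-backend.local, 10.0.0.5, X-Remote-User
<Location /rt>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms KRB5.LOCAL
    Krb5KeyTab /etc/apache2/host.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbAuthoritative on
    Require valid-user

    # 1. Never forward a client-supplied identity header. "early" runs
    #    before authentication, so a value the client sent is gone
    #    before the proxy writes its own below.
    RequestHeader unset X-Remote-User early

    # 2. Look ahead to the authenticated user and forward it.
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)$
    RewriteRule . - [E=RU:%1]
    RequestHeader set X-Remote-User %{RU}e
</Location>
ProxyPass        /rt/ http://rt-backend.local/rt/
ProxyPassReverse /rt/ http://rt-backend.local/rt/

##### RT host #####
# No AuthType here: the proxy already authenticated the client. A second
# mod_auth_kerb on this host would have to validate a Negotiate token that
# the browser built for the proxy's service principal, not this host's.
<Location /rt>
    # 3. Only the proxy may reach this path. Anyone else who can talk to
    #    this vhost could set X-Remote-User and become any user.
    Order deny,allow
    Deny from all
    Allow from 10.0.0.5

    # 4. A request header reaches the application as HTTP_X_REMOTE_USER
    #    (CGI rule: "HTTP_" + upper-cased name, "-" becomes "_"); it never
    #    becomes REMOTE_USER on its own. Promote it explicitly so that RT's
    #    $WebExternalAuth finds $ENV{REMOTE_USER}.
    RewriteEngine On
    RewriteCond %{HTTP:X-Remote-User} (.+)
    RewriteRule . - [E=REMOTE_USER:%1]
</Location>
```

Two things this layout accounts for. The header named REMOTE_USER that the thread's proxy sends arrives on the RT host as the environment variable HTTP_REMOTE_USER, never as REMOTE_USER, so an application that reads $ENV{REMOTE_USER} sees nothing unless the backend promotes it as in step 4; that is exactly the behaviour Ruslan's reply and the linked apache-dev discussion defend, since anything a client can set must not be auto-trusted. And step 3 is what makes step 4 safe: the promotion should only exist on a vhost that nobody but the proxy can reach. The GSS failure in the proxied log excerpt is consistent with the RT host's own mod_auth_kerb being handed the client's Negotiate token, which was issued for the proxy's HTTP/ principal rather than the RT host's, which is why the example leaves mod_auth_kerb off the backend path.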