On Mon, Feb 02, 2015 at 07:51:20AM +0000, Myrat Saparow wrote: > I have been trying to implement SSO on our RT test enviroment, the SSO login > from machines that are authenticated by our dc works fine but I can't get it > to > fall back to RT login when SSO fails. I constantly get the "Unauthorized" page > from Apache instead.
I believe you want to read up on the Satisfy directive. There's some additional docs here: https://bestpractical.com/docs/rt/latest/authentication http://httpd.apache.org/docs/2.2/mod/core.html#satisfy -kevin > Can someone help me with configuring falling back to RT login? > > Environment: > Ubuntu Server 14.01 > RT 4.2.9 > Apache2 > mod_auth_kerb + krb5 > > Relevant config file entries > > RT_Siteconfig.pm > > Set( $WebRemoteUserAuth, 1); > Set( $WebRemoteUserInfo, 1); > Set( $WebRemoteUserContinuous, 1); > Set( $WebFallbackToRTLogin, 1); > Set( $WebRemoteUserAutocreate, 1); > Set( $UserAutocreateDefaultsOnLogin, { Privileged => 0 }); > > > /etc/apache2/sites-available/rt.conf > > <Location /> > AuthType Kerberos > Krb5Keytab /etc/apache2/http.keytab > KrbMethodNegotiate on > KrbMethodK5Passwd off > KrbLocalUserMapping on > Require valid-user > Require ip 127.0.0.1 > AllowOverride None > </Location> > > /var/log/apache2/error.log > > [Mon Feb 02 12:10:45.728093 2015] [ssl:info] [pid 27607:tid 140437369087744] > [client xxx.xxx.xxx.xxx:3832] AH01964: Connection to child 10 established > (server rt.server:443) > [Mon Feb 02 12:10:45.728678 2015] [socache_shmcb:debug] [pid 27607:tid > 140437369087744] mod_socache_shmcb.c(520): AH00835: socache_shmcb_retrieve > (0xc1 -> subcache 1) > [Mon Feb 02 12:10:45.728708 2015] [socache_shmcb:debug] [pid 27607:tid > 140437369087744] mod_socache_shmcb.c(843): AH00849: match at idx=0, data=0 > [Mon Feb 02 12:10:45.728716 2015] [socache_shmcb:debug] [pid 27607:tid > 140437369087744] mod_socache_shmcb.c(530): AH00836: leaving > socache_shmcb_retrieve successfully > [Mon Feb 02 12:10:45.730549 2015] [ssl:debug] [pid 27607:tid 140437369087744] > ssl_engine_kernel.c(1844): [client xxx.xxx.xxx.xxx:3832] AH02041: Protocol: > TLSv1, Cipher: RC4-SHA (128/128 bits) > [Mon Feb 02 12:10:45.732144 2015] [ssl:debug] [pid 27607:tid 140437369087744] > ssl_engine_kernel.c(222): [client xxx.xxx.xxx.xxx:3832] AH02034: Initial > (No.1) > HTTPS request received for child 10 (server rt.server:443) > [Mon Feb 02 12:10:45.732270 2015] [authz_core:debug] [pid 27607:tid > 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: > authorization result of Require valid-user : denied (no authenticated user > yet) > [Mon Feb 02 12:10:45.732312 2015] [authz_core:debug] [pid 27607:tid > 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: > authorization result of Require ip [1]127.0.0.1: denied > [Mon Feb 02 12:10:45.732336 2015] [authz_core:debug] [pid 27607:tid > 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: > authorization result of <RequireAny>: denied (no authenticated user yet) > [Mon Feb 02 12:10:45.732377 2015] [auth_kerb:debug] [pid 27607:tid > 140437369087744] src/mod_auth_kerb.c(1652): [client xxx.xxx.xxx.xxx:3832] > kerb_authenticate_user entered with user (NULL) and auth_type Kerberos > [Mon Feb 02 12:10:45.734251 2015] [ssl:debug] [pid 27607:tid 140437360695040] > ssl_engine_kernel.c(222): [client xxx.xxx.xxx.xxx:3832] AH02034: Subsequent > (No.2) HTTPS request received for child 10 (server rt.server:443) > [Mon Feb 02 12:10:45.734355 2015] [authz_core:debug] [pid 27607:tid > 140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: > authorization result of Require valid-user : denied (no authenticated user > yet) > [Mon Feb 02 12:10:45.734390 2015] [authz_core:debug] [pid 27607:tid > 140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: > authorization result of Require ip [2]127.0.0.1: denied > [Mon Feb 02 12:10:45.734413 2015] [authz_core:debug] [pid 27607:tid > 140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: > authorization result of <RequireAny>: denied (no authenticated user yet) > [Mon Feb 02 12:10:45.734447 2015] [auth_kerb:debug] [pid 27607:tid > 140437360695040] src/mod_auth_kerb.c(1652): [client xxx.xxx.xxx.xxx:3832] > kerb_authenticate_user entered with user (NULL) and auth_type Kerberos > [Mon Feb 02 12:10:45.734513 2015] [auth_kerb:debug] [pid 27607:tid > 140437360695040] src/mod_auth_kerb.c(1260): [client xxx.xxx.xxx.xxx:3832] > Acquiring creds for [email protected] > [Mon Feb 02 12:10:45.739959 2015] [auth_kerb:debug] [pid 27607:tid > 140437360695040] src/mod_auth_kerb.c(1406): [client xxx.xxx.xxx.xxx:3832] > Verifying client data using KRB5 GSS-API > [Mon Feb 02 12:10:45.740081 2015] [auth_kerb:debug] [pid 27607:tid > 140437360695040] src/mod_auth_kerb.c(1422): [client xxx.xxx.xxx.xxx:3832] > Client didn't delegate us their credential > [Mon Feb 02 12:10:45.740113 2015] [auth_kerb:debug] [pid 27607:tid > 140437360695040] src/mod_auth_kerb.c(1450): [client xxx.xxx.xxx.xxx:3832] > Warning: received token seems to be NTLM, which isn't supported by the > Kerberos > module. Check your IE configuration. > [Mon Feb 02 12:10:45.740139 2015] [auth_kerb:debug] [pid 27607:tid > 140437360695040] src/mod_auth_kerb.c(1121): [client xxx.xxx.xxx.xxx:3832] > GSS-API major_status:00010000, minor_status:00000000 > [Mon Feb 02 12:10:45.740178 2015] [auth_kerb:error] [pid 27607:tid > 140437360695040] [client xxx.xxx.xxx.xxx:3832] gss_accept_sec_context() > failed: > An unsupported mechanism was requested (, Unknown error) > > > Best Regards, > Myrat > > References: > > [1] http://127.0.0.1/ > [2] http://127.0.0.1/
pgpk7YhGoonGc.pgp
Description: PGP signature
