"require ip 127.0.0.1" was put to allow local mail requests to pass, moved it to a separate location in config.

#Allow mail gateway to send mails via RT site
<Location /REST/1.0/NoAuth/mail-gateway>
    Order deny,allow
    Deny from all
    Allow from localhost
    Satisfy any
</Location>

<Location /NoAuth>
    Satisfy any
    Allow from all
</Location>

SSO works fine with machines that are members of the local AD. The authorization problem arises when I try to log in from a machine that is not a member of AD. I thought that with "$WebFallbackToRTLogin" set to true, the user is redirected to the RT login form when authentication with Kerberos fails. Am I missing something here? Or should I just set up another virtual host without SSO to be able to log on with local users, as suggested in this post <http://www.gossamer-threads.com/lists/rt/users/117509#117509>?

Regards,
Myrat

On Tue Feb 03 2015 at 2:08:30 AM Kevin Falcone <[email protected]> wrote:

> On Mon, Feb 02, 2015 at 07:51:20AM +0000, Myrat Saparow wrote:
> > I have been trying to implement SSO on our RT test environment, the SSO login
> > from machines that are authenticated by our dc works fine but I can't get it to
> > fall back to RT login when SSO fails. I constantly get the "Unauthorized" page
> > from Apache instead.
>
> I believe you want to read up on the Satisfy directive.
> There's some additional docs here:
> https://bestpractical.com/docs/rt/latest/authentication
> http://httpd.apache.org/docs/2.2/mod/core.html#satisfy
>
> -kevin
>
> > Can someone help me with configuring falling back to RT login?
> >
> > Environment:
> > Ubuntu Server 14.01
> > RT 4.2.9
> > Apache2
> > mod_auth_kerb + krb5
> >
> > Relevant config file entries
> >
> > RT_Siteconfig.pm
> >
> > Set( $WebRemoteUserAuth, 1);
> > Set( $WebRemoteUserInfo, 1);
> > Set( $WebRemoteUserContinuous, 1);
> > Set( $WebFallbackToRTLogin, 1);
> > Set( $WebRemoteUserAutocreate, 1);
> > Set( $UserAutocreateDefaultsOnLogin, { Privileged => 0 });
> >
> > /etc/apache2/sites-available/rt.conf
> >
> > <Location />
> >     AuthType Kerberos
> >     Krb5Keytab /etc/apache2/http.keytab
> >     KrbMethodNegotiate on
> >     KrbMethodK5Passwd off
> >     KrbLocalUserMapping on
> >     Require valid-user
> >     Require ip 127.0.0.1
> >     AllowOverride None
> > </Location>
> >
> > /var/log/apache2/error.log
> >
> > [Mon Feb 02 12:10:45.728093 2015] [ssl:info] [pid 27607:tid 140437369087744] [client xxx.xxx.xxx.xxx:3832] AH01964: Connection to child 10 established (server rt.server:443)
> > [Mon Feb 02 12:10:45.728678 2015] [socache_shmcb:debug] [pid 27607:tid 140437369087744] mod_socache_shmcb.c(520): AH00835: socache_shmcb_retrieve (0xc1 -> subcache 1)
> > [Mon Feb 02 12:10:45.728708 2015] [socache_shmcb:debug] [pid 27607:tid 140437369087744] mod_socache_shmcb.c(843): AH00849: match at idx=0, data=0
> > [Mon Feb 02 12:10:45.728716 2015] [socache_shmcb:debug] [pid 27607:tid 140437369087744] mod_socache_shmcb.c(530): AH00836: leaving socache_shmcb_retrieve successfully
> > [Mon Feb 02 12:10:45.730549 2015] [ssl:debug] [pid 27607:tid 140437369087744] ssl_engine_kernel.c(1844): [client xxx.xxx.xxx.xxx:3832] AH02041: Protocol: TLSv1, Cipher: RC4-SHA (128/128 bits)
> > [Mon Feb 02 12:10:45.732144 2015] [ssl:debug] [pid 27607:tid 140437369087744] ssl_engine_kernel.c(222): [client xxx.xxx.xxx.xxx:3832] AH02034: Initial (No.1) HTTPS request received for child 10 (server rt.server:443)
> > [Mon Feb 02 12:10:45.732270 2015] [authz_core:debug] [pid 27607:tid 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
> > [Mon Feb 02 12:10:45.732312 2015] [authz_core:debug] [pid 27607:tid 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of Require ip [1]127.0.0.1: denied
> > [Mon Feb 02 12:10:45.732336 2015] [authz_core:debug] [pid 27607:tid 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
> > [Mon Feb 02 12:10:45.732377 2015] [auth_kerb:debug] [pid 27607:tid 140437369087744] src/mod_auth_kerb.c(1652): [client xxx.xxx.xxx.xxx:3832] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> > [Mon Feb 02 12:10:45.734251 2015] [ssl:debug] [pid 27607:tid 140437360695040] ssl_engine_kernel.c(222): [client xxx.xxx.xxx.xxx:3832] AH02034: Subsequent (No.2) HTTPS request received for child 10 (server rt.server:443)
> > [Mon Feb 02 12:10:45.734355 2015] [authz_core:debug] [pid 27607:tid 140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
> > [Mon Feb 02 12:10:45.734390 2015] [authz_core:debug] [pid 27607:tid 140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of Require ip [2]127.0.0.1: denied
> > [Mon Feb 02 12:10:45.734413 2015] [authz_core:debug] [pid 27607:tid 140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
> > [Mon Feb 02 12:10:45.734447 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1652): [client xxx.xxx.xxx.xxx:3832] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> > [Mon Feb 02 12:10:45.734513 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1260): [client xxx.xxx.xxx.xxx:3832] Acquiring creds for [email protected]
> > [Mon Feb 02 12:10:45.739959 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1406): [client xxx.xxx.xxx.xxx:3832] Verifying client data using KRB5 GSS-API
> > [Mon Feb 02 12:10:45.740081 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1422): [client xxx.xxx.xxx.xxx:3832] Client didn't delegate us their credential
> > [Mon Feb 02 12:10:45.740113 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1450): [client xxx.xxx.xxx.xxx:3832] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
> > [Mon Feb 02 12:10:45.740139 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1121): [client xxx.xxx.xxx.xxx:3832] GSS-API major_status:00010000, minor_status:00000000
> > [Mon Feb 02 12:10:45.740178 2015] [auth_kerb:error] [pid 27607:tid 140437360695040] [client xxx.xxx.xxx.xxx:3832] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
> >
> > Best Regards,
> > Myrat
> >
> > References:
> >
> > [1] http://127.0.0.1/
> > [2] http://127.0.0.1/
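
For reading the debug log quoted above, an added example (not part of the original messages) that groups Apache 2.4 error.log lines per client and thread and extracts the `AH01626` authorization results plus the mod_auth_kerb NTLM warning. The sample lines are shortened from the excerpt; the client address 192.0.2.10 is a placeholder, and grouping by thread id is a heuristic assumption.

```python
import re

LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid \d+:tid (?P<tid>\d+)\] (?:\S+\(\d+\): )?"
    r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$")
AUTHZ = re.compile(r"AH01626: authorization result of (?P<rule>.+?)\s*: (?P<result>\w+)")

# Constructed sample, shortened from the error.log excerpt in the post
# (192.0.2.10 is a documentation address standing in for the masked client).
P = "[pid 27607:tid 140437360695040]"
C = "[client 192.0.2.10:3832]"
SAMPLE_LOG = "\n".join([
    f"[Mon Feb 02 12:10:45.728716 2015] [socache_shmcb:debug] {P} mod_socache_shmcb.c(530): AH00836: leaving socache_shmcb_retrieve successfully",
    f"[Mon Feb 02 12:10:45.734355 2015] [authz_core:debug] {P} mod_authz_core.c(802): {C} AH01626: authorization result of Require valid-user : denied (no authenticated user yet)",
    f"[Mon Feb 02 12:10:45.734390 2015] [authz_core:debug] {P} mod_authz_core.c(802): {C} AH01626: authorization result of Require ip 127.0.0.1: denied",
    f"[Mon Feb 02 12:10:45.734413 2015] [authz_core:debug] {P} mod_authz_core.c(802): {C} AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)",
    f"[Mon Feb 02 12:10:45.740113 2015] [auth_kerb:debug] {P} src/mod_auth_kerb.c(1450): {C} Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.",
    f"[Mon Feb 02 12:10:45.740178 2015] [auth_kerb:error] {P} {C} gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)",
])

def triage(log_text):
    """Group lines by (client, thread id) and collect authz and Kerberos evidence."""
    requests = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a [client ...] field carry no per-request evidence
        req = requests.setdefault(
            (m["client"], m["tid"]),
            {"authz": {}, "ntlm_token": False, "gss_error": None})
        msg = m["msg"]
        a = AUTHZ.search(msg)
        if a:
            req["authz"][a["rule"]] = a["result"]
        elif "seems to be NTLM" in msg:
            req["ntlm_token"] = True
        elif msg.startswith("gss_accept_sec_context() failed:"):
            req["gss_error"] = msg.split("failed:", 1)[1].strip()
    return requests

def diagnose(req):
    """One-line summary of why the request did not authenticate."""
    if req["ntlm_token"]:
        return "Negotiate token was NTLM, which mod_auth_kerb reports as unsupported"
    if req["authz"] and all(r == "denied" for r in req["authz"].values()):
        return "every Require directive was denied and no user was authenticated"
    return "no authentication failure recorded"

if __name__ == "__main__":
    for key, req in triage(SAMPLE_LOG).items():
        print(key, req["authz"], diagnose(req))
```
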
