Re: [rt-users] SSO fallback to RT Login failure

2015-02-02 Thread Kevin Falcone
On Mon, Feb 02, 2015 at 07:51:20AM +, Myrat Saparow wrote:
 I have been trying to implement SSO on our RT test environment, the SSO login
 from machines that are authenticated by our dc works fine but I can't get it to
 fall back to RT login when SSO fails. I constantly get the Unauthorized page
 from Apache instead.

I believe you want to read up on the Satisfy directive.
There's some additional docs here:
https://bestpractical.com/docs/rt/latest/authentication
http://httpd.apache.org/docs/2.2/mod/core.html#satisfy

-kevin

 Can someone help me with configuring falling back to RT login?
 
 Environment:
 Ubuntu Server 14.01
 RT 4.2.9
 Apache2
 mod_auth_kerb + krb5
 
 Relevant config file entries
 
 RT_Siteconfig.pm
 
 Set( $WebRemoteUserAuth, 1);
 Set( $WebRemoteUserInfo, 1);
 Set( $WebRemoteUserContinuous, 1);
 Set( $WebFallbackToRTLogin, 1);
 Set( $WebRemoteUserAutocreate, 1);
 Set( $UserAutocreateDefaultsOnLogin, { Privileged => 0 });
 
 
 /etc/apache2/sites-available/rt.conf
 
  <Location />
   AuthType Kerberos
   Krb5Keytab /etc/apache2/http.keytab
   KrbMethodNegotiate on
   KrbMethodK5Passwd off
   KrbLocalUserMapping on
   Require valid-user
   Require ip 127.0.0.1
   AllowOverride None
  </Location>
 
 /var/log/apache2/error.log
 
 [Mon Feb 02 12:10:45.728093 2015] [ssl:info] [pid 27607:tid 140437369087744] [client xxx.xxx.xxx.xxx:3832] AH01964: Connection to child 10 established (server rt.server:443)
 [Mon Feb 02 12:10:45.728678 2015] [socache_shmcb:debug] [pid 27607:tid 140437369087744] mod_socache_shmcb.c(520): AH00835: socache_shmcb_retrieve (0xc1 -> subcache 1)
 [Mon Feb 02 12:10:45.728708 2015] [socache_shmcb:debug] [pid 27607:tid 140437369087744] mod_socache_shmcb.c(843): AH00849: match at idx=0, data=0
 [Mon Feb 02 12:10:45.728716 2015] [socache_shmcb:debug] [pid 27607:tid 140437369087744] mod_socache_shmcb.c(530): AH00836: leaving socache_shmcb_retrieve successfully
 [Mon Feb 02 12:10:45.730549 2015] [ssl:debug] [pid 27607:tid 140437369087744] ssl_engine_kernel.c(1844): [client xxx.xxx.xxx.xxx:3832] AH02041: Protocol: TLSv1, Cipher: RC4-SHA (128/128 bits)
 [Mon Feb 02 12:10:45.732144 2015] [ssl:debug] [pid 27607:tid 140437369087744] ssl_engine_kernel.c(222): [client xxx.xxx.xxx.xxx:3832] AH02034: Initial (No.1) HTTPS request received for child 10 (server rt.server:443)
 [Mon Feb 02 12:10:45.732270 2015] [authz_core:debug] [pid 27607:tid 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
 [Mon Feb 02 12:10:45.732312 2015] [authz_core:debug] [pid 27607:tid 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of Require ip 127.0.0.1: denied
 [Mon Feb 02 12:10:45.732336 2015] [authz_core:debug] [pid 27607:tid 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of RequireAny: denied (no authenticated user yet)
 [Mon Feb 02 12:10:45.732377 2015] [auth_kerb:debug] [pid 27607:tid 140437369087744] src/mod_auth_kerb.c(1652): [client xxx.xxx.xxx.xxx:3832] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
 [Mon Feb 02 12:10:45.734251 2015] [ssl:debug] [pid 27607:tid 140437360695040] ssl_engine_kernel.c(222): [client xxx.xxx.xxx.xxx:3832] AH02034: Subsequent (No.2) HTTPS request received for child 10 (server rt.server:443)
 [Mon Feb 02 12:10:45.734355 2015] [authz_core:debug] [pid 27607:tid 140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
 [Mon Feb 02 12:10:45.734390 2015] [authz_core:debug] [pid 27607:tid 140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of Require ip 127.0.0.1: denied
 [Mon Feb 02 12:10:45.734413 2015] [authz_core:debug] [pid 27607:tid 140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626: authorization result of RequireAny: denied (no authenticated user yet)
 [Mon Feb 02 12:10:45.734447 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1652): [client xxx.xxx.xxx.xxx:3832] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
 [Mon Feb 02 12:10:45.734513 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1260): [client xxx.xxx.xxx.xxx:3832] Acquiring creds for HTTP@rt.server
 [Mon Feb 02 12:10:45.739959 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1406): [client xxx.xxx.xxx.xxx:3832] Verifying client data using KRB5 GSS-API
 [Mon Feb 02 12:10:45.740081 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1422): [client xxx.xxx.xxx.xxx:3832] Client didn't delegate us their credential
 [Mon Feb 02 12:10:45.740113 2015] [auth_kerb:debug] [pid 27607:tid 140437360695040] src/mod_auth_kerb.c(1450): [client

Re: [rt-users] Stripping Attachments During Create

2015-02-02 Thread Alex Peters
Scrips wouldn't help you because they get processed after ticket creation.

If I were in your position I'd probably try dealing with this at the mail
delivery level, e.g. by adding some sort of postprocessor that rewrites
incoming mail when it encounters attachments with certain MD5/SHA checksums.

I imagine that doing this by attachment filename would be a bad idea,
because theoretically desired attachments could have those filenames.

I don't know whether this is technically feasible, but another option might
be to write a script (as opposed to scrip) that prunes matching attachments
from RT's database (which would also take care of tickets created up to
this point).

What is your main concern about these attachments reaching RT?  Database
storage?  UI cosmetics?  Depending on the actual concern, other solutions
might exist.
On 3 Feb 2015 5:16 am, Trev tre...@onepost.net wrote:

 My situation is this, I have users sending in support requests and they
 are processing just fine. I am using fetchmail and mailgate, no problems,
 tickets get created etc...

 I want to strip attachments however, specifically those associated with
 signatures internal to the company.

 How can I best go about stripping these?

 Preferably based on attachment name:
 image001.png
 image002.png

 Thanks in advance!
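
An added example, not code from this thread or from RT, of the checksum-based mail postprocessor suggested in the reply above: it removes MIME parts whose SHA-256 digest is on a blocklist and leaves a same-named but different image alone. The blocklist, the sample payloads and all function names are assumptions constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample payloads (not real images): a signature logo and a wanted
# screenshot that share the same filename, as mail clients often produce.
LOGO = b"\x89PNG\r\n\x1a\n" + b"constructed-signature-logo"
SCREENSHOT = b"\x89PNG\r\n\x1a\n" + b"constructed-user-screenshot"

# Hypothetical blocklist: SHA-256 digests of known signature images.
BLOCKED_SHA256 = {hashlib.sha256(LOGO).hexdigest()}


def payload_digest(part):
    """Hash the decoded bytes so the transfer encoding (base64, qp) is irrelevant."""
    return hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()


def strip_blocked(msg, blocked, removed):
    """Recursively drop leaf MIME parts whose payload digest is in `blocked`."""
    if not msg.is_multipart():
        return
    kept = []
    for part in msg.get_payload():
        if part.is_multipart():
            strip_blocked(part, blocked, removed)
            kept.append(part)
        elif payload_digest(part) in blocked:
            removed.append(part.get_filename() or "(unnamed)")
        else:
            kept.append(part)
    msg.set_payload(kept)


def filter_message(raw, blocked):
    """Return (rewritten message bytes, filenames of removed parts)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    strip_blocked(msg, blocked, removed)
    return msg.as_bytes(), removed


def remaining_attachments(raw):
    """List (filename, payload) for every attachment left in the message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename(), p.get_payload(decode=True)) for p in msg.iter_attachments()]


def build_sample():
    """Constructed support request with a text body and two same-named images."""
    m = EmailMessage()
    m["From"], m["To"] = "user@example.com", "support@example.com"
    m["Subject"] = "Printer jammed"
    m.set_content("The printer on floor 2 is jammed, screenshot attached.")
    for data in (LOGO, SCREENSHOT):
        m.add_attachment(data, maintype="image", subtype="png", filename="image001.png")
    return m.as_bytes()


if __name__ == "__main__":
    # In a delivery pipeline this would read sys.stdin.buffer and write the result
    # to stdout ahead of the mail gateway; here it runs on the constructed sample.
    out, removed = filter_message(build_sample(), BLOCKED_SHA256)
    print("removed:", removed, "kept:", [n for n, _ in remaining_attachments(out)])
```

Removing an inline image that an HTML body references by Content-ID leaves a dangling `cid:` reference, which mail clients render as a broken image.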



Re: [rt-users] How to get different queues to send from different email addresses

2015-02-02 Thread Alex Peters
If you're using a relatively newer version of RT, you can configure a
global From address in RT_SiteConfig.pm and queue-specific From addresses
in RT's UI.

If you've already done this then it sounds like msmtp is rewriting your
From headers.  Maybe msmtp's auto_from setting is relevant?

If you're just relaying to an external server, can you just feed the SMTP
connection details into RT and bypass msmtp altogether?
Hi

We've used RT for a while just for IT issues, now we're adding an
additional facilities queue. Everything is working to receive tickets via
email, but we can only get it to send emails through the ithelpdesk email
account regardless of queue. We're using MSMTP in order to use Google Apps
to send emails. We have two accounts configured in msmtp_wrapper.conf
ithelpdesk and facilities, but I can't see how to tell RT to use the
facilities account when sending emails from that queue, so it sends
everything as ithelpdesk.

Can anyone help?

Thanks

Ian

*Ian McNaught*
*Head of eLearning  Information Systems*
*Tel: (+968) 24730404*

Majan College (University College)
P.O. Box 710, Postal Code 112, Ruwi
Sultanate of Oman
Switchboard: +968 24730400
Fax: +968 24730490
Find us:
Website http://www.majancollege.edu.om/ | Linkedin
http://www.linkedin.com/company/majan-college-university-college-?trk=hb_tab_compy_id_2839692
 | Facebook https://www.facebook.com/majan.college | Twitter
http://twitter.com/Majan_College*Ranked No.1 Private College in Oman -
Oman Observer Survey Oct.2011*
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be intercepted,
corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
Majan College (University College) therefore does not accept liability for
any errors or omissions in the contents of this message, which arise as a
result of e-mail transmission


[rt-users] New cert breaks mailgate

2015-02-02 Thread Mitch Kyser
Hi,

We just updated the cert from the default self signed cert to one from our
local CA.  We have the web server side working via https but now incoming
email will not generate a new ticket or comment on an old one.  Looking at
the mail log it shows a 500 error, Can't connect to rt.x.x:443 (certificate
verify failed).   We are using the --no-verify-ssl flag in the aliases file
for all the queues.  Any suggestions on where to go from here?

Thanks
-- 
Mitch Kyser
Network Administrator
Albion.College
mky...@albion.edu


Re: [rt-users] How to get different queues to send from different email addresses

2015-02-02 Thread Kevin Falcone
On Tue, Feb 03, 2015 at 07:59:18AM +1100, Alex Peters wrote:
 If you're just relaying to an external server, can you just feed the SMTP
 connection details into RT and bypass msmtp altogether?

Just addressing this part, since the other part (Setting From at the
Queue level and/or using $OverrideOutgoingMailFrom) has been
addressed.

RT 4.2 finally dropped internal SMTP support because it was slow and
easily dropped email if there was an upstream error.  Many simple
relay clients are vulnerable to the same problem if your smarthost
ever drops offline while you're trying to relay.

Postfix/exim/sendmail in smarthost only mode avoid this failure.

-kevin




[rt-users] How to get different queues to send from different email addresses

2015-02-02 Thread Mr. Ian Mc Naught
Hi

We've used RT for a while just for IT issues, now we're adding an
additional facilities queue. Everything is working to receive tickets via
email, but we can only get it to send emails through the ithelpdesk email
account regardless of queue. We're using MSMTP in order to use Google Apps
to send emails. We have two accounts configured in msmtp_wrapper.conf
ithelpdesk and facilities, but I can't see how to tell RT to use the
facilities account when sending emails from that queue, so it sends
everything as ithelpdesk.

Can anyone help?

Thanks

Ian

*Ian McNaught*
*Head of eLearning  Information Systems*
*Tel: (+968) 24730404*



Re: [rt-users] How to get different queues to send from different email addresses

2015-02-02 Thread Guadagnino Cristiano
You could use something like this in RT_Siteconfig.pm:


Set($OverrideOutgoingMailFrom, {
    'Queue1'       => 'ithelpd...@dummy.com',
    'Queue2'       => 'ithelpd...@dummy.com',
    # ...
    'QueueN'       => 'ithelpd...@dummy.com',
    'SpecialQueue' => 'facilit...@dummy.com'
});


Hope this helps.

Cris



On 02/02/2015 12:27, Mr. Ian Mc Naught wrote:
Hi

We've used RT for a while just for IT issues, now we're adding an additional 
facilities queue. Everything is working to receive tickets via email, but we 
can only get it to send emails through the ithelpdesk email account regardless 
of queue. We're using MSMTP in order to use Google Apps to send emails. We have 
two accounts configured in msmtp_wrapper.conf ithelpdesk and facilities, but I 
can't see how to tell RT to use the facilities account when sending emails from 
that queue, so it sends everything as ithelpdesk.

Can anyone help?

Thanks

Ian

Ian McNaught
Head of eLearning  Information Systems
Tel: (+968) 24730404




Re: [rt-users] SSO fallback to RT Login failure

2015-02-02 Thread Myrat Saparow
require ip 127.0.0.1 was put to allow local mail requests to pass, moved
it to a separate location in config.

#Allow mail gateway to send mails via RT site
 <Location /REST/1.0/NoAuth/mail-gateway>
 Order deny,allow
 Deny from all
 Allow from localhost
 Satisfy any
 </Location>

 <Location /NoAuth>
 Satisfy any
 Allow from all
 </Location>

SSO works fine with machines that are members of the local AD.
The authorization problem arises when I try to log in from a machine that is
not a member of AD. I thought that with $WebFallbackToRTLogin set to
true, the user is redirected to RT login form when authentication with
Kerberos fails. Am I missing something here? Or should I just set up another
virtual host without SSO to be able to log on with local users as suggested
in this post http://www.gossamer-threads.com/lists/rt/users/117509#117509?

Regards,
Myrat

On Tue Feb 03 2015 at 2:08:30 AM Kevin Falcone falc...@bestpractical.com
wrote:

 On Mon, Feb 02, 2015 at 07:51:20AM +, Myrat Saparow wrote:
  I have been trying to implement SSO on our RT test environment, the SSO login
  from machines that are authenticated by our dc works fine but I can't get it to
  fall back to RT login when SSO fails. I constantly get the Unauthorized page
  from Apache instead.

 I believe you want to read up on the Satisfy directive.
 There's some additional docs here:
 https://bestpractical.com/docs/rt/latest/authentication
 http://httpd.apache.org/docs/2.2/mod/core.html#satisfy

 -kevin


[rt-users] Stripping Attachments During Create

2015-02-02 Thread Trev
My situation is this, I have users sending in support requests and they are
processing just fine. I am using fetchmail and mailgate, no problems,
tickets get created etc...

I want to strip attachments however, specifically those associated with
signatures internal to the company.

How can I best go about stripping these?

Preferably based on attachment name:
image001.png
image002.png

Thanks in advance!


Re: [rt-users] strange things with multi-value custom field in CLI

2015-02-02 Thread Kevin Falcone
On Mon, Feb 02, 2015 at 06:47:50AM +, Eierschmalz, Bernhard wrote:
 
 I have one custom field with type “enter multiple values”
 
 I tried to create a ticket in CLI and directly enter multiple values into my CF
 with this command:
 
 rt create -t ticket set subject="test" queue="test" CF-42="value1,value2"
 
 after this, my CF had one value “value1,value2”
 
 strange thing is, when I try to edit the CF with this command
 
 rt edit ticket/ticketnumber set CF-42="value1,value2" status="new"
 
 (so exactly the same syntax at CF-42="value1,value2")
 
 I have 2 values, “value1” and “value2”

I believe this came up recently on this list, along with a patch for
consideration.  However, it turns out there is a better piece of code
that addresses this.

https://github.com/bestpractical/rt/compare/4.2/multi-value-cf-in-rest

It would be interesting to hear if this resolves your issue.

-kevin

