Re: [rt-users] SSO fallback to RT Login failure

2015-02-02 Thread Myrat Saparow
"require ip 127.0.0.1" was put to allow local mail requests to pass, moved
it to a separate location in config.

#Allow mail gateway to send mails via RT site
 
 Order deny,allow
 Deny from all
 Allow from localhost
 Satisfy any
 

 
 Satisfy any
 Allow from all
 

SSO works fine with machines that are members of the local AD.
The authorization problem arises when I try to log in from a machine that is
not a member of AD. I thought that with "$WebFallbackToRTLogin" set to
true, the user is redirected to RT login form when authentication with
Kerberos fails. Am I missing something here? Or should I just set up another
virtual host without SSO to be able to log on with local users as suggested
in this post?

Regards,
Myrat

On Tue Feb 03 2015 at 2:08:30 AM Kevin Falcone wrote:

> On Mon, Feb 02, 2015 at 07:51:20AM +, Myrat Saparow wrote:
> > I have been trying to implement SSO on our RT test environment, the SSO login
> > from machines that are authenticated by our dc works fine but I can't get it to
> > fall back to RT login when SSO fails. I constantly get the "Unauthorized" page
> > from Apache instead.
>
> I believe you want to read up on the Satisfy directive.
> There's some additional docs here:
> https://bestpractical.com/docs/rt/latest/authentication
> http://httpd.apache.org/docs/2.2/mod/core.html#satisfy
>
> -kevin
>
> > Can someone help me with configuring falling back to RT login?
> >
> > Environment:
> > Ubuntu Server 14.01
> > RT 4.2.9
> > Apache2
> > mod_auth_kerb + krb5
> >
> > Relevant config file entries
> >
> > RT_Siteconfig.pm
> >
> > Set( $WebRemoteUserAuth, 1);
> > Set( $WebRemoteUserInfo, 1);
> > Set( $WebRemoteUserContinuous, 1);
> > Set( $WebFallbackToRTLogin, 1);
> > Set( $WebRemoteUserAutocreate, 1);
> > Set( $UserAutocreateDefaultsOnLogin, { Privileged => 0 });
> >
> >
> > /etc/apache2/sites-available/rt.conf
> >
> >  
> >   AuthType Kerberos
> >   Krb5Keytab /etc/apache2/http.keytab
> >   KrbMethodNegotiate on
> >   KrbMethodK5Passwd off
> >   KrbLocalUserMapping on
> >   Require valid-user
> >   Require ip 127.0.0.1
> >   AllowOverride None
> >  
> >

[rt-users] New cert breaks mailgate

2015-02-02 Thread Mitch Kyser
Hi,

We just updated the cert from the default self signed cert to one from our
local CA.  We have the web server side working via https but now incoming
email will not generate a new ticket or comment on an old one.  Looking at
the mail log it shows a 500 error, Can't connect to rt.x.x:443 (certificate
verify failed).   We are using the --no-verify-ssl flag in the aliases file
for all the queues.  Any suggestions on where to go from here?

Thanks
-- 
Mitch Kyser
Network Administrator
Albion.College
mky...@albion.edu


Re: [rt-users] How to get different queues to send from different email addresses

2015-02-02 Thread Kevin Falcone
On Tue, Feb 03, 2015 at 07:59:18AM +1100, Alex Peters wrote:
> If you're just relaying to an external server, can you just feed the SMTP
> connection details into RT and bypass msmtp altogether?

Just addressing this part, since the other part (Setting From at the
Queue level and/or using $OverrideOutgoingMailFrom) has been
addressed.

RT 4.2 finally dropped internal SMTP support because it was slow and
easily dropped email if there was an upstream error.  Many simple
relay clients are vulnerable to the same problem if your smarthost
ever drops offline while you're trying to relay.

Postfix/exim/sendmail in smarthost only mode avoid this failure.

-kevin




Re: [rt-users] strange things with multi-value custom field in CLI

2015-02-02 Thread Kevin Falcone
On Mon, Feb 02, 2015 at 06:47:50AM +, Eierschmalz, Bernhard wrote:
> 
> I have one custom field with type “enter multiple values”
> 
> I tried to create a ticket in CLI and directly enter multiple values into my CF
> with this command:
> 
> rt create -t ticket set subject="test" queue="test" CF-42="value1,value2"
> 
> after this, my CF had one value “value1,value2”
>  
> 
> strange thing is, when I try to edit the CF with this command
> 
> rt edit ticket/ set CF-42="value1,value2" status="new"
> 
>  
> 
> (so exactly the same syntax at CF-42=”value1,value2”)
> 
> I have 2 values, “value1” and “value2”

I believe this came up recently on this list, along with a patch for
consideration.  However, it turns out there is a better piece of code
that addresses this.

https://github.com/bestpractical/rt/compare/4.2/multi-value-cf-in-rest

It would be interesting to hear if this resolves your issue.

-kevin




Re: [rt-users] SSO fallback to RT Login failure

2015-02-02 Thread Kevin Falcone
On Mon, Feb 02, 2015 at 07:51:20AM +, Myrat Saparow wrote:
> I have been trying to implement SSO on our RT test environment, the SSO login
> from machines that are authenticated by our dc works fine but I can't get it to
> fall back to RT login when SSO fails. I constantly get the "Unauthorized" page
> from Apache instead.

I believe you want to read up on the Satisfy directive.
There's some additional docs here:
https://bestpractical.com/docs/rt/latest/authentication
http://httpd.apache.org/docs/2.2/mod/core.html#satisfy

-kevin

> Can someone help me with configuring falling back to RT login?
> 
> Environment:
> Ubuntu Server 14.01
> RT 4.2.9
> Apache2
> mod_auth_kerb + krb5
> 
> Relevant config file entries
> 
> RT_Siteconfig.pm
> 
> Set( $WebRemoteUserAuth, 1);
> Set( $WebRemoteUserInfo, 1);
> Set( $WebRemoteUserContinuous, 1);
> Set( $WebFallbackToRTLogin, 1);
> Set( $WebRemoteUserAutocreate, 1);
> Set( $UserAutocreateDefaultsOnLogin, { Privileged => 0 });
> 
> 
> /etc/apache2/sites-available/rt.conf
> 
>  
>   AuthType Kerberos
>   Krb5Keytab /etc/apache2/http.keytab
>   KrbMethodNegotiate on
>   KrbMethodK5Passwd off
>   KrbLocalUserMapping on
>   Require valid-user
>   Require ip 127.0.0.1
>   AllowOverride None
>  
> 
> /var/log/apache2/error.log
> 
> [Mon Feb 02 12:10:45.728093 2015] [ssl:info] [pid 27607:tid 140437369087744]
> [client xxx.xxx.xxx.xxx:3832] AH01964: Connection to child 10 established
> (server rt.server:443)
> [Mon Feb 02 12:10:45.728678 2015] [socache_shmcb:debug] [pid 27607:tid
> 140437369087744] mod_socache_shmcb.c(520): AH00835: socache_shmcb_retrieve
> (0xc1 -> subcache 1)
> [Mon Feb 02 12:10:45.728708 2015] [socache_shmcb:debug] [pid 27607:tid
> 140437369087744] mod_socache_shmcb.c(843): AH00849: match at idx=0, data=0
> [Mon Feb 02 12:10:45.728716 2015] [socache_shmcb:debug] [pid 27607:tid
> 140437369087744] mod_socache_shmcb.c(530): AH00836: leaving
> socache_shmcb_retrieve successfully
> [Mon Feb 02 12:10:45.730549 2015] [ssl:debug] [pid 27607:tid 140437369087744]
> ssl_engine_kernel.c(1844): [client xxx.xxx.xxx.xxx:3832] AH02041: Protocol:
> TLSv1, Cipher: RC4-SHA (128/128 bits)
> [Mon Feb 02 12:10:45.732144 2015] [ssl:debug] [pid 27607:tid 140437369087744]
> ssl_engine_kernel.c(222): [client xxx.xxx.xxx.xxx:3832] AH02034: Initial (No.1)
> HTTPS request received for child 10 (server rt.server:443)
> [Mon Feb 02 12:10:45.732270 2015] [authz_core:debug] [pid 27607:tid
> 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626:
> authorization result of Require valid-user : denied (no authenticated user yet)
> [Mon Feb 02 12:10:45.732312 2015] [authz_core:debug] [pid 27607:tid
> 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626:
> authorization result of Require ip [1]127.0.0.1: denied
> [Mon Feb 02 12:10:45.732336 2015] [authz_core:debug] [pid 27607:tid
> 140437369087744] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626:
> authorization result of : denied (no authenticated user yet)
> [Mon Feb 02 12:10:45.732377 2015] [auth_kerb:debug] [pid 27607:tid
> 140437369087744] src/mod_auth_kerb.c(1652): [client xxx.xxx.xxx.xxx:3832]
> kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Mon Feb 02 12:10:45.734251 2015] [ssl:debug] [pid 27607:tid 140437360695040]
> ssl_engine_kernel.c(222): [client xxx.xxx.xxx.xxx:3832] AH02034: Subsequent
> (No.2) HTTPS request received for child 10 (server rt.server:443)
> [Mon Feb 02 12:10:45.734355 2015] [authz_core:debug] [pid 27607:tid
> 140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626:
> authorization result of Require valid-user : denied (no authenticated user yet)
> [Mon Feb 02 12:10:45.734390 2015] [authz_core:debug] [pid 27607:tid
> 140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626:
> authorization result of Require ip [2]127.0.0.1: denied
> [Mon Feb 02 12:10:45.734413 2015] [authz_core:debug] [pid 27607:tid
> 140437360695040] mod_authz_core.c(802): [client xxx.xxx.xxx.xxx:3832] AH01626:
> authorization result of : denied (no authenticated user yet)
> [Mon Feb 02 12:10:45.734447 2015] [auth_kerb:debug] [pid 27607:tid
> 140437360695040] src/mod_auth_kerb.c(1652): [client xxx.xxx.xxx.xxx:3832]
> kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Mon Feb 02 12:10:45.734513 2015] [auth_kerb:debug] [pid 27607:tid
> 140437360695040] src/mod_auth_kerb.c(1260): [client xxx.xxx.xxx.xxx:3832]
> Acquiring creds for HTTP@rt.server
> [Mon Feb 02 12:10:45.739959 2015] [auth_kerb:debug] [pid 27607:tid
> 140437360695040] src/mod_auth_kerb.c(1406): [client xxx.xxx.xxx.xxx:3832]
> Verifying client data using KRB5 GSS-API
> [Mon Feb 02 12:10:45.740081 2015] [auth_kerb:debug] [pid 27607:tid
> 140437360695040] src/mod_auth_kerb.c(1422): [client xxx.xxx.xxx.xxx:3832]
> Client didn't delegate us their credential
> [Mon Feb 02 12:10:45.740113 2015] [auth_kerb:debug] [pid 27607:tid
> 140

Re: [rt-users] How to get different queues to send from different email addresses

2015-02-02 Thread Alex Peters
If you're using a relatively newer version of RT, you can configure a
"global" From address in RT_SiteConfig.pm and queue-specific From addresses
in RT's UI.

If you've already done this then it sounds like msmtp is rewriting your
From headers.  Maybe msmtp's auto_from setting is relevant?

If you're just relaying to an external server, can you just feed the SMTP
connection details into RT and bypass msmtp altogether?
Hi

We've used RT for a while just for IT issues, now we're adding an
additional facilities queue. Everything is working to receive tickets via
email, but we can only get it to send emails through the ithelpdesk email
account regardless of queue. We're using MSMTP in order to use Google Apps
to send emails. We have two accounts configured in msmtp_wrapper.conf
ithelpdesk and facilities, but I can't see how to tell RT to use the
facilities account when sending emails from that queue, so it sends
everything as ithelpdesk.

Can anyone help?

Thanks

Ian

*Ian McNaught*
*Head of eLearning & Information Systems*
*Tel: (+968) 24730404*

Majan College (University College)
P.O. Box 710, Postal Code 112, Ruwi
Sultanate of Oman
Switchboard: +968 24730400
Fax: +968 24730490
Find us:
Website  | Linkedin

 | Facebook  | Twitter
*Ranked No.1 Private College in Oman -
"Oman Observer Survey Oct.2011"*
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be intercepted,
corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
Majan College (University College) therefore does not accept liability for
any errors or omissions in the contents of this message, which arise as a
result of e-mail transmission


Re: [rt-users] Stripping Attachments During Create

2015-02-02 Thread Alex Peters
Scrips wouldn't help you because they get processed after ticket creation.

If I were in your position I'd probably try dealing with this at the mail
delivery level, e.g. by adding some sort of postprocessor that rewrites
incoming mail when it encounters attachments with certain MD5/SHA checksums.

I imagine that doing this by attachment filename would be a bad idea,
because theoretically desired attachments could have those filenames.

I don't know whether this is technically feasible, but another option might
be to write a script (as opposed to scrip) that prunes matching attachments
from RT's database (which would also take care of tickets created up to
this point).

What is your main concern about these attachments reaching RT?  Database
storage?  UI cosmetics?  Depending on the actual concern, other solutions
might exist.
On 3 Feb 2015 5:16 am, "Trev"  wrote:

> My situation is this, I have users sending in support requests and they
> are processing just fine. I am using fetchmail and mailgate, no problems,
> tickets get created etc...
>
> I want to strip attachments however, specifically those associated with
> signatures internal to the company.
>
> How can I best go about stripping these?
>
> Preferably based on attachment name:
> image001.png
> image002.png
>
> Thanks in advance!
>
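
The checksum-based postprocessor suggested in this reply, as an added example (not code from the thread or from RT): a Python filter that drops MIME parts whose SHA-256 digest is on a blocklist, so a signature logo is removed while a genuine attachment with the same filename survives. The blocklist contents, addresses and sample message are constructed, and where the filter is hooked into the mail delivery path is an assumption left to the local setup.

```python
import hashlib
import sys
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-in for the bytes of a corporate signature logo.
SIGNATURE_LOGO = b"\x89PNG constructed-signature-logo"
# Digests of attachments to drop; in practice, hash the real logo files once.
BLOCKED_SHA256 = {hashlib.sha256(SIGNATURE_LOGO).hexdigest()}


def strip_blocked_attachments(raw, blocked=BLOCKED_SHA256):
    """Return (filtered message bytes, filenames of the parts removed)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []

    def prune(container):
        kept = []
        for part in container.get_payload():
            if part.is_multipart():
                prune(part)  # descend into nested multipart/* containers
                kept.append(part)
                continue
            body = part.get_payload(decode=True) or b""
            if hashlib.sha256(body).hexdigest() in blocked:
                removed.append(part.get_filename() or "(unnamed)")
            else:
                kept.append(part)
        container.set_payload(kept)

    if msg.is_multipart():
        prune(msg)
    return msg.as_bytes(), removed


def build_sample():
    """Constructed mail: the logo and a real screenshot share one filename."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"
    msg["To"] = "support@example.com"
    msg["Subject"] = "Printer jammed"
    msg.set_content("See the attached screenshot.")
    for data in (SIGNATURE_LOGO, b"\x89PNG constructed-user-screenshot"):
        msg.add_attachment(data, maintype="image", subtype="png",
                           filename="image001.png")
    return msg.as_bytes()


if __name__ == "__main__":
    # Filter mode: read one message on stdin, write the filtered one to stdout.
    filtered, dropped = strip_blocked_attachments(sys.stdin.buffer.read())
    sys.stdout.buffer.write(filtered)
    print("removed:", dropped, file=sys.stderr)
```

Matching on content digest only catches byte-identical copies of a logo, so each variant a mail client produces needs its own blocklist entry.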


[rt-users] Stripping Attachments During Create

2015-02-02 Thread Trev
My situation is this, I have users sending in support requests and they are
processing just fine. I am using fetchmail and mailgate, no problems,
tickets get created etc...

I want to strip attachments however, specifically those associated with
signatures internal to the company.

How can I best go about stripping these?

Preferably based on attachment name:
image001.png
image002.png

Thanks in advance!


Re: [rt-users] How to get different queues to send from different email addresses

2015-02-02 Thread Guadagnino Cristiano
You could use something like this in RT_Siteconfig.pm:


Set($OverrideOutgoingMailFrom, {
    'Queue1'       => 'ithelpd...@dummy.com',
    'Queue2'       => 'ithelpd...@dummy.com',
    # ...
    'QueueN'       => 'ithelpd...@dummy.com',
    'SpecialQueue' => 'facilit...@dummy.com'
});


Hope this helps.

Cris



On 02/02/2015 12:27, Mr. Ian Mc Naught wrote:
Hi

We've used RT for a while just for IT issues, now we're adding an additional 
facilities queue. Everything is working to receive tickets via email, but we 
can only get it to send emails through the ithelpdesk email account regardless 
of queue. We're using MSMTP in order to use Google Apps to send emails. We have 
two accounts configured in msmtp_wrapper.conf ithelpdesk and facilities, but I 
can't see how to tell RT to use the facilities account when sending emails from 
that queue, so it sends everything as ithelpdesk.

Can anyone help?

Thanks

Ian

Ian McNaught
Head of eLearning & Information Systems
Tel: (+968) 24730404




[rt-users] How to get different queues to send from different email addresses

2015-02-02 Thread Mr. Ian Mc Naught
Hi

We've used RT for a while just for IT issues, now we're adding an
additional facilities queue. Everything is working to receive tickets via
email, but we can only get it to send emails through the ithelpdesk email
account regardless of queue. We're using MSMTP in order to use Google Apps
to send emails. We have two accounts configured in msmtp_wrapper.conf
ithelpdesk and facilities, but I can't see how to tell RT to use the
facilities account when sending emails from that queue, so it sends
everything as ithelpdesk.

Can anyone help?

Thanks

Ian

*Ian McNaught*
*Head of eLearning & Information Systems*
*Tel: (+968) 24730404*
