RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb

Hi all,

we have successfully set up RT 4.0.4 with ldap_import and mod_auth_kerb. Now we need to get the setup running through our reverse proxy.

What we have on our reverse proxy is this:

ProxyPass /rt/ http://hostname.local/rt/ max=100
ProxyPassReverse /rt/ http://hostname.local/rt/

    RedirectMatch ^/$ /rt/

    # Proxy all locations
    <Proxy *>
            AddDefaultCharset off
            Order deny,allow
            Deny from none
    </Proxy>


    <Location /rt>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms KRB5.LOCAL
    Krb5KeyTab /etc/apache2/host.keytab
    KrbMethodNegotiate on
    KrbAuthoritative on
    KrbMethodK5Passwd off
    KrbSaveCredentials on
    require valid-user

    # SSO
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)$
    RewriteRule . - [E=RU:%1]
    RequestHeader set REMOTE_USER %{RU}e

    </Location>

Running tcpdump we can see that REMOTE_USER is set and sent to the host hosting RT. It looks like RT is not picking it up. As far as I understood, my user gets authenticated at the proxy and RT should trust these credentials and log the user in.
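A backend-side counterpart for the RT host, added here as an example; it is not configuration from this thread, nor from RT's or Apache's documentation. It assumes Apache 2.2 syntax on the RT host (matching the proxy config above), that RT runs under a CGI-style handler such as FastCGI and reads the REMOTE_USER environment variable, that the proxy forwards the principal in a header named X-Remote-User (the proxy's RequestHeader line would be changed to match), and that 192.0.2.10 is a placeholder for the proxy's address. It illustrates two things the tcpdump observation does not show: a forwarded request header arrives at a CGI backend as HTTP_REMOTE_USER, not as REMOTE_USER, so RT never sees it unless the backend promotes it explicitly; and since that promotion is a trust decision, the backend must accept it only from the proxy and must not run mod_auth_kerb itself, because the browser's service ticket was issued for the proxy's HTTP/ principal and cannot be validated with the RT host's keytab.

```apache
# Added example for the RT host (backend), not the thread's own configuration.
# Assumptions: Apache 2.2 syntax, RT under FastCGI (reads $ENV{REMOTE_USER}),
# proxy address 192.0.2.10 (placeholder), principal forwarded as X-Remote-User.

<Location /rt>
    # Trust boundary: only the reverse proxy may reach RT. Anyone who could
    # connect here directly would otherwise be able to supply the header.
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10

    # No mod_auth_kerb on this host: the browser's service ticket is for the
    # proxy's HTTP/ principal and cannot be decrypted with this host's keytab.

    # A request header is exported to CGI as HTTP_X_REMOTE_USER, never as
    # REMOTE_USER, so promote it explicitly. The pattern also rejects anything
    # that is not a plain principal name and drops the @KRB5.LOCAL realm so the
    # value matches the usernames created by ldap_import (assumption).
    RewriteEngine On
    RewriteCond %{HTTP:X-Remote-User} ^([A-Za-z0-9._-]+)(@KRB5\.LOCAL)?$
    RewriteRule .* - [E=REMOTE_USER:%1]
</Location>
```

On the proxy side the matching line would be `RequestHeader set X-Remote-User %{RU}e`; because `set` replaces any header the browser sent, a client cannot smuggle its own value through the proxy, and the `Allow from` restriction on the backend closes the path around it.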

Hi,

Why do you expect the remote server where you host RT to respect REMOTE_USER
and not to drop it? If a web server would pass remotely provided
REMOTE_USER further to an app without additional configuration then we
wouldn’t use it for authentication.

On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann <oliver.weinmann@telespazio-vega.de> wrote:


Best regards, Ruslan.

Hi,

there are these settings in RT:

tells RT to use the REMOTE_USER provided by the web server

Set($WebExternalAuth , 1);

tells RT to display its normal login screen if REMOTE_USER fails

Set($WebFallbackToInternalAuth , 1);

tells RT to create users automatically if no user matching REMOTE_USER is found

Set($WebExternalAuto , 1);

I have them all set except the last one as we use LDAPImport. So I would expect RT to not drop the REMOTE_USER. Or is this obsolete?

Best Regards,
Oliver

From: ruslan.zakirov@gmail.com [mailto:ruslan.zakirov@gmail.com] On Behalf Of Ruslan Zakirov
Sent: Tuesday, 3 September 2013 21:47
To: Oliver Weinmann
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb

Hi,

Why do you expect remote server where you host RT to respect REMOTE_USER and not to drop it? If a web server would pass remotely provided REMOTE_USER further to an app without additional configuration then we wouldn’t use it for authentication.

Hi,

Wed, Sep 4, 2013 at 10:37 AM, Oliver Weinmann <oliver.weinmann@telespazio-vega.de> wrote:


Best regards, Ruslan.

Hi,

thanks for the hint, but this doesn’t solve the issue yet.

I have done the following. I have tested the KRB5 setup on the host directly. This works fine.

I see this in the logs on the RT host.

Accessing the RT host directly:

[Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1628): [client xxxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1240): [client xxxx] Acquiring creds for HTTP@gedadvl05-clone
[Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1385): [client xxxx] Verifying client data using KRB5 GSS-API
[Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1401): [client xxxx] Client didn't delegate us their credential
[Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1420): [client xxxx] GSS-API token of length 181 bytes will be sent back
[Wed Sep 04 14:00:11 2013] [debug] mod_deflate.c(615): [client xxxx] Zlib: Compressed 43435 to 6091 : URL /rt/

Accessing via the reverse proxy:

[Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1628): [client xxxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1240): [client xxxx] Acquiring creds for HTTP@gedadvl05-clone
[Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1385): [client xxxx] Verifying client data using KRB5 GSS-API
[Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1401): [client xxxx] Client didn't delegate us their credential
[Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1420): [client xxxx] GSS-API token of length 9 bytes will be sent back
[Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1101): [client xxxx] GSS-API major_status:000d0000, minor_status:000186a5
[Wed Sep 04 14:02:55 2013] [error] [client xxxx] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, )
[Wed Sep 04 14:02:55 2013] [debug] mod_deflate.c(615): [client xxxx] Zlib: Compressed 482 to 326 : URL /rt/

I’m also not sure about the configuration of the RT host itself. Does it have to be Kerberos enabled too? I have this in /etc/apache2/httpd.conf:

#<Directory "/usr/share/request-tracker4/html">
AuthType Kerberos
AuthName "Request Tracker"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbVerifyKDC On
Krb5Keytab /etc/apache2/rtkeytab
KrbAuthoritative On
KrbSaveCredentials On
Require valid-user
AllowOverride None
#</Directory>

If I disable this I'm not logged in, but there is also no login (username/password) prompt displayed, and the RT website is shown, also when accessing via the proxy.

From: ruslan.zakirov@gmail.com [mailto:ruslan.zakirov@gmail.com] On Behalf Of Ruslan Zakirov
Sent: Wednesday, 4 September 2013 13:19
To: Oliver Weinmann
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb

Hi,