SSO with Znuny 6.4.5

Help with OTRS problems of all kinds
ANSY
Znuny newbie
Posts: 12
Joined: 25 Apr 2017, 10:34
Znuny Version: Znuny 6.4.5
Real Name: André Sydoriak

SSO with Znuny 6.4.5

Post by ANSY »

Hello,

I have been struggling for days with configuring SSO via LDAP/Kerberos with Znuny 6.4.5. LDAP login works without problems.
The OTRS log only reports "Need UserLogin or UserID!" or "Need User!".

I have already worked through the various forum posts about this error message. Something is still stuck somewhere, though.

Attached is my config; maybe someone can spot the error that I am not seeing...

Config.pm


# ---------------------------------------------------- #
# LDAP Setting for Agents
# ---------------------------------------------------- #
$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@domain.LOCAL';
$Self->{'AuthModule2'} = 'Kernel::System::Auth::LDAP';
# $Self->{'AuthModule::LDAP::UID'} = 'uid';
$Self->{'AuthModule::LDAP::Host2'} = 'domaingdc1.domain.local';
$Self->{'AuthModule::LDAP::BaseDN2'} = 'dc=domain,dc=local';
$Self->{'AuthModule::LDAP::UID2'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN2'} = 'CN=ROL_domainG_OTRS_Agents,OU=Rollen,OU=Gruppen,OU=domainG,OU=domain,DC=domain,DC=local';
$Self->{'AuthModule::LDAP::AccessAttr2'} = 'member';
$Self->{'AuthModule::LDAP::SearchUserDN2'} = 'domainG_Dienst.OTRS';
$Self->{'AuthModule::LDAP::SearchUserPw2'} = 'xyz';
$Self->{'AuthModule::LDAP::AlwaysFilter2'} = '';
$Self->{'AuthModule::LDAP::Params2'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};  # closing brace; the posted snippet ends here

zzz_otrs.conf


# --
# added for OTRS (http://otrs.org/)
# --

ScriptAlias /otrs/ "/opt/otrs/bin/cgi-bin/"
Alias /otrs-web/ "/opt/otrs/var/httpd/htdocs/"

<IfModule mod_perl.c>

    # Setup environment and preload modules
    Perlrequire /opt/otrs/scripts/apache2-perl-startup.pl

    # Reload Perl modules when changed on disk
    PerlModule Apache2::Reload
    PerlInitHandler Apache2::Reload

    # general mod_perl2 options
    <Location /otrs>
#        ErrorDocument 403 /otrs/customer.pl
        ErrorDocument 403 /otrs/index.pl
        SetHandler  perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv

        <IfModule mod_version.c>
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
            <IfVersion >= 2.4>
              Require all granted
            </IfVersion>
        </IfModule>
        <IfModule !mod_version.c>
            Order allow,deny
            Allow from all
        </IfModule>
    </Location>

    # mod_perl2 options for GenericInterface
    <Location /otrs/nph-genericinterface.pl>
        PerlOptions -ParseHeaders
    </Location>

</IfModule>

LoadModule auth_kerb_module usr/lib/apache2/modules/mod_auth_kerb.so

<Directory "/opt/otrs/bin/cgi-bin/">
    AllowOverride None
    AuthType Kerberos
    AuthName "OTRS"
    Krb5Keytab /etc/krb5.keytab
    KrbAuthRealms DOMAIN.LOCAL
    KrbServiceName HTTP/helpdesk.domain.local@DOMAIN.LOCAL
    KrbMethodNegotiate on
    KrbSaveCredentials off
    KrbMethodK5Passwd on
    KrbLocalUserMapping on
    Require valid-user
    Options +ExecCGI -Includes
    Order allow,deny
    Allow from all
</Directory>

<Directory "/opt/otrs/var/httpd/htdocs/">
    AllowOverride None

    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order allow,deny
        Allow from all
    </IfModule>

    <IfModule mod_filter.c>
        <IfModule mod_deflate.c>
            AddOutputFilterByType DEFLATE text/html text/javascript application/javascript text/css text/xml application/json text/json
        </IfModule>
    </IfModule>

    # Make sure CSS and JS files are read as UTF8 by the browsers.
    AddCharset UTF-8 .css
    AddCharset UTF-8 .js

    # Set explicit mime type for woff fonts since it is relatively new and apache may not know about it.
    AddType application/font-woff .woff

</Directory>

# Allow access to public interface for unauthenticated requests on systems with set-up authentication.
# Will work only for RegistrationUpdate, since page resources are still not loaded.
# <Location /otrs/public.pl>
#     <IfModule mod_version.c>
#         <IfVersion < 2.4>
#             Order allow,deny
#             Allow from all
#         </IfVersion>
#         <IfVersion >= 2.4>
#             Require all granted
#         </IfVersion>
#     </IfModule>
#     <IfModule !mod_version.c>
#         Order allow,deny
#         Allow from all
#     </IfModule>
# </Location>

<IfModule mod_headers.c>
    # Cache css-cache for 30 days
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css-cache">
        <FilesMatch "\.(css|CSS)$">
            Header set Cache-Control "max-age=2592000, must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache css thirdparty for 4 hours, including icon fonts
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css/thirdparty">
        <FilesMatch "\.(css|CSS|woff|svg)$">
            Header set Cache-Control "max-age=14400, must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache js-cache for 30 days
    <Directory "/opt/otrs/var/httpd/htdocs/js/js-cache">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=2592000, must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache js thirdparty for 4 hours
    <Directory "/opt/otrs/var/httpd/htdocs/js/thirdparty/">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=14400, must-revalidate"
        </FilesMatch>
    </Directory>
</IfModule>

# Limit the number of requests per child to avoid excessive memory usage
MaxRequestsPerChild 4000

error.log
[Mon Feb 20 15:19:39.138340 2023] [deflate:debug] [pid 416654] mod_deflate.c(854): [client 172.18.1.1:63260] AH01384: Zlib: Compressed 10446 to 3480 : URL /otrs/index.pl, referer: https://server.domain.local/otrs/index. ... sponseID=1
[Mon Feb 20 15:19:39.456837 2023] [ssl:debug] [pid 416654] ssl_engine_kernel.c(415): [client 172.18.1.1:63260] AH02034: Subsequent (No.2) HTTPS request received for child 11 (server server.domain.local:443), referer: https://server.domain.local/otrs/index. ... eID=194574
[Mon Feb 20 15:19:39.456910 2023] [authz_core:debug] [pid 416654] mod_authz_core.c(817): [client 172.18.1.1:63260] AH01626: authorization result of Require all granted: granted, referer: https://server.domain.local/otrs/index. ... eID=194574
[Mon Feb 20 15:19:39.456914 2023] [authz_core:debug] [pid 416654] mod_authz_core.c(817): [client 172.18.1.1:63260] AH01626: authorization result of <RequireAny>: granted, referer: https://server.domain.local/otrs/index. ... eID=194574
[Mon Feb 20 15:19:39.456933 2023] [auth_gssapi:debug] [pid 416654] mod_auth_gssapi.c(727): [client 172.18.1.1:63260] GSSapiImpersonate not On, skipping impersonation., referer: https://server.domain.local/otrs/index. ... eID=194574
[Mon Feb 20 15:19:39.667073 2023] [deflate:debug] [pid 416654] mod_deflate.c(854): [client 172.18.1.1:63260] AH01384: Zlib: Compressed 69280 to 11412 : URL /otrs/index.pl, referer: https://server.domain.local/otrs/index. ... eID=194574
[Mon Feb 20 15:19:39.846471 2023] [ssl:debug] [pid 416654] ssl_engine_kernel.c(415): [client 172.18.1.1:63260] AH02034: Subsequent (No.3) HTTPS request received for child 11 (server server.domain.local:443), referer: https://server.domain.local/otrs/index. ... eID=194575
[Mon Feb 20 15:19:39.846530 2023] [authz_core:debug] [pid 416654] mod_authz_core.c(817): [client 172.18.1.1:63260] AH01626: authorization result of Require all granted: granted, referer: https://server.domain.local/otrs/index. ... eID=194575
[Mon Feb 20 15:19:39.846534 2023] [authz_core:debug] [pid 416654] mod_authz_core.c(817): [client 172.18.1.1:63260] AH01626: authorization result of <RequireAny>: granted, referer: https://server.domain.local/otrs/index. ... eID=194575
[Mon Feb 20 15:19:39.846554 2023] [auth_gssapi:debug] [pid 416654] mod_auth_gssapi.c(727): [client 172.18.1.1:63260] GSSapiImpersonate not On, skipping impersonation., referer: https://server.domain.local/otrs/index. ... eID=194575
[Mon Feb 20 15:19:39.877880 2023] [deflate:debug] [pid 416654] mod_deflate.c(854): [client 172.18.1.1:63260] AH01384: Zlib: Compressed 1512 to 831 : URL /otrs/index.pl, referer: https://server.domain.local/otrs/index. ... eID=194575
Thanks,
ANSY
root
Administrator
Posts: 3954
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny

Re: SSO with Znuny 6.4.5

Post by root »

Hi,

I would start by cleaning up the web server configuration. There is no need to touch the regular Znuny configuration. Leave zzz_otrs.conf as it is shipped and create your own zzz_znuny.conf:

LoadModule auth_kerb_module usr/lib/apache2/modules/mod_auth_kerb.so
<Location "/otrs/index.pl">
AuthType Kerberos
AuthName "OTRS"
Krb5Keytab /etc/krb5.keytab
KrbAuthRealms DOMAIN.LOCAL
KrbServiceName HTTP/helpdesk.domain.local@DOMAIN.LOCAL
KrbMethodNegotiate on
KrbSaveCredentials off
KrbMethodK5Passwd on
KrbLocalUserMapping on
Require valid-user
</Location>

What puzzles me, though, are the auth_gssapi entries in your log alongside a configuration using mod_auth_kerb.
Next, I find the LoadModule suspicious. If you install mod_auth_kerb (I assume you are on Debian/Ubuntu), a2enmod MODULE is enough to enable it.

As long as there are no auth_kerb messages in the log, there is nothing to be done. The next steps:

- Check the web server configuration
- Is the Kerberos configuration right, does kinit work?
- Is the keytab OK? What does ktpass return when you check the keytab?
- Are the DNS A/CNAME and PTR records correct?

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes?
ANSY
Znuny newbie
Posts: 12
Joined: 25 Apr 2017, 10:34
Znuny Version: Znuny 6.4.5
Real Name: André Sydoriak

Re: SSO with Znuny 6.4.5

Post by ANSY »

Hello Roy,

Thanks for the hints. It already looks better.

I have created zzz_znuny.conf accordingly and restored zzz_otrs.conf to its original state.

The log now shows auth_kerb entries. Something is still wrong with the key table entry, though:
[Tue Feb 21 10:11:02.239977 2023] [auth_kerb:error] [pid 469866] [client 172.18.1.1:53106] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, No key table entry found for HTTP/helpdesk.domain.local@DOMAIN.LOCAL)
error.log
[Tue Feb 21 10:11:01.603138 2023] [ssl:debug] [pid 469887] ssl_engine_io.c(1102): [client 172.18.1.1:53078] AH02001: Connection closed to child 5 with standard shutdown (server helpdesk.domain.local:443)
[Tue Feb 21 10:11:02.207664 2023] [ssl:info] [pid 469866] [client 172.18.1.1:53106] AH01964: Connection to child 1 established (server provisioning1.domain.local:443)
[Tue Feb 21 10:11:02.207801 2023] [ssl:debug] [pid 469866] ssl_engine_kernel.c(2372): [client 172.18.1.1:53106] AH02043: SSL virtual host for servername helpdesk.domain.local found
[Tue Feb 21 10:11:02.209785 2023] [ssl:debug] [pid 469866] ssl_engine_kernel.c(2254): [client 172.18.1.1:53106] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Feb 21 10:11:02.210761 2023] [ssl:debug] [pid 469866] ssl_engine_kernel.c(415): [client 172.18.1.1:53106] AH02034: Initial (No.1) HTTPS request received for child 1 (server helpdesk.domain.local:443)
[Tue Feb 21 10:11:02.210809 2023] [authz_core:debug] [pid 469866] mod_authz_core.c(817): [client 172.18.1.1:53106] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Feb 21 10:11:02.210815 2023] [authz_core:debug] [pid 469866] mod_authz_core.c(817): [client 172.18.1.1:53106] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Feb 21 10:11:02.210823 2023] [auth_kerb:debug] [pid 469866] src/mod_auth_kerb.c(1963): [client 172.18.1.1:53106] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Feb 21 10:11:02.239637 2023] [ssl:debug] [pid 469866] ssl_engine_kernel.c(415): [client 172.18.1.1:53106] AH02034: Subsequent (No.2) HTTPS request received for child 1 (server helpdesk.domain.local:443)
[Tue Feb 21 10:11:02.239681 2023] [authz_core:debug] [pid 469866] mod_authz_core.c(817): [client 172.18.1.1:53106] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Feb 21 10:11:02.239687 2023] [authz_core:debug] [pid 469866] mod_authz_core.c(817): [client 172.18.1.1:53106] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Feb 21 10:11:02.239694 2023] [auth_kerb:debug] [pid 469866] src/mod_auth_kerb.c(1963): [client 172.18.1.1:53106] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Feb 21 10:11:02.239704 2023] [auth_kerb:debug] [pid 469866] src/mod_auth_kerb.c(1296): [client 172.18.1.1:53106] Acquiring creds for HTTP/helpdesk.domain.local@domain.LOCAL
[Tue Feb 21 10:11:02.239912 2023] [auth_kerb:debug] [pid 469866] src/mod_auth_kerb.c(1719): [client 172.18.1.1:53106] Verifying client data using KRB5 GSS-API with our SPNEGO lib
[Tue Feb 21 10:11:02.239965 2023] [auth_kerb:debug] [pid 469866] src/mod_auth_kerb.c(1735): [client 172.18.1.1:53106] Client didn't delegate us their credential
[Tue Feb 21 10:11:02.239970 2023] [auth_kerb:debug] [pid 469866] src/mod_auth_kerb.c(1754): [client 172.18.1.1:53106] GSS-API token of length 9 bytes will be sent back
[Tue Feb 21 10:11:02.239973 2023] [auth_kerb:debug] [pid 469866] src/mod_auth_kerb.c(1156): [client 172.18.1.1:53106] GSS-API major_status:000d0000, minor_status:96c73a2d
[Tue Feb 21 10:11:02.239977 2023] [auth_kerb:error] [pid 469866] [client 172.18.1.1:53106] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, No key table entry found for HTTP/helpdesk.domain.local@domain.LOCAL)
klist
sudo klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 HTTP/helpdesk.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
Checking the keytab gives:
sudo klist -kte /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
4 01.01.1970 01:00:00 HTTP/helpdesk.domain.local@domain.LOCAL (aes256-cts-hmac-sha1-96)
The date looks odd to me.

Something still seems to be off.
Where can I start?

Thanks,
ANSY
root
Administrator
Posts: 3954
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny

Re: SSO with Znuny 6.4.5

Post by root »

Hi,

I'll keep it short, because none of this has anything to do with Znuny:

1.) The keytab is most likely not OK. The Kerberos realm must ALWAYS be in upper case, i.e. hostname@DOMAIN.LOCAL
2.) Check DNS. If the hostname is server1.domain.local but Znuny is accessed as helpdesk.domain.local, then:
- Issue the keytab for the hostname
- The hostname should be a DNS A record with a correct PTR. And the PTR should point nowhere but to this one server.
- For IPv6, the same applies with AAAA if needed
- The FQDN for Znuny must be a CNAME: helpdesk.domain.local CNAME server1.domain.local

- Roy
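The keytab check from Roy's two lists (an entry for the SPN named in KrbServiceName, with the realm in upper case), as an added example that is not from the thread: a POSIX shell script that parses klist -kte output and reports whether the expected SPN is present with an upper-case realm. The sample klist output is constructed after the one posted above; the SPN and paths are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: check that the SPN Apache is
# configured with (KrbServiceName) exists in the keytab with an upper-case
# realm, the cause Roy names for "No key table entry found".

# Constructed sample modelled on the "klist -kte" output posted above.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 01.01.1970 01:00:00 HTTP/helpdesk.domain.local@domain.LOCAL (aes256-cts-hmac-sha1-96)'

# keytab_principals: from klist -k output on stdin (with or without -t), print
# one principal per line, skipping the header and separator lines.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { for (i = 2; i <= NF; i++) if ($i ~ /@/) { print $i; break } }'
}
# realm_is_upper PRINCIPAL: true when everything after '@' is upper-case.
realm_is_upper() {
    realm=${1##*@}
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}
# check_keytab EXPECTED_SPN: read klist output on stdin. Returns 0 when the SPN
# is present with an upper-case realm, 1 when the service principal exists only
# with a differently cased realm, 2 when there is no entry for the service.
check_keytab() {
    expected=$1
    service=${expected%@*}
    status=2
    for p in $(keytab_principals); do
        [ "${p%@*}" = "$service" ] || continue
        if [ "$p" = "$expected" ] && realm_is_upper "$p"; then
            echo "ok: $p"
            return 0
        fi
        echo "realm mismatch: keytab has $p, Apache expects $expected"
        status=1
    done
    [ "$status" -eq 2 ] && echo "missing: no keytab entry for $service"
    return "$status"
}

# Stand-alone run against the sample; on a real host pipe in the output of
#   sudo klist -kte /etc/krb5.keytab
if printf '%s\n' "$SAMPLE_KLIST" | check_keytab 'HTTP/helpdesk.domain.local@DOMAIN.LOCAL'; then
    echo "keytab matches the Apache configuration"
else
    echo "keytab needs to be reissued with the realm in upper case"
fi
```

Against the sample the script reports the realm mismatch between HTTP/helpdesk.domain.local@domain.LOCAL in the keytab and the upper-case realm Apache asks for, which is the situation in the posted log.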