I finally, after too many hours... days... got it working! (CentOS 7). Extra information...
my server's name is: feto1s080
realm: fednet.local
1. create user
-> samAccountName: ITMOTRSSSO
-> servicePrincipalName: HTTPS/feto1s080.fednet.local, HTTPS/feto1s080
-> userPrincipalName: HTTPS/feto1s080.fednet.local@FEDNET.LOCAL
2. create keytab
ktpass /princ HTTPS/feto1s080.fednet.local@FEDNET.LOCAL /mapuser ITMOTRSSSO@FEDNET.LOCAL /pass [password] /crypto ALL /ptype KRB5_NT_PRINCIPAL /kvno 0 /out ITMOTRSSSO.http.keytab
3. copy the keytab
I chose /etc/
4. Packages needed
yum install httpd
yum install krb5-workstation
yum install krb5-libs
yum install samba-client
yum install samba-winbind
yum install mod_auth_kerb
authconfig-tui
authconfig --update --enablewinbindusedefaultdomain
--update -> the "-" char was not the same on my keyboard; I had to copy the char from this link:
https://access.redhat.com/documentation ... -auth.html
kinit ITMOTRSSSO
net ads keytab add HTTP -U ITMOTRSSSO
If you get this error (if I remember correctly, when you try to start the winbind service):
"kerberos method" must be set to a keytab method to use keytab functions.
then add:
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
https://readthefuckingmanual.net/error/ ... -functions
Files needed
->/opt/otrs/Kernel/Config.pm
->/etc/httpd/conf.d/zzz_otrs.conf
->/etc/itmotrssso.https.keytab
->/etc/krb5.conf
->/etc/samba/smb.conf
Config.pm (only customers)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@FEDNET.LOCAL';
zzz_otrs.conf
<Directory "/opt/otrs/bin/cgi-bin/">
    AllowOverride None
    Options +ExecCGI -Includes
    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order allow,deny
        Allow from all
    </IfModule>
    <IfModule mod_filter.c>
        <IfModule mod_deflate.c>
            AddOutputFilterByType DEFLATE text/html text/javascript application/javascript text/css text/xml application/json text/json
        </IfModule>
    </IfModule>
    <Files "customer.pl">
        AuthType Kerberos
        AuthName "Kerberos AUTH"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbServiceName HTTPS/feto1s080.fednet.local
        Krb5Keytab /etc/itmotrssso.https.keytab
        Require valid-user
        KrbAuthRealms FEDNET.LOCAL
        KrbSaveCredentials off
    </Files>
</Directory>
krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_realm = FEDNET.LOCAL
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    FEDNET.LOCAL = {
        kdc = fednet.local:88
        admin_server = fednet.local:749
        kdc = FETO1S012.FEDNET.LOCAL
    }

[domain_realm]
    fednet.local = FEDNET.LOCAL
    .fednet.local = FEDNET.LOCAL
smb.conf
[global]
#--authconfig--start-line--
# Generated by authconfig on 2018/06/27 16:13:01
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
    workgroup = FEDNET
    password server = FETO1S012.FEDNET.LOCAL
    realm = FEDNET.LOCAL
    security = ads
    idmap config * : range = 16777216-33554431
    template shell = /sbin/nologin
    # kerberos method = secrets only
    winbind use default domain = true
    winbind offline logon = false
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/itmotrssso.https.keytab
# ....
logs
/var/log/httpd/ssl_error_log
/var/log/httpd/error_log
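As an added example (not from the original post), a small Python parser for the MIT keytab format (version 0x0502) that lists each entry's principal, kvno and enctype without ever printing key material, so you can confirm the keytab holds the SPN that KrbServiceName and KrbAuthRealms expect and see which legacy enctypes (single DES, RC4) `ktpass /crypto ALL` left in the file. The `build_keytab` helper and its dummy keys are constructed here only so the script runs offline; pass the path of the real file (e.g. /etc/itmotrssso.https.keytab) as the first argument to inspect it instead.

```python
import struct
import sys
# Enctype number -> (name, legacy?) per RFC 3961 / 3962 / 4757; single DES and RC4 are weak.
ENCTYPES = {1: ("des-cbc-crc", True), 3: ("des-cbc-md5", True), 23: ("arcfour-hmac", True),
            17: ("aes128-cts-hmac-sha1-96", False), 18: ("aes256-cts-hmac-sha1-96", False)}
cstr = lambda s: struct.pack(">H", len(s.encode())) + s.encode()  # counted octet string

def build_keytab(principal, kvno, enctype_keys, ts=1530110000):  # CONSTRUCTED sample builder
    # Version 0x0502 keytab, one entry per (enctype, key) pair, laid out as ktutil/ktpass do.
    name, realm = principal.split("@")
    comps, out = name.split("/"), b"\x05\x02"
    for enctype, key in enctype_keys:
        body = struct.pack(">H", len(comps)) + cstr(realm) + b"".join(cstr(c) for c in comps)
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)      # KRB5_NT_PRINCIPAL, time, vno8
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
        body += struct.pack(">I", kvno)                      # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body           # entry length prefix
    return out

def parse_keytab(data):
    # Returns (principal, kvno, enctype name, is_weak) per entry; key bytes are skipped.
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                 # deleted entry leaves a negative-sized hole
            pos += -size; continue
        body, off = data[pos:pos + size], 0; pos += size
        (ncomp,) = struct.unpack_from(">H", body, off); off += 2
        parts = []                   # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", body, off); off += 2
            parts.append(body[off:off + n].decode()); off += n
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", body, off); off += 9
        enctype, keylen = struct.unpack_from(">HH", body, off); off += 4 + keylen
        # An optional 32-bit kvno may follow the keyblock; it wins over vno8 when nonzero.
        vno = (struct.unpack_from(">I", body, off)[0] if len(body) - off >= 4 else 0) or vno8
        name, weak = ENCTYPES.get(enctype, (str(enctype), False))
        entries.append(("/".join(parts[1:]) + "@" + parts[0], vno, name, weak))
    return entries

if __name__ == "__main__":
    spn = "HTTPS/feto1s080.fednet.local@FEDNET.LOCAL"   # KrbServiceName@KrbAuthRealms
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_keytab(
        spn, 0, [(23, b"k" * 16), (17, b"k" * 16), (18, b"k" * 32)])  # constructed dummy keys
    entries = parse_keytab(data)
    for p, v, e, w in entries:
        print("%-45s kvno=%d %s%s" % (p, v, e, "  [WEAK]" if w else ""))
    print("SPN present:", any(p == spn for p, *_ in entries))
```

The same information is what `klist -kte` shows; the point of parsing it yourself is to script the check (SPN present, no legacy enctypes) without pasting anything secret into a ticket.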