kerberos auth problem

bootal · Post by **bootal** » 23 Nov 2023, 16:15

Hey, everybody.
I apologize for my English, this is machine translation.
I faced a problem after switching to LDAP authentication from HTTPBasic.
Initially for login customers used

Code: Select all

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
 $Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} ='@DOMEN.COM';

  $Self->{CustomerUser} = {
     Name => 'LDAP ALEX AD',
     Module => 'Kernel::System::CustomerUser::LDAP',
     Params => {
           # ldap host
           Host => 'ldap://dc01-dc1.domen.com/',
           # ldap base dn
           BaseDN => 'DC=domen,DC=com',
           SSCOPE => 'sub',
           UserDN => 'CN=SVC-OTRSQuery,OU=OTRS,OU=ServiceAccounts,DC=domen,DC=com',
           UserPw => 'zaq1@WSX',
 	   AlwaysFilter => '(&(objectCategory=organizationalPerson)(objectClass=User)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
           SourceCharset => 'utf-8',
           DestCharset   => 'utf-8',
           Params => {
                    port => 389,
                    timeout => 120,
                    async => 0,
                    version => 3,
           },
  },
  CustomerKey => 'sAMAccountName',
  CustomerID => 'mail',
  CustomerUserListFields => ['cn', 'mail'],
  CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
  CustomerUserSearchPrefix => '',
  CustomerUserSearchSuffix => '*',
  CustomerUserSearchListLimit => 250,
  CustomerUserPostMasterSearchFields => ['mail'],
  CustomerUserNameFields => ['givenname', 'sn'],
  CustomerUserExcludePrimaryCustomerID => 0,
  AdminSetPreferences => 0,
  CacheTTL => 30,
  Map => [
          [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
          [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
          [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
          [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
          [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
          [ 'UserCustomerID', 'CustomerID', 'mail',         0, 1, 'var', '', 0 ],
          [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
          [ 'UserDepartment', 'Department', 'department',      1, 0, 'var', '', 0 ],
          [ 'UserOffice',     'Office',     'office',          1, 0, 'var', '', 0 ],
          [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
          [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],

        ],

I needed to add a second domain for customers authorization.

It started to look like this

Code: Select all

---------------------------------------------------- #
    # User Configurations - Domain 1                       #
    # ---------------------------------------------------- #

$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'} = 'dc01-dc1.domen.com';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=domen,dc=com';
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::UserAttr1'} = 'DN';
    $Self->{'AuthSyncModule::LDAP::AccessAttr1'} = 'member';
	$Self->{'AuthModule::LDAP::GroupDN3'} = 'CN=OTRS Users,OU=OTRS,OU=Groups,DC=domen,DC=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=SVC-OTRSQuery,OU=OTRS,OU=ServiceAccounts,DC=domen,DC=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'pass';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];

# ---------------------------------------------------- #
    # User Configurations - Domain 2                       #
    # ---------------------------------------------------- #

$Self->{'AuthSyncModule2'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host2'} = 'ad-dc1.domen2.com';
    $Self->{'AuthSyncModule::LDAP::BaseDN2'} = 'dc=domen2,dc=com';
    $Self->{'AuthSyncModule::LDAP::UID2'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::UserAttr2'} = 'DN';
    $Self->{'AuthSyncModule::LDAP::AccessAttr2'} = 'member';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN2'} = 'CN=Moodle Service,OU=Service Accounts,DC=domen2,DC=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw2'} = 'pass2';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap2'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];

# ---------------------------------------------------- #
    # LDAP Configuration Settings for Domain 1 Customers   #
    # ---------------------------------------------------- #
    $Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host1'} = 'ldap://dc01-dc1.domen.com/';
    $Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'dc=domen,dc=com';
    $Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'DN';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr1'} = 'member';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'CN=SVC-OTRSQuery,OU=OTRS,OU=ServiceAccounts,DC=domen,DC=com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'pass';
    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };

$Self->{CustomerUser1} = {
        Name => 'LDAP Backend1',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host => 'dc01-dc1.domen.com',
            BaseDN => 'DC=domen,DC=com',
            SSCOPE => 'sub',
            UserDN => 'CN=SVC-OTRSQuery,OU=OTRS,OU=ServiceAccounts,DC=domen,DC=com',
            UserPw => 'pass',
            AlwaysFilter => '(objectclass=user)',
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',
        },
        CustomerKey => 'sAMAccountName',
        CustomerID => 'mail',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'givenname', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        CustomerUserExcludePrimaryCustomerID => 0,
        AdminSetPreferences => 0,
        CacheTTL => 0,
        Map => [
          [ 'UserTitle',      'Title',      'title',           						 1, 0, 'var', '', 0 ],
          [ 'UserFirstname',  'Firstname',  'givenname',     						 1, 1, 'var', '', 0 ],
          [ 'UserLastname',   'Lastname',   'sn',              						 1, 1, 'var', '', 0 ],
          [ 'UserLogin',      'Username',   'sAMAccountName',  						 1, 1, 'var', '', 0 ],
          [ 'UserEmail',      'Email',      'mail',         					     1, 1, 'var', '', 0 ],
          [ 'UserCustomerID', 'CustomerID', 'mail',           						 0, 1, 'var', '', 0 ],
          [ 'UserPhone',      'Phone',      'telephonenumber', 						 1, 0, 'var', '', 0 ],
          [ 'UserDepartment', 'Department', 'department',                            1, 0, 'var', '', 0 ],
          [ 'UserOffice',     'Office',     'physicalDeliveryOfficeName',            1, 0, 'var', '', 0 ],
          [ 'UserAddress',    'Address',    'postaladdress',                         1, 0, 'var', '', 0 ],
          [ 'UserComment',    'Comment',    'description',                           1, 0, 'var', '', 0 ],
        ],
    };

# ---------------------------------------------------- #
    # LDAP Configuration Settings for Domain 2 Customers   #
    # ---------------------------------------------------- #

$Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host2'} = 'ldap://ad-dc1.domen2.com/';
    $Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'dc=domen2,dc=com';
    $Self->{'Customer::AuthModule::LDAP::UID2'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::UserAttr2'} = 'DN';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr2'} = 'member';
	$Self->{'AuthModule::LDAP::GroupDN4'} = 'CN=OTRS Users,OU=OTRS,OU=Groups,DC=domen2,DC=com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN2'} = 'CN=Moodle Service,OU=Service Accounts,DC=domen2,DC=com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw2'} = 'pass2';
    $Self->{'Customer::AuthModule::LDAP::Params2'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };

$Self->{CustomerUser2} = {
        Name => 'LDAP Backend2',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host => 'ad-dc1.domen2.com',
            BaseDN => 'DC=domen2,DC=com',
            SSCOPE => 'sub',
            UserDN => 'CN=Moodle Service,OU=Service Accounts,DC=domen2,DC=com',
            UserPw => 'pass2',
            AlwaysFilter => '(objectclass=user)',
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',
        },
        CustomerKey => 'sAMAccountName',
        CustomerID => 'mail',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'givenname', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        CustomerUserExcludePrimaryCustomerID => 0,
        AdminSetPreferences => 0,
        CacheTTL => 0,
        Map => [
          [ 'UserTitle',      'Title',      'title',           						 1, 0, 'var', '', 0 ],
          [ 'UserFirstname',  'Firstname',  'givenname',     						 1, 1, 'var', '', 0 ],
          [ 'UserLastname',   'Lastname',   'sn',              						 1, 1, 'var', '', 0 ],
          [ 'UserLogin',      'Username',   'sAMAccountName',  						 1, 1, 'var', '', 0 ],
          [ 'UserEmail',      'Email',      'mail',         					     1, 1, 'var', '', 0 ],
          [ 'UserCustomerID', 'CustomerID', 'mail',           						 0, 1, 'var', '', 0 ],
          [ 'UserPhone',      'Phone',      'telephonenumber', 						 1, 0, 'var', '', 0 ],
          [ 'UserDepartment', 'Department', 'department',                            1, 0, 'var', '', 0 ],
          [ 'UserOffice',     'Office',     'physicalDeliveryOfficeName',            1, 0, 'var', '', 0 ],
          [ 'UserAddress',    'Address',    'postaladdress',                         1, 0, 'var', '', 0 ],
          [ 'UserComment',    'Comment',    'description',                           1, 0, 'var', '', 0 ],
        ],
    };

when trying to enter domen.com/otrs/customers.pl

kerberos authorization window pops up, and it accepts only accounts of the old domain, accounts of the new domain it does not accept.
If you pass authorization in this window, then the portal window appears, and both domain accounts work there.
What can it be?

Post by **root** » 23 Nov 2023, 17:10

Hi,

Before you continue with the Znuny configuration, you have to fix the Kerberos part with the Apache. Multi-domain requires afaik Trusts between the domains. Your domain administrator should be able to shine light on this.

- Roy

bootal · Post by **bootal** » 23 Nov 2023, 19:46

Thank you for your response. Domains in trust. About Apache, or rather I have HTTPD. In zzz_otrs.conf I didn't find anything related to kerberos.
The only thing I found is the auth_kerb module, but when you disable it, otrs stops working.

Post by **root** » 23 Nov 2023, 23:01

Hi,

The zzz_otrs.conf has, without modification, nothing to do with Kerberos. OTRS just takes the username from the request's environment.
You can see the username in the web server access log and there should be a domain component in it.

- Roy

bootal · Post by **bootal** » 24 Nov 2023, 09:36

root wrote: ↑23 Nov 2023, 23:01 The zzz_otrs.conf has, without modification, nothing to do with Kerberos. OTRS just takes the username from the request's environment.
You can see the username in the web server access log and there should be a domain component in it.

Hi
If the account is successfully entered, the access log shows the user name with the added domain. If we enter a new domain account, we see the following error

Code: Select all

[Thu Nov 23 16:35:13.590352 2023] [auth_kerb:error] [pid 3102] [client 10.1.254.14:65095] krb5_get_init_creds_password() failed: Preauthentication failed
[Thu Nov 23 16:35:15.263162 2023] [auth_kerb:error] [pid 3102] [client 10.1.254.14:65095] krb5_get_init_creds_password() failed: Preauthentication failed

Just if kerberos is not enabled anywhere, how does the authorization window appear.

Here is zzz_otrs itself, maybe I did not see kerberos authorization

Code: Select all

# --
# added for OTRS (http://otrs.org/)
# --

ScriptAlias /otrs/ "/opt/otrs/bin/cgi-bin/"
 Alias /otrs-web/ "/opt/otrs/var/httpd/htdocs/"
ServerName otrs.doemn.com
# ServerName dc01-shd-01.domen.com
# ServerAlias otrs.domen.com


<IfModule mod_perl.c>

    # Setup environment and preload modules
    Perlrequire /opt/otrs/scripts/apache2-perl-startup.pl

    # Reload Perl modules when changed on disk
    PerlModule Apache2::Reload
    PerlInitHandler Apache2::Reload

    # general mod_perl2 options
    <Location /otrs>
#        ErrorDocument 403 /otrs/customer.pl

	Options FollowSymLinks
#        AllowOverride None
#        Order allow,deny
#        Allow from all

        ErrorDocument 403 /otrs/index.pl
        SetHandler  perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv

#        <IfModule mod_version.c>
#            <IfVersion < 2.4>
#                Order allow,deny
#                Allow from all
#            </IfVersion>
#           <IfVersion >= 2.4>
#                Require all granted
#            </IfVersion>
#        </IfModule>
#        <IfModule !mod_version.c>
#            Order allow,deny
#            Allow from all
#        </IfModule>
    </Location>

    # mod_perl2 options for GenericInterface
    <Location /otrs/nph-genericinterface.pl>
        PerlOptions -ParseHeaders
    </Location>

</IfModule>

<Directory "/opt/otrs/bin/cgi-bin/">
## disable by Radek:
#   AllowOverride None


## enable by Radek:
    AllowOverride All
## end my changes

    Options +ExecCGI -Includes
        Order allow,deny
        Allow from all


</Directory>

<Directory "/opt/otrs/var/httpd/htdocs/">
    AllowOverride None

    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order allow,deny
        Allow from all
    </IfModule>

    <IfModule mod_filter.c>
        <IfModule mod_deflate.c>
            AddOutputFilterByType DEFLATE text/html text/javascript application/javascript text/css text/xml application/json text/json
         </IfModule>
    </IfModule>

    # Make sure CSS and JS files are read as UTF8 by the browsers.
    AddCharset UTF-8 .css
    AddCharset UTF-8 .js

    # Set explicit mime type for woff fonts since it is relatively new and apache may not know about it.
    AddType application/font-woff .woff

</Directory>

# Allow access to public interface for unauthenticated requests on systems with set-up authentication.
# Will work only for RegistrationUpdate, since page resources are still not be loaded.
# <Location /otrs/public.pl>
#     <IfModule mod_version.c>
#         <IfVersion < 2.4>
#             Order allow,deny
#             Allow from all
#         </IfVersion>
#         <IfVersion >= 2.4>
#             Require all granted
#         </IfVersion>
#     </IfModule>
#     <IfModule !mod_version.c>
#         Order allow,deny
#         Allow from all
#     </IfModule>
# </Location>

<IfModule mod_headers.c>
    # Cache css-cache for 30 days
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css-cache">
        <FilesMatch "\.(css|CSS)$">
            Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache css thirdparty for 4 hours, including icon fonts
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css/thirdparty">
        <FilesMatch "\.(css|CSS|woff|svg)$">
            Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache js-cache for 30 days
    <Directory "/opt/otrs/var/httpd/htdocs/js/js-cache">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache js thirdparty for 4 hours
    <Directory "/opt/otrs/var/httpd/htdocs/js/thirdparty/">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
    </Directory>
</IfModule>

# Limit the number of requests per child to avoid excessive memory usage
MaxRequestsPerChild 4000

Post by **root** » 24 Nov 2023, 10:53

Hi,

Exactly what I'm telling you. You need to fix your Kerberos authentication that is performed by the Apache httpd.

- Roy

bootal · Post by **bootal** » 28 Nov 2023, 09:18

Thanks for your help. The kerberos settings were in the .httpaccess file. But it was in a non-standard location /opt/otrs/bin/cgi-bin/.

Znuny Open Source Ticketsystem

kerberos auth problem

kerberos auth problem

Re: kerberos auth problem

Re: kerberos auth problem

Re: kerberos auth problem

Re: kerberos auth problem

Re: kerberos auth problem

Re: kerberos auth problem