RT4 & Kerberos & SSO & Ubuntu 10.04 & Apache 2 & AD & Windows Server & Adding User Data & a lot of Windows Clients

From Request Tracker Wiki

Unofficial Installation Guide

This is an unofficial installation guide. It may be outdated or apply only to very specific configurations and versions. The official and maintained installation steps for RT are in the README and UPGRADING documents included in the official .tar.gz packages.


Read this first: This is how I got SSO with Kerberos to work. So don't blame me if this doesn't work for your RT. Anyway, I hope that this will help you get through the awful Kerberos config. :)
I'm using MIT Kerberos. If you want to use Heimdal Kerberos, stop reading and good luck. :)

ADServer: PC where your Active Directory is situated (some Windows Server).
Rtmachine: Name of your RT-Server (in my case Ubuntu 10.04 - I guess it would work with any other Linux where RT can be run, some paths and commands may be different).
Kerb: Kerberos (I'm just too lazy to write Kerberos every time:)
Auth: Authentication
SSO: Single Sign-On

Requirements: A working RT.

Before we begin: Get yourself a cup of coffee. Ready to start?

---(Remarks are written in italic and are surrounded by brackets.)---

PART 1: Kerberos SSO

(still a bit under construction;)
-> powered by: mod_auth_kerb

0. Download and Setup (if you don't have it yet)

  • apache2-mpm-prefork
  • libapache2-mod-auth-kerb
  • krb5-config
  • krb5-clients
  • krb5-user
  • ntpdate
  • samba winbind
  • msktutil

...and everything that is also suggested by apt-get.

1. Make Backups!

  • /etc/apache2/httpd.conf
  • /etc/krb5.conf
  • /etc/samba/smb.conf
  • /etc/ntp.conf

2. Edit the following configs

a) ntp.conf
        server (IP of your time server)
        server timeserver.workgroup.com (FQDN of your time server)

(Why ntp.conf? For Kerb authentication, server and client must not have a time difference of more than 5 minutes.)

b) krb5.conf (more information at http://linux.die.net/man/5/krb5.conf)
        [libdefaults]
            default_realm = WORKGROUP.COM
            default_tkt_enctypes = rc4-hmac-md5 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1 (I'm not sure about that, so I put everything in there :)
            default_tgs_enctypes = rc4-hmac-md5 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
            ticket_lifetime = 1728000
            default_keytab_name = "WRFILE:/etc/apache2/http.keytab" (the keytab you're going to create and use)
            clockskew = 300 (time difference for server and client)
            krb4_config = /etc/krb.conf
            krb4_realms = /etc/krb.realms
            kdc_timesync = 1
            ccache_type = 4
            forwardable = true
            proxiable = true
        [realms]
            WORKGROUP.COM = {
                kdc = ADSERVER.WORKGROUP.COM
                admin_server = ADSERVER.WORKGROUP.COM
                default_domain = WORKGROUP.COM
            }
        [domain_realm]
            workgroup.com = WORKGROUP.COM
            .workgroup.com = WORKGROUP.COM
c) smb.conf
        [global]
        security = ADS
        netbios name = RTMACHINE
        realm = WORKGROUP.COM
        unix charset = ISO-8859-15
        workgroup = WORKGROUP
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
        client ntlmv2 auth = yes (INCREDIBLY important for all Windows clients newer than XP, since they all use NTLMv2 unless you configured it differently.)
        encrypt passwords = yes
        restrict anonymous = 2
        domain master = no
        local master = no
        preferred master = auto
        os level = 0
        log file = /var/log/samba/smb.log.%m (writes a separate log for each machine)
        log level = 3 (logs a lot, but not everything)
        kerberos method = system keytab (uses a keytab)
d) httpd.conf (tell Apache what to do, see http://modauthkerb.sourceforge.net/configure.html)
         (Although I use RT4, this is my path because of updating the old RT3.8.)
            AuthType Kerberos (sets authentication to Kerberos)
            AuthName "Request Tracker"
            KrbMethodNegotiate On
            KrbMethodK5Passwd On
            KrbVerifyKDC On (To test Kerb and to see how your auth should behave, set it to Off. But remember to switch it back to On to get a real Kerb auth.)
            Krb5Keytab /etc/apache2/http.keytab
            KrbAuthoritative On
            KrbSaveCredentials On
            Require valid-user
            AllowOverride None
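
An added check, not part of the original guide: `audit_enctypes` and `enctypes_clean` (hypothetical helper names) read the enctype lists from a krb5.conf like the one in 2 b) and label each entry, following RFC 6649 (single DES deprecated) and RFC 8429 (3DES and RC4 deprecated). The sample file is constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: label the enctypes listed in a krb5.conf [libdefaults] section.
# Labels follow RFC 6649 (single DES) and RFC 8429 (3DES, RC4).

audit_enctypes() {   # $1: path to a krb5.conf-style file
    awk '
        /^[ \t]*\[/ { section = $0; gsub(/[^A-Za-z_]/, "", section); next }
        section != "libdefaults" { next }
        /^[ \t]*(default_t(kt|gs)_enctypes|permitted_enctypes)[ \t]*=/ {
            split($0, kv, "=")
            key = kv[1]; gsub(/[ \t]/, "", key)
            n = split(kv[2], types, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                t = types[i]
                if (t == "") continue
                if      (t ~ /^des-cbc-/)           label = "WEAK-DES"
                else if (t ~ /^(rc4|arcfour)-hmac/) label = "DEPRECATED-RC4"
                else if (t ~ /^des3-/)              label = "DEPRECATED-3DES"
                else if (t ~ /^aes(128|256)-/)      label = "ok"
                else                                label = "unknown"
                print key, t, label
            }
        }
    ' "$1"
}

# Succeeds only when no listed enctype carries a label other than "ok".
enctypes_clean() {
    ! audit_enctypes "$1" | grep -qv ' ok$'
}

# Constructed sample that reuses enctype names from the config above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
    default_realm = WORKGROUP.COM
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des3-hmac-sha1
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
    WORKGROUP.COM = {
        kdc = ADSERVER.WORKGROUP.COM
    }
EOF
audit_enctypes "$sample"
enctypes_clean "$sample" || echo "weak or deprecated enctypes listed"
```

Run against the real file, the parenthesised remarks from this guide would show up as `unknown` tokens, so strip them from /etc/krb5.conf first.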

3. Add your RT Server to the Active Directory

net ads join -U username

...And reset the machine password in the AD (default password = name of RT server).

4. Create a keytab with msktutil (with root account!!)

(See https://fuhm.net/software/msktutil/ for more details.)

sudo kinit username@WORKGROUP.COM # (a user with rights to add PCs to the AD)
sudo msktutil -c -k /etc/apache2/http.keytab --verbose # (verbose shows what msktutil is actually doing, -c means create, -k uses the specified file)
sudo msktutil -s HTTP/rtmachine.workgroup.com -k /etc/apache2/http.keytab -h rtmachine.workgroup.com --computer-name RTMACHINE --upn HTTP/rtmachine.workgroup.com --server adserver.workgroup.com

sudo klist -k /etc/apache2/http.keytab # (to check everything has gone right)

5. Restart daemons & change the owner of the created keytab

sudo service nmbd restart
sudo service smbd restart
sudo service ntp restart
sudo service apache2 restart
sudo chown www-data /etc/apache2/http.keytab
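
An added verification sketch for steps 4 and 5, not part of the original guide: it confirms that the keytab is owned by the Apache account with no group or other access, and that the expected HTTP principal is listed. `check_keytab` and `keytab_has_spn` are hypothetical helper names, the klist output is constructed, and GNU `stat` is assumed.

```bash
#!/usr/bin/env bash
# Added example: post-setup checks for the keytab created in step 4.

check_keytab() {   # $1: keytab path, $2: expected owner (name or numeric uid)
    local path="$1" want="$2" owner uid mode
    [ -f "$path" ] || { echo "missing: $path"; return 2; }
    owner=$(stat -c '%U' "$path"); uid=$(stat -c '%u' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$owner" != "$want" ] && [ "$uid" != "$want" ]; then
        echo "owner is $owner, expected $want"; return 1
    fi
    # Group/other bits would let other local accounts read the service key.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "mode $mode grants group/other access"; return 1
    fi
    echo "ok: $path owner=$owner mode=$mode"
}

keytab_has_spn() {   # stdin: `klist -k` output, $1: expected principal
    awk -v want="$1" 'NR > 3 && $2 == want { found = 1 } END { exit !found }'
}

# Constructed klist -k output for the SPN used in this guide.
sample_klist='Keytab name: FILE:/etc/apache2/http.keytab
KVNO Principal
---- --------------------------------------------------
   2 HTTP/rtmachine.workgroup.com@WORKGROUP.COM'

# Demo on a stand-in file; on the RT server the call would be
#   check_keytab /etc/apache2/http.keytab www-data
demo=$(mktemp)
chmod 600 "$demo"
check_keytab "$demo" "$(id -u)"
chmod 644 "$demo"
check_keytab "$demo" "$(id -u)" || true
printf '%s\n' "$sample_klist" | keytab_has_spn HTTP/rtmachine.workgroup.com@WORKGROUP.COM \
    && echo "SPN present"
```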

6. Change RT_SiteConfig.pm to use your Kerb config

Set($WebExternalAuth, 1); # (forces RT to use an authentication other than the internal one)
Set($WebExternalAuto, 1); # (creates users not found in the database logging in with Kerb)
Set($AutoCreateNonExternalUsers, 1);  # (auto-creates all new users who log in by using the login screen)
Set($AutoCreate, {Privileged => 1}); # (sets all newly added users as privileged users)
Set($WebFallbackToInternalAuth, 1);  # (if there is something wrong with your Kerb config, RT will switch back to the normal login screen)
Set($WebExternalAuthContinuous, 1); # (for staying logged in when changing sites)
Set($WebExternalGecos, undef); # (won't use the Gecos field as a username)
Set($ExternalServiceUsesSSLorTLS, 1); # (If you configured a secure connection before - otherwise set it to 0)

WebExternalAuth and ExternalAuth won't get along with each other...
-> So use LDAPImport for getting user data from the AD. (follows down below)

7. Restart Apache again

sudo service apache2 restart # (or /etc/init.d/apache2 restart or apache2ctl restart - whatever you like :)

By now you should be able to use SSO with your RT, provided the user you want to log in with exists in the RT database. Congrats so far!
Let's go on with the last step. :)

PART 2: Getting user data from the AD

-> powered by LDAPImport-Extension

8. Download RT-Extension-LDAPImport

from CPAN (http://search.cpan.org/~falcone/RT-Extension-LDAPImport-0.31/lib/RT/Extension/LDAPImport.pm) and install it.

9. Customize RT_SiteConfig.pm again

 Set(@Plugins, [...], qw(RT::Extension::LDAPImport)); # (add the plugin to your plugin list)
 Set($LDAPHost, 'adserver.workgroup.com'); # (use the DC to get your information)
 Set($LDAPUser, 'workgroup\readinguser'); # (use a specific user with rights to read from the AD)
 Set($LDAPPassword, 'password'); # (the user's password)
 Set($LDAPBase, 'OU=Users, DC=workgroup, DC=com'); # (the LDAP base where the search shall start)
 Set($LDAPFilter, '(&(objectCategory=person)(objectClass=User))'); # (only use the Users, not everything)
 Set($LDAPMapping, {Name => 'userPrincipalName', # (now set what you want RT to know about your users, more information at: http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm)
                    EmailAddress => 'mail',
                    RealName => 'cn',
                    WorkPhone => 'userPrincipalName',
                    Organization => 'company',
                    FreeformContactInfo => 'description',
                    City => 'l',
                    Address1 => 'physicalDeliveryOfficeName',
                    Address2 => 'department',
                    Gecos => '',
                   });
 Set($LDAPGroupName, 'user'); # (group name for added users in RT)
 Set($LDAPUpdateUsers, 1); # (if something has changed, update it...)
 Set($LDAPUpdateOnly, 1); # (...but update only for now - you can set it later to 0, but this can be very useful for the first try.)

10. Configure your cronjobs

sudo crontab -e

...and add the following line:

0 0 * * * sudo perl /opt/rt3/local/plugins/RT-Extension-LDAPImport/bin/rtldapimport --import

(imports users every day at 0:00 am)

That's it! If you've come this far, all I can say now is: Congratulations! You're now using Kerberos to authenticate your users.

I hope you understood everything, due to the fact that English is not my native language.
Although this way is not perfect (I had to learn all this by myself), it works (somehow). Still, I'm getting some errors in the logs, but the auth works pretty well so that the users won't notice the little problems at all.
If you know how to improve my solution feel free to update this tutorial. :)

Thanks to: BestPractical for making me use RT, the Forums & Mailing Lists, above mentioned websites, all folks who helped me and Slagsmålsklubben for their great music helping me through the dark shallows of Kerberos.:) Declaya 12:58, June 12, 2012 (UTC)