Apache Single Sign On trabalhando em 1 de 2 portais

tag-icon tag-icon apache-2.2 active-directory ldap kerberos single-sign-on
Apache Single Sign On trabalhando em 1 de 2 portais

Eu uso um sistema de helpdesk em nossa intranet que configurei para login único via LDAP/Active Directory.

O próprio servidor de helpdesk reside em uma caixa do servidor Ubuntu 16.04 rodando em Apache, versão do servidor: Apache/2.4.18 (Ubuntu) Servidor construído: 2018-04-18T14:53:04

Possui dois portais, um para os Agentes fazerem login e outro para os Clientes/Usuários Finais fazerem login e verificarem os tickets que colocaram.

Eu tenho o cliente funcionando, ele faz login automaticamente e funciona perfeitamente.

No entanto, o Portal do Agente ainda está enfrentando problemas. O LDAP/AD funciona bem, porque os agentes ainda podem autenticar usando suas credenciais do Active Directory; no entanto, ele não os registra perfeitamente via SSO como deveria.

Estou recebendo os erros atuais no meu log do Apache e não tenho certeza do que eles estão tentando me dizer.

[Fri Sep 07 06:26:01.351695 2018] [auth_kerb:debug] [pid 64957] src/mod_auth_kerb.c(1971): [client 10.1.11.57:50052] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Sep 07 06:26:01.351711 2018] [core:trace3] [pid 64957] request.c(119): [client 10.1.11.57:50052] auth phase 'check user' gave status 401: /scp/tickets.php
[Fri Sep 07 06:26:01.351747 2018] [http:trace3] [pid 64957] http_filters.c(1129): [client 10.1.11.57:50052] Response sent with status 401, headers:
[Fri Sep 07 06:26:01.351754 2018] [http:trace5] [pid 64957] http_filters.c(1136): [client 10.1.11.57:50052]   Date: Fri, 07 Sep 2018 13:26:01 GMT
[Fri Sep 07 06:26:01.351760 2018] [http:trace5] [pid 64957] http_filters.c(1139): [client 10.1.11.57:50052]   Server: Apache
[Fri Sep 07 06:26:01.351768 2018] [http:trace4] [pid 64957] http_filters.c(958): [client 10.1.11.57:50052]   WWW-Authenticate: Negotiate
[Fri Sep 07 06:26:01.351774 2018] [http:trace4] [pid 64957] http_filters.c(958): [client 10.1.11.57:50052]   WWW-Authenticate: Basic realm=\\"Kerberos Login\\"
[Fri Sep 07 06:26:01.351780 2018] [http:trace4] [pid 64957] http_filters.c(958): [client 10.1.11.57:50052]   Content-Length: 381
[Fri Sep 07 06:26:01.351793 2018] [http:trace4] [pid 64957] http_filters.c(958): [client 10.1.11.57:50052]   Keep-Alive: timeout=5, max=100
[Fri Sep 07 06:26:01.351799 2018] [http:trace4] [pid 64957] http_filters.c(958): [client 10.1.11.57:50052]   Connection: Keep-Alive
[Fri Sep 07 06:26:01.351804 2018] [http:trace4] [pid 64957] http_filters.c(958): [client 10.1.11.57:50052]   Content-Type: text/html; charset=iso-8859-1
[Fri Sep 07 06:26:01.351826 2018] [core:trace6] [pid 64957] core_filters.c(525): [client 10.1.11.57:50052] core_output_filter: flushing because of FLUSH bucket
[Fri Sep 07 06:26:01.352918 2018] [core:trace5] [pid 64957] protocol.c(653): [client 10.1.11.57:50052] Request received from client: GET /scp/tickets.php HTTP/1.1
[Fri Sep 07 06:26:01.352952 2018] [http:trace4] [pid 64957] http_request.c(394): [client 10.1.11.57:50052] Headers received from client:
[Fri Sep 07 06:26:01.352958 2018] [http:trace4] [pid 64957] http_request.c(398): [client 10.1.11.57:50052]   Host: osticket.mydomain.com
[Fri Sep 07 06:26:01.352964 2018] [http:trace4] [pid 64957] http_request.c(398): [client 10.1.11.57:50052]   Connection: keep-alive
[Fri Sep 07 06:26:01.352976 2018] [http:trace4] [pid 64957] http_request.c(398): [client 10.1.11.57:50052]   Authorization: Negotiate YIIH7QYGKwYBBQUCoIIH4TCCB92gMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCB6cEggejYIIHnwYJKoZIhvcSAQICAQBuggeOMIIHiqADAgEFoQMCAQ6iBwMFACAAAACjggW9YYIFuTCCBbWgAwIBBaENGwtOSFNPQ0FMLkNPTaInMCWgAwIBAqEeMBwbBEhUVFAbFG9zdGlja2V0Lm5oc29jYWwuY29to4IFdDCCBXCgAwIBF6EDAgEMooIFYgSCBV51E6PV42YBaCCG0Zr20SuBkqOyNzqw9CfixGSgwnhJ/892+uP6Ep+n+paE3vElApTDA5J5ufzYzpL8m+u2uIO8/RECD5c5yCee1qH8s4LKCa9Idjs36032eeQvhLe9GUaD3FOkBzTxdbjZty4mgqqcRXQDfJpEYVsTAlBAOVYPDkI/nQVZz00VEKklrQxw6bDupXX77W8iaksZ9CsA/M93kSvAKFKz5fskM9n9mCQ0W9YfQwBU4A3ni83byitdXePQ1g6oaVkpaX3avj6nD2YP3qG0ekyOirQ41JTcXud8RBRJhYkrqRy+ttws34RCjOwY6JlvOu7WdQSgppkGSXbH+bnMpcoM7fg3m1t0CfGvdI4NRr/5+r7YSkMEetkOiBu49jlz5AM7LU3m2Z5d8ZnaXtWfuAvv+26Skz+UR4+t6GlsKPxycBsx+LfGETtVGqwWbAwq9T9fCF7blPgEM8qdCNcR16QVc9RvLg+avDUFkrPysvIR10xtgoqdLfje2aUZL1mXcpLWzljjPm7J9RhZaWFqwXwBEShYwnvwys3ommWCCFOANrwccYuf6XcSdEF6/7srZdJhXu4orRrGyJbzkKikIU6wkyqiOyygJTDptw8kNXEZTcK3FLra3NG6Y3iRaw25f0b0Wv9cwGcTcIdn8lss2TowE91Q35csEq4ASq2bfZoq7aP384vuSOhLO0NgwxGZcF9nIEk3BqFPCdoBjsZbfKxPgSRN8WCVOscgiyWtLK4niQCa3hxYGI2po3ONIaXknR7WkcotSAk9hozeK3YiIcx5tNJkY0AWOslRMPbk3yn+e8KaOF1abtTKfp2zU96XQqdrArGh2a/ZOkea0JmcEMWKWmzlr+MUoHZfalu4ed8q5N2Ij80q6oRrnoTwINuxShOwae/N/PwGKv74fJAe/MBaHRi/glCQ7clnljDSkx40Cz+8BzNhrH1iE8vug++U14/a4Epi1Hw5YWEabskIriyz6mM0CB9afNXvkHNrNkknSDZRekV3HzWv0kHlb3rV9QKWsO0Esv12H4INga/tOggKEE4KOOV+Wm3KzHyR7vuoHUOYEOsb1LgSDcJkjl9h61RReRvHcmWKsWZUrmZJpRr7sACEgkbssCyHD4Be/78REQ4THGOZXnkm584zBTtqh4ARS3Yn09iJAQA7YxjltNGMn2/ELXJEvdiFbDkjqFMWLnTnzqrMjSzl2gwt24fxtuZeg7y+c0YkMoUMdVGMBT5bYQzyQJ9InuzYAueUrUBzrQUPEgsBokJUR2XwsFHSSC8lFjbpeN0GYK/w1kcuxg4QTQYosg1LopDUJMSJkPYE0oITntp9BQFMYw8NopxHzFgS7W6wPeT1e1SiKxtZJlD0AoOrDoHhKcZ6qCxD0avG8GnHQqG1mU06IALsdZxMeZgWjI72cWFJnD7q9VuHs4n/P6h3OIlnIaJaQo2kXnO1+ux/WZs4g02p58GCjvyLjdvhoAnrnAABrKcVVmzZYNXW5wqURQrbw2z/NgLb6OXuJ4OsY7V6B+WHaAZXdUVsoogA3rtNR5mOF0iiTfH/w3W4U7J0bYKx5RI3qEvT9Jr8io3A+6V9l2awr3l1LtbeBNNH0SXIVGoK3TUdh9vsMADv+BRnagwaH4dDE+APbARbY7VuN8Tac62p8t2yauZ+VDIqSN2GWQm6yNqzPExkv11U5d5TdLd1HHO56KDl4y4lLI4Z2r4NVx6sfom9oyvPfzFb+ILHwqdv6FouT7FmvUNUXJvwK9E893HrGWyJmucsccVhesmz2gBckLVCUNC3fGicz9kwAWcML8jagNfN7jlq22jWhRgjx36kggGyMIIBrqADAgEXooIBpQSCAaENAXuNi/bVhghzIIWTYrRObL/hWcbX1pUE5O7MzVptiT0RBeWTrWv/tMtLDMDCnHCGusN3pOQ7t9/2XgYSLfm/ufKl/FrbSGLLdC0NWbJt/1Bm4mCqcjq1eZ5rLtb3zd4KhAIudyGDdeirBgikNOSZjmjEtNVcuEfw/egc8XMlp5va0EdJx2EW4M1fCLtfF3h1pcqKPUKGpiC5CM/0ldgzobuIF6hMafX7getRHsdjiqb65DKAvsgRJEKnZsZNtjJ/XaelOsDqPAOnHnGeindMwcJQVBuqNQpAi0d1+UKCJnLC2tXIruE3KcyvbP0fKqCVsHeX6J27WG8s58HpdrLMl/xwDEHGs5kEMfBpbDjUo7uGSikX4JlxO+rY6SIXk1pdBMlINLq+Fbhj5newJ1ptkwSXsSY79HW6+4R12aE9P3q4ffMt8ehtol6cMzXhW+Bsv/rRXoNEvRtRa/dCUE0lukJ+oWTwWO5hHhksJzrRxu9VSE34SP+9rkeZ4x/IwciiUFo8eejit04OzcnplKIDhpaPpSmY7ZAYesD2pwjEKwI=
[Fri Sep 07 06:26:01.352989 2018] [http:trace4] [pid 64957] http_request.c(398): [client 10.1.11.57:50052]   Accept: */*
[Fri Sep 07 06:26:01.352999 2018] [http:trace4] [pid 64957] http_request.c(398): [client 10.1.11.57:50052]   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
[Fri Sep 07 06:26:01.353005 2018] [http:trace4] [pid 64957] http_request.c(398): [client 10.1.11.57:50052]   Accept-Encoding: gzip, deflate
[Fri Sep 07 06:26:01.353010 2018] [http:trace4] [pid 64957] http_request.c(398): [client 10.1.11.57:50052]   Accept-Language: en-US,en;q=0.9
[Fri Sep 07 06:26:01.353015 2018] [http:trace4] [pid 64957] http_request.c(398): [client 10.1.11.57:50052]   Cookie: OSTSESSID=f7udqsee20qr32mmg9loh7aci5
[Fri Sep 07 06:26:01.353054 2018] [authz_core:debug] [pid 64957] mod_authz_core.c(809): [client 10.1.11.57:50052] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Fri Sep 07 06:26:01.353062 2018] [authz_core:debug] [pid 64957] mod_authz_core.c(809): [client 10.1.11.57:50052] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Fri Sep 07 06:26:01.353069 2018] [auth_kerb:debug] [pid 64957] src/mod_auth_kerb.c(1971): [client 10.1.11.57:50052] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Sep 07 06:26:01.353102 2018] [auth_kerb:debug] [pid 64957] src/mod_auth_kerb.c(1722): [client 10.1.11.57:50052] Verifying client data using KRB5 GSS-API with our SPNEGO lib
[Fri Sep 07 06:26:01.353619 2018] [auth_kerb:debug] [pid 64957] src/mod_auth_kerb.c(1738): [client 10.1.11.57:50052] Client didn't delegate us their credential

Abaixo estão minhas configurações de Apache, Kerberos e SMB.

<VirtualHost osticket.domain.com:80>
#RewriteEngine On
#RedirectMatch ^/view.php$ /tickets.php
#RedirectMatch ^/account.php$ /tickets.php
ServerName osticket.domain.com
ServerAlias osticket
ServerAdmin [email protected]
DocumentRoot /var/www/osticket/upload
LogLevel trace8
#LogLevel debug
ErrorLog ${APACHE_LOG_DIR}/osticket_error.log
CustomLog ${APACHE_LOG_DIR}/osticket_access.log combined
<Location />
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms DOMAIN.COM
KrbServiceName Any
Krb5Keytab "/etc/krb5.keytab"
KrbSaveCredentials On
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbVerifyKDC Off
require valid-user
</Location>
</VirtualHost>

KRB5.CONF

[logging]
        default = FILE:/var/log/kerberos.log
[libdefaults]
        default_realm = DOMAIN.COM
        dns_lookup_realm = true
        dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        DOMAIN.COM = {
                kdc = 10.1.10.15
                master_kdc = 10.1.10.15
                admin_server = 10.1.10.15
                default_domain = DOMAIN.COM
        }
[domain_realm]
        .domain.com = DOMAIN.COM
        domain.com = DOMAIN.COM
[login]
        krb4_convert = true
        krb4_get_tickets = false

SMB.CNF

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = DOMAIN
   realm = DOMAIN.COM
   netbios name = osticket
   security = ADS
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   passdb backend = tdbsam
   kerberos method = dedicated keytab
   dedicated keytab file = /etc/krb5.keytab
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   password server = 10.1.10.15
   encrypt passwords = yes
   #machine password timeout = 0 #needed when using only the machine account

informação relacionada