Trac + kerberos auth against Active Directory

lionel3030
Hi, I have Trac 0.11.5 and Apache 2 + Kerberos. Each time I authenticate, it shows my full email address instead of my username only. The server was rebooted a month ago and this issue started around that point. I looked everywhere to no avail, and if I put KerbLocalUserMapping on, Apache tells me about a syntax error, as I thought it was the only way to strip the @domain.com for auth.
Any help is greatly appreciated

cjl7

Commented:
Hi,

Do you need to specify @domain for auth, or does it show up afterwards when you are logged in?

The Kerberos module defaults to the realm that you have configured in your krb5.conf and normally you shouldn't need to specify it.

//jonas

Author

Commented:
thanks for answering,
It shows up afterward. It causes confusion, as tickets cannot be seen under username@domain.com, when before it was only username.

Author

Commented:
Here is what I have in my krb5.conf:
[libdefaults]
        default_realm = DOMAIN.COM
        ticket_lifetime = 24000
        dns_lookup_realm = false
        dns_lookup_kdc = false

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        DOMAIN.COM = {
                kdc = domain.com:88
                admin_server = domain.com
        }
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu:88
                kdc = kerberos-1.mit.edu:88
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        MEDIA-LAB.MIT.EDU = {
                kdc = kerberos.media.mit.edu
                admin_server = kerberos.media.mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        MOOF.MIT.EDU = {
                kdc = three-headed-dogcow.mit.edu:88
                kdc = three-headed-dogcow-1.mit.edu:88
                admin_server = three-headed-dogcow.mit.edu
        }
        CSAIL.MIT.EDU = {
                kdc = kerberos-1.csail.mit.edu
                kdc = kerberos-2.csail.mit.edu
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
                krb524_server = krb524.csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        GNU.ORG = {
                kdc = kerberos.gnu.org
                kdc = kerberos-2.gnu.org
                kdc = kerberos-3.gnu.org
                admin_server = kerberos.gnu.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        GRATUITOUS.ORG = {
                kdc = kerberos.gratuitous.org
                admin_server = kerberos.gratuitous.org
        }
        DOOMCOM.ORG = {
                kdc = kerberos.doomcom.org
                admin_server = kerberos.doomcom.org
        }
        ANDREW.CMU.EDU = {
                kdc = vice28.fs.andrew.cmu.edu
                kdc = vice2.fs.andrew.cmu.edu
                kdc = vice11.fs.andrew.cmu.edu
                kdc = vice12.fs.andrew.cmu.edu
                admin_server = vice28.fs.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementia.org
                kdc = kerberos2.dementia.org
                admin_server = kerberos.dementia.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                master_kdc = krb5auth1.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }
[domain_realm]
        .domain.com = DOMAIN.COM
        domain.com = DOMAIN.COM
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU

[login]
        krb4_convert = true
        krb4_get_tickets = false

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Author

Commented:
And this is my default-ssl conf file, where the auth is supposedly being made:
SetHandler mod_python
PythonInterpreter main_interpreter
PythonHandler trac.web.modpython_frontend
# PythonOption TracEnv /mnt/data/trac
PythonOption TracEnvParentDir /mnt/data/trac
# PythonOption TracUriRoot /trac/

# Kerberos
AuthName "Authorized Access Required"
AuthType Kerberos
Krb5Keytab /mnt/data/apache2/ssl/auth_kerb.keytab
KrbAuthRealm DOMAIN.COM
KrbMethodNegotiate off
KrbSaveCredentials off
KrbVerifyKDC off
Require valid-user
Commented:
Which authentication module are you using for Kerberos authentication in Apache? From config it seems like mod_auth_kerb, but just wanted to be sure.

I do not know anything about trac, but I know mod_auth_kerb sets REMOTE_USER variable to UPN (user@DOMAIN.COM) by default. KerbLocalUserMapping setting is only available with mod_auth_kerb version 5.4 and later. REMOTE_USER variable is used by applications to determine the name of user accessing the applications and the applications normally manipulate the string to trim the REALM part if needed.

If you are on a version earlier than 5.4 of mod_auth_kerb then there should have been some configuration within trac that would trim "@DOMAIN.COM" part from the UPN that might have been lost after reboot for some reason.
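The answer above describes the usual application-side fix: trim the realm from the UPN that mod_auth_kerb puts in REMOTE_USER. The following is an added example, not code from Trac, mod_auth_kerb or anyone in this thread. It shows the naive trim most applications do next to a checked version that behaves like KerbLocalUserMapping (strip the realm only when it is exactly the local realm, reject anything else), because with an AD forest or cross-realm trust a blind `split('@')` would let `alice@OTHER.REALM` land on the same Trac username, tickets and permissions as the local `alice`. The realm value is constructed to match the KrbAuthRealm in the posted Apache config.

```python
"""Realm handling for REMOTE_USER as set by mod_auth_kerb (added example)."""
from typing import Optional

# Constructed for this example; matches "KrbAuthRealm DOMAIN.COM" in the Apache config.
LOCAL_REALM = "DOMAIN.COM"


def naive_strip(remote_user: str) -> str:
    """What many applications do: cut everything after the first '@'.

    Unsafe with cross-realm trusts: 'alice@OTHER.REALM' collapses to 'alice'
    and inherits everything the local 'alice' owns.
    """
    return remote_user.split("@", 1)[0]


def strip_local_realm(remote_user: Optional[str],
                      local_realm: str = LOCAL_REALM) -> Optional[str]:
    """Mimic KerbLocalUserMapping (mod_auth_kerb >= 5.4) at the application layer.

    Returns the bare username only when the principal belongs to the local
    realm; returns None for foreign realms, malformed values and empty input,
    so the caller treats the request as unauthenticated instead of guessing.
    """
    if not remote_user or "@" not in remote_user:
        # mod_auth_kerb always emits user@REALM; anything else did not come from it
        return None
    user, realm = remote_user.rsplit("@", 1)
    if not user or "@" in user or "/" in user:
        # empty name, nested '@', or a service principal (host/name@REALM)
        return None
    # Kerberos realm names are case-sensitive and AD issues them upper-case;
    # compare exactly rather than case-folding.
    if realm != local_realm:
        return None
    return user


def map_remote_users(remote_users):
    """Apply the checked mapping to a batch of REMOTE_USER values.

    Returns {remote_user: mapped_name_or_None}; handy for reviewing access logs.
    """
    return {ru: strip_local_realm(ru) for ru in remote_users}


if __name__ == "__main__":
    # Constructed sample REMOTE_USER values, not taken from any real log.
    samples = ["alice@DOMAIN.COM", "alice@OTHER.REALM", "alice",
               "host/web01@DOMAIN.COM", "alice@domain.com"]
    for ru in samples:
        print(f"{ru:28} naive={naive_strip(ru):10} checked={strip_local_realm(ru)}")
```

In Trac 0.11 this would sit in an IAuthenticator plugin that reads `req.remote_user` and returns the mapped name (or None), which keeps ticket ownership on the bare username while refusing principals from realms the server never meant to trust.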

Author

Commented:
Took a long time to get an incomplete solution.
