Follow-up: #338 - Improve SSO related parts slightly

Co-authored-by: Ralf Schmid <rsc@zammad.com>

appendix/single-sign-on.rst

@@ -246,7 +246,14 @@ SSO requires modules that are not enabled by default. By default you can use
 
 .. tabs::
 
-   .. tab:: a2enmod
+   .. tab:: a2enmod (Ubuntu / Debian)
+
+      .. code-block:: sh
+
+         $ a2enmod auth_gssapi rewrite
+         $ systemctl restart apache2
+
+   .. tab:: a2enmod (OpenSUSE)
 
       .. code-block:: sh
 
@@ -280,50 +287,38 @@ how to reach the *domain controller* (Active Directory server).
                                     (must not be read-only,
                                     but can be the same as ``<domain-controller>``)
 
-.. tabs::
-
-   .. tab:: Ubuntu / Debian
-
-      .. code-block::
-
-         # /etc/krb5.conf
+.. code-block::
 
-         [libdefaults]
-           default_realm = <DOMAIN>
+   # /etc/krb5.conf
 
-           default_tkt_enctypes = aes256-cts-hmac-sha1-96
-           default_tgs_enctypes = aes256-cts-hmac-sha1-96
-           permitted_enctypes = aes256-cts-hmac-sha1-96
+   [libdefaults]
+      default_realm = <DOMAIN>
 
-   .. tab:: CentOS/OpenSUSE
-
-      .. code-block::
+      default_tkt_enctypes = aes256-cts-hmac-sha1-96
+      default_tgs_enctypes = aes256-cts-hmac-sha1-96
+      permitted_enctypes = aes256-cts-hmac-sha1-96
 
-         # /etc/krb5.conf
+      kdc_timesync = 1
+      ccache_type = 4
+      forwardable = false
+      proxiable = false
+      fcc-mit-ticketflags = false
 
-         [libdefaults]
-           default_realm = <DOMAIN>
-           default_tkt_enctypes = aes256-cts-hmac-sha1-96
-           default_tgs_enctypes = aes256-cts-hmac-sha1-96
-           permitted_enctypes = aes256-cts-hmac-sha1-96
+   [realms]
+            # multiple KDCs ok (one `kdc = ...` definition per line)
+            <DOMAIN> = {
+                     kdc = <domain-controller>
+                     admin_server = <master-domain-controller>
+                     default_domain = <domain>
 
-           kdc_timesync = 1
-           ccache_type = 4
-           forwardable = false
-           proxiable = false
-           fcc-mit-ticketflags = false
+                     # below is only for GSSAPI
+                     auth_to_local = RULE:[1:$1@$0](.*@<domain>)s/@<domain>$//
+                     auth_to_local = DEFAULT
+            }
 
-         [realms]
-                 # multiple KDCs ok (one `kdc = ...` definition per line)
-                 <DOMAIN> = {
-                         kdc = <domain-controller>
-                         admin_server = <master-domain-controller>
-                         default_domain = <domain>
-                 }
-
-         [domain_realm]
-                 .<domain> = <DOMAIN>
-                 <domain> = <DOMAIN>
+   [domain_realm]
+            .<domain> = <DOMAIN>
+            <domain> = <DOMAIN>
 
 .. _sso-generate-keytab:
 
@@ -369,16 +364,16 @@ and set the appropriate permissions:
       .. code-block:: sh
 
          $ mv /root/zammad.keytab /etc/apache2/
-         $ chown www-data:www-data /etc/apache2/zammad.keytab
-         $ chmod 400 /etc/apache2/zammad.keytab
+         $ chown root:www-data /etc/apache2/zammad.keytab
+         $ chmod 640 /etc/apache2/zammad.keytab
 
    .. tab:: CentOS
 
       .. code-block:: sh
 
          $ mv /root/zammad.keytab /etc/httpd/
-         $ chown apache:apache /etc/httpd/zammad.keytab
-         $ chmod 400 /etc/httpd/zammad.keytab
+         $ chown root:apache /etc/httpd/zammad.keytab
+         $ chmod 640 /etc/httpd/zammad.keytab
 
 2g. Configure Apache
 ^^^^^^^^^^^^^^^^^^^^
@@ -397,24 +392,19 @@ to create your Kerberos SSO endpoint at ``/auth/sso``:
 
 .. tabs::
 
-   .. tab:: CentOS/OpenSUSE
+   .. tab:: Ubuntu/Debian
 
       .. code-block:: apache
 
          # /etc/apache2/sites-available/zammad.conf
 
          <LocationMatch "/auth/sso">
             SSLRequireSSL
-            AuthType Kerberos
+            AuthType GSSAPI
             AuthName "Your Zammad"
-            KrbMethodNegotiate On
-            KrbVerifyKDC On
-            KrbMethodK5Passwd On
-            KrbAuthRealms <DOMAIN>
-            KrbLocalUserMapping on                 # strips @REALM suffix from REMOTE_USER variable
-            KrbServiceName HTTP/<zammad-host>@<DOMAIN>
-            Krb5KeyTab /etc/apache2/zammad.keytab  # Ubuntu, Debian, & openSUSE
-            Krb5KeyTab /etc/httpd/zammad.keytab    # CentOS
+            GssapiBasicAuth On
+            GssapiCredStore keytab:/etc/apache2/zammad.keytab
+            GssapiLocalName On
             require valid-user
 
             RewriteEngine On
@@ -423,19 +413,24 @@ to create your Kerberos SSO endpoint at ``/auth/sso``:
             RequestHeader set X-Forwarded-User "%{RU}e" env=RU
          </LocationMatch>
 
-   .. tab:: Debian/Ubuntu
+   .. tab:: CentOS/OpenSUSE
 
       .. code-block:: apache
 
          # /etc/apache2/sites-available/zammad.conf
 
          <LocationMatch "/auth/sso">
             SSLRequireSSL
-            AuthType GSSAPI
+            AuthType Kerberos
             AuthName "Your Zammad"
-            GssapiBasicAuth On
-            GssapiCredStore keytab:/etc/apache2/zammad.keytab
-            GssapiLocalName On
+            KrbMethodNegotiate On
+            KrbVerifyKDC On
+            KrbMethodK5Passwd On
+            KrbAuthRealms <DOMAIN>
+            KrbLocalUserMapping on                 # strips @REALM suffix from REMOTE_USER variable
+            KrbServiceName HTTP/<zammad-host>@<DOMAIN>
+            Krb5KeyTab /etc/apache2/zammad.keytab  # Ubuntu, Debian, & openSUSE
+            Krb5KeyTab /etc/httpd/zammad.keytab    # CentOS
             require valid-user
 
             RewriteEngine On