[Samba] Security notes on Apache2 GSSAPI (basic) authentication

[Andrew Bartlett]

On Mon, 2022-05-09 at 21:31 +0200, Kees van Vloten via samba wrote:
> Hi Team,
> 
> 
> I fail to get logged in by apache2 on a webpage from a non-domain 
> machine (i.e. I get the browser basic auth dialog and pass my credentials).
> The apache server is not joined to the DC either but it does have a 
> computer-account and a keytab on the webserver.

Well done sorting this out, but I also need to pass on a warning:

The username as seen by the likes of mod_auth_kerb can be misleading.

Bug 14556 (CVE-2020-25717) that we released in Nov 2021 was all about a
user on the domain being able to pretend to be other usernames. 

The usernames that are possible are (in any case variation):

samAccountName, samAccountName-without-trailing-$ (eg a ticket for
'root' against an AD user of root$) and the UPN.

So lock down who can modify accounts in your AD, including
machineAccountQuota, and match back the account to AD against
samAccountName (eg with an LDAP search) if any of this scares you. 

I tried to get MIT and Heimdal Kerberos to require and parse the PAC to
thwart this, but nothing has been released as far as I'm aware, and it
is optional at best.

In your situation, for the basic auth side, please ensure that
canonicalisation is on in your krb5.conf, as that will help a little,
but you can't detect - without reading the PAC - if a Kerberos-enabled
attacker is doing it to you.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba