[Samba] Apache2 GSSAPI basic authentication
Kees van Vloten
keesvanvloten at gmail.com
Mon May 9 19:31:31 UTC 2022
Hi Team,
I fail to get logged in by apache2 on a webpage from a non-domain
machine (i.e. I get the browser basic auth dialog and pass my credentials).
The apache server is not joined to the DC either but it does have a
computer-account and a keytab on the webserver.
All machines involved run on Debian 11, the DC runs Louis' Samba 4.15.7,
all machines are on the same subnet.
Authentication on the same webpage does work when I am trying this from
a domain-joined Windows machine, i.e. when I present a krb5-ticket.
Apache's error log says:
[Mon May 09 20:43:10.717747 2022] [auth_gssapi:error] [pid 92032] [client 192.168.1.100:40992] GSS ERROR gss_init_sec_context(): [Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)], referer: https://internal.samdom.lan/home.html
I am using mod_auth_gssapi with this config:
<Directory /var/www/pages>
    AuthName "Login"
    AuthType GSSAPI
    # Only authenticate over TLS; the Basic fallback below would otherwise send the password in clear text
    GssapiSSLonly On
    GssapiLocalName On
    # Keep the authenticated state in an encrypted mod_session cookie instead of re-authenticating every request
    GssapiUseSessions On
    Session On
    SessionCookieName gssapi_session path=/private;httponly;secure;
    GssapiSessionKey file:/var/lib/apache2/secrets/session.key
    # Keytab holding the web server's service key
    GssapiCredStore keytab:/etc/keytab/apache.keytab
    GssapiDelegCcacheDir /run/apache2/krb5
    # Accept Basic auth: the module gets a TGT with the supplied password and then
    # a service ticket for its own principal, which it verifies against the keytab
    GssapiBasicAuth On
    GssapiAllowedMech krb5
    Require valid-user
    AllowOverride None
    # Apache 2.2-style access control (needs mod_access_compat on 2.4)
    Order allow,deny
    Allow from all
</Directory>
ls -l /etc/keytab/apache.keytab
-rw-r----- 1 root www-data 94 May 3 18:55 /etc/keytab/apache.keytab
When I look on the DC, it seems the authentication process is fine and I
am authenticated:
[2022/05/09 20:55:22.312671, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ testuser@SAMDOM.LAN from ipv4:192.168.8.8:42579 for krbtgt/SAMDOM.LAN@SAMDOM.LAN
[2022/05/09 20:55:22.333446, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
[2022/05/09 20:55:22.333529, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- testuser@SAMDOM.LAN
[2022/05/09 20:55:22.333564, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- testuser@SAMDOM.LAN
[2022/05/09 20:55:22.333696, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- testuser@SAMDOM.LAN using aes256-cts-hmac-sha1-96
[2022/05/09 20:55:22.333765, 3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[testuser@SAMDOM.LAN] at [Mon, 09 May 2022 20:55:22.333741 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.8.8:42579] became [DINTELMOND]\[testuser] [S-1-5-21-1366037735-1163107043-795354949-1197]. local host [NULL]
[2022/05/09 20:55:22.359384, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2022-05-09T20:55:22 starttime: unset endtime: 2022-05-10T06:55:22 renew till: unset
[2022/05/09 20:55:22.359463, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2022/05/09 20:55:22.359500, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok, proxiable, forwardable
[2022/05/09 20:55:22.564106, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ testuser@SAMDOM.LAN from ipv4:192.168.1.10:58486 for http/webserver01.samdom.lan@SAMDOM.LAN [canonicalize, proxiable, forwardable]
[2022/05/09 20:55:22.569549, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server (http/webserver01.samdom.lan@SAMDOM.LAN) has no support for etypes
[2022/05/09 20:55:22.569670, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:192.168.8.8:58486
[2022/05/09 20:55:22.570030, 3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
  stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
I guess there must be an issue in the apache2 gssapi configuration, but
what is it?
- Kees
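The KDC log above shows the user's AS-REQ succeeding and the TGS-REQ for http/webserver01.samdom.lan failing with "has no support for etypes", while the client offered only aes256-cts-hmac-sha1-96. That message is about the keys the KDC holds for the service account, not about the file on the web server, but for Basic auth to work the web server's keytab must also carry a key of an enctype the KDC will issue. The script below is an added example (it is not from the post and not Samba or mod_auth_gssapi code): it parses a keytab in the MIT/Heimdal 0x0502 format, extracts the enctypes the client offered from Samba KDC debug lines, and reports the overlap. The keytab bytes and the log line are constructed inline; the service principal name, kvno and dummy key material are assumptions made for the sample.

```python
import re
import struct

# Enctype numbers that appear in keytabs (RFC 3961, 3962, 4757 and 8009).
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}


def _counted(s):
    """Keytab strings are a big-endian uint16 length followed by the bytes."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a version 0x0502 keytab.
    Only used here to construct the sample; real keytabs come from
    'samba-tool domain exportkeytab' or ktutil."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm)
        body += b"".join(_counted(c) for c in comps)
        # name-type NT-PRINCIPAL (1), timestamp 0, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of dicts (principal, kvno, enctype, enctype_name) for every key slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # a negative size marks a deleted slot; skip its bytes
            off -= size
            continue
        end = off + size
        p = off
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        strings = []
        for _ in range(ncomp + 1):  # realm comes first, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            strings.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        realm, comps = strings[0], strings[1:]
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", data, p)
        p += 4 + klen  # skip the key material itself
        vno = vno8
        if end - p >= 4:  # 32-bit kvno, if present and non-zero, overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, p)
            vno = vno32 or vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": vno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
        })
        off = end
    return entries


def client_enctypes_from_kdc_log(lines):
    """Extract the enctypes a client offered from a Samba KDC 'Client supported enctypes' line."""
    for line in lines:
        m = re.search(r"Client supported enctypes: (.+?)(?:, using|$)", line)
        if m:
            return {e.strip() for e in m.group(1).split(",")}
    return set()


def usable_enctypes(keytab_entries, service_principal, client_enctypes):
    """Enctypes for which the keytab has a key for the service and the client offered the same type."""
    have = {e["enctype_name"] for e in keytab_entries if e["principal"] == service_principal}
    return have & client_enctypes


# Constructed sample: a keytab that only carries an RC4 key for the service (assumed
# principal, kvno and zeroed key), plus the KDC line from the post showing the client
# offering only AES256. The overlap is empty, which is the failure seen in the post.
SERVICE = "http/webserver01.samdom.lan@SAMDOM.LAN"
SAMPLE_KEYTAB = build_keytab([(SERVICE, 3, 23, bytes(16))])
SAMPLE_KDC_LOG = [
    "Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, "
    "using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96",
]

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print("%-45s kvno %d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    client = client_enctypes_from_kdc_log(SAMPLE_KDC_LOG)
    print("client offered:", sorted(client))
    print("usable:", sorted(usable_enctypes(entries, SERVICE, client)) or "NONE (mismatch)")
```

On the web server the same listing comes from MIT `klist -ket /etc/keytab/apache.keytab`; the KDC side is decided by the keys Samba stores for the computer account and its msDS-SupportedEncryptionTypes, so a keytab with no entry in the usable set is a mismatch on the web server, while the "has no support for etypes" line points at the account on the DC, and the two have to agree.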