[Samba] Apache2 GSSAPI basic authentication

Kees van Vloten keesvanvloten at gmail.com
Mon May 9 19:31:31 UTC 2022 

Hi Team,


I fail to get logged in by apache2 on a webpage from a non-domain 
machine (i.e. I get the browser basic auth dialog and pass my credentials).
The apache server is not joined to the DC either but it does have a 
computer-account and a keytab on the webserver.

All machines involved run on Debian 11, the DC runs Louis' Samba 4.15.7, 
all machines are on the same subnet.

Authentication on the same webpage does work when I am trying this from 
a domain-joined Windows machine, i.e. when I present a krb5-ticket.

Apache's error log says:

[Mon May 09 20:43:10.717747 2022] [auth_gssapi:error] [pid 92032] 
[client 192.168.1.100:40992] GSS ERROR gss_init_sec_context(): 
[Unspecified GSS failure.  Minor code may provide more information (KDC 
has no support for encryption type)], referer: 
https://internal.samdom.lan/home.html

I am using mod_auth_gssapi with this config:

<Directory /var/www/pages>
     AuthName "Login"
     AuthType GSSAPI
     GssapiSSLonly On
     GssapiLocalName On
     GssapiUseSessions On
     Session On
     SessionCookieName gssapi_session path=/private;httponly;secure;
     GssapiSessionKey file:/var/lib/apache2/secrets/session.key
     GssapiCredStore keytab:/etc/keytab/apache.keytab
     GssapiDelegCcacheDir /run/apache2/krb5
     GssapiBasicAuth On
     GssapiAllowedMech krb5
     Require valid-user
     AllowOverride None
     Order allow,deny
     Allow from all
</Directory>

ls -l /etc/keytab/apache.keytab
-rw-r----- 1 root www-data 94 May  3 18:55 /etc/keytab/apache.keytab


When I look on the DC, it seems the authentication process is fine and I 
am authenticated:

[2022/05/09 20:55:22.312671,  3] 
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ testuser at SAMDOM.LAN from ipv4:192.168.8.8:42579 for 
krbtgt/SAMDOM.LAN at SAMDOM.LAN
[2022/05/09 20:55:22.333446,  3] 
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
[2022/05/09 20:55:22.333529,  3] 
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Looking for PKINIT pa-data -- testuser at SAMDOM.LAN
[2022/05/09 20:55:22.333564,  3] 
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Looking for ENC-TS pa-data -- testuser at SAMDOM.LAN
[2022/05/09 20:55:22.333696,  3] 
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: ENC-TS Pre-authentication succeeded -- testuser at SAMDOM.LAN 
using aes256-cts-hmac-sha1-96
[2022/05/09 20:55:22.333765,  3] 
../../auth/auth_log.c:647(log_authentication_event_human_readable)
   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user 
[(null)]\[testuser at SAMDOM.LAN] at [Mon, 09 May 2022 20:55:22.333741 
CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation 
[(null)] remote host [ipv4:192.168.8.8:42579] became 
[DINTELMOND]\[testuser] [S-1-5-21-1366037735-1163107043-795354949-1197]. 
local host [NULL]
[2022/05/09 20:55:22.359384,  3] 
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ authtime: 2022-05-09T20:55:22 starttime: unset 
endtime: 2022-05-10T06:55:22 renew till: unset
[2022/05/09 20:55:22.359463,  3] 
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, using 
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2022/05/09 20:55:22.359500,  3] 
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Requested flags: renewable-ok, proxiable, forwardable
[2022/05/09 20:55:22.564106,  3] 
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: TGS-REQ testuser at SAMDOM.LAN from ipv4:192.168.1.10:58486 
for http/webserver01.samdom.lan at SAMDOM.LAN [canonicalize, proxiable, 
forwardable]
[2022/05/09 20:55:22.569549,  3] 
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Server (http/webserver01.samdom.lan at SAMDOM.LAN) has no 
support for etypes
[2022/05/09 20:55:22.569670,  3] 
../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Failed building TGS-REP to ipv4:192.168.8.8:58486
[2022/05/09 20:55:22.570030,  3] 
../../source4/samba/service_stream.c:67(stream_terminate_connection)
   stream_terminate_connection: Terminating connection - 
'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - 
NT_STATUS_CONNECTION_DISCONNECTED'


I guess there must be an issue in the apache2 gssapi configuration, but 
what is it?


- Kees

More information about the samba mailing list