[Samba] Apache2 GSSAPI basic authentication
Christian
chanlists at googlemail.com
Mon May 9 19:37:37 UTC 2022
Hi Kees,
Are CNAMEs involved?
Best,
Christian
Am 09.05.2022 um 21:31 schrieb Kees van Vloten via samba:
> Hi Team,
>
>
> I fail to get logged in by apache2 on a webpage from a non-domain
> machine (i.e. I get the browser basic auth dialog and pass my
> credentials).
> The apache server is not joined to the DC either but it does have a
> computer-account and a keytab on the webserver.
>
> All machines involved run on Debian 11, the DC runs Louis' Samba
> 4.15.7, all machines are on the same subnet.
>
> Authentication on the same webpage does work when I am trying this
> from a domain-joined Windows machine, i.e. when I present a krb5-ticket.
>
> Apache's error log says:
>
> [Mon May 09 20:43:10.717747 2022] [auth_gssapi:error] [pid 92032]
> [client 192.168.1.100:40992] GSS ERROR gss_init_sec_context():
> [Unspecified GSS failure. Minor code may provide more information
> (KDC has no support for encryption type)], referer:
> https://internal.samdom.lan/home.html
>
> I am using mod_auth_gssapi with this config:
>
> <Directory /var/www/pages>
> AuthName "Login"
> AuthType GSSAPI
> GssapiSSLonly On
> GssapiLocalName On
> GssapiUseSessions On
> Session On
> SessionCookieName gssapi_session path=/private;httponly;secure;
> GssapiSessionKey file:/var/lib/apache2/secrets/session.key
> GssapiCredStore keytab:/etc/keytab/apache.keytab
> GssapiDelegCcacheDir /run/apache2/krb5
> GssapiBasicAuth On
> GssapiAllowedMech krb5
> Require valid-user
> AllowOverride None
> Order allow,deny
> Allow from all
> </Directory>
>
> ls -l /etc/keytab/apache.keytab
> -rw-r----- 1 root www-data 94 May 3 18:55 /etc/keytab/apache.keytab
>
>
> When I look on the DC, it seems the authentication process is fine and
> I am authenticated:
>
> [2022/05/09 20:55:22.312671, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: AS-REQ testuser at SAMDOM.LAN from ipv4:192.168.8.8:42579 for
> krbtgt/SAMDOM.LAN at SAMDOM.LAN
> [2022/05/09 20:55:22.333446, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
> [2022/05/09 20:55:22.333529, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for PKINIT pa-data -- testuser at SAMDOM.LAN
> [2022/05/09 20:55:22.333564, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for ENC-TS pa-data -- testuser at SAMDOM.LAN
> [2022/05/09 20:55:22.333696, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: ENC-TS Pre-authentication succeeded -- testuser at SAMDOM.LAN
> using aes256-cts-hmac-sha1-96
> [2022/05/09 20:55:22.333765, 3]
> ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> [(null)]\[testuser at SAMDOM.LAN] at [Mon, 09 May 2022 20:55:22.333741
> CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation
> [(null)] remote host [ipv4:192.168.8.8:42579] became
> [DINTELMOND]\[testuser]
> [S-1-5-21-1366037735-1163107043-795354949-1197]. local host [NULL]
> [2022/05/09 20:55:22.359384, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: AS-REQ authtime: 2022-05-09T20:55:22 starttime: unset
> endtime: 2022-05-10T06:55:22 renew till: unset
> [2022/05/09 20:55:22.359463, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, using
> aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> [2022/05/09 20:55:22.359500, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Requested flags: renewable-ok, proxiable, forwardable
> [2022/05/09 20:55:22.564106, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: TGS-REQ testuser at SAMDOM.LAN from ipv4:192.168.1.10:58486
> for http/webserver01.samdom.lan at SAMDOM.LAN [canonicalize, proxiable,
> forwardable]
> [2022/05/09 20:55:22.569549, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Server (http/webserver01.samdom.lan at SAMDOM.LAN) has no
> support for etypes
> [2022/05/09 20:55:22.569670, 3]
> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Failed building TGS-REP to ipv4:192.168.8.8:58486
> [2022/05/09 20:55:22.570030, 3]
> ../../source4/samba/service_stream.c:67(stream_terminate_connection)
> stream_terminate_connection: Terminating connection -
> 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED'
>
>
> I guess there must be an issue in the apache2 gssapi configuration,
> but what is it?
>
>
> - Kees
>
>
>
>
More information about the samba
mailing list