[Samba] Apache2 GSSAPI basic authentication
Christian
chanlists at googlemail.com
Mon May 9 22:39:49 UTC 2022
Hi Kees,
what is the output of
net ads enctypes list <account of service principal>
And when you load the keytab on the webserver with ktutil, what is the
output of
ktutil
rkt /etc/keytab/apache.keytab
l -e
If you kinit to testuser directly on the webserver, what is the ouput of
klist -e ?
After that, if you do a
kvno http/webserver01.samdom.lan at SAMDOM.LAN
what is the output of
klist -e
then? Also, the content of krb5.conf on the webserver would be useful...
Best wishes,
Christian
Am 09.05.2022 um 21:51 schrieb Kees van Vloten:
> Hi Christian
>
> Op 09-05-2022 om 21:37 schreef Christian via samba:
>> Hi Kees,
>>
>> Are CNAMEs involved?
>
> No, the webserver is reached though an A record (the vhost is configured
> on the A-record).
> The non-domain client is DHCP and has no DNS entry (I do not have DDNS
> configured).
>
> Does that answer the question?
>
>>
>> Best,
>>
>> Christian
>>
>> Am 09.05.2022 um 21:31 schrieb Kees van Vloten via samba:
>>> Hi Team,
>>>
>>>
>>> I fail to get logged in by apache2 on a webpage from a non-domain
>>> machine (i.e. I get the browser basic auth dialog and pass my
>>> credentials).
>>> The apache server is not joined to the DC either but it does have a
>>> computer-account and a keytab on the webserver.
>>>
>>> All machines involved run on Debian 11, the DC runs Louis' Samba
>>> 4.15.7, all machines are on the same subnet.
>>>
>>> Authentication on the same webpage does work when I am trying this
>>> from a domain-joined Windows machine, i.e. when I present a krb5-ticket.
>>>
>>> Apache's error log says:
>>>
>>> [Mon May 09 20:43:10.717747 2022] [auth_gssapi:error] [pid 92032]
>>> [client 192.168.1.100:40992] GSS ERROR gss_init_sec_context():
>>> [Unspecified GSS failure. Minor code may provide more information
>>> (KDC has no support for encryption type)], referer:
>>> https://internal.samdom.lan/home.html
>>>
>>> I am using mod_auth_gssapi with this config:
>>>
>>> <Directory /var/www/pages>
>>> AuthName "Login"
>>> AuthType GSSAPI
>>> GssapiSSLonly On
>>> GssapiLocalName On
>>> GssapiUseSessions On
>>> Session On
>>> SessionCookieName gssapi_session path=/private;httponly;secure;
>>> GssapiSessionKey file:/var/lib/apache2/secrets/session.key
>>> GssapiCredStore keytab:/etc/keytab/apache.keytab
>>> GssapiDelegCcacheDir /run/apache2/krb5
>>> GssapiBasicAuth On
>>> GssapiAllowedMech krb5
>>> Require valid-user
>>> AllowOverride None
>>> Order allow,deny
>>> Allow from all
>>> </Directory>
>>>
>>> ls -l /etc/keytab/apache.keytab
>>> -rw-r----- 1 root www-data 94 May 3 18:55 /etc/keytab/apache.keytab
>>>
>>>
>>> When I look on the DC, it seems the authentication process is fine
>>> and I am authenticated:
>>>
>>> [2022/05/09 20:55:22.312671, 3]
>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>>
>>> Kerberos: AS-REQ testuser at SAMDOM.LAN from ipv4:192.168.8.8:42579
>>> for krbtgt/SAMDOM.LAN at SAMDOM.LAN
>>> [2022/05/09 20:55:22.333446, 3]
>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>>
>>> Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
>>> [2022/05/09 20:55:22.333529, 3]
>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>>
>>> Kerberos: Looking for PKINIT pa-data -- testuser at SAMDOM.LAN
>>> [2022/05/09 20:55:22.333564, 3]
>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>>
>>> Kerberos: Looking for ENC-TS pa-data -- testuser at SAMDOM.LAN
>>> [2022/05/09 20:55:22.333696, 3]
>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>>
>>> Kerberos: ENC-TS Pre-authentication succeeded --
>>> testuser at SAMDOM.LAN using aes256-cts-hmac-sha1-96
>>> [2022/05/09 20:55:22.333765, 3]
>>> ../../auth/auth_log.c:647(log_authentication_event_human_readable)
>>> Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
>>> [(null)]\[testuser at SAMDOM.LAN] at [Mon, 09 May 2022 20:55:22.333741
>>> CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK]
>>> workstation [(null)] remote host [ipv4:192.168.8.8:42579] became
>>> [DINTELMOND]\[testuser]
>>> [S-1-5-21-1366037735-1163107043-795354949-1197]. local host [NULL]
>>> [2022/05/09 20:55:22.359384, 3]
>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>>
>>> Kerberos: AS-REQ authtime: 2022-05-09T20:55:22 starttime: unset
>>> endtime: 2022-05-10T06:55:22 renew till: unset
>>> [2022/05/09 20:55:22.359463, 3]
>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>>
>>> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, using
>>> aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
>>> [2022/05/09 20:55:22.359500, 3]
>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>>
>>> Kerberos: Requested flags: renewable-ok, proxiable, forwardable
>>> [2022/05/09 20:55:22.564106, 3]
>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>>
>>> Kerberos: TGS-REQ testuser at SAMDOM.LAN from ipv4:192.168.1.10:58486
>>> for http/webserver01.samdom.lan at SAMDOM.LAN [canonicalize, proxiable,
>>> forwardable]
>>> [2022/05/09 20:55:22.569549, 3]
>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>>
>>> Kerberos: Server (http/webserver01.samdom.lan at SAMDOM.LAN) has no
>>> support for etypes
>>> [2022/05/09 20:55:22.569670, 3]
>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>>
>>> Kerberos: Failed building TGS-REP to ipv4:192.168.8.8:58486
>>> [2022/05/09 20:55:22.570030, 3]
>>> ../../source4/samba/service_stream.c:67(stream_terminate_connection)
>>> stream_terminate_connection: Terminating connection -
>>> 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
>>> NT_STATUS_CONNECTION_DISCONNECTED'
>>>
>>>
>>> I guess there must be an issue in the apache2 gssapi configuration,
>>> but what is it?
>>>
>>>
>>> - Kees
>>>
>>>
>>>
>>>
>>
>>
More information about the samba
mailing list