[Samba] Apache reverse-proxy krb5-ticket forwarding (s4u2proxy) not working

Sat Nov 5 23:02:43 UTC 2022

Hi Team,

I have a webapp behind an Apache reverse-proxy that I would like to 
authenticate users on based on their kerberos ticket.

I am using Samba 4.16.2 on the DCs and mod_auth_gssapi on Apache (all 
machines run Bullseye).

Apache config excerpt of the reverse-proxy server:

<Location /webapp>
     AuthName "Kerberos Login"
     AuthType GSSAPI
     GssapiSSLonly On
     GssapiUseSessions Off  # for testing
     GssapiCredStore keytab:/etc/keytab/apache.keytab
     GSSapiImpersonate On
     GssapiUseS4U2Proxy On
     GssapiCredStore client_keytab:/etc/keytab/apache.keytab
     GssapiDelegCcacheDir /run/apache2/krb5
     GssapiBasicAuth Off
     GssapiAllowedMech krb5
     require valid-user

     ProxyPass https://backend.example.com/webapp
     ProxyPassReverse https://backend.example.com/webapp
</Location>

When I switch 'GssapiUseS4U2Proxy' to 'Off' in the apache revproxy 
authentication succeeds, which proves that keytab and computer-account 
are setup properly for simple authentication.

However when 'GssapiUseS4U2Proxy' is set 'On', this failure shows up on 
the DC in Samba audit.log:

{"timestamp": "2022-11-05T23:19:38.622527+0100", "type": 
"Authentication", "Authentication": {"version": {"major": 1, "minor": 
2}, "eventId": 4625, "logonId": "a494a6184c8cd16c", "logonType": 3, 
"status": "NT_STATUS_NO_SUCH_USER", "localAddress": null, 
"remoteAddress": "ipv4:192.168.100.2:33746", "serviceDescription": 
"Kerberos KDC", "authDescription": "AS-REQ", "clientDomain": null, 
"clientAccount": "http/revproxy.example.com at EXAMPLE.COM", "workstation": 
null, "becameAccount": null, "becameDomain": null, "becameSid": null, 
"mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, 
"netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", 
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, 
"passwordType": null, "duration": 1072}}

And log.samba has this:

[2022/11/05 23:19:38.621478,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) 
Kerberos: Probing for AS-REQ
[2022/11/05 23:19:38.621533,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) 
Kerberos: Not a FAST request
[2022/11/05 23:19:38.621555,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) 
Kerberos: AS-REQ http/revproxy.example.com at EXAMPLE.COM from 
ipv4:192.168.100.2:33746 for krbtgt/EXAMPLE.COM at EXAMPLE.COM
[2022/11/05 23:19:38.622450,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) 
Kerberos: UNKNOWN -- http/revproxy.example.com at EXAMPLE.COM: no such 
entry found in hdb
[2022/11/05 23:19:38.622472,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) 
Kerberos: heim_audit_setkv_number(): setting kv pair #auth_event=2
[2022/11/05 23:19:38.622497,  2] 
../../auth/auth_log.c:647(log_authentication_event_human_readable) Auth: 
[Kerberos KDC,AS-REQ] user 
[(null)]\[http/revproxy.example.com at EXAMPLE.COM] at [Sat, 05 Nov 2022 
23:19:38.622490 CET] with [(null)] status [NT_STATUS_NO_SUCH_USER] 
workstation [(null)] remote host [ipv4:192.168.100.2:33746] mapped to 
[(null)]\[(null)]. local host [NULL]
[2022/11/05 23:19:38.622582,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) 
Kerberos: as-req: sending error: -1765328378 to client
[2022/11/05 23:19:38.622614,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) 
Kerberos: Making non-FAST KRB-ERROR
[2022/11/05 23:19:38.622655,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) 
Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.001184
[2022/11/05 23:19:38.622668,  3] 
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) 
Kerberos: AS-REQ ERR_C_PRINCIPAL_UNKNOWN ipv4:192.168.100.2:33746 
http/revproxy.example.com at EXAMPLE.COM krbtgt/EXAMPLE.COM at EXAMPLE.COM 
elapsed=0.001184

I have configured:

samba-tool delegation add-service 'backend$' 'http/revproxy.example.com'
samba-tool delegation for-any-protocol revproxy$ on

It looks like there is something incorrect or missing in the delegation 
settings on the accounts.

Perhaps it is not relevant but this line seems to be interesting:

Kerberos: UNKNOWN -- http/revproxy.example.com at EXAMPLE.COM: no such 
entry found in hdb

Indeed I have not defined it as an explicit principal since my 
understanding is that this is one of the default 'sPNMappings' on a 
computer-account.

Is it obvious to someone what the culprit is?

Or what can I do to debug this?

- Kees.