[Samba] Apache reverse-proxy krb5-ticket forwarding (s4u2proxy) not working
Kees van Vloten
keesvanvloten at gmail.com
Sat Nov 5 23:02:43 UTC 2022
Hi Team,
I have a webapp behind an Apache reverse-proxy on which I would like to
authenticate users based on their Kerberos ticket.
I am using Samba 4.16.2 on the DCs and mod_auth_gssapi on Apache (all
machines run Bullseye).
Apache config excerpt of the reverse-proxy server:
<Location /webapp>
AuthName "Kerberos Login"
AuthType GSSAPI
GssapiSSLonly On
GssapiUseSessions Off # for testing
GssapiCredStore keytab:/etc/keytab/apache.keytab
GSSapiImpersonate On
GssapiUseS4U2Proxy On
GssapiCredStore client_keytab:/etc/keytab/apache.keytab
GssapiDelegCcacheDir /run/apache2/krb5
GssapiBasicAuth Off
GssapiAllowedMech krb5
require valid-user
ProxyPass https://backend.example.com/webapp
ProxyPassReverse https://backend.example.com/webapp
</Location>
When I switch 'GssapiUseS4U2Proxy' to 'Off' in the Apache revproxy,
authentication succeeds, which proves that the keytab and computer account
are set up properly for simple authentication.
However, when 'GssapiUseS4U2Proxy' is set to 'On', this failure shows up on
the DC in Samba's audit.log:
{"timestamp": "2022-11-05T23:19:38.622527+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "a494a6184c8cd16c", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": null, "remoteAddress": "ipv4:192.168.100.2:33746", "serviceDescription": "Kerberos KDC", "authDescription": "AS-REQ", "clientDomain": null, "clientAccount": "http/revproxy.example.com@EXAMPLE.COM", "workstation": null, "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": null, "duration": 1072}}
And log.samba has this:
[2022/11/05 23:19:38.621478, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Probing for AS-REQ
[2022/11/05 23:19:38.621533, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Not a FAST request
[2022/11/05 23:19:38.621555, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: AS-REQ http/revproxy.example.com@EXAMPLE.COM from ipv4:192.168.100.2:33746 for krbtgt/EXAMPLE.COM@EXAMPLE.COM
[2022/11/05 23:19:38.622450, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: UNKNOWN -- http/revproxy.example.com@EXAMPLE.COM: no such entry found in hdb
[2022/11/05 23:19:38.622472, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_setkv_number(): setting kv pair #auth_event=2
[2022/11/05 23:19:38.622497, 2]
../../auth/auth_log.c:647(log_authentication_event_human_readable)
Auth: [Kerberos KDC,AS-REQ] user [(null)]\[http/revproxy.example.com@EXAMPLE.COM] at [Sat, 05 Nov 2022 23:19:38.622490 CET] with [(null)] status [NT_STATUS_NO_SUCH_USER] workstation [(null)] remote host [ipv4:192.168.100.2:33746] mapped to [(null)]\[(null)]. local host [NULL]
[2022/11/05 23:19:38.622582, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: as-req: sending error: -1765328378 to client
[2022/11/05 23:19:38.622614, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: Making non-FAST KRB-ERROR
[2022/11/05 23:19:38.622655, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.001184
[2022/11/05 23:19:38.622668, 3]
../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
Kerberos: AS-REQ ERR_C_PRINCIPAL_UNKNOWN ipv4:192.168.100.2:33746 http/revproxy.example.com@EXAMPLE.COM krbtgt/EXAMPLE.COM@EXAMPLE.COM elapsed=0.001184
I have configured:
samba-tool delegation add-service 'backend$' 'http/revproxy.example.com'
samba-tool delegation for-any-protocol revproxy$ on
It looks like there is something incorrect or missing in the delegation
settings on the accounts.
Perhaps it is not relevant, but this line seems interesting:
Kerberos: UNKNOWN -- http/revproxy.example.com@EXAMPLE.COM: no such entry found in hdb
Indeed, I have not defined it as an explicit principal, since my
understanding is that this is one of the default 'sPNMappings' on a
computer account.
Is it obvious to someone what the culprit is?
Or what can I do to debug this?
- Kees.
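An added diagnostic, not from the post or from Samba, that scans Samba's JSON audit log for exactly the signature shown above: a failed KDC AS-REQ whose client name is a service principal (contains '/') rather than a user or computer account. The field names follow the audit record in the post; the sample log lines are constructed for this example.

```python
import json

# Constructed sample (not real log data): the failing AS-REQ from the post,
# a successful AS-REQ by the computer account itself, and one non-JSON line.
SAMPLE_AUDIT_LOG = """\
{"timestamp": "2022-11-05T23:19:38.622527+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": null, "remoteAddress": "ipv4:192.168.100.2:33746", "serviceDescription": "Kerberos KDC", "authDescription": "AS-REQ", "clientAccount": "http/revproxy.example.com@EXAMPLE.COM", "duration": 1072}}
{"timestamp": "2022-11-05T23:20:01.000000+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.100.2:33750", "serviceDescription": "Kerberos KDC", "authDescription": "AS-REQ", "clientAccount": "REVPROXY$@EXAMPLE.COM", "duration": 900}}
[2022/11/05 23:19:38.621478, 3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
"""


def parse_audit_record(line):
    """Return the 'Authentication' sub-record (plus timestamp) of a JSON audit line, or None."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None  # plain-text log line, not an audit record
    if rec.get("type") != "Authentication":
        return None
    auth = dict(rec.get("Authentication") or {})
    auth["timestamp"] = rec.get("timestamp")
    return auth


def is_service_principal(principal):
    """service/host@REALM names contain '/'; user and computer (NAME$) accounts do not."""
    return "/" in principal.split("@", 1)[0]


def find_spn_as_req_failures(lines):
    """Failed KDC AS-REQs whose client name is a service principal.

    That pairing means a keytab entry was offered as the client identity
    (the post's log shows mod_auth_gssapi doing this with client_keytab)
    and the KDC found no account under that name: NT_STATUS_NO_SUCH_USER.
    """
    hits = []
    for line in lines:
        auth = parse_audit_record(line)
        if auth is None or auth.get("serviceDescription") != "Kerberos KDC":
            continue
        if auth.get("authDescription") != "AS-REQ" or auth.get("status") != "NT_STATUS_NO_SUCH_USER":
            continue
        client = auth.get("clientAccount") or ""
        if is_service_principal(client):
            hits.append({"timestamp": auth["timestamp"], "client": client,
                         "remote": auth.get("remoteAddress")})
    return hits
```

Run it over a real audit.log with `find_spn_as_req_failures(open("audit.log"))` to see which hosts are sending SPN-named AS-REQs and how often.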