[Samba] Apache reverse-proxy krb5-ticket forwarding (s4u2proxy) not working
Andrew Bartlett
abartlet at samba.org
Sun Nov 6 04:35:53 UTC 2022
On Sun, 2022-11-06 at 00:02 +0100, Kees van Vloten via samba wrote:
> Hi Team,
>
> I have a webapp behind an Apache reverse-proxy that I would like to
> authenticate users on based on their kerberos ticket.
>
> I am using Samba 4.16.2 on the DCs and mod_auth_gssapi on Apache (all
> machines run Bullseye).
>
> Apache config excerpt of the reverse-proxy server:
>
> <Location /webapp>
> AuthName "Kerberos Login"
> AuthType GSSAPI
> GssapiSSLonly On
> GssapiUseSessions Off # for testing
> GssapiCredStore keytab:/etc/keytab/apache.keytab
> GSSapiImpersonate On
> GssapiUseS4U2Proxy On
> GssapiCredStore client_keytab:/etc/keytab/apache.keytab
> GssapiDelegCcacheDir /run/apache2/krb5
> GssapiBasicAuth Off
> GssapiAllowedMech krb5
> require valid-user
>
> ProxyPass https://backend.example.com/webapp
> ProxyPassReverse https://backend.example.com/webapp
> </Location>
>
> When I switch 'GssapiUseS4U2Proxy' to 'Off' in the apache revproxy
> authentication succeeds, which proves that keytab and computer-account
> are setup properly for simple authentication.
>
> However when 'GssapiUseS4U2Proxy' is set 'On', this failure shows up on
> the DC in Samba audit.log:
Try adding http/revproxy.example.com at EXAMPLE.COM as the
userPrincipalName of the service account.
If that works, please add a page on our wiki describing the integration
steps.
Also please be aware
of https://wiki.samba.org/index.php/Security/Dollar_Ticket_Attack and
be aware that there are a signficant number of situations where you
can't trust the given username.
Speak to your Kerberos provider about allowing you to require access to
the sAMAccountName in the PAC or better the user's SID.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
More information about the samba
mailing list