[Samba] Apache reverse-proxy krb5-ticket forwarding (s4u2proxy) not working

Andrew Bartlett abartlet at samba.org
Sun Nov 6 04:35:53 UTC 2022

On Sun, 2022-11-06 at 00:02 +0100, Kees van Vloten via samba wrote:
> Hi Team,
> I have a webapp behind an Apache reverse-proxy that I would like to 
> authenticate users on based on their kerberos ticket.
> I am using Samba 4.16.2 on the DCs and mod_auth_gssapi on Apache (all 
> machines run Bullseye).
> Apache config excerpt of the reverse-proxy server:
> <Location /webapp>
>      AuthName "Kerberos Login"
>      AuthType GSSAPI
>      GssapiSSLonly On
>      GssapiUseSessions Off  # for testing
>      GssapiCredStore keytab:/etc/keytab/apache.keytab
>      GSSapiImpersonate On
>      GssapiUseS4U2Proxy On
>      GssapiCredStore client_keytab:/etc/keytab/apache.keytab
>      GssapiDelegCcacheDir /run/apache2/krb5
>      GssapiBasicAuth Off
>      GssapiAllowedMech krb5
>      require valid-user
>      ProxyPass https://backend.example.com/webapp
>      ProxyPassReverse https://backend.example.com/webapp
> </Location>
> When I switch 'GssapiUseS4U2Proxy' to 'Off' in the apache revproxy 
> authentication succeeds, which proves that keytab and computer-account 
> are setup properly for simple authentication.
> However when 'GssapiUseS4U2Proxy' is set 'On', this failure shows up on 
> the DC in Samba audit.log:

Try adding http/revproxy.example.com at EXAMPLE.COM as the
userPrincipalName of the service account.

If that works, please add a page on our wiki describing the integration

Also please be aware
of https://wiki.samba.org/index.php/Security/Dollar_Ticket_Attack and
be aware that there are a signficant number of situations where you
can't trust the given username.

Speak to your Kerberos provider about allowing you to require access to
the sAMAccountName in the PAC or better the user's SID.

Andrew Bartlett
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba

More information about the samba mailing list