[Samba] Apache reverse-proxy krb5-ticket forwarding (s4u2proxy) not working
Kees van Vloten
keesvanvloten at gmail.com
Sun Nov 6 19:15:35 UTC 2022
On 06-11-2022 05:35, Andrew Bartlett wrote:
> On Sun, 2022-11-06 at 00:02 +0100, Kees van Vloten via samba wrote:
>> Hi Team,
>> I have a webapp behind an Apache reverse-proxy that I would like to
>> authenticate users on based on their kerberos ticket.
>> I am using Samba 4.16.2 on the DCs and mod_auth_gssapi on Apache (all
>> machines run Bullseye).
>> Apache config excerpt of the reverse-proxy server:
>> <Location /webapp>
>>     AuthName "Kerberos Login"
>>     AuthType GSSAPI
>>     GssapiSSLonly On
>>     # sessions disabled only for testing (Apache does not allow trailing comments on a directive line)
>>     GssapiUseSessions Off
>>     GssapiCredStore keytab:/etc/keytab/apache.keytab
>>     GssapiImpersonate On
>>     GssapiUseS4U2Proxy On
>>     GssapiCredStore client_keytab:/etc/keytab/apache.keytab
>>     GssapiDelegCcacheDir /run/apache2/krb5
>>     GssapiBasicAuth Off
>>     GssapiAllowedMech krb5
>>     require valid-user
>>     ProxyPass https://backend.example.com/webapp
>>     ProxyPassReverse https://backend.example.com/webapp
>> </Location>
>> When I switch 'GssapiUseS4U2Proxy' to 'Off' in the apache revproxy
>> authentication succeeds, which proves that keytab and computer-account
>> are setup properly for simple authentication.
>> However when 'GssapiUseS4U2Proxy' is set 'On', this failure shows up on
>> the DC in Samba audit.log:
>
> Try adding http/revproxy.example.com at EXAMPLE.COM as the
> userPrincipalName of the service account.
I am currently using the computer-account as the service account. Is my
understanding correct that you advise to create a separate (service
user-)account for this purpose?
How would adding a specific principal as the UPN work when there are
multiple principals associated with the account? There can be only one
UPN...
>
> If that works, please add a page on our wiki describing the
> integration steps.
>
> Also please be aware of
> https://wiki.samba.org/index.php/Security/Dollar_Ticket_Attack and be
> aware that there are a significant number of situations where you can't
> trust the given username.
I have the MIT kerberos client installed on my Linux machines, do you
suggest that I replace that with the heimdal client?
>
> Speak to your Kerberos provider about allowing you to require access
> to the sAMAccountName in the PAC or better the user's SID.
Since I am the domain admin, I can configure it as it suits me, as long
as it does not break anything for my users of course :-).
How would you advise to change the configuration?
>
> Andrew Bartlett
> --
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
>
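As an added illustration of the AD-side setup Andrew's reply points at (a dedicated service account carrying the HTTP principal as its userPrincipalName, plus a constrained-delegation target for the backend), the script below is example code written for this page, not something posted in the thread or shipped by Samba or mod_auth_gssapi. The account name svc-revproxy, the DN, the realm EXAMPLE.COM and the hosts revproxy.example.com / backend.example.com are assumptions. It builds the LDIF first so it can be inspected and checked offline; only with APPLY=1 does it run ldbmodify and samba-tool on the DC. The for-any-protocol step reflects the general requirement that GssapiImpersonate uses S4U2Self (protocol transition) before S4U2Proxy; the thread itself does not confirm which of these steps resolves the reported failure.

```shell
#!/bin/sh
# Example (not from the thread): prepare a dedicated service account for a
# mod_auth_gssapi reverse proxy doing S4U2Self + S4U2Proxy against a Samba DC.
#   ./revproxy-delegation.sh          -> print the LDIF only
#   APPLY=1 ./revproxy-delegation.sh  -> also apply it on the DC (run as root there)
set -eu

# Assumed names; adjust to your domain.
ACCOUNT_NAME='svc-revproxy'
ACCOUNT_DN='CN=svc-revproxy,CN=Users,DC=example,DC=com'
REALM='EXAMPLE.COM'
PROXY_HOST='revproxy.example.com'
BACKEND_HOST='backend.example.com'
KEYTAB='/etc/keytab/apache.keytab'

# Emit one LDIF modify record for the service account:
#  - userPrincipalName = http/<proxy fqdn>@<REALM> (the UPN suggested in the thread)
#  - servicePrincipalName = HTTP/<proxy fqdn> and HTTP/<proxy shortname>
#  - msDS-AllowedToDelegateTo = HTTP/<backend fqdn> (constrained delegation target)
# "replace" overwrites existing values, which is fine for a dedicated account.
# $1 = account DN, $2 = realm, $3 = proxy fqdn, $4 = backend fqdn
service_account_ldif() {
    printf 'dn: %s\n' "$1"
    printf 'changetype: modify\n'
    printf 'replace: userPrincipalName\n'
    printf 'userPrincipalName: http/%s@%s\n' "$3" "$2"
    printf -- '-\n'
    printf 'replace: servicePrincipalName\n'
    printf 'servicePrincipalName: HTTP/%s\n' "$3"
    printf 'servicePrincipalName: HTTP/%s\n' "${3%%.*}"
    printf -- '-\n'
    printf 'replace: msDS-AllowedToDelegateTo\n'
    printf 'msDS-AllowedToDelegateTo: HTTP/%s\n' "$4"
    printf -- '-\n'
}

# Print the values of attribute $1 from LDIF on stdin (used for checks below).
ldif_value() {
    sed -n "s/^$1: //p"
}

LDIF=$(service_account_ldif "$ACCOUNT_DN" "$REALM" "$PROXY_HOST" "$BACKEND_HOST")
printf '%s\n' "$LDIF"

if [ "${APPLY:-0}" = 1 ]; then
    # Apply on the DC, then allow protocol transition (S4U2Self), which
    # GssapiImpersonate relies on, and export a keytab for the proxy's SPN.
    printf '%s\n' "$LDIF" | ldbmodify -H /var/lib/samba/private/sam.ldb
    samba-tool delegation for-any-protocol "$ACCOUNT_NAME" on
    samba-tool delegation show "$ACCOUNT_NAME"
    samba-tool domain exportkeytab "$KEYTAB" --principal="HTTP/$PROXY_HOST"
fi
```

Copy the exported keytab to the proxy as the file named in both GssapiCredStore lines, and keep the machine keytab separate: the point of the dedicated account is that only this principal is allowed to delegate, and only to HTTP/backend.example.com.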