[Samba] Apache reverse-proxy krb5-ticket forwarding (s4u2proxy) not working

Kees van Vloten keesvanvloten at gmail.com
Sun Nov 6 19:15:35 UTC 2022

On 06-11-2022 05:35, Andrew Bartlett wrote:
> On Sun, 2022-11-06 at 00:02 +0100, Kees van Vloten via samba wrote:
>> Hi Team,
>> I have a webapp behind an Apache reverse-proxy that I would like to
>> authenticate users on based on their kerberos ticket.
>> I am using Samba 4.16.2 on the DCs and mod_auth_gssapi on Apache (all
>> machines run Bullseye).
>> Apache config excerpt of the reverse-proxy server:
>> <Location /webapp>
>>       AuthName "Kerberos Login"
>>       AuthType GSSAPI
>>       GssapiSSLonly On
>>       GssapiUseSessions Off  # for testing
>>       GssapiCredStore keytab:/etc/keytab/apache.keytab
>>       GSSapiImpersonate On
>>       GssapiUseS4U2Proxy On
>>       GssapiCredStore client_keytab:/etc/keytab/apache.keytab
>>       GssapiDelegCcacheDir /run/apache2/krb5
>>       GssapiBasicAuth Off
>>       GssapiAllowedMech krb5
>>       require valid-user
>>       ProxyPasshttps://backend.example.com/webapp
>>       ProxyPassReversehttps://backend.example.com/webapp
>> </Location>
>> When I switch 'GssapiUseS4U2Proxy' to 'Off' in the apache revproxy
>> authentication succeeds, which proves that keytab and computer-account
>> are setup properly for simple authentication.
>> However when 'GssapiUseS4U2Proxy' is set 'On', this failure shows up on
>> the DC in Samba audit.log:
> Try adding http/revproxy.example.com at EXAMPLE.COM as the 
> userPrincipalName of the service account.

I am currently using the computer-account as the service account. Is my 
understanding correct that you advice to create a separate (service 
user-)account for this purpose?

How would adding a specific principal as the UPN work when there are 
multiple principals associated with the account? There can be only one 

> If that works, please add a page on our wiki describing the 
> integration steps.
> Also please be aware of 
> https://wiki.samba.org/index.php/Security/Dollar_Ticket_Attack and be 
> aware that there are a signficant number of situations where you can't 
> trust the given username.
I have the MIT kerberos client installed on my Linux machines, do you 
suggest the replace that with the heimdal client?
> Speak to your Kerberos provider about allowing you to require access 
> to the sAMAccountName in the PAC or better the user's SID.

Since I am the domain admin, I can configure it as it suits me, as long 
as it does not break anything for my users of course :-).
How would you advice to change the configuration?

> Andrew Bartlett
> -- 
> Andrew Bartlett (he/him)https://samba.org/~abartlet/
> Samba Team Member (since 2001)https://samba.org
> Samba Developer, Catalyst IThttps://catalyst.net.nz/services/samba

More information about the samba mailing list