[Samba] Apache reverse-proxy krb5-ticket forwarding (s4u2proxy) not working

Andrew Bartlett abartlet at samba.org
Fri Nov 11 19:11:49 UTC 2022


On Sun, 2022-11-06 at 20:15 +0100, Kees van Vloten wrote:
> 
> On 06-11-2022 05:35, Andrew Bartlett wrote:
> > On Sun, 2022-11-06 at 00:02 +0100, Kees van Vloten via samba wrote:
> > > Hi Team,
> > > I have a webapp behind an Apache reverse-proxy that I would like to
> > > authenticate users on based on their kerberos ticket.
> > > I am using Samba 4.16.2 on the DCs and mod_auth_gssapi on Apache (all
> > > machines run Bullseye).
> > > Apache config excerpt of the reverse-proxy server:
> > > <Location /webapp>
> > >      AuthName "Kerberos Login"
> > >      AuthType GSSAPI
> > >      GssapiSSLonly On
> > >      # for testing (Apache does not accept trailing comments on a directive line)
> > >      GssapiUseSessions Off
> > >      GssapiCredStore keytab:/etc/keytab/apache.keytab
> > >      GssapiImpersonate On
> > >      GssapiUseS4U2Proxy On
> > >      GssapiCredStore client_keytab:/etc/keytab/apache.keytab
> > >      GssapiDelegCcacheDir /run/apache2/krb5
> > >      GssapiBasicAuth Off
> > >      GssapiAllowedMech krb5
> > >      require valid-user
> > >      ProxyPass https://backend.example.com/webapp
> > >      ProxyPassReverse https://backend.example.com/webapp
> > > </Location>
> > > When I switch 'GssapiUseS4U2Proxy' to 'Off' in the apache revproxy,
> > > authentication succeeds, which proves that the keytab and computer
> > > account are set up properly for simple authentication.
> > > However, when 'GssapiUseS4U2Proxy' is set 'On', this failure shows up
> > > on the DC in Samba audit.log:
> > 
> > Try adding http/revproxy.example.com at EXAMPLE.COM as the
> > userPrincipalName of the service account.
> 
> I am currently using the computer-account as the service account. Is
> my understanding correct that you advise to create a separate
> (service user-)account for this purpose?
> 
> How would adding a specific principal as the UPN work when there are
> multiple principals associated with the account? There can be only
> one UPN...

Much of this software was written for interaction with MIT Kerberos,
which only has the concept of one name per principal.  

This means it expects the name when acting as a server (accepting the
ticket) and as the client (asking for S4U2Proxy rights) to be the
same. 

> > If that works, please add a page on our wiki describing the
> > integration steps.
> > 
> > Also please be aware of 
> > https://wiki.samba.org/index.php/Security/Dollar_Ticket_Attack and
> > be aware that there are a significant number of situations where you
> > can't trust the given username.
> I have the MIT kerberos client installed on my Linux machines, do
> you suggest I replace that with the heimdal client?

I'm sorry, this was really unclear.  I did a lot of work with MS to
make it possible for MIT/Heimdal to detect when the username in the
ticket is not trustworthy.  However this protocol work hasn't made it
into features available to users as I understand it.  Work and user
demand is needed for this to progress.

Heimdal developers proposed a patch, but haven't made a release in
years.  It may be possible for software using
krb5_gss_get_name_attribute() to obtain the samAccountName or SID from
a modern MIT krb5, speak to the mod_auth_gssapi developers about adding
that, as this would improve your security. 

(There have been no commits to that repo since I disclosed the issue). 

> > Speak to your Kerberos provider about allowing you to require
> > access to the sAMAccountName in the PAC or better the user's SID.
> 
> Since I am the domain admin, I can configure it as it suits me, as
> long as it does not break anything for my users of course :-). 
> How would you advise to change the configuration?
> 

You need to try to work with the mod_auth_gssapi and MIT krb5
communities to see if you can get the SID (as that is stable) or at
least the samAccountName into your logs as the username, not the
provided principal.

Or use the forwarded connection and ask the AD server, say over LDAP,
who actually connected (via tokenGroups on the rootDSE). 

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
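As an added illustration of the second approach above (asking AD, over the forwarded credential, who actually connected, rather than trusting the principal name from the ticket), here is a small Python sketch. It is example code written for this archive page, not code from the thread, from Samba or from mod_auth_gssapi. It assumes the tokenGroups attribute has already been read from the rootDSE (the LDAP call is shown only as a comment, using the ldap3 API), decodes the binary SIDs AD returns, and authorises against an allow-list of group SIDs. The domain SID and group RIDs are constructed sample values so the block runs offline.

```python
"""Authorise a proxied request on the SIDs in tokenGroups, not on the ticket's name.

Added example, not code from the mailing-list thread or from Samba.
The SID wire format decoded here is the standard one used by objectSid
and tokenGroups: revision (1 byte), sub-authority count (1 byte),
identifier authority (6 bytes, big-endian), then N 32-bit little-endian
sub-authorities.
"""
import struct
from typing import Iterable


def decode_sid(raw: bytes) -> str:
    """Convert a binary SID (as returned in tokenGroups) to its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid; used here only to build constructed sample input."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def authorize(token_groups: Iterable[bytes], allowed_group_sids: Iterable[str]) -> set:
    """Return the allowed group SIDs actually present in the caller's tokenGroups.

    An empty result means deny.  Matching on SIDs (stable, assigned by the
    domain) avoids relying on the principal name carried in the ticket.
    """
    present = {decode_sid(raw) for raw in token_groups}
    return present & set(allowed_group_sids)


# Constructed sample values (not from any real domain):
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
WEBAPP_USERS_SID = DOMAIN_SID + "-1105"          # hypothetical "webapp-users" group
DOMAIN_ADMINS_SID = DOMAIN_SID + "-512"           # well-known Domain Admins RID
SAMPLE_TOKEN_GROUPS = [encode_sid(s) for s in (
    "S-1-1-0",              # Everyone
    "S-1-5-11",             # Authenticated Users
    DOMAIN_SID + "-513",    # Domain Users
    WEBAPP_USERS_SID,
)]

# In a real deployment the list would come from the forwarded connection,
# e.g. with ldap3 (assumed API; connection bound with the S4U2Proxy credential):
#   conn.search(search_base="", search_filter="(objectClass=*)",
#               search_scope=BASE, attributes=["tokenGroups"])
#   token_groups = conn.entries[0]["tokenGroups"].raw_values


if __name__ == "__main__":
    for raw in SAMPLE_TOKEN_GROUPS:
        print("member of", decode_sid(raw))
    granted = authorize(SAMPLE_TOKEN_GROUPS, {WEBAPP_USERS_SID})
    print("webapp access:", "allow" if granted else "deny", sorted(granted))
    print("admin access:", "allow" if authorize(SAMPLE_TOKEN_GROUPS, {DOMAIN_ADMINS_SID}) else "deny")
```

The allow-list is keyed on group SIDs so that a renamed account or a principal name chosen by the caller has no effect on the decision; only membership as reported by the domain controller over the forwarded connection counts.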