I noticed..
Kerberos: Server (http/webserver01.samdom.lan at SAMDOM.LAN) has no support for etypes
https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/unsupported-etype-error-accessing-trusted-domain
Above might be it.. not sure, but go through it.
Greetz,
Louis
> -----Original message-----
> From: samba On behalf of Kees van Vloten via samba
> Sent: Tuesday, 10 May 2022 00:49
> To: samba at lists.samba.org
> Subject: Re: [Samba] Apache2 GSSAPI basic authentication
>
> Hi Christian,
>
> I will collect the requested info tomorrow since it is pretty late here.
>
> For now just a quick remark: authentication via the webserver does work if I
> present a krb5-ticket in the authentication, it is just when the fallback to
> user-id/password is involved that it fails with GSS Error in message below.
> That makes me believe that krb5.conf, keytab etc. are all fine and it is also
> why I am lost. But anyway, I supply the extra info tomorrow.
>
>
> - Kees
>
>
> On 10-05-2022 at 00:39, Christian via samba wrote:
> > Hi Kees,
> >
> > what is the output of
> >
> > net ads enctypes list <account of service principal>
> >
> > And when you load the keytab on the webserver with ktutil, what is the
> > output of
> >
> > ktutil
> > rkt /etc/keytab/apache.keytab
> > l -e
> >
> > If you kinit to testuser directly on the webserver, what is the output
> > of klist -e ?
> >
> > After that, if you do a
> >
> > kvno http/webserver01.samdom.lan at SAMDOM.LAN
> >
> > what is the output of
> >
> > klist -e
> >
> > then? Also, the content of krb5.conf on the webserver would be
> > useful...
> >
> > Best wishes,
> >
> > Christian
> >
> > On 09.05.2022 at 21:51, Kees van Vloten wrote:
> >> Hi Christian
> >>
> >> On 09-05-2022 at 21:37, Christian via samba wrote:
> >>> Hi Kees,
> >>>
> >>> Are CNAMEs involved?
> >>
> >> No, the webserver is reached through an A record (the vhost is
> >> configured on the A-record).
> >> The non-domain client is DHCP and has no DNS entry (I do not have
> >> DDNS configured).
> >>
> >> Does that answer the question?
> >>
> >>>
> >>> Best,
> >>>
> >>> Christian
> >>>
> >>> On 09.05.2022 at 21:31, Kees van Vloten via samba wrote:
> >>>> Hi Team,
> >>>>
> >>>>
> >>>> I fail to get logged in by apache2 on a webpage from a non-domain
> >>>> machine (i.e. I get the browser basic auth dialog and pass my
> >>>> credentials).
> >>>> The apache server is not joined to the DC either but it does have a
> >>>> computer-account and a keytab on the webserver.
> >>>>
> >>>> All machines involved run on Debian 11, the DC runs Louis' Samba
> >>>> 4.15.7, all machines are on the same subnet.
> >>>>
> >>>> Authentication on the same webpage does work when I am trying this
> >>>> from a domain-joined Windows machine, i.e. when I present a
> >>>> krb5-ticket.
> >>>>
> >>>> Apache's error log says:
> >>>>
> >>>> [Mon May 09 20:43:10.717747 2022] [auth_gssapi:error] [pid 92032]
> >>>> [client 192.168.1.100:40992] GSS ERROR gss_init_sec_context():
> >>>> [Unspecified GSS failure.  Minor code may provide more information
> >>>> (KDC has no support for encryption type)], referer:
> >>>> https://internal.samdom.lan/home.html
> >>>>
> >>>> I am using mod_auth_gssapi with this config:
> >>>>
> >>>> <Directory /var/www/pages>
> >>>>     AuthName "Login"
> >>>>     AuthType GSSAPI
> >>>>     GssapiSSLonly On
> >>>>     GssapiLocalName On
> >>>>     GssapiUseSessions On
> >>>>     Session On
> >>>>     SessionCookieName gssapi_session path=/private;httponly;secure;
> >>>>     GssapiSessionKey file:/var/lib/apache2/secrets/session.key
> >>>>     GssapiCredStore keytab:/etc/keytab/apache.keytab
> >>>>     GssapiDelegCcacheDir /run/apache2/krb5
> >>>>     GssapiBasicAuth On
> >>>>     GssapiAllowedMech krb5
> >>>>     Require valid-user
> >>>>     AllowOverride None
> >>>>     Order allow,deny
> >>>>     Allow from all
> >>>> </Directory>
> >>>>
> >>>> ls -l /etc/keytab/apache.keytab
> >>>> -rw-r----- 1 root www-data 94 May  3 18:55 /etc/keytab/apache.keytab
> >>>>
> >>>>
> >>>> When I look on the DC, it seems the authentication process is fine
> >>>> and I am authenticated:
> >>>>
> >>>> [2022/05/09 20:55:22.312671,  3]
> >>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >>>>   Kerberos: AS-REQ testuser at SAMDOM.LAN from ipv4:192.168.8.8:42579
> >>>> for krbtgt/SAMDOM.LAN at SAMDOM.LAN
> >>>> [2022/05/09 20:55:22.333446,  3]
> >>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >>>>   Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
> >>>> [2022/05/09 20:55:22.333529,  3]
> >>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >>>>   Kerberos: Looking for PKINIT pa-data -- testuser at SAMDOM.LAN
> >>>> [2022/05/09 20:55:22.333564,  3]
> >>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >>>>   Kerberos: Looking for ENC-TS pa-data -- testuser at SAMDOM.LAN
> >>>> [2022/05/09 20:55:22.333696,  3]
> >>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >>>>   Kerberos: ENC-TS Pre-authentication succeeded --
> >>>> testuser at SAMDOM.LAN using aes256-cts-hmac-sha1-96
> >>>> [2022/05/09 20:55:22.333765,  3]
> >>>> ../../auth/auth_log.c:647(log_authentication_event_human_readable)
> >>>>   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
> >>>> [(null)]\[testuser at SAMDOM.LAN] at [Mon, 09 May 2022 20:55:22.333741
> >>>> CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK]
> >>>> workstation [(null)] remote host [ipv4:192.168.8.8:42579] became
> >>>> [DINTELMOND]\[testuser]
> >>>> [S-1-5-21-1366037735-1163107043-795354949-1197]. local host [NULL]
> >>>> [2022/05/09 20:55:22.359384,  3]
> >>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >>>>   Kerberos: AS-REQ authtime: 2022-05-09T20:55:22 starttime: unset
> >>>> endtime: 2022-05-10T06:55:22 renew till: unset
> >>>> [2022/05/09 20:55:22.359463,  3]
> >>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >>>>   Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> >>>> using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> >>>> [2022/05/09 20:55:22.359500,  3]
> >>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >>>>   Kerberos: Requested flags: renewable-ok, proxiable, forwardable
> >>>> [2022/05/09 20:55:22.564106,  3]
> >>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >>>>   Kerberos: TGS-REQ testuser at SAMDOM.LAN from ipv4:192.168.1.10:58486
> >>>> for http/webserver01.samdom.lan at SAMDOM.LAN
> >>>> [canonicalize, proxiable, forwardable]
> >>>> [2022/05/09 20:55:22.569549,  3]
> >>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >>>>   Kerberos: Server (http/webserver01.samdom.lan at SAMDOM.LAN) has no
> >>>> support for etypes
> >>>> [2022/05/09 20:55:22.569670,  3]
> >>>> ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> >>>>   Kerberos: Failed building TGS-REP to ipv4:192.168.8.8:58486
> >>>> [2022/05/09 20:55:22.570030,  3]
> >>>> ../../source4/samba/service_stream.c:67(stream_terminate_connection)
> >>>>   stream_terminate_connection: Terminating connection -
> >>>> 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() -
> >>>> NT_STATUS_CONNECTION_DISCONNECTED'
> >>>>
> >>>>
> >>>> I guess there must be an issue in the apache2 gssapi configuration,
> >>>> but what is it?
> >>>>
> >>>>
> >>>> - Kees
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >
> >
>
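A small diagnostic for the etype mismatch discussed in this thread, added here as an example (not code from the original posts or from Samba): it intersects the enctypes the client offered (taken from the KDC's "Client supported enctypes" log line), the enctypes the service account allows (its msDS-SupportedEncryptionTypes bitmask, the attribute the linked Microsoft article is about) and the keys actually present in the keytab (parsed from MIT `klist -ke` output). An empty intersection is the condition behind "Server (...) has no support for etypes". The keytab listing and the bitmask values below are constructed samples.

```python
import re

# msDS-SupportedEncryptionTypes bit values (MS-KILE 2.2.7).
SUPPORTED_ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# One keytab entry as printed by MIT 'klist -ke': "<kvno> <principal> (<enctype>)".
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
# The Samba KDC log line that names the enctypes the client offered.
CLIENT_ETYPES = re.compile(r"Client supported enctypes:\s*(.+?),\s*using")

def decode_supported_enctypes(mask):
    """Enctype names selected by an msDS-SupportedEncryptionTypes bitmask."""
    return {name for bit, name in SUPPORTED_ENCTYPE_BITS.items() if mask & bit}

def keytab_enctypes(klist_output, principal):
    """Enctypes for which 'klist -ke' shows a key of the given principal."""
    return {m.group(3) for m in map(KEYTAB_LINE.match, klist_output.splitlines())
            if m and m.group(2).lower() == principal.lower()}

def client_enctypes(kdc_log_line):
    """Enctypes listed in a 'Kerberos: Client supported enctypes:' log line."""
    m = CLIENT_ETYPES.search(kdc_log_line)
    return {e.strip() for e in m.group(1).split(",")} if m else set()

def usable_enctypes(kdc_log_line, account_mask, klist_output, principal):
    """Enctypes acceptable to the client, the account settings and the keytab
    at once; an empty set is the 'has no support for etypes' failure."""
    return (client_enctypes(kdc_log_line)
            & decode_supported_enctypes(account_mask)
            & keytab_enctypes(klist_output, principal))

# Constructed samples in the formats of the tools named above.
KDC_LINE = "Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96"
KLIST_KE = """KVNO Principal
---- --------------------------------------------------------------
   2 http/webserver01.samdom.lan@SAMDOM.LAN (aes256-cts-hmac-sha1-96)
   2 http/webserver01.samdom.lan@SAMDOM.LAN (aes128-cts-hmac-sha1-96)
"""
PRINCIPAL = "http/webserver01.samdom.lan@SAMDOM.LAN"

# Account restricted to RC4 (0x04): nothing in common with an AES-only client.
MISMATCH = usable_enctypes(KDC_LINE, 0x04, KLIST_KE, PRINCIPAL)  # set()
# Account allowing AES128 and AES256 (0x18): the AES256 key can be used.
OK = usable_enctypes(KDC_LINE, 0x18, KLIST_KE, PRINCIPAL)
```

Replace the constructed samples with your own `klist -ke` output, the KDC log line and the account's bitmask to see which enctypes, if any, all three sides agree on.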