Kees van Vloten
2022-Nov-05 23:02 UTC
[Samba] Apache reverse-proxy krb5-ticket forwarding (s4u2proxy) not working
Hi Team,
I have a webapp behind an Apache reverse-proxy that I would like to
authenticate users on based on their kerberos ticket.
I am using Samba 4.16.2 on the DCs and mod_auth_gssapi on Apache (all
machines run Bullseye).
Apache config excerpt of the reverse-proxy server:
<Location /webapp>
    AuthName "Kerberos Login"
    AuthType GSSAPI
    GssapiSSLonly On
    GssapiUseSessions Off  # for testing
    GssapiCredStore keytab:/etc/keytab/apache.keytab
    GSSapiImpersonate On
    GssapiUseS4U2Proxy On
    GssapiCredStore client_keytab:/etc/keytab/apache.keytab
    GssapiDelegCcacheDir /run/apache2/krb5
    GssapiBasicAuth Off
    GssapiAllowedMech krb5
    require valid-user
    ProxyPass https://backend.example.com/webapp
    ProxyPassReverse https://backend.example.com/webapp
</Location>
When I switch 'GssapiUseS4U2Proxy' to 'Off' in the apache revproxy, authentication succeeds, which proves that keytab and computer-account are set up properly for simple authentication.
However, when 'GssapiUseS4U2Proxy' is set 'On', this failure shows up on the DC in Samba audit.log:
{"timestamp": "2022-11-05T23:19:38.622527+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "a494a6184c8cd16c", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": null, "remoteAddress": "ipv4:192.168.100.2:33746", "serviceDescription": "Kerberos KDC", "authDescription": "AS-REQ", "clientDomain": null, "clientAccount": "http/revproxy.example.com@EXAMPLE.COM", "workstation": null, "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": null, "duration": 1072}}
And log.samba has this:
[2022/11/05 23:19:38.621478,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Probing for AS-REQ
[2022/11/05 23:19:38.621533,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Not a FAST request
[2022/11/05 23:19:38.621555,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ http/revproxy.example.com@EXAMPLE.COM from ipv4:192.168.100.2:33746 for krbtgt/EXAMPLE.COM@EXAMPLE.COM
[2022/11/05 23:19:38.622450,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: UNKNOWN -- http/revproxy.example.com@EXAMPLE.COM: no such entry found in hdb
[2022/11/05 23:19:38.622472,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_setkv_number(): setting kv pair #auth_event=2
[2022/11/05 23:19:38.622497,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,AS-REQ] user [(null)]\[http/revproxy.example.com@EXAMPLE.COM] at [Sat, 05 Nov 2022 23:19:38.622490 CET] with [(null)] status [NT_STATUS_NO_SUCH_USER] workstation [(null)] remote host [ipv4:192.168.100.2:33746] mapped to [(null)]\[(null)]. local host [NULL]
[2022/11/05 23:19:38.622582,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: as-req: sending error: -1765328378 to client
[2022/11/05 23:19:38.622614,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: Making non-FAST KRB-ERROR
[2022/11/05 23:19:38.622655,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: heim_audit_vaddkv(): kv pair[0] elapsed=0.001184
[2022/11/05 23:19:38.622668,  3] ../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ ERR_C_PRINCIPAL_UNKNOWN ipv4:192.168.100.2:33746 http/revproxy.example.com@EXAMPLE.COM krbtgt/EXAMPLE.COM@EXAMPLE.COM elapsed=0.001184
I have configured:
samba-tool delegation add-service 'backend$' 'http/revproxy.example.com'
samba-tool delegation for-any-protocol revproxy$ on
It looks like there is something incorrect or missing in the delegation
settings on the accounts.
Perhaps it is not relevant but this line seems to be interesting:
Kerberos: UNKNOWN -- http/revproxy.example.com@EXAMPLE.COM: no such entry found in hdb
Indeed I have not defined it as an explicit principal since my
understanding is that this is one of the default 'sPNMappings' on a
computer-account.
Is it obvious to someone what the culprit is?
Or what can I do to debug this?
- Kees.
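As an added example (not code from this thread or from Samba), here is a small Python check that scans Samba's JSON audit.log for exactly the symptom quoted above: a "Kerberos KDC" AS-REQ whose client name is a service principal (a name with a slash, such as http/revproxy.example.com@EXAMPLE.COM) rejected with NT_STATUS_NO_SUCH_USER, which is how an S4U2Proxy/impersonation attempt surfaces on the DC when no account maps to that name. The sample log lines are constructed, trimmed to the keys the check reads.

```python
import json

# Constructed sample audit.log (one JSON record per line). The first record is
# modelled on the failure quoted in the thread; the other two are made up to
# show what is NOT reported (a normal computer-account AS-REQ and an NTLM failure).
SAMPLE_AUDIT_LOG = """\
{"timestamp": "2022-11-05T23:19:38.622527+0100", "type": "Authentication", "Authentication": {"eventId": 4625, "status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:192.168.100.2:33746", "serviceDescription": "Kerberos KDC", "authDescription": "AS-REQ", "clientAccount": "http/revproxy.example.com@EXAMPLE.COM", "mappedAccount": null}}
{"timestamp": "2022-11-05T23:19:39.000000+0100", "type": "Authentication", "Authentication": {"eventId": 4624, "status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.168.100.2:33750", "serviceDescription": "Kerberos KDC", "authDescription": "AS-REQ", "clientAccount": "REVPROXY$@EXAMPLE.COM", "mappedAccount": "REVPROXY$"}}
{"timestamp": "2022-11-05T23:19:40.000000+0100", "type": "Authentication", "Authentication": {"eventId": 4625, "status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:192.168.100.9:40001", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientAccount": "nosuchuser", "mappedAccount": null}}
"""


def parse_audit_log(text):
    """Return the inner 'Authentication' object of every Authentication record.

    Samba's audit.log also carries other record types (e.g. Authorization);
    those and blank lines are skipped.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if record.get("type") == "Authentication":
            events.append(record["Authentication"])
    return events


def unknown_service_principals(events):
    """Return (clientAccount, remoteAddress) for each KDC AS-REQ that was
    rejected with NT_STATUS_NO_SUCH_USER and whose client name is a service
    principal (contains '/' before the '@').

    A plain user or computer account failing this way is an ordinary bad
    name; a *service* principal failing as the AS-REQ client means a host
    tried to obtain credentials in that SPN's name (as S4U2Proxy setups do)
    and the KDC found no account that maps to it.
    """
    hits = []
    for ev in events:
        if ev.get("serviceDescription") != "Kerberos KDC":
            continue
        if ev.get("authDescription") != "AS-REQ":
            continue
        if ev.get("status") != "NT_STATUS_NO_SUCH_USER":
            continue
        name = ev.get("clientAccount") or ""
        if "/" in name.split("@", 1)[0]:
            hits.append((name, ev.get("remoteAddress")))
    return hits


if __name__ == "__main__":
    for name, addr in unknown_service_principals(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"AS-REQ as service principal {name} from {addr}: no account maps to this name")
```

Run it against the real file (e.g. /var/log/samba/audit.log, path depends on your logging setup) by reading it into parse_audit_log instead of the constructed sample.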
Andrew Bartlett
2022-Nov-06 04:35 UTC
[Samba] Apache reverse-proxy krb5-ticket forwarding (s4u2proxy) not working
On Sun, 2022-11-06 at 00:02 +0100, Kees van Vloten via samba wrote:
> Hi Team,
>
> I have a webapp behind an Apache reverse-proxy that I would like to
> authenticate users on based on their kerberos ticket.
>
> I am using Samba 4.16.2 on the DCs and mod_auth_gssapi on Apache (all
> machines run Bullseye).
>
> Apache config excerpt of the reverse-proxy server:
>
> <Location /webapp>
>     AuthName "Kerberos Login"
>     AuthType GSSAPI
>     GssapiSSLonly On
>     GssapiUseSessions Off  # for testing
>     GssapiCredStore keytab:/etc/keytab/apache.keytab
>     GSSapiImpersonate On
>     GssapiUseS4U2Proxy On
>     GssapiCredStore client_keytab:/etc/keytab/apache.keytab
>     GssapiDelegCcacheDir /run/apache2/krb5
>     GssapiBasicAuth Off
>     GssapiAllowedMech krb5
>     require valid-user
>
>     ProxyPass https://backend.example.com/webapp
>     ProxyPassReverse https://backend.example.com/webapp
> </Location>
>
> When I switch 'GssapiUseS4U2Proxy' to 'Off' in the apache revproxy
> authentication succeeds, which proves that keytab and computer-account
> are set up properly for simple authentication.
>
> However when 'GssapiUseS4U2Proxy' is set 'On', this failure shows up on
> the DC in Samba audit.log:

Try adding http/revproxy.example.com@EXAMPLE.COM as the userPrincipalName of the service account. If that works, please add a page on our wiki describing the integration steps.

Also please be aware of https://wiki.samba.org/index.php/Security/Dollar_Ticket_Attack and be aware that there are a significant number of situations where you can't trust the given username. Speak to your Kerberos provider about allowing you to require access to the sAMAccountName in the PAC or better the user's SID.

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba