Andrew Bartlett
2022-Nov-06 04:35 UTC
[Samba] Apache reverse-proxy krb5-ticket forwarding (s4u2proxy) not working
On Sun, 2022-11-06 at 00:02 +0100, Kees van Vloten via samba wrote:
> Hi Team,
>
> I have a webapp behind an Apache reverse-proxy that I would like to
> authenticate users on based on their kerberos ticket.
>
> I am using Samba 4.16.2 on the DCs and mod_auth_gssapi on Apache (all
> machines run Bullseye).
>
> Apache config excerpt of the reverse-proxy server:
>
> <Location /webapp>
>     AuthName "Kerberos Login"
>     AuthType GSSAPI
>     GssapiSSLonly On
>     GssapiUseSessions Off  # for testing
>     GssapiCredStore keytab:/etc/keytab/apache.keytab
>     GSSapiImpersonate On
>     GssapiUseS4U2Proxy On
>     GssapiCredStore client_keytab:/etc/keytab/apache.keytab
>     GssapiDelegCcacheDir /run/apache2/krb5
>     GssapiBasicAuth Off
>     GssapiAllowedMech krb5
>     require valid-user
>
>     ProxyPass https://backend.example.com/webapp
>     ProxyPassReverse https://backend.example.com/webapp
> </Location>
>
> When I switch 'GssapiUseS4U2Proxy' to 'Off' in the apache revproxy
> authentication succeeds, which proves that keytab and computer-account
> are setup properly for simple authentication.
>
> However when 'GssapiUseS4U2Proxy' is set 'On', this failure shows up on
> the DC in Samba audit.log:

Try adding http/revproxy.example.com@EXAMPLE.COM as the
userPrincipalName of the service account.

If that works, please add a page on our wiki describing the
integration steps.

Also please be aware of
https://wiki.samba.org/index.php/Security/Dollar_Ticket_Attack and be
aware that there are a significant number of situations where you can't
trust the given username.

Speak to your Kerberos provider about allowing you to require access
to the sAMAccountName in the PAC or better the user's SID.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)          https://samba.org/~abartlet/
Samba Team Member (since 2001)    https://samba.org
Samba Developer, Catalyst IT      https://catalyst.net.nz/services/samba
Kees van Vloten
2022-Nov-06 19:15 UTC
[Samba] Apache reverse-proxy krb5-ticket forwarding (s4u2proxy) not working
On 06-11-2022 05:35, Andrew Bartlett wrote:
> On Sun, 2022-11-06 at 00:02 +0100, Kees van Vloten via samba wrote:
>> Hi Team,
>> I have a webapp behind an Apache reverse-proxy that I would like to
>> authenticate users on based on their kerberos ticket.
>> I am using Samba 4.16.2 on the DCs and mod_auth_gssapi on Apache (all
>> machines run Bullseye).
>> Apache config excerpt of the reverse-proxy server:
>> <Location /webapp>
>>     AuthName "Kerberos Login"
>>     AuthType GSSAPI
>>     GssapiSSLonly On
>>     GssapiUseSessions Off  # for testing
>>     GssapiCredStore keytab:/etc/keytab/apache.keytab
>>     GSSapiImpersonate On
>>     GssapiUseS4U2Proxy On
>>     GssapiCredStore client_keytab:/etc/keytab/apache.keytab
>>     GssapiDelegCcacheDir /run/apache2/krb5
>>     GssapiBasicAuth Off
>>     GssapiAllowedMech krb5
>>     require valid-user
>>     ProxyPass https://backend.example.com/webapp
>>     ProxyPassReverse https://backend.example.com/webapp
>> </Location>
>> When I switch 'GssapiUseS4U2Proxy' to 'Off' in the apache revproxy
>> authentication succeeds, which proves that keytab and computer-account
>> are setup properly for simple authentication.
>> However when 'GssapiUseS4U2Proxy' is set 'On', this failure shows up on
>> the DC in Samba audit.log:
>
> Try adding http/revproxy.example.com@EXAMPLE.COM as the
> userPrincipalName of the service account.

I am currently using the computer-account as the service account. Is my
understanding correct that you advise creating a separate (service
user-)account for this purpose?

How would adding a specific principal as the UPN work when there are
multiple principals associated with the account? There can be only one
UPN...

> If that works, please add a page on our wiki describing the
> integration steps.
>
> Also please be aware of
> https://wiki.samba.org/index.php/Security/Dollar_Ticket_Attack and be
> aware that there are a significant number of situations where you can't
> trust the given username.

I have the MIT kerberos client installed on my Linux machines, do you
suggest I replace that with the heimdal client?

> Speak to your Kerberos provider about allowing you to require access
> to the sAMAccountName in the PAC or better the user's SID.

Since I am the domain admin, I can configure it as it suits me, as long
as it does not break anything for my users of course :-). How would you
advise changing the configuration?

> Andrew Bartlett
> -- 
> Andrew Bartlett (he/him)          https://samba.org/~abartlet/
> Samba Team Member (since 2001)    https://samba.org
> Samba Developer, Catalyst IT      https://catalyst.net.nz/services/samba
>
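Added example, not code from the thread, from Samba or from mod_auth_gssapi: a small Python checker for the attributes of the account that holds the proxy's keytab, since S4U2Proxy is granted by the KDC based on that account rather than by anything in the Apache config. It covers the userPrincipalName Andrew suggests above and, beyond the thread, the standard Active Directory prerequisites for constrained delegation with protocol transition: an SPN for the proxy, msDS-AllowedToDelegateTo listing the backend SPN, and the TRUSTED_TO_AUTH_FOR_DELEGATION bit of userAccountControl (without it the S4U2Self evidence ticket is not forwardable, so S4U2Proxy is refused). The two LDIF records, the host names and the account name REVPROXY$ are constructed; the thread does not show the audit-log line, so this checks prerequisites rather than diagnosing that particular failure.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# userAccountControl bits (Active Directory; names follow Samba's UF_* constants)
UF_TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # protocol transition: S4U2Self tickets are forwardable


@dataclass
class ServiceAccount:
    """Subset of the LDAP attributes of the account behind the proxy's keytab."""
    sam_account_name: str
    user_account_control: int
    service_principal_names: List[str] = field(default_factory=list)
    allowed_to_delegate_to: List[str] = field(default_factory=list)  # msDS-AllowedToDelegateTo
    user_principal_name: Optional[str] = None


def parse_ldif_record(text: str) -> ServiceAccount:
    """Parse one plain-text LDIF entry (as ldbsearch prints it; no base64 '::' values)."""
    attrs = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return ServiceAccount(
        sam_account_name=attrs["samaccountname"][0],
        user_account_control=int(attrs["useraccountcontrol"][0]),
        service_principal_names=attrs.get("serviceprincipalname", []),
        allowed_to_delegate_to=attrs.get("msds-allowedtodelegateto", []),
        user_principal_name=(attrs.get("userprincipalname") or [None])[0],
    )


def check_s4u2proxy(acct: ServiceAccount, proxy_spn: str, backend_spn: str, realm: str) -> List[str]:
    """Return findings that would stop S4U2Proxy; an empty list means the prerequisites are in place."""
    findings = []
    spns = {s.lower() for s in acct.service_principal_names}
    if proxy_spn.lower() not in spns:
        findings.append(f"servicePrincipalName lacks {proxy_spn}: clients cannot get a ticket for the proxy")
    targets = {t.lower() for t in acct.allowed_to_delegate_to}
    if backend_spn.lower() not in targets:
        # samba-tool delegation add-service <account> <spn> adds this entry
        findings.append(f"msDS-AllowedToDelegateTo does not list {backend_spn}: KDC will refuse S4U2Proxy")
    uac = acct.user_account_control
    if uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append("TRUSTED_FOR_DELEGATION set: unconstrained delegation, far broader than S4U2Proxy needs")
    if not uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        # samba-tool delegation for-any-protocol <account> on sets this bit
        findings.append("TRUSTED_TO_AUTH_FOR_DELEGATION not set: S4U2Self evidence ticket will not be forwardable")
    expected_upn = f"{proxy_spn}@{realm}"
    if (acct.user_principal_name or "").lower() != expected_upn.lower():
        findings.append(f"userPrincipalName is {acct.user_principal_name!r}, not {expected_upn} (suggested in the thread)")
    return findings


# Constructed sample: the computer account as the thread describes it, before any change.
BEFORE = """\
dn: CN=REVPROXY,CN=Computers,DC=example,DC=com
sAMAccountName: REVPROXY$
userAccountControl: 4096
servicePrincipalName: HOST/revproxy.example.com
servicePrincipalName: http/revproxy.example.com
"""

# Constructed sample after adding the UPN from the thread and constrained delegation
# (4096 workstation bit + 0x01000000 = 16781312).
AFTER = """\
dn: CN=REVPROXY,CN=Computers,DC=example,DC=com
sAMAccountName: REVPROXY$
userAccountControl: 16781312
servicePrincipalName: HOST/revproxy.example.com
servicePrincipalName: http/revproxy.example.com
userPrincipalName: http/revproxy.example.com@EXAMPLE.COM
msDS-AllowedToDelegateTo: http/backend.example.com
"""

PROXY_SPN, BACKEND_SPN, REALM = "http/revproxy.example.com", "http/backend.example.com", "EXAMPLE.COM"


def audit(ldif_text: str) -> List[str]:
    return check_s4u2proxy(parse_ldif_record(ldif_text), PROXY_SPN, BACKEND_SPN, REALM)


if __name__ == "__main__":
    for label, record in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {audit(record) or ['ok']}")
```

Feed it the LDIF that `ldbsearch` (or `samba-tool delegation show` plus a UPN query) prints for the account on the DC; the samba-tool subcommands named in the comments are the ones I know for setting these attributes, so confirm them against `samba-tool delegation --help` on your version. Unconstrained delegation is reported as a finding on purpose: it would make the proxy work, but it hands the proxy the user's TGT rather than a ticket to one backend.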