FYI deb11 users with apache2 + sso

Hey there,

for anyone running bullseye who needed to backport the libapache2-mod-auth-kerb package from sid:
I moved to libapache2-mod-auth-gssapi with (currently) no problems.

Since it doesn’t seem like they’re still putting a lot of work into that package (libapache-mod-auth-kerb - Debian Package Tracker), this could be a “more secure” SSO approach for now.

The process is pretty simple and can even be done in under 1 minute. You can try it on your own if you’d like to, but keep in mind that this is probably in no way supported by Zammad itself (and most of all not by me :slight_smile: ). If stuff goes downtown - you’re on your own.

Danger Zone
The following will only work if you're already running SSO via mod-auth-kerb.
As already said: I'm sharing this As-Is. I simply can't provide any troubleshooting if needed.
  1. Install the GSSAPI package: apt install libapache2-mod-auth-gssapi

  2. Edit the <LocationMatch "/auth/sso"> part in your apache2 conf to look like this:

<LocationMatch "/auth/sso">
  SSLRequireSSL
  AuthType GSSAPI
  AuthName "Your Zammad"
  GssapiBasicAuth On
  # keytab path: wherever it is located on your end
  GssapiCredStore keytab:/etc/zammad.keytab
  GssapiLocalName On
  require valid-user
  
  RewriteEngine On
  RewriteCond %{LA-U:REMOTE_USER} (.+)
  RewriteRule . - [E=RU:%1,NS]
  RequestHeader set X-Forwarded-User "%{RU}e" env=RU
</LocationMatch>
  3. Restart the apache2 service: systemctl restart apache2.service

Now you should be done. You’re free to remove the old libapache2-mod-auth-kerb package now.

cheers

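A pre-restart check for the migration described in the post above, as an added example that is not part of the original post or of Zammad: it flags leftover mod_auth_kerb directives (which stop loading once the old package is removed), comments trailing a directive (Apache only accepts comments on their own line), and `GssapiBasicAuth On` without enforced TLS. The function name, the directive mapping and the sample block are assumptions made for illustration; `GssapiSSLonly` is a mod_auth_gssapi directive that the post itself does not use.

```python
import re

# Closest mod_auth_gssapi replacement for common mod_auth_kerb directives.
KERB_TO_GSSAPI = {
    "krb5keytab": "GssapiCredStore keytab:<path>",
    "krbmethodk5passwd": "GssapiBasicAuth",
    "krblocalusermapping": "GssapiLocalName",
}

def lint_sso_block(conf_text):
    """Return (line_no, message) findings; line_no 0 means block-wide."""
    findings, basic_on, tls_required = [], False, False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and whole-line comments are fine
        if re.search(r"\s#", line):
            findings.append((no, "trailing comment: put it on its own line"))
        parts = line.split()
        name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if name.startswith("krb"):
            hint = KERB_TO_GSSAPI.get(name, "check the mod_auth_gssapi docs")
            findings.append((no, f"{parts[0]} is mod_auth_kerb: {hint}"))
        elif name == "authtype" and args[:1] == ["kerberos"]:
            findings.append((no, "AuthType Kerberos: use AuthType GSSAPI"))
        elif name == "gssapibasicauth" and args[:1] == ["on"]:
            basic_on = True  # Basic fallback sends the password itself
        elif name == "sslrequiressl" or (name == "gssapisslonly" and args[:1] == ["on"]):
            tls_required = True
    if basic_on and not tls_required:
        findings.append((0, "GssapiBasicAuth On but TLS is not enforced"))
    return findings

# Constructed sample: a pre-migration mod_auth_kerb block (not from the post).
OLD_BLOCK = """<LocationMatch "/auth/sso">
  AuthType Kerberos
  Krb5KeyTab /etc/zammad.keytab
  KrbMethodK5Passwd On
  require valid-user
</LocationMatch>"""

if __name__ == "__main__":
    for no, msg in lint_sso_block(OLD_BLOCK):
        print(f"line {no}: {msg}")
```

Running `apache2ctl configtest` before the restart remains the authoritative syntax check; this script only catches the migration-specific leftovers.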

Yes, that’s the best route. I put quite some time into this topic and can confirm. Either you have to backport the deprecated package or use gssapi instead.
