Kerberos/SSO on Debian Bullseye

Finally, Zammad 5.1 is running just fine on a Debian 11 environment with MariaDB and nginx, installed manually like following
Now the next goal should be SSO with Kerberos like explained in
Single Sign-On for Kerberos — Zammad documentation)
Unfortunately, I had to learn that the package libapache2-mod-auth-kerb is not part of Bullseye.

Now the question is: Is there a documented way to use SSO with Kerberos in nginx or any other recommended way to come around this?



Hey @Boris ,

either backport:

or change the package:



Hej Devin,

thanks a lot for your reply!

I was reading a bit deeper into it and as far as I can sum up the statements, Debian feels Kerberos to be unsecure by design

So, with that in mind, I tend to go with gssapi. But I have to get some knowledge about that first.

Thanks again,


1 Like

Hej Devin,
hej all,

let me please put an additional question onto that topic:
Zammad installs on nginx by default. A Kerberos-package for nginx seems to be availabel on Bullseye - so why is it recommended to switch to Apache??

Thanks and regards

Hey Boris,

i don’t think it’s a recommendation per se. I guess zammad was kind enough to share a working guide in their docs - as is. You’re perfectly free to choose any approach you want to on your own as long as you can handle it or you can contact them as stated in their hint.

But those are just my thoughts. I’m in no means connected to the zammad team apart from beeing a customer.


At the time this PoC was written, said modules were only available for apache on a wide range on the supported distributions of us. This is why the guide is fitted to Apache.

I currently have no plans on going through that weeks of kerberos hell again in the near future.
I simply have to much on my plate.

Hej Devin,
hej Marcel,

thanks for your lines!
‘Kerberos hell’ leaves me undecided concerning the motivation to work on that, but there are peaple around me wanting it…


Hey Boris,

don’t get me wrong.
Pull Requests are always welcome.

However, the PoC as is technically works with the mentioned environment. It’s meant as pointer and doesn’t guruantee it’s working on every future OS. I’ve invested over 2 weeks pure work (8 hours, 5 days per week). So this was a quite expensive PoC as you can imagine.


This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.