OpenLDAP + Kerberos - cannot reach any KDC in realm
I have an LDAP server + Kerberos installation in a CentOS VM (done with a boot2docker VM), and I am trying to use them to test my web application (from the host - my MacBook).
For authentication, I need to use the "GSSAPI" mechanism, not simple binding. "Simple bind" works fine, but the "GSSAPI" approach doesn't work.
I get the following error when I try to execute the command "ldapwhoami" (I ran "kinit" before running ldapwhoami to make sure I have a valid Kerberos TGT):
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (unable to reach any KDC in realm DEV.EXAMPLE.COM, tried 1 KDC)
Please note that the LDAP server and Kerberos server are working fine, as I tested them with things like "ldapsearch" and "ldapwhoami" in the CentOS VM where I have the LDAP server + Kerberos setup. I can see the correct output for them.
I only get the error above when I try to execute the same command from my laptop (client).
Note: I even created a host principal (host/mymacbook.dev@DEV.EXAMPLE.COM) from my laptop and added it to my local krb5.keytab file using "kadmin".
Below are my client-side configurations:
/etc/krb5.conf in Client (MacBook):
[libdefaults]
    default_realm = DEV.EXAMPLE.COM
    ticket_lifetime = 24000
    dns_lookup_realm = false
    # no SRV lookups: only the kdc = line in [realms] is tried
    dns_lookup_kdc = false

[realms]
    DEV.EXAMPLE.COM = {
        # container hostname, mapped to the boot2docker VM IP in /etc/hosts
        kdc = d4dc7089282c
        admin_server = krb.example.com
    }

[domain_realm]
    .dev.example.com = DEV.EXAMPLE.COM
    dev.example.com = DEV.EXAMPLE.COM
    .example.com = DEV.EXAMPLE.COM
    example.com = DEV.EXAMPLE.COM

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
/etc/hosts in Client (MacBook):
127.0.0.1 localhost
192.168.59.3 mymacbook.dev
255.255.255.255 broadcasthost
::1 localhost
192.168.59.103 ldapserver.example.com
192.168.59.103 d4dc7089282c
192.168.59.103 krb.example.com
192.168.59.103 is my boot2docker VM IP, and I am port-forwarding from the boot2docker VM to the Docker image on all LDAP- and Kerberos-related default ports (88, 389, 464 and 749).
Any idea why I am getting this error?
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (unable to reach any KDC in realm DEV.EXAMPLE.COM, tried 1 KDC)
Is it DNS-related or something else? Any suggestions?
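Before changing anything it helps to see exactly which KDC endpoint the client library is going to try, since that single endpoint is the "tried 1 KDC" in the error. The following is an added example and not code from the question: a small Python diagnostic that parses the [realms] kdc entries the way libkrb5 reads them (host[:port], port 88 by default, optional MIT-style tcp/ or udp/ prefix), resolves each host through an /etc/hosts table before DNS, and offers a TCP connect probe for a live check. The krb5.conf and /etc/hosts excerpts embedded in it are constructed from the question's own configuration.

```python
import re
import socket

# Constructed sample input: the client krb5.conf from the question, trimmed
# to the sections that matter for KDC discovery.
KRB5_CONF = """\
[libdefaults]
    default_realm = DEV.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
[realms]
    DEV.EXAMPLE.COM = {
        kdc = d4dc7089282c
        admin_server = krb.example.com
    }
[domain_realm]
    .dev.example.com = DEV.EXAMPLE.COM
"""

# Constructed sample input: the client /etc/hosts from the question.
HOSTS = """\
127.0.0.1 localhost
192.168.59.3 mymacbook.dev
192.168.59.103 ldapserver.example.com
192.168.59.103 d4dc7089282c
192.168.59.103 krb.example.com
"""

DEFAULT_PORT = {"kdc": 88, "admin_server": 749, "kpasswd_server": 464}


def parse_krb5_conf(text):
    """Parse the krb5.conf subset needed here: [section] headers, `key = value`
    lines (repeated keys accumulate, as several `kdc =` lines do) and nested
    `NAME = { ... }` blocks. Returns {section: {key: [values] | {block}}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError("key outside any section: %r" % line)
        if line == "}":
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return conf


def split_host_port(spec, default_port):
    """'host[:port]' -> (host, port); bracketed IPv6 literals are accepted."""
    if spec.startswith("["):
        host, _, rest = spec[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = spec.partition(":")
    return host, (int(port) if port else default_port)


def kdc_endpoints(conf, realm=None):
    """(host, port, transport) triples the library will try for `realm`:
    explicit `kdc =` lines, port 88 unless given, and both UDP and TCP ("any")
    unless a `udp/` or `tcp/` prefix pins one. One entry that cannot be
    reached is exactly the question's "tried 1 KDC"."""
    realm = realm or conf["libdefaults"]["default_realm"][0]
    endpoints = []
    for spec in conf.get("realms", {}).get(realm, {}).get("kdc", []):
        transport = "any"
        if "/" in spec:
            transport, spec = spec.split("/", 1)
        host, port = split_host_port(spec, DEFAULT_PORT["kdc"])
        endpoints.append((host, port, transport.lower()))
    return endpoints


def parse_hosts(text):
    """/etc/hosts -> {name: ip}; the first mapping for a name wins."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table


def resolve(host, hosts_table, use_dns=True):
    """/etc/hosts first, then DNS (skipped entirely when use_dns is False)."""
    ip = hosts_table.get(host.lower())
    if ip or not use_dns:
        return ip
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def diagnose(krb5_text, hosts_text, realm=None, use_dns=True):
    """One record per KDC endpoint: where it resolves and how it was resolved."""
    conf, hosts = parse_krb5_conf(krb5_text), parse_hosts(hosts_text)
    return [{"host": host, "port": port, "transport": transport,
             "ip": resolve(host, hosts, use_dns),
             "from_hosts_file": host.lower() in hosts}
            for host, port, transport in kdc_endpoints(conf, realm)]


def probe_tcp(ip, port, timeout=2.0):
    """Live check: True if a TCP connect to ip:port succeeds. This proves only
    the TCP path; the UDP forward still has to be confirmed with kinit."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for entry in diagnose(KRB5_CONF, HOSTS):
        reachable = probe_tcp(entry["ip"], entry["port"]) if entry["ip"] else "n/a"
        print("kdc %s -> %s port %d (%s), tcp reachable: %s" % (
            entry["host"], entry["ip"] or "UNRESOLVED", entry["port"],
            entry["transport"], reachable))
```

Run it against the real files with `diagnose(open('/etc/krb5.conf').read(), open('/etc/hosts').read())`. A TCP connect that succeeds only proves the TCP forward; Kerberos clients send to the KDC over UDP by default, so the forward for 88/udp has to exist as well. With an MIT Kerberos client, `KRB5_TRACE=/dev/stderr kinit user` prints every endpoint and transport the library actually attempts.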
You need a few things to get a container KDC accessible from the outside.
Let's assume you are using port 88, as that is the default, and also that your image is called docker-kdc.

1. Make sure your port 88 is open.

    EXPOSE 88

2. Make sure your KDC daemon is listening on this port. For this example, I'm just using the KDC as the entry point; you should be able to extrapolate if that's not the case for your specific setup.

    ENTRYPOINT ["/usr/lib/heimdal-servers/kdc", "--config-file=/etc/heimdal-kdc/kdc.conf", "-P", "88"]

3. I use port forwarding towards 48088 when starting the container. Note that the KDC uses both TCP and UDP.

    docker run -d -h kdc --name kdc -p 48088:88/udp -p 48088:88 docker-kdc

From now on, your KDC should be accessible from inside the host system.

=== OSX only ===

4. Now, given that you are using OSX (boot2docker -> VirtualBox), you will also need to configure port forwarding to the OSX environment.

    VBoxManage controlvm boot2docker-vm natpf1 "48088/tcp,tcp,127.0.0.1,48088,,48088"
    VBoxManage controlvm boot2docker-vm natpf1 "48088/udp,udp,127.0.0.1,48088,,48088"

5. Get the IP address of your docker container if needed. When using plain docker (on Linux) you can just use loopback, 127.0.0.1. When using boot2docker (on OSX), you get it using:

    boot2docker ip

6. Prepare a minimal krb5.conf that uses the KDC. For this example, I am using a realm called EXAMPLE.COM in the domain example.com. Note that you will have to replace IP with the result from step 5.

    [libdefaults]
        default_realm = EXAMPLE.COM
        noaddresses = true

    [realms]
        EXAMPLE.COM = {
            kdc = IP:48088
            admin_server = IP:48088
        }

    [domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM

7. Now go ahead and check your configuration.

    export KRB5_CONFIG=PATH_TO_THE_KRB5.CONF_FILE_FROM_STEP_6
    kinit test/foo.example.com@EXAMPLE.COM
Since I had to do this for my project, I put it all together into a small script that might be useful for your further research: https://github.com/tillt/docker-kdc
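The procedure above wired together as one script, added here as an example; it is not the answer's code and not the docker-kdc project's. It publishes the KDC port for both UDP and TCP, replaces any stale VirtualBox NAT rule of the same name before adding the new one, renders the client krb5.conf with the address from `boot2docker ip` (loopback when boot2docker is not installed), checks the TCP path with nc and then runs kinit against the rendered file through KRB5_CONFIG. Image, container, VM, realm, domain and port names are assumptions taken from the answer and can be overridden through the environment; `dns_lookup_kdc = false` in the rendered config is an addition so the client never falls back to SRV lookups for the test realm.

```shell
#!/bin/sh
# Added example (not from the answer or the docker-kdc project): automates
# steps 3-7 above. The defaults below are assumptions taken from the answer;
# override them through the environment, e.g. REALM=DEV.EXAMPLE.COM.
set -eu

IMAGE="${IMAGE:-docker-kdc}"
CONTAINER="${CONTAINER:-kdc}"
HOST_PORT="${HOST_PORT:-48088}"
KDC_PORT="${KDC_PORT:-88}"
REALM="${REALM:-EXAMPLE.COM}"
DOMAIN="${DOMAIN:-example.com}"
VM="${VM:-boot2docker-vm}"

# Kerberos uses UDP by default and TCP for large messages, so the KDC port
# has to be published for both; a TCP-only -p still leaves the client with
# "unable to reach any KDC" even though a TCP connect to the port works.
docker_port_args() {   # $1 host port, $2 container port
    printf '%s' "-p $1:$2/udp -p $1:$2"
}

# VirtualBox NAT rule: <name>,<proto>,<host ip>,<host port>,<guest ip>,<guest port>
natpf_rule() {         # $1 proto (tcp|udp), $2 port
    printf '%s' "$2/$1,$1,127.0.0.1,$2,,$2"
}

# Adding a rule whose name already exists fails, so drop a stale one first.
vbox_forward() {       # $1 proto
    VBoxManage controlvm "$VM" natpf1 delete "$HOST_PORT/$1" 2>/dev/null || true
    VBoxManage controlvm "$VM" natpf1 "$(natpf_rule "$1" "$HOST_PORT")"
}

# Address the client must use: the VM's IP under boot2docker, loopback otherwise.
kdc_ip() {
    if command -v boot2docker >/dev/null 2>&1; then boot2docker ip; else echo 127.0.0.1; fi
}

# Minimal client krb5.conf; dns_lookup_kdc = false is an addition so the
# client only ever tries the forwarded port, never SRV records for the realm.
render_krb5_conf() {   # $1 ip, $2 port, $3 realm, $4 domain
    cat <<EOF
[libdefaults]
    default_realm = $3
    noaddresses = true
    dns_lookup_kdc = false

[realms]
    $3 = {
        kdc = $1:$2
        admin_server = $1:$2
    }

[domain_realm]
    $4 = $3
    .$4 = $3
EOF
}

main() {               # $1 optional principal to kinit as
    # shellcheck disable=SC2046  # word-splitting of the -p flags is intended
    docker run -d -h kdc --name "$CONTAINER" $(docker_port_args "$HOST_PORT" "$KDC_PORT") "$IMAGE"
    if command -v VBoxManage >/dev/null 2>&1; then
        vbox_forward tcp
        vbox_forward udp
    fi
    ip=$(kdc_ip)
    conf="${TMPDIR:-/tmp}/krb5-$REALM.conf"
    render_krb5_conf "$ip" "$HOST_PORT" "$REALM" "$DOMAIN" > "$conf"
    # nc can only prove the TCP path; the kinit that follows is the UDP test.
    nc -z -w 3 "$ip" "$HOST_PORT" || { echo "TCP $ip:$HOST_PORT unreachable" >&2; exit 1; }
    KRB5_CONFIG="$conf" kinit "${1:-test/foo.$DOMAIN@$REALM}"
    echo "client krb5.conf written to $conf"
}

case "${1:-}" in up) main "${2:-}" ;; esac
```

Run it as `sh kdc-expose.sh up [principal]`. The nc check is deliberately limited to TCP, since UDP has no handshake to test; a kinit that returns a ticket is the only proof that the 88/udp forward is in place as well.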