Openldap + kerberos - cannot reach any KDC in scope

I have an LDAP server + Kerberos installation in a CentOS VM (done with a boot2docker VM), and I am trying to use them to test my web application (from the host, my MacBook).

For authentication, I need to use the "GSSAPI" mechanism, not simple binding. "simple bind" works fine, but the "GSSAPI" approach doesn't work.

I get the following error when I try to execute the command "ldapwhoami" (I ran "kinit" before running ldapwhoami to make sure I have a valid Kerberos TGT):

ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text (unable to reach any KDC in realm DEV.EXAMPLE.COM, tried 1 KDC)


Please note that the LDAP server and Kerberos server are working fine; I tested them with things like "ldapsearch" and "ldapwhoami" in the CentOS VM where I have the LDAP server + Kerberos setup, and I can see the correct output for them.

I only get errors (the above error) when I try to execute the same command from my laptop (the client).

Note: I even created a master host (host/mymacbook.dev@DEV.EXAMPLE.COM) from my laptop and added it to my local krb5.keytab file using "kadmin".

Below are my client side configurations:

/etc/krb5.conf on the client (MacBook):

[libdefaults]
  default_realm    = DEV.EXAMPLE.COM
  ticket_lifetime  = 24000
  dns_lookup_realm = false
  dns_lookup_kdc   = false

[realms]
  DEV.EXAMPLE.COM = {
    kdc = d4dc7089282c
    admin_server = krb.example.com
  }

[domain_realm]
  .dev.example.com = DEV.EXAMPLE.COM
  dev.example.com = DEV.EXAMPLE.COM
  .example.com = DEV.EXAMPLE.COM
  example.com = DEV.EXAMPLE.COM

[appdefaults]
  pam = {
    debug           = false
    ticket_lifetime = 36000
    renew_lifetime  = 36000
    forwardable     = true
    krb4_convert    = false
  }

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log


/etc/hosts on the client (MacBook):

127.0.0.1       localhost
192.168.59.3    mymacbook.dev
255.255.255.255 broadcasthost
::1             localhost


192.168.59.103  ldapserver.example.com
192.168.59.103  d4dc7089282c
192.168.59.103  krb.example.com


192.168.59.103 is my boot2docker VM IP, and I am port-forwarding from the boot2docker VM to the Docker image on all LDAP- and Kerberos-related default ports (88, 389, 464 and 749).

Any idea why I am getting this error?


Is it DNS related or something else? Any suggestions?


3 answers


You need a few things to get a container KDC accessible from the outside.

Let's assume you are using port 88, as that is the default, and also that your image is called docker-kdc.

  1. Make sure your port 88 is open.

EXPOSE 88

  2. Make sure your KDC daemon is listening on this port. For this example, I'm just using the KDC as the entry point; you should be able to extrapolate if that's not the case for your specific setup.

ENTRYPOINT ["/usr/lib/heimdal-servers/kdc", "--config-file=/etc/heimdal-kdc/kdc.conf", "-P 88"]

  3. I use port forwarding to 48088 when starting the container. Note that the KDC uses both TCP and UDP.

docker run -d -h kdc --name kdc -p 48088:88/udp -p 48088:88 docker-kdc

From now on, your KDC should be accessible from inside the host system.


=== OSX only ===



  4. Now, given that you are using OSX (boot2docker -> VirtualBox), you will also need to configure port forwarding to the OSX environment.

VBoxManage controlvm boot2docker-vm natpf1 "48088/tcp,tcp,127.0.0.1,48088,,48088"

VBoxManage controlvm boot2docker-vm natpf1 "48088/udp,udp,127.0.0.1,48088,,48088"


  5. Get the IP address of your Docker container if needed.

    • When using plain Docker (on Linux) you can just use loopback 127.0.0.1.

    • When using boot2docker (on OSX), you get this using: boot2docker ip

  6. Prepare a minimal krb5.conf that uses the KDC. For this example, I am using a realm called EXAMPLE.COM in the domain example.com. Note that you will have to replace IP with the result from step 5.

[libdefaults]

    default_realm = EXAMPLE.COM
    noaddresses = true

[realms]

    EXAMPLE.COM = {
            kdc = IP:48088
            admin_server = IP:48088
    }

[domain_realm]

    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM

  7. Now go ahead and check your configuration.

export KRB5_CONFIG=PATH_TO_THE_KRB5.CONF_FILE_FROM_STEP_6

kinit test/foo.example.com@EXAMPLE.COM

Since I had to do this for my project, I put it all together into a small script that might be useful for your further research: https://github.com/tillt/docker-kdc


Make sure the krb5.conf file is in the /etc directory. I had the same problem and I had no problem with the firewall, still getting the same error. Finally, I was able to fix the problem by moving the krb5.conf file to the /etc directory.


On macOS, the client does not fall back to TCP by default. Prefix the kdc entry in your krb5.conf with tcp/ to force the client to use TCP if your network blocks UDP.

kdc = tcp/ds01.int.domain.com:88

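One way to pre-check the client side of this thread, covering both the kdc = IP:48088 form from the first answer and the tcp/ prefix from the last, is to parse the realm's kdc entries out of krb5.conf and TCP-probe each one before trying kinit or ldapwhoami. This is an added example, not code from any of the answers or from docker-kdc; the sample config is constructed from values in the thread, and the function names are my own.

```python
import re
import socket

DEFAULT_KDC_PORT = 88

# Constructed sample config with the three kdc= forms seen in this thread:
# host:port, tcp/ prefix, and a bare container id. Hostnames are illustrative.
SAMPLE_CONF = """[realms]
    EXAMPLE.COM = {
        kdc = 192.168.59.103:48088        # transport chosen by the library
        kdc = tcp/ds01.int.domain.com:88  # tcp/ prefix forces TCP
        kdc = d4dc7089282c                # bare name, port defaults to 88
        admin_server = 192.168.59.103:48088
    }
"""

def parse_kdc_entries(conf_text, realm):
    """Return (transport, host, port) for each kdc= line of `realm`;
    transport is 'tcp', 'udp' or 'any' when no prefix is given."""
    entries, in_realms, in_target = [], False, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):                     # section header
            in_realms, in_target = line.lower() == "[realms]", False
            continue
        if in_realms and not in_target:              # look for 'REALM = {'
            m = re.match(r"(\S+)\s*=\s*\{", line)
            in_target = bool(m) and m.group(1).upper() == realm.upper()
            continue
        if in_target and line == "}":
            in_target = False
            continue
        m = re.match(r"kdc\s*=\s*(\S+)", line) if in_target else None
        if m:
            transport, _, value = m.group(1).rpartition("/")   # '' when no prefix
            host, _, port = value.rpartition(":") if ":" in value else (value, "", "")
            entries.append((transport.lower() or "any", host, int(port or DEFAULT_KDC_PORT)))
    return entries

def kdc_tcp_reachable(host, port, timeout=3.0):
    """TCP connect probe: False if the name does not resolve or nothing listens there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run kdc_tcp_reachable over every entry returned by parse_kdc_entries: a bare container id such as d4dc7089282c fails at name resolution rather than at the network, which is the case the /etc/hosts entries in the question were meant to cover.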