
openldap + kerberos - unable to reach any KDC in realm


I have an LDAP server + Kerberos setup in a CentOS VM (running using a boot2docker VM), and I am trying to use them for my web application authentication (from the host, my MacBook).

For authentication, I need to use the "GSSAPI" mechanism, not the simple bind. 'Simple bind' is working perfectly, but the "GSSAPI"-based approach is not working.

I am getting the following error whenever I try the "ldapwhoami" command (I ran 'kinit' before running ldapwhoami to make sure I have a valid Kerberos TGT):

ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text (unable to reach any KDC in realm DEV.EXAMPLE.COM, tried 1 KDC)

Please note that the LDAP server and the Kerberos server side are working perfectly, meaning I tested them with things like "ldapsearch" and "ldapwhoami" in the CentOS VM where I have my LDAP server + Kerberos setup, and it is working fine. I am able to see proper output from them.

I am getting the above error only when I try the same command from my laptop (client).

Note: I even created a host principal (host/mymacbook.dev@DEV.EXAMPLE.COM) from my laptop and added it to my local krb5.keytab file using 'kadmin'.

Below are my client side configurations:

/etc/krb5.conf file on the client (MacBook):

[libdefaults]
  default_realm    = DEV.EXAMPLE.COM
  ticket_lifetime  = 24000
  dns_lookup_realm = false
  dns_lookup_kdc   = false

[realms]
  DEV.EXAMPLE.COM = {
    kdc = d4dc7089282c
    admin_server = krb.example.com
  }

[domain_realm]
  .dev.example.com = DEV.EXAMPLE.COM
  dev.example.com = DEV.EXAMPLE.COM
  .example.com = DEV.EXAMPLE.COM
  example.com = DEV.EXAMPLE.COM

[appdefaults]
  pam = {
    debug           = false
    ticket_lifetime = 36000
    renew_lifetime  = 36000
    forwardable     = true
    krb4_convert    = false
  }

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log

/etc/hosts file on the client (MacBook):

127.0.0.1       localhost
192.168.59.3    mymacbook.dev
255.255.255.255 broadcasthost
::1             localhost


192.168.59.103  ldapserver.example.com
192.168.59.103  d4dc7089282c
192.168.59.103  krb.example.com

192.168.59.103 is my boot2docker VM IP, and I am doing port forwarding from the boot2docker VM to the Docker image on all the default ports related to LDAP and Kerberos (88, 389, 464 & 749).

Any idea why I am getting this error?

ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text (unable to reach any KDC in realm DEV.EXAMPLE.COM, tried 1 KDC)

Is it related to DNS or something else? Any suggestions?


Solution

You need multiple things to get a containerized KDC reachable from the outside.

Let's assume you are using port 88, as that is the default, and let's also assume your image is called docker-kdc.

1. Make sure your port 88 is exposed.

    EXPOSE 88

2. Make sure your KDC daemon listens on that port. For the sake of this example, I am simply using the KDC as an entrypoint; you should be able to extrapolate if that doesn't apply to your specific example.

    ENTRYPOINT ["/usr/lib/heimdal-servers/kdc", "--config-file=/etc/heimdal-kdc/kdc.conf", "-P", "88"]

3. When running the container, I am using port forwarding towards 48088. Note that the KDC uses both TCP and UDP.

    docker run -d -h kdc --name kdc -p 48088:88/udp -p 48088:88 docker-kdc

From this point on, your KDC should be reachable from within the host system.

=== OSX Only ===

4. Now, given that you are using OSX (boot2docker -> VirtualBox), you will also need to set up port forwarding towards your OSX environment.

    VBoxManage controlvm boot2docker-vm natpf1 "48088/tcp,tcp,127.0.0.1,48088,,48088"
    VBoxManage controlvm boot2docker-vm natpf1 "48088/udp,udp,127.0.0.1,48088,,48088"

5. Get the IP address of your Docker container if needed.

    • When using plain Docker (on Linux), you can simply use the loopback 127.0.0.1.
    • When using boot2docker (on OSX), you will get that using: boot2docker ip

6. Prepare a minimal krb5.conf that makes use of the KDC. For the sake of this example, I am using a realm called EXAMPLE.COM on the domain example.com. Note that you will have to replace IP with the result of step 5.

    [libdefaults]
        default_realm = EXAMPLE.COM
        noaddresses = true

    [realms]
        EXAMPLE.COM = {
                kdc = IP:48088
                admin_server = IP:48088
        }

    [domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM

7. Now go ahead and test that configuration.

    export KRB5_CONFIG=PATH_TO_THE_KRB5.CONF_FILE_FROM_STEP_6
    kinit test/foo.example.com@EXAMPLE.COM

Since I had to do this for a project of mine, I packed it all into a little script that might be helpful for your further research: https://github.com/tillt/docker-kdc
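As an added diagnostic (not part of the question or the answer above), the following Python script works out which ip:port a Kerberos client will actually contact for a realm: it parses the `[realms]` section of a krb5.conf (defaulting to port 88 when `kdc =` carries no `:port` suffix, as in the asker's file), resolves the KDC name through an /etc/hosts-style table, and offers a live TCP probe of that endpoint. The sample krb5.conf and hosts text are constructed from the question's client-side files; the UDP side of the mapping cannot be verified by a connect() and must still be forwarded as the answer notes.

```python
import re
import socket

DEFAULT_KDC_PORT = 88  # used when a kdc= value carries no :port suffix

def parse_realms(krb5_conf):
    """Return {REALM: [(host, port), ...]} from the [realms] section."""
    realms, realm, in_realms = {}, None, False
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments/blank
        if line.startswith("["):                      # section header
            in_realms = line.lower() == "[realms]"
        elif in_realms and line.endswith("{"):        # "REALM = {"
            realm = line.split("=", 1)[0].strip()
            realms.setdefault(realm, [])
        elif in_realms and line == "}":
            realm = None
        elif realm and (m := re.match(r"kdc\s*=\s*(\S+)", line)):
            host, sep, port = m.group(1).rpartition(":")
            if not sep:                               # bare hostname: port 88
                host, port = port, DEFAULT_KDC_PORT
            realms[realm].append((host, int(port)))
    return realms

def parse_hosts(hosts_text):
    """Return {name: ip} from /etc/hosts-style text (first mapping wins)."""
    table = {}
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name, fields[0])
    return table

def kdc_endpoints(krb5_conf, hosts_text, realm):
    """(ip, port) pairs the client will contact for the realm."""
    table = parse_hosts(hosts_text)
    return [(table.get(host, host), port)
            for host, port in parse_realms(krb5_conf).get(realm, [])]

def tcp_reachable(ip, port, timeout=2.0):
    """Live check: TCP connect to the KDC (UDP on the same port is not covered)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample input mirroring the question's client-side files.
SAMPLE_KRB5 = ("[libdefaults]\n default_realm = DEV.EXAMPLE.COM\n[realms]\n"
               " DEV.EXAMPLE.COM = {\n  kdc = d4dc7089282c\n  admin_server = krb.example.com\n }\n")
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.168.59.103 ldapserver.example.com\n192.168.59.103 d4dc7089282c\n"

if __name__ == "__main__":
    for ip, port in kdc_endpoints(SAMPLE_KRB5, SAMPLE_HOSTS, "DEV.EXAMPLE.COM"):
        print(f"{ip}:{port} tcp reachable: {tcp_reachable(ip, port)}")
```

Run against the real files (`open("/etc/krb5.conf").read()`, `open("/etc/hosts").read()`) a `False` from the probe on the printed endpoint is the client-side view of the "unable to reach any KDC" error: the library is trying an address or port that nothing is forwarded to.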