I have a ldap server + kerberos setup in a centos vm (running using boot2docker vm) And i am trying to use them for my web application authentication (from host - my macbook).
For authentication, i need to use the "GSSAPI" mechanism, not the simple bind. 'simple bind' is working perfectly, but the "GSSAPI" based approach is not working.
I am getting the following error whenever i try the "ldapwhoami" command (i ran 'kinit' before running ldapwhoami to make sure i have valid kerberos TGT)
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (unable to reach any KDC in realm DEV.EXAMPLE.COM, tried 1 KDC)
Please note that the LDAP server and the kerberos server side is working perfectly, means i tested them with things like "ldapsearch", "ldapwhoami" in the centos VM where i have my ldap server + kerberos setup, Its working fine. I am able to see proper output for them.
I am getting errors (above error) only when i try the same command from my laptop (client).
Note: even i created host principal (host/mymacbook.dev@DEV.EXAMPLE.COM) from my laptop and added it to my local krb5.keytab file using 'kadmin'.
Below are my client side configurations:
/etc/krb5.conf file in Client (macbook):
[libdefaults]
default_realm = DEV.EXAMPLE.COM
ticket_lifetime = 24000
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DEV.EXAMPLE.COM = {
kdc = d4dc7089282c
admin_server = krb.example.com
}
[domain_realm]
.dev.example.com = DEV.EXAMPLE.COM
dev.example.com = DEV.EXAMPLE.COM
.example.com = DEV.EXAMPLE.COM
example.com = DEV.EXAMPLE.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
/etc/hosts file in Client (macbook):
127.0.0.1 localhost
192.168.59.3 mymacbook.dev
255.255.255.255 broadcasthost
::1 localhost
192.168.59.103 ldapserver.example.com
192.168.59.103 d4dc7089282c
192.168.59.103 krb.example.com
192.168.59.103 is my boot2docker vm ip, and i am doing port forwarding from boot2docker vm to docker image on all the default ports related to LDAP and kerberos ( 88, 389, 464 & 749)
Any idea why i am getting this error?
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (unable to reach any KDC in realm DEV.EXAMPLE.COM, tried 1 KDC)
is it related to DNS or something else? any suggestions?
You need multiple things to get a containerized KDC being reachable from the outside.
Lets assume you are using port 88 as that is the default and lets also assume your image was called docker-kdc.
EXPOSE 88
ENTRYPOINT ["/usr/lib/heimdal-servers/kdc", "--config-file=/etc/heimdal-kdc/kdc.conf", "-P 88"]
docker run -d -h kdc --name kdc -p 48088:88/udp -p 48088:88 docker-kdc
From this point on, your KDC should be reachable from within the host system.
=== OSX Only ===
VBoxManage controlvm boot2docker-vm natpf1 "48088/tcp,tcp,127.0.0.1,48088,,48088"
VBoxManage controlvm boot2docker-vm natpf1 "48088/udp,udp,127.0.0.1,48088,,48088"
Get the IP address of your docker container if needed.
When using plain docker (on linux), you can simply use the loopback 127.0.0.1
.
When using boot2docker (on OSX), you will get that using: boot2docker ip
Prepare a minimal krb5.conf that makes use of the KDC. For the sake of this example, I am using a realm called EXAMPLE.COM on the domain example.com. Note that you will have to replace IP with the result of step 5.
[libdefaults]
default_realm = EXAMPLE.COM noaddresses = true
[realms]
EXAMPLE.COM = { kdc = IP:48088 admin_server = IP:48088 }
[domain_realm]
example.com = EXAMPLE.COM .example.com = EXAMPLE.COM
export KRB5_CONF=PATH_TO_THE_KRB5.CONF_FILE_FROM_STEP_6
kinit test/foo.example.com@EXAMPLE.COM
Since I had to do this for a project of mine, I packed it all into some little script that might be helpful for your further research; https://github.com/tillt/docker-kdc