openldap + kerberos - unable to reach any KDC in realm


I have an LDAP server + Kerberos setup in a CentOS VM (running under a boot2docker VM), and I am trying to use them for my web application authentication (from the host, my MacBook).

For authentication, I need to use the "GSSAPI" mechanism, not the simple bind. 'simple bind' is working perfectly, but the "GSSAPI"-based approach is not working.

I am getting the following error whenever I try the "ldapwhoami" command (I ran 'kinit' before running ldapwhoami to make sure I have a valid Kerberos TGT):

ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text (unable to reach any KDC in realm DEV.EXAMPLE.COM, tried 1 KDC)

Please note that the LDAP server and the Kerberos server side are working perfectly, meaning I tested them with things like "ldapsearch" and "ldapwhoami" in the CentOS VM where I have my LDAP server + Kerberos setup, and it's working fine. I am able to see proper output for them.

I am getting errors (the above error) only when I try the same command from my laptop (client).

Note: I even created a host principal (host/[email protected]) from my laptop and added it to my local krb5.keytab file using 'kadmin'.

Below are my client-side configurations:

/etc/krb5.conf file in the client (MacBook):

[libdefaults]
  default_realm    = DEV.EXAMPLE.COM
  ticket_lifetime  = 24000
  dns_lookup_realm = false
  dns_lookup_kdc   = false

[realms]
  DEV.EXAMPLE.COM = {
    kdc = d4dc7089282c
    admin_server = krb.example.com
  }

[domain_realm]
  .dev.example.com = DEV.EXAMPLE.COM
  dev.example.com = DEV.EXAMPLE.COM
  .example.com = DEV.EXAMPLE.COM
  example.com = DEV.EXAMPLE.COM

[appdefaults]
  pam = {
    debug           = false
    ticket_lifetime = 36000
    renew_lifetime  = 36000
    forwardable     = true
    krb4_convert    = false
  }

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log

/etc/hosts file in the client (MacBook):

127.0.0.1       localhost
192.168.59.3    mymacbook.dev
255.255.255.255 broadcasthost
::1             localhost


192.168.59.103  ldapserver.example.com
192.168.59.103  d4dc7089282c
192.168.59.103  krb.example.com

192.168.59.103 is my boot2docker VM IP, and I am doing port forwarding from the boot2docker VM to the Docker image on all the default ports related to LDAP and Kerberos (88, 389, 464 & 749).

Any idea why I am getting this error?

ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text (unable to reach any KDC in realm DEV.EXAMPLE.COM, tried 1 KDC)

Is it related to DNS or something else? Any suggestions?

There are 3 answers

Till On BEST ANSWER

You need multiple things to get a containerized KDC reachable from the outside.

Let's assume you are using port 88, as that is the default, and let's also assume your image was called docker-kdc.

  1. Make sure your port 88 is exposed.

EXPOSE 88

  2. Make sure your KDC daemon listens on that port. For the sake of this example, I am simply using the KDC as an entrypoint; you should be able to extrapolate if that doesn't apply to your specific example.

ENTRYPOINT ["/usr/lib/heimdal-servers/kdc", "--config-file=/etc/heimdal-kdc/kdc.conf", "-P 88"]

  3. When running the container, I am using port forwarding towards 48088. Note that the KDC uses both TCP and UDP.

docker run -d -h kdc --name kdc -p 48088:88/udp -p 48088:88 docker-kdc

From this point on, your KDC should be reachable from within the host system.


=== OSX Only ===

  4. Now, given that you are using OSX (boot2docker -> VirtualBox), you will also need to set up port forwarding towards your OSX environment.

VBoxManage controlvm boot2docker-vm natpf1 "48088/tcp,tcp,127.0.0.1,48088,,48088"

VBoxManage controlvm boot2docker-vm natpf1 "48088/udp,udp,127.0.0.1,48088,,48088"


  5. Get the IP address of your docker container if needed.

    • When using plain docker (on Linux), you can simply use the loopback 127.0.0.1.

    • When using boot2docker (on OSX), you will get it using: boot2docker ip

  6. Prepare a minimal krb5.conf that makes use of the KDC. For the sake of this example, I am using a realm called EXAMPLE.COM on the domain example.com. Note that you will have to replace IP with the result of step 5.

[libdefaults]

    default_realm = EXAMPLE.COM
    noaddresses = true

[realms]

    EXAMPLE.COM = {
            kdc = IP:48088
            admin_server = IP:48088
    }

[domain_realm]

    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM

  7. Now go ahead and test that configuration. (The variable the Kerberos libraries read is KRB5_CONFIG.)

export KRB5_CONFIG=PATH_TO_THE_KRB5.CONF_FILE_FROM_STEP_6

kinit test/[email protected]

Since I had to do this for a project of mine, I packed it all into a little script that might be helpful for your further research: https://github.com/tillt/docker-kdc

somepal On

Ensure that the krb5.conf file is in the /etc directory. I had the same issue and had no firewall issues, but was still getting the same error. Finally, I was able to fix the issue by moving the krb5.conf file to the /etc directory.

Jens Timmerman On

On MacOS the default client does not fall back to TCP. In your krb5.conf, prefix your kdc with tcp/ to force the client to use TCP if your network blocks UDP traffic (as some network admins might do).

kdc = tcp/ds01.int.domain.com:88
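A client-side check that ties the accepted answer and the last answer together, written for this page as an added example (it is not code from the question, from any of the answers, or from the docker-kdc project). It lists the KDC endpoints a client will try for a realm from the kdc= lines of a krb5.conf, honouring the host:port form used in the accepted answer and the tcp/ transport prefix from the last answer (Heimdal, which macOS ships, accepts tcp/ and udp/ prefixes; the port defaults to 88), can rewrite a config to force tcp/, and can TCP-probe an endpoint. SAMPLE_CONF is constructed data modelled on the question's configuration; its hostnames are not expected to resolve, and the function and class names are my own.

```python
"""Which KDC endpoints will a Kerberos client actually try for a realm?

Added example, not code from the question or any answer.  It parses the
[realms] section of a krb5.conf the way a client does ("[transport/]host[:port]";
Heimdal accepts a tcp/ or udp/ prefix; port defaults to 88), can rewrite the
file to force TCP, and can TCP-probe an endpoint.  SAMPLE_CONF is constructed.
"""
import re
import socket
from dataclasses import dataclass

DEFAULT_KDC_PORT = 88
TRANSPORT_PREFIXES = ("tcp/", "udp/", "http/")

# Constructed sample: first realm mirrors the question (container ID as KDC host,
# no port, no transport); the second exercises the other value forms.
SAMPLE_CONF = """\
[realms]
  DEV.EXAMPLE.COM = {
    kdc = d4dc7089282c
    admin_server = krb.example.com
  }
  EXAMPLE.COM = {
    kdc = tcp/kdc.example.com:48088
    kdc = [::1]:48088
  }
"""

@dataclass(frozen=True)
class KdcEndpoint:
    transport: str  # "tcp", "udp", "http", or "any" (client chooses; UDP first)
    host: str
    port: int

def parse_realms(conf_text):
    """Return {REALM: [raw kdc= values, in file order]} from [realms]."""
    realms, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        sect = re.match(r"^\[(\w+)\]$", line)
        if sect:                                  # a new [section]
            section, realm = sect.group(1).lower(), None
        elif section != "realms":
            continue
        elif re.match(r"^[^\s=]+\s*=\s*\{$", line):   # REALM = {
            realm = line.split("=")[0].strip()
            realms.setdefault(realm, [])
        elif line == "}":
            realm = None
        elif realm is not None:
            key, _, value = line.partition("=")
            if key.strip().lower() == "kdc":
                realms[realm].append(value.strip())
    return realms

def parse_kdc_value(value):
    """Split "[transport/]host[:port]" (IPv6 host in brackets) into an endpoint."""
    transport = "any"
    for prefix in TRANSPORT_PREFIXES:
        if value.lower().startswith(prefix):
            transport, value = prefix[:-1], value[len(prefix):]
            break
    host, port = value, DEFAULT_KDC_PORT
    if value.startswith("["):                     # [::1]:88
        host, _, rest = value[1:].partition("]")
        if rest.startswith(":"):
            port = int(rest[1:])
    elif value.count(":") == 1:                   # host:88
        host, port_text = value.split(":")
        port = int(port_text)
    return KdcEndpoint(transport, host, port)

def kdc_endpoints(conf_text, realm):
    """Endpoints the client would try for `realm`, in configured order."""
    return [parse_kdc_value(v) for v in parse_realms(conf_text).get(realm, [])]

def force_tcp(conf_text):
    """Prefix every un-prefixed kdc= value in [realms] with tcp/ (the last answer's fix)."""
    out, section = [], None
    for raw in conf_text.splitlines():
        sect = re.match(r"^\[(\w+)\]$", raw.strip())
        if sect:
            section = sect.group(1).lower()
        elif section == "realms":
            kdc = re.match(r"^(\s*kdc\s*=\s*)(\S+)(.*)$", raw)
            if kdc and not kdc.group(2).lower().startswith(TRANSPORT_PREFIXES):
                raw = f"{kdc.group(1)}tcp/{kdc.group(2)}{kdc.group(3)}"
        out.append(raw)
    return "\n".join(out) + ("\n" if conf_text.endswith("\n") else "")

def probe_tcp(endpoint, timeout=2.0):
    """True if TCP host:port opens, i.e. the VirtualBox NAT + docker -p chain
    carries TCP.  If this passes and kinit still fails, suspect the UDP leg."""
    try:
        with socket.create_connection((endpoint.host, endpoint.port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run kdc_endpoints(open("/etc/krb5.conf").read(), "DEV.EXAMPLE.COM") and call probe_tcp() on each result. A successful TCP connect shows the VirtualBox NAT rule and the docker -p mapping carry TCP to the KDC; if that passes while kinit still reports "unable to reach any KDC", the UDP leg (the /udp mappings in both docker run and VBoxManage) is the first thing to check, or write force_tcp(text) back to the config as the last answer suggests. Note that dns_lookup_kdc = false only disables the SRV-record lookup: the kdc host is still resolved through the normal resolver (/etc/hosts and A records), which is why the container ID used as the kdc name in the question has to appear in /etc/hosts. The script only answers the "is the KDC reachable" half of the problem; it says nothing about principals or keytabs.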