I have an LDAP server + Kerberos setup in a CentOS VM (running using the boot2docker VM), and I am trying to use them for my web application authentication (from the host, my MacBook).
For authentication, I need to use the "GSSAPI" mechanism, not the simple bind. 'Simple bind' is working perfectly, but the "GSSAPI" based approach is not working.
I am getting the following error whenever I try the "ldapwhoami" command (I ran 'kinit' before running ldapwhoami to make sure I have a valid Kerberos TGT):
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (unable to reach any KDC in realm DEV.EXAMPLE.COM, tried 1 KDC)
Please note that the LDAP server and the Kerberos server side are working perfectly, meaning I tested them with things like "ldapsearch" and "ldapwhoami" in the CentOS VM where I have my LDAP server + Kerberos setup, and it is working fine. I am able to see proper output for them.
I am getting errors (the above error) only when I try the same command from my laptop (client).
Note: I even created a host principal (host/[email protected]) from my laptop and added it to my local krb5.keytab file using 'kadmin'.
Below are my client side configurations:
/etc/krb5.conf file in Client (macbook):
[libdefaults]
default_realm = DEV.EXAMPLE.COM
ticket_lifetime = 24000
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DEV.EXAMPLE.COM = {
kdc = d4dc7089282c
admin_server = krb.example.com
}
[domain_realm]
.dev.example.com = DEV.EXAMPLE.COM
dev.example.com = DEV.EXAMPLE.COM
.example.com = DEV.EXAMPLE.COM
example.com = DEV.EXAMPLE.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
/etc/hosts file in Client (macbook):
127.0.0.1 localhost
192.168.59.3 mymacbook.dev
255.255.255.255 broadcasthost
::1 localhost
192.168.59.103 ldapserver.example.com
192.168.59.103 d4dc7089282c
192.168.59.103 krb.example.com
192.168.59.103 is my boot2docker VM IP, and I am doing port forwarding from the boot2docker VM to the docker image on all the default ports related to LDAP and Kerberos (88, 389, 464 & 749).
Any idea why I am getting this error? Is it related to DNS or something else? Any suggestions?
On macOS the default client does not fall back to TCP.
In your krb5.conf, prefix your kdc with tcp/
to force the client to use TCP if your network blocks UDP traffic (as some network admins might do).
kdc = tcp/ds01.int.domain.com:88
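As an added example (not part of the question or the answer above), the following Python script parses the [realms] section of a krb5.conf, splits each kdc value into transport, host and port, and reports realms whose KDC entries leave the transport at the default, so they would rely on the UDP-first behaviour the answer describes. The two configs inside it are constructed from the question's realm block (one as posted, one with the tcp/ prefix applied); the tcp_reachable helper is a plain socket connect used to confirm port 88 answers over TCP, not an MIT Kerberos API.

```python
"""Parse krb5.conf [realms] kdc entries and flag realms with no TCP KDC.

Added example, not code from the original post. The configs below are
constructed from the question's realm block for demonstration.
"""
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

KDC_DEFAULT_PORT = 88

# kdc values look like: [tcp/|udp/]host[:port]  (IPv6 literals not handled here)
_KDC_RE = re.compile(r"^(?:(?P<transport>tcp|udp)/)?(?P<host>[^:]+)(?::(?P<port>\d+))?$")


@dataclass
class KdcEntry:
    realm: str
    transport: str  # "tcp", "udp", or "default" (client decides; MIT tries UDP first)
    host: str
    port: int


def parse_kdc_value(realm: str, value: str) -> KdcEntry:
    """Split a single kdc value into transport, host and port."""
    m = _KDC_RE.match(value.strip())
    if not m:
        raise ValueError(f"unparseable kdc value: {value!r}")
    port = int(m.group("port")) if m.group("port") else KDC_DEFAULT_PORT
    return KdcEntry(realm, m.group("transport") or "default", m.group("host"), port)


def parse_realms(conf_text: str) -> Dict[str, List[KdcEntry]]:
    """Return realm name -> list of kdc entries found under [realms]."""
    realms: Dict[str, List[KdcEntry]] = {}
    section: Optional[str] = None
    current_realm: Optional[str] = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            current_realm = None
            continue
        if section != "realms":
            continue
        if line.endswith("{"):  # e.g. "DEV.EXAMPLE.COM = {"
            current_realm = line[:-1].split("=")[0].strip()
            realms.setdefault(current_realm, [])
        elif line == "}":
            current_realm = None
        elif current_realm and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "kdc":
                realms[current_realm].append(parse_kdc_value(current_realm, value))
    return realms


def realms_without_tcp(realms: Dict[str, List[KdcEntry]]) -> List[str]:
    """Realms that list at least one KDC but none pinned to TCP."""
    return [r for r, entries in realms.items()
            if entries and not any(e.transport == "tcp" for e in entries)]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample: the realm block as posted in the question.
ORIGINAL_CONF = """[libdefaults]
 default_realm = DEV.EXAMPLE.COM
[realms]
 DEV.EXAMPLE.COM = {
  kdc = d4dc7089282c
  admin_server = krb.example.com
 }
"""

# Constructed sample: the same block with the tcp/ prefix the answer suggests.
FIXED_CONF = ORIGINAL_CONF.replace("kdc = d4dc7089282c", "kdc = tcp/d4dc7089282c:88")


if __name__ == "__main__":
    for label, conf in (("as posted", ORIGINAL_CONF), ("with tcp/", FIXED_CONF)):
        realms = parse_realms(conf)
        print(f"{label}: {realms}")
        print(f"  realms relying on default transport: {realms_without_tcp(realms)}")
        for entries in realms.values():
            for e in entries:
                print(f"  {e.host}:{e.port} tcp reachable? {tcp_reachable(e.host, e.port, 1.0)}")
```

Run it against the client's real /etc/krb5.conf (read the file into parse_realms) to see which realms would still be negotiated over UDP first; a False from tcp_reachable for a KDC that is listed with tcp/ points at the port forwarding rather than at the transport setting.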