openldap + kerberos - unable to reach any KDC in realm

heartpicker picture heartpicker · Nov 21, 2014 · Viewed 11.3k times · Source

I have a ldap server + kerberos setup in a centos vm (running using boot2docker vm) And i am trying to use them for my web application authentication (from host - my macbook).

For authentication, i need to use the "GSSAPI" mechanism, not the simple bind. 'simple bind' is working perfectly, but the "GSSAPI" based approach is not working.

I am getting the following error whenever i try the "ldapwhoami" command (i ran 'kinit' before running ldapwhoami to make sure i have valid kerberos TGT)

ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text (unable to reach any KDC in realm DEV.EXAMPLE.COM, tried 1 KDC)

Please note that the LDAP server and the kerberos server side is working perfectly, means i tested them with things like "ldapsearch", "ldapwhoami" in the centos VM where i have my ldap server + kerberos setup, Its working fine. I am able to see proper output for them.

I am getting errors (above error) only when i try the same command from my laptop (client).

Note: even i created host principal (host/[email protected]) from my laptop and added it to my local krb5.keytab file using 'kadmin'.

Below are my client side configurations:

/etc/krb5.conf file in Client (macbook):

[libdefaults]
  default_realm    = DEV.EXAMPLE.COM
  ticket_lifetime  = 24000
  dns_lookup_realm = false
  dns_lookup_kdc   = false

[realms]
  DEV.EXAMPLE.COM = {
    kdc = d4dc7089282c
    admin_server = krb.example.com
  }

[domain_realm]
  .dev.example.com = DEV.EXAMPLE.COM
  dev.example.com = DEV.EXAMPLE.COM
  .example.com = DEV.EXAMPLE.COM
  example.com = DEV.EXAMPLE.COM

[appdefaults]
  pam = {
    debug           = false
    ticket_lifetime = 36000
    renew_lifetime  = 36000
    forwardable     = true
    krb4_convert    = false
  }

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log

/etc/hosts file in Client (macbook):

127.0.0.1       localhost
192.168.59.3    mymacbook.dev
255.255.255.255 broadcasthost
::1             localhost


192.168.59.103  ldapserver.example.com
192.168.59.103  d4dc7089282c
192.168.59.103  krb.example.com

192.168.59.103 is my boot2docker vm ip, and i am doing port forwarding from boot2docker vm to docker image on all the default ports related to LDAP and kerberos ( 88, 389, 464 & 749)

Any idea why i am getting this error?

ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text (unable to reach any KDC in realm DEV.EXAMPLE.COM, tried 1 KDC)

is it related to DNS or something else? any suggestions?

Answer

Jens Timmerman picture Jens Timmerman · Feb 14, 2017

On MacOS the default client does not fall back to TCP. in your krb.conf prefix your kdc with tcp/ to force the client to use TCP if your network blocks UPD traffic (As some network admins might do).

kdc = tcp/ds01.int.domain.com:88