dlenski / vpn-slice

vpnc-script replacement for easy and secure split-tunnel VPN setup
GNU General Public License v3.0

Question (not bug): Kerberos SSO over VPN-Slice #135

Closed bivald closed 9 months ago

bivald commented 1 year ago

Hi,

First of all - thank you, VPN-Slice is very handy (and I would love to buy you a beer/donate a small amount if you would take it). Has anyone any experience with running Kerberos SSO over VPN-Slice? Kerberos is a little bit of a black box to me, but it looks like it uses SRV records to look things up. I've tried adding a lot of _kerberos._tcp.$real.com but to no avail; it also looks to be using UDP by default.

I'll keep digging and update this ticket if I find some way to make it happen :)

Regards, Niklas

bivald commented 1 year ago

As always, the hour after you wrote a ticket you figure something out. In my case, I solved it by figuring out all of the SRV records, using:

nslookup -type=SRV _kerberos._tcp.$realm.com

Then add those to vpn-slice, then I added a /etc/krb5.conf file and specified those hostnames instead of using DNS lookup.

Maybe this can help someone else :)

Offer for beer/donation still stands, but I need a way to send it (paypal?)
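The recipe above (resolve the realm's SRV records, route the returned KDC hostnames through vpn-slice, then pin those hosts in /etc/krb5.conf so no SRV lookup is needed at logon) can be scripted; this is an added example, not code from vpn-slice or from the comment author. It assumes the BIND-style `nslookup -type=SRV` output format, a constructed sample realm `example.com`, and that the Kerberos realm name is the upper-cased DNS domain. It also covers the `_udp` name, since Kerberos tries UDP first by default.

```python
import re
import subprocess

# Constructed sample of `nslookup -type=SRV _kerberos._tcp.example.com`
# output; the KDC names are placeholders, not from any real realm.
SAMPLE_NSLOOKUP = """\
Server:\t\t10.0.0.53
Address:\t10.0.0.53#53

Non-authoritative answer:
_kerberos._tcp.example.com\tservice = 0 100 88 kdc1.example.com.
_kerberos._tcp.example.com\tservice = 10 100 88 kdc2.example.com.
"""

# BIND nslookup prints SRV answers as: name  service = prio weight port target.
SRV_RE = re.compile(r"service = (\d+) (\d+) (\d+) (\S+?)\.?$", re.MULTILINE)


def parse_srv(nslookup_output):
    """Return (priority, weight, port, host) tuples, lowest priority first."""
    records = [(int(p), int(w), int(port), host)
               for p, w, port, host in SRV_RE.findall(nslookup_output)]
    return sorted(records)


def lookup_kdcs(realm):
    """Resolve both the TCP and UDP Kerberos SRV names (needs network access)."""
    records = []
    for proto in ("_tcp", "_udp"):
        out = subprocess.run(["nslookup", "-type=SRV", f"_kerberos.{proto}.{realm}"],
                             capture_output=True, text=True, check=False).stdout
        records.extend(parse_srv(out))
    return sorted(set(records))


def kdc_hosts(records):
    """De-duplicated KDC hostnames in priority order, for the vpn-slice command line."""
    hosts = []
    for _, _, _, host in records:
        if host not in hosts:
            hosts.append(host)
    return hosts


def vpn_slice_script(hosts, routes=()):
    """Value for openconnect's -s option: route only the KDCs plus any extra routes."""
    return " ".join(["vpn-slice", *hosts, *routes])


def krb5_realm_stanza(realm, records):
    """[realms] stanza that pins the KDCs by name so libkrb5 skips the SRV lookup."""
    lines = ["[realms]", f"  {realm.upper()} = {{"]
    lines += [f"    kdc = {host}:{port}" for _, _, port, host in records]
    lines.append("  }")
    return "\n".join(lines) + "\n"
```

Pair the generated stanza with `dns_lookup_kdc = false` under `[libdefaults]` so the client never falls back to SRV resolution for the realm.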

dlenski commented 1 year ago

As always, the hour after you wrote a ticket you figure something out. In my case, I solved it by figuring out all of the SRV records, using:

nslookup -type=SRV _kerberos._tcp.$realm.com

Then add those to vpn-slice, …

That is a really excellent finding, actually. :exploding_head:

Perhaps vpn-slice should have an --lookup-and-route-kerberos REALM option, to do this automatically?

If @bivald or anyone else is interested in working on a PR for it, I'd be delighted. :star_struck: