Open aitorpazos opened 3 years ago
Summary

Trying to integrate Vault with FreeIPA, I hit the issue with the vault client trying to get the keytab secret from kvno 0, but FreeIPA generates the keytab starting at kvno 1.

Steps to reproduce

1. Configure vault server following https://www.vaultproject.io/docs/auth/kerberos

2. Add service to IPA

```
$ ipa service-add test-svc/host1.example.com@EXAMPLE.COM
---------------------------------------------------------------------------------------------
Added service "test-svc/host1.example.com@EXAMPLE.COM"
---------------------------------------------------------------------------------------------
  Principal name: test-svc/host1.example.com@EXAMPLE.COM
  Principal alias: test-svc/host1.example.com@EXAMPLE.COM
  Managed by: host1.example.com
```

3. Generate keytab

```
$ ipa-getkeytab -p test-svc/host1.example.com -e aes256-cts-hmac-sha1-96 -k ./test-svc.keytab
Keytab successfully retrieved and stored in: ./test-svc.keytab
```

4. Check keytab file

```
$ klist -k test-svc.keytab
Keytab name: FILE:test-svc.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 test-svc/host1.example.com@EXAMPLE.COM
```

```
$ vault login -method=kerberos username=my-user service=test-svc/host1.example.com realm=EXAMPLE.COM keytab_path=test-svc.keytab krb5conf_path=/etc/krb5.conf disable_fast_negotiation=false
Error authenticating: couldn't log in: [Root cause: Encrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: issue with setting PAData on AS_REQ < Encrypting_Error: error getting key from credentials: matching key not found in keytab. Looking for [host host1.example.com] realm: EXAMPLE.COM kvno: 0 etype: 18
```

Looking at the code I found the kvno value hardcoded to 0 in v8/client/ASExchange.go, which is the code used by the vault client.

Otherwise the file looks good:

```
$ kvno -k test-svc.keytab test-svc/host1.example.com
test-svc/host1.example.com@EXAMPLE.COM: kvno = 1, keytab entry valid
```
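Added example, not gokrb5's or Vault's code: a standard-library Go program that parses the MIT 0x0502 keytab layout that `klist -k` reads above, hand-assembles a one-entry kvno-1 keytab like the one `ipa-getkeytab` produced (dummy all-zero key, constructed sample data), and runs the key lookup two ways: with the requested kvno required to match exactly, where asking for kvno 0 finds nothing in a kvno-1 keytab, and with kvno 0 read as "newest entry", where it does. The names `KeytabEntry`, `ParseKeytab`, `FindKey` and the `strictKVNO` flag are this example's own assumptions, not gokrb5 API.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
	"strings"
)

// KeytabEntry is one record of an MIT keytab file (format version 0x0502); name type and
// timestamp are parsed but not kept, as they play no part in key lookup.
type KeytabEntry struct {
	Principal string // components joined with "/", e.g. "test-svc/host1.example.com"
	Realm     string
	KVNO      uint32
	EType     uint16 // 18 = aes256-cts-hmac-sha1-96
	Key       []byte
}

// cur is a bounds-checked cursor over untrusted bytes: a read past the end panics with
// ErrUnexpectedEOF (recovered in ParseKeytab), so a bogus length never drives a large allocation.
type cur struct{ b []byte }

func (c *cur) take(n int) []byte {
	if n < 0 || n > len(c.b) {
		panic(io.ErrUnexpectedEOF)
	}
	v := c.b[:n]
	c.b = c.b[n:]
	return v
}
func (c *cur) u16() uint16     { return binary.BigEndian.Uint16(c.take(2)) }
func (c *cur) u32() uint32     { return binary.BigEndian.Uint32(c.take(4)) }
func (c *cur) counted() []byte { return c.take(int(c.u16())) } // uint16 length + bytes

// ParseKeytab decodes a keytab image into entries, the view klist -k prints.
// A negative entry size marks a deleted slot, which is skipped.
func ParseKeytab(data []byte) (entries []KeytabEntry, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("malformed keytab: %v", r)
		}
	}()
	if len(data) < 2 || data[0] != 0x05 || data[1] != 0x02 {
		return nil, fmt.Errorf("not a version 0x0502 keytab")
	}
	c := &cur{data[2:]}
	for len(c.b) > 0 {
		size := int32(c.u32())
		if size < 0 {
			c.take(int(-size))
			continue
		}
		e := &cur{c.take(int(size))}
		comps := make([]string, e.u16())
		ent := KeytabEntry{Realm: string(e.counted())}
		for i := range comps {
			comps[i] = string(e.counted())
		}
		ent.Principal = strings.Join(comps, "/")
		e.take(8)                                           // name type (4) and timestamp (4)
		ent.KVNO, ent.EType = uint32(e.take(1)[0]), e.u16() // 8-bit vno, then enctype
		ent.Key = e.counted()
		if len(e.b) >= 4 && binary.BigEndian.Uint32(e.b) != 0 { // trailing non-zero 32-bit vno wins
			ent.KVNO = e.u32()
		}
		entries = append(entries, ent)
	}
	return entries, nil
}

// FindKey returns the newest entry whose principal, realm and etype match, or nil. With strictKVNO
// the requested kvno must match exactly, so a hard-coded 0 never finds FreeIPA's kvno-1 entry;
// otherwise kvno 0 is taken to mean "newest".
func FindKey(entries []KeytabEntry, principal, realm string, kvno uint32, etype uint16, strictKVNO bool) *KeytabEntry {
	var best *KeytabEntry
	for i := range entries {
		e := &entries[i]
		if e.Principal == principal && e.Realm == realm && e.EType == etype &&
			(e.KVNO == kvno || (kvno == 0 && !strictKVNO)) && (best == nil || e.KVNO > best.KVNO) {
			best = e
		}
	}
	return best
}

// ConstructedKeytab hand-assembles the one-entry kvno-1 keytab from the report with a
// dummy all-zero key (constructed sample data, not a real key).
func ConstructedKeytab() []byte {
	be := binary.BigEndian
	rec := []byte{0, 2} // two principal components
	for _, s := range []string{"EXAMPLE.COM", "test-svc", "host1.example.com"} {
		rec = append(be.AppendUint16(rec, uint16(len(s))), s...)
	}
	rec = append(rec, 0, 0, 0, 1, 0x5f, 0x5e, 0x10, 0, 1, 0, 18) // name type 1, timestamp 1600000000, vno 1, etype 18
	rec = append(be.AppendUint16(rec, 32), make([]byte, 32)...)   // 32-byte dummy key
	rec = append(rec, 0, 0, 0, 1)                                 // 32-bit vno 1
	return append(be.AppendUint32([]byte{0x05, 0x02}, uint32(len(rec))), rec...)
}

func main() {
	entries, _ := ParseKeytab(ConstructedKeytab())
	fmt.Printf("%d entries; strict kvno-0 lookup found a key: %v\n", len(entries),
		FindKey(entries, "test-svc/host1.example.com", "EXAMPLE.COM", 0, 18, true) != nil)
}
```

The cursor panics on any length that runs past the buffer and `ParseKeytab` recovers that into an error, so a corrupt or hostile keytab cannot drive a large allocation from an untrusted length field. `FindKey` prefers the highest kvno when several entries match, which is how rotated keys coexist in one keytab; the strict branch reproduces the failure mode reported here, where the requested kvno is 0 and the file only holds kvno 1.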