Hi,
I’m trying the Kerberos auth method on a Vault cluster, based on MIT Kerberos and OpenLDAP. All configuration is done: service account, keytab, LDAP, but when I try a Kerberos login using:
VAULT_CAPATH=ca.pem vault login -address="https://vault03.example.com:30879" -method=kerberos username=sylvain service=HTTP/vault-svc realm=EXP.COM keytab_path=/etc/krb5.keytab krb5conf_path=/etc/krb5.conf disable_fast_negotiation=false
I get this error:
[INFO] auth.kerberos.auth_kerberos_74fb537b: 2a01:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:8080 - SPNEGO could not parse client address: invalid format of client address: address 2a01:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:8080: too many colons in address
auth.kerberos.auth_kerberos_74fb537b: 2a01:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:8080 - SPNEGO validation error: defective token detected: KRB Error: (38) KRB_AP_ERR_BADADDR Incorrect net address - client address not within the list contained in the service ticket
My servers are IPv6-only and all Kerberos exchanges are OK, so is it possible that the ‘[’ and ‘]’ are missing around the IPv6 address before the host:port splitting?
Regards,
Sylvain Girod
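
Added example (not part of the original post, and not code from Vault or its Kerberos plugin): the "too many colons in address" text in the log above is the error Go's `net.SplitHostPort` returns when an IPv6 address has a port appended without brackets. The sketch below reproduces that failure and shows a conservative recovery; `splitClientAddr` is a hypothetical helper and the addresses are constructed from documentation ranges.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// splitClientAddr (hypothetical helper) splits a remote address into host and
// port. repaired is true when an unbracketed IPv6 host had to be recovered.
func splitClientAddr(remote string) (host, port string, repaired bool, err error) {
	host, port, err = net.SplitHostPort(remote)
	if err == nil {
		return host, port, false, nil
	}
	// Recover only from the unbracketed form; anything with brackets is malformed.
	i := strings.LastIndex(remote, ":")
	if i < 0 || strings.ContainsAny(remote, "[]") {
		return "", "", false, err
	}
	h, p := remote[:i], remote[i+1:]
	ip := net.ParseIP(h)
	if ip == nil || ip.To4() != nil {
		return "", "", false, err
	}
	if _, perr := strconv.ParseUint(p, 10, 16); perr != nil {
		return "", "", false, err
	}
	// "2001:db8::1:8080" is itself a valid IPv6 address, so the port cannot be
	// told apart from the last group: refuse instead of guessing.
	if net.ParseIP(remote) != nil {
		return "", "", false, err
	}
	return h, p, true, nil
}

func main() {
	// Constructed sample addresses (documentation ranges).
	for _, a := range []string{
		"192.0.2.10:8080",
		"[2001:db8::1]:8080",
		"2001:db8:0:0:0:0:0:1:8080",
		"2001:db8::1:8080",
	} {
		h, p, fixed, err := splitClientAddr(a)
		fmt.Printf("%-28s host=%q port=%q repaired=%v err=%v\n", a, h, p, fixed, err)
	}
}
```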