Hi!
I am trying to set up the Kerberos auth method for Vault for an internal service. Currently we use LDAP for authentication, and I followed the steps in: Kerberos - Auth Methods | Vault | HashiCorp Developer
vault write auth/kerberos/config/ldap \
    url="ldaps://ldap.corp.example.com" \
    binddn="uid=vault_ldap,cn=users,cn=accounts,dc=corp,dc=example,dc=com" \
    bindpass="<bind_pass>" \
    userdn="cn=users,cn=accounts,dc=corp,dc=example,dc=com" \
    userattr="uid" \
    groupdn="cn=groups,cn=accounts,dc=corp,dc=example,dc=com" \
    upndomain="" \
    groupfilter="(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))" \
    groupattr="cn" \
    userfilter="(uid={{.Username}})"
vault write auth/kerberos/groups/infrastructure policies=default,list-everything,admin-tasks,eng-dirs,infrastructure-dirs
I created a basic Python script to test if it would authenticate:
import requests
from requests_kerberos import HTTPKerberosAuth, DISABLED


def main():
    VAULT_ADDR = "https://vault.corp.example.com:8200"
    KERBEROS_LOGIN_URL = f"{VAULT_ADDR}/v1/auth/kerberos/login"
    # I have a valid Kerberos ticket in my environment
    # mutual_authentication takes the module constants (DISABLED / OPTIONAL / REQUIRED)
    kerberos_auth = HTTPKerberosAuth(mutual_authentication=DISABLED)  # also tried with ENABLED and OPTIONAL options
    print(kerberos_auth)
    # The auth handler performs the SPNEGO negotiation; Vault answers the login with a token on success
    response = requests.post(KERBEROS_LOGIN_URL, auth=kerberos_auth, verify='/etc/ssl/certs/ca-bundle.crt')
    print(response)
    if response.ok:
        # Extract the token from the response
        vault_token = response.json()["auth"]["client_token"]
        print("Vault Token:", vault_token)
    else:
        print("Failed to authenticate with Vault:", response.text)


if __name__ == "__main__":
    main()
Output is:
<requests_kerberos.kerberos_.HTTPKerberosAuth object at 0x7fde8567cdc0>
<Response [400]>
Failed to authenticate with Vault: {"errors":["auth methods cannot create root tokens"]}
Does anyone know where I am going wrong?
Here are the vault logs:
e67c03: 10.20.x.x:8080 user@CORP.example.COM - SPNEGO authentication succeeded
Feb 06 13:04:22 vault.corp.example.com vault[21183]: 2024-02-06T13:04:22.950+0100 [WARN] auth.kerberos.auth_kerberos_33e67c03: unable to find vpnuser, does not currently exist
Feb 06 13:04:22 vault.corp.example.com vault[21183]: 2024-02-06T13:04:22.950+0100 [WARN] auth.kerberos.auth_kerberos_33e67c03: unable to find ipausers, does not currently exist
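A diagnostic added here (not part of the post and not the Vault plugin's own code): it pulls the group names out of the `unable to find ..., does not currently exist` warnings and runs them through a simplified model of the group-to-policy mapping, so you can see what policy set a user whose only LDAP groups are `vpnuser` and `ipausers` ends up with when the sole configured mapping is `infrastructure`. The mapping model is an assumption about how the backend resolves policies, and the sample log lines are constructed.

```python
import re
from typing import Dict, List, Tuple

# Vault-side mappings, one entry per `vault write auth/kerberos/groups/<name> policies=...`
# (the single mapping shown in the post).
CONFIGURED_GROUPS: Dict[str, List[str]] = {
    "infrastructure": ["default", "list-everything", "admin-tasks",
                       "eng-dirs", "infrastructure-dirs"],
}

# Constructed sample, modelled on the WARN lines in the post (not copied from a live server).
SAMPLE_LOGS = """\
2024-02-06T13:04:22.950+0100 [WARN] auth.kerberos.auth_kerberos_33e67c03: unable to find vpnuser, does not currently exist
2024-02-06T13:04:22.950+0100 [WARN] auth.kerberos.auth_kerberos_33e67c03: unable to find ipausers, does not currently exist
"""

UNMAPPED_RE = re.compile(r"unable to find (?P<group>\S+), does not currently exist")


def unmapped_groups_from_logs(log_text: str) -> List[str]:
    """LDAP groups the backend warned about; each lacks an auth/kerberos/groups/<name> entry."""
    return [m.group("group") for line in log_text.splitlines()
            if (m := UNMAPPED_RE.search(line))]


def resolve_policies(ldap_groups: List[str],
                     configured: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Simplified model of the group-to-policy step (an assumption, not the plugin's code):
    each of the user's LDAP groups is looked up by name among the configured Vault groups
    and the policies of all matches are unioned. Returns (sorted policies, unmatched groups)."""
    policies, unmapped = set(), []
    for group in ldap_groups:
        if group in configured:
            policies.update(configured[group])
        else:
            unmapped.append(group)
    return sorted(policies), unmapped


def check_login(ldap_groups: List[str], configured: Dict[str, List[str]]) -> str:
    """Verdict for one login; a result with zero policies is the case worth catching."""
    policies, unmapped = resolve_policies(ldap_groups, configured)
    if not policies:
        return ("REJECTED: none of the user's LDAP groups (%s) has a Vault group mapping, "
                "so the login resolves to zero policies" % ", ".join(unmapped))
    return "OK: policies=%s (unmapped groups ignored: %s)" % (policies, unmapped)
```

Feed it the group names from your own Vault log and the mappings from `vault list auth/kerberos/groups` to see whether any of the user's groups contributes a policy.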