MIT Kerberos Auth Example

I have successfully enabled LDAP authentication with Vault. We are getting the correct roles based on LDAP group membership. I am trying to get the Kerberos authentication plugin working, but the documentation is quite AD specific and I am in a pure Linux environment using generic MIT Krb5. I have set up many services to use GSSAPI authentication and have no issue with service accounts and keytabs. What is confusing is (1) what the Vault service account that should be created is (vault, vault.service.consul or HTTP/vault.service.consul). (2) We have no Kerberos specific attributes in our current LDAP schema. All users have entries as uid=USER,ou=people,dc=example,dc=com and all of the Kerberos principals are the same as their uid. This is a pretty standard mapping for many of our apps that strip off the REALM and use the principal as the username. Does anyone have a working example of setting up Vault Kerberos auth using MIT KRB5? I have tried many iterations of vault write auth/kerberos/config/ldap and vault login -method=kerberos using a valid production account keytab that works for other GSSAPI apps. Any and all help is greatly appreciated.
Here is some info about my setup:

KRB5 REALM = EXAMPLE.COM

vault server is addressed as vault.service.consul

principal for the production user is dilbert@EXAMPLE.com

LDAP entry for dilbert is:

# dilbert, people, example.com
dn: uid=dilbert,ou=people,dc=example,dc=com
cn: dilbert
objectClass: top
objectClass: posixAccount
uid: dilbert
gecos: Dil Bert
uidNumber: 2048
homeDirectory: /home/dilbert
gidNumber: 2048
loginShell: /bin/bash

I just got this working with AD, so may or may not be helpful to you.

  1. I added “HTTP/my-vault.example.org:8200” as a servicePrincipalName in AD and then used that in the keytab and as the “service” parameter in the “vault login” command. However, it seems like Vault always uses as the service principal whatever you pass as “service” in “vault login”… so I think that you can make it whatever you want as long as it’s consistent throughout. Vault doesn’t seem to automatically construct the service principal like most clients do, but TBH letting us override it is handy for me.

BTW, the docs are extremely bad at using the same service principal in different examples. Different service principals/names are used at different points. I don’t think you could get a server working with the provided examples.

  2. You don’t need any Kerberos attributes in your LDAP schema. Vault doesn’t seem to use them as far as I can tell. I just set up my Kerberos LDAP the same as my LDAP and it worked. What I think happens is that the Kerberos auth method takes the primary or username part in the authenticating ticket and does a search in LDAP with that (filtering on the attribute configured as “userattr”) to get additional info like groups.

Two things I got tripped up by when setting mine up.

A) The docs say to use a kvno of “1” when creating the keytab. But my service principal had a different kvno… so I had to look it up and use the correct one instead. You do get an error message in the server logs when this is an issue.

B) The golang kerberos library does not correctly choose the right secret from a keytab when multiple versions are present. So I had a keytab on the client side that had 3 different secret versions for the principal and vault was always trying to use the first one it found. This has just been fixed (https://github.com/jcmturner/gokrb5/releases/tag/v8.4.1) but someone probably needs to create a ticket to ask Vault to update their dependencies.

In the meantime a workaround is to make sure your client side keytab only contains one version of the secret.

C) Vault agent doesn’t actually support the disable_fast_negotiation parameter for kerberos. The vault login command does though. I opened a ticket and PR for this.

D) Vault server doesn’t support Identity Group mappings for Kerberos. You have to use the LDAP based group policy mappings. I opened a ticket and PR for this too.
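Points A and B above both come down to what is actually inside the keytab Vault's client reads. As an added example (not code from this thread, from Vault or from gokrb5), here is a small Python reader for MIT keytab files (format version 0x0502) that lists principal, kvno and enctype for every entry and flags principals carrying more than one key version, the client-side condition described in point B. The sample keytab is constructed inline with a helper that writes the same format, so it runs offline; `build_keytab` is only for producing that sample, real keytabs come from kadmin or ktutil.

```python
import struct
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",          # RFC 3961/3962
            19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192", 23: "rc4-hmac"}
_counted = lambda b: struct.pack(">H", len(b)) + b   # keytab counted octet string: uint16 len + bytes

def build_keytab(entries):
    # Serialise (principal, kvno, enctype, key) tuples in keytab format 0x0502 (sample data only)
    out = b"\x05\x02"
    for princ, kvno, etype, key in entries:
        name, realm = princ.split("@"); comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, 8-bit vno
        body += struct.pack(">H", etype) + _counted(key)  # keyblock
        body += struct.pack(">I", kvno)                   # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    # Return [(principal, kvno, enctype_name), ...] for every live entry in the keytab
    assert data[:2] == b"\x05\x02", "only keytab format version 0x0502 is handled"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size == 0: break                               # nothing more to read
        if size < 0: pos -= size; continue                # negative size = deleted slot
        end = pos + size
        ncomp, = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        strs = []                                         # realm first, then name components
        for _ in range(ncomp + 1):
            n, = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            strs.append(data[pos:pos + n].decode()); pos += n
        vno8 = data[pos + 8]; pos += 9                    # skip name_type and timestamp
        etype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        vno32 = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else 0
        entries.append(("/".join(strs[1:]) + "@" + strs[0], vno32 or vno8,
                        ENCTYPES.get(etype, f"etype {etype}")))
        pos = end
    return entries

def multiple_kvnos(data):
    # Principals carrying more than one key version: the case gokrb5 before v8.4.1 mishandles
    seen = {}
    for princ, kvno, _ in parse_keytab(data):
        seen.setdefault(princ, set()).add(kvno)
    return {p: sorted(v) for p, v in seen.items() if len(v) > 1}
# constructed sample: dilbert still carries three key versions, the Vault service principal has one
SAMPLE_KEYTAB = build_keytab([("dilbert@EXAMPLE.COM", v, 18, bytes([v]) * 32) for v in (2, 3, 4)] +
                             [("HTTP/vault.service.consul@EXAMPLE.COM", 5, 18, b"\x44" * 32)])
```

Running `parse_keytab` over the real client keytab shows the kvno Vault will present (point A) and whether a principal appears with several versions (point B); an enctype reported only by number is one the table above does not list.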

Thanks very much for your response and suggestions. I am going to have to go to the source code a bit as the vault client cannot seem to read the encryption keys from the keytab that I am using to try and login. I even tried having just a single encryption type that is supported, but that does not work either. I guess this is not a super well desired functionality and I may end up using approles to do what I need.