Terraform dns provider authentication krb5.conf

I am struggling to get the dns provider to authenticate to our dns servers. I am using gssapi with username and password. I am getting the following error:

Error updating DNS record: Error negotiating GSS context: configuration file could not be opened: open : no such file or directory

I have a krb5.conf file located at c:\krb5.conf and have an environment variable called KRB5_CONFIG pointed to this file.

Do I need to install any kerberos packages on my windows box to make this work?

Hey Jeremy :wave:, sorry you’re running into trouble here. I looked a little deeper into the error you’re showing here:

Error updating DNS record: Error negotiating GSS context: configuration file could not be opened: open : no such file or directory

It’s an interesting error, as it doesn’t show us the actual path that should be set in the KRB5_CONFIG environment variable. Can you double check that this KRB5_CONFIG environment variable is set someplace the terraform process can read it?

At the very least we should see the path in the error message.

As for your other question about client software needed, as you’re on Windows, you might already have it installed if you’re joined to an AD domain - ssh - How to install Kerberos client on Windows - Super User

The client software we use for our tests is Linux based krb5-user - terraform-provider-dns/test.yml at 18b99423cc5e87ef7d0d4202b8fcfe5601ec0b3e · hashicorp/terraform-provider-dns · GitHub

Thanks Austin… I installed the Heimdal version and have rebooted and am still seeing the error. I attached a snippet showing the error and in the same terminal that the $env:KRB5_CONFIG is available.

Question: do I need the identity manager as well? See the 2nd part of this document: Kerberos for Windows | Documentation (ed.ac.uk)

I moved this all over to my WSL environment on Ubuntu and tried it, and same result. Installed krb5-config / krb5-user via apt-get and exported the path to the krb5_config file and did an ls on it to ensure it sees it via the env var, and it did. Also converted the conf file to Unix (LF) and still no luck.

I believe your error is only related to the config file itself, as this needs to be read before any Kerberos-related work occurs. So installed software really shouldn't make a difference at this point.

The error returned unfortunately isn’t particularly useful right now because of this bug raised: Add more detail to error returned from `loadConfig` · Issue #91 · bodgit/tsig · GitHub - but all signs in the code point to the environment variable not being picked up properly.

Actually, I remembered we have a specific acceptance test for this functionality that runs in a Docker container, might give you some information: terraform-provider-dns/acceptance.sh at main · hashicorp/terraform-provider-dns · GitHub

On your Linux test, you could also try setting your krb5.conf at /etc/krb5.conf as that's the default path used by the underlying library: tsig/gokrb5.go at 10b91d46dbdc2db4fc524572ea95da64cb91358c · bodgit/tsig · GitHub
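A small diagnostic script, added here as an example and not code from the provider, the tsig library or anyone in this thread, that applies the lookup order described above (KRB5_CONFIG if set, otherwise /etc/krb5.conf) and checks the usual reasons the file still fails to open: missing, unreadable by the user running terraform, or CRLF line endings as mentioned earlier. The lookup order and the return codes are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added diagnostic, not part of the provider or of this thread.
# Assumed lookup order (illustration): KRB5_CONFIG if set and non-empty,
# otherwise /etc/krb5.conf, which the thread names as the library default.

# Print the path a Kerberos client library would try to open.
resolve_krb5_config() {
    if [ -n "${KRB5_CONFIG:-}" ]; then
        printf '%s\n' "$KRB5_CONFIG"
    else
        printf '%s\n' /etc/krb5.conf
    fi
}

# Check that the resolved file can actually be opened and parsed.
# Return codes (assumed for this example):
#   0 usable   2 missing   3 not readable   4 has CRLF line endings
check_krb5_config() {
    path=$(resolve_krb5_config)
    if [ ! -e "$path" ]; then
        echo "krb5 config not found at '$path'" >&2
        return 2
    fi
    if [ ! -r "$path" ]; then
        echo "krb5 config at '$path' is not readable by this user" >&2
        return 3
    fi
    # A file saved on Windows with CRLF endings trips up some parsers.
    if grep -q "$(printf '\r')" "$path"; then
        echo "krb5 config at '$path' contains CRLF line endings" >&2
        return 4
    fi
    echo "krb5 config at '$path' looks usable"
    return 0
}

# Run the check from the same shell that will start terraform, so the
# environment it inspects is the one terraform inherits. An empty path in
# the provider's error ("open : no such file") means no path reached the
# library at all, which points at the variable rather than the file.
check_krb5_config || echo "diagnostic failed with code $?" >&2
```

Run it with `sh krb5-check.sh` in the terminal you launch terraform from; a path that resolves here but still produces the `open :` error means terraform is not inheriting that environment.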