Vault Agent, Kerberos Auto Auth, sink file and ttl expire

Hi,

I’m testing the Vault agent and Kerberos authentication.

The Vault server is running 1.5.5.
The Vault agent is 1.6.1.

I’m authenticating against Active Directory KDCs.

The agent is able to authenticate to Vault and writes down a sink file with a token. However - when the TTL of the Kerberos auth method is about to expire, the agent tries to authenticate again - but it fails.

2021-01-21T14:57:28.180Z [INFO] sink.file: token written: path=vault.token
2021-01-21T14:58:11.907Z [INFO] auth.handler: lifetime watcher done channel triggered
2021-01-21T14:58:11.907Z [INFO] auth.handler: authenticating
2021-01-21T14:58:11.928Z [ERROR] auth.handler: error authenticating: error="Error making API request.
URL: PUT https://vault.domain.ltd:8200/v1/auth/kerberos/login
Code: 401. Errors:
" backoff=2.507658629
2021-01-21T14:58:14.436Z [INFO] auth.handler: authenticating
2021-01-21T14:58:14.458Z [ERROR] auth.handler: error authenticating: error="Error making API request.
URL: PUT https://vault.domain.ltd:8200/v1/auth/kerberos/login
Code: 401. Errors:

The Vault log:

Jan 21 14:57:12 vault.domain.ltd vault[1148]: 2021-01-21T14:57:12.513Z [INFO] expiration: revoked lease: lease_id=auth/kerberos/login/h0150aa66233597cd251fcb4088c0fccb2b5ca01d6d8f5b0d2d88aab6c6c25c9d
Jan 21 14:57:26 vault.domain.ltd vault[1148]: 2021-01-21T14:57:26.091Z [INFO] auth.kerberos.auth_kerberos_6cbbce91: 10.10.10.10:8080 user@DOMAIN.LTD - SPNEGO authentication succeeded
Jan 21 14:58:11 vault.domain.ltd vault[1148]: 2021-01-21T14:58:11.928Z [INFO] auth.kerberos.auth_kerberos_6cbbce91: 10.10.10.10:8080 - SPNEGO validation error: defective token detected: KRB Error: (34) KRB_AP_ERR_REPEAT Request is a replay - replay detected
Jan 21 14:58:14 vault.domain.ltd vault[1148]: 2021-01-21T14:58:14.458Z [INFO] auth.kerberos.auth_kerberos_6cbbce91: 10.10.10.10:8080 - SPNEGO validation error: defective token detected: KRB Error: (34) KRB_AP_ERR_REPEAT Request is a replay - replay detected

It seems to me that the agent is not capable of re-authenticating.

I’m wondering - is this something that someone has tested and is supposed to be working?

Bgrds,
Finnur
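Added example, not part of the original post or of Vault itself: a small Python script that reads the two logs quoted above side by side and pairs each agent 401 with a server-side KRB_AP_ERR_REPEAT rejection that lands within a short window, so the operator can see that the re-authentication attempts are being refused as Kerberos replays rather than failing for some other reason (bad credentials, clock skew, network). It also reports how long the sink token lived between "token written" and the lifetime watcher firing. The sample input is the log text from the post, embedded inline as constructed test data; the two-second matching window and the event names are my own assumptions.

```python
"""Correlate Vault Agent auto-auth 401s with Vault server Kerberos replay rejections."""
import re
from datetime import datetime, timedelta

# ISO timestamp as emitted by both the agent and the server (the server lines also
# carry a syslog prefix, which we simply ignore by searching for the ISO form).
TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Constructed sample input: the agent log quoted in the post, including the
# multi-line API error records and the truncated final record.
AGENT_LOG = """
2021-01-21T14:57:28.180Z [INFO] sink.file: token written: path=vault.token
2021-01-21T14:58:11.907Z [INFO] auth.handler: lifetime watcher done channel triggered
2021-01-21T14:58:11.907Z [INFO] auth.handler: authenticating
2021-01-21T14:58:11.928Z [ERROR] auth.handler: error authenticating: error="Error making API request.
URL: PUT https://vault.domain.ltd:8200/v1/auth/kerberos/login
Code: 401. Errors:
" backoff=2.507658629
2021-01-21T14:58:14.436Z [INFO] auth.handler: authenticating
2021-01-21T14:58:14.458Z [ERROR] auth.handler: error authenticating: error="Error making API request.
URL: PUT https://vault.domain.ltd:8200/v1/auth/kerberos/login
Code: 401. Errors:
"""

# Constructed sample input: the Vault server log quoted in the post.
VAULT_LOG = """
Jan 21 14:57:12 vault.domain.ltd vault[1148]: 2021-01-21T14:57:12.513Z [INFO] expiration: revoked lease: lease_id=auth/kerberos/login/h0150aa66233597cd251fcb4088c0fccb2b5ca01d6d8f5b0d2d88aab6c6c25c9d
Jan 21 14:57:26 vault.domain.ltd vault[1148]: 2021-01-21T14:57:26.091Z [INFO] auth.kerberos.auth_kerberos_6cbbce91: 10.10.10.10:8080 user@DOMAIN.LTD - SPNEGO authentication succeeded
Jan 21 14:58:11 vault.domain.ltd vault[1148]: 2021-01-21T14:58:11.928Z [INFO] auth.kerberos.auth_kerberos_6cbbce91: 10.10.10.10:8080 - SPNEGO validation error: defective token detected: KRB Error: (34) KRB_AP_ERR_REPEAT Request is a replay - replay detected
Jan 21 14:58:14 vault.domain.ltd vault[1148]: 2021-01-21T14:58:14.458Z [INFO] auth.kerberos.auth_kerberos_6cbbce91: 10.10.10.10:8080 - SPNEGO validation error: defective token detected: KRB Error: (34) KRB_AP_ERR_REPEAT Request is a replay - replay detected
"""


def _ts(text):
    """Return the first ISO timestamp in `text` as a datetime, or None."""
    m = TS_RE.search(text)
    return datetime.strptime(m.group(1), TS_FMT) if m else None


def records(log):
    """Group raw lines into records. A record starts at a line carrying a timestamp;
    lines without one (the agent's multi-line API error) are folded into the record
    before them, so 'Code: 401' ends up in the same string as its ERROR line."""
    recs = []
    for line in log.splitlines():
        if not line.strip():
            continue
        if TS_RE.search(line):
            recs.append(line.strip())
        elif recs:
            recs[-1] += " " + line.strip()
    return recs


def agent_events(log):
    """Extract (timestamp, kind) tuples for the agent events that matter here."""
    events = []
    for rec in records(log):
        ts = _ts(rec)
        if "sink.file: token written" in rec:
            events.append((ts, "token_written"))
        elif "lifetime watcher done channel triggered" in rec:
            events.append((ts, "renew_triggered"))
        elif "[ERROR] auth.handler" in rec and "Code: 401" in rec:
            events.append((ts, "auth_failed_401"))
    return events


def vault_replay_rejections(log):
    """Timestamps of server-side SPNEGO validation errors reporting a Kerberos replay."""
    return [_ts(rec) for rec in records(log) if "KRB_AP_ERR_REPEAT" in rec]


def correlate(agent_log, vault_log, window=timedelta(seconds=2)):
    """Pair each agent 401 with the nearest server replay rejection inside `window`
    (assumed window; both logs must come from clock-synchronised hosts)."""
    failures = [ts for ts, kind in agent_events(agent_log) if kind == "auth_failed_401"]
    replays = vault_replay_rejections(vault_log)
    pairs = []
    for f in failures:
        nearest = min(replays, key=lambda r: abs(r - f)) if replays else None
        pairs.append((f, nearest if nearest and abs(nearest - f) <= window else None))
    return pairs


def diagnose(agent_log, vault_log):
    """Summarise: how many 401s, how many are explained by replay rejections, and
    how long the sink token lived before the agent tried to re-authenticate."""
    events = agent_events(agent_log)
    pairs = correlate(agent_log, vault_log)
    explained = sum(1 for _, r in pairs if r is not None)
    written = [ts for ts, k in events if k == "token_written"]
    triggered = [ts for ts, k in events if k == "renew_triggered"]
    lifetime = (triggered[0] - written[0]).total_seconds() if written and triggered else None
    if pairs and explained == len(pairs):
        verdict = "server rejected every re-auth as a Kerberos replay (KRB_AP_ERR_REPEAT)"
    else:
        verdict = "no consistent replay correlation; check clock skew and other causes"
    return {
        "agent_401s": len(pairs),
        "matched_replay_rejections": explained,
        "token_lifetime_seconds": lifetime,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in diagnose(AGENT_LOG, VAULT_LOG).items():
        print(f"{key}: {value}")
```

Run it against the embedded sample and it reports two 401s, both matched to a replay rejection, and a token lifetime of about 44 seconds; point the two constants at your own agent and server logs to check whether the same pattern holds. The server-side timestamps are the ones to trust for pairing, which is why Martin's clock-sync question below matters: with skewed clocks the window match fails even when the replay cache is the real cause.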

Hello,

I’m really not sure why this is happening in the first place, but would you verify that all participants (Vault server, KDC, Vault Client) have their clocks synchronized.

Kind regards,
Martin

This seems to be a Kerberos replay cache issue. You can make the vault server ignore this if you need to.

from https://groups.google.com/g/comp.protocols.kerberos/c/4kGd4J0f9HU:
There’s an environment variable you can set (in the SERVER’s environment)-- three, actually, though you only need one here. The library looks for KRB5RCACHETYPE, KRB5RCACHENAME, and KRB5RCACHEDIR. If you set KRB5RCACHETYPE to “none” it should disable the cache.