Hi,
I’m testing the Vault agent and Kerberos authentication.
The Vault server is running 1.5.5.
The Vault agent is 1.6.1.
I’m authenticating against Active Directory KDCs.
The agent is able to authenticate to Vault and writes a sink file with a token. However, when the TTL of the Kerberos auth method is about to expire, the agent tries to authenticate again, but it fails.
2021-01-21T14:57:28.180Z [INFO] sink.file: token written: path=vault.token
2021-01-21T14:58:11.907Z [INFO] auth.handler: lifetime watcher done channel triggered
2021-01-21T14:58:11.907Z [INFO] auth.handler: authenticating
2021-01-21T14:58:11.928Z [ERROR] auth.handler: error authenticating: error="Error making API request.
URL: PUT https://vault.domain.ltd:8200/v1/auth/kerberos/login
Code: 401. Errors:
" backoff=2.507658629
2021-01-21T14:58:14.436Z [INFO] auth.handler: authenticating
2021-01-21T14:58:14.458Z [ERROR] auth.handler: error authenticating: error="Error making API request.
URL: PUT https://vault.domain.ltd:8200/v1/auth/kerberos/login
Code: 401. Errors:
The Vault log:
Jan 21 14:57:12 vault.domain.ltd vault[1148]: 2021-01-21T14:57:12.513Z [INFO] expiration: revoked lease: lease_id=auth/kerberos/login/h0150aa66233597cd251fcb4088c0fccb2b5ca01d6d8f5b0d2d88aab6c6c25c9d
Jan 21 14:57:26 vault.domain.ltd vault[1148]: 2021-01-21T14:57:26.091Z [INFO] auth.kerberos.auth_kerberos_6cbbce91: 10.10.10.10:8080 user@DOMAIN.LTD - SPNEGO authentication succeeded
Jan 21 14:58:11 vault.domain.ltd vault[1148]: 2021-01-21T14:58:11.928Z [INFO] auth.kerberos.auth_kerberos_6cbbce91: 10.10.10.10:8080 - SPNEGO validation error: defective token detected: KRB Error: (34) KRB_AP_ERR_REPEAT Request is a replay - replay detected
Jan 21 14:58:14 vault.domain.ltd vault[1148]: 2021-01-21T14:58:14.458Z [INFO] auth.kerberos.auth_kerberos_6cbbce91: 10.10.10.10:8080 - SPNEGO validation error: defective token detected: KRB Error: (34) KRB_AP_ERR_REPEAT Request is a replay - replay detected
It seems to me that the agent is not capable of re-authenticating.
I’m wondering - is this something that someone has tested and is supposed to be working?
Bgrds,
Finnur
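The KRB_AP_ERR_REPEAT (34) lines in the Vault log are what a Kerberos acceptor's replay cache returns when an authenticator it has already seen is presented again inside the clock-skew window. As an added example (not code from the poster, from Vault or from the agent), here is a simplified Python model of that cache; the principal name and timestamps are constructed to mirror the log above, and the cache-key choice and 300 s skew are assumptions of the model.

```python
from dataclasses import dataclass

CLOCK_SKEW = 300          # assumed maximum clock skew (seconds), the common Kerberos default
KRB_AP_ERR_REPEAT = 34    # error code from the Vault log: "Request is a replay"
KRB_AP_ERR_SKEW = 37      # clock skew too great


@dataclass(frozen=True)
class Authenticator:
    client: str   # client principal, e.g. "user@DOMAIN.LTD"
    ctime: int    # client time carried in the authenticator (seconds)
    cusec: int    # microseconds field of the authenticator


class ReplayCache:
    """Simplified acceptor-side replay cache (RFC 4120 section 3.2.3 model).

    Entries are kept only as long as the skew window, because an authenticator
    older than that is rejected by the time check anyway.
    """

    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self._seen = {}  # (client, ctime, cusec) -> server time when first accepted

    def accept(self, auth, now):
        """Return None when accepted, otherwise the Kerberos error code."""
        # Drop cache entries that have aged out of the skew window.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= self.skew}
        if abs(auth.ctime - now) > self.skew:
            return KRB_AP_ERR_SKEW
        key = (auth.client, auth.ctime, auth.cusec)
        if key in self._seen:
            return KRB_AP_ERR_REPEAT   # same authenticator presented twice
        self._seen[key] = now
        return None


def simulate_agent_renewal():
    """Constructed scenario: one login, two retries with the same authenticator, then a fresh one."""
    cache = ReplayCache()
    first = Authenticator("user@DOMAIN.LTD", ctime=1611241046, cusec=91000)
    fresh = Authenticator("user@DOMAIN.LTD", ctime=1611241094, cusec=458000)
    return [
        cache.accept(first, now=1611241046),  # 14:57:26 login, accepted
        cache.accept(first, now=1611241091),  # 14:58:11 retry, replay
        cache.accept(first, now=1611241094),  # 14:58:14 retry, replay
        cache.accept(fresh, now=1611241094),  # new authenticator, accepted
    ]
```

Running simulate_agent_renewal() reproduces the accept/reject pattern of the two logs: the retries fail only because they carry the same authenticator, while a freshly built one at the same instant is accepted.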