Kerberos auth method
Note: This engine can use external X.509 certificates as part of TLS or signature validation. Verifying signatures against X.509 certificates that use SHA-1 is deprecated and is no longer usable without a workaround. See the deprecation FAQ for more information.
The kerberos auth method provides an automated mechanism to retrieve
an OpenBao token for Kerberos entities.
Kerberos is a network authentication protocol invented by MIT in the 1980s. Its name is inspired by Cerberus, the three-headed hound of Hades from Greek mythology. The three heads refer to Kerberos' three entities - an authentication server, a ticket granting server, and a principals database. Kerberos underlies authentication in Active Directory, and its purpose is to distribute a network's authentication workload.
OpenBao's Kerberos auth method was originally written by the folks at Winton, to whom we owe a special thanks for both originally building the plugin, and for collaborating to bring it into HashiCorp's maintenance.
Prerequisites
Kerberos is a very hands-on auth method. Other auth methods like LDAP only require a cursory amount of knowledge for configuration and use. Kerberos, on the other hand, is best used by people already familiar with it. We recommend that you use simpler authentication methods if your use case is achievable through them. If not, we recommend that before approaching Kerberos, you become familiar with its fundamentals.
- MicroNugget: How Kerberos Works in Windows Active Directory
- MIT's Kerberos Documentation
- Kerberos: The Definitive Guide
Regardless of how you gain your knowledge, before using this auth method, ensure you are comfortable with Kerberos' high-level architecture, and ensure you've gone through the exercise of:
- Creating a valid
krb5.conffile - Creating a valid
keytabfile - Authenticating to your domain server with your
keytabfile usingkinit
With that knowledge in hand, and with an environment that's already tested and confirmed working, you will be ready to use Kerberos with OpenBao.
Configuration
- Enable Kerberos authentication in OpenBao:
$ bao auth enable \
-passthrough-request-headers=Authorization \
-allowed-response-headers=www-authenticate \
kerberos
- Create a
keytabfor the Kerberos plugin (this keytab is used by the OpenBao server itself, another keytab should be generated for login purposes):
$ ktutil
ktutil: addent -password -p your_service_account@REALM.COM -e aes256-cts -k 1
Password for your_service_account@REALM.COM:
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 your_service_account@REALM.COM (aes256-cts-hmac-sha1-96)
ktutil: wkt openbao.keytab
The KVNO (-k 1) should match the KVNO of the service account. An error will show in the OpenBao logs if this is incorrect.
Different encryption types can also be added to the keytab, for example -e rc4-hmac with additional addent commands.
Then base64 encode it:
$ base64 openbao.keytab > openbao.keytab.base64
- Configure the Kerberos auth method with the
keytaband entry name that will be used to verify inbound login requests:
$ bao write auth/kerberos/config \
keytab=@openbao.keytab.base64 \
service_account="openbao_svc"
- Configure the Kerberos auth method to communicate with
LDAP using the service account configured above. This is
a sample LDAP configuration. Yours will vary. Ensure you've
first tested your configuration from the OpenBao server using
a tool like
ldapsearch.
$ bao write auth/kerberos/config/ldap \
binddn=openbao_svc@MATRIX.LAN \
bindpass=$OPENBAO_SVC_PASSWORD \
groupattr=sAMAccountName \
groupdn="DC=MATRIX,DC=LAN" \
groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
userdn="CN=Users,DC=MATRIX,DC=LAN" \
userattr=sAMAccountName \
upndomain=MATRIX.LAN \
url=ldaps://somewhere.foo
The LDAP above relies upon the same code as the LDAP auth method. See its documentation for further discussion of available parameters.
- Configure the OpenBao policies that should be granted to those who successfully authenticate based on their LDAP group membership. Since this is identical to the LDAP auth method, see Group Membership Resolution and LDAP Group -> Policy Mapping for further discussion.
$ bao write auth/kerberos/groups/engineering-team \
policies=engineers
The above group grants the "engineers" policy to those who authenticate via Kerberos and are found to be members of the "engineering-team" LDAP group.
Authentication
From a client machine with a valid krb5.conf and keytab, perform a command
like the following:
$ bao login -method=kerberos \
username=grace \
service=HTTP/my-service \
realm=MATRIX.LAN \
keytab_path=/etc/krb5/krb5.keytab \
krb5conf_path=/etc/krb5.conf \
disable_fast_negotiation=false
krb5conf_pathis the path to a validkrb5.conffile describing how to communicate with the Kerberos environment.keytab_pathis the path to thekeytabin which the entry lives for the entity authenticating to OpenBao. Keytab files should be protected from other users on a shared server using appropriate file permissions.usernameis the username for the entry within thekeytabto use for logging into Kerberos. This username must match a service account in LDAP.serviceis the service principal name to use in obtaining a service ticket for gaining a SPNEGO token. This service must exist in LDAP.realmis the name of the Kerberos realm. This realm must match the UPNDomain configured on the LDAP connection. This check is case-sensitive.disable_fast_negotiationis for disabling the Kerberos auth method's default of using FAST negotiation. FAST is a pre-authentication framework for Kerberos. It includes a mechanism for tunneling pre-authentication exchanges using armoured KDC messages. FAST provides increased resistance to passive password guessing attacks. Some common Kerberos implementations do not support FAST negotiation.remove_instance_nameremoves any instance names from a Kerberos service principal name when parsing the keytab file. For example when this is set to true, if a keytab has the service principal namefoo/localhost@example.com, the CLI will strip the service principal name to just befoo@example.com.
Troubleshooting
Identify the malfunctioning piece
Once the malfunctioning piece of the journey is identified, you can focus your debugging efforts in the most useful direction.
- Use
ldapsearchwhile logged into your machine hosting OpenBao to ensure your LDAP configuration is functional. - Authenticate to your domain server using
kinit, yourkeytab, and yourkrb5.conf. Do this with both OpenBao'skeytab, and any clientkeytabbeing used for logging in. This ensures your Kerberos network is working. - While logged into your client machine, verify you can reach OpenBao
through the following command:
$ curl $VAULT_ADDR/v1/sys/health.
Build clear steps to reproduce the problem
If possible, make it easy for someone else to reproduce the problem who is outside of your company. For instance, if you expect that you should be able to login using a command like:
$ bao login -method=kerberos \
username=my-name \
service=HTTP/my-service \
realm=EXAMPLE.COM \
keytab_path=/etc/krb5/krb5.keytab \
krb5conf_path=/etc/krb5.conf
Then make sure you're ready to share the error output of that command, the
contents of the krb5.conf file, and the entries listed
in the keytab file.
Additional troubleshooting resources
The OpenBao Kerberos library has a working integration test environment that can be referenced as an example of a full Kerberos and LDAP environment. It runs through Docker and can be started through either one of the following commands:
$ make integration
$ make dev-env
These commands run variations of a script that spins up a full environment, adds users, and executes a login from a client.
API
The Kerberos auth method has a full HTTP API. Please see the Kerberos auth method API for more details.