
I don't know much about Kerberos authentication, I just have some basic experience with configuration and usage. Recently I noticed that Windows has a built-in Kerberos implementation that is configured. So when I run klist in PowerShell, I get a nice list of available tickets. For various Dev-Ops topics we use Linux in our team with WSL and Docker as build agent and local dev environment. Our docker image is well configured for Kerberos and I can use kinit to get a ticket. In this case, however, the user will have to enter their credentials again.

I recently saw the following answer (link):

As soon as you log into Windows, LSA will retain your principal and password in memory and regain a fresh ticket as soon as it is necessary.

Question: Is there a method to retrieve and copy a Kerberos ticket from Windows to a Docker container or to a WSL environment running on the same system? (Obviously the question is more about "how to" than "is there a solution"...)

In both cases we have shared volumes between Linux and Windows.

There is also a reddit post about a similar topic: link

Also the following post suggests that we may indeed store those tickets locally: link

Note: In my case we have corporate network environment with domain controllers. On configured Linux nodes (Linux desktop, Docker container) kinit works fine.

Additional references:

Kerberos tickets are stored inside the credential cache. There are multiple credential cache types supported on Windows:

  • FILE caches: Simple and most portable. A simple flat file format is used to store one credential after another. This is the default on Linux and OSX.
  • API cache: Only implemented on Windows, it communicates with a server process that holds the credentials in memory. This seems to be the default on Windows.

Note: It was suggested that I move this question over here from Stack Overflow.

SchLx
  • Just linking essentially the same question: https://stackoverflow.com/questions/55103417/can-wsl-inherit-windows-auth-credentials – SerG Mar 22 '21 at 15:41
  • @SerG I'm not sure, yes partially: https://stackoverflow.com/a/6745058/5770014 – SchLx Mar 22 '21 at 17:06
  • Why do you point that answer about differences between NTLM and Kerberos? – SerG Mar 22 '21 at 18:22

1 Answer


With the MIT client the credential cache file is the right way, but you need some more things inside your container image, e.g. inside an Ubuntu container:

  • a kerberos client e.g. krb5-user package installed
  • a kerberos config /etc/krb5.conf

Configure the %KRB5CCNAME% variable on your host to point to a file, e.g. c:\temp\krb5.cache

When you instantiate your container, mount c:\temp\krb5.cache to the /tmp/krb5.cache path and export the $KRB5CCNAME variable inside the container to that file path (or configure `[libdefaults] default_ccache_name = FILE:...` in krb5.conf).

A better way might be to work with keytabs: mount the keytab inside the container and kinit from that keyfile.

schmichri
  • Wasn't the question about default built-in Windows Kerberos implementation, not a MIT Client? – SerG Nov 16 '20 at 20:43
  • not explicit. It might be that kinit and the MIT links gave the wrong impression to me – schmichri Nov 16 '20 at 21:01
  • @schmichri It is about the default built-in Windows implementation: "Recently I noticed that Windows has a built-in Kerberos implementation that is configured. So when I run klist in PowerShell, I get a nice list of available tickets." – SchLx Nov 19 '20 at 08:12
  • so you want to use the in-Memory Kerberos Ticket from Windows inside the Linux container and you expect that to work? I think this is just not possible. – schmichri Nov 20 '20 at 15:18
  • Maybe after all this question should have stayed on stack overflow and more likely we need to find/write code that mirrors Windows Credential Cache API to docker. VS Code does something similar I think. I remember I was able to use GIT somehow inside a container without specifying my credentials, but I will double check this. – SchLx Nov 22 '20 at 09:36
  • @SchLx Git is not windows native tool initially, so its authentication may differ. – SerG Nov 22 '20 at 13:53
  • GL and thx for the upvotes... – schmichri Nov 23 '20 at 07:13
  • @SerG: VSCode inside dev container indeed tunnels credential manager into the container. see .gitconfig: `[credential] helper = "!f() { /root/.vscode-server/bin/2b9aebd5354a3629c3aba0a5f5df49f43d6689f8/node /tmp/vscode-remote-containers-cbfe6d848999569b6e0897c57427e9d82ac7da25.js $*; }; f" ` – SchLx Mar 22 '21 at 17:11
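The file-cache route from the answer above, as an added example that is not part of the answer or of any project: a container entrypoint that uses the FILE credential cache mounted from the host when it is present and still valid, and otherwise falls back to a keytab. The mount path /tmp/krb5.cache follows the answer; the keytab path, the KRB5_PRINCIPAL and KRB5_ENTRYPOINT variables and the fallback itself are assumptions. It cannot pick up the Windows LSA in-memory cache, which, as the comments note, is not a file.

```sh
#!/bin/sh
# Added example, not code from the answer: container-side entrypoint that
# looks for the FILE credential cache mounted from the host and falls back to
# a keytab when the cache is absent, not a FILE cache, or expired.
# All paths, variable names and the keytab fallback are assumptions.
set -eu

# Print the path behind a KRB5CCNAME value; fail for non-file cache types
# (API:, KEYRING:, ...), which cannot be shared through a mounted volume.
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *:*)    return 1 ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# A MIT FILE ccache starts with a two-byte format version, 0x05 0x04 for the
# version 4 format that current MIT clients write.
looks_like_ccache() {
    [ -s "$1" ] || return 1
    [ "$(od -An -N2 -tx1 "$1" | tr -d ' \n')" = "0504" ]
}

# Decide where credentials come from; prints "cache" or "keytab".
choose_cred_source() {
    cc=$(ccache_path "${1:-}") || { printf 'keytab\n'; return 0; }
    if looks_like_ccache "$cc"; then printf 'cache\n'; else printf 'keytab\n'; fi
}

main() {
    ccname="${KRB5CCNAME:-FILE:/tmp/krb5.cache}"   # the answer's mount path
    export KRB5CCNAME="$ccname"
    # klist -s is silent and exits non-zero when the cache is missing or expired
    if [ "$(choose_cred_source "$ccname")" = cache ] && klist -s; then
        echo "using mounted credential cache $ccname"
    else
        kinit -k -t "${KRB5_KEYTAB:-/etc/krb5.keytab}" "${KRB5_PRINCIPAL:?set KRB5_PRINCIPAL}"
    fi
    exec "$@"
}

# Run the entrypoint only when asked, so the functions can also be sourced.
if [ "${KRB5_ENTRYPOINT:-0}" = 1 ]; then main "$@"; fi
```

Run it as `KRB5_ENTRYPOINT=1 ./entrypoint.sh your-build-command` with the host cache mounted at /tmp/krb5.cache and a keytab mounted for the fallback.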