
I'm running MIT Kerberos KDC and Kadmin server instances in a Docker container for convenience. I am able to build it and run it without a problem, only extracting the important configs to Docker volumes. I am also connecting the KDC to OpenLDAP through the kldap module.

However, one possible problem I'm seeing: with each rebuild it seems the KDC initiates different keychains or something, which causes the old authentications to break. All of this makes sense and is not a problem.

My question: is it possible to store the internal database of the KDC (or where is it storing the credentials) to a docker volume? If so, which part should I be looking at?

My goal is that for whatever rebuild of the container, I would be able to connect to the same old KDC database that was made by the old containers. Is this possible?

runr

2 Answers


Isn't it enough just to mount the volume at the container's default KDC database path, like `docker run -v /var/local/docker-volumes/krb5kdc:/usr/local/var/krb5kdc <kdc_image>`? Or you can specify the `database_name` option inside your realm configuration in `kdc.conf` if you want a different mount point in the container.

patok
  • I'm not at all sure what the path to the KDC database is. Apart from `/etc`, `/run` and `sbin`, which contain configs, `/var/lib/krb5kdc` is an empty folder. – runr Jan 16 '19 at 09:56
  • My knowledge of Kerberos isn't perfect, but you could find the database file when you run this command inside your container: `lsof -p $(pgrep krb5kdc) | grep principal`; to enter the shell inside your container run this: `docker exec -i -t <container> /bin/bash`; you'll probably need to install `lsof` as well before issuing the command itself – patok Jan 16 '19 at 10:25
  • Thanks, but `grep principal` returns zero entries. I'm guessing this has something to do with some part of the database being stored in LDAP, since I init the database through `kdb5_ldap_util`. Either way, I'm still guessing that some part should also be stored on the machine, since after a rebuild the kdc/kadmin fails to log in due to mismatched credentials with the LDAP. – runr Jan 16 '19 at 10:46
  • Try running only the `lsof` part without `| grep principal` and look whether there are any important file(s) which should reside on the Docker volume. You can also examine the other processes involved (I'm not sure if the kldap module runs as part of krb5kdc or as a standalone process); if you are using some public Kerberos Docker image, you could edit your question and add its name and also the Docker run parameters. Then there is a better chance that someone will test it for you. – patok Jan 16 '19 at 11:08
  • Thanks, I'll try looking around. `lsof` returns a bunch of `socket:`s, some `anon_inode`s and links to `/var/log`, `/var/tmp`, or `/dev/null`. None of which seem helpful. – runr Jan 16 '19 at 11:15

You should check the config file, `kdc.conf`. That will tell you where the files being used are stored.

Exec into the container while it's running and find the `kdc.conf` file. The `krb5.conf` file will also contain the location of other files.

https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kdc_conf.html

kdc.conf: The KDC configuration file contains configuration information for the KDC and admin servers. kadmind uses settings in this file to locate the Kerberos database, and is also affected by the acl_file, dict_file, kadmind_port, and iprop-related settings.

I suspect you may run into issues with the hostname changing and that generating different keys.

You could look at the work done on the project below to see how they did it. Their solution is a Heimdal Kerberos 5 running in Docker on a MacOS (which uses VirtualBox). https://github.com/tillt/docker-kdc/blob/master/kdc

J Roysdon
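Both answers come down to the same step: read `kdc.conf`, find every setting whose value is a filesystem path, and mount the directories those paths live in. The script below is an added example and is not code from either answer or from MIT Kerberos; it parses a constructed sample `kdc.conf` (placeholder realm `EXAMPLE.TEST`, placeholder host directory `/var/local/docker-volumes`) and prints the `-v` arguments a `docker run` would need. The sample includes two settings the page does not mention but that exist in MIT Kerberos: `key_stash_file` (the master key stash in the realm section) and, in the `[dbmodules]` section used by kldap, `ldap_service_password_file`; both are local files the KDC reads even when the principals themselves are in LDAP, which is why a volume holding only the principal database is not enough in the kldap case. The default database path used when `database_name` is absent is the one from the first answer.

```shell
#!/bin/sh
# Added example (not from the original post): list the filesystem paths a
# MIT Kerberos KDC/kadmind reads from kdc.conf so they can be mounted as
# Docker volumes. The kdc.conf text below is constructed for this example;
# the realm name, LDAP server and paths are placeholders.
set -eu

SAMPLE_KDC_CONF=$(cat <<'EOF'
[kdcdefaults]
    kdc_ports = 88
[realms]
    EXAMPLE.TEST = {
        database_name = /var/lib/krb5kdc/principal
        key_stash_file = /var/lib/krb5kdc/.k5.EXAMPLE.TEST
        acl_file = /etc/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        database_module = openldap_ldapconf
    }
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_servers = ldap://ldap.example.test
        ldap_service_password_file = /var/lib/krb5kdc/service.keyfile
    }
EOF
)

# kdc_conf_paths: print "key path" for every "key = value" line in the given
# kdc.conf text whose value is an absolute filesystem path (values such as
# port numbers, module names or ldap:// URLs are skipped).
kdc_conf_paths() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*\([a-z_]*\)[[:space:]]*=[[:space:]]*\(\/[^[:space:]]*\).*$/\1 \2/p'
}

# kdc_conf_path: print the path configured for one key, or the supplied
# default when the key is not set (MIT falls back to built-in defaults too).
kdc_conf_path() {
    conf=$1; key=$2; default=$3
    value=$(kdc_conf_paths "$conf" | awk -v k="$key" '$1 == k { print $2; exit }')
    printf '%s\n' "${value:-$default}"
}

# mount_dirs: the distinct parent directories of every path found, one per
# line; these are the directories that must survive a container rebuild.
mount_dirs() {
    kdc_conf_paths "$1" | while read -r _key path; do
        dirname "$path"
    done | sort -u
}

# docker_volume_args: turn each container directory into "-v host:container",
# with the host side placed under the given root (placeholder host path).
docker_volume_args() {
    root=$2
    mount_dirs "$1" | while read -r d; do
        printf -- '-v %s%s:%s ' "$root" "$d" "$d"
    done
}

# Stand-alone usage: show the database path and the mounts for the sample.
db=$(kdc_conf_path "$SAMPLE_KDC_CONF" database_name /usr/local/var/krb5kdc/principal)
echo "principal database: $db"
echo "docker run $(docker_volume_args "$SAMPLE_KDC_CONF" /var/local/docker-volumes) <kdc_image>"
```

To use it against a real container, replace `SAMPLE_KDC_CONF` with the output of `docker exec <container> cat /path/to/kdc.conf` and cross-check the result with the `lsof` approach from the comments: any regular file `lsof` shows open under a directory that is not in the mount list is a candidate for a missing volume.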