Docker – Kerberos KDC server in a docker container

dockerkerberosmitkerberos

I'm running a MIT Kerberos KDC and Kadmin server instances on a docker container for convenience. Am able to build it and run it without a problem, with only extracting important configs do a docker volumes. Am also connecting the KDC to OpenLDAP through kldap module.

However, one possible problem I'm seeing: with each rebuild it seems the KDC initiates different keychains or something, which causes the old authentications to break. All of this makes sense and is not a problem.

My question: is it possible to store the internal database of the KDC (or where is it storing the credentials) to a docker volume? If so, which part should I be looking at?

My goal is that for whatever rebuild of the container, I would be able to connect to the same old KDC database that was made by the old containers. Is this possible?

Best Answer

Isn't just enough to mount the volume to the container's default KDC database path like docker run -v /var/local/docker-volumes/krb5kdc:/usr/local/var/krb5kdc <kdc_image>? Or you can specify database_name option inside your realm configuration in kdc.conf if you want different mounting point in the container.

Related Solutions

Moving from OpenLDAP/Kerberos to Active Directory

But I have a problem: how to move passwords/auth information from MIT Kerberos to AD?

You don't. While kerberos hashes have to be the same between systems, because they're used as encryption and decryption keys, none of the public APIs allow setting them directly. Given that AD requires it be given plaintext passwords, and your LDAP/KRB5 install is dutifully discarding that, you need to either wait for a password change or break the cardinal rule and keep passwords around in reversible form at least temporarily, assuming you've got something middleware for sending password changes to OpenLDAP/Kerberos you can instrument.

I understand some kind of delegation between them is possible, but this wouldn't solve my problem? Or can I do AD authentication against a MIT Kerberos KDC?

This is the approach we're considering at the moment. Authenticating to Windows using Kerberos This is known as a cross-realm trust. A few important things to note. Finding an encryption type common to all realms is critical, and will usually depend on AD. The version of AD you're using typically dictates the crypt of the day. The best guide to setting this up I've found actually comes from Microsoft: Kerberos Interoperability Step-by-Step Guide for Windows Server 2003. The key problem I ran into was telling it which encryption type to use for the cross-realm trust, which other guides written a long time ago neglected to mention.

Docker – How to Backup and Restore Docker Volumes

You're right. Since you can have multiple containers with volumes on their own, you need to keep track which volume corresponds to which container. How to do that depends on your setup: I use the name -data for the data container, so it's obvious to which container a image belongs. That way it can be backed up like this:

VOLUME=`docker inspect $NAME-data | jq '.[0].Volumes["/path/in/container"]'`
tar -C $VOLUME . -czvf $NAME.tar.gz

Now you just need to rebuild your image and recreate your data container:

cat $NAME.tar.gz | docker run -name $NAME-data -v /path/in/container \
                              -i busybox tar -C /path/int/container -xzf -

So this means you need to backup:

Dockerfile
volume
volume path in container
name of the container the volume belongs to

Update: In the meanwhile I created a tool to backup containers and their volume(s) (container(s)): https://github.com/discordianfish/docker-backup and a backup image that can create backups and push them to s3: https://github.com/discordianfish/docker-lloyd

Best Answer

Related Solutions

Moving from OpenLDAP/Kerberos to Active Directory

Docker – How to Backup and Restore Docker Volumes

Related Topic