I don't know much about Kerberos authentication, I just have some basic experience with configuration and usage.
Recently I noticed that Windows has a built-in Kerberos implementation that is configured. So when I run klist in PowerShell, I get a nice list of available tickets.
For various DevOps topics we use Linux in our team, with WSL and Docker as build agent and local dev environment. Our Docker image is well configured for Kerberos and I can use kinit to get a ticket. In this case, however, the user will have to enter their credentials again.
I recently saw the following answer (link):
As soon as you log into Windows, LSA will retain your principal and password in memory and regain a fresh ticket as soon as it is necessary.
Question: Is there a method to retrieve and copy a Kerberos ticket from Windows to a Docker container or to a WSL environment running on the same system? (Obviously the question is more about "how to" than "is there a solution"…)
In both cases we have shared volumes between Linux and Windows.
There is also a reddit post about a similar topic: link
Also, the following post suggests that we may indeed store those tickets locally: link
Note: In my case we have corporate network environment with domain controllers. On configured Linux nodes (Linux desktop, Docker container) kinit works fine.
Additional references:
- MIT Kerberos Documentation – Credential cache
- Kerberos – Credentials cache
- Windows CCAPI
- How the Kerberos Version 5 Authentication Protocol Works
- Px
- WinKerberos
- NSspi
- Add support for Kerberos/Active Directory/"windows" authentication
- Kerberos and Spnego authentication on Windows with Firefox:
Kerberos tickets are stored inside the credentials cache. There are multiple credential cache types supported on Windows:
- FILE caches: Simple and most portable. A simple flat file format is used to store one credential after another. This is the default on Linux and OSX.
- API cache: Only implemented on Windows, it communicates with a server process that holds the credentials in memory. This seems to be the default on Windows.
Note: It was suggested that I move this question here from Stack Overflow.
Best Answer
With the MIT client the credential cache file is the right way, but you need some more things inside your container image, e.g. inside an Ubuntu container:
- krb5-user package installed
- /etc/krb5.conf configured

Configure the %KRB5CCNAME% variable on your host pointing to a file, e.g. c:\temp\krb5.cache. When you instantiate your container, mount c:\temp\krb5.cache to the /tmp/krb5.cache path and export the $KRB5CCNAME variable inside the container to the file path (or configure [libdefaults] default_ccache_name = FILE:... ).

A better way might be to work with keytabs: mount the keytab inside the container and kinit from that key file.
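The answer above relies on the FILE credential cache being portable between the Windows host and the container, and the question's note on cache types says the same. The following added example (not code from the page, the answer, or the MIT Kerberos project) is a small reader for the MIT FILE ccache format (versions 3 and 4, the big-endian ones, as described in the MIT "Credential cache" documentation linked in the question) plus a builder that is used only to construct a sample cache inline. It shows what actually lands in that file (default principal, per-ticket session key, validity times, the ticket itself, and krb5's own configuration pseudo-entries in the X-CACHECONF: realm) and checks whether the TGT you are about to share with the container is still valid. The realm EXAMPLE.COM, the user alice, the fixed clock value, and the ticket bytes are all constructed for the example.

```python
"""Reader and sample builder for the MIT Kerberos FILE credential cache (format v3/v4).
Added example: the layout follows MIT's "Credential cache" format docs, not code from this page."""
import struct
import time

SAMPLE_REALM = "EXAMPLE.COM"              # constructed realm, not a real one
SAMPLE_USER = (["alice"], SAMPLE_REALM)   # principal as (components, realm)
SAMPLE_NOW = 1_700_000_000                # fixed clock so results are reproducible


def _int(b, i, size):
    return int.from_bytes(b[i:i + size], "big"), i + size

def _data(b, i):
    n, i = _int(b, i, 4)
    return b[i:i + n], i + n

def _principal(b, i):
    # v3/v4: name_type, component count (realm not counted), realm, then the components
    _, i = _int(b, i, 4)
    count, i = _int(b, i, 4)
    realm, i = _data(b, i)
    comps = []
    for _ in range(count):
        c, i = _data(b, i)
        comps.append(c.decode("utf-8"))
    return "/".join(comps) + "@" + realm.decode("utf-8"), i

def _cred(b, i, version):
    client, i = _principal(b, i)
    server, i = _principal(b, i)
    enctype, i = _int(b, i, 2)
    if version == 3:
        _, i = _int(b, i, 2)                  # v3 writes the enctype twice
    key, i = _data(b, i)                      # session key: this is why the file is a secret
    authtime, starttime, endtime, renew_till = struct.unpack(">IIII", b[i:i + 16])
    i += 17                                   # four 32-bit times plus the 1-byte is_skey
    flags, i = _int(b, i, 4)
    for _ in range(2):                        # address list, then authdata list
        n, i = _int(b, i, 4)
        for _ in range(n):
            _, i = _data(b, i + 2)            # 2-byte type, then length-prefixed data
    ticket, i = _data(b, i)
    _, i = _data(b, i)                        # second_ticket, unused here
    return {"client": client, "server": server, "enctype": enctype, "key": key,
            "starttime": starttime, "endtime": endtime, "renew_till": renew_till,
            "flags": flags, "ticket": ticket}, i

def is_file_ccache(b):
    """True if the bytes start with the v3/v4 FILE ccache magic (0x05 0x03 / 0x05 0x04)."""
    return len(b) >= 2 and b[0] == 5 and b[1] in (3, 4)

def parse_ccache(b):
    """Parse a big-endian (v3/v4) MIT FILE ccache into default principal + credentials."""
    if not is_file_ccache(b):
        raise ValueError("not a version 3/4 MIT FILE ccache")
    version, i = b[1], 2
    if version == 4:
        hlen, i = _int(b, i, 2)
        i += hlen                             # header tags (tag 1 = KDC time offset)
    principal, i = _principal(b, i)
    creds = []
    while i < len(b):
        c, i = _cred(b, i, version)
        creds.append(c)
    return {"version": version, "principal": principal, "credentials": creds}

def usable_tgt(cache_bytes, now=None):
    """Return the default principal's TGT if present and valid at `now`, else None."""
    now = time.time() if now is None else now
    cc = parse_ccache(cache_bytes)
    realm = cc["principal"].rsplit("@", 1)[1]
    for c in cc["credentials"]:
        if c["server"].endswith("@X-CACHECONF:"):
            continue                          # krb5 stores config entries as pseudo-credentials
        if (c["client"] == cc["principal"] and c["server"] == "krbtgt/%s@%s" % (realm, realm)
                and c["starttime"] <= now < c["endtime"]):
            return c
    return None

# Builder: used only to construct the sample input; krb5 itself writes real caches.
def _enc_data(d):
    return struct.pack(">I", len(d)) + d

def _enc_principal(p):
    comps, realm = p
    out = struct.pack(">II", 1, len(comps)) + _enc_data(realm.encode("utf-8"))
    return out + b"".join(_enc_data(c.encode("utf-8")) for c in comps)

def build_ccache(principal, creds):
    out = b"\x05\x04" + struct.pack(">HHHii", 12, 1, 8, 0, 0)   # v4 header: one DeltaTime tag
    out += _enc_principal(principal)
    for c in creds:
        out += _enc_principal(c["client"]) + _enc_principal(c["server"])
        out += struct.pack(">H", c["enctype"]) + _enc_data(c["key"])
        out += struct.pack(">IIII", c["starttime"], c["starttime"], c["endtime"], c["renew_till"])
        out += b"\x00" + struct.pack(">I", c["flags"]) + struct.pack(">II", 0, 0)  # no addrs/authdata
        out += _enc_data(c["ticket"]) + _enc_data(b"")
    return out

def sample_cache(now=SAMPLE_NOW, expired=False):
    """Constructed cache: one TGT (valid or already expired) plus one krb5 config entry."""
    tgt = {"client": SAMPLE_USER, "server": (["krbtgt", SAMPLE_REALM], SAMPLE_REALM),
           "enctype": 18, "key": b"\x11" * 32, "starttime": now - 600,
           "endtime": now - 60 if expired else now + 8 * 3600, "renew_till": now + 7 * 86400,
           "flags": 0x40E10000, "ticket": b"<constructed ticket bytes>"}
    conf = {"client": SAMPLE_USER, "enctype": 0, "key": b"", "starttime": 0, "endtime": 0,
            "renew_till": 0, "flags": 0, "ticket": b"yes",
            "server": (["krb5_ccache_conf_data", "fast_avail", "krbtgt/EXAMPLE.COM@EXAMPLE.COM"],
                       "X-CACHECONF:")}
    return build_ccache(SAMPLE_USER, [tgt, conf])
```

Inside the container, `parse_ccache(open("/tmp/krb5.cache", "rb").read())` on the mounted file tells you whether it is a v3/v4 MIT FILE cache at all (a file in some other cache format will fail the magic check rather than confuse klist), and `usable_tgt` tells you whether the TGT in it is still within its lifetime; if both pass, klist with KRB5CCNAME=FILE:/tmp/krb5.cache will see the same TGT. Two practical caveats follow from the format: every entry carries its session key, so the shared file is a credential and should be readable only by the user who owns it (check the mode you actually see inside the container, since a bind mount from Windows may not carry Unix permissions), and the tickets are good only until their endtime; unlike the Windows LSA described in the question, nothing on the Linux side will obtain fresh tickets for you, so the host-side cache has to be refreshed before it expires.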