
No key table entry found matching

Open cyberyor opened this issue 6 years ago • 3 comments

Hello,

Trying to set up Jupyterhub to authenticate LDAP users against an existing KDC on a separate node. So far, I have the following:

Dockerfile

FROM jupyterhub/jupyterhub

RUN apt-get update && \
    apt-get install --no-install-recommends -y \
        gcc \
        libpam-krb5 \
        krb5-user \
        libkrb5-dev \
        strace \
        wget \
        bzip2 \
        ca-certificates \
        p7zip-full

WORKDIR /opt/conda/bin/
RUN ./pip install git+https://github.com/bloomberg/jupyterhub-kdcauthenticator.git
RUN ./pip install kerberos
RUN ./pip install dockerspawner

# PAM_KRB5CCNAME is not set when opening the session for some reason and so we have to
# explicitly retain the cache created during auth instead.
# Also, turn on pam debug logging
RUN sed -i 's$1000$1000 ccache=/tmp/krb5cc_%u retain_after_close debug$' /etc/pam.d/common-auth
RUN sed -i 's$1000$1000 debug$' /etc/pam.d/common-session

# Configure kerberos
COPY krb5.conf /etc/

# Add the jupyterhub config
COPY jupyterhub_config.py /etc/jupyterhub/

# Add keytab file
COPY http-test.headless.keytab /etc/

WORKDIR /srv/jupyterhub
CMD KRB5_CONFIG="/etc/krb5.conf" KRB5_KTNAME="/etc/http-test.headless.keytab" jupyterhub --no-ssl  --ip=0.0.0.0 --port=8000 --config="/etc/jupyterhub/jupyterhub_config.py" --log-level=DEBUG --Spawner.debug=True

jupyterhub_config.py

import os

# Use the Kerberos/GSSAPI authenticator shipped by this project
c.JupyterHub.authenticator_class = 'kdcauthenticator.kdcauthenticator.KDCAuthenticator'
# Service name handed to the GSS acceptor (value as posted in the thread)
c.KDCAuthenticator.service_name = '[email protected]'
# Spawn each user's notebook server in a Docker container
c.JupyterHub.spawner_class = 'dockerspawner.DockerSpawner'
notebook_dir = os.environ.get('DOCKER_NOTEBOOK_DIR') or '/home/{user}/notebook'
c.DockerSpawner.notebook_dir = notebook_dir
# One named volume per user, mounted at the notebook directory
c.DockerSpawner.volumes = { 'jupyterhub-user-{username}': notebook_dir }

krb5.conf

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = MYDOMAIN.COM
  ticket_lifetime = 24h
  # MIT krb5 spells this option "clockskew"; an unknown key such as "clock-skew" is silently ignored
  clockskew = 300
#  dns_lookup_realm = false
#  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[domain_realm]
  mydomain.com = MYDOMAIN.COM
  .mydomain.com = MYDOMAIN.COM

[logging]
  default = FILE:/var/log/krb5kdc.log
  # admin_server and kdc logging only take effect on the KDC host itself
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log

[realms]
  MYDOMAIN.COM = {
    admin_server = kerberos.mydomain.com
    kdc = kerberos.mydomain.com
    # database_module is a KDC-side setting; client libraries ignore it
    database_module = openldap_ldapconf
  }

# [dbdefaults] and [dbmodules] configure the KDC's LDAP backend and are not
# consulted by the hub's client-side Kerberos libraries
[dbdefaults]
  ldap_kerberos_container_dn = cn=kerberos,dc=mydomaincomponent

[dbmodules]
  openldap_ldapconf = {
    db_library = kldap
    ldap_kdc_dn = "cn=admin,dc=mydomaincomponent"
    ldap_kadmind_dn = "cn=admin,dc=mydomaincomponent"
    ldap_service_password_file = /etc/krb5kdc/service.keyfile
    ldap_servers = ldap://kerberos.mydomain.com
    ldap_conns_per_server = 5
  }

However, when authenticating with a valid (LDAP) user, I get the following error:

JupyterHub kdcauthenticator:160] kerberos.GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('No key table entry found matching http-test/mydomain.com@', 39756033))

cyberyor, May 07 '18 14:05

Hi @joychak,

Is @cyberyor's use case with LDAP something that this authenticator supports?

Thanks!

@willingc from Project Jupyter

willingc, May 14 '18 11:05

Hi @cyberyor,

Struggling with this myself at the moment. Looking at your error, I think the problem is that the service-name has the wrong format.

Service principal names should be of the format <username>/<host>@MYDOMAIN.COM, whereas yours is just <username>@MYDOMAIN.COM (basically a regular principal), which kerberos does not allow/use as service principal names. Also, the host must be resolvable (to the correct IP address) by the KDC.

Unfortunately, information about this authenticator is very sparse. I found the slides for the initial presentation here; however, it seems that some components have been modified, but I didn't find any reference to it so far.

xmatthias, May 22 '18 10:05

I'm having a similar issue. My keytab file contains service principals:

```
Keytab name: FILE:/etc/httpfs.keytab
KVNO Timestamp           Principal
   2 09/27/2018 14:13:48 httpfs/[email protected]
   2 09/27/2018 14:13:48 httpfs/[email protected]
   2 09/27/2018 14:13:48 httpfs/[email protected]
   2 09/27/2018 14:13:48 HTTP/[email protected]
   2 09/27/2018 14:13:48 HTTP/[email protected]
   2 09/27/2018 14:13:48 HTTP/[email protected]
```

I tried several values for c.KDCAuthenticator.service_name, including 'HTTP', '[email protected]', and 'HTTP/[email protected]', but none works.

@xmatthias Could you show a sample keytab file and service name? Thank you!

cltsao, Sep 27 '18 19:09
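A small checker, added here and not part of the thread or of the authenticator's own code, that applies xmatthias's point about service principal format to keytab listings like cltsao's: it parses `klist -k` output and reports whether a given `c.KDCAuthenticator.service_name` can be matched against the keytab the way the GSS acceptor does. The realm MYDOMAIN.COM is the thread's placeholder; the hostname jupyter.mydomain.com, the sample listing, and the any-host rule for a bare service name are assumptions.

```python
import re
from typing import NamedTuple

# Constructed `klist -k` listing (not from the thread): the page's
# placeholder realm MYDOMAIN.COM plus an assumed hub host jupyter.mydomain.com.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/http-test.headless.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------
   2 09/27/2018 14:13:48 HTTP/jupyter.mydomain.com@MYDOMAIN.COM
   2 09/27/2018 14:13:48 httpfs/jupyter.mydomain.com@MYDOMAIN.COM
"""

class Principal(NamedTuple):
    service: str
    host: str   # empty for a plain user principal such as alice@MYDOMAIN.COM
    realm: str

def parse_principal(text: str) -> Principal:
    name, _, realm = text.partition("@")
    service, _, host = name.partition("/")
    return Principal(service, host, realm)

def parse_klist(output: str) -> list:
    """Pull the principals out of `klist -k` output, skipping header lines."""
    rx = re.compile(r"^\s*\d+\s+\S+ \S+\s+(\S+)\s*$")  # KVNO, date time, principal
    return [parse_principal(m.group(1)) for m in map(rx.match, output.splitlines()) if m]

def acceptor_name(service_name: str) -> Principal:
    """Mimic how a GSS host-based service name ('service@host', the form the
    kerberos module's server-side init takes) is matched against the keytab.
    MIT krb5 shows it as 'service/host@' with an empty realm, the exact shape
    of the thread's error. Without '@host' this checker accepts any host for
    the service (an assumption about the library, not a guarantee)."""
    service, _, host = service_name.partition("@")
    return Principal(service, host, "")

def keytab_matches(service_name: str, klist_output: str) -> list:
    want = acceptor_name(service_name)
    return [p for p in parse_klist(klist_output)
            if p.service == want.service and (not want.host or p.host == want.host)]

def diagnose(service_name: str, klist_output: str) -> str:
    """Return 'ok' or a message in the style of the GSS error from the thread."""
    want = acceptor_name(service_name)
    if keytab_matches(service_name, klist_output):
        return "ok"
    if "/" in want.service:
        return f"service part {want.service!r} contains '/': use 'service@host', not a full principal"
    return f"No key table entry found matching {want.service}/{want.host}@"
```

Feed it the real `klist -k /etc/http-test.headless.keytab` output and the configured service_name to see which of the three forms cltsao tried can match the keytab at all.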