Add ability to provide user specific krb5

Author: macsux

src/KerberosBuildpack/KerberosBuildpack.cs

@@ -1,19 +1,4 @@
-using System;
-using System.Collections.Generic;
-using System.IO;
-using System.Linq;
-using System.Net;
-using System.Reflection;
-using System.Text.Json;
-using System.Text.Json.Nodes;
-using System.Threading.Tasks;
-using Kerberos.NET;
-using Kerberos.NET.Client;
-using Kerberos.NET.Configuration;
-using Kerberos.NET.Credentials;
-using Kerberos.NET.Crypto;
-using Kerberos.NET.Entities;
-using Kerberos.NET.Transport;
+using System.Reflection;
 using NMica.Utils.IO;
 
 namespace KerberosBuildpack
@@ -30,6 +15,7 @@ protected override void Apply(AbsolutePath buildPath, AbsolutePath cachePath, Ab
             EnvironmentalVariables["KRB5_CONFIG"] = "/home/vcap/app/.krb5/krb5.conf";
             EnvironmentalVariables["KRB5CCNAME"] = "/home/vcap/app/.krb5/krb5cc";
             EnvironmentalVariables["KRB5_KTNAME"] = "/home/vcap/app/.krb5/service.keytab";
+            EnvironmentalVariables["KRB5_CLIENT_KTNAME"] = "/home/vcap/app/.krb5/service.keytab";
 
             Directory.CreateDirectory(krb5Dir);
 

src/KerberosBuildpack/KerberosBuildpack.csproj

@@ -10,13 +10,13 @@
 
   <ItemGroup>
     <PackageReference Include="CommandDotNet" Version="3.0.2" />
-    <PackageReference Include="Kerberos.NET" Version="4.5.124" />
+<!--    <PackageReference Include="Kerberos.NET" Version="4.5.124" />-->
     <PackageReference Include="NMica.Utils" Version="1.0.1" />
   </ItemGroup>
 
-  <ItemGroup>
-    <ProjectReference Include="..\KerberosSidecar\KerberosSidecar.csproj" />
-  </ItemGroup>
+<!--  <ItemGroup>-->
+<!--    <ProjectReference Include="..\KerberosSidecar\KerberosSidecar.csproj" />-->
+<!--  </ItemGroup>-->
 
   <ItemGroup>
     <EmbeddedResource Include="launch.yaml" />

src/KerberosSidecar/KerberosOptions.cs

@@ -37,6 +37,7 @@ public class KerberosOptions
     public KerberosClient KerberosClient { get; set; } = null!;
 
     public bool RunOnce { get; set; }
+    public bool GenerateKrb5 { get; set; }
 
     public class Validator : IValidateOptions<KerberosOptions>
     {

src/KerberosSidecar/KerberosSidecar.csproj

@@ -11,7 +11,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Kerberos.NET" Version="4.5.124" />
+    <PackageReference Include="Kerberos.NET" Version="4.5.155" />
     <PackageReference Include="MediatR.Extensions.Microsoft.DependencyInjection" Version="9.0.0" />
     <PackageReference Include="NetEscapades.Configuration.Yaml" Version="2.1.0" />
   </ItemGroup>

src/KerberosSidecar/KerberosWorker.cs

@@ -79,7 +79,10 @@ private async Task CreateMitKerberosKeytab()
 
     private async Task CreateMitKerberosKrb5Config()
     {
-        await File.WriteAllTextAsync(_options.CurrentValue.Kerb5ConfigFile,  _options.CurrentValue.KerberosClient.Configuration.Serialize(), _cancellationToken);
+        if (_options.CurrentValue.GenerateKrb5)
+        {
+            await File.WriteAllTextAsync(_options.CurrentValue.Kerb5ConfigFile, _options.CurrentValue.KerberosClient.Configuration.Serialize(), _cancellationToken);
+        }
     }
 
     /// <summary>
@@ -118,6 +121,11 @@ private  async Task<KeyTable> GenerateKeytab()
                 kerberosKeys.Add(key);
             }
         }
+        foreach (var (encryptionType, salt) in credentials.Salts)
+        {
+            var key = new KerberosKey(_options.CurrentValue.Password, new PrincipalName(PrincipalNameType.NT_PRINCIPAL, realm, new[] { $"{credentials.UserName}@{credentials.Domain.ToUpper()}" }), salt: salt, etype: encryptionType);
+            kerberosKeys.Add(key);
+        }
         var keyTable = new KeyTable(kerberosKeys.ToArray());
         return keyTable;
     }

src/KerberosSidecar/Program.cs

@@ -43,13 +43,21 @@
         options.Kerb5ConfigFile ??= Path.Combine(userKerbDir, "krb5.conf");
         options.KeytabFile ??= Path.Combine(userKerbDir, "krb5.keytab");
         options.CacheFile ??= Path.Combine(userKerbDir, "krb5cc");
+        options.GenerateKrb5 = options.Kerb5ConfigFile != null! ? !File.Exists(options.Kerb5ConfigFile) : true;
+        if (!options.GenerateKrb5)
+        {
+            log.LogInformation("Existing krb5.config was detected");
+        }
         Directory.CreateDirectory(Path.GetDirectoryName(options.Kerb5ConfigFile)!);
         Directory.CreateDirectory(Path.GetDirectoryName(options.KeytabFile)!);
         Directory.CreateDirectory(Path.GetDirectoryName(options.CacheFile)!);
 
         // var config = File.Exists(options.Kerb5ConfigFile) ? Krb5Config.Parse(File.ReadAllText(options.Kerb5ConfigFile)) : Krb5Config.Default();
         var config = Krb5Config.Default();
         config.Defaults.DefaultCCacheName = options.CacheFile;
+        config.Defaults.DefaultKeytabName = options.KeytabFile;
+        config.Defaults.DefaultClientKeytabName = options.KeytabFile;
+        
         string realm;
         try
         {
@@ -62,9 +70,13 @@
         options.Kdc ??= realm;
         if (realm != null)
         {
+            config.Defaults.DefaultRealm = realm;
             config.Realms[realm].Kdc.Add(options.Kdc);
+            config.Realms[realm].DefaultDomain = realm.ToLower();
+            config.DomainRealm.Add(realm.ToLower(), realm.ToUpper());
+            config.DomainRealm.Add($".{realm.ToLower()}", realm.ToUpper());
         }
-
+        
         var client = new KerberosClient(config, loggerFactory);
         client.CacheInMemory = false;
         client.Cache = new Krb5TicketCache(options.CacheFile);

src/KerberosSidecar/appsettings.Development.yaml

@@ -5,6 +5,6 @@ Logging:
     Microsoft.Hosting.Lifetime: Information
 KRB_SERVICE_ACCOUNT: iwaclient@macsux.com
 KRB_PASSWORD: P@ssw0rd
-KRB_KDC: dc1.macsux.com1
+KRB_KDC: dc1.macsux.com
 Routes:
   - "http://iwaclient"