This repository was archived by the owner on Nov 24, 2021. It is now read-only.

Commit 01b6457

Merge pull request #20 from wintoncode/improve_readme
Improve Readme
2 parents afc7abe + 139fcf9 commit 01b6457

File tree: 1 file changed, +15 -5 lines changed


README.md

Lines changed: 15 additions & 5 deletions
@@ -2,7 +2,7 @@
22
[![Travis Build Status](https://travis-ci.org/wintoncode/vault-plugin-auth-kerberos.svg?branch=master)](https://travis-ci.org/wintoncode/vault-plugin-auth-kerberos)
33

44
This is a standalone backend plugin for use with [Hashicorp Vault](https://www.github.com/hashicorp/vault).
5-
This plugin allows for users to authenticate with Vault via Kerberos.
5+
This plugin allows for users to authenticate with Vault via Kerberos/SPNEGO.
66

77
You can find binaries on the [Release page](https://github.com/wintoncode/vault-plugin-auth-kerberos/releases).
88

@@ -19,7 +19,7 @@ except:
1919
import winkerberos as kerberos
2020
import requests
2121

22-
service = "HTTP/vault.domain@YOUR-REALM.COM"
22+
service = "HTTP/vault.domain"
2323
rc, vc = kerberos.authGSSClientInit(service=service, mech_oid=kerberos.GSS_MECH_OID_SPNEGO)
2424
kerberos.authGSSClientStep(vc, "")
2525
kerberos_token = kerberos.authGSSClientResponse(vc)
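Review bot: the shortened `service = "HTTP/vault.domain"` only works as written for the winkerberos fallback (`import winkerberos as kerberos` in the `except:` branch); the primary MIT `kerberos` module's `authGSSClientInit` takes the host-based form `HTTP@vault.domain`, and passing `HTTP/vault.domain` to it does not yield the `HTTP/vault.domain@REALM` principal the keytab holds. Dropping the realm also silently assumes the client's Kerberos configuration can map `vault.domain` to the right realm. Suggest documenting both spellings next to each other, e.g. `service = "HTTP@vault.domain"  # pykerberos` and `service = "HTTP/vault.domain"  # winkerberos`, and keeping a note that the realm-qualified SPN still works where the realm mapping is not configured.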
@@ -50,7 +50,7 @@ $ vault write sys/plugins/catalog/auth/kerberos sha_256="$(shasum -a 256 'vault-
5050
2. Enable the Kerberos auth method:
5151

5252
```sh
53-
$ vault auth enable -passthrough-request-headers=Authorization kerberos
53+
$ vault auth enable -passthrough-request-headers=Authorization -allowed-response-headers=www-authenticate kerberos
5454
Success! Enabled kerberos auth method at: kerberos/
5555
```
5656

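Review bot: `-allowed-response-headers=www-authenticate` is added to the enable command without saying why it is needed, so a reader with an already-enabled mount will not know their setup is now incomplete. Suggest one sentence after the command stating that Vault must be allowed to return the plugin's `WWW-Authenticate` header so clients receive the `Negotiate` challenge, and that an existing mount can be updated in place with `vault auth tune -allowed-response-headers=www-authenticate kerberos/` rather than disabled and re-enabled (which would drop its configuration).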
@@ -68,6 +68,10 @@ slot KVNO Principal
6868
ktutil: wkt vault.keytab
6969
```
7070

71+
The KVNO (`-k 1`) should match the KVNO of the service account. An error will show in the vault logs if this is incorrect.
72+
73+
Different encryption types can also be added to the keytab, for example `-e rc4-hmac` with additional `addent` commands.
74+
7175
Then base64 encode it:
7276
```sh
7377
base64 vault.keytab > vault.keytab.base64
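Review bot: `-e rc4-hmac` is the wrong example encryption type to put in the docs without a caveat; it is the deprecated RC4/MD4 type that Active Directory keeps only for legacy clients, and showing it as the example invites people to enable it. Suggest using `-e aes256-cts-hmac-sha1-96` as the example and stating that `rc4-hmac` should only be added when the service account still has RC4 enabled and no AES type is available. The KVNO paragraph also only says "an error will show in the vault logs"; it would help to say how to find the correct value before writing the keytab (in Active Directory, the account's `msDS-KeyVersionNumber` attribute) and that the KVNO increments on every password reset of the service account, so the keytab must be regenerated and re-uploaded after each reset.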
@@ -77,7 +81,14 @@ base64 vault.keytab > vault.keytab.base64
7781
vault write auth/kerberos/config [email protected] service_account="your_service_account"
7882
```
7983

80-
4. Configure LDAP backend to look up Vault policies.
84+
4. Add a SPNs (Service Principal Names) to your KDC for your service and service account. This should map the vault service to the account it is running as:
85+
```sh
86+
# for Windows/Active Directory
87+
setspn.exe -U -S HTTP/vault.domain:8200 your_service_account
88+
setspn.exe -U -S HTTP/vault.domain your_service_account
89+
```
90+
91+
5. Configure LDAP backend to look up Vault policies.
8192
Configuration for LDAP is identical to the [LDAP](https://www.vaultproject.io/docs/auth/ldap.html)
8293
auth method, but writing to to the Kerberos endpoint:
8394

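Review bot: "Add a SPNs (Service Principal Names)" should read "Add SPNs (Service Principal Names)", and "the account it is running as" is misleading: the SPN has to map to the account whose keytab was uploaded in step 3 (`service_account`), which need not be the OS account the Vault process runs under. Suggest "This should map the Vault service to the service account configured in step 3". It would also help to say which of the two SPNs clients use: browsers and most GSSAPI clients request `HTTP/vault.domain` regardless of the listener port, so the `HTTP/vault.domain:8200` entry only matters for clients that include the port in the SPN. The unchanged context line "writing to to the Kerberos endpoint" has a doubled "to" that could be fixed in the same pass.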
@@ -175,4 +186,3 @@ You can also specify a `TESTARGS` variable to filter tests like so:
175186
```sh
176187
$ make test TESTARGS='--run=TestConfig'
177188
```
178-

0 commit comments