Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot locate SRV record in docker container #375

Closed
LordXaosa opened this issue Sep 6, 2024 · 7 comments
Closed

Cannot locate SRV record in docker container #375

LordXaosa opened this issue Sep 6, 2024 · 7 comments
Labels
bug

Comments

@LordXaosa
Copy link

LordXaosa commented Sep 6, 2024
edited
Loading

I'm trying to authorize httpclient using following code:

var kerbCred = new KerberosPasswordCredential($"{config.User}@{config.DomainName}", $"{config.Password}");
await client.Authenticate(kerbCred);
var ticket = await client.GetServiceTicket($"http/{config.Host}");
var header = Convert.ToBase64String(ticket.EncodeGssApi().ToArray());
httpclient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Negotiate", header);

On windows works perfect, but in docker container on same machine it doesn't work:

System.AggregateException: One or more errors occurred. (Cannot locate SRV record for DOMAIN) (KDC KRB_ERR_RESPONSE_TOO_BIG: Response too big for UDP; retry with TCP) (Cannot locate a KDC Proxy endpoint for DOMAIN)
 ---> Kerberos.NET.Transport.KerberosTransportException: Cannot locate SRV record for DOMAIN
   at Kerberos.NET.Transport.KerberosTransportBase.SelectedPreferredInstance(String domain, String servicePrefix, IEnumerable1 results, Int32 defaultPort) in D:\a\1\s\Kerberos.NET\Client\Transport\KerberosTransportBase.cs:line 187
   at Kerberos.NET.Transport.KerberosTransportBase.LocatePreferredKdc(String domain, String servicePrefix) in D:\a\1\s\Kerberos.NET\Client\Transport\KerberosTransportBase.cs:line 168
   at Kerberos.NET.Transport.TcpKerberosTransport.GetClient(Func1 locatePreferredServer) in D:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 99
   at Kerberos.NET.Transport.TcpKerberosTransport.SendMessageTCP(String domain, ReadOnlyMemory1 encoded, CancellationToken cancellation, Func1 locatePreferredServer) in D:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 75
   at Kerberos.NET.Transport.TcpKerberosTransport.SendMessage(String domain, ReadOnlyMemory1 encoded, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 54
   at Kerberos.NET.Transport.KerberosTransportSelector.<>c__DisplayClass7_0.<<SendMessage>b__0>d.MoveNext() in D:\a\1\s\Kerberos.NET\Client\Transport\KerberosTransportSelector.cs:line 76
--- End of stack trace from previous location ---
   at Kerberos.NET.Transport.KerberosTransportSelector.SendMessageOnTransport(String domain, Func2 cbSend) in D:\a\1\s\Kerberos.NET\Client\Transport\KerberosTransportSelector.cs:line 126
   --- End of inner exception stack trace ---
   at Kerberos.NET.Transport.KerberosTransportSelector.SendMessageOnTransport(String domain, Func2 cbSend) in D:\a\1\s\Kerberos.NET\Client\Transport\KerberosTransportSelector.cs:line 145
   at Kerberos.NET.Transport.KerberosTransportSelector.SendMessage(String domain, ReadOnlyMemory1 encoded, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\Transport\KerberosTransportSelector.cs:line 72
   at Kerberos.NET.Transport.KerberosTransportBase.SendMessage[T](String domain, ReadOnlyMemory1 req, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\Transport\KerberosTransportBase.cs:line 112
   at Kerberos.NET.Client.KerberosClient.RequestTgt(KerberosCredential credential, KrbPrincipalName tgtServicePrincipal) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 1325
   at Kerberos.NET.Client.KerberosClient.AuthenticateCredential(KerberosCredential credential, String tgtServiceName) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 384
   at Kerberos.NET.Client.KerberosClient.AuthenticateCore(KerberosCredential credential, String tgtServiceName) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 365
   at Kerberos.NET.Client.KerberosClient.Authenticate(KerberosCredential credential) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 322

I tried nslookup on both environments, windows:

╤хЁтхЁ:  server.internal
Address:  10.129.0.X

_kerberos._udp.DOMAIN  SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = adhost.DOMAIN
adhost.DOMAIN internet address = 10.129.0.X

on docker container:

nslookup -type=SRV _kerberos._udp.DOMAIN
Server:         192.168.65.7
Address:        192.168.65.7#53

Non-authoritative answer:
_kerberos._udp.DOMAIN  service = 0 100 88 adhost.DOMAIN.

So seems that dns works fine.

Expected behavior
All works fine

What am I doing wrong?
@LordXaosa LordXaosa added the bug label Sep 6, 2024
@LordXaosa
Copy link
Author

LordXaosa commented Sep 6, 2024
edited
Loading

Weird thing. If I nslookup domain only I will get different answers from docker and windows. Windows:

nslookup -type=SRV DOMAIN
╤хЁтхЁ: server.internal
Address:  10.129.0.X

DOMAIN
        primary name server = adhost.DOMAIN
        responsible mail addr = hostmaster.DOMAIN
        serial  = 2564
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

But docker seems can't find it:

nslookup -type=SRV DOMAIN
Server:         192.168.65.7
Address:        192.168.65.7#53

Non-authoritative answer:
*** Can't find DOMAIN: No answer

Authoritative answers can be found from:
DOMIAN
        origin = adhost.DOMAIN
        mail addr = hostmaster.DOMAIN
        serial = 2564
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600

nslookup -type=SRV DOMAIN 10.129.0.X
Server:         10.129.0.X
Address:        10.129.0.X#53

*** Can't find DOMAIN: No answer

May be it's relevant

@DanielMGoldberg
Copy link

Hi!
This is a duplicate of #185
The solution is to use DnsQuerry in your code.

@LordXaosa
Copy link
Author

Wow! Thank you so much it worked!
May be it could be a part of main library?

@DanielMGoldberg
Copy link

Wow! Thank you so much it worked! May be it could be a part of main library?

You're welcome.
I think the nugget author was working on it, I don't really know if it's been completed.

@SteveSyfuhs
Copy link
Collaborator

The goal is to keep 3rd party dependencies to a minimum. There aren't many Linux users of this library so there hasn't been a big demand, though that is changing. Another contributer started work on native DNS support but it hasn't gone anywhere recently. I suspect it was a bigger job than they thought it would be. #334

@LordXaosa
Copy link
Author

The goal is to keep 3rd party dependencies to a minimum. There aren't many Linux users of this library so there hasn't been a big demand, though that is changing. Another contributer started work on native DNS support but it hasn't gone anywhere recently. I suspect it was a bigger job than they thought it would be. #334

I thought there are many users of docker. Sound reasonable about 3d party. Thanks.

@SteveSyfuhs
Copy link
Collaborator

I'm just basing that on cases I've debugged. Could be higher. There's no telemetry to say one way or another. Submissions to finish the PR are of course always welcome.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@LordXaosa @SteveSyfuhs @DanielMGoldberg