openldap + kerberos - unable to reach any KDC in realm


On macOS the default client does not fall back to TCP. In your krb5.conf, prefix your kdc with tcp/ to force the client to use TCP if your network blocks UDP traffic (as some network admins might do).

kdc = tcp/ds01.int.domain.com:88


You need multiple things to get a containerized KDC reachable from the outside.

Let's assume you are using port 88, as that is the default, and let's also assume your image is called docker-kdc.

  1. Make sure port 88 is exposed.

EXPOSE 88

  2. Make sure your KDC daemon listens on that port. For the sake of this example, I am simply using the KDC as an entrypoint; you should be able to extrapolate if that does not apply to your specific case.

# exec form: every argument is its own JSON string, so the port flag and its
# value are passed as two separate argv entries rather than one "-P 88" string
ENTRYPOINT ["/usr/lib/heimdal-servers/kdc", "--config-file=/etc/heimdal-kdc/kdc.conf", "-P", "88"]

  3. When running the container, I am using port forwarding towards 48088. Note that the KDC uses both TCP and UDP, so both have to be published.

docker run -d -h kdc --name kdc -p 48088:88/udp -p 48088:88 docker-kdc

From this point on, your KDC should be reachable from within the host system.


=== OSX Only ===

  4. Now, given that you are using OSX (boot2docker -> VirtualBox), you will also need to set up port forwarding towards your OSX environment, again for both TCP and UDP.

VBoxManage controlvm boot2docker-vm natpf1 "48088/tcp,tcp,127.0.0.1,48088,,48088"

VBoxManage controlvm boot2docker-vm natpf1 "48088/udp,udp,127.0.0.1,48088,,48088"


  5. Get the IP address of your docker container if needed.

    • When using plain docker (on Linux), you can simply use the loopback 127.0.0.1.

    • When using boot2docker (on OSX), you will get that using: boot2docker ip

  6. Prepare a minimal krb5.conf that makes use of the KDC. For the sake of this example, I am using a realm called EXAMPLE.COM on the domain example.com. Note that you will have to replace IP with the result of step 5.

[libdefaults]
    default_realm = EXAMPLE.COM
    noaddresses = true

[realms]
    EXAMPLE.COM = {
        kdc = IP:48088
        admin_server = IP:48088
    }

[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM

  7. Now go ahead and test that configuration.

export KRB5_CONFIG=PATH_TO_THE_KRB5.CONF_FILE_FROM_STEP_6

kinit test/foo.example.com@EXAMPLE.COM

Since I had to do this for a project of mine, I packed it all into some little script that might be helpful for your further research; https://github.com/tillt/docker-kdc
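The two answers above come down to the same check: is the kdc line in krb5.conf pointing at a host:port the client can actually reach, and over a transport the network lets through. The script below is an added example, not code from either answer or from the docker-kdc project. It generates the minimal krb5.conf from the steps above (realm, domain, KDC address and port are parameters; the `tcp/` prefix from the macOS answer is optional) and probes the KDC's TCP port with bash's `/dev/tcp` so a blocked or unpublished port shows up before `kinit` does. Function names, the `--demo` style invocation and the 48088 example port are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original answers): build the minimal krb5.conf
# used in the thread and probe the KDC port before running kinit.

# kdc_entry HOST PORT [udp|tcp]
# Prints the value for a "kdc =" line. With "tcp" the Heimdal-style tcp/
# prefix is added so the client never tries UDP first.
kdc_entry() {
  host=$1; port=$2; transport=${3:-udp}
  case "$transport" in
    tcp) printf 'tcp/%s:%s\n' "$host" "$port" ;;
    udp) printf '%s:%s\n' "$host" "$port" ;;
    *) echo "kdc_entry: unknown transport '$transport'" >&2; return 1 ;;
  esac
}

# gen_krb5_conf REALM DOMAIN HOST PORT [udp|tcp]
# Prints a krb5.conf on stdout mirroring the layout from step 6 above.
gen_krb5_conf() {
  realm=$1; domain=$2; host=$3; port=$4; transport=${5:-udp}
  entry=$(kdc_entry "$host" "$port" "$transport") || return 1
  lower=$(printf '%s' "$domain" | tr 'A-Z' 'a-z')
  cat <<EOF
[libdefaults]
    default_realm = $realm
    noaddresses = true

[realms]
    $realm = {
        kdc = $entry
        admin_server = $host:$port
    }

[domain_realm]
    $lower = $realm
    .$lower = $realm
EOF
}

# tcp_open HOST PORT
# Returns 0 if a TCP connect to HOST:PORT succeeds, 1 otherwise.
# Uses bash's /dev/tcp pseudo-device; under a shell without it the open
# simply fails, which is reported as "not reachable".
tcp_open() {
  host=$1; port=$2
  ( exec 3<>"/dev/tcp/$host/$port" ) 2>/dev/null
}

# Usage: ./kdc-check.sh REALM DOMAIN HOST PORT [udp|tcp] > krb5.conf
# e.g.   ./kdc-check.sh EXAMPLE.COM example.com 127.0.0.1 48088 tcp
if [ "$#" -ge 4 ]; then
  if tcp_open "$3" "$4"; then
    echo "KDC $3:$4 reachable over TCP" >&2
  else
    echo "warning: KDC $3:$4 not reachable over TCP (port unpublished or filtered)" >&2
  fi
  gen_krb5_conf "$@"
fi
```

Point `KRB5_CONFIG` at the generated file and run `kinit` as in step 7. If the probe reports the port unreachable while the container is running, the usual culprits on this page apply: the port is not published for TCP in `docker run`, or (boot2docker) the VirtualBox NAT rule is missing. If TCP is open but `kinit` still fails on macOS, regenerate with the `tcp` transport so the kdc line carries the `tcp/` prefix.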


Ensure that the krb5.conf file is in the /etc directory. I had the same issue and had no firewall issues, but was still getting the same error. Finally, I was able to fix the issue by moving the krb5.conf file to the /etc directory.