InitializeSecurityContext: The specified target is

Posted 2019-08-19 23:24

Question:

Overall goal: I'm trying to authenticate to Active Directory over LDAP with Kerberos on Windows. Due to dependencies, I'm unable to use python-ldap or python-gssapi, so I'm using ldap3 with the patch found in this answer to use Kerberos (by way of winkerberos instead of python-gssapi).

Example code:

from ldap3 import Connection, Server, ALL, IP_V4_PREFERRED, SASL, GSSAPI

domain_controller = input("DC: ")

SERVER = Server(domain_controller,
                allowed_referral_hosts=[('*', True)],
                get_info=ALL,
                mode=IP_V4_PREFERRED)

CONNECTION = {"authentication": SASL,
              "sasl_mechanism": GSSAPI,
              "check_names": True}

c = Connection(SERVER, **CONNECTION)
c.bind()

Throws:

  File "ldap3\core\connection.py", line 550, in bind
    response = self.do_sasl_bind(controls)
  File "ldap3\core\connection.py", line 1252, in do_sasl_bind
    result = sasl_gssapi(self, controls)
  File "ldap3\protocol\sasl\kerberos.py", line 54, in sasl_gssapi
    base64.b64encode(in_token).decode('ascii')
winkerberos.GSSError: SSPI: InitializeSecurityContext: The specified target is unknown or unreachable

I've tried changing @ to / from the solution here without any difference. The socket is resolving the DC FQDN properly, the DC has the SASL/GSSAPI mechanism supported, and I can alternatively pass a username/password to bind successfully. The part failing here sounds Kerberos-specific.

Question: what is causing this error and how can I remediate it?