Overall goal: I'm trying to authenticate to Active Directory over LDAP with Kerberos on Windows. Due to dependencies, I'm unable to use python-ldap or python-gssapi, so I'm using ldap3 with the patch found in this answer to use Kerberos (by way of winkerberos instead of python-gssapi).
Example code:
from ldap3 import Connection, Server, ALL, IP_V4_PREFERRED, SASL, GSSAPI

domain_controller = input("DC: ")

SERVER = Server(domain_controller,
                allowed_referral_hosts=[('*', True)],
                get_info=ALL,
                mode=IP_V4_PREFERRED)

CONNECTION = {"authentication": SASL,
              "sasl_mechanism": GSSAPI,
              "check_names": True}

c = Connection(SERVER, **CONNECTION)
c.bind()
Throws:
File "ldap3\core\connection.py", line 550, in bind
response = self.do_sasl_bind(controls)
File "ldap3\core\connection.py", line 1252, in do_sasl_bind
result = sasl_gssapi(self, controls)
File "ldap3\protocol\sasl\kerberos.py", line 54, in sasl_gssapi
base64.b64encode(in_token).decode('ascii')
winkerberos.GSSError: SSPI: InitializeSecurityContext: The specified target is unknown or unreachable
I've tried changing @ to / from the solution here without any difference. The socket is resolving the DC FQDN properly, the DC has the SASL/GSSAPI mechanism supported, and I can alternatively pass a username/password to bind successfully. The part failing here sounds Kerberos-specific.
Question: what is causing this error and how can I remediate it?
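As an added, standard-library-only diagnostic (not code from the question or from ldap3/winkerberos), the following helper shows what a Kerberos SASL layer has to work with before any SSPI call is made: how the target string was given (IP literal, short name, or FQDN), the two spellings of the LDAP service name that the question mentions switching between (`ldap@host` and `ldap/host`), and what forward and reverse DNS return for that host. The service class `ldap` is an assumption, as is the idea that the caller passes the same hostname string it gave to ldap3's `Server`; the network lookups only run from the `__main__` block, so the pure functions can be exercised offline.

```python
import ipaddress
import socket


def classify_target(target: str) -> str:
    """Return 'ip', 'short' or 'fqdn' for the string handed to the LDAP client.

    A Kerberos service ticket is requested for a name, so an IP literal or a
    bare short name gives the client less to match against a registered SPN
    than a fully qualified name does.
    """
    try:
        ipaddress.ip_address(target)
        return "ip"
    except ValueError:
        pass
    return "fqdn" if "." in target.strip(".") else "short"


def spn_candidates(target: str, service: str = "ldap") -> list:
    """Both spellings of the service name a GSSAPI/SSPI binding may expect.

    'ldap@host' is the GSSAPI hostbased-service form; 'ldap/host' is the
    Kerberos principal form. The question reports trying both; this just makes
    the two strings explicit so they can be compared with what is registered.
    Assumption: service class 'ldap' and a lower-cased, dot-stripped host.
    """
    host = target.strip(".").lower()
    return ["{}@{}".format(service, host), "{}/{}".format(service, host)]


def target_findings(target: str) -> list:
    """Human-readable observations about the target form (no network access)."""
    kind = classify_target(target)
    findings = ["target form: {}".format(kind)]
    if kind == "ip":
        findings.append("IP literal given; a Kerberos SPN is built from a host name, "
                        "so prefer the DC's FQDN")
    elif kind == "short":
        findings.append("short name given; the name used for the SPN may differ "
                        "from the FQDN the DC is registered under")
    findings.extend("candidate SPN: {}".format(s) for s in spn_candidates(target))
    return findings


def dns_view(target: str) -> dict:
    """Forward and reverse lookup of the target (this one does touch the network).

    Returned for comparison with the SPN candidates: if the reverse name does not
    match the name used to build the SPN, that is worth noting alongside the
    SSPI 'target is unknown or unreachable' message.
    """
    view = {"target": target, "addresses": [], "reverse": {}}
    try:
        view["addresses"] = sorted({ai[4][0] for ai in socket.getaddrinfo(target, 389)})
    except socket.gaierror as exc:
        view["error"] = str(exc)
        return view
    for addr in view["addresses"]:
        try:
            view["reverse"][addr] = socket.gethostbyaddr(addr)[0]
        except socket.herror as exc:
            view["reverse"][addr] = "reverse lookup failed: {}".format(exc)
    return view


if __name__ == "__main__":
    dc = input("DC: ")
    for line in target_findings(dc):
        print(line)
    print(dns_view(dc))
```

Run it with the same string you type at ldap3's `DC:` prompt; the point is to see, side by side, the SPN strings the client will be asking a ticket for and the names DNS actually returns, without involving SSPI at all.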