Ubuntu: 22.04 (Kerberos 5 version 1.19.2, which supports RBKCD)
Python: 3.9.16
hdbcli: 2.14.24
- Users have accounts in Kerberos REALM A.
- A mid-tier Dash App server, with a service account and principal in REALM A.
- The SAP HANA instance is in REALM B.
Cross-realm delegation from A to B via RBKCD (Resource-Based Kerberos Constrained Delegation) has been set up between the service account for SAP HANA and the service account for the Dash App:
# Look up the delegation group (which lives in REALM A) through B's global catalog on port 3268
$rb = Get-ADGroup -Server B:3268 -Identity "CN=rbkcd_dl_cdp,OU=Security_Groups,DC=a,DC=example,DC=com"
# Allow members of that group to delegate to the HANA service account in REALM B
Set-ADUser -Server B -Identity HANA-ACCOUNT -PrincipalsAllowedToDelegateToAccount $rb
Port 3268 is the LDAP global catalog. rbkcd_dl_cdp is a group containing the service accounts for the mid-tier services.
Then connecting:
from hdbcli import dbapi

host = 'hana.b.example.com'
port = 31115
# No user/password given: the Kerberos ticket of the mid-tier service is expected to be used
cnx_hdb = dbapi.connect(address=host, port=port)
gives: Kerberos error. Major: "unspecified [851968]", minor: "Server not found in Kerberos database"
We have a similar setup with MS SQL, which works:
import pyodbc

driver = 'ODBC Driver 18 for SQL Server'
host = 'sql.b.example.com'
port = 1433
server = f'{host},{port}'
SPN = 'MSSQLSvc/sql'  # service principal name the driver should request a ticket for
conn_pyodbc = f'Driver={driver};Server={server};ServerSPN={SPN};Trusted_Connection=yes;TrustServerCertificate=Yes'
cnx_pyodbc = pyodbc.connect(conn_pyodbc, timeout=2)
This works :)
I am looking for a "ServerSPN" setting for dbapi.connect, or an environment variable? Or maybe to understand if there are some problems with DNS?
Interestingly, if ";ServerSPN={SPN}" is taken out of the connection string, then MS SQL gives the same error as SAP.
If I set KRB5_CONFIG to a temp krb5.conf file, then MS SQL complains if I make silly things. But HANA seems not to respect this.
As a temporary fix, a TGT can be created via the user's password, which does:
echo pwd | kinit user@A.EXAMPLE.COM
And then SAP also works, with a TGT on the mid-tier service.
We have the SPN registered in REALM B: hdb/hana.b.example.com on B\HANA-ACCOUNT
I am wondering if I should add the SPN with a port number? setspn -U -S hdb/hana.b.example.com:1433 B\HANA-ACCOUNT
I have looked at DNS: nslookup hana.b.example.com and a reverse nslookup of IP-FROM-BEFORE. This seems fine. :)
After testing with the environment variable KRB5_CONFIG=/TEMP/krb5.conf and setting dns_lookup_kdc = false, I can kind of conclude that it looks like hdbcli is going directly to B.EXAMPLE.COM instead of first negotiating with A.EXAMPLE.COM, like MS SQL does. Does hdbcli (2.14.24) support RBKCD?
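A way to settle the "does hdbcli go straight to B" question from evidence rather than inference, added here as an example and not part of the question, of hdbcli or of SAP: MIT krb5 (the 1.19.2 on Ubuntu 22.04 included) writes a step-by-step trace of ticket acquisition and KDC traffic when the KRB5_TRACE environment variable points at a file. The script below parses such a trace and classifies the path the client took: straight to the service realm with a client-realm TGT, a request to the client realm that was never referred into B, or a successful referral chain. The three sample traces are constructed to mirror MIT krb5's trace message formats (get_creds.c and sendto_kdc.c); the principal dashapp@A.EXAMPLE.COM, the PIDs, timestamps and byte counts are assumptions. One caveat: if hdbcli ignores KRB5_CONFIG it may bundle its own GSS/Kerberos library and ignore KRB5_TRACE too, in which case an empty trace from the hdbcli run next to a populated one from the pyodbc run is itself a useful data point.

```python
# Added diagnostic (not from the question, hdbcli or SAP): classify an MIT krb5
# KRB5_TRACE log for a cross-realm service-ticket request.
# Usage: KRB5_TRACE=/tmp/hdb.trace python connect_hana.py ; python krb5_trace_check.py /tmp/hdb.trace
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CLIENT_REALM = "A.EXAMPLE.COM"   # realm of the user and mid-tier account (from the question)
SERVICE_REALM = "B.EXAMPLE.COM"  # realm where hdb/hana.b.example.com is registered
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = -1765328377  # "Server not found in Kerberos database"

# Message formats follow MIT krb5's trace strings (trace.h); the "[pid] ts: " prefix is stripped first.
RE_REQUEST = re.compile(r"Requesting tickets for (?P<princ>\S+), referrals (on|off)")
RE_SEND = re.compile(r"Sending request \(\d+ bytes\) to (?P<realm>[A-Za-z0-9.\-]+)")
RE_REFERRAL = re.compile(r"Received TGT referral into realm (?P<realm>\S+)")
RE_KDC_ERR = re.compile(r"Received error from KDC: (?P<code>-?\d+)/(?P<msg>.+)")
RE_DONE = re.compile(r"Received creds for desired service (?P<princ>\S+)")


@dataclass
class TraceSummary:
    requested: List[str] = field(default_factory=list)   # principals named in TGS-REQs
    kdc_realms: List[str] = field(default_factory=list)  # realms actually contacted, in order
    referrals: List[str] = field(default_factory=list)   # realms entered via a TGT referral
    errors: List[Tuple[int, str]] = field(default_factory=list)  # (code, message) from KDCs
    completed: Optional[str] = None                      # service principal if a ticket was obtained


def parse_trace(text: str) -> TraceSummary:
    s = TraceSummary()
    for line in text.splitlines():
        msg = line.split(": ", 1)[-1]  # drop the "[pid] timestamp: " prefix
        if m := RE_REQUEST.search(msg):
            s.requested.append(m["princ"])
        elif m := RE_SEND.search(msg):
            s.kdc_realms.append(m["realm"])
        elif m := RE_REFERRAL.search(msg):
            s.referrals.append(m["realm"])
        elif m := RE_KDC_ERR.search(msg):
            s.errors.append((int(m["code"]), m["msg"].strip()))
        elif m := RE_DONE.search(msg):
            s.completed = m["princ"]
    return s


def diagnose(s: TraceSummary) -> Tuple[str, str]:
    """Return (code, explanation) describing the ticket-acquisition path seen in the trace."""
    if s.completed:
        return "ok", f"service ticket obtained for {s.completed} via KDCs of {s.kdc_realms}"
    if s.kdc_realms and s.kdc_realms[0] != CLIENT_REALM:
        # The library never asked the client realm for a cross-realm TGT (krbtgt/B@A).
        return ("direct_to_service_realm",
                f"first TGS-REQ went to {s.kdc_realms[0]} with a {CLIENT_REALM} TGT; "
                f"no cross-realm TGT was requested from {CLIENT_REALM} first")
    if SERVICE_REALM not in s.referrals and any(c == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for c, _ in s.errors):
        # Client realm was asked but answered 'Server not found' without a referral into B.
        return ("no_cross_realm_referral",
                f"{CLIENT_REALM} KDC returned 'Server not found' and never referred the client into "
                f"{SERVICE_REALM}: check the [domain_realm] host-to-realm mapping and the SPN/trust, "
                "not the client library")
    return "unknown", f"requests={s.requested} realms={s.kdc_realms} errors={s.errors}"


# Constructed sample traces (formats mirror MIT krb5 1.19; all values are illustrative).
TRACE_DIRECT = """\
[2881] 1692000000.100000: Getting credentials dashapp@A.EXAMPLE.COM -> hdb/hana.b.example.com@B.EXAMPLE.COM using ccache FILE:/tmp/krb5cc_dash
[2881] 1692000000.100200: Requesting tickets for hdb/hana.b.example.com@B.EXAMPLE.COM, referrals off
[2881] 1692000000.100300: Sending request (1402 bytes) to B.EXAMPLE.COM
[2881] 1692000000.120000: Received error from KDC: -1765328377/Server not found in Kerberos database
"""
TRACE_NO_MAPPING = """\
[2882] 1692000100.100000: Getting credentials dashapp@A.EXAMPLE.COM -> hdb/hana.b.example.com@ using ccache FILE:/tmp/krb5cc_dash
[2882] 1692000100.100200: Requesting tickets for hdb/hana.b.example.com@A.EXAMPLE.COM, referrals on
[2882] 1692000100.100300: Sending request (1402 bytes) to A.EXAMPLE.COM
[2882] 1692000100.120000: Received error from KDC: -1765328377/Server not found in Kerberos database
"""
TRACE_REFERRAL = """\
[2883] 1692000200.100000: Getting credentials dashapp@A.EXAMPLE.COM -> hdb/hana.b.example.com@ using ccache FILE:/tmp/krb5cc_dash
[2883] 1692000200.100200: Requesting tickets for hdb/hana.b.example.com@A.EXAMPLE.COM, referrals on
[2883] 1692000200.100300: Sending request (1402 bytes) to A.EXAMPLE.COM
[2883] 1692000200.110000: Received TGT referral into realm B.EXAMPLE.COM
[2883] 1692000200.110100: Requesting tickets for hdb/hana.b.example.com@B.EXAMPLE.COM, referrals on
[2883] 1692000200.110200: Sending request (1509 bytes) to B.EXAMPLE.COM
[2883] 1692000200.130000: Received creds for desired service hdb/hana.b.example.com@B.EXAMPLE.COM
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real trace file captured with KRB5_TRACE=<file>
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(diagnose(parse_trace(fh.read())))
    else:
        for name, t in (("direct", TRACE_DIRECT), ("no_mapping", TRACE_NO_MAPPING), ("referral", TRACE_REFERRAL)):
            print(name, "->", diagnose(parse_trace(t)))
```

Run the hdbcli connect once with KRB5_TRACE set and the pyodbc connect once with the same variable, and compare the two classifications: a "direct_to_service_realm" result for hdbcli next to a referral chain for the ODBC driver would confirm the hypothesis above, while "no_cross_realm_referral" for both points at the host-to-realm mapping or SPN registration instead of the library.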