Support creating krb5.conf via configuration variables
Problem
Our Kerberos support requires the user to create a krb5.conf file in a before_script.
Creating the file requires running the container as administrator (root), which may be in violation
of customer security policies.
Proposal
Create the /etc/krb5.conf automatically using information from new variables.
Example krb5.conf file:

    [libdefaults]
        # Realm is another name for domain name
        default_realm = EXAMPLE.COM
        # These settings are not needed for Windows Domains
        # they support other Kerberos implementations
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        rdns = false
        fcc-mit-ticketflags = true
    [realms]
        EXAMPLE.COM = {
            # Domain controller or KDC
            kdc = kdc.example.com
        }
    [domain_realm]
        # Mapping DNS domains to realms/Windows domain
        # DNS domains provided by DAST_AUTH_NEGOTIATE_DELEGATION
        # should also be represented here (but without the wildcard)
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

Information we need to fill this out:
- Realm/domain name (EXAMPLE.COM)
- DNS domains (example.com)
- KDC (kdc.example.com)
Existing variables:
DAST_AUTH_NEGOTIATE_DELEGATION: *.example.com,example.com,...
New variables:
DAST_AUTH_KERBEROS_REALM: EXAMPLE.COM
DAST_AUTH_KERBEROS_DC: kdc.example.com
The DAST_AUTH_NEGOTIATE_DELEGATION variable will provide DNS domains. This, combined with the two new variables, should be enough to generate a valid /etc/krb5.conf file.
Edited by 🤖 GitLab Bot 🤖
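
One way to render the file from the three variables, as an added example that is not part of the original issue and not GitLab's implementation. The function name `render_krb5_conf`, the helper names and the DNS-label validation rule are assumptions; the validation is there because the values come from CI variables and are written into a configuration file, so a value containing a newline, `=` or a brace must not be able to add lines or sections.

```python
import re

# One or more DNS labels. Anything else (whitespace, newlines, '=', braces)
# is rejected so a variable value cannot inject extra krb5.conf lines.
_NAME = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")

# [libdefaults] settings copied from the example file in the issue.
_LIBDEFAULTS = ["kdc_timesync = 1", "ccache_type = 4", "forwardable = true",
                "proxiable = true", "rdns = false", "fcc-mit-ticketflags = true"]


def _checked(value, what):
    """Hypothetical helper: strip and validate one realm, host or domain name."""
    value = value.strip()
    if not _NAME.fullmatch(value):
        raise ValueError(f"invalid {what}: {value!r}")
    return value


def render_krb5_conf(env):
    """Return krb5.conf text built from the three DAST_AUTH_* variables."""
    realm = _checked(env["DAST_AUTH_KERBEROS_REALM"], "realm")
    kdc = _checked(env["DAST_AUTH_KERBEROS_DC"], "KDC")
    domains = []
    for entry in env.get("DAST_AUTH_NEGOTIATE_DELEGATION", "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        # "*.example.com" -> ".example.com": same entry without the wildcard.
        if entry.startswith("*."):
            entry = entry[1:]
        dot = "." if entry.startswith(".") else ""
        name = dot + _checked(entry[len(dot):], "DNS domain").lower()
        if name not in domains:
            domains.append(name)
    out = ["[libdefaults]", f"    default_realm = {realm}"]
    out += [f"    {s}" for s in _LIBDEFAULTS]
    out += ["[realms]", f"    {realm} = {{", f"        kdc = {kdc}", "    }"]
    out += ["[domain_realm]"] + [f"    {d} = {realm}" for d in domains]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    sample = {  # constructed sample values, matching the issue's example
        "DAST_AUTH_KERBEROS_REALM": "EXAMPLE.COM",
        "DAST_AUTH_KERBEROS_DC": "kdc.example.com",
        "DAST_AUTH_NEGOTIATE_DELEGATION": "*.example.com,example.com",
    }
    print(render_krb5_conf(sample), end="")
```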