Is there a possible way to make GMSA supported for linux containers

sai kiran Akula 16 Reputation points
2022-02-28T04:26:55.687+00:00

I am looking if there is a way to use GMSA authentication for a .net core application running on linux container on a linux host.

I tried using the method provided here https://www.dsinternals.com/en/retrieving-cleartext-gmsa-passwords-from-active-directory/ but found that interative login "Kinit" won't work with AD.

More details:

  1. The linux host I am using is domain joined to AD server and have access to retrieve passwords from AD
  2. https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/manage-serviceaccounts - I used the link that provides info how to configure GMSA account
    a. The way docker is reading credspec file is only enabled fo windows machine

If anyone have thoughts how to approach this please do share it here. Thank you.

.NET
.NET
Microsoft Technologies based on the .NET software framework.
3,459 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,287 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,996 questions
0 comments No comments
{count} vote

3 answers

Sort by: Most helpful
  1. sai kiran Akula 16 Reputation points
    2023-01-12T19:41:56.5033333+00:00

    Hi @Takahito Iwasa Thank you for pointing it, we did worked on last year to help the users running .NET workloads on Linux containers which uses gMSAs for authentication. We did open-source Credentials-fetcher (https://github.com/aws/credentials-fetcher) last year and are open to contributions.

    Here is the quick 2 line summary about credentials-fetcher:

    Credentials-fetcher is a Linux daemon that retrieves gMSA credentials from Active Directory over LDAP. It creates and refreshes kerberos tickets from gMSA credentials. Kerberos tickets can be used by containers to run apps/services that authenticate using Active Directory.

    For anyone who has the similar use-case to run gMSA on Linux containers can follow the instructions provided here - https://github.com/aws/credentials-fetcher/blob/mainline/README.md,

    2 people found this answer helpful.
    0 comments No comments

  2. Thameur-BOURBITA 32,606 Reputation points
    2022-02-28T10:57:44.957+00:00

    Hi,

    No it's not supported for Linux envirement.

    GMSA is supported on Widows server 2012 or higher domain member servers (Windows 8 or upper domain joined computers also supported).

    To have more details you can read this article:

    329864

    Please don't forget to mark helpful reply as answer


  3. Takahito Iwasa 4,841 Reputation points MVP
    2023-01-03T10:06:24.957+00:00

    Hi, @sai kiran Akula .

    I just found out that AWS has a credential fetcher to support gMSA in Linux Containers.
    you might get a hint. :)

    https://aws.amazon.com/jp/about-aws/whats-new/2022/08/aws-open-sourced-credentials-fetcher-simplify-microsoft-ad-access-linux-containers/

    0 comments No comments