Linux Postgres authentication against active directory

From: "Ronzani Dario" <dario(dot)ronzani(at)oword(dot)it>
To: <pgsql-general(at)postgresql(dot)org>
Subject: Linux Postgres authentication against active directory
Date: 2005-08-12 10:33:23
Message-ID: !~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAALd57argJ9UGDQfooa9N8nMKAAAAQAAAA1c3+U1SwKk+6jQMi/wn/RgEAAAAA@oword.it
Lists: pgsql-general

Hi to all,

Currently I am trying to authenticate my Linux Postgres installation against
Active Directory. I found 3 solutions to use:

1) LDAP
2) Pam and Kerberos
3) Kerberos alone

The first requires the modification of the Active Directory schema, and I
prefer to avoid such responsibility.

For the 2 Kerberos solutions I did not find too much documentation. I tried to
compile Postgres with Kerberos using these configure flags:

--with-krb5=/usr/
--with-includes=/usr/include/
--with-libraries=/usr/lib/

My Kerberos installation is in:
/usr/bin and /usr/sbin for the binaries
/usr/lib/ for libkrb5.*, libk5crypto.so and libkadm5
/usr/include/ for the krb5.h header file

But it seems that I am missing something, because when I put the krb5 word in
pg_hba.conf and try to connect, the system gives me the error:

psql -U postgres -d template1 -h 192.168.0.205

psql: Kerberos 5 authentication failed

--from the system log--
postgres[26793]: [2-1] LOG: Kerberos recvauth returned error 103
postgres[26793]: [3-1] FATAL: Kerberos5 authentication failed for user "postgres"
postgres[26795]: [2-1] LOG: Kerberos recvauth returned error 103
postgres[26795]: [3-1] FATAL: Kerberos5 authentication failed for user "postgres(at)OWORD(dot)LOCAL"

--from the postgres log--
postgres: Software caused connection abort from krb5_recvauth

I also created, with KTPASS, a principal for the Windows user POSTGRES and put
it in the keytab file that the configure script searches for.

The kinit utility works well for any user I try to use.

After this unenthusiastic result I tried with PAM and Postgres (I just have
another installation that works well with pam-ldap), and it sounds good: now I'm
able to authenticate the postgres user, but not my own and other users.

--system log--
postgres[26991]: pam_krb5: pam_sm_authenticate(postgresql ronzanid): entry:
postgres[26991]: pam_krb5: pam_sm_authenticate(postgresql ronzanid): get_user_info(): Conversation error
postgres[26991]: pam_krb5: pam_sm_authenticate(postgresql ronzanid): exit: failure
postgres[26991]: [2-1] LOG: pam_authenticate failed: Error in service module
postgres[26991]: [3-1] FATAL: PAM authentication failed for user "ronzanid"
postgres[26992]: pam_krb5: pam_sm_authenticate(postgresql ronzanid): entry:
postgres[26992]: pam_krb5: pam_sm_authenticate(postgresql ronzanid): getpwnam():
postgres[26992]: pam_krb5: pam_sm_authenticate(postgresql ronzanid): exit: failure
postgres[26992]: [2-1] LOG: pam_authenticate failed: User not known to the underlying authentication module
postgres[26992]: [3-1] FATAL: PAM authentication failed for user "ronzanid"

I hope someone can help; any hint, useful web page, or documentation is
very much appreciated.

Thanks in advance
Dario
