R: Linux Postgres authentication against active directory

From: "Ronzani Dario" <dario(dot)ronzani(at)oword(dot)it>
To: <pgsql-general(at)postgresql(dot)org>
Subject: R: Linux Postgres authentication against active directory
Date: 2005-08-12 14:15:50
Message-ID: !~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAALd57argJ9UGDQfooa9N8nMKAAAAQAAAALWvt2XHkokSrxmtOAkJckgEAAAAA@oword.it
Lists: pgsql-general

Hi, thanks for the answer.

Below are my comments.

> -----Original message-----
> From: Magnus Hagander [mailto:mha(at)sollentuna(dot)net]
> Sent: Friday, 12 August 2005 12:56
> To: Ronzani Dario; pgsql-general(at)postgresql(dot)org
> Subject: RE: [GENERAL] Linux Postgres authentication against
> active directory
>
>
> > Hi to all,
> >
> > Actually I am trying to authenticate my Linux Postgres installation
> > against Active Directory; I have found 3 solutions to use:
> >
> > 1) LDAP
> > 2) Pam and Kerberos
> > 3) Kerberos alone
>
> (3) is the one I've been using, and it works very well. I've
> been working on a HOWTO, but it's not done yet.
>
> Note that if your clients are on win32, you need at least
> version 8.0.2.

Great to know that someone is able to use this solution. I don't have any
client; my application is a web (PHP, Java) application with a request for AD
(or LDAP, depending on the customer) user authentication.

>
>
> > For the 2 Kerberos solutions I don't find much
> > documentation; I tried to compile postgres with Kerberos using
> > these configure flags:
> >
> > --with-krb5=/usr/
> > --with-includes=/usr/include/
> > --with-libraries=/usr/lib/
> >
> > My Kerberos installation is in
> > /usr/bin and /usr/sbin for the binaries
> > /usr/lib/ libkrb5.* and
> > libk5crypto.so
> > and libkadm5
> > /usr/include/ krb5.h header file
> >
> > But it seems that I am missing something, because when I put the krb5
> > word in pg_hba.conf and I try to connect, the system gives
> > me the error:
>
> For AD to do proper interop, the SPN has to be in uppercase.
> For this you need to recompile postgresql using
> --with-krbsrvnam=POSTGRES on both client and server. (You
> will be able to change this at runtime in 8.1)
>
> Naturally you will have to recreate the service account in AD
> with the proper SPN.

My fear is that I have misunderstood how Kerberos works. I understand that I
must kerberize the postgres application to give it access to AD; then do I
need to assign a principal to every user that needs to authenticate?

This is my principal on the Linux box; as you said (I think), I created this
principal in uppercase:

ktutil: rkt /usr/etc/postgresql/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 3 POSTGRES/onet003(at)OWORD(dot)LOCAL
2 3 RONZANID/onet003(at)OWORD(dot)LOCAL

Maybe my problem is related to these compilation lines?

checking for library containing com_err... -lkrb5
checking for library containing krb5_encrypt... none required
checking for library containing krb5_sendauth... none required
checking krb5.h usability... yes
checking krb5.h presence... yes
checking for krb5.h... yes
checking for krb5_ticket.enc_part2... yes
checking for krb5_error.text.data... yes

In particular I refer to krb5_encrypt and krb5_sendauth.

With more debugging I received this error when I tried to authenticate.

postgres: Bad application version was sent (via sendauth) from
krb5_recvauth

Thanks Dario

>
>
> //Magnus
>
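As an added example (not part of this thread or of PostgreSQL), a small POSIX shell check over a ktutil/klist-style keytab listing for the uppercase POSTGRES service principal that Magnus says AD interop requires; the function name check_spn is assumed, and the listing is a constructed sample in the format shown above (hostname and realm taken from the thread).

```shell
#!/bin/sh
# Added example, not from the thread: verify that a keytab listing holds
# POSTGRES/<host>@<REALM> with the service name in uppercase, and flag the
# lowercase or mismatched variants that AD will not match.
# Input is assumed to look like "ktutil: list" output:
#   slot KVNO Principal
#      1    3 POSTGRES/onet003@OWORD.LOCAL

# check_spn LISTING HOST REALM
# Returns 0 only if POSTGRES/HOST@REALM is present in LISTING.
check_spn() {
    listing=$1; host=$2; realm=$3
    want="POSTGRES/$host@$realm"
    # Data rows have at least 3 fields and a principal (contains '@') last;
    # the header and dash lines are dropped by this filter.
    princs=$(printf '%s\n' "$listing" | awk 'NF>=3 && $NF ~ /@/ {print $NF}')
    rc=1
    for p in $princs; do
        case "$p" in
            "$want")
                echo "ok: found $p"; rc=0 ;;
            "postgres/$host@$realm")
                echo "warn: $p has a lowercase service name; AD will not match it" \
                     "(see the --with-krbsrvnam=POSTGRES note above)" ;;
            POSTGRES/*)
                echo "warn: $p does not match expected $host@$realm" ;;
            *)
                echo "info: $p is not a POSTGRES service principal" ;;
        esac
    done
    [ $rc -eq 0 ] || echo "missing: $want not found in keytab listing"
    return $rc
}

# Constructed sample listing in the thread's format.
SAMPLE_LISTING='slot KVNO Principal
---- ---- ----------------------------------------
   1    3 POSTGRES/onet003@OWORD.LOCAL
   2    3 RONZANID/onet003@OWORD.LOCAL'

check_spn "$SAMPLE_LISTING" onet003 OWORD.LOCAL
```

On a real box, feed it the output of `klist -k <keytab>` instead of the sample; the realm is compared case-sensitively on purpose, since Kerberos realms are.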
