Re: pg_ident mapping Kerberos Usernames

From: rob stone <floriparob(at)gmail(dot)com>
To: techmail+pgsql(at)dangertoaster(dot)com, pgsql-general(at)postgresql(dot)org
Subject: Re: pg_ident mapping Kerberos Usernames
Date: 2017-09-10 02:28:49
Message-ID: 1505010529.4018.2.camel@gmail.com
Lists: pgsql-general

On Sat, 2017-09-09 at 20:44 -0500, techmail+pgsql(at)dangertoaster(dot)com
wrote:
> Hi,
>
> I'm trying to get pg_ident to map "user1" and "user1(at)A(dot)DOMAIN(dot)TLD" to "user1" in postgres, or vice versa. I'm not picky about which way works.
>
> Kerberos authentication works. I've gotten "user1" to login successfully with a Kerberos ticket, but I'm not able to get "user1(at)A(dot)DOMAIN(dot)TLD" to match.
>
> Environment:
> * PostgreSQL 9.6 from PostgreSQL repos
> * CentOS 7
> * FreeIPA for Kerberos, LDAP, etc.
> * Realm A.DOMAIN.TLD
> * "user1" database exists
> * "user1" role exists
> * Logging into CentOS, usernames are configured to drop the domain, so they appear as "user1" rather than "user1(at)a(dot)domain(dot)tld".
>
>
> pg_hba.conf:
>
> local all postgres peer
> host all all 127.0.0.1/32 md5
> host all all ::1/128 md5
> host all all 192.168.1.0/24 gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD #This is on one line. Thunderbird is truncating lines.
>
>
> pg_ident.conf:
>
> testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1
> testnet /^([0-9A-Za-z_-]+)$ \1
>
>
> Regex that works for both in regexr.com:
>
> /^([0-9A-Za-z-_]+)(@A\.DOMAIN\.TLD)?$/gm
>
>
> Command and lines from pg_log:
>
> $ psql -h db0 # Logged in as user1 with Kerberos ticket
>
> < 2017-09-09 19:50:49.376 CDT - 192.168.1.201 [unknown] > LOG: connection received: host=192.168.1.201 port=44918
> < 2017-09-09 19:50:49.398 CDT - 192.168.1.201 user1 > LOG: connection authorized: user=user1 database=user1
> < 2017-09-09 19:50:50.912 CDT - 192.168.1.201 user1 > LOG: disconnection: session time: 0:00:01.537 user=user1 database=user1 host=192.168.1.201 port=44918
>
> $ psql -h db0 -U user1(at)A(dot)DOMAIN(dot)TLD # Logged in as user1 with Kerberos ticket
>
> < 2017-09-09 19:50:54.959 CDT - 192.168.1.201 [unknown] > LOG: connection received: host=192.168.1.201 port=44920
> < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1(at)A(dot)DOMAIN(dot)TLD > LOG: no match in usermap "testnet" for user "user1(at)A(dot)DOMAIN(dot)TLD" authenticated as "user1(at)A(dot)DOMAIN(dot)TLD"
> < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1(at)A(dot)DOMAIN(dot)TLD > FATAL: GSSAPI authentication failed for user "user1(at)A(dot)DOMAIN(dot)TLD"
> < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1(at)A(dot)DOMAIN(dot)TLD > DETAIL: Connection matched pg_hba.conf line 87: "host all all 192.168.1.0/24 gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD"
>
>
> Is this something that is possible, or is it something where I need to pick one way to do it?
>
> Thanks in advance,
> Ryan
>
>

Hello,
I think you need a line in your pg_hba.conf file along the lines of:-

testnet all all 192.168.1.0/24 gss

as the error message says it can't find this relationship.

HTH,
Rob
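Added worked example (not from either poster): a small Python model of how PostgreSQL 9.6 evaluates a pg_ident.conf usermap for a GSSAPI connection with include_realm=1. In that mode the authenticated system name is the full principal (user1@A.DOMAIN.TLD), each regex line rewrites it via \1, and the rewritten name must equal the role the client asked for with -U. The map contents are modelled on the one quoted above; the second map, with a \1@A.DOMAIN.TLD line, is an assumption added to show what a mapping that accepts the realm-qualified role name would look like (it only helps if such a role actually exists). Python's re is used in place of PostgreSQL's own regex engine; for these patterns the behaviour is the same.

```python
import re

# Constructed pg_ident.conf text modelled on the map quoted in the thread.
PG_IDENT = r"""
# MAPNAME  SYSTEM-USERNAME                        PG-USERNAME
testnet    /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$     \1
testnet    /^([0-9A-Za-z_-]+)$                    \1
"""

# Assumed variant: also lets the realm-qualified name be requested as a role.
# Only meaningful if a role named user1@A.DOMAIN.TLD exists in the cluster.
PG_IDENT_BOTH = r"""
testnet    /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$     \1
testnet    /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$     \1@A.DOMAIN.TLD
testnet    /^([0-9A-Za-z_-]+)$                    \1
"""


def parse_pg_ident(text):
    """Return (map_name, system_user, pg_role) tuples; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident line: {raw!r}")
        entries.append(tuple(fields))
    return entries


def check_usermap(entries, map_name, system_user, pg_role):
    """True if some line of map_name maps the authenticated system_user
    onto exactly the role the client requested (pg_role).

    Mirrors the server's rules: a system-username starting with '/' is a
    regex (not auto-anchored, so the pattern needs ^ and $); if the
    PG-USERNAME column contains \\1 it is replaced by the first capture
    group; otherwise both columns must match literally.
    """
    for name, sys_pat, role_pat in entries:
        if name != map_name:
            continue
        if sys_pat.startswith("/"):
            match = re.search(sys_pat[1:], system_user)
            if not match:
                continue
            if "\\1" in role_pat:
                if match.re.groups < 1:
                    raise ValueError(f"regex {sys_pat!r} has no capture group for \\1")
                mapped = role_pat.replace("\\1", match.group(1), 1)
            else:
                mapped = role_pat
            if mapped == pg_role:
                return True
        elif sys_pat == system_user and role_pat == pg_role:
            return True
    return False


def explain(entries, map_name, system_user, pg_role):
    """Reproduce the decision the server logs for one connection attempt."""
    if check_usermap(entries, map_name, system_user, pg_role):
        return f'usermap "{map_name}": "{system_user}" may log in as "{pg_role}"'
    return (f'no match in usermap "{map_name}" for user "{pg_role}" '
            f'authenticated as "{system_user}"')


if __name__ == "__main__":
    principal = "user1@A.DOMAIN.TLD"   # what GSSAPI hands over with include_realm=1
    base = parse_pg_ident(PG_IDENT)
    for role in ("user1", principal):
        print(explain(base, "testnet", principal, role))
    both = parse_pg_ident(PG_IDENT_BOTH)
    print(explain(both, "testnet", principal, principal))
```

With the map as quoted, `psql -h db0` (role user1) succeeds because the first line rewrites the principal to user1, while `-U user1@A.DOMAIN.TLD` fails because no line yields that exact role name, which is the "no match in usermap" line seen in the log; the two quoted strings in that message are the requested role and the authenticated principal respectively.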
