Re: GSS Authentication

From: greigwise(at)comcast(dot)net
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: pgsql-general(at)postgresql(dot)org, Bryan Montgomery <monty(at)english(dot)net>
Subject: Re: GSS Authentication
Date: 2010-06-15 21:25:14
Message-ID: 1718270797.4378711276637114764.JavaMail.root@sz0069a.emeryville.ca.mail.comcast.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

OK. I tried what you suggested. I pasted the whole sequence of commands and the results below. As you can see, the connection to postgres still failed, but it looks like it actually acquired the ticket (I think). What do you make of that?

Thanks again for the help.
Greig

[user(at)client ~]$ kdestroy
--------------------------------------------------------------------
[user(at)client ~]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_503)

Kerberos 4 ticket cache: /tmp/tkt503
klist: You have no tickets cached
--------------------------------------------------------------------
[user(at)client ~]$ kinit
Password for user(at)DOMAIN(dot)COM:
--------------------------------------------------------------------
[user(at)client ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_503
Default principal: user(at)DOMAIN(dot)COM

Valid starting Expires Service principal
06/15/10 17:16:37 06/16/10 03:16:42 krbtgt/DOMAIN(dot)COM(at)DOMAIN(dot)COM
renew until 06/16/10 03:16:37

Kerberos 4 ticket cache: /tmp/tkt503
klist: You have no tickets cached
--------------------------------------------------------------------
[user(at)client ~]$ psql -d postgres -h server.DOMAIN.COM
psql: FATAL: accepting GSS security context failed
DETAIL: Miscellaneous failure: Unknown code krb5 181
--------------------------------------------------------------------
[user(at)client ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_503
Default principal: user(at)DOMAIN(dot)COM

Valid starting Expires Service principal
06/15/10 17:16:37 06/16/10 03:16:42 krbtgt/DOMAIN(dot)COM(at)DOMAIN(dot)COM
renew until 06/16/10 03:16:37
06/15/10 17:17:01 06/16/10 03:16:42 POSTGRES/server(dot)DOMAIN(dot)COM(at)DOMAIN(dot)COM
renew until 06/16/10 03:16:37

Kerberos 4 ticket cache: /tmp/tkt503
klist: You have no tickets cached
--------------------------------------------------------------------

----- Original Message -----
From: "Stephen Frost" <sfrost(at)snowman(dot)net>
To: greigwise(at)comcast(dot)net
Cc: pgsql-general(at)postgresql(dot)org, "Bryan Montgomery" <monty(at)english(dot)net>
Sent: Tuesday, June 15, 2010 4:25:55 PM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication

* greigwise(at)comcast(dot)net (greigwise(at)comcast(dot)net) wrote:
> kinit -S POSTGRES/host.domain.com user
>
> (where user is my account name in AD). That then asked for my password and when I entered it, it seemed to work. And now klist shows that I have a ticket. Doing it this way though, the keytab file doesn't seem to come into play. Does this point to something in my keytab file being wrong?

Good that you were able to get a ticket manually. Next you need to try
getting a client application (eg: psql) to get that same ticket. Before
you run psql, do:

kdestroy
kinit
export PGKRBSRVNAME=POSTGRES
psql -d postgres -h host.domain.com
klist

And see if you acquired the same ticket you got with the manual klist.

> I did this:
>
> klist -ket postgres.keytab
>
> and got:
>
> KVNO Timestamp Principal
> ---- ----------------- --------------------------------------------------------
> 3 12/31/69 19:00:00 POSTGRES/host(dot)domain(dot)com(at)DOMAIN(dot)COM (DES cbc mode with RSA-MD5)
>
> That timestamp seems kinda funky, doesn't it? 12/31/69? That can't be right, can it?

The timestamp isn't really "right", but it shouldn't really hurt either-
that's just when it was "created". The encyprtion is crappy though and
might be disabled by default (MIT Kerberos recently started disabling
DES and lower encryption because it's horribly insecure). Check your
/etc/krb5.conf for permitted_enctypes. Also, after you get a
POSTGRES/host.domain.com ticket using kinit (or psql), do a klist -e and
see if the encryption type of the ticket you got matches that of the
keytab. If it doesn't, then you might have created multiple keys for
the same princ on the server (not generally a bad thing), but not
exported and loaded all of them into the keytab on the unix system
(which would be a problem...).

Thanks,

Stephen

In response to

Browse pgsql-general by date

  From Date Subject
Next Message greigwise 2010-06-15 22:13:58 Re: GSS Authentication
Previous Message Sid 2010-06-15 21:01:29 Problem with triggers