From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Josh Tanski <mortonjt(at)rochester(dot)rr(dot)com> |
Cc: | pgsql-admin(at)postgresql(dot)org |
Subject: | Re: 8.4 to 9.1 Upgrade Kerberos Auth Stops Working "Wrong principal in request" |
Date: | 2013-05-31 12:46:48 |
Message-ID: | 20130531124648.GW6434@tamriel.snowman.net |
Lists: | pgsql-admin |
Josh,
That key type (des-cbc-md5) has looonngggg been deprecated and has
been actively disabled and disallowed from use in modern Kerberos
libraries.
Please go get an AES256 key and install that instead.
Thanks,
Stephen
* Josh Tanski (mortonjt(at)rochester(dot)rr(dot)com) wrote:
> I have Kerberos Authentication working for PostgreSQL 8.4 on Debian
> Squeeze, against a Windows 2000 Server Domain. I tried upgrading
> some test servers to Debian Wheezy which upgrades PostgreSQL to 9.1,
> but Kerberos authentication breaks with the "Wrong principal in
> request" error.
>
> These servers ultimately use Apache2/mod-auth-kerb/php5-cgi to do
> SSO in a Windows web browser and that gets passed to PostgreSQL, but
> I have the issue with psql as well and that is where I normally
> start troubleshooting. Mod-Auth-Kerb in Apache2 continues to
> authenticate and work after the upgrade, only PostgreSQL stops
> working.
>
> Here is everything I've looked at and the results I get - I am
> baffled on why this stopped working with 9.1, my config is the same,
> hostnames, DNS, clocks, etc. look good and nothing changed there.
> Below is from a fresh, clean install of Debian Wheezy/ PostgreSQL
> 9.1 on a new test VM and I still get the error. If anyone sees
> something I am doing wrong or something I missed and should be
> looking into, your advice would be greatly appreciated.
>
> Thanks,
> Josh
>
> IN /etc/postgresql/9.1/main/postgresql.conf
> krb_server_keyfile = '/etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab'
>
> IN /etc/postgresql/9.1/main/pg_hba.conf
> host all all 10.203.105.96 255.255.255.255 krb5 krb_server_hostname=ss-sv-tmp40.mydomain.local
>
> root@ss-sv-tmp40:~# hostname --fqdn
> ss-sv-tmp40.mydomain.local
>
> root@ss-sv-tmp40:~# cat /etc/hosts
> 127.0.0.1 localhost
> 10.203.105.96 ss-sv-tmp40.mydomain.local ss-sv-tmp40
>
>
> root@ss-sv-tmp40:~# klist -ek /etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab
> Keytab name: FILE:/etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL (des-cbc-md5)
>
>
> jdt@ss-sv-tmp40:~$ kinit jdt@MYDOMAIN.LOCAL
> Password for jdt@MYDOMAIN.LOCAL:
> jdt@ss-sv-tmp40:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: jdt@MYDOMAIN.LOCAL
>
> Valid starting     Expires            Service principal
> 31/05/2013 07:36   31/05/2013 15:36   krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
>         renew until 31/05/2013 15:36, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
>
> jdt@ss-sv-tmp40:~$ psql -h ss-sv-tmp40.mydomain.local -U jdt
> psql: Kerberos 5 authentication rejected: Wrong principal in request
> jdt@ss-sv-tmp40:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: jdt@MYDOMAIN.LOCAL
>
> Valid starting     Expires            Service principal
> 31/05/2013 07:36   31/05/2013 15:36   krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
>         renew until 31/05/2013 15:36, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
> 31/05/2013 07:38   31/05/2013 15:36   postgres/ss-sv-tmp40.mydomain.local@
>         renew until 31/05/2013 15:36, Etype (skey, tkt): des-cbc-crc, des-cbc-crc
> 31/05/2013 07:38   31/05/2013 15:36   postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL
>         renew until 31/05/2013 15:36, Etype (skey, tkt): des-cbc-crc, des-cbc-crc
>
>
> root@ss-sv-tmp40:~# tail /var/log/postgresql/postgresql-9.1-main.log
> 2013-05-31 07:38:07 EDT LOG: Kerberos recvauth returned error -1765328240 postgres: Wrong principal in request from krb5_recvauth
> 2013-05-31 07:38:07 EDT FATAL: Kerberos 5 authentication failed for user "jdt"
>
>
> root@ss-sv-tmp40:~# cat /etc/krb5.conf
> [libdefaults]
> default_realm = MYDOMAIN.LOCAL
> allow_weak_crypto = true
> <snip>
>
>
> --
> Sent via pgsql-admin mailing list (pgsql-admin(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-admin
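A keytab audit in the spirit of Stephen's advice, added here as an example (it is not from the thread, PostgreSQL or MIT Kerberos): it reads the output of `klist -ek`, the command Josh ran above, and flags every entry whose enctype modern Kerberos libraries disable (single DES) or deprecate (RC4, 3DES). The sample listing, principal names and keytab path are constructed.

```shell
#!/bin/sh
# Audit the enctypes in a Kerberos keytab listing (the text printed by `klist -ek`).
# Single-DES types are disabled by MIT Kerberos unless allow_weak_crypto = true;
# RC4 (arcfour-hmac) and 3DES are deprecated by RFC 8429. Anything else passes.

audit_keytab_listing() {
    # $1 is the text produced by `klist -ek <keytab>`; entry lines look like:
    #    1 postgres/db.example.local@EXAMPLE.LOCAL (des-cbc-md5)
    # Newer klist versions prefix the enctype with "DEPRECATED:"; that is stripped.
    printf '%s\n' "$1" | grep -E '^ *[0-9]+ +[^ ]+ +\(' | while read -r kvno princ etype; do
        etype=${etype#\(}; etype=${etype%\)}; etype=${etype#DEPRECATED:}
        case "$etype" in
            des-cbc-*)                       level="DISABLED" ;;
            des3-*|arcfour-hmac*|rc4-hmac*)  level="DEPRECATED" ;;
            *)                               continue ;;
        esac
        printf '%s kvno=%s %s %s\n' "$level" "$kvno" "$princ" "$etype"
    done
    return 0
}

# Number of flagged entries (0 means only current enctypes such as AES are present).
weak_entry_count() {
    audit_keytab_listing "$1" | grep -c . || true
}

# Constructed sample listing (not a real host) modelled on the thread's keytab,
# with an RC4 and an AES key added so all three outcomes are exercised.
SAMPLE_LISTING='Keytab name: FILE:/etc/postgresql/9.1/main/example_pg.keytab
KVNO Principal
---- ------------------------------------------------------------------
   1 postgres/db.example.local@EXAMPLE.LOCAL (des-cbc-md5)
   2 postgres/db.example.local@EXAMPLE.LOCAL (arcfour-hmac)
   3 postgres/db.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)'

# On a real server run: audit_keytab_listing "$(klist -ek /path/to/pg.keytab)"
audit_keytab_listing "$SAMPLE_LISTING"
echo "flagged entries: $(weak_entry_count "$SAMPLE_LISTING")"
```

A keytab that prints only AES lines from `klist -ek` is what the server needs after the realm has been asked for an AES256 key; the count function makes the check easy to script into a pre-upgrade test.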