From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Abbas <abbas(dot)dba(at)gmail(dot)com> |
Cc: | pgsql-admin(at)postgresql(dot)org, pgsql-general(at)postgresql(dot)org |
Subject: | Re: GSSAPI authentication with AD |
Date: | 2013-11-25 02:38:05 |
Message-ID: | 20131125023805.GB17272@tamriel.snowman.net |
Lists: | pgsql-admin pgsql-general |
Abbas,

* Abbas (abbas(dot)dba(at)gmail(dot)com) wrote:
> created enterprisedb user in AD with DES encryption type.

Do not use DES- it's not secure and there's no reason to use it. Use
AES instead.

> -bash-4.1$ klist
>
> Ticket cache: FILE:/tmp/krb5cc_501
>
> Default principal: POSTGRES/centos@MY.TESTDOMAIN.LAN

This is the problem- with Kerberos and GSSAPI, you need to have a
'service' princ (that's the POSTGRES/my.host.name one) *and* a 'user'
princ (in your case, that should be 'enterprisedb'). The 'service'
princ needs to be exported as a keytab, as you've done, and then made
available to the PostgreSQL server (which I think you've done).
However, the 'user' princ should acquire credentials through a normal
'kinit' (which is what happens when a user logs on to a Windows system
with AD).

> -bash-4.1$ ~/bin/psql -h centos.MY.TESTDOMAIN.LAN -U enterprisedb
> psql: FATAL: GSSAPI authentication failed for user "enterprisedb"
> -bash-4.1$
>
> pglogs :
>
> LOG: provided user name (enterprisedb) and authenticated user name
> (POSTGRES/centos) do not match

Right, this is telling you that you're using a principal
(POSTGRES/centos) which doesn't match the user that you're trying to
authenticate as ('enterprisedb').

Thanks,
Stephen
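
Added example, not part of the message above and not PostgreSQL code: a pre-flight check that reads `klist` output and reports whether the ticket cache holds the user principal or, as in this thread, the service principal. The function names, status strings and sample text are constructed for illustration, and the comparison assumes the realm is removed before matching, as the quoted log line shows.

```python
import re

# Constructed sample modelled on the klist output quoted in the message.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: POSTGRES/centos@MY.TESTDOMAIN.LAN
"""

def default_principal(klist_text):
    """Return the default principal named in `klist` output, or None."""
    m = re.search(r"^Default principal:\s*(\S+)\s*$", klist_text, re.MULTILINE)
    return m.group(1) if m else None

def split_principal(principal):
    """Split 'primary[/instance][@REALM]' into (primary, instance, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:                      # no realm given
        name, realm = principal, ""
    primary, _, instance = name.partition("/")
    return primary, instance, realm

def diagnose(klist_text, db_user):
    """Return (status, advice) for connecting as db_user with this cache.

    Assumption: the server compares the principal with its realm removed,
    as in the log line quoted in the message.
    """
    principal = default_principal(klist_text)
    if principal is None:
        return "no-credentials", f"no ticket found; run: kinit {db_user}"
    primary, instance, _ = split_principal(principal)
    authenticated = f"{primary}/{instance}" if instance else primary
    if authenticated == db_user:
        return "ok", f"cache holds the user principal {principal}"
    if instance:
        return "service-principal", (
            f"{principal} is a service principal; keep it in the server "
            f"keytab only, then run: kdestroy; kinit {db_user}")
    return "wrong-user", (
        f"cache is for {authenticated}, not {db_user}; run: kinit {db_user}")

if __name__ == "__main__":
    print(diagnose(SAMPLE_KLIST, "enterprisedb"))
```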