| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Bear Giles <bgiles(at)coyotesong(dot)com> |
| Cc: | "Weingartner, Steven" <SWeingartner(at)semprautilities(dot)com>, "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org> |
| Subject: | Re: GSSAPI / Kerberos Authentication |
| Date: | 2016-06-03 00:18:35 |
| Message-ID: | 20160603001835.GA21416@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
All,
* Bear Giles (bgiles(at)coyotesong(dot)com) wrote:
> I remember reading comments in the code that case matters - postgres and
> POSTGRES are not the same - but I'm drawing a blank on the rest. I just
> started looking at the code myself though - others probably have more
> experience.
That's correct, case absolutely matters and it needs to match.
There are options in postgresql.conf to control what's expected. This
is a source of common issue when coming from Windows clients to Linux
servers (or the other way around).
In particular, review section 19.3.3 of the 9.5 docs:
https://www.postgresql.org/docs/9.5/static/auth-methods.html#GSSAPI-AUTH
For the client side, review krbsrvname:
https://www.postgresql.org/docs/9.5/static/libpq-connect.html#LIBPQ-PARAMKEYWORDS
Check the klist from the client side and also look at the keytab that's
on the server and what's in the KDC database and make sure they all
match. What the client asks for from the KDC needs to be what the KDC
has and what is installed in the keytab on the server for it all to
work.
Thanks!
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bear Giles | 2016-06-03 15:07:25 | Re: GSSAPI / Kerberos Authentication |
| Previous Message | Bear Giles | 2016-06-03 00:08:16 | Re: GSSAPI / Kerberos Authentication |