From: | "Peter Koczan" <pjkoczan(at)gmail(dot)com> |
---|---|
To: | "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org> |
Subject: | Re: PG 8.3 and kerberos failures |
Date: | 2008-04-18 17:43:20 |
Message-ID: | 4544e0330804181043y6db18a9bve072aa5bc44a8cc4@mail.gmail.com |
Lists: | pgsql-admin |
On Thu, Apr 17, 2008 at 11:40 AM, Peter Koczan <pjkoczan(at)gmail(dot)com> wrote:
> Hi all,
>
> I just upgraded one of my servers and I'm having a bit of trouble
> getting some of the kerberos authentication bits working.
> Specifically, any Kerberos instance run out of a v5srvtab doesn't work
> so well. Using stashed tickets or normal principals worked fine.
> Gritty details follow.
>
> Peter
>
> Here are details from the specific v5srvtab's...
> [root@sensei postgres]# klist -k -t /etc/v5srvtab.wsbackup
> Keytab name: FILE:/etc/v5srvtab.wsbackup
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>   13 12/20/07 15:56:11 wsbackup/sensei.cs.wisc.edu@CS.WISC.EDU
Here's what happens when I do this (it's on a different machine but
it's the same mechanism).
[root@ator] ~ $ su - wsbackup
ator(1)% kinit -f -k -t /etc/v5srvtab.wsbackup -l 1d wsbackup/ator.cs.wisc.edu@CS.WISC.EDU
ator(2)% klist
Ticket cache: FILE:/var/adm/krb5/tmp/tkt/krb5cc_28528
Default principal: wsbackup/ator.cs.wisc.edu@CS.WISC.EDU
Valid starting     Expires            Service principal
04/18/08 12:25:00  04/19/08 12:25:00  krbtgt/CS.WISC.EDU@CS.WISC.EDU
Kerberos 4 ticket cache: /tmp/tkt28528
klist: You have no tickets cached
ator(4)% /s/postgresql-8.2/bin/psql -h sensei -p 5432 postgres
Connecting to 8.2 works...
ator(5)% /s/postgresql-8.3/bin/psql -h sensei -p 5432 postgres
Connecting to 8.2 via 8.3 binaries works...
ator(6)% /s/postgresql-8.3/bin/psql -h sensei -p 49173 postgres
psql: FATAL: no pg_hba.conf entry for host "128.105.162.36", user "wsbackup", database "postgres", SSL off
And then it fails as above...
Apr 18 12:20:41 sensei postgres[4486]: [3-1] LOG: connection received: host=ator.cs.wisc.edu port=56925
Apr 18 12:20:41 sensei postgres[4486]: [4-1] LOG: unexpected Kerberos user name received from client (received "wsbackup", expected "wsbackup/ator.cs.wisc.edu")
Apr 18 12:20:41 sensei postgres[4486]: [5-1] FATAL: Kerberos 5 authentication failed for user "wsbackup"
Apr 18 12:20:41 sensei postgres[4488]: [3-1] LOG: connection received: host=ator.cs.wisc.edu port=56926
Apr 18 12:20:41 sensei postgres[4488]: [4-1] FATAL: no pg_hba.conf entry for host "128.105.162.36", user "wsbackup", database "postgres", SSL off
And this is what syslog shows when I try GSSAPI authentication.
Apr 18 12:34:40 sensei postgres[25885]: [3-1] LOG: connection received: host=ator.cs.wisc.edu port=41148
Apr 18 12:34:40 sensei postgres[25885]: [4-1] FATAL: GSSAPI authentication failed for user "wsbackup"
Apr 18 12:34:40 sensei postgres[25886]: [3-1] LOG: connection received: host=ator.cs.wisc.edu port=41149
Apr 18 12:34:40 sensei postgres[25886]: [4-1] FATAL: no pg_hba.conf entry for host "128.105.162.36", user "wsbackup", database "postgres", SSL off
Is this something I'm just going to have to find a way to work around
or should I file a bug report?
Peter