From: | HIRTZ Jorge Alberto TENARIS <jhirtz(at)tenaris(dot)com> |
---|---|
To: | "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | PostgreSQL Kerberos Authentication |
Date: | 2018-01-30 16:13:47 |
Message-ID: | C911CF65C193334EADACFA5AE9AB3D4DBBEF0FE4@SIDARWEX100.tenaris.techint.net |
Lists: | pgsql-general |
Hello All,
I am trying to configure PostgreSQL 9.6 (on CentOS 7.4) with Kerberos (Active Directory) via GSSAPI authentication and I'm getting the following error:
[postgres@hostname data]$ psql -h hostname -U USERNAME@DOMAIN.COM postgres
psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
GSSAPI continuation error: Server not found in Kerberos database
I did the following configuration:
1.- Create KeyTab in Active Directory:
ktpass -out postgres_instance.keytab -princ postgres/hostnamename.domain.com@DOMAIN.COM -mapUser svcPostgres -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL
2.- Copy the keytab to Linux Server on $PGDATA and change the privileges to postgres:postgres
3.- Configure postgresql.conf
krb_server_keyfile = '/<INSTANCA_NAME>/data/postgres_instance.keytab'
4.- Configure /etc/krb5.conf
5.- Request a ticket to the KDC server using kinit (this works OK!)
[postgres@hostname ~]$ klist
Ticket cache: KEYRING:persistent:26:krb_ccache_AO0Y1kx
Default principal: USERNAME@DOMAIN.COM
Valid starting Expires Service principal
01/30/2018 11:01:59 01/30/2018 21:01:59 krbtgt/DOMAIN.COM@DOMAIN.COM
renew until 02/06/2018 11:01:55
6.- Configure pg_hba.conf
host all all 0.0.0.0/0 gss include_realm=1
7.- Create user in PG to test:
create user "USERNAME@DOMAIN.COM" WITH SUPERUSER;
8.- Testing
[postgres@hostname data]$ psql -h hostname -U USERNAME@DOMAIN.COM postgres
psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
GSSAPI continuation error: Server not found in Kerberos database
I tried generating the keytab with "postgres" and "POSTGRES" user as an SPN but I get the same error.
Any suggestion is welcome!
Thanks in advance for your help!
Jorge
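
An added example, not part of the original post: a shell check that compares the service principal a libpq client requests (krbsrvname/host@REALM, with krbsrvname defaulting to postgres) against the principals that `klist -k` lists for the server keytab. The host names, realm and klist output are constructed, and it assumes the Kerberos library does not canonicalize the host name to a different one via DNS.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data is constructed.

# Service principal a libpq client requests: <krbsrvname>/<host>@<REALM>.
# krbsrvname defaults to "postgres"; <host> is the name given to psql -h.
expected_spn() {            # usage: expected_spn HOST REALM [SRVNAME]
    printf '%s/%s@%s\n' "${3:-postgres}" "$1" "$2"
}

# Extract principals from `klist -k` output on stdin. Entry lines start with
# a numeric KVNO; the principal is the first field containing "@", which also
# holds for the -t (timestamps) and -e (enctypes) variants.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ {
             for (i = 2; i <= NF; i++) if ($i ~ /@/) { print $i; break }
         }' | sort -u
}

# check_spn HOST REALM < klist-output
# Returns 0 when the keytab holds the requested principal, 1 otherwise.
check_spn() {
    want=$(expected_spn "$1" "$2")
    have=$(keytab_principals)
    if printf '%s\n' "$have" | grep -Fxq -- "$want"; then
        echo "OK: keytab contains $want"
        return 0
    fi
    echo "MISSING: client requests $want"
    echo "keytab holds:"
    printf '%s\n' "$have" | sed 's/^/  /'
    return 1
}

# Constructed `klist -k` output for a keytab created with a fully qualified SPN.
SAMPLE_KLIST='Keytab name: FILE:/tmp/example.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 postgres/db01.example.com@EXAMPLE.COM
   3 postgres/db01.example.com@EXAMPLE.COM'

# Short host name: the requested principal is not the one in the keytab.
printf '%s\n' "$SAMPLE_KLIST" | check_spn db01 EXAMPLE.COM || true
# Fully qualified name: matches.
printf '%s\n' "$SAMPLE_KLIST" | check_spn db01.example.com EXAMPLE.COM
```

On a real server the input would come from `klist -k` run against the keytab named in krb_server_keyfile, piped into `check_spn` with the host name passed to `psql -h`.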