From: | Dave Page <dpage(at)pgadmin(dot)org> |
---|---|
To: | "Haskin, Daniel J" <DHaskin(at)verisk(dot)com> |
Cc: | "pgadmin-support(at)lists(dot)postgresql(dot)org" <pgadmin-support(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Having trouble with connecting to database via kerberos |
Date: | 2020-08-28 10:03:09 |
Message-ID: | CA+OCxozf8nXX-6Loq5q0K=0SBqz0BP6pHZCUUHQCV_tSRUT-ZA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgadmin-support |
Hi
On Fri, Aug 28, 2020 at 9:59 AM Haskin, Daniel J <DHaskin(at)verisk(dot)com> wrote:
> Hello!
>
> I wonder if you folks can help me. I am having the hardest time location
> documentation on, or otherwise figuring out how to connect to a
> Kerberos-authenticated database using pgAdmin in Amazon RDS.
>
> I can connect to the database just fine with psql + kinit on linux, but
> the rest of my team is on Windows and pgAdmin.
>
> How, in general, do you connect to a Kerberos-authenticated database from
> pgAdmin on Windows? I haven't been able to find the answer to this question.
>
> In particular, I am connecting to a 12.3 pgsql database hosted on amazon
> RDS. No matter what I try, whenever I try to auth via Kerberos, I get this
> error:
>
> SSPI continuation error: The specified target is unknown or unreachable
> (80090303)
>
> If I connect using a local pg user, the connection succeeds.
> If I connect using kinit + psql on linux, the connection succeeds.
> If I connect using the correct host endpoint, I get the error above.
> If I connect using the AWS alternative method described here[1] of
> connecting to <endpoint>.<aws-ad-domain>, I *still* get the error above.
>
> Is there anyone who can help?
>
> 1:
> https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/postgresql-kerberos-connecting.html
pgAdmin doesn't (yet) officially support kerberos authentication. You can
use SSPI if you're connecting from Windows to a Windows-hosted PostgreSQL
server in a domain or on a the same machine (I actually verified that works
yesterday), or you can in theory use GSSAPI to authenticate to a Linux
hosted server if you're on a Linux client (I'm working on verifying that at
the moment).
Once I've got those scenarios working and verified, I'll move on to
figuring out how to handle Windows/Mac clients connecting with GSSAPI.
Note that SSPI/GSSAPI will require that you're running pgAdmin in Desktop
mode. It will not work in Server mode (because the server will typically be
running under a different user account). There's a feature request for that
in the backlog.
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
From | Date | Subject | |
---|---|---|---|
Next Message | Dave Page | 2020-08-28 14:12:36 | Re: Having trouble with connecting to database via kerberos |
Previous Message | Akshay Joshi | 2020-08-28 09:36:35 | Re: URGENT ACTION : Fatal Error with launching pgAdmn |