Re: Having trouble with connecting to database via kerberos

From: Dave Page <dpage(at)pgadmin(dot)org>
To: "Haskin, Daniel J" <DHaskin(at)verisk(dot)com>
Cc: "pgadmin-support(at)lists(dot)postgresql(dot)org" <pgadmin-support(at)lists(dot)postgresql(dot)org>
Subject: Re: Having trouble with connecting to database via kerberos
Date: 2020-08-28 14:12:36
Message-ID: CA+OCxoztJCZijhhmGTtjPZ2Lvu6nfT3aoGVZkq=Wbd7nnAn0Pg@mail.gmail.com
Lists: pgadmin-support

On Fri, Aug 28, 2020 at 11:03 AM Dave Page <dpage(at)pgadmin(dot)org> wrote:

> Hi
>
> On Fri, Aug 28, 2020 at 9:59 AM Haskin, Daniel J <DHaskin(at)verisk(dot)com>
> wrote:
>
>> Hello!
>>
>> I wonder if you folks can help me. I am having the hardest time locating
>> documentation on, or otherwise figuring out how to connect to a
>> Kerberos-authenticated database using pgAdmin in Amazon RDS.
>>
>> I can connect to the database just fine with psql + kinit on Linux, but
>> the rest of my team is on Windows and pgAdmin.
>>
>> How, in general, do you connect to a Kerberos-authenticated database from
>> pgAdmin on Windows? I haven't been able to find the answer to this question.
>>
>> In particular, I am connecting to a 12.3 pgsql database hosted on Amazon
>> RDS. No matter what I try, whenever I try to auth via Kerberos, I get this
>> error:
>>
>> SSPI continuation error: The specified target is unknown or unreachable
>> (80090303)
>>
>> If I connect using a local pg user, the connection succeeds.
>> If I connect using kinit + psql on Linux, the connection succeeds.
>> If I connect using the correct host endpoint, I get the error above.
>> If I connect using the AWS alternative method described here[1] of
>> connecting to <endpoint>.<aws-ad-domain>, I *still* get the error above.
>>
>> Is there anyone who can help?
>>
>> 1:
>> https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/postgresql-kerberos-connecting.html
>
>
> pgAdmin doesn't (yet) officially support kerberos authentication. You can
> use SSPI if you're connecting from Windows to a Windows-hosted PostgreSQL
> server in a domain or on the same machine (I actually verified that works
> yesterday), or you can in theory use GSSAPI to authenticate to a Linux
> hosted server if you're on a Linux client (I'm working on verifying that at
> the moment).
>
> Once I've got those scenarios working and verified, I'll move on to
> figuring out how to handle Windows/Mac clients connecting with GSSAPI.
>
> Note that SSPI/GSSAPI will require that you're running pgAdmin in Desktop
> mode. It will not work in Server mode (because the server will typically be
> running under a different user account). There's a feature request for that
> in the backlog.
>

FYI, I've also confirmed that Linux - Linux works with GSSAPI.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com
