Re: PostgreSQL Kerberos Authentication

From: Poul Kristensen <bcc5226(at)gmail(dot)com>
To: HIRTZ Jorge Alberto TENARIS <jhirtz(at)tenaris(dot)com>
Cc: "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: PostgreSQL Kerberos Authentication
Date: 2018-01-30 16:50:09
Message-ID: CAAOuvVqNizV=48NCtod2QqePLTkut2GBWyow1pBZ900vk6pxEQ@mail.gmail.com
Lists: pgsql-general

You need to tell PostgreSQL/pg_hba.conf the AD Kerberos server name ldap
= kerberos.domain.com and suffix @domain.com

Then create the user (which is in fact a role) as the owner of a database.
Hereafter the user could just run psql after login, and after password
authentication the user/role is logged into the database.

It has been tested and works!

Hope it is useful.

regards
Poul

2018-01-30 17:13 GMT+01:00 HIRTZ Jorge Alberto TENARIS <jhirtz(at)tenaris(dot)com>:

> Hello All,
>
> I am trying to configure PostgreSQL 9.6 (on CentOS 7.4) with Kerberos
> (Active Directory) via GSSAPI authentication and I'm getting the following
> error:
>
> [postgres(at)hostname data]$ psql -h hostname -U USERNAME(at)DOMAIN(dot)COM postgres
>
> psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may
> provide more information
>
> GSSAPI continuation error: Server not found in Kerberos database
>
> I did the following configuration:
>
>
>
> 1.- Create KeyTab in Active Directory:
>
> ktpass -out postgres_instance.keytab -princ postgres/hostnamename.domain.com(at)DOMAIN(dot)COM -mapUser svcPostgres -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL
>
> 2.- Copy the keytab to Linux Server on $PGDATA and change the privileges
> to postgres:postgres
>
> 3.- Configure postgresql.conf
>
> krb_server_keyfile = '/<INSTANCA_NAME>/data/postgres_instance.keytab'
>
> 4.- Configure /etc/krb5.conf
>
> 5.- Request a ticket to the KDC server using kinit (this works OK!)
>
> [postgres(at)hostname ~]$ klist
>
> Ticket cache: KEYRING:persistent:26:krb_ccache_AO0Y1kx
>
> Default principal: USERNAME(at)DOMAIN(dot)COM
>
> Valid starting       Expires              Service principal
> 01/30/2018 11:01:59  01/30/2018 21:01:59  krbtgt/DOMAIN(dot)COM(at)DOMAIN(dot)COM
>         renew until 02/06/2018 11:01:55
>
> 6.- Configure pg_hba.conf
>
> host all all 0.0.0.0/0 gss include_realm=1
>
> 7.- Create user in PG to test:
>
> create user "USERNAME(at)DOMAIN(dot)COM" WITH SUPERUSER;
>
> 8.- Testing
>
> [postgres(at)hostname data]$ psql -h hostname -U USERNAME(at)DOMAIN(dot)COM postgres
>
> psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may
> provide more information
>
> GSSAPI continuation error: Server not found in Kerberos database
>
> I tried generating the keytab with “postgres” and “POSTGRES” user as the SPN
> but I get the same error.
>
> Any suggestion is welcome!
>
> Thanks in advance for your help!
>
> Jorge
>

--
Med venlig hilsen / Best regards
Poul Kristensen
Linux-OS/Virtualizationexpert and Oracle DBA
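Added example (not from the thread or from PostgreSQL itself): a small Python model of the two steps the reply and the quoted `host all all 0.0.0.0/0 gss include_realm=1` line depend on, pg_hba.conf rule selection and the mapping of the authenticated Kerberos principal to the requested role under include_realm and krb_realm. The sample pg_hba.conf, client addresses and role names are constructed.

```python
import ipaddress

# Constructed sample pg_hba.conf: the second rule is the one from the thread,
# the first is an assumed contrasting rule showing include_realm=0 with krb_realm.
SAMPLE_PG_HBA = """
# TYPE  DATABASE  USER  ADDRESS      METHOD  OPTIONS
host    all       all   10.0.0.0/8   gss     include_realm=0 krb_realm=DOMAIN.COM
host    all       all   0.0.0.0/0    gss     include_realm=1
"""

def parse_pg_hba(text):
    """Parse 'host' rules into dicts (other connection types are skipped here)."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] != "host":
            continue
        _, db, user, addr, method = fields[:5]
        opts = dict(opt.split("=", 1) for opt in fields[5:])
        rules.append({"db": db, "user": user, "net": ipaddress.ip_network(addr),
                      "method": method, "opts": opts})
    return rules

def gss_check(rules, client_ip, db, requested_role, principal):
    """Describe how the first matching rule treats a GSSAPI login.

    The server selects the first rule whose address, database and *requested*
    role match; only afterwards is the authenticated principal compared with
    that role (exactly, case-sensitively, when no pg_ident map is used).
    """
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if (ip not in rule["net"] or rule["db"] not in ("all", db)
                or rule["user"] not in ("all", requested_role)):
            continue
        if rule["method"] != "gss":
            return "rule matched but method is %s" % rule["method"]
        name, has_realm, realm = principal.partition("@")
        allowed = rule["opts"].get("krb_realm")
        if has_realm and allowed and realm != allowed:
            return "rejected: realm %s not permitted" % realm
        # include_realm defaults to 1 on the 9.6 server in the thread: the role
        # name must carry the realm, which is why the thread creates "USER@REALM".
        expected = principal if rule["opts"].get("include_realm", "1") == "1" else name
        if expected != requested_role:
            return "rejected: principal maps to %s, role requested %s" % (expected, requested_role)
        return "ok"
    return "no matching pg_hba.conf rule"
```

Note that this models only the role-name comparison after GSSAPI succeeds; the "Server not found in Kerberos database" error in the thread occurs earlier, when the client asks the KDC for a ticket to the postgres/<host> service principal.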
