From: | Poul Kristensen <bcc5226(at)gmail(dot)com> |
---|---|
To: | HIRTZ Jorge Alberto TENARIS <jhirtz(at)tenaris(dot)com> |
Cc: | "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: PostgreSQL Kerberos Authentication |
Date: | 2018-01-30 16:50:09 |
Message-ID: | CAAOuvVqNizV=48NCtod2QqePLTkut2GBWyow1pBZ900vk6pxEQ@mail.gmail.com |
Lists: | pgsql-general |
You need to tell PostgreSQL/pg_hba.conf the AD Kerberos server name ldap
= kerberos.domain.com and suffix @domain.com.
Then create the users (a user is in fact a role) as the owner of a database.
Hereafter the user can just type psql after login and, after password
authentication, the user/role is logged into the database.
It has been tested and works!
Hope it is useful.
regards
Poul
2018-01-30 17:13 GMT+01:00 HIRTZ Jorge Alberto TENARIS <jhirtz(at)tenaris(dot)com>:
> Hello All,
>
> I am trying to configure PostgreSQL 9.6 (on CentOS 7.4) with Kerberos
> (Active Directory) via GSSAPI authentication and I'm getting the following
> error:
>
> [postgres@hostname data]$ psql -h hostname -U USERNAME@DOMAIN.COM postgres
>
> psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may
> provide more information
>
> GSSAPI continuation error: Server not found in Kerberos database
>
> I did the following configuration:
>
> 1.- Create KeyTab in Active Directory:
>
> ktpass -out postgres_instance.keytab -princ postgres/hostnamename.domain.com@DOMAIN.COM -mapUser svcPostgres -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL
>
> 2.- Copy the keytab to Linux Server on $PGDATA and change the privileges
> to postgres:postgres
>
> 3.- Configure postgresql.conf
>
> krb_server_keyfile = '/<INSTANCA_NAME>/data/postgres_instance.keytab'
>
> 4.- Configure /etc/krb5.conf
>
> 5.- Request a ticket to the KDC server using kinit (this works OK!)
>
> [postgres@hostname ~]$ klist
>
> Ticket cache: KEYRING:persistent:26:krb_ccache_AO0Y1kx
>
> Default principal: USERNAME@DOMAIN.COM
>
> Valid starting       Expires              Service principal
> 01/30/2018 11:01:59  01/30/2018 21:01:59  krbtgt/DOMAIN.COM@DOMAIN.COM
>         renew until 02/06/2018 11:01:55
>
> 6.- Configure pg_hba.conf
>
> host    all    all    0.0.0.0/0    gss include_realm=1
>
> 7.- Create user in PG to test:
>
> create user "USERNAME@DOMAIN.COM" WITH SUPERUSER;
>
> 8.- Testing
>
> [postgres@hostname data]$ psql -h hostname -U USERNAME@DOMAIN.COM postgres
>
> psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may
> provide more information
>
> GSSAPI continuation error: Server not found in Kerberos database
>
> I tried generating the Keytab with "postgres" and "POSTGRES" user as a SPN
> but I get the same error.
>
> Any suggestion is welcome!
>
> Thanks in advance for your help!
>
> Jorge
>
--
Med venlig hilsen / Best regards
Poul Kristensen
Linux OS/Virtualization expert and Oracle DBA
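The script below is an added diagnostic, not part of this thread and not PostgreSQL's own tooling. It targets the one thing the quoted error "Server not found in Kerberos database" is about: before the server's keytab is ever consulted, libpq asks the KDC for a service ticket for krbsrvname/host@REALM (krbsrvname defaults to postgres; host is the name given to -h, as canonicalised through DNS), and the KDC answers with that error when no account carries that exact SPN. So the name passed to ktpass -princ has to match what the client will request. The realm DOMAIN.COM, the host names and the keytab path are assumptions; the keytab is placed outside $PGDATA and readable only by postgres, so that it is not carried along with base backups of the data directory. The parsing functions run offline; the live checks (klist, kvno, DNS) run only with --live on a host that has krb5-workstation and a TGT.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for PostgreSQL GSSAPI
# authentication against Active Directory. All names below are assumptions.

PG_SERVICE=${PG_SERVICE:-postgres}                 # libpq default krbsrvname
REALM=${REALM:-DOMAIN.COM}                         # assumed AD realm
KEYTAB=${KEYTAB:-/var/lib/pgsql/postgres.keytab}   # assumed path, outside $PGDATA

# The client asks the KDC for <krbsrvname>/<host>@<realm>, where <host> is the
# name it connects to (psql -h ...) after DNS canonicalisation.
expected_spn() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Extract principal names from `klist -kt <keytab>` output read on stdin.
# Only entry lines contain an '@'; the principal is the last field.
principals_from_klist() {
    awk '/@/ { print $NF }' | sort -u
}

# Succeeds when the keytab listing on stdin contains exactly the given principal.
keytab_has_spn() {
    principals_from_klist | grep -Fxq "$1"
}

# Live checks, only when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    host=$(hostname -f)
    spn=$(expected_spn "$PG_SERVICE" "$host" "$REALM")
    echo "Expecting service principal: $spn"

    # Keytab must be owned by postgres with mode 0600.
    ls -l "$KEYTAB"

    if klist -kt "$KEYTAB" | keytab_has_spn "$spn"; then
        echo "keytab contains $spn"
    else
        echo "keytab does NOT contain $spn; entries are:"
        klist -kt "$KEYTAB" | principals_from_klist
    fi

    # Ask the KDC for a service ticket using the current TGT. A failure here
    # with "Server not found in Kerberos database" means the SPN is not
    # registered in AD under that exact name, independently of PostgreSQL.
    kvno "$spn"

    # Forward and reverse DNS must agree, otherwise krb5 may canonicalise the
    # -h argument to a name different from the one in the keytab.
    getent hosts "$host"
fi
```

Run it as the postgres user after kinit: `sh check_pg_gss.sh --live`. If kvno fails while klist -kt shows the expected entry, the problem is on the AD side (SPN missing or registered under another host name), not in postgresql.conf or pg_hba.conf.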