Re: GSSAPI authentication

From: Michael van der Kolff <mvanderkolff(at)gmail(dot)com>
To: Niels Jespersen <NJN(at)dst(dot)dk>
Cc: pgsql-general list <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: GSSAPI authentication
Date: 2022-06-06 12:26:06
Message-ID: CAFBbO2Qn4V=V-ZBjBnh-4FVQKJDSkBk+YgVNf0_8B-fSj_tKQA@mail.gmail.com
Lists: pgsql-general

This sounds like your PG service was unable to authenticate itself to AD.

There's probably a trick to that somewhere - AD doesn't really want to be a
Kerberos server, it just happens to use it 😉

On Mon, 6 June 2022, 10:05 pm Niels Jespersen, <NJN(at)dst(dot)dk> wrote:

> Hello all
>
> We are running Postgres 14 on Ubuntu. Our Windows users connect
> passwordless using GSSAPI. This works great.
>
> Now we want users on Linux client to also connect passwordless using
> GSSAPI. Users on Linux log on using their Active Directory credentials, as
> the Linux host (Ubuntu 22.04) is joined to the domain. Logon to Linux works
> fine, access to Windows cifs shares works fine authentication with
> Kerberos.
>
> But psql won't connect using GSSAPI. It does hit the right pg_hba.conf
> line and the username is translated via pg_ident.conf, just fine. But psql
> says
>
> psql: error: connection to server at "srvpostgres4.xxx.local"
> (172.30.33.30), port 1609 failed: could not initiate GSSAPI security
> context: Unspecified GSS failure. Minor code may provide more information:
> Server not found in Kerberos database connection to server at
> "srvpostgres4.xxx.local" (172.30.33.30), port 1609 failed: GSSAPI
> continuation error: Unspecified GSS failure. Minor code may provide more
> information: Server not found in Kerberos database
>
> Server log is like this
>
> 2022-06-06 08:14:01.176 CEST,"yyy","db1",474094,"172.30.32.213:33556",627e83c9.73bee,2,"authentication",2022-06-06
> 08:14:01 CEST,2/14544,0,FATAL,28000,"GSSAPI authentication failed for user
> ""yyy""","Connection matched pg_hba.conf line 15: ""host all
> all 172.0.0.0/8 gss map=xxxlocal include_realm=0
> krb_realm=""XXX.LOCAL""""",,,,,,,,"","client backend",,-3382135431624836920
>
> We are a bit lost here. What are we missing?
>
> Regards Niels Jespersen
>
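
A triage sketch for the two messages quoted above, added here as an example and not part of the original thread: it parses the csvlog record to recover the matched pg_hba.conf line and its GSS options, then derives the service principal the client would have requested. "Server not found in Kerberos database" is the MIT Kerberos text for a KDC reply that the requested service principal is unknown; `postgres` is libpq's `krbsrvname` default, while taking the realm from `krb_realm` and the host name exactly as typed are assumptions.

```python
import csv
import io
import re

# Constructed from the server log line quoted above (PostgreSQL 14 csvlog, 26 columns).
CSVLOG = ('2022-06-06 08:14:01.176 CEST,"yyy","db1",474094,"172.30.32.213:33556",'
          '627e83c9.73bee,2,"authentication",2022-06-06 08:14:01 CEST,2/14544,0,FATAL,28000,'
          '"GSSAPI authentication failed for user ""yyy""",'
          '"Connection matched pg_hba.conf line 15: ""host all all 172.0.0.0/8 gss '
          'map=xxxlocal include_realm=0 krb_realm=""XXX.LOCAL""""",,,,,,,,"","client backend",,'
          '-3382135431624836920')

# Client-side error, shortened from the psql output quoted above.
PSQL_ERR = ('connection to server at "srvpostgres4.xxx.local" (172.30.33.30), port 1609 '
            'failed: could not initiate GSSAPI security context: Unspecified GSS failure. '
            'Minor code may provide more information: Server not found in Kerberos database')


def parse_hba_match(csv_line):
    """Return (hba_line_number, auth_method, options) from a csvlog auth-failure record."""
    row = next(csv.reader(io.StringIO(csv_line)))
    detail = row[14]  # 15th csvlog column is "detail"
    m = re.search(r'pg_hba\.conf line (\d+): "(.*)"$', detail)
    if not m:
        raise ValueError("no pg_hba.conf match in the detail field")
    fields = m.group(2).split()
    # Assumption: a "host db user CIDR method opts..." record, so the method is field 5.
    opts = dict(f.split("=", 1) for f in fields[5:] if "=" in f)
    return int(m.group(1)), fields[4], {k: v.strip('"') for k, v in opts.items()}


def expected_spn(psql_error, realm, krbsrvname="postgres"):
    """SPN the client asked the KDC for when the KDC reported it unknown, else None."""
    if "Server not found in Kerberos database" not in psql_error:
        return None
    host = re.search(r'connection to server at "([^"]+)"', psql_error).group(1)
    # Assumption: no host name canonicalization by the Kerberos library, and the
    # client's realm is the krb_realm from pg_hba.conf.
    return f"{krbsrvname}/{host}@{realm}"


if __name__ == "__main__":
    line_no, method, opts = parse_hba_match(CSVLOG)
    print(f"pg_hba.conf line {line_no}: method={method} options={opts}")
    print("SPN to look for in AD and in the server keytab:",
          expected_spn(PSQL_ERR, opts["krb_realm"]))
```
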
