From: | Michael van der Kolff <mvanderkolff(at)gmail(dot)com> |
---|---|
To: | Niels Jespersen <NJN(at)dst(dot)dk> |
Cc: | pgsql-general list <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: GSSAPI authentication |
Date: | 2022-06-06 13:01:10 |
Message-ID: | CAFBbO2S33xOC3P3_CNFtnDwVAn5uhsYTTBDv8sXn-y=gcEBuRQ@mail.gmail.com |
Lists: | pgsql-general |
Looking closely at a configuration guide for MSSQL with Kerberos
authentication, I see this part:
https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections?view=sql-server-ver16#Manual.
It looks like it might be adapted to your question.
--Michael
On Mon, Jun 6, 2022 at 10:26 PM Michael van der Kolff <
mvanderkolff(at)gmail(dot)com> wrote:
> This sounds like your PG service was unable to authenticate itself to AD.
>
> There's probably a trick to that somewhere - AD doesn't really want to be
> a Kerberos server, it just happens to use it 😉
>
> On Mon, 6 June 2022, 10:05 pm Niels Jespersen, <NJN(at)dst(dot)dk> wrote:
>
>> Hello all
>>
>> We are running Postgres 14 on Ubuntu. Our Windows users connect
>> passwordless using GSSAPI. This works great.
>>
>> Now we want users on Linux client to also connect passwordless using
>> GSSAPI. Users on Linux log on using their Active Directory credentials, as
>> the Linux host (Ubuntu 22.04) is joined to the domain. Logon to Linux works
>> fine, access to Windows cifs shares works fine authentication with
>> Kerberos.
>>
>> But psql won't connect using GSSAPI. It does hit the right pg_hba.conf
>> line and the username is translated via pg_ident.conf, just fine. But psql
>> says
>>
>> psql: error: connection to server at "srvpostgres4.xxx.local"
>> (172.30.33.30), port 1609 failed: could not initiate GSSAPI security
>> context: Unspecified GSS failure. Minor code may provide more information:
>> Server not found in Kerberos database connection to server at
>> "srvpostgres4.xxx.local" (172.30.33.30), port 1609 failed: GSSAPI
>> continuation error: Unspecified GSS failure. Minor code may provide more
>> information: Server not found in Kerberos database
>>
>> Server log is like this
>>
>> 2022-06-06 08:14:01.176 CEST,"yyy","db1",474094,"172.30.32.213:33556",627e83c9.73bee,2,"authentication",2022-06-06
>> 08:14:01 CEST,2/14544,0,FATAL,28000,"GSSAPI authentication failed for user
>> ""yyy""","Connection matched pg_hba.conf line 15: ""host all
>> all 172.0.0.0/8 gss map=xxxlocal include_realm=0
>> krb_realm=""XXX.LOCAL""""",,,,,,,,"","client backend",,-3382135431624836920
>>
>> We are a bit lost here. What are we missing?
>>
>> Regards Niels Jespersen
>
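
Added example, not part of either message and not PostgreSQL project code: a Python check that builds the service principal a libpq client requests for the host named in the error above (`krbsrvname/host@REALM`, with libpq's default `krbsrvname` of `postgres`) and compares it case-sensitively with the principals in a keytab listing. The `klist -k` output, the keytab path and the function names are constructed for illustration; the realm `XXX.LOCAL` is assumed from the `krb_realm` value in the quoted log line, and hostname canonicalization by the Kerberos library is not modelled.

```python
import re

# Constructed inputs: the psql error quoted in the thread and a made-up
# `klist -k` listing of a server keytab (path and entries are placeholders).
PSQL_ERROR = ('psql: error: connection to server at "srvpostgres4.xxx.local" '
              '(172.30.33.30), port 1609 failed: could not initiate GSSAPI '
              'security context: Unspecified GSS failure. Minor code may '
              'provide more information: Server not found in Kerberos database')
KLIST_K = """Keytab name: FILE:/path/to/postgres.keytab
KVNO Principal
---- ----------------------------------------------------------
   3 POSTGRES/srvpostgres4.xxx.local@XXX.LOCAL
   3 postgres/srvpostgres4@XXX.LOCAL
"""

def requested_spn(error_text, realm, srvname="postgres"):
    """Build krbsrvname/host@REALM for the host named in the psql error."""
    m = re.search(r'connection to server at "([^"]+)"', error_text)
    if m is None:
        raise ValueError("no server host in error text")
    return f"{srvname}/{m.group(1)}@{realm}"

def keytab_principals(klist_output):
    """Extract principal names from `klist -k` rows ('<kvno> <principal>')."""
    rows = (line.split() for line in klist_output.splitlines())
    return [r[1] for r in rows if len(r) == 2 and r[0].isdigit() and "@" in r[1]]

def diagnose(spn, principals):
    """Return (status, candidates); the exact comparison is case-sensitive."""
    if spn in principals:
        return "match", [spn]
    folded = [p for p in principals if p.lower() == spn.lower()]
    if folded:  # same name, different letter case (e.g. POSTGRES vs postgres)
        return "case-mismatch", folded
    service, realm = spn.split("/")[0], spn.rsplit("@", 1)[1]
    short_host = spn.split("/")[1].split("@")[0].split(".")[0]
    related = [p for p in principals  # same service and realm, other host form
               if p.lower().startswith(f"{service}/{short_host}".lower())
               and p.endswith("@" + realm)]
    return ("host-mismatch" if related else "missing"), related

if __name__ == "__main__":
    spn = requested_spn(PSQL_ERROR, realm="XXX.LOCAL")
    print(spn, diagnose(spn, keytab_principals(KLIST_K)))
```
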