Re: pgadmin kerberos auth propblem - Delegated credentials not supplied.

Hi,

As you are using AD, there are 2 things you need to check.

1. Configure the AD server in a way that the UPN associated with HTTP
should be able to delegate the tickets to the client.
2. Your browser should be able to support the kerberos ticket negotiation
and delegation.

Reference:
https://www.pgadmin.org/docs/pgadmin4/6.18/kerberos.html
https://www.youtube.com/watch?v=EDg6I21kCak

Thanks,
Khushboo

On Tue, Jan 3, 2023 at 2:32 PM Milan MOLNÁR <milan_molnar(at)tatrabanka(dot)sk>
wrote:

> Hello,
>
>
>
> I have trouble to setup kerberos authetication with pgadmin. I run pgadmin
> in the docker container and I’d like to use SPENGO SSO to access pgadmin.
> Pgadmin fails to authenticate user and the error message is „'Delegated
> credentials not supplied.“ It seem, that credentials does not contain
> delegated part. Do you have any suggestion where is the problem with my
> setup? Do you use kerberos auth – pls can you share your setup or just
> explain it a little bit?
>
>
>
> We have kdc servers on the linux and there is trust between active
> directory (we use kerberos for many other services and it is working
> properly). I tried to connect from the PC where I’m loggend in the AD.
>
>
>
> Docker container
>
> *Dockerfile*
>
> FROM dpage/pgadmin4:6.17
>
>
>
> COPY krb5.conf /etc/krb5.conf
>
> COPY config.py /pgadmin4/config.py
>
>
>
> config.py changed variables (we have reason why to change vars here)
>
> AUTHENTICATION_SOURCES = ['kerberos','internal']
>
> KRB_APP_HOST_NAME = ‚fqdn of pgadmin‘
>
> KRB_KTNAME = '/var/lib/pgadmin/pgadmin.keytab'
>
>
>
> *krb5.conf*
>
> cat krb5-wsl.conf
>
> [libdefaults]
>
> clockskew = 18000
>
> canonicalize = true
>
> dns_canonicalize_hostname= false
>
> rdns = false
>
> default_realm = EXAMPLE.COM
>
> default_keytab_name=/var/lib/pgadmin/pgadmin.keytab
>
> dns_lookup_kdc = false
>
> #ignore_acceptor_hostname = true
>
> proxiable = true
>
> realm_try_domains = 1
>
>
>
> dns_lookup_realm = false
>
> ticket_lifetime = 86400
>
> renew_lifetime = 604800
>
> forwardable = true
>
> #default_tgs_enctypes = aes256-cts-hmac-sha1-96
>
> #default_tkt_enctypes = aes256-cts-hmac-sha1-96
>
> permitted_enctypes = aes256-cts aes128-cts
>
> udp_preference_limit = 1
>
> kdc_timeout = 5000
>
>
>
> [realms]
>
> EXAMPLE.COM = {
>
> kdc = kdc01.EXAMPLE.COM
>
> kdc = kdc02.EXAMPLE.COM
>
> admin_server = kdc01.EXAMPLE.COM
>
> default_domain = EXAMPLE.COM
>
> }
>
> [domain_realm]
>
> .EXAMPLE.COM=EXAMPLE.COM
>
> EXAMPLE.COM = EXAMPLE.COM
>
>
>
>
>
> *pgadmin4/pgadmin/authenticate/kerberos.py*
>
>
>
> def negotiate_start(self, in_token):
>
> svc_princ = gssapi.Name('HTTP(at)%s' % config.KRB_APP_HOST_NAME,
>
>
> name_type=gssapi.NameType.hostbased_service)
>
> cname = svc_princ.canonicalize(gssapi.MechType.kerberos)
>
>
>
> try:
>
> server_creds = gssapi.Credentials(usage='accept', name=cname)
>
> context = gssapi.SecurityContext(creds=server_creds)
>
> out_token = context.step(base64.b64decode(in_token))
>
> except Exception as e:
>
> current_app.logger.exception(e)
>
> return False, e
>
>
>
> if out_token and not context.complete:
>
> return False, out_token
>
> if context.complete:
>
> deleg_creds = context.delegated_creds
>
> if not hasattr(deleg_creds, 'name'):
>
> *error_msg = gettext('Delegated credentials not
> supplied.')*
>
> current_app.logger.error(error_msg)
>
> return False, Exception(error_msg)
>
> try:
>
> ...
>
>
>
>
>
> Thank you
>
> Regards
>
> Milanm
>
>
>
>
> ________________________________________________________________________
> Informácie obsiahnuté v tomto dokumente sú určené výlučne pre potreby jeho
> adresáta.
> Dokument môže obsahovať informácie chránené bankovým alebo obchodným
> tajomstvom alebo informácie podliehajúce ochrane podľa iných právnych
> predpisov.
> V prípade, že Vám bol tento dokument doručený omylom, vyzývame Vás,
> aby ste sa zdržali odtajnenia alebo použitia pre vlastnú potrebu.
> Zároveň si Vás dovoľujeme požiadať, aby ste nás o takomto prípade
> bez zbytočného odkladu informovali a následne dokument zlikvidovali.
>
> The information contained in this document is intended exclusively for the
> needs of its addressee. The document may contain information protected
> by banking or trade secrets or information subject to protection under
> other
> legal regulations. In the event that this document was delivered to you by
> mistake,
> we urge you to refrain from declassifying it or using it for your own
> purposes.
> At the same time, we would like to request that you inform us of such a
> case
> without undue delay and then dispose of the document.
>
> Tatra banka, a.s.
> Hodžovo námestie 3, 811 06 Bratislava 1
> IČO: 00 686 930
> Zapísaná v obchodnom registri Okresného sudu Bratislava I
> Oddiel: Sa, vložka číslo: 71/B
> *https://www.tatrabanka.sk*
> <https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.tatrabanka.sk%2F&data=05%7C01%7Crastislav_purdek%40tatrabanka.sk%7C00381060a1bf42e1875808daaab3630f%7C9b511fdaf0b143a5b06e1e720f64520a%7C0%7C0%7C638009984675941476%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=wkGykBMUSLFM8xVDc50OL3XXDoB%2F31%2FS6tAGW47xgMQ%3D&reserved=0>
>