Re: pgadmin kerberos auth problem - Delegated credentials not supplied.

From: Khushboo Vashi <khushboo(dot)vashi(at)enterprisedb(dot)com>
To: Milan MOLNÁR <milan_molnar(at)tatrabanka(dot)sk>
Cc: "pgadmin-support(at)postgresql(dot)org" <pgadmin-support(at)postgresql(dot)org>
Subject: Re: pgadmin kerberos auth problem - Delegated credentials not supplied.
Date: 2023-01-09 06:10:57
Message-ID: CAFOhELfPxSTJb0ewn66C5ww4XozKasnX6qzCkbD8rUcDKR5WkA@mail.gmail.com
Lists: pgadmin-support

Hi,

On Sat, Jan 7, 2023 at 3:53 PM Milan MOLNÁR <milan_molnar(at)tatrabanka(dot)sk>
wrote:

> Hello Khushboo,
>
>
>
> thank you for your time and advice. We had to change the concept based on
> your recommendation because, as I wrote, we used an external KDC on Linux to
> provide the Kerberos ticket for the service and therefore there was no user in
> AD.
>
> We created a service user account in AD (password never expires, AES
> 128/256 encryption), set the service SPN on that user, and generated the keytab
> via the ktpass command. When we have pgadmin use this keytab and ask AD
> directly for a Kerberos ticket, we end up with the error message
>
Have you used any encryption type while creating the keytab? It should
match the one on the AD user account.
If possible, please provide the command you used to create the keytab
file.

Make sure to generate a new keytab whenever you make changes to the AD user.

Thanks,
Khushboo

>
>
> "ERROR pgadmin: Major (65536): An unsupported mechanism was requested,
> Minor (0): Unknown error"
>
>
>
> When I try to get a ticket for the service via the kinit command I can get it,
> but the default principal is not the service SPN but the Windows 2000 logon name
> of the AD user that this SPN is mapped to?
>
>
>
> Do you have any idea/advice how to solve this problem?
>
>
>
> Logs from the container
>
>
>
> 2023-01-07 10:16:44,252: DEBUG pgadmin: Authentication initiated via
> source: kerberos
> ::ffff:10.238.6.198 - - [07/Jan/2023:10:16:44 +0000] "GET
> /login?next=%2Fbrowser%2F HTTP/1.1" 401 4725 "-" "Mozilla/5.0 (Windows NT
> 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0
> Safari/537.36 Edg/108.0.1462.54"
> 2023-01-07 10:16:44,388: DEBUG pgadmin: Authentication initiated via
> source: kerberos
> 2023-01-07 10:16:44,407: ERROR pgadmin: Major (65536): An unsupported
> mechanism was requested, Minor (0): Unknown error
> Traceback (most recent call last):
>   File "/pgadmin4/pgadmin/authenticate/kerberos.py", line 237, in negotiate_start
>     out_token = context.step(base64.b64decode(in_token))
>   File "/venv/lib/python3.10/site-packages/decorator.py", line 232, in fun
>     return caller(func, *(extras + args), **kw)
>   File "/venv/lib/python3.10/site-packages/gssapi/_utils.py", line 165, in check_last_err
>     return func(self, *args, **kwargs)
>   File "/venv/lib/python3.10/site-packages/decorator.py", line 232, in fun
>     return caller(func, *(extras + args), **kw)
>   File "/venv/lib/python3.10/site-packages/gssapi/_utils.py", line 131, in catch_and_return_token
>     return func(self, *args, **kwargs)
>   File "/venv/lib/python3.10/site-packages/gssapi/sec_contexts.py", line 582, in step
>     return self._acceptor_step(token=token or b"")
>   File "/venv/lib/python3.10/site-packages/gssapi/sec_contexts.py", line 590, in _acceptor_step
>     res = rsec_contexts.accept_sec_context(token, self._creds,
>   File "gssapi/raw/sec_contexts.pyx", line 270, in gssapi.raw.sec_contexts.accept_sec_context
> gssapi.raw.exceptions.BadMechanismError: Major (65536): An
> unsupported mechanism was requested, Minor (0): Unknown error
>
>
>
> Thank you very much for your time and investigation
>
> Regards
>
> milanm
>
> *From:* Khushboo Vashi <khushboo(dot)vashi(at)enterprisedb(dot)com>
> *Sent:* Wednesday, January 4, 2023 5:43 AM
> *To:* Milan MOLNÁR <milan_molnar(at)tatrabanka(dot)sk>
> *Cc:* pgadmin-support(at)postgresql(dot)org
> *Subject:* Re: pgadmin kerberos auth problem - Delegated credentials not
> supplied.
>
>
>
>
>
>
> Hi,
>
>
>
> As you are using AD, there are 2 things you need to check.
>
>
>
> 1. Configure the AD server in a way that the UPN associated with HTTP
> should be able to delegate the tickets to the client.
>
> 2. Your browser should be able to support the kerberos ticket negotiation
> and delegation.
>
>
>
> Reference:
>
> https://www.pgadmin.org/docs/pgadmin4/6.18/kerberos.html
>
> https://www.youtube.com/watch?v=EDg6I21kCak
>
>
>
> Thanks,
>
> Khushboo
>
>
>
>
>
>
>
> On Tue, Jan 3, 2023 at 2:32 PM Milan MOLNÁR <milan_molnar(at)tatrabanka(dot)sk>
> wrote:
>
> Hello,
>
>
>
> I have trouble setting up Kerberos authentication with pgadmin. I run pgadmin
> in a docker container and I'd like to use SPNEGO SSO to access pgadmin.
> Pgadmin fails to authenticate the user and the error message is "Delegated
> credentials not supplied." It seems that the credentials do not contain the
> delegated part. Do you have any suggestion where the problem is with my
> setup? Do you use Kerberos auth – please can you share your setup or just
> explain it a little bit?
>
>
>
> We have KDC servers on Linux and there is a trust with Active
> Directory (we use Kerberos for many other services and it works
> properly). I tried to connect from a PC where I'm logged in to AD.
>
>
>
> Docker container
>
> *Dockerfile*
>
> FROM dpage/pgadmin4:6.17
>
> COPY krb5.conf /etc/krb5.conf
> COPY config.py /pgadmin4/config.py
>
> config.py changed variables (we have a reason to change the vars here)
>
> AUTHENTICATION_SOURCES = ['kerberos', 'internal']
> KRB_APP_HOST_NAME = '<fqdn of pgadmin>'
> KRB_KTNAME = '/var/lib/pgadmin/pgadmin.keytab'
>
>
>
> *krb5.conf*
>
> cat krb5-wsl.conf
>
> [libdefaults]
>     clockskew = 18000
>     canonicalize = true
>     dns_canonicalize_hostname = false
>     rdns = false
>     default_realm = EXAMPLE.COM
>     default_keytab_name = /var/lib/pgadmin/pgadmin.keytab
>     dns_lookup_kdc = false
>     #ignore_acceptor_hostname = true
>     proxiable = true
>     realm_try_domains = 1
>
>     dns_lookup_realm = false
>     ticket_lifetime = 86400
>     renew_lifetime = 604800
>     forwardable = true
>     #default_tgs_enctypes = aes256-cts-hmac-sha1-96
>     #default_tkt_enctypes = aes256-cts-hmac-sha1-96
>     permitted_enctypes = aes256-cts aes128-cts
>     udp_preference_limit = 1
>     kdc_timeout = 5000
>
> [realms]
>     EXAMPLE.COM = {
>         kdc = kdc01.EXAMPLE.COM
>         kdc = kdc02.EXAMPLE.COM
>         admin_server = kdc01.EXAMPLE.COM
>         default_domain = EXAMPLE.COM
>     }
>
> [domain_realm]
>     .EXAMPLE.COM = EXAMPLE.COM
>     EXAMPLE.COM = EXAMPLE.COM
>
> *pgadmin4/pgadmin/authenticate/kerberos.py*
>
>     def negotiate_start(self, in_token):
>         svc_princ = gssapi.Name('HTTP@%s' % config.KRB_APP_HOST_NAME,
>                                 name_type=gssapi.NameType.hostbased_service)
>         cname = svc_princ.canonicalize(gssapi.MechType.kerberos)
>
>         try:
>             server_creds = gssapi.Credentials(usage='accept', name=cname)
>             context = gssapi.SecurityContext(creds=server_creds)
>             out_token = context.step(base64.b64decode(in_token))
>         except Exception as e:
>             current_app.logger.exception(e)
>             return False, e
>
>         if out_token and not context.complete:
>             return False, out_token
>         if context.complete:
>             deleg_creds = context.delegated_creds
>             if not hasattr(deleg_creds, 'name'):
>                 error_msg = gettext('Delegated credentials not supplied.')
>                 current_app.logger.error(error_msg)
>                 return False, Exception(error_msg)
>             try:
>                 ...
>
>
>
>
>
> Thank you
>
> Regards
>
> Milanm
>
>
>
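Two points in this thread can be checked offline rather than by trial and error: Khushboo's question whether the keytab's encryption type matches the AD account, and the `BadMechanismError` (major 65536, which is GSS_S_BAD_MECH) raised in `negotiate_start` when the token the browser sent is not one the Kerberos acceptor can handle. The script below is an added example written for this page; it is not pgAdmin code and not the poster's. It assumes the MIT keytab file format version 0x0502 (the one `ktpass` and `ktutil` produce today), takes the `msDS-SupportedEncryptionTypes` bit values from Microsoft's documentation of that attribute, and uses a constructed principal `HTTP/pgadmin.example.com@EXAMPLE.COM`; the Negotiate tokens and keytab bytes are constructed sample data, not captures.

```python
"""Added example (not pgAdmin code, not from the thread): two offline checks
for the errors seen above. Sample tokens and keytab bytes are constructed."""
import base64
import struct

# ---- 1. Which mechanism did the browser send in "Authorization: Negotiate"?
# DER-encoded OIDs as they appear inside a GSS-API InitialContextToken (0x60).
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2


def classify_negotiate_token(b64token):
    """Return 'ntlm', 'spnego', 'krb5' or 'unknown'. A Kerberos-only acceptor
    such as pgAdmin's answers an NTLM token with GSS_S_BAD_MECH (major 65536,
    'An unsupported mechanism was requested'): the browser fell back to NTLM
    instead of presenting a ticket for HTTP/<fqdn>."""
    raw = base64.b64decode(b64token)
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    if raw[:1] == b"\x60":                         # GSS-API framed token
        if SPNEGO_OID in raw[:16]:
            return "spnego"
        if KRB5_OID in raw[:16]:
            return "krb5"
    return "unknown"


# Constructed header-only samples of what a browser might send.
SAMPLE_NTLM_TOKEN = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28).decode()
SAMPLE_SPNEGO_TOKEN = base64.b64encode(b"\x60\x0c\x06\x06" + SPNEGO_OID + b"\xa0\x02\x30\x00").decode()

# ---- 2. Do the keytab's keys match the AD account's enctypes and kvno? -----
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
# msDS-SupportedEncryptionTypes bits (Microsoft-documented) -> enctype numbers.
AD_ETYPE_BITS = {0x1: 1, 0x2: 3, 0x4: 23, 0x8: 17, 0x10: 18}


def _name(etype):
    return ENCTYPE_NAMES.get(etype, str(etype))


def _read_counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Parse an MIT keytab (assumed format 0x0502, big-endian) into dicts of
    principal/kvno/enctype/key_len. Key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                               # deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _nt, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen
        kvno = vno8
        if end - pos >= 4:                         # optional 32-bit kvno
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key_len": klen})
        pos = end
    return entries


def check_keytab(data, principal, ad_etypes_mask):
    """Findings (empty list = consistent) for `principal`'s keys versus the AD
    account's msDS-SupportedEncryptionTypes mask (0 = attribute unset, which
    guarantees nothing and is reported as no common enctype)."""
    ad_etypes = {e for bit, e in AD_ETYPE_BITS.items() if ad_etypes_mask & bit}
    mine = [e for e in parse_keytab(data) if e["principal"] == principal]
    if not mine:
        return ["no keytab entry for %s" % principal]
    findings = []
    newest = max(e["kvno"] for e in mine)
    current = {e["enctype"] for e in mine if e["kvno"] == newest}
    if not current & ad_etypes:
        findings.append("no enctype in common at kvno %d: keytab %s, AD %s" % (
            newest, sorted(map(_name, current)), sorted(map(_name, ad_etypes))))
    if any(e["kvno"] != newest for e in mine):
        findings.append("stale kvno entries present: regenerate the keytab "
                        "after any change to the AD account")
    for e in mine:
        if e["enctype"] in (1, 3, 23):             # DES and RC4 keys
            findings.append("weak enctype %s at kvno %d" % (_name(e["enctype"]), e["kvno"]))
    return findings


def _counted(b):
    return struct.pack(">H", len(b)) + b


def build_entry(principal, kvno, enctype, key):
    """Encode one 0x0502 keytab entry (used only to construct sample data)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)     # NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


SVC = "HTTP/pgadmin.example.com@EXAMPLE.COM"       # constructed principal
# Constructed keytab: current AES keys at kvno 2 plus a stale RC4 key at kvno 1.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(SVC, 2, 18, b"\x11" * 32) \
    + build_entry(SVC, 2, 17, b"\x22" * 16) + build_entry(SVC, 1, 23, b"\x33" * 16)

if __name__ == "__main__":
    print(classify_negotiate_token(SAMPLE_NTLM_TOKEN))
    for finding in check_keytab(SAMPLE_KEYTAB, SVC, 0x18):   # AES128 | AES256
        print("-", finding)
```

Run against a real file with `check_keytab(open(path, "rb").read(), "HTTP/<fqdn>@REALM", mask)`, where the mask is the account's `msDS-SupportedEncryptionTypes` value (0x18 when only the two AES checkboxes are set). `ktpass /crypto AES256-SHA1` (or `AES128-SHA1`) chooses the enctype written to the keytab, and it must be one the account has enabled; `ktpass` also sets the account password, which bumps the kvno, which is why a keytab generated before a later account change stops working and a fresh one has to be generated, as Khushboo says. Seeing `ntlm` from `classify_negotiate_token` on the token pgAdmin received means the browser never obtained a Kerberos ticket for the `HTTP/<fqdn>` SPN, so the fix lies in the SPN, the host name pgAdmin is reached under, or the browser's Negotiate configuration rather than in pgAdmin.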
