Re: pgadmin kerberos auth problem - Delegated credentials not supplied.

From: Khushboo Vashi <khushboo(dot)vashi(at)enterprisedb(dot)com>
To: Milan MOLNÁR <milan_molnar(at)tatrabanka(dot)sk>
Cc: "pgadmin-support(at)postgresql(dot)org" <pgadmin-support(at)postgresql(dot)org>
Subject: Re: pgadmin kerberos auth problem - Delegated credentials not supplied.
Date: 2023-01-09 10:03:05
Message-ID: CAFOhELfwzS5UkBHs-gWwnYJAXEHoVAOu7qAQXTTdjnEkk+2eRA@mail.gmail.com
Lists: pgadmin-support

On Mon, Jan 9, 2023 at 3:15 PM Milan MOLNÁR <milan_molnar(at)tatrabanka(dot)sk>
wrote:

> Hi,
>
>
>
> here is the command with which the keytab has been regenerated. Unfortunately
> it did not help.
>
>
>
> ktpass -out pgadmin-dev-ad-ee1.keytab -mapUser pgadmin-dev@AWS-AD-EE1.EXAMPLE.COM +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/pgadmin-dev.aws-ad-ee1.example.com.sk@AWS-AD-EE1.EXAMPLE.COM
>
> Targeting domain controller: IP-C6130167.aws-ad-ee1.example.com
> Successfully mapped HTTP/pgadmin-dev.aws-ad-ee1.example.com to pgadmin-dev.
> Password successfully set!
> Building salt with principalname HTTP/pgadmin-dev.aws-ad-ee1.example.com and domain AWS-AD-EE1.EXAMPLE.COM.SK (encryption type 18)...
> Hashing password with salt "AWS-AD-EE1.EXAMPLE.COMHTTPpgadmin-dev.aws-ad-ee1.example.com".
> Key created.
> Output keytab to pgadmin-dev-ad-ee1.keytab:
> Keytab version: 0x502
> keysize 117 HTTP/pgadmin-dev.aws-ad-ee1.example.com@AWS-AD-EE1.EXAMPLE.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x12 (AES256-SHA1) keylength 32 (0x65c0f02ddea2d866d2e792cd125ff1784aa646bb0035ebd2c5fedf7282c7c384)
>
> C:\Users\Admin>
>
>
>
> Do you have any other advice on how to find out where the problem is?
>
This is something to do with the keytab file. Can you try applying all the
encryptions (-crypto all) while creating the keytab file, just for testing?

>
>
> Thank you
>
> milanm
>
>
>
>
>
> *From:* Khushboo Vashi <khushboo(dot)vashi(at)enterprisedb(dot)com>
> *Sent:* Monday, January 9, 2023 7:11 AM
> *To:* Milan MOLNÁR <milan_molnar(at)tatrabanka(dot)sk>
> *Cc:* pgadmin-support(at)postgresql(dot)org
> *Subject:* Re: pgadmin kerberos auth problem - Delegated credentials not
> supplied.
>
>
>
> Hi,
>
>
>
> On Sat, Jan 7, 2023 at 3:53 PM Milan MOLNÁR <milan_molnar(at)tatrabanka(dot)sk>
> wrote:
>
> Hello Khushboo,
>
>
>
> Thank you for your time and advice. We had to change the concept based on
> your recommendation, because, as I wrote, we used an external KDC on Linux to
> provide the Kerberos ticket for the service, and therefore there was no user
> in AD.
>
> We created a service user account in AD (password never expires, AES
> 128/256 encryption), set the service SPN on that user, and generated the
> keytab via the ktpass command. When we use pgAdmin with this keytab and ask
> AD directly for a Kerberos ticket, we end up with the error message
>
> Have you used any encryption type while creating the keytab? It should
> match the AD user account.
>
> If possible please provide the command you have used to create the keytab
> file.
>
>
>
> Make sure to generate the new keytab, whenever you do changes in AD user.
>
>
>
> Thanks,
>
> Khushboo
>
>
> ________________________________________________________________________
> The information contained in this document is intended exclusively for the
> needs of its addressee. The document may contain information protected by
> banking or trade secrets or information subject to protection under other
> legal regulations. In the event that this document was delivered to you by
> mistake, we urge you to refrain from declassifying it or using it for your
> own purposes. At the same time, we would like to request that you inform us
> of such a case without undue delay and then dispose of the document.
>
> Tatra banka, a.s.
> Hodžovo námestie 3, 811 06 Bratislava 1
> Company ID (IČO): 00 686 930
> Registered in the Commercial Register of the District Court Bratislava I
> Section: Sa, Insert No.: 71/B
> https://www.tatrabanka.sk
>
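The thread turns on whether the keytab's entry (principal, key version, encryption type) matches what the AD service account actually holds, which is what the `-crypto all` suggestion and "generate a new keytab whenever you change the AD user" are about. The following Python script is an added example for this reply, not pgAdmin's or ktpass's own code: it parses the MIT 0x0502 keytab layout that ktpass writes (the `keysize 117 ... ptype 1 vno 4 etype 0x12 keylength 32` line above describes exactly one such entry), lists the entries the way `klist -kte` would, and reports mismatches against the account's enabled encryption types and current key version number. The account values are assumed to be supplied by the administrator (for example read from the AD account's msDS-SupportedEncryptionTypes and msDS-KeyVersionNumber attributes); the sample keytab is constructed in the script with the thread's principal and a placeholder key, not the real one.

```python
"""Inspect a Kerberos keytab in the MIT 0x0502 layout that ktpass writes and
check it against what the AD service account advertises.  Added illustration
for the pgadmin-support thread; not pgAdmin's or ktpass's own code."""
import struct

# Kerberos encryption type numbers (RFC 3961/3962/4757) with ktpass -crypto names.
ETYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-SHA1",
               18: "AES256-SHA1", 23: "RC4-HMAC"}


def parse_keytab(data: bytes) -> list:
    """Return one dict per live entry: principal, name_type, vno, etype, key, size."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        entry, off = data[pos:pos + size], 0
        pos += size
        (ncomp,) = struct.unpack(">H", entry[off:off + 2]); off += 2
        strings = []                       # realm first, then each name component
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", entry[off:off + 2]); off += 2
            strings.append(entry[off:off + n].decode()); off += n
        name_type, timestamp, vno = struct.unpack(">IIB", entry[off:off + 9]); off += 9
        etype, klen = struct.unpack(">HH", entry[off:off + 4]); off += 4
        key = entry[off:off + klen]; off += klen
        if size - off >= 4:                # optional 32-bit kvno follows the key
            (vno32,) = struct.unpack(">I", entry[off:off + 4])
            if vno32:
                vno = vno32
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "name_type": name_type, "timestamp": timestamp,
                        "vno": vno, "etype": etype, "key": key, "size": size})
    return entries


def build_entry(principal: str, etype: int, key: bytes, vno: int,
                timestamp: int = 0, name_type: int = 1) -> bytes:
    """Serialise one keytab entry (inverse of parse_keytab); used to build sample data."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", name_type, timestamp, vno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body


def check_keytab(entries: list, principal: str, account_etypes, account_kvno: int) -> list:
    """List what the KDC would find inconsistent: the principal must be present,
    every etype enabled on the account should have a key (what -crypto all gives),
    and each key's kvno must equal the account's current key version."""
    problems = []
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        return [f"no entry for {principal}"]
    present = {e["etype"] for e in mine}
    for et in account_etypes:
        if et not in present:
            problems.append(f"missing etype {et} ({ETYPE_NAMES.get(et, '?')})")
    for e in mine:
        if e["vno"] != account_kvno:
            problems.append(f"etype {e['etype']} has kvno {e['vno']}, account kvno is {account_kvno}")
    return problems


# Constructed sample mirroring the ktpass output in the thread (keysize 117,
# ptype 1, vno 4, etype 0x12, keylength 32); the key is a placeholder, not real.
SAMPLE_PRINCIPAL = "HTTP/pgadmin-dev.aws-ad-ee1.example.com@AWS-AD-EE1.EXAMPLE.COM"
SAMPLE_KEY = bytes(range(32))
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(SAMPLE_PRINCIPAL, 18, SAMPLE_KEY, vno=4)

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for e in found:
        print(f"keysize {e['size']} {e['principal']} ptype {e['name_type']} vno {e['vno']} "
              f"etype {e['etype']:#x} ({ETYPE_NAMES.get(e['etype'], '?')}) keylength {len(e['key'])}")
    # Account enabled for AES 128/256 (as in the thread) but keytab built with -crypto AES256-SHA1 only:
    print(check_keytab(found, SAMPLE_PRINCIPAL, [17, 18], account_kvno=4))
    # Keytab built before the account's password (and thus kvno) changed:
    print(check_keytab(found, SAMPLE_PRINCIPAL, [18], account_kvno=5))
```

To use it on a real file, replace SAMPLE_KEYTAB with the bytes read from the keytab and pass the etypes and kvno taken from the AD account; a kvno mismatch is the typical symptom after re-running ktpass with +rndPass (which resets the account password) while an older keytab is still deployed.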
