From: | Bear Giles <bgiles(at)coyotesong(dot)com> |
---|---|
To: | "Weingartner, Steven" <SWeingartner(at)semprautilities(dot)com> |
Cc: | "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org> |
Subject: | Re: GSSAPI / Kerberos Authentication |
Date: | 2016-06-02 22:43:48 |
Message-ID: | CALBNtw6g_AvmX11G8WaEfJHj2h4eJgPT3NNFenNit_8v35r3ow@mail.gmail.com |
Lists: | pgsql-admin |

I was just looking at the Kerberos support. Is your server principal
postgres/x.y.z@REALM, where x.y.z is the DNS name for your server? It
probably won't affect you, but I think it needs to be POSTGRES/x.y.z@REALM for
Windows networks.

I'll have to check my notes for more details, e.g., I'm 99% sure it's
'postgres' and not 'postgresql'.

I know you need to use password authentication from the client - and the
username has to be simple (bob@REALM, not bob/postgres@REALM). I'll be
submitting a patch to support a keytab file and compound principals when I
have some free time.

Bear

On Thu, Jun 2, 2016 at 4:23 PM, Weingartner, Steven <
SWeingartner(at)semprautilities(dot)com> wrote:
> I am currently trying to configure a CentOS 6.x – postgresql-9.3 server to
> authenticate using gssapi. I have several servers I have already
> configured that are working (a combination of Oracle Linux and CentOS, all
> 6.x series with 9.2, 3 or 4). Our company uses vas for an interface to
> Kerberos. The errors I am getting are as follows:
>
> [sweingar@pglgisprtd001 ~]$ psql -hpglgisprtd001 -dpostgres
> psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may
> provide more information
> GSSAPI continuation error: Server not found in Kerberos database
>
> or from a Windows client
>
> C:\Users\sweingar>psql -hpglgisprtd001.sempra.com -Usweingar
> psql: SSPI continuation error: The specified target is unknown or
> unreachable
> (80090303)
>
> I see nothing worthwhile in the postgresql log, nor in /var/log/messages.
> I have verified the DNS record to my KDC works (or at least I can ping); I
> am sort of at a loss of where to look next.
>
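
An added example, not part of the original messages or of PostgreSQL: a POSIX shell function that compares the service/host@REALM principal a client would request, as discussed in the reply, with the entries in `klist -k` output read on stdin. The function name, host names, realm and keytab listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare the service principal a client
# would request with the entries listed by `klist -k`. All names are constructed.

# check_spn SERVICE HOST REALM   (reads `klist -k` output on stdin)
# Prints: match | case-mismatch | host-mismatch | missing
check_spn() {
    awk -v svc="$1" -v host="$2" -v realm="$3" '
    function shortname(h) { sub(/\..*/, "", h); return h }
    BEGIN { want = svc "/" host "@" realm; result = "missing"; rank = 0 }
    # Entry lines look like: "   3 POSTGRES/db1.example.com@EXAMPLE.COM"
    $1 ~ /^[0-9]+$/ && index($2, "/") && index($2, "@") {
        p = $2
        if (p == want) { r = 3; s = "match" }
        else if (tolower(p) == tolower(want)) { r = 2; s = "case-mismatch" }
        else {
            split(p, a, "[/@]")          # a[1]=service, a[2]=host, a[3]=realm
            if (tolower(a[1]) != tolower(svc) || a[3] != realm) next
            if (shortname(tolower(a[2])) != shortname(tolower(host))) next
            r = 1; s = "host-mismatch"   # same short name, different host part
        }
        if (r > rank) { rank = r; result = s }
    }
    END { print result }'
}

# Constructed sample of `klist -k` output for a server keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/db1.example.com@EXAMPLE.COM
   3 POSTGRES/db1.example.com@EXAMPLE.COM'

# Demo: lower-case service, short host name, and the "postgresql" misspelling.
for args in "postgres db1.example.com" "POSTGRES db1" "postgresql db1.example.com"; do
    # $args is left unquoted on purpose so it splits into SERVICE and HOST
    printf '%-28s %s\n' "$args" \
        "$(printf '%s\n' "$SAMPLE_KLIST" | check_spn $args EXAMPLE.COM)"
done
```

Against a live server, pipe `klist -k` for the keytab the PostgreSQL server reads into `check_spn` in place of the sample, using the same host name that is passed to `psql -h`.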