Re: GSSAPI / Kerberos Authentication

From: Bear Giles <bgiles(at)coyotesong(dot)com>
To: "Weingartner, Steven" <SWeingartner(at)semprautilities(dot)com>
Cc: "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org>
Subject: Re: GSSAPI / Kerberos Authentication
Date: 2016-06-02 22:43:48
Message-ID: CALBNtw6g_AvmX11G8WaEfJHj2h4eJgPT3NNFenNit_8v35r3ow@mail.gmail.com
Lists: pgsql-admin

I was just looking at the Kerberos support. Is your server principal
postgres/x.y.z@REALM, where x.y.z is the DNS name for your server? It
probably won't affect you, but I think it needs to be POSTGRES/x.y.z@REALM for
Windows networks.

I'll have to check my notes for more details, e.g., I'm 99% sure it's
'postgres' and not 'postgresql'.

I know you need to use password authentication from the client - and the
username has to be simple (bob@REALM, not bob/postgres@REALM). I'll be
submitting a patch to support a keytab file and compound principals when I
have some free time.

Bear

On Thu, Jun 2, 2016 at 4:23 PM, Weingartner, Steven <
SWeingartner(at)semprautilities(dot)com> wrote:

> I am currently trying to configure a CentOS 6.x – postgresql-9.3 server to
> authenticate using GSSAPI. I have several servers I have already
> configured and are working (a combination of Oracle Linux and CentOS, all
> 6.x series with 9.2,3 or 4). Our company uses VAS for an interface to
> Kerberos. The errors I am getting are as follows:
>
>
>
> [sweingar@pglgisprtd001 ~]$ psql -hpglgisprtd001 -dpostgres
>
> psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may
> provide more information
>
> GSSAPI continuation error: Server not found in Kerberos database
>
>
>
> or from a Windows client
>
>
>
> C:\Users\sweingar>psql -hpglgisprtd001.sempra.com -Usweingar
>
> psql: SSPI continuation error: The specified target is unknown or
> unreachable
>
> (80090303)
>
>
>
> I see nothing worthwhile in the postgresql log, nor in /var/log/messages.
> I have verified the DNS record to my KDC works (or at least I can ping). I
> am sort of at a loss of where to look next.
>
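
An added example, not part of the original message or of PostgreSQL: a check of `klist -k` output against the principal form discussed above (`postgres/x.y.z@REALM`), reporting entries that differ only in letter case or only in short versus fully qualified host name. The keytab listing, host names and realm are constructed, and the check covers the server keytab only, not what the KDC has registered.

```python
import re

# Constructed `klist -k` listing (MIT Kerberos layout); names are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/db01.example.com@EXAMPLE.COM
   3 POSTGRES/db01.example.com@EXAMPLE.COM
   3 postgres/db01@EXAMPLE.COM
"""

# Matches "<kvno> service/host@REALM"; header lines do not match.
ENTRY = re.compile(r"^\s*\d+\s+([^/\s]+)/([^@\s]+)@(\S+)\s*$")


def keytab_principals(klist_output):
    """Return (service, host, realm) tuples for service/host@REALM entries."""
    matches = (ENTRY.match(line) for line in klist_output.splitlines())
    return [m.groups() for m in matches if m]


def check_spn(klist_output, host, realm, service="postgres"):
    """Classify how the keytab relates to the principal service/host@realm.

    Returns "exact", "case-only" (same name, different letter case),
    "host-form" (same service, short vs fully qualified host) or "missing".
    """
    entries = [e for e in keytab_principals(klist_output) if e[2] == realm]
    if (service, host, realm) in entries:
        return "exact"
    same_service = [h for s, h, _ in entries if s.lower() == service.lower()]
    if any(h.lower() == host.lower() for h in same_service):
        return "case-only"
    short = host.split(".")[0].lower()
    if any(h.split(".")[0].lower() == short for h in same_service):
        return "host-form"
    return "missing"


if __name__ == "__main__":
    for name in ("db01.example.com", "db01", "db02.example.com"):
        print(name, check_spn(SAMPLE_KLIST, name, "EXAMPLE.COM"))
```
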
