Re: kerberos pg_ident different behavior in psql vs. jdbc

From: Bear Giles <bgiles(at)coyotesong(dot)com>
To: pgsql-admin(at)postgresql(dot)org
Subject: Re: kerberos pg_ident different behavior in psql vs. jdbc
Date: 2016-04-21 23:30:34
Message-ID: CALBNtw6gq3mCZvWu7QKcZGnYDMGSxU_aRGhdv=L-09SfXFMqLw@mail.gmail.com
Lists: pgsql-admin

I've finally tracked down the code in question. Kerberos authentication
currently only supports (username, password) authentication and not keytab
authentication. The username can't be a compound name (e.g., bob/postgres)
either.

I'll pencil in some time to work on a patch to the PostgreSQL JDBC driver.

Bear

On Thu, Apr 21, 2016 at 1:27 PM, Bear Giles <bgiles(at)coyotesong(dot)com> wrote:

> I have installed PostgreSQL 9.4 and MIT Kerberos 5 on an Ubuntu 15.10
> system.
>
> I have added the following entries:
>
> pg_hba.conf:
>
> # TYPE  DATABASE  USER  ADDRESS          METHOD  OPTIONS
> host    all       all   52.34.69.195/32  gss     include_realm=1 map=gss krb_realm=INVARIANTPROPERTIES.COM
>
> pg_ident.conf:
>
> # MAPNAME  SYSTEM-USERNAME                                PG-USERNAME
> gss        /^([^/]+)\/postgres@INVARIANTPROPERTIES\.COM$  \1
>
>
> If I kinit the principal 'bgiles/postgres@INVARIANTPROPERTIES.COM' I can
> successfully connect to the database as the 'bgiles' user. I have
> confidence in the PostgreSQL configuration.
>
> I can take the keytab file containing the key, add a JAAS configuration
> file, and successfully authenticate to the KDC. I have confidence that
> that's correct although there might be small tweaks possible. (E.g., should
> the JAAS principal field include @REALM?)
>
> However when I try to connect via JDBC (using JAAS and a keytab file) I
> seem to fail at the pg_ident.conf step.
>
> 2016-04-21 19:36:22 UTC [10992-2] bgiles/postgres@SNAPLOGIC.COM@bgiles LOG:  no match in usermap "gss" for user "bgiles/postgres" authenticated as "bgiles/postgres@SNAPLOGIC.COM"
> 2016-04-21 19:36:22 UTC [10992-3] bgiles/postgres@SNAPLOGIC.COM@bgiles FATAL:  GSSAPI authentication failed for user "bgiles/postgres@SNAPLOGIC.COM"
> 2016-04-21 19:36:22 UTC [10992-4] bgiles/postgres@SNAPLOGIC.COM@bgiles DETAIL:  Connection matched pg_hba.conf line 100: "host all all 75.144.16.201/32 gss include_realm=1 map=gss krb_realm=SNAPLOGIC.COM"
>
> That happens with a jdbc username of 'bgiles', 'bgiles/postgres', or
> 'bgiles/postgres@SNAPLOGIC.COM'.
>
> Have other people looked at Kerberos + JDBC? I'm also looking at the JDBC
> driver code and I might have noticed something that would cause problems
> but I wanted to check with others before I tried hacking on it.
>
> Thanks,
>
> Bear
>
>
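The "no match in usermap" log lines quoted above are a pure pg_ident.conf matching question, and the regex can be checked offline before touching the server. The following is an added example, not code from the thread or from PostgreSQL: a small Python model of how the server evaluates a usermap entry (a SYSTEM-USERNAME beginning with "/" is a regular expression, "\1" in PG-USERNAME is replaced by the first capture group, and the result must equal the role the client asked for). The pg_ident.conf text is constructed to mirror the quoted post, with the realm taken from the log lines; the function names are this example's own.

```python
import re

# Constructed pg_ident.conf content modelled on the quoted post (not the
# original file). The archive's (at)/(dot) obfuscation is written as plain
# "@" and "\." so the regex is what the server would actually compile.
PG_IDENT = r"""
# MAPNAME  SYSTEM-USERNAME                       PG-USERNAME
gss        /^([^/]+)\/postgres@SNAPLOGIC\.COM$   \1
"""


def parse_ident(text):
    """Return (mapname, system_username, pg_username) tuples, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed pg_ident line: {raw!r}")
        entries.append(tuple(parts))
    return entries


def gss_system_name(principal, include_realm):
    r"""Name the GSSAPI auth code hands to the usermap: the full principal with
    include_realm=1, otherwise everything before the '@'."""
    return principal if include_realm else principal.split("@", 1)[0]


def usermap_allows(entries, mapname, system_user, requested_role):
    r"""Model of the server's usermap check for one map name.

    - A SYSTEM-USERNAME starting with '/' is a regex matched (unanchored,
      so write ^...$ yourself) against the authenticated system name; if
      PG-USERNAME contains '\1' it is replaced by the first capture group.
    - Any other entry matches only on exact equality of both columns.
    Returns the matching (mapname, system_username, resolved_pg_username)
    tuple, or None when no line lets system_user act as requested_role.
    """
    for name, sysname, pgname in entries:
        if name != mapname:
            continue
        if sysname.startswith("/"):
            m = re.search(sysname[1:], system_user)
            if not m:
                continue
            if r"\1" in pgname:
                if m.lastindex is None:
                    raise ValueError("PG-USERNAME uses a back-reference but the "
                                     "regex has no capture group")
                pgname = pgname.replace(r"\1", m.group(1))
            if pgname == requested_role:
                return (name, sysname, pgname)
        elif sysname == system_user and pgname == requested_role:
            return (name, sysname, pgname)
    return None


def explain(entries, principal, include_realm, requested_role, mapname="gss"):
    """Produce the same verdict the server logs, for a given client username."""
    system_user = gss_system_name(principal, include_realm)
    hit = usermap_allows(entries, mapname, system_user, requested_role)
    if hit:
        return f'OK: "{system_user}" may connect as role "{requested_role}"'
    return (f'no match in usermap "{mapname}" for user "{requested_role}" '
            f'authenticated as "{system_user}"')


if __name__ == "__main__":
    entries = parse_ident(PG_IDENT)
    principal = "bgiles/postgres@SNAPLOGIC.COM"
    # The three client usernames tried in the post, against include_realm=1:
    for role in ("bgiles", "bgiles/postgres", principal):
        print(explain(entries, principal, 1, role))
    # And the other common mistake: include_realm=0 with a realm in the regex.
    print(explain(entries, principal, 0, "bgiles"))
```

Running it shows that only a client username of "bgiles" can satisfy this map: "bgiles/postgres" is what the requested role must equal after the "\1" substitution, so a client that sends the principal itself as the username (as the log lines show the JDBC path doing) can never match, and turning include_realm off while leaving the realm in the regex fails for every username.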
