From: | Bear Giles <bgiles(at)coyotesong(dot)com> |
---|---|
To: | "Weingartner, Steven" <SWeingartner(at)semprautilities(dot)com> |
Cc: | "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org> |
Subject: | Re: GSSAPI / Kerberos Authentication |
Date: | 2016-06-03 00:08:16 |
Message-ID: | CALBNtw7AitdWubT7B9taeSD755hk7Tzntq+eunj32p9xF07T2g@mail.gmail.com |
Lists: | pgsql-admin |
I remember reading comments in the code that case matters - postgres and
POSTGRES are not the same - but I'm drawing a blank on the rest. I just
started looking at the code myself though - others probably have more
experience.
On Thu, Jun 2, 2016 at 4:49 PM, Weingartner, Steven <
SWeingartner(at)semprautilities(dot)com> wrote:
> The spn is POSTGRES/pglgisprtd001(dot)sempra(dot)com(at)CORP(dot)SE(dot)SEMPRA(dot)COM; as I set
> up different servers, the server in the spn changes of course. The server
> name resolves, and if I do a klist on the keytab the realm matches.
>
>
>
> I am thinking that it has to do with our “vas” & “vasd” systems and how it
> is configured. But I can’t really say.
>
>
>
> *From:* Bear Giles [mailto:bgiles(at)coyotesong(dot)com]
> *Sent:* Thursday, June 2, 2016 3:44 PM
> *To:* Weingartner, Steven <SWeingartner(at)semprautilities(dot)com>
> *Cc:* pgsql-admin(at)postgresql(dot)org
> *Subject:* Re: [ADMIN] GSSAPI / Kerberos Authentication
>
>
>
> I was just looking at the Kerberos support. Is your server principal
> postgres/x(dot)y(dot)z(at)REALM, where x.y.z is the DNS name for your server? It
> probably won't affect you but I think it needs to be POSTGRES/x(dot)y(dot)z(at)REALM
> for Windows networks.
>
>
>
> I'll have to check my notes for more details, e.g., I'm 99% sure it's
> 'postgres' and not 'postgresql'.
>
>
>
> I know you need to use password authentication from the client - and the
> username has to be simple (bob(at)REALM, not bob/postgres(at)REALM). I'll be
> submitting a patch to support a keytab file and compound principals when I
> have some free time.
>
>
>
> Bear
>
>
>
> On Thu, Jun 2, 2016 at 4:23 PM, Weingartner, Steven <
> SWeingartner(at)semprautilities(dot)com> wrote:
>
> I am currently trying to configure a CentOS 6.x – postgresql-9.3 server to
> authenticate using gssapi. I have several servers I have already
> configured that are working (a combination of Oracle Linux and CentOS, all
> 6.x series with 9.2,3 or 4). Our company uses vas for an interface to
> Kerberos. The errors I am getting are as follows:
>
>
>
> [sweingar(at)pglgisprtd001 ~]$ psql -hpglgisprtd001 -dpostgres
>
> psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may
> provide more information
>
> GSSAPI continuation error: Server not found in Kerberos database
>
>
>
> or from a Windows client
>
>
>
> C:\Users\sweingar>psql -hpglgisprtd001.sempra.com -Usweingar
>
> psql: SSPI continuation error: The specified target is unknown or
> unreachable
>
> (80090303)
>
>
>
> I see nothing worthwhile in the postgresql log, nor in /var/log/messages.
> I have verified the DNS record to my KDC works (or at least I can ping); I
> am sort of at a loss of where to look next.
>
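
The service-name case point in this thread, as an added example that is not part of the original messages: libpq asks for a ticket for `krbsrvname/host@REALM`, with `krbsrvname` defaulting to `postgres`, so a keytab entry under `POSTGRES/...` is a different principal unless the client sets `krbsrvname=POSTGRES`. The keytab listing, host and realm below are constructed placeholders, and `parse_keytab` and `diagnose` are hypothetical helper names.

```python
import re

# Constructed sample of `klist -k` output; host and realm are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 POSTGRES/db01.example.com@EXAMPLE.COM
   3 host/db01.example.com@EXAMPLE.COM
"""

def parse_keytab(klist_output):
    """Return the service principals (service/host@REALM) listed by `klist -k`."""
    entries = []
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+/\S+@\S+)\s*$", line)
        if m:
            entries.append(m.group(1))
    return entries

def diagnose(host, realm, keytab, krbsrvname="postgres"):
    """Compare the principal a client would request with the keytab entries.

    Returns (requested_principal, findings). The realm is passed in as an
    assumption; a real client derives it from its Kerberos configuration.
    """
    wanted = f"{krbsrvname}/{host}@{realm}"
    if wanted in keytab:
        return wanted, ["match"]
    for entry in keytab:
        name, krealm = entry.rsplit("@", 1)
        service, khost = name.split("/", 1)
        if service.lower() != krbsrvname.lower() or krealm != realm:
            continue  # a different service or realm, not a near miss
        findings = []
        if service != krbsrvname:
            findings.append("service-case")  # postgres vs POSTGRES
        if khost != host:
            if khost.lower() == host.lower():
                findings.append("host-case")
            elif khost.lower().split(".")[0] == host.lower():
                # Whether a short name is expanded to the FQDN depends on the
                # client's Kerberos/DNS settings, so flag it for review.
                findings.append("short-hostname")
            else:
                continue  # entry belongs to another machine
        return wanted, findings
    return wanted, ["missing"]
```

A `service-case` finding is resolved on the client side with the `krbsrvname` connection parameter or on the KDC side by registering the principal in the case the client requests.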