Re: GSSAPI / Kerberos Authentication

From: Bear Giles <bgiles(at)coyotesong(dot)com>
To: "Weingartner, Steven" <SWeingartner(at)semprautilities(dot)com>
Cc: "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org>
Subject: Re: GSSAPI / Kerberos Authentication
Date: 2016-06-03 00:08:16
Message-ID: CALBNtw7AitdWubT7B9taeSD755hk7Tzntq+eunj32p9xF07T2g@mail.gmail.com
Lists: pgsql-admin

I remember reading comments in the code that case matters - postgres and
POSTGRES are not the same - but I'm drawing a blank on the rest. I just
started looking at the code myself though - others probably have more
experience.

On Thu, Jun 2, 2016 at 4:49 PM, Weingartner, Steven <
SWeingartner(at)semprautilities(dot)com> wrote:

> The spn is POSTGRES/pglgisprtd001(dot)sempra(dot)com(at)CORP(dot)SE(dot)SEMPRA(dot)COM, as I set
> up different servers, the server in the spn changes of course. The server
> name resolves, and if I do a klist on the keytab the realm matches.
>
>
>
> I am thinking that it has to do with our “vas” & “vasd” systems and how it
> is configured. But I can’t really say.
>
>
>
> *From:* Bear Giles [mailto:bgiles(at)coyotesong(dot)com]
> *Sent:* Thursday, June 2, 2016 3:44 PM
> *To:* Weingartner, Steven <SWeingartner(at)semprautilities(dot)com>
> *Cc:* pgsql-admin(at)postgresql(dot)org
> *Subject:* Re: [ADMIN] GSSAPI / Kerberos Authentication
>
>
>
> I was just looking at the Kerberos support. Is your server principal
> postgres/x(dot)y(dot)z(at)REALM, where x.y.z is the DNS name for your server? It
> probably won't affect you but I think it needs to be POSTGRES/x(dot)y(dot)z(at)REALM
> for Windows networks.
>
>
>
> I'll have to check my notes for more details, e.g., I'm 99% sure it's
> 'postgres' and not 'postgresql'.
>
>
>
> I know you need to use password authentication from the client - and the
> username has to be simple (bob(at)REALM, not bob/postgres(at)REALM). I'll be
> submitting a patch to support a keytab file and compound principals when I
> have some free time.
>
>
>
> Bear
>
>
>
> On Thu, Jun 2, 2016 at 4:23 PM, Weingartner, Steven <
> SWeingartner(at)semprautilities(dot)com> wrote:
>
> I am currently trying to configure a Centos6.x – postgresql-9.3 server to
> authenticate using gssapi. I have several servers I have already
> configured and are working (a combination of Oracle Linux and Centos, all
> 6.x series with 9.2,3 or 4). Our company uses vas for an interface to
> Kerberos. The errors I am getting are as follows:
>
>
>
> [sweingar(at)pglgisprtd001 ~]$ psql -hpglgisprtd001 -dpostgres
>
> psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may
> provide more information
>
> GSSAPI continuation error: Server not found in Kerberos database
>
>
>
> or from a windows client
>
>
>
> C:\Users\sweingar>psql -hpglgisprtd001.sempra.com -Usweingar
>
> psql: SSPI continuation error: The specified target is unknown or
> unreachable
>
> (80090303)
>
>
>
> I see nothing worthwhile in the postgresql log, nor in /var/log/messages.
> I have verified the dns record to my kdc works (or at least I can ping), I
> am sort of at a loss of where to look next.
>
>
>
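
An added example, not part of either poster's messages or PostgreSQL's own code: a small checker for the two naming points raised in this thread, service-name case (postgres vs. POSTGRES) and short vs. fully qualified host names. `krbsrvname` is libpq's connection parameter for the service name; the helper names, the host `db01.example.com` and the realm `EXAMPLE.COM` are constructed, keytab principals are assumed to be already listed as strings, and no DNS canonicalization is modelled.

```python
from typing import List, NamedTuple

class Principal(NamedTuple):
    service: str
    host: str
    realm: str

def parse_spn(text: str) -> Principal:
    """Split 'service/host@REALM'; raise ValueError for any other shape."""
    name, at, realm = text.strip().rpartition("@")
    service, slash, host = name.partition("/")
    if not (at and slash and service and host and realm):
        raise ValueError(f"not service/host@REALM: {text!r}")
    return Principal(service, host.lower(), realm)

def requested_spn(host: str, realm: str, krbsrvname: str = "postgres") -> str:
    """SPN a client would ask for; the host is used exactly as typed."""
    return f"{krbsrvname}/{host}@{realm}"

def diagnose(requested: str, keytab: List[str]) -> str:
    """Return 'match', or the first kind of mismatch found, else 'absent'."""
    want = parse_spn(requested)
    entries = [parse_spn(e) for e in keytab]
    if want in entries:
        return "match"
    for have in entries:  # same host and realm, service differs only by case
        if (have.host, have.realm) == (want.host, want.realm) \
                and have.service.lower() == want.service.lower():
            return "service-case"
    for have in entries:  # client used a short name, keytab holds the FQDN
        if have.service == want.service and have.realm == want.realm \
                and "." not in want.host and have.host.startswith(want.host + "."):
            return "short-hostname"
    for have in entries:  # service and host agree, realm does not
        if have[:2] == want[:2]:
            return "realm"
    return "absent"

# Constructed sample keytab listing; not values taken from this thread.
SAMPLE_KEYTAB = ["POSTGRES/db01.example.com@EXAMPLE.COM"]

if __name__ == "__main__":
    for host, srv in [("db01.example.com", "postgres"), ("db01", "POSTGRES"),
                      ("db01.example.com", "POSTGRES")]:
        spn = requested_spn(host, "EXAMPLE.COM", srv)
        print(spn, "->", diagnose(spn, SAMPLE_KEYTAB))
```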
