Can't connect to DB using GSS(Kerberos) aut

From: Alexander Lazarević <laza(at)e11bits(dot)com>
To: pgsql-jdbc(at)postgresql(dot)org
Subject: Can't connect to DB using GSS(Kerberos) aut
Date: 2015-05-13 09:18:53
Message-ID: CAMPYxd=iymY1u0-dxnHUZVRRDRirymtAwHwbx22PpfQKT5jGHA@mail.gmail.com
Lists: pgsql-jdbc

Ok, let me try that again. I tried to format the text for better reading.
Hopefully this will work.

I prepared a pastebin link as an alternative for better reading, but the
mailing list does not seem to allow these links. <sigh>

Thanks

Before I did anything I checked the ticket cache:

someuser*clienthost:~$ kinit -k -t drhouse.keytab -p drhouse
someuser*clienthost:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_20000_Z95lup
Default principal: drhouse*HOSPITAL#DE

Valid starting Expires Service principal
13.05.2015 xx:xx:xx 13.05.2015 xx:xx:xx krbtgt/HOSPITAL#DE*HOSPITAL#DE
renew until 14.05.2015 xx:xx:xx, Flags: FPRIA

//////////////////////////////////////////////////////////////////

This is the corresponding keytab for drhouse:

someuser*clienthost:~$ ktutil
ktutil: read_kt drhouse.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------
1 5 drhouse*HOSPITAL#DE
2 5 drhouse*HOSPITAL#DE
3 5 drhouse*HOSPITAL#DE
4 5 drhouse*HOSPITAL#DE

//////////////////////////////////////////////////////////////////

Now I launched eclipse from that shell and tried something like this:

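import java.sql.DriverManager;
import java.util.Properties;

// DBMS, HOST, DATABASE and connection are declared elsewhere (not shown).
Properties connectionProps = new Properties();
connectionProps.setProperty("user", "drhouse");
// Turn on the driver's debug logging.
connectionProps.setProperty("loglevel", Integer.toString(org.postgresql.Driver.DEBUG));
String databaseUrl = "jdbc:" + DBMS + "://" + HOST + "/" + DATABASE;
connection = DriverManager.getConnection(databaseUrl, connectionProps);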

//////////////////////////////////////////////////////////////////

The result was a failure to connect:

xx:xx:xx.879 (1) PostgreSQL 9.2 JDBC3 (build 1002)
xx:xx:xx.883 (1) Trying to establish a protocol version 3 connection to databasehost:5432
xx:xx:xx.895 (1) Receive Buffer Size is 186240
xx:xx:xx.895 (1) Send Buffer Size is 43520
xx:xx:xx.895 (1) FE=> StartupPacket(user=drhouse, database=measurements, client_encoding=UTF8, DateStyle=ISO, extra_float_digits=2, TimeZone=Europe/Berlin)
xx:xx:xx.898 (1) <=BE AuthenticationReqGSS
org.postgresql.util.PSQLException: GSS Authentication failed
at org.postgresql.gss.MakeGSS.authenticate(MakeGSS.java:47)
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:486)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:173)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:64)
at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:136)
at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:29)
at org.postgresql.jdbc3.Jdbc3Connection.<init>(Jdbc3Connection.java:24)
at org.postgresql.Driver.makeConnection(Driver.java:393)
at org.postgresql.Driver.connect(Driver.java:267)
at java.sql.DriverManager.getConnection(DriverManager.java:571)
at java.sql.DriverManager.getConnection(DriverManager.java:187)
at tlogger.TLogger.start(TLogger.java:123)
at tlogger.TLogger.main(TLogger.java:108)
SQLException: SQLState(08006)
getConnection failed: org.postgresql.util.PSQLException: GSS Authentication failed
GSS Authentication failed

//////////////////////////////////////////////////////////////////

On the server it looked like this:

2015-05-13 xx:xx:xx CEST LOG: connection received: host=databasehostip port=39829
2015-05-13 xx:xx:xx CEST FATAL: GSSAPI authentication failed for user "drhouse"
2015-05-13 xx:xx:xx CEST DETAIL: Connection matched pg_hba.conf line 95: "host all all ne#tm#as#k/16 gss"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

BUT when I tried to connect using psql (from that very same shell):

someuser*clienthost:/$ psql -U drhouse -h databasehost measurements
psql (9.4.1, server 9.3.6)
SSL connection (protocol: TLSv1.2, cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

measurements=>

//////////////////////////////////////////////////////////////////

Looking at the ticket cache:

someuser*clienthost:~/eclipse$ klist -f
Ticket cache: FILE:/tmp/krb5cc_20000_Z95lup
Default principal: drhouse*HOSPITAL#DE

Valid starting Expires Service principal
13.05.2015 xx:xx:xx 13.05.2015 xx:xx:xx krbtgt/HOSPITAL#DE*HOSPITAL#DE
renew until 14.05.2015 xx:xx:xx, Flags: FPRIA
13.05.2015 xx:xx:xx 13.05.2015 xx:xx:xx postgres/databasehost#dep#hospital#de*
renew until 14.05.2015 xx:xx:xx, Flags: FPRAT
13.05.2015 xx:xx:xx 13.05.2015 xx:xx:xx postgres/databasehost#dep#hospital#de*HOSPITAL#DE
renew until 14.05.2015 xx:xx:xx, Flags: FPRAT

//////////////////////////////////////////////////////////////////

Any hint on what might be going wrong?

Thanks,
Alex
