| From: | Alexander Lazarević <laza(at)e11bits(dot)com> |
|---|---|
| To: | pgsql-jdbc(at)postgresql(dot)org |
| Subject: | Can't connect to DB using GSS(Kerberos) auth |
| Date: | 2015-05-13 08:53:59 |
| Message-ID: | CAMPYxdmc-A2yuKmsEdJ72HeQ3faxDonEDPwvyVZHFYh95E86FQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-jdbc |
Before I did anything I checked the ticket cache:
*someuser(at)clienthost:~$ kinit -k -t drhouse.keytab -p
drhousesomeuser(at)clienthost:~$ klist -fTicket cache:
FILE:/tmp/krb5cc_20000_Z95lupDefault principal: drhouse(at)HOSPITAL(dot)DE
<drhouse(at)HOSPITAL(dot)DE>Valid starting Expires Service
principal13.05.2015 xx:xx:xx 13.05.2015 xx:xx:xx
krbtgt/HOSPITAL(dot)DE(at)HOSPITAL(dot)DE <HOSPITAL(dot)DE(at)HOSPITAL(dot)DE> renew until
14.05.2015 xx:xx:xx, Flags: FPRIA*
This is the corresponding keytab for drhouse:
*someuser(at)clienthost:~$ ktutil ktutil: read_kt drhouse.keytab ktutil:
listslot KVNO Principal---- ----
---------------------------------------------------------------------
1 5 drhouse(at)HOSPITAL(dot)DE <drhouse(at)HOSPITAL(dot)DE> 2
5 drhouse(at)HOSPITAL(dot)DE <drhouse(at)HOSPITAL(dot)DE> 3
5 drhouse(at)HOSPITAL(dot)DE <drhouse(at)HOSPITAL(dot)DE> 4
5 drhouse(at)HOSPITAL(dot)DE <drhouse(at)HOSPITAL(dot)DE>*
Now I launched eclipse from that shell and tried something like this:
*Properties connectionProps = new
Properties();connectionProps.setProperty("user",
"drhouse");connectionProps.setProperty("loglevel",
Integer.toString(org.postgresql.Driver.DEBUG));String databaseUrl = "jdbc:"
+ DBMS + "://" + HOST + "/" + DATABASE;connection =
DriverManager.getConnection(databaseUrl, connectionProps);*
The result was a failure to connect:
*xx:xx:xx.879 (1) PostgreSQL 9.2 JDBC3 (build 1002)xx:xx:xx.883 (1) Trying
to establish a protocol version 3 connection to
databasehost:5432xx:xx:xx.895 (1) Receive Buffer Size is 186240xx:xx:xx.895
(1) Send Buffer Size is 43520xx:xx:xx.895 (1) FE=>
StartupPacket(user=drhouse, database=measurements, client_encoding=UTF8,
DateStyle=ISO, extra_float_digits=2, TimeZone=Europe/Berlin)xx:xx:xx.898
(1) <=BE AuthenticationReqGSSorg.postgresql.util.PSQLException: GSS
Authentication failed at
org.postgresql.gss.MakeGSS.authenticate(MakeGSS.java:47) at
org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:486)
at
org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:173)
at
org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:64)
at
org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:136)
at
org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:29)
at org.postgresql.jdbc3.Jdbc3Connection.<init>(Jdbc3Connection.java:24)
at org.postgresql.Driver.makeConnection(Driver.java:393) at
org.postgresql.Driver.connect(Driver.java:267) at
java.sql.DriverManager.getConnection(DriverManager.java:571) at
java.sql.DriverManager.getConnection(DriverManager.java:187) at
tlogger.TLogger.start(TLogger.java:123) at
tlogger.TLogger.main(TLogger.java:108)SQLException:
SQLState(08006)getConnection failed: org.postgresql.util.PSQLException: GSS
Authentication failedGSS Authentication failed*
On the server this looked like that:
*2015-05-13 xx:xx:xx CEST LOG: connection received: host=databasehostip
port=398292015-05-13 xx:xx:xx CEST FATAL: GSSAPI authentication failed for
user "drhouse"2015-05-13 xx:xx:xx CEST DETAIL: Connection matched
pg_hba.conf line 95: "host all all ne.tm.as.k/16 gss"*
BUT when I tried to connect using psql (from that very same shell):
*someuser(at)clienthost:/$ psql -U drhouse -h databasehost measurementspsql
(9.4.1, server 9.3.6)SSL connection (protocol: TLSv1.2, cipher:
DHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)Type "help" for
help.measurements=> *
Looking at the ticket cache:
*someuser(at)clienthost:~/eclipse$ klist -fTicket cache:
FILE:/tmp/krb5cc_20000_Z95lupDefault principal: drhouse(at)HOSPITAL(dot)DE
<drhouse(at)HOSPITAL(dot)DE>Valid starting Expires Service
principal13.05.2015 xx:xx:xx 13.05.2015 xx:xx:xx
krbtgt/HOSPITAL(dot)DE(at)HOSPITAL(dot)DE <HOSPITAL(dot)DE(at)HOSPITAL(dot)DE> renew until
14.05.2015 xx:xx:xx, Flags: FPRIA13.05.2015 xx:xx:xx 13.05.2015 xx:xx:xx
postgres/databasehost.dep.hospital.de@ renew until 14.05.2015 xx:xx:xx,
Flags: FPRAT13.05.2015 xx:xx:xx 13.05.2015 xx:xx:xx
postgres/databasehost(dot)dep(dot)hospital(dot)de(at)HOSPITAL(dot)DE
<databasehost(dot)dep(dot)hospital(dot)de(at)HOSPITAL(dot)DE> renew until 14.05.2015
xx:xx:xx, Flags: FPRAT*
Any hint on what might be going wrong?
Thanks,
Alex
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alexander Lazarević | 2015-05-13 09:18:53 | Can't connect to DB using GSS(Kerberos) aut |
| Previous Message | Jeremy Whiting | 2015-05-13 08:01:46 | Re: Resource lookup timeout causes Travis IC to fail test. |