From: | Jean-Philippe Chenel <jp(dot)chenel(at)LIVE(dot)CA> |
---|---|
To: | "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | PostgreSQL GSSAPI Windows AD |
Date: | 2023-05-25 21:50:45 |
Message-ID: | DS7PR05MB7304D1AA80CF2866A6177BBBFD469@DS7PR05MB7304.namprd05.prod.outlook.com |
Lists: | pgsql-general |
Hi,
I've recently updated from PostgreSQL 9.6 to 14 and also from Ubuntu 16.04 to 22.04.
I've done all the installation required for PostgreSQL to connect with GSSAPI authentication to a Windows domain.
Something is going wrong and I don't know why.
When I change the mapped user password from "postgres" to anything else, the connection stops working.
Log of postgres:
Unspecified GSS failure. Minor code may provide more information: Request ticket server postgres/ubuntu.ad.corp.com@AD.CORP.COM not found in keytab (ticket kvno 3)
Here is the ktpass command (Windows AD):
working:
ktpass -out postgres.keytab -princ postgres/UBUNTU.ad.corp.com@AD.CORP.COM -mapUser AD\pgsql_ubuntu -pass postgres -mapOp add -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL
not working:
ktpass -out postgres.keytab -princ postgres/UBUNTU.ad.corp.com@AD.CORP.COM -mapUser AD\pgsql_ubuntu -pass other_password -mapOp add -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL
I put the keytab on the postgres server, the keytab file is referenced in the postgresql.conf file.
Here is the full procedure:
1. Create user in AD for postgresql mapping (pgsql_ubuntu), always valid, support AES256
2. Create another user for connection testing
3. run ktpass command
4. put the keytab file on the pg server in /etc/postgresql, chown to postgres and chmod 600
5. postgresql.conf krb_server_keyfile = '/etc/postgresql/postgres.keytab'
6. pg_hba is configured to connect over gss
7. ubuntu server (postgres) is added to domain with this command:
sudo realm join server.ad.corp.com -U Administrateur
I don't know why it works when the password is "postgres" and why I can't change it.
With best regards,
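
Added example, not part of the original message: a Python reader for the keytab file format that lists each entry's principal, kvno and enctype, then compares them with the principal and "ticket kvno" named in the log line above. It assumes the keytab uses the version 0x0502 layout; the sample keytab, its kvno 4, the dummy key and the function names are constructed for illustration.

```python
import struct

def build_entry(realm, components, kvno, enctype, key):
    """Serialize one keytab entry; used only to construct the sample below."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(components)) + cs(realm.encode())
    body += b"".join(cs(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, p = [], 2
    def take(fmt):
        nonlocal p
        (v,) = struct.unpack_from(fmt, data, p)
        p += struct.calcsize(fmt)
        return v
    def counted():
        nonlocal p
        n = take(">H")
        p += n
        return data[p - n:p]
    while p + 4 <= len(data):
        size = take(">i")
        if size <= 0:              # negative size marks a deleted slot: skip it
            p -= size
            continue
        end = p + size
        ncomp = take(">H")
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        take(">I"); take(">I")     # name type, timestamp (unused here)
        kvno, enctype = take(">B"), take(">H")
        counted()                  # key bytes: never printed or returned
        if end - p >= 4:
            kvno = take(">I") or kvno  # 32-bit kvno overrides the 8-bit field
        entries.append((f"{name}@{realm}", kvno, enctype))
        p = end
    return entries

def check(entries, principal, ticket_kvno):
    """Compare the principal and kvno from the server log with the keytab."""
    kvnos = sorted(k for n, k, _ in entries if n == principal)
    if ticket_kvno in kvnos:
        return "match"
    if kvnos:
        return f"kvno mismatch: keytab has {kvnos}, ticket has {ticket_kvno}"
    return "principal not in keytab"

# Constructed sample: one AES256 (enctype 18) entry with kvno 4 and a dummy key.
SAMPLE = b"\x05\x02" + build_entry("AD.CORP.COM", ["postgres", "ubuntu.ad.corp.com"], 4, 18, bytes(32))
```

To inspect a real file, pass its bytes to `parse_keytab` (for example the contents of the path set in `krb_server_keyfile`); the comparison in `check` is an exact, case-sensitive string match.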