RE: pgadmin kerberos auth propblem - Delegated credentials not supplied.

From: Milan MOLNÁR <milan_molnar(at)tatrabanka(dot)sk>
To: Khushboo Vashi <khushboo(dot)vashi(at)enterprisedb(dot)com>
Cc: "pgadmin-support(at)postgresql(dot)org" <pgadmin-support(at)postgresql(dot)org>
Subject: RE: pgadmin kerberos auth propblem - Delegated credentials not supplied.
Date: 2023-01-09 12:08:24
Message-ID: PAXPR04MB8751D20A33A977A4E2CDC70FF2FE9@PAXPR04MB8751.eurprd04.prod.outlook.com
Lists: pgadmin-support

Hi,

Now we have this keytab:

klist -kt pgadmin.keytab -e
Keytab name: FILE:pgadmin.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
5 01/01/1970 01:00:00 HTTP/pgadmin-dev.aws-ad-ee1.example.com@AWS-AD-EE1.EXAMPLE.COM (des-cbc-crc)
5 01/01/1970 01:00:00 HTTP/pgadmin-dev.aws-ad-ee1.example.com@AWS-AD-EE1.EXAMPLE.COM (des-cbc-md5)
5 01/01/1970 01:00:00 HTTP/pgadmin-dev.aws-ad-ee1.example.com@AWS-AD-EE1.EXAMPLE.COM (arcfour-hmac)
5 01/01/1970 01:00:00 HTTP/pgadmin-dev.aws-ad-ee1.example.com@AWS-AD-EE1.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
5 01/01/1970 01:00:00 HTTP/pgadmin-dev.aws-ad-ee1.example.com@AWS-AD-EE1.EXAMPLE.COM (aes128-cts-hmac-sha1-96)

To krb5.conf I've added:
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac

but the error is the same:

2023-01-09 12:00:30,045: DEBUG pgadmin: Authentication initiated via source: kerberos
2023-01-09 12:00:30,073: ERROR pgadmin: Major (65536): An unsupported mechanism was requested, Minor (0): Unknown error
Traceback (most recent call last):
File "/pgadmin4/pgadmin/authenticate/kerberos.py", line 237, in negotiate_start
out_token = context.step(base64.b64decode(in_token))
File "/venv/lib/python3.10/site-packages/decorator.py", line 232, in fun
return caller(func, *(extras + args), **kw)
File "/venv/lib/python3.10/site-packages/gssapi/_utils.py", line 165, in check_last_err
return func(self, *args, **kwargs)
File "/venv/lib/python3.10/site-packages/decorator.py", line 232, in fun
return caller(func, *(extras + args), **kw)
File "/venv/lib/python3.10/site-packages/gssapi/_utils.py", line 131, in catch_and_return_token
return func(self, *args, **kwargs)
File "/venv/lib/python3.10/site-packages/gssapi/sec_contexts.py", line 582, in step
return self._acceptor_step(token=token or b"")
File "/venv/lib/python3.10/site-packages/gssapi/sec_contexts.py", line 590, in _acceptor_step
res = rsec_contexts.accept_sec_context(token, self._creds,
File "gssapi/raw/sec_contexts.pyx", line 270, in gssapi.raw.sec_contexts.accept_sec_context
gssapi.raw.exceptions.BadMechanismError: Major (65536): An unsupported mechanism was requested, Minor (0): Unknown error

milanm
From: Khushboo Vashi <khushboo(dot)vashi(at)enterprisedb(dot)com>
Sent: Monday, January 9, 2023 11:03 AM
To: Milan MOLNÁR <milan_molnar(at)tatrabanka(dot)sk>
Cc: pgadmin-support(at)postgresql(dot)org
Subject: Re: pgadmin kerberos auth propblem - Delegated credentials not supplied.

[EXTERNAL E-MAIL] This e-mail comes from outside the Tatra banka Group.

On Mon, Jan 9, 2023 at 3:15 PM Milan MOLNÁR <milan_molnar(at)tatrabanka(dot)sk> wrote:
Hi,

here is the command with which the keytab was regenerated. Unfortunately it did not help.

ktpass -out pgadmin-dev-ad-ee1.keytab -mapUser pgadmin-dev@AWS-AD-EE1.EXAMPLE.COM +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/pgadmin-dev.aws-ad-ee1.example.com.sk@AWS-AD-EE1.EXAMPLE.COM
Targeting domain controller: IP-C6130167.aws-ad-ee1.example.com
Successfully mapped HTTP/pgadmin-dev.aws-ad-ee1.example.com to pgadmin-dev.
Password successfully set!
Building salt with principalname HTTP/pgadmin-dev.aws-ad-ee1.example.com and domain AWS-AD-EE1.EXAMPLE.COM.SK (encryption type 18)...
Hashing password with salt "AWS-AD-EE1.EXAMPLE.COMHTTPpgadmin-dev.aws-ad-ee1.example.com".
Key created.
Output keytab to pgadmin-dev-ad-ee1.keytab:
Keytab version: 0x502
keysize 117 HTTP/pgadmin-dev.aws-ad-ee1.example.com@AWS-AD-EE1.EXAMPLE.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x12 (AES256-SHA1) keylength 32 (0x65c0f02ddea2d866d2e792cd125ff1784aa646bb0035ebd2c5fedf7282c7c384)

C:\Users\Admin>

Do you have any other advice on how to find out where the problem is?

This is something to do with the keytab file. Can you try applying all the encryptions (-crypto all) while creating the keytab file, just for testing?

Thank you
milanm

________________________________________________________________________
The information contained in this document is intended exclusively for the
needs of its addressee. The document may contain information protected
by banking or trade secrets or information subject to protection under other
legal regulations. In the event that this document was delivered to you by mistake,
we urge you to refrain from declassifying it or using it for your own purposes.
At the same time, we would like to request that you inform us of such a case
without undue delay and then dispose of the document.

Tatra banka, a.s.
Hodžovo námestie 3, 811 06 Bratislava 1
Company ID (IČO): 00 686 930
Registered in the Commercial Register of the District Court Bratislava I
Section: Sa, Insert No.: 71/B
https://www.tatrabanka.sk
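The klist listing and the three krb5.conf enctype lines in the mail can be checked mechanically rather than by eye: an acceptor can only use a keytab key whose enctype is also in permitted_enctypes, and the DES and RC4 keys in that keytab are deprecated algorithms. The parser below is an added example written for this thread, not pgAdmin or MIT krb5 code. It reads the version 0x502 keytab format that ktpass writes (the "Keytab version: 0x502" line in the ktpass output), and the sample keytab, its key bytes and the constants mirroring the mail's principal and permitted_enctypes line are constructed for the example.

```python
import struct

# Enctype numbers (RFC 3961/3962/6803/8009) with the names krb5.conf uses.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
                 23: "arcfour-hmac", 24: "arcfour-hmac-exp",
                 25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac"}
ENCTYPE_BY_NAME = {v: k for k, v in ENCTYPE_NAMES.items()}
ENCTYPE_BY_NAME.update({"arcfour-hmac-md5": 23, "rc4-hmac": 23, "aes256-sha1": 18, "aes128-sha1": 17})
WEAK_ENCTYPES = {1, 2, 3, 16, 23, 24}  # single DES, 3DES, RC4: deprecated, off by default in new krb5


def _counted_octets(buf, off):
    """keytab counted_octet_string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Parse a version 0x502 keytab (MIT and Heimdal, big-endian) into a list of entry dicts."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != 0x0502:
        raise ValueError("unsupported keytab version 0x%x" % version)
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                    # negative size marks a deleted entry: skip the hole
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted_octets(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted_octets(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        etype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13
        key, off = data[off:off + klen], off + klen
        kvno = vno8
        if end - off >= 4:              # optional 32-bit kvno, used when nonzero (kvno > 255)
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "name_type": name_type,
                        "timestamp": timestamp, "kvno": kvno, "enctype": etype, "key": key})
        off = end
    return entries


def build_keytab(realm, components, kvno, timestamp, keys):
    """Write a v0x502 keytab with one entry per (enctype, key); name_type 1 = KRB5_NT_PRINCIPAL."""
    out = bytearray(struct.pack(">H", 0x0502))
    for etype, key in keys:
        body = struct.pack(">HH", len(components), len(realm)) + realm.encode()
        for c in components:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIBHH", 1, timestamp, kvno & 0xFF, etype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_enctype_list(value):
    """krb5.conf enctype list (space separated, aliases allowed) -> set of enctype numbers."""
    nums = set()
    for name in value.split():
        if name.lower() not in ENCTYPE_BY_NAME:
            raise ValueError("unknown enctype name %r" % name)
        nums.add(ENCTYPE_BY_NAME[name.lower()])
    return nums


def check_keytab(entries, permitted):
    """Per principal: enctypes present, those the acceptor may actually use, and weak ones."""
    report = {}
    for e in entries:
        r = report.setdefault(e["principal"], {"in_keytab": set(), "usable": set(), "weak": set()})
        r["in_keytab"].add(e["enctype"])
        if e["enctype"] in permitted:
            r["usable"].add(e["enctype"])
        if e["enctype"] in WEAK_ENCTYPES:
            r["weak"].add(e["enctype"])
    return report


# Constructed sample mirroring the klist output in the mail: same principal, kvno 5, timestamp 0,
# the same five enctypes. The key bytes are made up; never paste real keytab material into scripts.
SAMPLE_KEYTAB = build_keytab("AWS-AD-EE1.EXAMPLE.COM", ["HTTP", "pgadmin-dev.aws-ad-ee1.example.com"], 5, 0,
                             [(1, b"\x11" * 8), (3, b"\x22" * 8), (23, b"\x33" * 16),
                              (18, b"\x44" * 32), (17, b"\x55" * 16)])
# The permitted_enctypes value from the mail.
PERMITTED = parse_enctype_list("aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 "
                               "aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 "
                               "camellia256-cts-cmac camellia128-cts-cmac")

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)   # for a real file: parse_keytab(open(path, "rb").read())
    for princ, r in check_keytab(entries, PERMITTED).items():
        print(princ)
        print("  usable under permitted_enctypes:", sorted(ENCTYPE_NAMES[x] for x in r["usable"]))
        print("  weak enctypes present:          ", sorted(ENCTYPE_NAMES[x] for x in r["weak"]))
```

Run against the keytab from the mail, the report says that the aes256, aes128 and arcfour keys all overlap with permitted_enctypes while the two single-DES entries are unusable under that configuration; an enctype mismatch alone therefore does not account for the error, which is consistent with the change to krb5.conf having made no difference.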
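The status in the traceback, "Major (65536): An unsupported mechanism was requested", is GSS_S_BAD_MECH (65536 = 0x10000, the routine-error field of a GSS major status). It reports that the acceptor was handed a token for a mechanism it does not have, which is a different failure from a wrong key, so a useful first check is to decode the token the browser actually sent in its Authorization: Negotiate header and see which mechanisms it offers. The inspector below is an added example for this thread, not pgAdmin or python-gssapi code; the three tokens it decodes are constructed (a SPNEGO NegTokenInit offering Kerberos and NTLMSSP with the mechToken omitted, one offering only NTLMSSP, and a bare NTLM message) and the mechanism OIDs are the published values for those mechanisms.

```python
import base64

# Mechanism OIDs seen in GSS-API/SPNEGO initial context tokens.
MECH_OIDS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos 5",
             "1.2.840.48018.1.2.2": "Kerberos 5 (legacy Microsoft OID)",
             "1.3.6.1.4.1.311.2.2.10": "NTLMSSP", "1.3.6.1.4.1.311.2.2.30": "NEGOEX"}
KERBEROS_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}


def _der_len(buf, off):
    """Decode a DER length at off -> (length, offset of the content)."""
    first = buf[off]
    if first < 0x80:
        return first, off + 1
    n = first & 0x7F
    return int.from_bytes(buf[off + 1:off + 1 + n], "big"), off + 1 + n


def _decode_oid(body):
    """OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _read_oid(buf, off):
    """Read an OID TLV at off -> (dotted oid, offset after it)."""
    if buf[off] != 0x06:
        raise ValueError("expected OID tag at offset %d" % off)
    n, off = _der_len(buf, off + 1)
    return _decode_oid(buf[off:off + n]), off + n


def _enter(buf, off, tag):
    """Check the tag at off and step into its content -> (content offset, content end)."""
    if buf[off] != tag:
        raise ValueError("expected tag 0x%02x at offset %d, got 0x%02x" % (tag, off, buf[off]))
    n, off = _der_len(buf, off + 1)
    return off, off + n


def inspect_negotiate_token(b64):
    """Classify the value of 'Authorization: Negotiate <b64>': outer mechanism, SPNEGO
    mechTypes offered (if any), and whether Kerberos is among the offered mechanisms."""
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):   # bare NTLM message, no GSS framing at all
        return {"outer": "raw NTLMSSP", "mech_types": [], "kerberos_offered": False}
    off, _ = _enter(tok, 0, 0x60)        # InitialContextToken [APPLICATION 0], RFC 2743 3.1
    oid, off = _read_oid(tok, off)
    mechs = []
    if oid == "1.3.6.1.5.5.2":           # NegTokenInit: [0] SEQUENCE { [0] mechTypes, ... }
        off, _ = _enter(tok, off, 0xA0)
        off, _ = _enter(tok, off, 0x30)
        off, _ = _enter(tok, off, 0xA0)
        off, end = _enter(tok, off, 0x30)
        while off < end:
            m, off = _read_oid(tok, off)
            mechs.append(m)
    offered = {oid} | set(mechs)
    return {"outer": MECH_OIDS.get(oid, oid),
            "mech_types": [MECH_OIDS.get(m, m) for m in mechs],
            "kerberos_offered": bool(offered & KERBEROS_OIDS)}


def _tlv(tag, body):
    """DER TLV with short- or long-form length (used only to build the sample tokens)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    """Dotted OID -> DER OID TLV (base-128 arcs, first two arcs packed into one octet)."""
    arcs = [int(x) for x in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))


def build_neg_token_init(mech_oids):
    """Construct a SPNEGO NegTokenInit offering mech_oids (mechToken omitted): test data only."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(_encode_oid(o) for o in mech_oids)))
    return _tlv(0x60, _encode_oid("1.3.6.1.5.5.2") + _tlv(0xA0, _tlv(0x30, mech_types)))


# Constructed samples: a mechTypes list with Kerberos present, one with NTLM only, and raw NTLM.
SAMPLE_KRB_AND_NTLM_B64 = base64.b64encode(build_neg_token_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"])).decode()
SAMPLE_NTLM_ONLY_B64 = base64.b64encode(build_neg_token_init(["1.3.6.1.4.1.311.2.2.10"])).decode()
SAMPLE_RAW_NTLM_B64 = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    for label, b64 in [("kerberos+ntlm", SAMPLE_KRB_AND_NTLM_B64), ("ntlm only", SAMPLE_NTLM_ONLY_B64),
                       ("raw ntlm", SAMPLE_RAW_NTLM_B64)]:
        print(label, inspect_negotiate_token(b64))
```

Paste the base64 from the browser's request (the DEBUG line in the pgAdmin log is written just before context.step() runs on that token) into inspect_negotiate_token. If no Kerberos mechanism is offered, an acceptor that only has the Kerberos mechanism cannot complete the negotiation, and the investigation moves to the client side (whether it could obtain a service ticket for the HTTP/ SPN at all) rather than the keytab's enctypes; if Kerberos is offered, the keytab, SPN mapping and realm name are the next things to verify.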
