GSSAPI auth issue with windows 7 client, postgresql 9.2.3 linux server - Mailing list pgsql-general

From jaime soler
Subject GSSAPI auth issue with windows 7 client, postgresql 9.2.3 linux server
Date
Msg-id 1389703919.9086.56.camel@turing
Whole thread Raw
List pgsql-general
Hi list,

I am able to successfully authenticate a Windows server AD user with
PostgreSQL 9.2.3 version from linux clients but It doesn't work with
Windows client.
First I logon windows 7, using a Active Directory's user, then I tried
to login to postgresql 9.2.3 server with psql:

psql -h hostname -p 5444

psql: SSPI continuation error: The encryption type requested is not
supported by the KDC. (80090342)

postgresql.log :

-1 log: connection received: host = 172.XXX.XXX.XXX port = 61877
-1FATAL: GSSAPI authentication failed for 'userXX' user


userXX exists in our postgresql server and pg_hba.conf applied to
172.XXX.XXX.XXX subnet is:

host    all             all             172.0.0.0/8             gss

Our postgresql.conf use keytab:
krb_server_keyfile = 'postgres.keytab'


And I have generated keytab with this ktpass command:

ktpass -out postgres.keytab -princ
postgres/hostname@domain -mapUser postgres -pass
XXX -crypto DES-CBC-MD5

The postgres user, exists in the Active Directory and it has a spn
defined:

C:\Users\Administrator>setspn -S postgres/hostname
 domain\postgres

Checking domain DC=domain
Registering ServicePrincipalNames for CN=postgres,CN=Users,DC=domain
postgres/hostname

Updated object


If I login from a linux client to linux server, there is no problem:

[root@hostnane datos]# su - userXX
[userXX@hostname ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_503
Default principal: userXX@domain

Valid starting     Expires            Service principal
12/11/13 08:42:04  12/11/13 18:42:09  krbtgt/domain@domain
        renew until 12/18/13 08:42:04
12/11/13 08:42:43  12/11/13 18:42:09  postgres/hostname@domain
        renew until 12/18/13 08:42:04
[userXX@u2vbddpg ~]$ psql -h 172.XX.XX.XX
psql (9.2.1.3)
Type "help" for help.

edb=>


Thanks




pgsql-general by date:

Previous
From: Keith Minsel
Date:
Subject: Postgres usage of session identifiers for security
Next
From: "Abraham, Danny"
Date:
Subject: Re: PG 924, Windows 2012, error code 487