Re: 8.4 to 9.1 Upgrade Kerberos Auth Stops Working "Wrong principal in request" - Mailing list pgsql-admin

From Stephen Frost
Subject Re: 8.4 to 9.1 Upgrade Kerberos Auth Stops Working "Wrong principal in request"
Msg-id 20130531124648.GW6434@tamriel.snowman.net
In response to 8.4 to 9.1 Upgrade Kerberos Auth Stops Working "Wrong principal in request"  (Josh Tanski <mortonjt@rochester.rr.com>)
Responses Re: 8.4 to 9.1 Upgrade Kerberos Auth Stops Working "Wrong principal in request"  (Josh Tanski <mortonjt@rochester.rr.com>)
List pgsql-admin
Josh,

  That key type (des-cbc-md5) has looonngggg been deprecated and has
  been actively disabled and disallowed from use in modern Kerberos
  libraries.

  Please go get an AES256 key and install that instead.

      Thanks,

        Stephen

* Josh Tanski (mortonjt@rochester.rr.com) wrote:
> I have Kerberos Authentication working for PostgreSQL 8.4 on Debian
> Squeeze, against a Windows 2000 Server Domain.  I tried upgrading
> some test servers to Debian Wheezy which upgrades PostgreSQL to 9.1,
> but Kerberos authentication breaks with the "Wrong principal in
> request" error.
>
> These servers ultimately use Apache2/mod-auth-kerb/php5-cgi to do
> SSO in a Windows web browser and that gets passed to PostgreSQL, but
> I have the issue with psql as well and that is where I normally
> start troubleshooting.  Mod-Auth-Kerb in Apache2 continues to
> authenticate and work after the upgrade, only PostgreSQL stops
> working.
>
> Here is everything I've looked at and the results I get - I am
> baffled on why this stopped working with 9.1, my config is the same,
> hostnames, DNS, clocks, etc. look good and nothing changed there.
> Below is from a fresh, clean install of Debian Wheezy/ PostgreSQL
> 9.1 on a new test VM and I still get the error.  If anyone sees
> something I am doing wrong or something I missed and should be
> looking into, your advice would be greatly appreciated.
>
> Thanks,
> Josh
>
> IN /etc/postgresql/9.1/main/postgresql.conf
> krb_server_keyfile = '/etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab'
>
> IN /etc/postgresql/9.1/main/pg_hba.conf
> host     all             all         10.203.105.96 255.255.255.255 krb5 krb_server_hostname=ss-sv-tmp40.mydomain.local
>
> root@ss-sv-tmp40:~# hostname --fqdn
> ss-sv-tmp40.mydomain.local
>
> root@ss-sv-tmp40:~# cat /etc/hosts
> 127.0.0.1       localhost
> 10.203.105.96   ss-sv-tmp40.mydomain.local   ss-sv-tmp40
>
>
> root@ss-sv-tmp40:~# klist -ek /etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab
> Keytab name: FILE:/etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL (des-cbc-md5)
>
>
> jdt@ss-sv-tmp40:~$ kinit jdt@MYDOMAIN.LOCAL
> Password for jdt@MYDOMAIN.LOCAL:
> jdt@ss-sv-tmp40:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: jdt@MYDOMAIN.LOCAL
>
> Valid starting    Expires           Service principal
> 31/05/2013 07:36  31/05/2013 15:36  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
>         renew until 31/05/2013 15:36, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
>
> jdt@ss-sv-tmp40:~$ psql -h ss-sv-tmp40.mydomain.local -U jdt
> psql: Kerberos 5 authentication rejected:  Wrong principal in request
> jdt@ss-sv-tmp40:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: jdt@MYDOMAIN.LOCAL
>
> Valid starting    Expires           Service principal
> 31/05/2013 07:36  31/05/2013 15:36  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
>         renew until 31/05/2013 15:36, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
> 31/05/2013 07:38  31/05/2013 15:36  postgres/ss-sv-tmp40.mydomain.local@
>         renew until 31/05/2013 15:36, Etype (skey, tkt): des-cbc-crc, des-cbc-crc
> 31/05/2013 07:38  31/05/2013 15:36  postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL
>         renew until 31/05/2013 15:36, Etype (skey, tkt): des-cbc-crc, des-cbc-crc
>
>
> root@ss-sv-tmp40:~# tail /var/log/postgresql/postgresql-9.1-main.log
> 2013-05-31 07:38:07 EDT LOG:  Kerberos recvauth returned error -1765328240 postgres: Wrong principal in request from krb5_recvauth
> 2013-05-31 07:38:07 EDT FATAL:  Kerberos 5 authentication failed for user "jdt"
>
>
> root@ss-sv-tmp40:~# cat /etc/krb5.conf
> [libdefaults]
>         default_realm = MYDOMAIN.LOCAL
>         allow_weak_crypto = true
> <snip>
>
>
> --
> Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-admin
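
An added example, not part of either message in this thread: a small audit of `klist -ek` output that flags service principals whose keytab holds single-DES keys or lacks an AES256 key, the condition the reply above points at. The first sample entry is the one quoted in the thread; the other entries, the function names, and the tolerance for a `DEPRECATED:` prefix on the enctype are assumptions made for illustration.

```python
import re

# Single-DES enctypes; MIT Kerberos only accepts them with allow_weak_crypto = true.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# One entry line of `klist -ek`: KVNO, principal, "(enctype)".
# Assumption: an optional "DEPRECATED:" prefix inside the parentheses is tolerated.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

# Sample listing: entry 1 is quoted in the thread, the rest is constructed.
SAMPLE = """\
Keytab name: FILE:/etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab
KVNO Principal
---- --------------------------------------------------------------
   1 postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL (des-cbc-md5)
   2 postgres/db2.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 postgres/db2.example.test@EXAMPLE.TEST (des-cbc-crc)
   3 postgres/db3.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
"""

def parse_keytab_listing(text):
    """Return a list of (kvno, principal, enctype) tuples; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3).strip().lower()))
    return entries

def audit(text):
    """Map each principal to its weak (kvno, enctype) keys and whether it has AES256."""
    report = {}
    for kvno, principal, etype in parse_keytab_listing(text):
        r = report.setdefault(principal, {"weak": [], "has_aes256": False})
        if etype in WEAK_ENCTYPES:
            r["weak"].append((kvno, etype))
        if etype.startswith("aes256"):
            r["has_aes256"] = True
    return report

def principals_needing_new_key(text):
    """Principals that still carry a single-DES key or have no AES256 key at all."""
    return sorted(p for p, r in audit(text).items()
                  if r["weak"] or not r["has_aes256"])

if __name__ == "__main__":
    for principal in principals_needing_new_key(SAMPLE):
        print(principal, audit(SAMPLE)[principal])
```

To check a real keytab, pass the captured output of `klist -ek <keytab>` to `principals_needing_new_key` in place of `SAMPLE`.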
