Re: GSSAPI authentication with AD - Mailing list pgsql-admin

From Stephen Frost
Subject Re: GSSAPI authentication with AD
Date
Msg-id 20131125023805.GB17272@tamriel.snowman.net
Whole thread Raw
In response to GSSAPI authentication with AD  (Abbas <abbas.dba@gmail.com>)
List pgsql-admin
Abbas,

* Abbas (abbas.dba@gmail.com) wrote:
> created enterprisedb user in AD with DES encryption type.

Do not use DES- it's not secure and there's no reason to use it.  Use
AES instead.

> -bash-4.1$ klist
>
> Ticket cache: FILE:/tmp/krb5cc_501
>
> Default principal: POSTGRES/centos@MY.TESTDOMAIN.LAN

This is the problem- with Kerberos and GSSAPI, you need to have a
'service' princ (that's the POSTGRES/my.host.name one) *and* a 'user'
princ (in your case, that should be 'enterprisedb').  The 'service'
princ needs to be exported as a keytab, as you've done, and then made
available to the PostgreSQL server (which I think you've done).
However, the 'user' princ should acquire credentials through a normal
'kinit' (which is what happens when a user logs on to a Windows system
with AD).

> -bash-4.1$ ~/bin/psql -h centos.MY.TESTDOMAIN.LAN -U enterprisedb
> psql: FATAL:  GSSAPI authentication failed for user "enterprisedb"
> -bash-4.1$
>
> pglogs :
>
> LOG:  provided user name (enterprisedb) and authenticated user name
> (POSTGRES/centos) do not match

Right, this is telling you that you're using a principal
(POSTGRES/centos) which doesn't match the user that you're trying to
authenticate as ('enterprisedb').

    Thanks,

        Stephen

Attachment

pgsql-admin by date:

Previous
From: Rune Gullstrom
Date:
Subject: How do I get plpython working on postgres 9.2 / windows 64 bit
Next
From: Technical Doubts
Date:
Subject: Reg : Logging