Logon via GSSAPI from Linux fails, but works from Windows - Mailing list pgsql-general

From Niels Jespersen
Subject Logon via GSSAPI from Linux fails, but works from Windows
Date
Msg-id 3307acb3f9a84562a704c85b8e0c5a25@dst.dk
List pgsql-general
Hello all

We have our analysis users log on to Postgres without a password. Instead we rely on their Windows identity.

When the Postgres server is on Windows, we use SSPI. Works great.

When the Postgres server is on Linux, we use GSSAPI. Works great.

Now, we are introducing Linux for analysts to run their Python/R/SQL/whatever.

They log onto Linux using their Windows identity. The Linux analysis servers are joined to the Windows domain using sssd.

This gives us a headache. Logging onto Postgres without a password does not immediately work when the Windows user is logged onto a Linux server with their Windows credentials.

Linux is Ubuntu 22.04 on the client side, Ubuntu 20.04 on the Postgres server side. Postgres server version is server 14.2 (Ubuntu 14.2-1.pgdg20.04+1). psql client is psql (PostgreSQL) 14.2 (Ubuntu 14.2-1ubuntu1).

What happens is this

yyy@srvpython8:~$ psql service=bigdata_db1
psql: error: connection to server at "srvpostgres4.xxx.local" (172.30.33.30), port 1609 failed: could not initiate GSSAPI security context: Unspecified GSS failure.  Minor code may provide more information: Server not found in Kerberos database
connection to server at "srvpostgres4.xxx.local" (172.30.33.30), port 1609 failed: GSSAPI continuation error: Unspecified GSS failure.  Minor code may provide more information: Server not found in Kerberos database
yyy@srvpython8:~$

The Postgres server log has this.

2022-05-13 18:14:01.140 CEST,,,474093,"172.30.32.213:33554",627e83c9.73bed,1,"",2022-05-13 18:14:01 CEST,,0,LOG,00000,"connection received: host=172.30.32.213 port=33554",,,,,,,,,"","not initialized",,0
2022-05-13 18:14:01.159 CEST,,,474094,"172.30.32.213:33556",627e83c9.73bee,1,"",2022-05-13 18:14:01 CEST,,0,LOG,00000,"connection received: host=172.30.32.213 port=33556",,,,,,,,,"","not initialized",,0
2022-05-13 18:14:01.176 CEST,"yyy","db1",474094,"172.30.32.213:33556",627e83c9.73bee,2,"authentication",2022-05-13 18:14:01 CEST,2/14544,0,FATAL,28000,"GSSAPI authentication failed for user ""yyy""","Connection matched pg_hba.conf line 15: ""host    all             all             172.0.0.0/8             gss map=xxxlocal include_realm=0 krb_realm=""XXX.LOCAL""""",,,,,,,,"","client backend",,-3382135431624836920

Are we forgetting to set something up?

Regards Niels Jespersen
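
The following added example is not part of the original message or of PostgreSQL. It parses csvlog lines in the PostgreSQL 14 column order and returns each failed authentication (SQLSTATE 28000) together with the pg_hba.conf line and options the connection matched. The function name, the field positions assumed for a `host` line with a CIDR address, and the embedded sample (two of the post's log lines with wrapped lines rejoined) are assumptions of the example.

```python
import csv
import io
import re

# Column order of the PostgreSQL 14 csvlog format (26 columns).
CSVLOG_COLUMNS = [
    "log_time", "user_name", "database_name", "process_id", "connection_from",
    "session_id", "session_line_num", "command_tag", "session_start_time",
    "virtual_transaction_id", "transaction_id", "error_severity",
    "sql_state_code", "message", "detail", "hint", "internal_query",
    "internal_query_pos", "context", "query", "query_pos", "location",
    "application_name", "backend_type", "leader_pid", "query_id",
]

# Sample input: log lines from the post, with wrapped lines rejoined.
SAMPLE_LOG = '''
2022-05-13 18:14:01.159 CEST,,,474094,"172.30.32.213:33556",627e83c9.73bee,1,"",2022-05-13 18:14:01 CEST,,0,LOG,00000,"connection received: host=172.30.32.213 port=33556",,,,,,,,,"","not initialized",,0
2022-05-13 18:14:01.176 CEST,"yyy","db1",474094,"172.30.32.213:33556",627e83c9.73bee,2,"authentication",2022-05-13 18:14:01 CEST,2/14544,0,FATAL,28000,"GSSAPI authentication failed for user ""yyy""","Connection matched pg_hba.conf line 15: ""host    all             all             172.0.0.0/8             gss map=xxxlocal include_realm=0 krb_realm=""XXX.LOCAL""""",,,,,,,,"","client backend",,-3382135431624836920
'''

# The detail field quotes the matched pg_hba.conf line verbatim.
HBA_DETAIL = re.compile(r'pg_hba\.conf line (\d+): "(.*)"$', re.S)


def failed_auth_events(csvlog_text):
    """Return one dict per FATAL authentication failure (SQLSTATE 28000)."""
    events = []
    for row in csv.reader(io.StringIO(csvlog_text)):
        rec = dict(zip(CSVLOG_COLUMNS, row))  # blank rows give an empty dict
        if rec.get("error_severity") != "FATAL" or rec.get("sql_state_code") != "28000":
            continue
        m = HBA_DETAIL.search(rec.get("detail", ""))
        fields = m.group(2).split() if m else []
        # Assumption: "host db user CIDR method [options]", so method is field 4.
        options = {k: v.strip('"') for k, v in
                   (f.split("=", 1) for f in fields[5:] if "=" in f)}
        events.append({
            "user": rec["user_name"],
            "database": rec["database_name"],
            "client": rec["connection_from"].rsplit(":", 1)[0],
            "message": rec["message"],
            "hba_line": int(m.group(1)) if m else None,
            "auth_method": fields[4] if len(fields) > 4 else None,
            "auth_options": options,
        })
    return events
```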


