Re: PG 8.3 and kerberos failures - Mailing list pgsql-admin
| From | Peter Koczan |
|---|---|
| Subject | Re: PG 8.3 and kerberos failures |
| Date | |
| Msg-id | 4544e0330804181043y6db18a9bve072aa5bc44a8cc4@mail.gmail.com Whole thread Raw |
| In response to | PG 8.3 and kerberos failures ("Peter Koczan" <pjkoczan@gmail.com>) |
| Responses |
Re: PG 8.3 and kerberos failures
("Peter Koczan" <pjkoczan@gmail.com>)
|
| List | pgsql-admin |
On Thu, Apr 17, 2008 at 11:40 AM, Peter Koczan <pjkoczan@gmail.com> wrote: > Hi all, > > I just upgraded one of my servers and I'm having a bit of trouble > getting some of the kerberos authentication bits working. > Specifically, any Kerberos instance run out of a v5srvtab doesn't work > so well. Using stashed tickets or normal principals worked fine. > Gritty details follow. > > Peter > > Here are details from the specific v5srvtab's... > [root@sensei postgres]# klist -k -t /etc/v5srvtab.wsbackup > Keytab name: FILE:/etc/v5srvtab.wsbackup > KVNO Timestamp Principal > ---- ----------------- -------------------------------------------------------- > 13 12/20/07 15:56:11 wsbackup/sensei.cs.wisc.edu@CS.WISC.EDU Here's what happens when I do this (it's on a different machine but it's the same mechanism). [root@ator] ~ $ su - wsbackup ator(1)% kinit -f -k -t /etc/v5srvtab.wsbackup -l 1d wsbackup/ator.cs.wisc.edu@CS.WISC.EDU ator(2)% klist Ticket cache: FILE:/var/adm/krb5/tmp/tkt/krb5cc_28528 Default principal: wsbackup/ator.cs.wisc.edu@CS.WISC.EDU Valid starting Expires Service principal 04/18/08 12:25:00 04/19/08 12:25:00 krbtgt/CS.WISC.EDU@CS.WISC.EDU Kerberos 4 ticket cache: /tmp/tkt28528 klist: You have no tickets cached ator(4)% /s/postgresql-8.2/bin/psql -h sensei -p 5432 postgres Connecting to 8.2 works... ator(5)% /s/postgresql-8.3/bin/psql -h sensei -p 5432 postgres Connecting to 8.2 via 8.3 binaries works... ator(6)% /s/postgresql-8.3/bin/psql -h sensei -p 49173 postgres psql: FATAL: no pg_hba.conf entry for host "128.105.162.36", user "wsbackup", database "postgres", SSL off And then it fails as above... Apr 18 12:20:41 sensei postgres[4486]: [3-1] LOG: connection received: host=ator.cs.wisc.edu port=56925 Apr 18 12:20:41 sensei postgres[4486]: [4-1] LOG: unexpected Kerberos user name received from client (received "wsbackup", expected "wsbackup/ator.cs.wisc.edu") Apr 18 12:20:41 sensei postgres[4486]: [5-1] FATAL: Kerberos 5 authentication failed for user "wsbackup" Apr 18 12:20:41 sensei postgres[4488]: [3-1] LOG: connection received: host=ator.cs.wisc.edu port=56926 Apr 18 12:20:41 sensei postgres[4488]: [4-1] FATAL: no pg_hba.conf entry for host "128.105.162.36", user "wsbackup", database "postgres", SSL off And this is what syslog shows when I try GSSAPI authentication. Apr 18 12:34:40 sensei postgres[25885]: [3-1] LOG: connection received: host=ator.cs.wisc.edu port=41148 Apr 18 12:34:40 sensei postgres[25885]: [4-1] FATAL: GSSAPI authentication failed for user "wsbackup" Apr 18 12:34:40 sensei postgres[25886]: [3-1] LOG: connection received: host=ator.cs.wisc.edu port=41149 Apr 18 12:34:40 sensei postgres[25886]: [4-1] FATAL: no pg_hba.conf entry for host "128.105.162.36", user "wsbackup", database "postgres", SSL off Is this something I'm just going to have to find a way to work around or should I file a bug report? Peter
pgsql-admin by date: