Thank you for your suggestion. I arrived at the same suspicion. And that was it. Reverse DNS was not set up correctly.
Fra: Michael van der Kolff <mvanderkolff@gmail.com> Sendt: 6. juni 2022 15:50 Til: Niels Jespersen <NJN@dst.dk> Cc: pgsql-general list <pgsql-general@lists.postgresql.org> Emne: Re: GSSAPI authentication
It seems to suggest that either the KDC or your service account might have bad PTR records, and you might want to capture DNS traffic on the two hosts. Of course, I have no idea whether that is actually the issue.
I remember reading these docs ages ago - best of luck!
The part that you're missing, I think, is that Kerberized services require a service account.
The SPN (service principal name) is the name that is used in Kerberos contexts for that service account. PostgreSQL uses postgres/${hostname}@${realm} by default - see https://www.postgresql.org/docs/14/gssapi-auth.html.
The important part to note here is that $hostname must match what is registered in the SPN for the user that you're using as the service account in AD. It might (I don't know) have to match what AD believes about the host from its PTR records for that domain as well.
--Michael
On Mon, Jun 6, 2022 at 11:33 PM Niels Jespersen <NJN@dst.dk> wrote:
>This sounds like your PG service was unable to authenticate itself to AD.
>
>There's probably a trick to that somewhere - AD doesn't really want to be a Kerberos server, it just happens to use it 😉
But it works fine when the same AD-user connects from Windows to the same postgres (Linux) server. Auth fails when the user initiates login from a Linux box (that otherwise uses Kerberized ressources just fine).
