Re: PostgreSQL Kerberos Authentication - Mailing list pgsql-general

Hello All,

 

I am trying to configure PostgreSQL9.6 (On Centos 7.4) with Kerberos (Active Directory) via GSSAPI authentication and I’m getting the following error:

 

[postgres@hostname data]$ psql  -h hostname -U USERNAME@DOMAIN.COM postgres

psql: GSSAPI continuation error: Unspecified GSS failure.  Minor code may provide more information

GSSAPI continuation error: Server not found in Kerberos database

 

I did the following configuration:

 

1.- Create KeyTab in Active Directory:

ktpass -out postgres_instance.keytab -princ postgres/hostnamename.domain.com@DOMAIN.COM -mapUser svcPostgres -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL

 

2.- Copy the keytab to Linux Server on $PGDATA and change the privileges to postgres:postgres

3.- Configure postgresql.conf

krb_server_keyfile = '/<INSTANCA_NAME>/data/postgres_instance.keytab

 

4.- Configure /etc/krb5.conf

 

5.- Request a ticket to the KDC server using kinit (this work OK!)

 

[postgres@hostname ~]$ klist

Ticket cache: KEYRING:persistent:26:krb_ccache_AO0Y1kx

Default principal: USERNAME@DOMAIN.COM

 

Valid starting       Expires              Service principal

01/30/2018 11:01:59  01/30/2018 21:01:59  krbtgt/DOMAIN.COM@DOMAIN.COM

        renew until 02/06/2018 11:01:55

 

 

6.- Configure pg_hba.conf

host    all            all                                                0.0.0.0/0          gss include_realm=1

7.- Create user in PG to test:

create user “USERNAME@DOMAIN.COM” WITH SUPERUSER;

 

8.- Testing

[postgres@hostname data]$ psql  -h hostname -U USERNAME@DOMAIN.COM postgres

psql: GSSAPI continuation error: Unspecified GSS failure.  Minor code may provide more information

GSSAPI continuation error: Server not found in Kerberos database

 

I tried generate the Keytab with “postgres” and “POSTGRES” user as a SPN but I get the same error.

 

Any suggestion is welcome!

 

Thanks in advance for your help!

 

Jorge