Re: GSSAPI authentication - Mailing list pgsql-general

From Michael van der Kolff
Subject Re: GSSAPI authentication
Date
Msg-id CAFBbO2Qn4V=V-ZBjBnh-4FVQKJDSkBk+YgVNf0_8B-fSj_tKQA@mail.gmail.com
Whole thread Raw
In response to GSSAPI authentication  (Niels Jespersen <NJN@dst.dk>)
Responses Re: GSSAPI authentication
SV: GSSAPI authentication
List pgsql-general
This sounds like your PG service was unable to authenticate itself to AD.

There's probably a trick to that somewhere - AD doesn't really want to be a Kerberos server, it just happens to use it 😉

On Mon, 6 June 2022, 10:05 pm Niels Jespersen, <NJN@dst.dk> wrote:

Hello all

 

We are running Postgres 14 on Ubuntu. Our Windows users connect passwordless using GSSAPI. This works great.

 

Now we want users on Linux client to also connect passwordless using GSSAPI. Users on Linux log on using their Active Directory credentials, as the Linux host (Ubuntu 22.04) is joined to the domain. Logon to Linux works fine, access to Windows cifs shares works fine authentication with Kerberos.

 

But psql won't connect using GSSAPI. It does hit the right pg_hba.conf line and the username is translated via pg_ident.conf, just fine. But psql says

 

psql: error: connection to server at "srvpostgres4.xxx.local" (172.30.33.30), port 1609 failed: could not initiate GSSAPI security context: Unspecified GSS failure.  Minor code may provide more information: Server not found in Kerberos database connection to server at "srvpostgres4.xxx.local" (172.30.33.30), port 1609 failed: GSSAPI continuation error: Unspecified GSS failure.  Minor code may provide more information: Server not found in Kerberos database

 

Server log is like this

 

2022-06-06 08:14:01.176 CEST,"yyy","db1",474094,"172.30.32.213:33556",627e83c9.73bee,2,"authentication",2022-06-06 08:14:01 CEST,2/14544,0,FATAL,28000,"GSSAPI authentication failed for user ""yyy""","Connection matched pg_hba.conf line 15: ""host    all             all             172.0.0.0/8             gss map=xxxlocal include_realm=0 krb_realm=""XXX.LOCAL""""",,,,,,,,"","client backend",,-3382135431624836920

 

We are a bit lost here. What are we missing?

 

Regards Niels Jespersen

 

 

 

 

 

 

 

 

 

pgsql-general by date:

Previous
From: Niels Jespersen
Date:
Subject: GSSAPI authentication
Next
From: Michael van der Kolff
Date:
Subject: Re: GSSAPI authentication