Re: pgadmin kerberos auth propblem - Delegated credentials not supplied. - Mailing list pgadmin-support

From Khushboo Vashi
Subject Re: pgadmin kerberos auth propblem - Delegated credentials not supplied.
Date
Msg-id CAFOhELdkqy6CYeWrOQVE2MpVH=gHGvd8x11K2ey5dtVa5E_Bkg@mail.gmail.com
In response to pgadmin kerberos auth propblem - Delegated credentials not supplied.  (Milan MOLNÁR <milan_molnar@tatrabanka.sk>)
Responses RE: pgadmin kerberos auth propblem - Delegated credentials not supplied.
List pgadmin-support
Hi,

As you are using AD, there are two things you need to check.

1. Configure the AD server in a way that the UPN associated with HTTP is able to delegate the tickets to the client.
2. Your browser should be able to support Kerberos ticket negotiation and delegation.

Reference:

Thanks,
Khushboo



On Tue, Jan 3, 2023 at 2:32 PM Milan MOLNÁR <milan_molnar@tatrabanka.sk> wrote:

Hello,

I have trouble setting up Kerberos authentication with pgAdmin. I run pgAdmin in a Docker container and I'd like to use SPNEGO SSO to access pgAdmin. pgAdmin fails to authenticate the user and the error message is 'Delegated credentials not supplied.' It seems that the credentials do not contain the delegated part. Do you have any suggestion where the problem with my setup is? Do you use Kerberos auth? If so, can you please share your setup or just explain it a little?

We have KDC servers on Linux and there is a trust with Active Directory (we use Kerberos for many other services and it is working properly). I tried to connect from a PC where I'm logged in to AD.


Docker container

Dockerfile

FROM dpage/pgadmin4:6.17
COPY krb5.conf /etc/krb5.conf
COPY config.py /pgadmin4/config.py


config.py changed variables (we have a reason to change the variables here)

AUTHENTICATION_SOURCES = ['kerberos', 'internal']
KRB_APP_HOST_NAME = 'fqdn of pgadmin'
KRB_KTNAME = '/var/lib/pgadmin/pgadmin.keytab'


krb5.conf

cat krb5-wsl.conf

[libdefaults]
clockskew = 18000
canonicalize = true
dns_canonicalize_hostname = false
rdns = false
default_realm = EXAMPLE.COM
default_keytab_name = /var/lib/pgadmin/pgadmin.keytab
dns_lookup_kdc = false
#ignore_acceptor_hostname = true
proxiable = true
realm_try_domains = 1
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
#default_tgs_enctypes = aes256-cts-hmac-sha1-96
#default_tkt_enctypes = aes256-cts-hmac-sha1-96
permitted_enctypes = aes256-cts aes128-cts
udp_preference_limit = 1
kdc_timeout = 5000

[realms]
EXAMPLE.COM = {
    kdc = kdc01.EXAMPLE.COM
    kdc = kdc02.EXAMPLE.COM
    admin_server = kdc01.EXAMPLE.COM
    default_domain = EXAMPLE.COM
}

[domain_realm]
.EXAMPLE.COM = EXAMPLE.COM
EXAMPLE.COM = EXAMPLE.COM


pgadmin4/pgadmin/authenticate/kerberos.py

    def negotiate_start(self, in_token):
        svc_princ = gssapi.Name('HTTP@%s' % config.KRB_APP_HOST_NAME,
                                name_type=gssapi.NameType.hostbased_service)
        cname = svc_princ.canonicalize(gssapi.MechType.kerberos)

        try:
            server_creds = gssapi.Credentials(usage='accept', name=cname)
            context = gssapi.SecurityContext(creds=server_creds)
            out_token = context.step(base64.b64decode(in_token))
        except Exception as e:
            current_app.logger.exception(e)
            return False, e

        if out_token and not context.complete:
            return False, out_token
        if context.complete:
            # delegated_creds is None when the client did not forward its TGT,
            # so the hasattr() check below fails with the error seen above
            deleg_creds = context.delegated_creds
            if not hasattr(deleg_creds, 'name'):
                error_msg = gettext('Delegated credentials not supplied.')
                current_app.logger.error(error_msg)
                return False, Exception(error_msg)
            try:
...


Thank you

Regards
Milanm




________________________________________________________________________

The information contained in this document is intended exclusively for the
needs of its addressee. The document may contain information protected
by banking or trade secrets or information subject to protection under other
legal regulations. In the event that this document was delivered to you by mistake,
we urge you to refrain from declassifying it or using it for your own purposes.
At the same time, we would like to request that you inform us of such a case
without undue delay and then dispose of the document.

Tatra banka, a.s.
Hodžovo námestie 3, 811 06 Bratislava 1
Company ID (IČO): 00 686 930
Registered in the Commercial Register of the District Court Bratislava I
Section: Sa, Insert No.: 71/B
https://www.tatrabanka.sk
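The two checks in Khushboo's reply, carried out from the Windows/AD side where Milan's browser runs, as an added example that is not part of this thread and not pgAdmin's own code. It assumes names that do not appear above: a service account svc-pgadmin that owns HTTP/pgadmin.example.com in the EXAMPLE.COM domain, and a user milan. Steps 1 and 2 query AD with the RSAT ActiveDirectory module and need domain rights; step 3 writes the Chrome/Edge policies; step 4 reads the ticket flags with klist on the AD-joined PC. pgAdmin's negotiate_start() only succeeds when the browser forwarded a TGT. Windows SSPI forwards it only when the browser asks for delegation (Chrome and Edge do so for hosts in AuthNegotiateDelegateAllowlist, and with AuthNegotiateDelegateByKdcPolicy enabled only when the service ticket also carries ok_as_delegate) and only when the user's own TGT is forwardable. If, as in Milan's setup, HTTP/<fqdn> is a principal in a MIT realm reached through a trust rather than an AD account, the equivalent of step 1 is `kadmin: modprinc +ok_as_delegate HTTP/<fqdn>@REALM` on that KDC.

```powershell
# Added example; not pgAdmin's code. Assumed names (not from the thread):
#   svc-pgadmin  = AD account owning the SPN HTTP/pgadmin.example.com
#   milan        = the user signing in through SPNEGO
# Steps 1-2 need the RSAT ActiveDirectory module; steps 3-4 run on the client PC.
Import-Module ActiveDirectory

$PgAdminHost    = 'pgadmin.example.com'   # assumed value of KRB_APP_HOST_NAME
$ServiceAccount = 'svc-pgadmin'           # assumed owner of HTTP/$PgAdminHost
$User           = 'milan'                 # assumed SPNEGO user
$Spn            = "HTTP/$PgAdminHost"

# 1. Service side. AD sets ok_as_delegate on the HTTP service ticket only when the
#    account owning the SPN is trusted for unconstrained delegation. Caveat: that
#    account then receives a copy of every user's TGT, so the pgAdmin host must be
#    treated as a tier-0 asset (hardened, patched, admin access tightly limited).
function Test-ServiceAccountDelegation {
    $svc = Get-ADUser -Identity $ServiceAccount -Properties ServicePrincipalNames, TrustedForDelegation
    $ok = $true
    if ($svc.ServicePrincipalNames -notcontains $Spn) {
        Write-Warning "$Spn is not registered on $ServiceAccount (setspn -Q $Spn shows the owner)"
        $ok = $false
    }
    if (-not $svc.TrustedForDelegation) {
        Write-Warning "$ServiceAccount is not trusted for delegation"
        $ok = $false
    }
    return $ok
}
# Fix for step 1, deliberately not run automatically (the keytab is what KRB_KTNAME points at):
#   setspn -S HTTP/pgadmin.example.com svc-pgadmin
#   Set-ADAccountControl -Identity svc-pgadmin -TrustedForDelegation $true
#   ktpass -princ HTTP/pgadmin.example.com@EXAMPLE.COM -mapuser EXAMPLE\svc-pgadmin -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out pgadmin.keytab

# 2. User side. A non-forwardable TGT can never be delegated, whatever the service
#    allows: "Account is sensitive and cannot be delegated" and membership in
#    Protected Users both produce exactly the failure pgAdmin reports.
function Test-UserDelegatable {
    $usr = Get-ADUser -Identity $User -Properties AccountNotDelegated, MemberOf
    $protected = (Get-ADGroup -Identity 'Protected Users').DistinguishedName
    if ($usr.AccountNotDelegated) {
        Write-Warning "$User has 'Account is sensitive and cannot be delegated' set"
        return $false
    }
    if ($usr.MemberOf -contains $protected) {
        Write-Warning "$User is in Protected Users; its TGT is never forwardable"
        return $false
    }
    return $true
}

# 3. Browser side (Khushboo's second point). Chrome and Edge negotiate Kerberos only
#    for hosts in AuthServerAllowlist and forward the TGT only for hosts in
#    AuthNegotiateDelegateAllowlist. Firefox uses network.negotiate-auth.trusted-uris
#    and network.negotiate-auth.delegation-uris (about:config or policies.json).
function Set-BrowserDelegationPolicy {
    foreach ($path in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKLM:\SOFTWARE\Policies\Microsoft\Edge') {
        New-Item -Path $path -Force | Out-Null
        New-ItemProperty -Path $path -Name 'AuthServerAllowlist' -Value $PgAdminHost -PropertyType String -Force | Out-Null
        New-ItemProperty -Path $path -Name 'AuthNegotiateDelegateAllowlist' -Value $PgAdminHost -PropertyType String -Force | Out-Null
    }
}

# 4. Verify from the client before touching pgAdmin: fetch the service ticket and
#    read the flag names klist prints after "Ticket Flags 0x... ->".
function Get-TicketFlags {
    param([string]$ServerPrefix)
    $blocks = (klist | Out-String) -split '#\d+>'
    foreach ($b in $blocks) {
        if ($b -match "Server:\s+$([regex]::Escape($ServerPrefix))" -and $b -match 'Ticket Flags[^\n]*->([^\r\n]*)') {
            return ($Matches[1].Trim() -split '\s+')
        }
    }
    return @()
}

klist get $Spn | Out-Null
$httpFlags = Get-TicketFlags -ServerPrefix $Spn
$tgtFlags  = Get-TicketFlags -ServerPrefix 'krbtgt/'
[pscustomobject]@{
    ServiceAccountOk = Test-ServiceAccountDelegation
    UserDelegatable  = Test-UserDelegatable
    TgtForwardable   = ($tgtFlags -contains 'forwardable')
    HttpOkAsDelegate = ($httpFlags -contains 'ok_as_delegate')
}
```

Run Set-BrowserDelegationPolicy once from an elevated prompt and restart the browser; the final object shows which of the four conditions is missing. Milan's krb5.conf already has forwardable = true, but that only affects tickets obtained by MIT clients inside the container; the browser on the Windows PC gets its TGT from the AD KDC, so the user-side checks in step 2 are the ones that matter for it.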
