GSSAPI authentication with AD - Mailing list pgsql-general
From: Abbas
Subject: GSSAPI authentication with AD
Msg-id: CAHq+KHJOvZT8M-o_sE+QzqqBGnUjNubWo_rRmpHZyw5ZUuaseg@mail.gmail.com
Responses: Re: [ADMIN] GSSAPI authentication with AD
List: pgsql-general
Hi,
I am struggling to provide access for a Windows Active Directory user to a PostgreSQL database.
I am using Windows Server 2008 R2 and created a forest in AD with 2003 compatibility. PostgreSQL 9.3.1 has been compiled with GSSAPI and krb5 support on CentOS; both the Windows server and CentOS are on VMs with static IPs.
My walkthrough is as follows:
Created the enterprisedb user in AD with the DES encryption type.
Added the CentOS host to the AD domain.
C:\Users\Administrator>setspn -S POSTGRES/centos.my.testdomain.lan my.testdomain.lan\enterprisedb
Checking domain DC=my,DC=testdomain,DC=lan
Registering ServicePrincipalNames for CN=enterprisedb,CN=Users,DC=my,DC=testdomain,DC=lan
POSTGRES/centos.my.testdomain.lan
Updated object
C:\Users\Administrator>ktpass -out postgres.keytab -princ POSTGRES/centos@MY.TESTDOMAIN.LAN -mapUser enterprisedb -pass XXXXXX -crypto DES-CBC-MD5
Targeting domain controller: WIN-UC777GC73I8.my.testdomain.lan
Using legacy password setting method
Successfully mapped POSTGRES/centos to enterprisedb.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to postgres.keytab:
Keytab version: 0x502
keysize 60 POSTGRES/centos@MY.TESTDOMAIN.LAN ptype 0 (KRB5_NT_UNKNOWN) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x1af1c29ebf252549)
-bash-4.1$ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
debug=true
default_realm = MY.TESTDOMAIN.LAN
allow_weak_crypto = 1
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
MYWIN.MY.TESTDOMAIN.LAN = {
kdc = .my.testdomain.lan
}
MY.TESTDOMAIN.LAN = {
kdc = win-uc777gc73i8.my.testdomain.lan
}
[domain_realm]
mywin.my.testdomain.lan = MYWIN.MY.TESTDOMAIN.LAN
.mywin.my.testdomain.lan = MYWIN.MY.TESTDOMAIN.LAN
################
Output of klist:
-bash-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: POSTGRES/centos@MY.TESTDOMAIN.LAN
Valid starting     Expires            Service principal
11/25/13 00:41:34  11/25/13 10:41:38  krbtgt/MY.TESTDOMAIN.LAN@MY.TESTDOMAIN.LAN
        renew until 12/02/13 00:41:34
11/25/13 00:41:41  11/25/13 10:41:38  postgres/centos@
        renew until 12/02/13 00:41:34
11/25/13 00:41:41  11/25/13 10:41:38  postgres/centos@MY.TESTDOMAIN.LAN
        renew until 12/02/13 00:41:34
-bash-4.1$ kinit -V -k -t /opt/PostgreSQL/9.3.1/data/postgres.keytab POSTGRES/centos@MY.TESTDOMAIN.LAN
Using default cache: /tmp/krb5cc_501
Using principal: POSTGRES/centos@MY.TESTDOMAIN.LAN
Using keytab: /opt/PostgreSQL/9.3.1/data/postgres.keytab
Authenticated to Kerberos v5
-bash-4.1$
-bash-4.1$ klist -k /opt/PostgreSQL/9.3.1/data/postgres.keytab
Keytab name: FILE:/opt/PostgreSQL/9.3.1/data/postgres.keytab
KVNO Principal
---- --------------------------------------------------------------------------
8 POSTGRES/centos@MY.TESTDOMAIN.LAN
postgresql.conf:
# Kerberos and GSSAPI
krb_server_keyfile = '/opt/PostgreSQL/9.3.1/data/postgres.keytab'
krb_srvname = 'POSTGRES' # (Kerberos only)
pg_hba.conf:
host all all 0.0.0.0/0 gss
While trying to connect with the psql client on CentOS I am getting the error below:
-bash-4.1$ ~/bin/psql -h centos.MY.TESTDOMAIN.LAN -U enterprisedb
psql: FATAL: GSSAPI authentication failed for user "enterprisedb"
-bash-4.1$
PostgreSQL logs:
LOG: provided user name (enterprisedb) and authenticated user name (POSTGRES/centos) do not match
FATAL: GSSAPI authentication failed for user "enterprisedb"
DETAIL: Connection matched pg_hba.conf line 86: "host all all 0.0.0.0/0 gss"
Log output of /tmp/krb5_gp.log
[3947] 1385322573.406775: ccselect can't find appropriate cache for server principal postgres/centos@
[3947] 1385322573.406955: Getting credentials POSTGRES/centos@MY.TESTDOMAIN.LAN -> postgres/centos@ using ccache FILE:/tmp/krb5cc_501
[3947] 1385322573.407067: Retrieving POSTGRES/centos@MY.TESTDOMAIN.LAN -> postgres/centos@ from FILE:/tmp/krb5cc_501 with result: 0/Unknown code 0
[3947] 1385322573.407203: Creating authenticator for POSTGRES/centos@MY.TESTDOMAIN.LAN -> postgres/centos@, seqnum 222559749, subkey des-cbc-crc/7B63, session key des-cbc-crc/66D8
[3947] 1385322573.407227: Negotiating for enctypes in authenticator: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, des-cbc-crc, des, des-cbc-md4
[3947] 1385322573.418759: ccselect can't find appropriate cache for server principal postgres/centos@
[3947] 1385322573.418896: Read AP-REP, time 1385322576.407247, subkey aes256-cts/710D, seqnum 574336718
Please suggest where I am going wrong.