Thread: GSSAPI auth issue with windows 7 client, postgresql 9.2.3 linux server

GSSAPI auth issue with windows 7 client, postgresql 9.2.3 linux server

From: jaime soler

Hi list,

I am able to successfully authenticate a Windows Server AD user with
PostgreSQL version 9.2.3 from Linux clients, but it doesn't work with a
Windows client.
First I log on to Windows 7 using an Active Directory user, then I tried
to log in to the PostgreSQL 9.2.3 server with psql:

psql -h hostname -p 5444

psql: SSPI continuation error: The encryption type requested is not
supported by the KDC. (80090342)

postgresql.log :

-1 log: connection received: host = 172.XXX.XXX.XXX port = 61877
-1FATAL: GSSAPI authentication failed for 'userXX' user


userXX exists in our PostgreSQL server, and the pg_hba.conf entry applied to
the 172.XXX.XXX.XXX subnet is:

host    all             all             172.0.0.0/8             gss

Our postgresql.conf uses a keytab:
krb_server_keyfile = 'postgres.keytab'


And I have generated keytab with this ktpass command:

ktpass -out postgres.keytab -princ
postgres/hostname@domain -mapUser postgres -pass
XXX -crypto DES-CBC-MD5

The postgres user exists in Active Directory and has an SPN
defined:

C:\Users\Administrator>setspn -S postgres/hostname
 domain\postgres

Checking domain DC=domain
Registering ServicePrincipalNames for CN=postgres,CN=Users,DC=domain
postgres/hostname

Updated object


If I log in from a Linux client to the Linux server, there is no problem:

[root@hostnane datos]# su - userXX
[userXX@hostname ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_503
Default principal: userXX@domain

Valid starting     Expires            Service principal
12/11/13 08:42:04  12/11/13 18:42:09  krbtgt/domain@domain
        renew until 12/18/13 08:42:04
12/11/13 08:42:43  12/11/13 18:42:09  postgres/hostname@domain
        renew until 12/18/13 08:42:04
[userXX@u2vbddpg ~]$ psql -h 172.XX.XX.XX
psql (9.2.1.3)
Type "help" for help.

edb=>


Thanks




Re: GSSAPI auth issue with windows 7 client, postgresql 9.2.3 linux server

From: Stephen Frost

* jaime soler (jaime.soler@gmail.com) wrote:
> psql: SSPI continuation error: The encryption type requested is not
> supported by the KDC. (80090342)

[...]

> ktpass -out postgres.keytab -princ
> postgres/hostname@domain -mapUser postgres -pass
> XXX -crypto DES-CBC-MD5

Not 100% sure this is it, but it looks like you're using an ancient
encryption algo which is no longer supported by MIT Kerberos (very
intentionally...).  Why aren't you using AES256 instead?

    Thanks,

        Stephen


Re: GSSAPI auth issue with windows 7 client, postgresql 9.2.3 linux server

From: jaime soler

On Tue, 14-01-2014 at 08:19 -0500, Stephen Frost wrote:
> * jaime soler (jaime.soler@gmail.com) wrote:
> > psql: SSPI continuation error: The encryption type requested is not
> > supported by the KDC. (80090342)
>
> [...]
>
> > ktpass -out postgres.keytab -princ
> > postgres/hostname@domain -mapUser postgres -pass
> > XXX -crypto DES-CBC-MD5
>
> Not 100% sure this is it, but it looks like you're using an ancient
> encryption algo which is no longer supported by MIT Kerberos (very
> intentionally...).  Why aren't you using AES256 instead?

So, should I use ALL as the argument to the -crypto option, as follows?

 ktpass -out postgres.keytab -princ
 postgres/hostname@domain -mapUser postgres -pass
 XXX -crypto ALL


Thanks,
Jaime

>
>     Thanks,
>
>         Stephen




Re: GSSAPI auth issue with windows 7 client, postgresql 9.2.3 linux server

From: Stephen Frost

* jaime soler (jaime.soler@gmail.com) wrote:
> So, should I use ALL as the argument to the -crypto option, as follows?
>
>  ktpass -out postgres.keytab -princ
>  postgres/hostname@domain -mapUser postgres -pass
>  XXX -crypto ALL

You could, or you could use AES256-SHA1 ...

    Thanks,

        Stephen

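Added example, not part of the thread and not PostgreSQL or MIT Kerberos code: a Python reader for the keytab file format (version 0x0502) that lists the encryption type of each key and flags single-DES ones, which is the property the DES-CBC-MD5 versus AES256 exchange above turns on. The sample keytab bytes, key version numbers and all-zero keys are constructed, and `counted`, `audit_keytab` and `make_entry` are names made up for this example.

```python
import struct

# Kerberos enctype numbers; 1 to 3 are the single-DES types.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 2, 3}

def counted(data, p):
    (n,) = struct.unpack_from(">H", data, p)    # 16-bit length prefix
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def audit_keytab(data):
    """Return [(principal, kvno, enctype name, is_single_des)] per key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    rows, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted entry
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        end, p, names = pos + size, pos + 2, []
        for _ in range(ncomp + 1):    # realm first, then name components
            text, p = counted(data, p)
            names.append(text)
        p += 8                        # skip name type and timestamp
        kvno = data[p]                # 8-bit key version number
        etype, klen = struct.unpack_from(">HH", data, p + 1)
        p += 5 + klen                 # step over kvno, header and key bytes
        if end - p >= 4:              # optional 32-bit kvno, used if non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        rows.append(("/".join(names[1:]) + "@" + names[0], kvno,
                     ENCTYPES.get(etype, "etype-%d" % etype), etype in WEAK))
        pos = end
    return rows

def make_entry(realm, comps, kvno, etype, key):  # sample builder only
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: the thread's placeholder principal, all-zero keys.
NAME = (b"domain", [b"postgres", b"hostname"])
SAMPLE = (b"\x05\x02" + make_entry(*NAME, 3, 3, bytes(8))
          + make_entry(*NAME, 3, 18, bytes(32)))
```

Pass the bytes of a real keytab to `audit_keytab` (for example `open("postgres.keytab", "rb").read()`); any row whose last field is `True` holds a single-DES key.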