Thread: Problems with kerberos 4 authentication

Problems with kerberos 4 authentication

From
Rodney McDuff
Date:
Hi
    I've compiled postgresql 6.3.2 with kerberos 4 support (using the KTH-KRB
Ebones distribution) on an Alpha running DU4.0D. I create a postgres_dbms
principle in /etc/srvtab (and arranged for the postmaster to be able to read
this file) and made the appropriate modifications to pg_hba.conf file.
I've then used kinit to get a krbtgt (ticket granting ticket) which shows up
using klist. I then type "psql database" and get a "User authentication
failed" error. Running the postmaster in debug mode shows up

  "pg_krb4_recvauth: kerberos error: Can't decode authenticator (krb_rd_req)"

(which is a kstatus of RD_AP_UNDEC=31). But what's really weird is that I
successfully get a postgres_dbms ticket from the KDC (which shows up in both
the kerberos logs and under a klist).

I'm a bit stumped about this so any ideas or comments would be greatly
appreciated.

--

  +-----------------+------------------------------------------+
  |    _   ^   _    | Dr. Rodney McDuff                        |
  |   |\  /|\  /|   | Network Development, ITS                 |
  |     \  |  /     | The University of Queensland             |
  |      \ | /      | St. Lucia, Brisbane                      |
  |       \|/       | Queensland, Australia. 4072.             |
  |<-------+------->| TELEPHONE: +61 7 3365 8220               |
  |       /|\       | FACSIMILE: +61 7 3365 4477               |
  |      / | \      | EMAIL: mcduff@its.uq.edu.au              |
  |     /  |  \     |                                          |
  |   |/  \|/  \|   |        Ex ignorantia ad sapientiam       |
  |    -   v   -    |            Ex luce ad tenebras           |
  +-----------------+------------------------------------------+



Re: [GENERAL] Problems with kerberos 4 authentication

From
Tom Ivar Helbekkmo
Date:
Rodney McDuff <ccmcduff@its.uq.edu.au> writes:

>     I've compiled postgresql 6.3.2 with kerberos 4 support (using
> the KTH-KRB Ebones distribution) on an Alpha running DU4.0D.

I've been using KTH Kerberos IV with PostgreSQL for a long time, and
it's always been working great, until very recently (about which more
later).  Right now, I use PostgreSQL 6.4.2, under NetBSD on i386 and
Sparc systems, with no problems.

> I create a postgres_dbms principle in /etc/srvtab (and arranged for
> the postmaster to be able to read this file) and made the
> appropriate modifications to pg_hba.conf file.

(It's "principal", not "principle", by the way.)  You probably
shouldn't do it this way, since it means opening up access to your
main srvtab file more than you should be comfortable with.  Use
ksrvutil to create a separate srvtab for PostgreSQL, and modify the
Makefile.global file in the main PostgreSQL src directory after
configure, before make.

> I've then used kinit to get a krbtgt (ticket granting ticket) which shows up
> using klist. I then type "psql database" and get a "User authentication
> failed" error. Running the postmaster in debug mode shows up
>
>   "pg_krb4_recvauth: kerberos error: Can't decode authenticator (krb_rd_req)"
>
> (which is a kstatus of RD_AP_UNDEC=31). But what's really weird is that I
> successfully get a postgres_dbms ticket from the KDC (which shows up in both
> the kerberos logs and under a klist).

I see the exact same behavior with the current CVS version of
PostgreSQL, and have been trying to find time to study it more
carefully and post a description of the problem.  I assume something
was done to the communication between front end and back end that
broke Kerberos.  I can't recall if I ever ran the actual 6.3.2 -- I've
been tracking CVS mostly -- but I can confirm that 6.4.2 is OK, so you
might want to upgrade to that before going further with your problem.

-tih
--
Popularity is the hallmark of mediocrity.  --Niles Crane, "Frasier"
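
The reply's advice about a separate srvtab can be checked mechanically. The following is an added example, not code from the thread, PostgreSQL or KTH-KRB: it lists the principals in a srvtab without ever returning key material and reports what else the postmaster account would gain by reading it. It assumes the classic Kerberos 4 srvtab record layout (NUL-terminated service, instance and realm, a 1-byte key version, an 8-byte DES key); the function names, realm, host name and file modes are constructed for illustration.

```python
import stat

KEY_LEN = 8  # one DES key per entry

def parse_srvtab(data):
    """Return [(service, instance, realm, kvno)]; key bytes are skipped, never returned."""
    entries, pos = [], 0
    while pos < len(data):
        names = []
        for _ in range(3):  # service, instance, realm: NUL-terminated strings
            end = data.find(b"\0", pos)
            if end < 0:
                raise ValueError("truncated srvtab: unterminated name field")
            names.append(data[pos:end].decode("ascii"))
            pos = end + 1
        if pos + 1 + KEY_LEN > len(data):
            raise ValueError("truncated srvtab: missing kvno or key")
        entries.append((names[0], names[1], names[2], data[pos]))
        pos += 1 + KEY_LEN
    return entries

def audit_srvtab(data, mode, wanted_service):
    """List reasons this srvtab should not be handed to the account running wanted_service."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants group/other access" % stat.S_IMODE(mode))
    for service, instance, realm, _kvno in parse_srvtab(data):
        if service != wanted_service:
            findings.append("unrelated key exposed: %s.%s@%s" % (service, instance, realm))
    return findings

def entry(service, instance, realm, kvno):
    """Build one constructed srvtab record with an all-zero placeholder key."""
    names = b"\0".join(s.encode() for s in (service, instance, realm))
    return names + b"\0" + bytes([kvno]) + bytes(KEY_LEN)

# Constructed sample data: realm, host name and modes are made up for the example.
SHARED = entry("rcmd", "db1", "EXAMPLE.ORG", 1) + entry("postgres_dbms", "db1", "EXAMPLE.ORG", 1)
DEDICATED = entry("postgres_dbms", "db1", "EXAMPLE.ORG", 1)

if __name__ == "__main__":
    # Main srvtab opened up to the postmaster's group vs. a separate PostgreSQL srvtab.
    for label, blob, mode in (("shared", SHARED, 0o640), ("dedicated", DEDICATED, 0o600)):
        print(label, audit_srvtab(blob, mode, "postgres_dbms") or "ok")
```

To audit a real file, pass its bytes and `os.stat(path).st_mode` to `audit_srvtab`.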