Thread: IDENT and pg_hda.conf
Is this good advice?

IDENT Authentication failed for user "postgres"

This error has everything to do with the way distros set up access rights for postgres. They are way too restrictive and leave you wondering what to do next.

Do yourself a favour and change authentication type in pg_hba.conf to

local all trust

until you have figured out what all this stuff in pg_hba.conf does. Read about the different authentication settings and change them as you see fit. It is all described in detail in pg_hba.conf

In any case I don't have a pg_hba.conf file:

:~> locate pg_hba.conf
/usr/share/postgresql/pg_hba.conf.sample
:~>

Should I have one? If I should, where does it belong?

Thanks,
Jerome

On 30/01/2004 09:39 Susemail wrote:
> [snip]
> In any case I don't have a pg_hba.conf file:

You should have, unless you haven't done an initdb...

>
> :~> locate pg_hba.conf
> /usr/share/postgresql/pg_hba.conf.sample
> :~>
>
> Should I have one? If I should, where does it belong?

It's in PostgreSQL's data dir. Obviously this may differ from distro to distro. Probably what is happening is that you are running locate as a regular user which won't have read access to that directory (it's owned by user postgres).

--
Paul Thomas
+------------------------------+---------------------------------------------+
| Thomas Micro Systems Limited | Software Solutions for the Smaller Business |
| Computer Consultants         | http://www.thomas-micro-systems-ltd.co.uk   |
+------------------------------+---------------------------------------------+

On Thu, Jan 29, 2004 at 23:39:23 -1000, Susemail <susemail@hawaii.rr.com> wrote:
> Is this good advice?
>
> IDENT Authentication failed for user "postgres"
>
> This error has everything to do with the way distros set up access rights for
> postgres. They are way too restrictive and leave you wondering what to do
> next.
>
> Do yourself a favour and change authentication type in pg_hba.conf to
>
> local all trust
>
> until you have figured out what all this stuff in pg_hba.conf does. Read about
> the different authentication settings and change them as you see fit. It is
> all described in detail in pg_hba.conf

If only trusted users have access to the server, this is a reasonable way to start off while learning things. Generally using ident for local access is the way to go unless you are using an OS where it doesn't work.

On Friday 30 January 2004 01:37 am, Paul Thomas wrote:
> On 30/01/2004 09:39 Susemail wrote:
> > [snip]
> > In any case I don't have a pg_hba.conf file:
>
> You should have, unless you haven't done an initdb...
>

True, I hadn't done an initdb:

postgres@linux:/home/adriel> /usr/bin/initdb -D /usr/local/pgsql/data
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale en_US.

fixing permissions on existing directory /usr/local/pgsql/data... ok
creating directory /usr/local/pgsql/data/base... ok
creating directory /usr/local/pgsql/data/global... ok
creating directory /usr/local/pgsql/data/pg_xlog... ok
creating directory /usr/local/pgsql/data/pg_clog... ok
selecting default max_connections... 100
selecting default shared_buffers... 1000
creating configuration files... ok
creating template1 database in /usr/local/pgsql/data/base/1... ok
initializing pg_shadow... ok
enabling unlimited row size for system tables... ok
initializing pg_depend... ok
creating system views... ok
loading pg_description... ok
creating conversions... ok
setting privileges on built-in objects... ok
creating information schema... ok
vacuuming database template1... ok
copying template1 to template0... ok

Success. You can now start the database server using:

Still not able to authenticate:

postgres@linux:/home/adriel> /usr/bin/postmaster -D /usr/local/pgsql/data
LOG: database system was shut down at 2004-01-30 08:47:05 HST
LOG: checkpoint record is at 0/9B1058
LOG: redo record is at 0/9B1058; undo record is at 0/0; shutdown TRUE
LOG: next transaction ID: 534; next OID: 17142
LOG: database system is ready
FATAL: IDENT authentication failed for user "adriel"
FATAL: IDENT authentication failed for user "adriel"
FATAL: IDENT authentication failed for user "postgres"
FATAL: IDENT authentication failed for user "postgres"

My pg_hba.conf file configuration: Is it correct?

# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
local all all trust
# IPv4-style local connections:
#host all all 127.0.0.1 255.255.255.255 trust
# IPv6-style local connections:
#host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff trust
#local all all ident sameuser

This is my user list:

:~> psql -l
        List of databases
   Name    |  Owner   | Encoding
-----------+----------+-----------
 mydb      | postgres | SQL_ASCII
 mydb1     | adriel   | SQL_ASCII
 mydb2     | postgres | SQL_ASCII
 template0 | postgres | SQL_ASCII
 template1 | postgres | SQL_ASCII
 test      | postgres | SQL_ASCII
(6 rows)

So...what am I still doing wrong?

Thanks,
Jerome

Not sure if I am following your current difficulty, but if you want users on another server to connect you'll need to make sure your postmaster was started with the "-i" option (to allow TCP/IP connections) and edit the pg_hba.conf file to add the user name, db, IP address and sub mask, for example:

host all all 12.4.12.0 255.255.255.0 trust

This line will let anybody from our 12.4.12 network connect to this instance of postgres, to any database.

You'll need to restart postgres after changing the file to make it see the changes.

HTH,

Greg Williamson
DBA
GlobeXplorer LLC

-----Original Message-----
From: Jerome Lyles [mailto:susemail@hawaii.rr.com]
Sent: Fri 1/30/2004 12:23 PM
To: pgsql-general@postgresql.org
Cc:
Subject: Re: [GENERAL] IDENT and pg_hda.conf

On Friday 30 January 2004 01:37 am, Paul Thomas wrote:
> On 30/01/2004 09:39 Susemail wrote:
> > [snip]
> > In any case I don't have a pg_hba.conf file:
>
> You should have, unless you haven't done an initdb...
>

True, I hadn't done an initdb:

postgres@linux:/home/adriel> /usr/bin/initdb -D /usr/local/pgsql/data
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale en_US.

fixing permissions on existing directory /usr/local/pgsql/data... ok
creating directory /usr/local/pgsql/data/base... ok
creating directory /usr/local/pgsql/data/global... ok
creating directory /usr/local/pgsql/data/pg_xlog... ok
creating directory /usr/local/pgsql/data/pg_clog... ok
selecting default max_connections... 100
selecting default shared_buffers... 1000
creating configuration files... ok
creating template1 database in /usr/local/pgsql/data/base/1... ok
initializing pg_shadow... ok
enabling unlimited row size for system tables... ok
initializing pg_depend... ok
creating system views... ok
loading pg_description... ok
creating conversions... ok
setting privileges on built-in objects... ok
creating information schema... ok
vacuuming database template1... ok
copying template1 to template0... ok

Success. You can now start the database server using:

Still not able to authenticate:

postgres@linux:/home/adriel> /usr/bin/postmaster -D /usr/local/pgsql/data
LOG: database system was shut down at 2004-01-30 08:47:05 HST
LOG: checkpoint record is at 0/9B1058
LOG: redo record is at 0/9B1058; undo record is at 0/0; shutdown TRUE
LOG: next transaction ID: 534; next OID: 17142
LOG: database system is ready
FATAL: IDENT authentication failed for user "adriel"
FATAL: IDENT authentication failed for user "adriel"
FATAL: IDENT authentication failed for user "postgres"
FATAL: IDENT authentication failed for user "postgres"

My pg_hba.conf file configuration: Is it correct?

# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
local all all trust
# IPv4-style local connections:
#host all all 127.0.0.1 255.255.255.255 trust
# IPv6-style local connections:
#host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff trust
#local all all ident sameuser

This is my user list:

:~> psql -l
        List of databases
   Name    |  Owner   | Encoding
-----------+----------+-----------
 mydb      | postgres | SQL_ASCII
 mydb1     | adriel   | SQL_ASCII
 mydb2     | postgres | SQL_ASCII
 template0 | postgres | SQL_ASCII
 template1 | postgres | SQL_ASCII
 test      | postgres | SQL_ASCII
(6 rows)

So...what am I still doing wrong?

Thanks,
Jerome

Hi,

> host all all 12.4.12.0 255.255.255.0 trust

This looks to me a bad idea. Anyone will be able to connect as any user they wish without providing a password.

Better change "trust" to "md5" and assign a password to the user (alter user password 'secret')

[]s, Fernando Lozano

On Friday 30 January 2004 10:23 am, Jerome Lyles wrote:
> On Friday 30 January 2004 01:37 am, Paul Thomas wrote:
> > On 30/01/2004 09:39 Susemail wrote:
> > > [snip]
> > > In any case I don't have a pg_hba.conf file:
> >
> > You should have, unless you haven't done an initdb...
>
> True, I hadn't done an initdb:
>
>
> Still not able to authenticate:
>
> FATAL: IDENT authentication failed for user "adriel"
> FATAL: IDENT authentication failed for user "postgres"
>

The problem turned out to be two copies of pg_hba. One in "/usr/local/pgsql/data/pg_hba.conf" the other in "/var/lib/pgsql/data/pg_hba.conf"

"/var/lib/pgsql/data/pg_hba.conf" is in the Root Directory of postgres on my system so that's the one the system was using. I thought the system was using the other one: "/usr/local/pgsql/data/pg_hba.conf", the only one I knew about.

Thank you for helping me figure it out,
Jerome

On Friday 30 January 2004 02:11 pm, Paul Thomas wrote:
> On 30/01/2004 20:23 Jerome Lyles wrote:
> > On Friday 30 January 2004 01:37 am, Paul Thomas wrote:
> > > On 30/01/2004 09:39 Susemail wrote:
> > > > [snip]
> > > > In any case I don't have a pg_hba.conf file:
> > >
> > > You should have, unless you haven't done an initdb...
> >
> > True, I hadn't done an initdb:
> > So...what am I still doing wrong?
> > Thanks,
> > Jerome
>
> You've got me really confused here. If you hadn't done an initdb and
> couldn't connect to the postmaster how come you managed to create several
> databases?

I did solve the problem, turns out there were two copies of pg_hba.conf. As to how this was possible I don't know. If I did it earlier whatever I did left "/usr/local/pgsql/data/" empty.

True enough in the "real" world ... this is taken from a very "hidden" server used for testing ideas ... not anything exposed to the world.

GSW

-----Original Message-----
From: listas@lozano.eti.br [mailto:listas@lozano.eti.br]
Sent: Fri 1/30/2004 4:13 PM
To: Gregory S. Williamson; Jerome Lyles; pgsql-general@postgresql.org
Cc:
Subject: Re: [GENERAL] IDENT and pg_hda.conf

Hi,

> host all all 12.4.12.0 255.255.255.0 trust

This looks to me a bad idea. Anyone will be able to connect as any user they wish without providing a password.

Better change "trust" to "md5" and assign a password to the user (alter user password 'secret')

[]s, Fernando Lozano

Hi,

> > host all all 12.4.12.0 255.255.255.0 trust
>
> This looks to me a bad idea. Anyone will be able to connect as any user they
> wish without providing a password.
>
> True enough in the "real" world ... this is taken from a very "hidden" server used for testing
> ideas ... not anything exposed to the world.

You mean an isolated testing environment, right? :-)

Remember most successful attacks come from insiders, not outsiders, of the company.

[]s, Fernando Lozano
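
Added example (not part of the original thread or of PostgreSQL): a small Python check that reads pg_hba.conf entries in the address-plus-mask layout shown in this thread, and also the CIDR layout, and reports every active entry that uses "trust" together with how many addresses it covers. SAMPLE is constructed from the lines quoted in the messages above; parse_hba and audit are hypothetical helper names.

```python
import ipaddress

# Constructed sample built from the pg_hba.conf entries quoted in this thread.
SAMPLE = """\
# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
local all all trust
#host all all 127.0.0.1 255.255.255.255 trust
host all all 12.4.12.0 255.255.255.0 trust
host all all 127.0.0.1 255.255.255.255 md5
"""

def parse_hba(text):
    """Yield (lineno, type, user, network or None, method) per active entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if len(f) >= 4 and f[0] == "local":
            yield lineno, f[0], f[2], None, f[3]
        elif len(f) >= 5 and f[0].startswith("host"):
            if "/" in f[3]:                       # CIDR form: addr/len METHOD
                net, method = f[3], f[4]
            elif len(f) >= 6:                     # IP-ADDRESS IP-MASK METHOD
                bits = bin(int(ipaddress.ip_address(f[4]))).count("1")
                net, method = f"{f[3]}/{bits}", f[5]
            else:
                continue
            yield lineno, f[0], f[2], ipaddress.ip_network(net, strict=False), method

def audit(text):
    """Return (lineno, severity, message) for every entry that uses trust."""
    findings = []
    for lineno, kind, user, net, method in parse_hba(text):
        if method != "trust":
            continue
        if net is None:
            msg = ("warn", "local trust: any OS account can connect as any database user")
        elif net.is_loopback:
            msg = ("warn", f"trust on loopback {net}: same exposure as local trust")
        else:
            msg = ("high", f"trust for all {net.num_addresses} addresses in {net}: "
                           "no password is checked")
        findings.append((lineno, *msg))
    return findings

if __name__ == "__main__":
    for lineno, severity, message in audit(SAMPLE):
        print(f"line {lineno}: [{severity}] {message}")
```

Run it against the pg_hba.conf in the data directory the postmaster was actually started with, since, as this thread shows, a second copy elsewhere on disk is not the one being enforced.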