Thread: kerberos authentication error with Windows 2003 SP1 AD

kerberos authentication error with Windows 2003 SP1 AD

From: koppelp@mir.wustl.edu
Date:

My operating system is Red Hat Linux AS 4, Kerberos 5, with postgresql-7.4.14 that I compiled. I can authenticate using ssh, su, console login, and also have gotten apache mod_auth_kerb to work with AD - but I am missing something with postgresql. When I try:

[pkoppe01@ipswich ~]$ /usr/local/pgsql/bin/psql -d test -h ipswich
psql: Kerberos 5 authentication failed

For the configure step, I did (needed the include statement to prevent an error about comm_err.h):

[koppel@ipswich postgresql-7.4.14]$ ./configure --with-java --with-krb5 --with-includes=/usr/include/et

The make proceeded normally.

My pg_hba.conf looks like this (with pkoppe01 defined in Active Directory but not defined in postgres using "createuser")

local all all trust
host test pkoppe01 192.168.1.0 255.255.255.0 krb5

Also have "tcpip_socket = true" and the postgres keytab referenced in postgresql.conf and the keytab file itself owned by postgres.

When I try the psql command above (as pkoppe01) I do get the service ticket for postgres:

[pkoppe01@ipswich ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_501_LCzZ1P
Default principal: pkoppe01@PRIVATE.LAN

Valid starting     Expires            Service principal
11/13/06 11:17:25  11/13/06 21:17:28  krbtgt/PRIVATE.LAN@PRIVATE.LAN
        renew until 11/14/06 11:17:25
11/13/06 11:19:02  11/13/06 21:17:28  postgres/ipswich.private.lan@PRIVATE.LAN
        renew until 11/14/06 11:17:25

Any ideas would be greatly appreciated. Thanks in advance. Please feel free to email me directly as I just joined the list and don't know my way around yet.

Paul Koppel
Systems Manager
Washington University School of Medicine
St. Louis, MO 63110

Re: kerberos authentication error with Windows 2003 SP1 AD

From: "Magnus Hagander"
Date:

> My operating system is Red Hat Linux AS 4, Kerberos 5, with
> postgresql-7.4.14 that I compiled. I can authenticate using
> ssh, su, console login, and also have gotten apache
> mod_auth_kerb to work with AD - but I am missing something
> with postgresql. When I try:
>
> [pkoppe01@ipswich ~]$ /usr/local/pgsql/bin/psql -d test -h ipswich
> psql: Kerberos 5 authentication failed
>
> For the configure step, I did (needed the include statement
> to prevent an error about comm_err.h):
>
> [koppel@ipswich postgresql-7.4.14]$ ./configure --with-java
> --with-krb5 --with-includes=/usr/include/et
>
> The make proceeded normally.
>
> My pg_hba.conf looks like this (with pkoppe01 defined in
> Active Directory but not defined in postgres using "createuser")
>
> local all all trust
> host test pkoppe01 192.168.1.0 255.255.255.0 krb5
>
> Also have "tcpip_socket = true" and the postgres keytab
> referenced in postgresql.conf and the keytab file itself
> owned by postgres.
>
> When I try the psql command above (as pkoppe01) I do get the
> service ticket for postgres:
>
> [pkoppe01@ipswich ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_501_LCzZ1P
> Default principal: pkoppe01@PRIVATE.LAN
>
> Valid starting     Expires            Service principal
> 11/13/06 11:17:25  11/13/06 21:17:28  krbtgt/PRIVATE.LAN@PRIVATE.LAN
>         renew until 11/14/06 11:17:25
> 11/13/06 11:19:02  11/13/06 21:17:28  postgres/ipswich.private.lan@PRIVATE.LAN
>         renew until 11/14/06 11:17:25
>
> Any ideas would be greatly appreciated. Thanks in advance.
> Please feel free to email me directly as I just joined the
> list and don't know my way around yet.

The server log from postgresql should give some more information.

//Magnus

Re: kerberos authentication error with Windows 2003 SP1

From: Shane Ambler
Date:

Magnus Hagander wrote:

>> My pg_hba.conf looks like this (with pkoppe01 defined in
>> Active Directory but not defined in postgres using "createuser")

You need to createuser with the AD username - this allows that user to
connect to PostgreSQL and to own and have various permissions in
PostgreSQL but uses the kerberos password authentication instead of
internal password storage.



--

Shane Ambler
pgSQL@007Marketing.com

Get Sheeky @ http://Sheeky.Biz

Re: kerberos authentication error with Windows 2003 SP1 AD

From: "Magnus Hagander"
Date:

Hi!

Wherever your pg_ctl command sets the logfiles, or syslog if you use
syslog etc.

(Note that you still need to define the user in PostgreSQL as well, but
that should give a different error message)

//Magnus

> -----Original Message-----
> From: koppelp@mir.wustl.edu [mailto:koppelp@mir.wustl.edu]
> Sent: den 17 november 2006 23:18
> To: Magnus Hagander
> Subject: RE: [GENERAL] kerberos authentication error with
> Windows 2003 SP1 AD
>
> Hi Magnus-
>
> Thanks for your reply. Which error log in postgres should I
> look at? Do I need to configure postgres to add more detailed
> logging? Thanks again for your help.
>
> Please include my email address in your reply.
>
> -- pk

Re: kerberos authentication error with Windows 2003 SP1 AD

From: koppelp@mir.wustl.edu
Date:

I am able to use Kerberos authentication with Windows 2003 SP1 Active Directory. I couldn't get Postgres 7.4.14 to work, but as soon as I upgraded to 8.15, added my username to postgres (also set in Active Directory), and used POSTGRES as the service principal, I could log in using psql successfully.

Thanks to all who helped.

Paul Koppel
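
A preflight check for the two conditions the thread ends on (the AD user must also exist as a PostgreSQL user, and the service ticket the client obtains must be for a principal the server holds a key for), as an added example that is not part of any post. The keytab and role lists are constructed sample data, the function names are hypothetical, and principals are compared case-sensitively, as MIT Kerberos does.

```python
import re

# Constructed sample inputs modelled on the thread (not captured output).
KLIST = """\
Default principal: pkoppe01@PRIVATE.LAN

Valid starting     Expires            Service principal
11/13/06 11:17:25  11/13/06 21:17:28  krbtgt/PRIVATE.LAN@PRIVATE.LAN
11/13/06 11:19:02  11/13/06 21:17:28  postgres/ipswich.private.lan@PRIVATE.LAN
"""
KEYTAB_PRINCIPALS = ["POSTGRES/ipswich.private.lan@PRIVATE.LAN"]  # assumed, as listed by `klist -k`
DB_ROLES = ["postgres"]  # assumed, e.g. the user names in pg_user
PRINC = re.compile(r"(\S+/\S+@\S+)\s*$")  # service/host@REALM at end of line

def parse_klist(text):
    """Return (client principal, [service principals]) from klist output."""
    client, services = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            client = line.split(":", 1)[1].strip()
            continue
        m = PRINC.search(line)
        if m and not m.group(1).startswith("krbtgt/"):  # skip the TGT itself
            services.append(m.group(1))
    return client, services

def preflight(klist_text, keytab_principals, db_roles, host):
    """List the mismatches that would make a krb5 login fail for this client."""
    client, services = parse_klist(klist_text)
    if client is None:
        return ["no default principal in the ticket cache"]
    problems = []
    user = client.split("@", 1)[0]  # the name PostgreSQL looks up as the database user
    if user not in db_roles:
        problems.append(f"user {user!r} is not defined in PostgreSQL (createuser)")
    tickets = [s for s in services
               if s.split("/", 1)[1].split("@")[0].lower() == host.lower()]
    if not tickets:
        problems.append(f"no service ticket for host {host}")
    for t in tickets:
        if t in keytab_principals:
            continue
        near = [k for k in keytab_principals if k.lower() == t.lower()]
        hint = f" (keytab has {near[0]}: case differs)" if near else ""
        problems.append(f"ticket {t} has no matching keytab entry{hint}")
    return problems

if __name__ == "__main__":
    for p in preflight(KLIST, KEYTAB_PRINCIPALS, DB_ROLES, "ipswich.private.lan"):
        print("FAIL:", p)
```
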