Thread: PostgreSQL with Kerberos and Active Directory

PostgreSQL with Kerberos and Active Directory

From
"Idan Miller"
Date:
Hi everyone,
 
I'm trying to configure PostgreSQL version 8.2.4 with Kerberos and Active Directory.
The AD is run on a windows 2003 server, and the postgre on gentoo.
The gentoo computer name is postgre and it's added to the windows 2003 server AD domain.
 
I did the following:
- I compiled postgre with kerberos support and installed it on the gentoo machine.
- I created a keytab for the user postgres/postgre on the windows 2003 server machine and copied it to the gentoo machine.
- I configured the postgresql.conf to point to the keytab.
- I configured pg_hba.conf to authenticate remote users by kerberos.
- I followed additional configurations from the howto in the mailing list archives.
 
Now, when trying to log in with an AD user to postgre I get:
psq: krb5_sendauth: Bad application version was sent (via sendauth)
 
Any help will be appreciated.
 
Thanks,
Idan.

Re: PostgreSQL with Kerberos and Active Directory

From
Magnus Hagander
Date:
On Thu, Aug 30, 2007 at 02:07:13PM +0300, Idan Miller wrote:
> Hi everyone,
>
> I'm trying to configure PostgreSQL version 8.2.4 with Kerberos and Active
> Directory.
> The AD is run on a windows 2003 server, and the postgre on gentoo.
> The gentoo computer name is postgre and it's added to the windows 2003
> server AD domain.
>
> I did the following:
> - I compiled postgre with kerberos support and installed it on the gentoo
> machine.
> - I created a keytab for the user postgres/postgre on the windows 2003
> server machine and copied it to the gentoo machine.
> - I configured the postgresql.conf to point to the keytab.
> - I configured pg_hba.conf to authenticate remote users by kerberos.
> - I followed additional configurations from the howto in the mailing list
> archives.
>
> Now, when trying to log in with an AD user to postgre I get:
> psq: krb5_sendauth: Bad application version was sent (via sendauth)
>
> Any help will be appreciated.

Are you sure you have postgresql 8.2 on both ends of the connection? Are
your clients on windows or unix?

//Magnus

Re: PostgreSQL with Kerberos and Active Directory

From
"Idan Miller"
Date:
We tried to connect from a different gentoo machine.
both client and server are running version 8.2.4 of postgresql.
right now, we are trying to connect from gentoo, but we want to connect from windows as well
 
Idan

 
On 8/30/07, Magnus Hagander <magnus@hagander.net> wrote:
On Thu, Aug 30, 2007 at 02:07:13PM +0300, Idan Miller wrote:
> Hi everyone,
>
> I'm trying to configure PostgreSQL version 8.2.4 with Kerberos and Active
> Directory.
> The AD is run on a windows 2003 server, and the postgre on gentoo.
> The gentoo computer name is postgre and it's added to the windows 2003
> server AD domain.
>
> I did the following:
> - I compiled postgre with kerberos support and installed it on the gentoo
> machine.
> - I created a keytab for the user postgres/postgre on the windows 2003
> server machine and copied it to the gentoo machine.
> - I configured the postgresql.conf to point to the keytab.
> - I configured pg_hba.conf to authenticate remote users by kerberos.
> - I followed additional configurations from the howto in the mailing list
> archives.
>
> Now, when trying to log in with an AD user to postgre I get:
> psq: krb5_sendauth: Bad application version was sent (via sendauth)
>
> Any help will be appreciated.

Are you sure you have postgresql 8.2 on both ends of the connection? Are
your clients on windows or unix?

//Magnus

Re: PostgreSQL with Kerberos and Active Directory

From
Magnus Hagander
Date:
Ok. I'd try locally from the machine first, so you know the krb
configurations are absolutely identical all the way. Just change your
pg_hba so it uses krb5 (and don't forget to use -h - krb5 only works over
TCP/IP sockets)

That said, I think your problem is in that you use "postgres" as your SPN.
It has to be uppercase POSTGRES to work with Active Directory.

//Magnus


On Thu, Aug 30, 2007 at 03:34:18PM +0300, Idan Miller wrote:
> We tried to connect from a different gentoo machine.
> both client and server are running version 8.2.4 of postgresql.
> right now, we are trying to connect from gentoo, but we want to connect from
> windows as well
>
> Idan
>
>
> On 8/30/07, Magnus Hagander <magnus@hagander.net> wrote:
> >
> > On Thu, Aug 30, 2007 at 02:07:13PM +0300, Idan Miller wrote:
> > > Hi everyone,
> > >
> > > I'm trying to configure PostgreSQL version 8.2.4 with Kerberos and
> > Active
> > > Directory.
> > > The AD is run on a windows 2003 server, and the postgre on gentoo.
> > > The gentoo computer name is postgre and it's added to the windows 2003
> > > server AD domain.
> > >
> > > I did the following:
> > > - I compiled postgre with kerberos support and installed it on the
> > gentoo
> > > machine.
> > > - I created a keytab for the user postgres/postgre on the windows 2003
> > > server machine and copied it to the gentoo machine.
> > > - I configured the postgresql.conf to point to the keytab.
> > > - I configured pg_hba.conf to authenticate remote users by kerberos.
> > > - I followed additional configurations from the howto in the mailing
> > list
> > > archives.
> > >
> > > Now, when trying to log in with an AD user to postgre I get:
> > > psq: krb5_sendauth: Bad application version was sent (via sendauth)
> > >
> > > Any help will be appreciated.
> >
> > Are you sure you have postgresql 8.2 on both ends of the connection? Are
> > your clients on windows or unix?
> >
> > //Magnus
> >
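
The uppercase-SPN advice in the message above can be checked mechanically. This is an added example, not part of the thread: it compares the server's `krb_srvname` setting (PostgreSQL's default is `postgres`) with the service part of the principals in saved MIT `klist -k` output. The function names are hypothetical, and the sample file contents, host name, realm and keytab path are constructed placeholders.

```shell
#!/bin/sh
# Added example: does krb_srvname match the service part of the keytab's SPN?

conf_srvname() {    # $1 = postgresql.conf; the last uncommented setting wins
    awk -v q="'" '
        /^[ \t]*krb_srvname[ \t]*=/ {
            v = $0
            sub(/^[^=]*=/, "", v)       # drop "krb_srvname ="
            sub(/#.*/, "", v)           # drop a trailing comment
            gsub("[ \t" q "]", "", v)   # drop blanks and quotes
            name = v
        }
        END { print (name == "" ? "postgres" : name) }' "$1"   # built-in default
}

keytab_services() { # $1 = saved `klist -k` output; prints the part before "/"
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /\// { split($2, p, "/"); print p[1] }' "$1" | sort -u
}

check_srvname() {   # returns 0 = match, 1 = differs only in case, 2 = absent
    want=$(conf_srvname "$1")
    services=$(keytab_services "$2")
    if printf '%s\n' "$services" | grep -qxF -- "$want"; then
        echo "ok: keytab has a $want/... principal"; return 0
    fi
    if printf '%s\n' "$services" | grep -qixF -- "$want"; then
        echo "case mismatch: krb_srvname=$want, keytab has:" $services; return 1
    fi
    echo "no $want/... principal in keytab"; return 2
}

# Constructed sample inputs; host name, realm and keytab path are placeholders.
demo=$(mktemp -d)
cat > "$demo/postgresql.conf" <<'EOF'
#krb_srvname = 'postgres'
krb_server_keyfile = '/etc/postgresql/krb5.keytab'
EOF
cat > "$demo/klist.txt" <<'EOF'
Keytab name: FILE:/etc/postgresql/krb5.keytab
KVNO Principal
---- ------------------------------------------
   3 POSTGRES/postgre.example.com@EXAMPLE.COM
EOF
check_srvname "$demo/postgresql.conf" "$demo/klist.txt" || true
```

With the sample inputs the check reports a case mismatch, because the keytab holds an uppercase `POSTGRES/...` principal while the configuration still uses the lowercase default.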

Re: PostgreSQL with Kerberos and Active Directory

From
"Idan Miller"
Date:
Hi Magnus,
 
I tried changing the SPN to uppercase POSTGRES, but still the same error occurs.
Any other ideas? (this didn't work both locally and remotely).
 
Idan.

 
On 8/31/07, Magnus Hagander <magnus@hagander.net> wrote:
Ok. I'd try locally from the machine first, so you know the krb
configurations are absolutely identical all the way. Just change your
pg_hba so it uses krb5 (and don't forget to use -h - krb5 only works over
TCP/IP sockets)

That said, I think your problem is in that you use "postgres" as your SPN.
It has to be uppercase POSTGRES to work with Active Directory.

//Magnus


On Thu, Aug 30, 2007 at 03:34:18PM +0300, Idan Miller wrote:
> We tried to connect from a different gentoo machine.
> both client and server are running version 8.2.4 of postgresql.
> right now, we are trying to connect from gentoo, but we want to connect from
> windows as well
>
> Idan
>
>
> On 8/30/07, Magnus Hagander <magnus@hagander.net> wrote:
> >
> > On Thu, Aug 30, 2007 at 02:07:13PM +0300, Idan Miller wrote:
> > > Hi everyone,
> > >
> > > I'm trying to configure PostgreSQL version 8.2.4 with Kerberos and
> > Active
> > > Directory.
> > > The AD is run on a windows 2003 server, and the postgre on gentoo.
> > > The gentoo computer name is postgre and it's added to the windows 2003
> > > server AD domain.
> > >
> > > I did the following:
> > > - I compiled postgre with kerberos support and installed it on the
> > gentoo
> > > machine.
> > > - I created a keytab for the user postgres/postgre on the windows 2003
> > > server machine and copied it to the gentoo machine.
> > > - I configured the postgresql.conf to point to the keytab.
> > > - I configured pg_hba.conf to authenticate remote users by kerberos.
> > > - I followed additional configurations from the howto in the mailing
> > list
> > > archives.
> > >
> > > Now, when trying to log in with an AD user to postgre I get:
> > > psq: krb5_sendauth: Bad application version was sent (via sendauth)
> > >
> > > Any help will be appreciated.
> >
> > Are you sure you have postgresql 8.2 on both ends of the connection? Are
> > your clients on windows or unix?
> >
> > //Magnus
> >

Re: PostgreSQL with Kerberos and Active Directory

From
Magnus Hagander
Date:
Not really - it's always worked that way for me :-(

Have you managed to make any other kerberised applications work on this
machine? There are sample programs in the kerberos package - try those to
see if the problem is in postgresql or in the kerberos libs/setup.

//Magnus

On Sun, Sep 02, 2007 at 12:05:54PM +0300, Idan Miller wrote:
> Hi Magnus,
>
> I tried changing the SPN to uppercase POSTGRES, but still the same error
> occurs.
> Any other ideas? (this didn't work both locally and remotely).
>
> Idan.
>
>
> On 8/31/07, Magnus Hagander <magnus@hagander.net> wrote:
> >
> > Ok. I'd try locally from the machine first, so you know the krb
> > configurations are absolutely identical all the way. Just change your
> > pg_hba so it uses krb5 (and don't forget to use -h - krb5 only works over
> > TCP/IP sockets)
> >
> > That said, I think your problem is in that you use "postgres" as your SPN.
> > It has to be uppercase POSTGRES to work with Active Directory.
> >
> > //Magnus
> >
> >
> > On Thu, Aug 30, 2007 at 03:34:18PM +0300, Idan Miller wrote:
> > > We tried to connect from a different gentoo machine.
> > > both client and server are running version 8.2.4 of postgresql.
> > > right now, we are trying to connect from gentoo, but we want to connect
> > from
> > > windows as well
> > >
> > > Idan
> > >
> > >
> > > On 8/30/07, Magnus Hagander <magnus@hagander.net> wrote:
> > > >
> > > > On Thu, Aug 30, 2007 at 02:07:13PM +0300, Idan Miller wrote:
> > > > > Hi everyone,
> > > > >
> > > > > I'm trying to configure PostgreSQL version 8.2.4 with Kerberos and
> > > > Active
> > > > > Directory.
> > > > > The AD is run on a windows 2003 server, and the postgre on gentoo.
> > > > > The gentoo computer name is postgre and it's added to the windows
> > 2003
> > > > > server AD domain.
> > > > >
> > > > > I did the following:
> > > > > - I compiled postgre with kerberos support and installed it on the
> > > > gentoo
> > > > > machine.
> > > > > - I created a keytab for the user postgres/postgre on the windows
> > 2003
> > > > > server machine and copied it to the gentoo machine.
> > > > > - I configured the postgresql.conf to point to the keytab.
> > > > > - I configured pg_hba.conf to authenticate remote users by kerberos.
> > > > > - I followed additional configurations from the howto in the mailing
> > > > list
> > > > > archives.
> > > > >
> > > > > Now, when trying to log in with an AD user to postgre I get:
> > > > > psq: krb5_sendauth: Bad application version was sent (via sendauth)
> > > > >
> > > > > Any help will be appreciated.
> > > >
> > > > Are you sure you have postgresql 8.2 on both ends of the connection?
> > Are
> > > > your clients on windows or unix?
> > > >
> > > > //Magnus
> > > >
> >