Thread: PostgreSQL Kerberos Authentication

PostgreSQL Kerberos Authentication

From
HIRTZ Jorge Alberto TENARIS
Date:

Hello All,

I am trying to configure PostgreSQL 9.6 (on CentOS 7.4) with Kerberos (Active Directory) via GSSAPI authentication and I'm getting the following error:

[postgres@hostname data]$ psql  -h hostname -U USERNAME@DOMAIN.COM postgres

psql: GSSAPI continuation error: Unspecified GSS failure.  Minor code may provide more information

GSSAPI continuation error: Server not found in Kerberos database

I did the following configuration:

1.- Create the keytab in Active Directory:

ktpass -out postgres_instance.keytab -princ postgres/hostnamename.domain.com@DOMAIN.COM -mapUser svcPostgres -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL

2.- Copy the keytab to the Linux server in $PGDATA and change its ownership to postgres:postgres

3.- Configure postgresql.conf

krb_server_keyfile = '/<INSTANCE_NAME>/data/postgres_instance.keytab'

4.- Configure /etc/krb5.conf

5.- Request a ticket from the KDC using kinit (this works OK!)

[postgres@hostname ~]$ klist

Ticket cache: KEYRING:persistent:26:krb_ccache_AO0Y1kx

Default principal: USERNAME@DOMAIN.COM

Valid starting       Expires              Service principal

01/30/2018 11:01:59  01/30/2018 21:01:59  krbtgt/DOMAIN.COM@DOMAIN.COM

        renew until 02/06/2018 11:01:55

6.- Configure pg_hba.conf

host    all            all                                                0.0.0.0/0          gss include_realm=1

7.- Create a user in PG to test:

create user "USERNAME@DOMAIN.COM" WITH SUPERUSER;

8.- Testing

[postgres@hostname data]$ psql  -h hostname -U USERNAME@DOMAIN.COM postgres

psql: GSSAPI continuation error: Unspecified GSS failure.  Minor code may provide more information

GSSAPI continuation error: Server not found in Kerberos database

I tried generating the keytab with "postgres" and "POSTGRES" as the SPN user, but I get the same error.

Any suggestion is welcome!

Thanks in advance for your help!

Jorge
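Steps 6 and 7 of the post are coupled: the gss options in pg_hba.conf decide which role name PostgreSQL looks up for an authenticated principal, which is why the role has to be created as the quoted, case-exact string "USERNAME@DOMAIN.COM" when include_realm=1 is used. The following Python is an added example, not code from the thread or from PostgreSQL itself; it models that derivation for the include_realm and krb_realm options (the pg_ident.conf map= option is deliberately not modeled), with the pg_hba.conf lines constructed for the example. It assumes the 9.5+ default of include_realm=1 and that the realm is everything after the first "@".

```python
import shlex

# pg_hba.conf entries constructed for this example: the one from the post,
# one that strips the realm, and one that strips it but pins the realm.
HBA_THREAD = "host    all    all    0.0.0.0/0    gss include_realm=1"
HBA_STRIPPED = "host    all    all    0.0.0.0/0    gss include_realm=0"
HBA_STRIPPED_PINNED = (
    "host    all    all    0.0.0.0/0    gss include_realm=0 krb_realm=DOMAIN.COM"
)


def parse_gss_options(line):
    """Return the option dict of a pg_hba.conf 'gss' entry.

    Layout is: type database user address method [option=value ...].
    """
    fields = shlex.split(line)
    if len(fields) < 5 or fields[4] != "gss":
        raise ValueError("not a gss pg_hba.conf entry: %r" % line)
    options = {}
    for item in fields[5:]:
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed option %r" % item)
        options[key] = value
    return options


def role_for_principal(principal, options):
    """Role name PostgreSQL will look up for an authenticated principal.

    Returns None when the connection is rejected before the role lookup
    (realm does not match krb_realm).  Comparison is case-sensitive, as the
    server's string compare is, so the role must be created with the exact
    principal string (hence the double quotes in the post's CREATE USER).
    """
    user, sep, realm = principal.partition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    pinned = options.get("krb_realm")
    if pinned is not None and realm != pinned:
        return None
    # include_realm defaults to 1 (assumption: 9.5+ default, as in 9.6).
    if options.get("include_realm", "1") == "1":
        return principal          # role is USERNAME@DOMAIN.COM
    return user                   # realm stripped: role is USERNAME


def role_for_line(line, principal):
    return role_for_principal(principal, parse_gss_options(line))


def demo():
    """Show why include_realm=0 without krb_realm is the risky setting:
    a same-named user from any trusted realm maps to the same role."""
    return {
        "thread": role_for_line(HBA_THREAD, "USERNAME@DOMAIN.COM"),
        "stripped": role_for_line(HBA_STRIPPED, "USERNAME@DOMAIN.COM"),
        "stripped_foreign": role_for_line(HBA_STRIPPED, "USERNAME@OTHER.EXAMPLE"),
        "pinned_foreign": role_for_line(HBA_STRIPPED_PINNED, "USERNAME@OTHER.EXAMPLE"),
    }


if __name__ == "__main__":
    for case, role in demo().items():
        print("%-17s -> %r" % (case, role))
```

The "stripped_foreign" case is the one to keep in mind when tempted to drop the realm suffix for convenience: with include_realm=0 and no krb_realm, a principal from another realm the KDC trusts collapses onto the same local role.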

 

Re: PostgreSQL Kerberos Authentication

From
Poul Kristensen
Date:
You need to tell PostgreSQL in pg_hba.conf the AD Kerberos server name, ldap = kerberos.domain.com, and the suffix @domain.com.

Then create the users (each is in fact a role) as the owner of a database.
Hereafter the user can just type psql after login, and after password authentication the user/role is logged into the database.

It has been tested and works!

Hope it is useful.

regards 
Poul 

2018-01-30 17:13 GMT+01:00 HIRTZ Jorge Alberto TENARIS <jhirtz@tenaris.com>:

--
Med venlig hilsen / Best regards
Poul Kristensen
Linux-OS/Virtualizationexpert and Oracle DBA

RE: PostgreSQL Kerberos Authentication

From
HIRTZ Jorge Alberto TENARIS
Date:

Thanks Poul,

According to the official documentation, parameters like ldap and suffix in pg_hba.conf are for LDAP authentication, not for Kerberos/GSSAPI. In fact, authentication through LDAP works fine in our environment, but not Kerberos…

Do you know whether the principal in the Active Directory KDC must be in uppercase or lowercase? POSTGRES or postgres? Just to confirm.

Thanks

Jorge


From: EXTERNAL:Poul Kristensen [mailto:bcc5226@gmail.com]
Sent: Tuesday, 30 January 2018 01:50 p.m.
To: HIRTZ Jorge Alberto TENARIS <jhirtz@tenaris.com>
Cc: pgsql-general@lists.postgresql.org
Subject: Re: PostgreSQL Kerberos Authentication


Re: PostgreSQL Kerberos Authentication

From
Peter Eisentraut
Date:
On 1/30/18 11:13, HIRTZ Jorge Alberto TENARIS wrote:
> [postgres@hostname data]$ psql  -h hostname -U USERNAME@DOMAIN.COM postgres
> 
> psql: GSSAPI continuation error: Unspecified GSS failure.  Minor code
> may provide more information
> 
> GSSAPI continuation error: Server not found in Kerberos database

Check that your DNS resolves everything correctly.

You can find some ideas about this error in the internet.  It's not a
problem specific to PostgreSQL.  It looks like you have things set up
correctly.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
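The configuration steps in the first post and Peter's advice to check DNS point at the same question: does the service principal the client asks the KDC for match the one ktpass registered? "Server not found in Kerberos database" is the KDC saying it has no principal for the name it was asked about. The following Python is an added example, not code from the thread, PostgreSQL or MIT Kerberos. It parses a klist -kt listing of the server keytab (a constructed sample; the real one comes from running klist -kt on the keytab file on the server) and compares the principals in it with the SPN the client would request, postgres/<host>@REALM, where <host> is the name DNS canonicalisation turns the -h argument into. The canonical parameter stands in for that DNS step so the check runs offline; dns_canonical_name uses socket.getfqdn for live use. Host names and the realm are made up.

```python
import socket

# Constructed sample of `klist -kt` output for a keytab made with ktpass,
# in the shape MIT krb5 prints; names and realm are invented for the example.
SAMPLE_KLIST_KT = """\
Keytab name: FILE:/var/lib/pgsql/9.6/data/postgres_instance.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/30/2018 10:00:00 postgres/pghost.example.com@EXAMPLE.COM
   3 01/30/2018 10:00:00 postgres/pghost.example.com@EXAMPLE.COM
"""


def parse_keytab_listing(text):
    """Collect the principals from `klist -kt` rows (rows start with a KVNO
    and end with service/host@REALM); header and ruler lines are skipped."""
    principals = set()
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].isdigit() and "/" in parts[-1] and "@" in parts[-1]:
            principals.add(parts[-1])
    return principals


def expected_spn(host, realm, service="postgres", canonical=None):
    """Service principal the client requests: <service>/<host>@<realm>.

    MIT krb5 may first replace the host with the name DNS canonicalisation
    yields (rdns/dns_canonicalize_hostname in krb5.conf); `canonical` stands
    in for that result, None keeps the host exactly as typed."""
    name = (canonical or host).rstrip(".")
    return "%s/%s@%s" % (service, name, realm)


def dns_canonical_name(host):
    """Live helper (not used by the offline checks): the name the resolver
    gives back for `host`, which is what the SPN is built from."""
    return socket.getfqdn(host)


def _host_part(principal):
    return principal.split("@", 1)[0].split("/", 1)[1]


def diagnose(host, realm, keytab_principals, service="postgres", canonical=None):
    """Compare the SPN the client would request against the keytab.

    Returns (status, principal):
      ok                  exact match in the keytab
      case-mismatch       same name but different case (MIT keytab lookup is
                          an exact, case-sensitive compare)
      host-form-mismatch  keytab has the host in another form, e.g. FQDN in
                          the keytab but a short or differently canonicalised
                          name requested (the DNS problem Peter points at)
      missing             nothing in the keytab resembles the requested SPN
    """
    spn = expected_spn(host, realm, service, canonical)
    if spn in keytab_principals:
        return ("ok", spn)
    by_lower = {p.lower(): p for p in keytab_principals}
    if spn.lower() in by_lower:
        return ("case-mismatch", by_lower[spn.lower()])
    short = _host_part(spn).split(".")[0].lower()
    for p in sorted(keytab_principals):
        if _host_part(p).split(".")[0].lower() == short:
            return ("host-form-mismatch", p)
    return ("missing", spn)


if __name__ == "__main__":
    principals = parse_keytab_listing(SAMPLE_KLIST_KT)
    cases = [
        ("pghost", "postgres", "pghost.example.com"),   # DNS gives the FQDN
        ("pghost", "postgres", None),                   # short name, no canonicalisation
        ("pghost", "POSTGRES", "pghost.example.com"),   # uppercase service name
        ("pghost", "postgres", "db01.example.com"),     # reverse DNS points elsewhere
    ]
    for host, service, canonical in cases:
        print(host, service, canonical, "->",
              diagnose(host, "EXAMPLE.COM", principals, service, canonical))
```

On a live server, feed parse_keytab_listing the output of klist -kt on the krb_server_keyfile path and pass dns_canonical_name(host) as canonical; a host-form-mismatch result means the forward or reverse DNS entry for the server does not produce the host name that was put into the SPN with ktpass.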


RE: PostgreSQL Kerberos Authentication

From
HIRTZ Jorge Alberto TENARIS
Date:
Thank you Peter! I will check the DNS configuration.
Regards
Jorge


-----Original Message-----
From: EXTERNAL:Peter Eisentraut [mailto:peter.eisentraut@2ndquadrant.com]
Sent: Wednesday, 31 January 2018 01:33 a.m.
To: HIRTZ Jorge Alberto TENARIS <jhirtz@tenaris.com>; pgsql-general@lists.postgresql.org
Subject: Re: PostgreSQL Kerberos Authentication