On 2012-01-10 07:05, Eugene Budanov wrote:
> Hi all!
>
> I have a problem with kerberizing PostgreSQL 9.1.1.
>
> PostgreSQL and Kerberos are installed on different computers in the network. I'm using an internal network in VirtualBox 4.1.6.
> There are no firewalls on either machine.
>
> So, let's see pg_hba.conf:
>
> less /var/lib/pgsql/data/pg_hba.conf
>
> # TYPE DATABASE USER ADDRESS METHOD
>
> # "local" is for Unix domain socket connections only
> local all all trust
> # IPv4 local connections:
> host all all 127.0.0.1/32 trust
> host all all 192.168.100.0/24 krb5
>
> And the content of my postgresql.conf:
>
> # Kerberos and GSSAPI
> krb_server_keyfile = '/var/lib/pgsql/data/krb5.keytab'
> #krb_srvname = 'postgres' # (Kerberos only)
> #krb_caseins_users = off
>
> Principals in the keytab file:
>
> postgres/db.domain.int@xxxxxxxxxx
> host/db.domain.int@xxxxxxxxxx
>
> Passwords for the principals in the keytab were randomly generated by kadmin.local during export to the keytab.
>
> User postgres exists in the database, of course.
>
> Now, let's try to connect to the postgres database through Kerberos:
>
> [postgres@localhost eugene]$ kinit postgres
> Password for postgres@xxxxxxxxxx:
> [postgres@localhost eugene]$ klist
> Ticket cache: FILE:/tmp/krb5cc_481
> Default principal: postgres@xxxxxxxxxx
> Valid starting Expires Service principal
> 12/30/11 12:21:14 12/31/11 12:21:14 krbtgt/DOMAIN.INT@xxxxxxxxxx
> renew until 01/06/12 12:21:14
>
> All works well. Other services, such as kerberized login for the operating system, work fine.
>
> But if I try to connect to the postgres database:
>
> [postgres@localhost eugene]$ psql -h 192.168.100.10 -U postgres
> psql: Kerberos 5 authentication rejected: Wrong principal in request
>
> What am I doing wrong? Any ideas? Questions?
>
> Thanks in advance for your help.
> ---
> Best regards,
> Budanov Eugene
>

If Kerberos is unable to do a reverse lookup of the IP address, it will also be unable to get the right ticket for the service.
You should try to connect by FQDN instead of IP address: psql -h FQDN -U USER.

BTW, you don't need the host principal in the /var/lib/pgsql/data/krb5.keytab keytab, which is used only by postgres.

Regards
Geza

--
Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
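
The point of the reply above, as an added example that is not part of the original thread: a simplified model of how the host given to `psql -h` becomes the service principal the client requests, checked against the keytab's contents. The realm `EXAMPLE.REALM`, the sample `klist -k` output and all function names are constructed for illustration; real Kerberos libraries apply further DNS canonicalization that this model leaves out.

```python
import ipaddress
import socket

# Constructed `klist -k` output; EXAMPLE.REALM is a placeholder realm.
SAMPLE_KLIST = """\
Keytab name: FILE:/var/lib/pgsql/data/krb5.keytab
KVNO Principal
---- ------------------------------------
   3 postgres/db.domain.int@EXAMPLE.REALM
   3 host/db.domain.int@EXAMPLE.REALM
"""

def keytab_principals(klist_output):
    """Collect the principal names from `klist -k` style output."""
    found = set()
    for line in klist_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit() and "@" in parts[1]:
            found.add(parts[1])
    return found

def system_reverse(ip):
    """PTR lookup via the system resolver; None when no name comes back."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def expected_service_principal(host, realm, service="postgres", reverse=system_reverse):
    """Simplified model: the client asks for a ticket for service/<host name>@REALM."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        name = host                      # already a name: used as given
    else:
        name = reverse(host) or host     # no PTR record: the literal IP remains
    return f"{service}/{name.lower()}@{realm}"

def check(host, realm, klist_output, reverse=system_reverse):
    """Return (principal the client would request, whether the keytab holds it)."""
    spn = expected_service_principal(host, realm, reverse=reverse)
    return spn, spn in keytab_principals(klist_output)

if __name__ == "__main__":
    for target in ("192.168.100.10", "db.domain.int"):
        print(target, check(target, "EXAMPLE.REALM", SAMPLE_KLIST, reverse=lambda ip: None))
```

Passing `reverse=system_reverse` (the default) runs the same check against the resolver of the machine where `psql` is started, which shows whether a PTR record for the server's address is visible there.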