Hi,

I had the same problem already, but I recompiled Postgres with GSSAPI and it does work correctly.

On 1/10/12, Gémes Géza <geza@xxxxxxxxxxx> wrote:
> On 2012-01-10 07:05, Eugene Budanov wrote:
>> Hi all!
>>
>> I have a problem with kerberizing PostgreSQL 9.1.1.
>>
>> PostgreSQL and Kerberos are installed on different computers in the
>> network. I'm using an internal network in VirtualBox 4.1.6.
>> There are no firewalls on either machine.
>>
>> So, let's see pg_hba.conf:
>>
>> less /var/lib/pgsql/data/pg_hba.conf
>>
>> # TYPE  DATABASE  USER  ADDRESS           METHOD
>>
>> # "local" is for Unix domain socket connections only
>> local   all       all                     trust
>> # IPv4 local connections:
>> host    all       all   127.0.0.1/32      trust
>> host    all       all   192.168.100.0/24  krb5
>>
>> And the content of my postgresql.conf:
>>
>> # Kerberos and GSSAPI
>> krb_server_keyfile = '/var/lib/pgsql/data/krb5.keytab'
>> #krb_srvname = 'postgres' # (Kerberos only)
>> #krb_caseins_users = off
>>
>> Principals in the keytab file:
>>
>> postgres/db.domain.int@xxxxxxxxxx
>> host/db.domain.int@xxxxxxxxxx
>>
>> Passwords for the principals in the keytab were randomly generated by
>> kadmin.local during export to the keytab.
>>
>> User postgres exists in the database, of course.
>>
>> Now, let's try to connect to the postgres database through Kerberos:
>>
>> [postgres@localhost eugene]$ kinit postgres
>> Password for postgres@xxxxxxxxxx:
>> [postgres@localhost eugene]$ klist
>> Ticket cache: FILE:/tmp/krb5cc_481
>> Default principal: postgres@xxxxxxxxxx
>> Valid starting     Expires            Service principal
>> 12/30/11 12:21:14  12/31/11 12:21:14  krbtgt/DOMAIN.INT@xxxxxxxxxx
>>         renew until 01/06/12 12:21:14
>>
>> All works well. Other services, such as kerberized login for the
>> operating system, work fine.
>>
>> But if I try to connect to the postgres database:
>>
>> [postgres@localhost eugene]$ psql -h 192.168.100.10 -U postgres
>> psql: Kerberos 5 authentication rejected: Wrong principal in request
>>
>> What am I doing wrong? Any ideas? Questions?
>>
>> Thanks in advance for your help.
>> ---
>> Best regards,
>> Budanov Eugene
>>
> If Kerberos is unable to do a reverse lookup of the IP address, it will
> also be unable to get the right ticket for the service.
> You should try to connect by FQDN instead of IP address: psql -h FQDN -U
> USER.
> BTW you don't need the host principal in the
> /var/lib/pgsql/data/krb5.keytab keytab used only by postgres.
>
> Regards
>
> Geza
>
>
> --
> Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-admin
>

--
With Best Regards
Rahimeh Khodadadi
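
The check Geza's reply suggests, as an added example that is not part of the original thread and is not libpq's or the Kerberos library's code: a simplified model in which the client asks for a ticket for service/hostname@REALM, an IP literal first has to map back to a name, and the result is compared with the principals that `klist -k` lists for the server keytab. The host names, realm, PTR table and keytab listing are constructed, and all function names are hypothetical.

```python
import ipaddress
import socket

# Constructed `klist -k` listing for the server keytab (not taken from the thread).
SAMPLE_KEYTAB = """\
Keytab name: FILE:/var/lib/pgsql/data/krb5.keytab
KVNO Principal
---- ----------------------------------------
   2 postgres/db.example.com@EXAMPLE.COM
   2 host/db.example.com@EXAMPLE.COM
"""

def system_reverse_lookup(ip):
    """PTR lookup through the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def keytab_principals(klist_output):
    """Principal names from `klist -k` output (lines of the form '<kvno> <principal>')."""
    found = set()
    for line in klist_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            found.add(parts[1])
    return found

def requested_principal(target, realm, service="postgres", reverse_lookup=system_reverse_lookup):
    """Simplified model: service/<name>@REALM; an IP literal must first map back to a name."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        name = target                      # already a host name
    else:
        name = reverse_lookup(target)      # IP literal: depends on the PTR record
        if name is None:
            return None
    return f"{service}/{name.rstrip('.').lower()}@{realm}"

def diagnose(target, realm, klist_output, reverse_lookup=system_reverse_lookup):
    """Return (ok, message) for a connection made with `psql -h target`."""
    principal = requested_principal(target, realm, reverse_lookup=reverse_lookup)
    if principal is None:
        return False, f"{target}: no reverse DNS name, connect by FQDN instead"
    if principal not in keytab_principals(klist_output):
        return False, f"{principal} is not in the server keytab"
    return True, f"{principal} matches the server keytab"

if __name__ == "__main__":
    ptr = {"192.168.100.10": "db.example.com."}   # constructed PTR table
    for host in ("db.example.com", "192.168.100.10", "192.168.100.11"):
        print(diagnose(host, "EXAMPLE.COM", SAMPLE_KEYTAB, reverse_lookup=ptr.get))
```

Leaving out the `reverse_lookup` argument makes `diagnose` use the system resolver, so it can be run against the real server address and the output of `klist -k` on the server's keytab.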