8.4 to 9.1 Upgrade Kerberos Auth Stops Working "Wrong principal in request"


I have Kerberos Authentication working for PostgreSQL 8.4 on Debian Squeeze, against a Windows 2000 Server Domain. I tried upgrading some test servers to Debian Wheezy which upgrades PostgreSQL to 9.1, but Kerberos authentication breaks with the "Wrong principal in request" error.

These servers ultimately use Apache2/mod-auth-kerb/php5-cgi to do SSO in a Windows web browser and that gets passed to PostgreSQL, but I have the issue with psql as well and that is where I normally start troubleshooting. Mod-Auth-Kerb in Apache2 continues to authenticate and work after the upgrade; only PostgreSQL stops working.

Here is everything I've looked at and the results I get. I am baffled as to why this stopped working with 9.1; my config is the same, and hostnames, DNS, clocks, etc. look good and nothing changed there. Below is from a fresh, clean install of Debian Wheezy/PostgreSQL 9.1 on a new test VM and I still get the error. If anyone sees something I am doing wrong or something I missed and should be looking into, your advice would be greatly appreciated.

Thanks,
Josh

IN /etc/postgresql/9.1/main/postgresql.conf
krb_server_keyfile = '/etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab'

IN /etc/postgresql/9.1/main/pg_hba.conf
host all all 10.203.105.96 255.255.255.255 krb5 krb_server_hostname=ss-sv-tmp40.mydomain.local

root@ss-sv-tmp40:~# hostname --fqdn
ss-sv-tmp40.mydomain.local

root@ss-sv-tmp40:~# cat /etc/hosts
127.0.0.1       localhost
10.203.105.96   ss-sv-tmp40.mydomain.local   ss-sv-tmp40


root@ss-sv-tmp40:~# klist -ek /etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab
Keytab name: FILE:/etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL (des-cbc-md5)


jdt@ss-sv-tmp40:~$ kinit jdt@MYDOMAIN.LOCAL
Password for jdt@MYDOMAIN.LOCAL:
jdt@ss-sv-tmp40:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdt@MYDOMAIN.LOCAL

Valid starting    Expires           Service principal
31/05/2013 07:36  31/05/2013 15:36  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
renew until 31/05/2013 15:36, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

jdt@ss-sv-tmp40:~$ psql -h ss-sv-tmp40.mydomain.local -U jdt
psql: Kerberos 5 authentication rejected:  Wrong principal in request
jdt@ss-sv-tmp40:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdt@MYDOMAIN.LOCAL

Valid starting    Expires           Service principal
31/05/2013 07:36  31/05/2013 15:36  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
renew until 31/05/2013 15:36, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
31/05/2013 07:38  31/05/2013 15:36  postgres/ss-sv-tmp40.mydomain.local@
renew until 31/05/2013 15:36, Etype (skey, tkt): des-cbc-crc, des-cbc-crc
31/05/2013 07:38  31/05/2013 15:36  postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL
renew until 31/05/2013 15:36, Etype (skey, tkt): des-cbc-crc, des-cbc-crc


root@ss-sv-tmp40:~# tail /var/log/postgresql/postgresql-9.1-main.log
2013-05-31 07:38:07 EDT LOG:  Kerberos recvauth returned error -1765328240
postgres: Wrong principal in request from krb5_recvauth
2013-05-31 07:38:07 EDT FATAL: Kerberos 5 authentication failed for user "jdt"


root@ss-sv-tmp40:~# cat /etc/krb5.conf
[libdefaults]
        default_realm = MYDOMAIN.LOCAL
        allow_weak_crypto = true
<snip>


--
Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
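
Added example, not part of the original post: a Python cross-check of the `klist -ek` and `klist -e` listings above against the service principal the server is expected to hold. The sample text is copied from the post; the function names and the `EXPECTED` value (built from the post's hostname and realm with the default `postgres` service name) are assumptions.

```python
import re

# Sample text copied from the klist output in the post above.
KEYTAB = """\
KVNO Principal
---- ------------------------------------------------------------------
   1 postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL (des-cbc-md5)
"""
CACHE = """\
31/05/2013 07:36  31/05/2013 15:36  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
renew until 31/05/2013 15:36, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
31/05/2013 07:38  31/05/2013 15:36  postgres/ss-sv-tmp40.mydomain.local@
renew until 31/05/2013 15:36, Etype (skey, tkt): des-cbc-crc, des-cbc-crc
31/05/2013 07:38  31/05/2013 15:36  postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL
renew until 31/05/2013 15:36, Etype (skey, tkt): des-cbc-crc, des-cbc-crc
"""
EXPECTED = "postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL"  # assumed
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}  # share one key type

def family(etype):
    return "single-des" if etype in SINGLE_DES else etype

def parse_keytab(text):
    """[(kvno, principal, enctype)] from `klist -ek` output."""
    rows = re.findall(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$", text, re.M)
    return [(int(k), p, e) for k, p, e in rows]

def parse_cache(text):
    """[(service principal, ticket enctype)] from `klist -e` output."""
    stamp = r"\d\d/\d\d/\d{4} \d\d:\d\d"  # date format used in the post
    pat = rf"^{stamp}\s+{stamp}\s+(\S+)\n.*Etype \(skey, tkt\): \S+, (\S+)$"
    return re.findall(pat, text, re.M)

def check(expected, keytab, cache):
    findings, service = [], expected.split("@")[0].lower()
    kt = {p: family(e) for _, p, e in keytab}
    if expected not in kt:  # principal names are case-sensitive
        near = [p for p in kt if p.lower() == expected.lower()]
        findings.append("keytab: case differs: " + near[0] if near
                        else "keytab: no entry for " + expected)
    for princ, etype in cache:
        if princ.split("@")[0].lower() != service:
            continue  # not a ticket for this service (e.g. the krbtgt)
        if princ.endswith("@"):
            findings.append("cache: entry with empty realm: " + princ)
        elif princ != expected:
            findings.append("cache: ticket is for " + princ)
        elif expected in kt and family(etype) != kt[expected]:
            findings.append("enctype: ticket %s, keytab %s" % (etype, kt[expected]))
        if etype in SINGLE_DES:  # only usable with allow_weak_crypto = true
            findings.append("weak: %s ticket for %s" % (etype, princ))
    return findings
```

On the listings from the post, the keytab and the ticket agree on the principal name and on the single-DES key family; what the check reports is the empty-realm cache entry and the single-DES tickets.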



