Re: 8.4 to 9.1 Upgrade Kerberos Auth Stops Working "Wrong principal in request"

Josh,

  That key type (des-cbc-md5) has looonngggg been deprecated and has
  been actively disabled and disallowed from use in modern Kerberos
  libraries.

  Please go get an AES256 key and install that instead.

  	Thanks,

		Stephen

* Josh Tanski (mortonjt@xxxxxxxxxxxxxxxx) wrote:
> I have Kerberos Authentication working for PostgreSQL 8.4 on Debian
> Squeeze, against a Windows 2000 Server Domain.  I tried upgrading
> some test servers to Debian Wheezy which upgrades PostgreSQL to 9.1,
> but Kerberos authentication breaks with the "Wrong principal in
> request" error.
> 
> These servers ultimately use Apache2/mod-auth-kerb/php5-cgi to do
> SSO in a Windows web browser and that gets passed to PostgreSQL, but
> I have the issue with psql as well and that is where I normally
> start troubleshooting.  Mod-Auth-Kerb in Apache2 continues to
> authenticate and work after the upgrade, only PostgreSQL stops
> working.
> 
> Here is everything I've looked at and the results I get - I am
> baffled as to why this stopped working with 9.1, my config is the same,
> hostnames, DNS, clocks, etc. look good and nothing changed there.
> Below is from a fresh, clean install of Debian Wheezy / PostgreSQL
> 9.1 on a new test VM and I still get the error.  If anyone sees
> something I am doing wrong or something I missed and should be
> looking into, your advice would be greatly appreciated.
> 
> Thanks,
> Josh
> 
> IN /etc/postgresql/9.1/main/postgresql.conf
> krb_server_keyfile = '/etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab'
> 
> IN /etc/postgresql/9.1/main/pg_hba.conf
> host     all             all         10.203.105.96 255.255.255.255
> krb5 krb_server_hostname=ss-sv-tmp40.mydomain.local
> 
> root@ss-sv-tmp40:~# hostname --fqdn
> ss-sv-tmp40.mydomain.local
> 
> root@ss-sv-tmp40:~# cat /etc/hosts
> 127.0.0.1       localhost
> 10.203.105.96   ss-sv-tmp40.mydomain.local   ss-sv-tmp40
> 
> 
> root@ss-sv-tmp40:~# klist -ek /etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab
> Keytab name: FILE:/etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL (des-cbc-md5)
> 
> 
> jdt@ss-sv-tmp40:~$ kinit jdt@MYDOMAIN.LOCAL
> Password for jdt@MYDOMAIN.LOCAL:
> jdt@ss-sv-tmp40:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: jdt@MYDOMAIN.LOCAL
> 
> Valid starting    Expires           Service principal
> 31/05/2013 07:36  31/05/2013 15:36  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
>         renew until 31/05/2013 15:36, Etype (skey, tkt):
> arcfour-hmac, arcfour-hmac
> 
> jdt@ss-sv-tmp40:~$ psql -h ss-sv-tmp40.mydomain.local -U jdt
> psql: Kerberos 5 authentication rejected:  Wrong principal in request
> jdt@ss-sv-tmp40:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: jdt@MYDOMAIN.LOCAL
> 
> Valid starting    Expires           Service principal
> 31/05/2013 07:36  31/05/2013 15:36  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
>         renew until 31/05/2013 15:36, Etype (skey, tkt):
> arcfour-hmac, arcfour-hmac
> 31/05/2013 07:38  31/05/2013 15:36  postgres/ss-sv-tmp40.mydomain.local@
>         renew until 31/05/2013 15:36, Etype (skey, tkt):
> des-cbc-crc, des-cbc-crc
> 31/05/2013 07:38  31/05/2013 15:36
> postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL
>         renew until 31/05/2013 15:36, Etype (skey, tkt):
> des-cbc-crc, des-cbc-crc
> 
> 
> root@ss-sv-tmp40:~# tail /var/log/postgresql/postgresql-9.1-main.log
> 2013-05-31 07:38:07 EDT LOG:  Kerberos recvauth returned error -1765328240
> postgres: Wrong principal in request from krb5_recvauth
> 2013-05-31 07:38:07 EDT FATAL:  Kerberos 5 authentication failed for
> user "jdt"
> 
> 
> root@ss-sv-tmp40:~# cat /etc/krb5.conf
> [libdefaults]
>         default_realm = MYDOMAIN.LOCAL
>         allow_weak_crypto = true
> <snip>
> 
> 
> -- 
> Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-admin
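An added example, not code from this thread, that turns Stephen's diagnosis into a repeatable check: it parses `klist -ek` output like the listing Josh posted and reports whether the service principal's keytab entries are all weak (single DES) or whether an AES key is present. The "after" listing, its KVNO 2 and the AES enctype name are constructed for the demonstration.

```python
import re

# Constructed sample: the `klist -ek` listing quoted in the thread (KVNO 1,
# DES only) followed by the AES256 entry Stephen asks for; KVNO 2 and the
# exact AES enctype name are assumed, not taken from the thread.
BEFORE = """\
Keytab name: FILE:/etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL (des-cbc-md5)
"""
AFTER = BEFORE + "   2 postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL (aes256-cts-hmac-sha1-96)\n"

# Single DES is disabled by default in modern MIT krb5 (it only works when
# allow_weak_crypto is forced on); RC4 is deprecated in recent releases too.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "arcfour-hmac", "arcfour-hmac-exp"}

# One keytab entry line: "<kvno> <principal> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_keytab_listing(text):
    """Return (kvno, principal, enctype) tuples from `klist -ek` output."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]


def audit_keytab(text, service_principal):
    """Report which key types the keytab holds for one service principal.

    'usable' is True only when at least one AES key exists, i.e. a server
    library that refuses weak crypto can still accept tickets for this SPN.
    """
    keys = [e for e in parse_keytab_listing(text) if e[1] == service_principal]
    enctypes = {e[2] for e in keys}
    return {
        "principal_present": bool(keys),
        "weak": sorted(enctypes & WEAK_ENCTYPES),
        "aes": sorted(t for t in enctypes if t.startswith("aes")),
        "usable": any(t.startswith("aes") for t in enctypes),
    }


if __name__ == "__main__":
    spn = "postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL"
    for label, listing in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_keytab(listing, spn))
```

On a live host, feed it `klist -ek <keytab>` output and the principal named in `krb_server_hostname`; an empty `aes` list with a non-empty `weak` list is the state the thread describes.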
