Josh, That key type (des-cbc-md5) has looonngggg been deprecated and has been actively disabled and disallowed from use in modern Kerberos libraries. Please go get an AES256 key and install that instead. Thanks, Stephen * Josh Tanski (mortonjt@xxxxxxxxxxxxxxxx) wrote: > I have Kerberos Authentication working for PostgreSQL 8.4 on Debian > Squeeze, against a Windows 2000 Server Domain. I tried upgrading > some test servers to Debian Wheezy which upgrades PostgreSQL to 9.1, > but Kerberos authentication breaks with the "Wrong principal in > request" error. > > These servers ultimately use Apache2/mod-auth-kerb/php5-cgi to do > SSO in a Windows web browser and that gets passed to PostgreSQL, but > I have the issue with psql as well and that is where I normally > start troubleshooting. Mod-Auth-Kerb in Apache2 continues to > authenticate and work after the upgrade, only PostgreSQL stops > working. > > Here is everything I've looked at and the results I get - I am > baffled on why this stopped working with 9.1, my config is the same, > hostnames, DNS, clocks, etc. look good and nothing changed there. > Below is from a fresh, clean install of Debian Wheezy/ PostgreSQL > 9.1 on a new test VM and I still get the error. If anyone sees > something I am doing wrong or something I missed and should be > looking into, your advice would be greatly appreciated. > > Thanks, > Josh > > IN /etc/postgresql/9.1/main/postgresql.conf > krb_server_keyfile = '/etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab' > > IN /etc/postgresql/9.1/main/pg_hba.conf > host all all 10.203.105.96 255.255.255.255 > krb5 krb_server_hostname=ss-sv-tmp40.mydomain.local > > root@ss-sv-tmp40:~# hostname --fqdn > ss-sv-tmp40.mydomain.local > > root@ss-sv-tmp40:~# cat /etc/hosts > 127.0.0.1 localhost > 10.203.105.96 ss-sv-tmp40.mydomain.local ss-sv-tmp40 > > > root@ss-sv-tmp40:~# klist -ek /etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab > Keytab name: FILE:/etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab > KVNO Principal > ---- -------------------------------------------------------------------------- > 1 postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL (des-cbc-md5) > > > jdt@ss-sv-tmp40:~$ kinit jdt@MYDOMAIN.LOCAL > Password for jdt@MYDOMAIN.LOCAL: > jdt@ss-sv-tmp40:~$ klist -e > Ticket cache: FILE:/tmp/krb5cc_1000 > Default principal: jdt@MYDOMAIN.LOCAL > > Valid starting Expires Service principal > 31/05/2013 07:36 31/05/2013 15:36 krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL > renew until 31/05/2013 15:36, Etype (skey, tkt): > arcfour-hmac, arcfour-hmac > > jdt@ss-sv-tmp40:~$ psql -h ss-sv-tmp40.mydomain.local -U jdt > psql: Kerberos 5 authentication rejected: Wrong principal in request > jdt@ss-sv-tmp40:~$ klist -e > Ticket cache: FILE:/tmp/krb5cc_1000 > Default principal: jdt@MYDOMAIN.LOCAL > > Valid starting Expires Service principal > 31/05/2013 07:36 31/05/2013 15:36 krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL > renew until 31/05/2013 15:36, Etype (skey, tkt): > arcfour-hmac, arcfour-hmac > 31/05/2013 07:38 31/05/2013 15:36 postgres/ss-sv-tmp40.mydomain.local@ > renew until 31/05/2013 15:36, Etype (skey, tkt): > des-cbc-crc, des-cbc-crc > 31/05/2013 07:38 31/05/2013 15:36 > postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL > renew until 31/05/2013 15:36, Etype (skey, tkt): > des-cbc-crc, des-cbc-crc > > > root@ss-sv-tmp40:~# tail /var/log/postgresql/postgresql-9.1-main.log > 2013-05-31 07:38:07 EDT LOG: Kerberos recvauth returned error -1765328240 > postgres: Wrong principal in request from krb5_recvauth > 2013-05-31 07:38:07 EDT FATAL: Kerberos 5 authentication failed for > user "jdt" > > > root@ss-sv-tmp40:~# cat /etc/krb5.conf > [libdefaults] > default_realm = MYDOMAIN.LOCAL > allow_weak_crypto = true > <snip> > > > -- > Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx) > To make changes to your subscription: > http://www.postgresql.org/mailpref/pgsql-admin
Attachment:
signature.asc
Description: Digital signature
