GSSAPI authentication with AD

Hi,

I am struggling to give a Windows Active Directory user access to a postgres database.

I am using Windows Server 2008 R2 and created a forest in AD with 2003 compatibility. PostgreSQL 9.3.1 has been compiled with GSSAPI and krb5 support on CentOS; both the Windows server and the CentOS box are VMs with static IPs.

My walkthrough is as follows:

Created the enterprisedb user in AD with the DES encryption type.

Added centos host to AD domain.

C:\Users\Administrator>setspn -S POSTGRES/centos.my.testdomain.lan my.testdomain.lan\enterprisedb
Checking domain DC=my,DC=testdomain,DC=lan
Registering ServicePrincipalNames for CN=enterprisedb,CN=Users,DC=my,DC=testdomain,DC=lan
        POSTGRES/centos.my.testdomain.lan
Updated object

C:\Users\Administrator>ktpass -out postgres.keytab -princ POSTGRES/centos@xxxxxxxxxxxxxxxxx -mapUser enterprisedb -pass XXXXXX -crypto DES-CBC-MD5
Targeting domain controller: WIN-UC777GC73I8.my.testdomain.lan
Using legacy password setting method
Successfully mapped POSTGRES/centos to enterprisedb.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to postgres.keytab:
Keytab version: 0x502
keysize 60 POSTGRES/centos@xxxxxxxxxxxxxxxxx ptype 0 (KRB5_NT_UNKNOWN) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x1af1c29ebf252549)

-bash-4.1$ cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 debug=true
 default_realm = MY.TESTDOMAIN.LAN
 allow_weak_crypto = 1
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }

 MYWIN.MY.TESTDOMAIN.LAN = {
  kdc = .my.testdomain.lan
 }

 MY.TESTDOMAIN.LAN = {
  kdc = win-uc777gc73i8.my.testdomain.lan
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 mywin.my.testdomain.lan = MYWIN.MY.TESTDOMAIN.LAN
 .mywin.my.testdomain.lan = MYWIN.MY.TESTDOMAIN.LAN


################

Output of klist:

-bash-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: POSTGRES/centos@xxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
11/25/13 00:41:34  11/25/13 10:41:38  krbtgt/MY.TESTDOMAIN.LAN@xxxxxxxxxxxxxxxxx
	renew until 12/02/13 00:41:34
11/25/13 00:41:41  11/25/13 10:41:38  postgres/centos@
	renew until 12/02/13 00:41:34
11/25/13 00:41:41  11/25/13 10:41:38  postgres/centos@xxxxxxxxxxxxxxxxx
	renew until 12/02/13 00:41:34

-bash-4.1$ kinit -V -k -t /opt/PostgreSQL/9.3.1/data/postgres.keytab POSTGRES/centos@xxxxxxxxxxxxxxxxx
Using default cache: /tmp/krb5cc_501
Using principal: POSTGRES/centos@xxxxxxxxxxxxxxxxx
Using keytab: /opt/PostgreSQL/9.3.1/data/postgres.keytab
Authenticated to Kerberos v5
-bash-4.1$ 

-bash-4.1$ klist -k /opt/PostgreSQL/9.3.1/data/postgres.keytab
Keytab name: FILE:/opt/PostgreSQL/9.3.1/data/postgres.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   8 POSTGRES/centos@xxxxxxxxxxxxxxxxx

postgresql.conf:
# Kerberos and GSSAPI
krb_server_keyfile = '/opt/PostgreSQL/9.3.1/data/postgres.keytab'
krb_srvname = 'POSTGRES'                # (Kerberos only)

pg_hba.conf:
host    all              all            0.0.0.0/0 gss


While trying to connect with the psql client on CentOS I am getting the error below:


-bash-4.1$ ~/bin/psql -h centos.MY.TESTDOMAIN.LAN -U enterprisedb
psql: FATAL:  GSSAPI authentication failed for user "enterprisedb"
-bash-4.1$ 

pg logs:
LOG:  provided user name (enterprisedb) and authenticated user name (POSTGRES/centos) do not match
FATAL:  GSSAPI authentication failed for user "enterprisedb"
DETAIL:  Connection matched pg_hba.conf line 86: "host    all              all            0.0.0.0/0 gss"


Log output of /tmp/krb5_gp.log:
[3947] 1385322573.406775: ccselect can't find appropriate cache for server principal postgres/centos@
[3947] 1385322573.406955: Getting credentials POSTGRES/centos@xxxxxxxxxxxxxxxxx -> postgres/centos@ using ccache FILE:/tmp/krb5cc_501
[3947] 1385322573.407067: Retrieving POSTGRES/centos@xxxxxxxxxxxxxxxxx -> postgres/centos@ from FILE:/tmp/krb5cc_501 with result: 0/Unknown code 0
[3947] 1385322573.407203: Creating authenticator for POSTGRES/centos@xxxxxxxxxxxxxxxxx -> postgres/centos@, seqnum 222559749, subkey des-cbc-crc/7B63, session key des-cbc-crc/66D8
[3947] 1385322573.407227: Negotiating for enctypes in authenticator: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, des-cbc-crc, des, des-cbc-md4
[3947] 1385322573.418759: ccselect can't find appropriate cache for server principal postgres/centos@
[3947] 1385322573.418896: Read AP-REP, time 1385322576.407247, subkey aes256-cts/710D, seqnum 574336718


Please suggest where I am going wrong.

Thanks in advance.
Abbas
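The server log line quoted in the post is PostgreSQL comparing the Kerberos principal it just authenticated (POSTGRES/centos, i.e. the service principal whose keytab was fed to kinit) with the role named on the psql command line (enterprisedb). With a plain `gss` line in pg_hba.conf the realm is stripped and the two strings must be equal, so either the client needs a TGT for the user (kinit enterprisedb@MY.TESTDOMAIN.LAN) rather than for the service, or the hba line needs a `map=` option pointing at a pg_ident.conf entry. What follows is an added example, not code from the post or from PostgreSQL: a small Python model of that check as 9.3 performs it, including the `include_realm`, `krb_realm` and `map` options of pg_hba.conf, run over the principals visible in the post. The realm MY.TESTDOMAIN.LAN is taken from the posted krb5.conf because the log masks it, and the pg_ident.conf text is constructed for the example.

```python
import re

# Realm from the posted krb5.conf (the post's log masks it as xxxxxxxxxxxxxxxxx).
DEFAULT_REALM = "MY.TESTDOMAIN.LAN"


def _same(a, b, caseins):
    """String comparison honouring the krb_caseins_users server setting."""
    return a.lower() == b.lower() if caseins else a == b


def parse_pg_ident(text):
    """Parse pg_ident.conf: MAPNAME  SYSTEM-USERNAME  PG-USERNAME per line."""
    maps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mapname, sysname, pgname = line.split()
        maps.setdefault(mapname, []).append((sysname, pgname))
    return maps


def ident_line_matches(sysname, pgname, auth_user, role, caseins):
    """One pg_ident.conf line. A leading '/' makes SYSTEM-USERNAME a regular
    expression; its first capture group replaces \\1 in PG-USERNAME."""
    if sysname.startswith("/"):
        m = re.match(sysname[1:], auth_user)
        if not m:
            return False
        if "\\1" in pgname:
            if not m.groups():
                return False  # \1 without a capture group is a config error
            pgname = pgname.replace("\\1", m.group(1))
        return _same(pgname, role, caseins)
    return _same(sysname, auth_user, caseins) and _same(pgname, role, caseins)


def gss_name_check(principal, role, include_realm=False, krb_realm=None,
                   usermap=None, ident_maps=None, caseins=False):
    """Return (accepted, log_message) for an authenticated GSSAPI principal and
    the role the client asked for. Order of checks follows 9.3: split the realm
    off, optionally verify it against krb_realm, then compare or map the rest."""
    auth_user, sep, realm = principal.partition("@")
    if sep:
        if include_realm:
            auth_user = principal   # include_realm=1 keeps user@REALM for the map
        if krb_realm and not _same(realm, krb_realm, caseins):
            return False, "GSSAPI realm (%s) and configured realm (%s) don't match" % (realm, krb_realm)
    elif krb_realm:
        return False, "GSSAPI did not return realm but realm matching was requested"

    if not usermap:
        if _same(auth_user, role, caseins):
            return True, ""
        return False, ("provided user name (%s) and authenticated user name (%s) "
                       "do not match" % (role, auth_user))

    for sysname, pgname in (ident_maps or {}).get(usermap, []):
        if ident_line_matches(sysname, pgname, auth_user, role, caseins):
            return True, ""
    return False, 'no match in usermap "%s" for user "%s" authenticated as "%s"' % (usermap, role, auth_user)


# Constructed pg_ident.conf for the example: AD users keep their own name, and the
# service principal (which is what the post's client was holding) maps to "postgres".
PG_IDENT = """
# MAPNAME  SYSTEM-USERNAME                          PG-USERNAME
adusers    /^([a-z0-9._-]+)@MY\\.TESTDOMAIN\\.LAN$  \\1
adusers    POSTGRES/centos@MY.TESTDOMAIN.LAN        postgres
"""


def demo():
    maps = parse_pg_ident(PG_IDENT)
    hba_plain = {}   # the post's line:  host all all 0.0.0.0/0 gss
    # hba_mapped corresponds to:
    #   host all all 0.0.0.0/0 gss include_realm=1 krb_realm=MY.TESTDOMAIN.LAN map=adusers
    hba_mapped = dict(include_realm=True, krb_realm=DEFAULT_REALM,
                      usermap="adusers", ident_maps=maps)
    return {
        # 1. What the post did: TGT obtained with the service keytab, role enterprisedb.
        "service_tgt_plain": gss_name_check("POSTGRES/centos@" + DEFAULT_REALM, "enterprisedb", **hba_plain),
        # 2. TGT for the user itself (kinit enterprisedb@MY.TESTDOMAIN.LAN), same hba line.
        "user_tgt_plain": gss_name_check("enterprisedb@" + DEFAULT_REALM, "enterprisedb", **hba_plain),
        # 3. Same user through the map, with the realm pinned.
        "user_tgt_mapped": gss_name_check("enterprisedb@" + DEFAULT_REALM, "enterprisedb", **hba_mapped),
        # 4. A principal from another realm is rejected before any mapping happens.
        "foreign_realm": gss_name_check("enterprisedb@OTHER.EXAMPLE", "enterprisedb", **hba_mapped),
        # 5. The service principal can be let in, but only as the role the map names.
        "service_tgt_mapped": gss_name_check("POSTGRES/centos@" + DEFAULT_REALM, "postgres", **hba_mapped),
    }


if __name__ == "__main__":
    for name, (ok, msg) in demo().items():
        print("%-20s %s %s" % (name, "OK  " if ok else "FAIL", msg))
```

Case 1 reproduces the exact LOG line from the post. Two further things in the posted output are outside this model but are what a practitioner would check next: the keytab was created for POSTGRES/centos (short host name) while setspn registered POSTGRES/centos.my.testdomain.lan, and the krb5 trace shows the client asking for postgres/centos, libpq's default lowercase krbsrvname; Kerberos principal names are case-sensitive even though AD resolves SPNs case-insensitively. Finally, the key is single DES (DES-CBC-MD5 in ktpass, allow_weak_crypto = 1 on the client), an enctype that Windows Server 2008 R2 disables by default and that should not stay in use once the login works; re-run ktpass with -crypto AES256-SHA1 and drop allow_weak_crypto.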
