Re: GSSAPI authentication with AD

Abbas,

* Abbas (abbas.dba@xxxxxxxxx) wrote:
> created enterprisedb user in AD with DES encryption type.

Do not use DES- it's not secure and there's no reason to use it.  Use
AES instead.

> -bash-4.1$ klist
> 
> Ticket cache: FILE:/tmp/krb5cc_501
> 
> Default principal: POSTGRES/centos@xxxxxxxxxxxxxxxxx

This is the problem- with Kerberos and GSSAPI, you need to have a
'service' princ (that's the POSTGRES/my.host.name one) *and* a 'user'
princ (in your case, that should be 'enterprisedb').  The 'service'
princ needs to be exported as a keytab, as you've done, and then made
available to the PostgreSQL server (which I think you've done).
However, the 'user' princ should acquire credentials through a normal
'kinit' (which is what happens when a user logs on to a Windows system
with AD).

> -bash-4.1$ ~/bin/psql -h centos.MY.TESTDOMAIN.LAN -U enterprisedb
> psql: FATAL:  GSSAPI authentication failed for user "enterprisedb"
> -bash-4.1$
> 
> pglogs :
> 
> LOG:  provided user name (enterprisedb) and authenticated user name
> (POSTGRES/centos) do not match

Right, this is telling you that you're using a principal
(POSTGRES/centos) which doesn't match the user that you're trying to
authenticate as ('enterprisedb').

	Thanks,

		Stephen
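
Added example, not part of the original message and not PostgreSQL code: a small triage script that reads the server log message and the klist output quoted in this thread and reports whether the client authenticated with the service principal instead of a user principal. The function names, the cause labels and the EXAMPLE.REALM realm are assumptions made for illustration.

```python
import re

# PostgreSQL's mismatch message as quoted in the thread; \s+ tolerates mail line wraps.
MISMATCH_RE = re.compile(
    r"provided\s+user\s+name\s+\((?P<provided>[^)]+)\)\s+and\s+authenticated"
    r"\s+user\s+name\s+\((?P<authenticated>[^)]+)\)\s+do\s+not\s+match")
KLIST_RE = re.compile(r"^Default principal:\s*(?P<princ>\S+)", re.MULTILINE)

# Constructed sample input modelled on the thread; EXAMPLE.REALM is a placeholder realm.
SAMPLE_LOG = ("LOG:  provided user name (enterprisedb) and authenticated user name\n"
              "(POSTGRES/centos) do not match\n")
SAMPLE_KLIST = ("Ticket cache: FILE:/tmp/krb5cc_501\n"
                "Default principal: POSTGRES/centos@EXAMPLE.REALM\n")


def split_principal(princ):
    """Split 'primary/instance@REALM' into (primary, instance, realm)."""
    name, _, realm = princ.partition("@")
    primary, _, instance = name.partition("/")
    return primary, instance or None, realm or None


def diagnose(pg_log, klist_output=""):
    """Return one finding per mismatch message found in pg_log."""
    cached = KLIST_RE.search(klist_output)
    cached_id = split_principal(cached.group("princ"))[:2] if cached else None
    findings = []
    for m in MISMATCH_RE.finditer(pg_log):
        primary, instance, _ = split_principal(m.group("authenticated"))
        # Assumption: a '/instance' part marks a service principal (users such
        # as 'name/admin' also have one, so treat this as a hint, not proof).
        cause = "service_principal_in_client_cache" if instance else "different_user"
        findings.append({
            "provided": m.group("provided"),
            "authenticated": m.group("authenticated"),
            "cause": cause,
            # True when klist shows the same principal the server reported.
            "cache_matches_log": cached_id == (primary, instance),
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG, SAMPLE_KLIST):
        print(f)
```

A finding of service_principal_in_client_cache with cache_matches_log set to True corresponds to the situation described above: the client's ticket cache holds the service principal, and the user principal still needs its own credentials from kinit.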
