Re: GSSAPI / Kerberos Authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

The spn is POSTGRES/pglgisprtd001.sempra.com@xxxxxxxxxxxxxxxxxx, as I set up different servers, the server in the spn changes of course.  The server name resolves, and if I do a klist on the keytab the realm matches.

 

I am thinking that it has to do with our “vas” & “vasd” systems and how it is configured. But I can’t really say.

 

From: Bear Giles [mailto:bgiles@xxxxxxxxxxxxxx]
Sent: Thursday, June 2, 2016 3:44 PM
To: Weingartner, Steven <SWeingartner@xxxxxxxxxxxxxxxxxxx>
Cc: pgsql-admin@xxxxxxxxxxxxxx
Subject: Re: [ADMIN] GSSAPI / Kerberos Authentication

 

I was just looking at the Kerberos support. Is your server principal postgres/x.y.z@REALM, where x.y.z is the DNS name for your server? It probably won't affect you but think it needs to be POSTGRES/x.y.z@REALM for windows networks.

 

I'll have to check my notes for more details, e.g., I'm 99% sure it's 'postgres' and not 'postgresql'.

 

I know you need to use password authentication from the client - and the username has to be simple (bob@REALM, not bob/postgres@REALM). I'll be submitting a patch to support a keytab file and compound principals when I have some free time.

 

Bear

 

On Thu, Jun 2, 2016 at 4:23 PM, Weingartner, Steven <SWeingartner@xxxxxxxxxxxxxxxxxxx> wrote:

I am currently trying to configure a Centos6.x – postgresql-9.3 server to authenticate using gssapi.  I have several servers I have already configured and are working (a combination of Oracle Linux and Centos, all 6.x series with 9.2,3 or 4).  Our company use vas for an interface to Kerberos, The errors I am getting are as follows:

 

[sweingar@pglgisprtd001 ~]$ psql -hpglgisprtd001 -dpostgres

psql: GSSAPI continuation error: Unspecified GSS failure.  Minor code may provide more information

GSSAPI continuation error: Server not found in Kerberos database

 

or from a windows client

 

C:\Users\sweingar>psql -hpglgisprtd001.sempra.com -Usweingar

psql: SSPI continuation error: The specified target is unknown or unreachable

(80090303)

 

I see nothing worthwhile in the postgresql log, nor in /var/log/messages.  I have verified the dns record to my kdc works (or at least I can ping), I am sort of at a loss of where to look next.

 

This email originated outside of Sempra Energy. Be cautious of attachments, web links, or requests for information.

[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux