RE: PostgreSQL Kerberos Authentication

[HIRTZ Jorge Alberto TENARIS <jhirtz@xxxxxxxxxxx>]

Thanks Poul,

 

According to official documentation parameters like ldap, and suffix in pg_hba.conf are for LDAP Authentication not for Kerberos/GSSAPI. In fact the authentication through LDAP works fine in our environment but not for Kerberos…

 

Do you know if the principal in Active Directory KDC must be in uppercase or lowercase? POSTGRES or postgres? Just to confirm.

 

Thanks

Jorge

 

 

 

 

 

From: EXTERNAL:Poul Kristensen [mailto:bcc5226@xxxxxxxxx]
Sent: martes, 30 de enero de 2018 01:50 p.m.
To: HIRTZ Jorge Alberto TENARIS <jhirtz@xxxxxxxxxxx>
Cc: pgsql-general@xxxxxxxxxxxxxxxxxxxx
Subject: Re: PostgreSQL Kerberos Authentication

 

you need til tell Postgresql/pg_hba.conf  the AD kerberos server name ldap = kerberos.domain.com       and suffix    @domain.com

 

Then create the users(is in fact a role) as the owner of a database.

Hereafter the user could just write psql after login and after password auhtentication the user/role is logged into the database.

 

It has been testet and works!

 

Hope it is usefull.

 

regards 

Poul 

 

2018-01-30 17:13 GMT+01:00 HIRTZ Jorge Alberto TENARIS <jhirtz@xxxxxxxxxxx>:

Hello All,

 

I am trying to configure PostgreSQL9.6 (On Centos 7.4) with Kerberos (Active Directory) via GSSAPI authentication and I’m getting the following error:

 

[postgres@hostname data]$ psql  -h hostname -U USERNAME@xxxxxxxxxx postgres

psql: GSSAPI continuation error: Unspecified GSS failure.  Minor code may provide more information

GSSAPI continuation error: Server not found in Kerberos database

 

I did the following configuration:

 

1.- Create KeyTab in Active Directory:

ktpass -out postgres_instance.keytab -princ postgres/hostnamename.domain.com@xxxxxxxxxx -mapUser svcPostgres -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL

 

2.- Copy the keytab to Linux Server on $PGDATA and change the privileges to postgres:postgres

3.- Configure postgresql.conf

krb_server_keyfile = '/<INSTANCA_NAME>/data/postgres_instance.keytab

 

4.- Configure /etc/krb5.conf

 

5.- Request a ticket to the KDC server using kinit (this work OK!)

 

[postgres@hostname ~]$ klist

Ticket cache: KEYRING:persistent:26:krb_ccache_AO0Y1kx

Default principal: USERNAME@xxxxxxxxxx

 

Valid starting       Expires              Service principal

01/30/2018 11:01:59  01/30/2018 21:01:59  krbtgt/DOMAIN.COM@xxxxxxxxxx

        renew until 02/06/2018 11:01:55

 

 

6.- Configure pg_hba.conf

host    all            all                                                0.0.0.0/0          gss include_realm=1

7.- Create user in PG to test:

create user “USERNAME@xxxxxxxxxx” WITH SUPERUSER;

 

8.- Testing

[postgres@hostname data]$ psql  -h hostname -U USERNAME@xxxxxxxxxx postgres

psql: GSSAPI continuation error: Unspecified GSS failure.  Minor code may provide more information

GSSAPI continuation error: Server not found in Kerberos database

 

I tried generate the Keytab with “postgres” and “POSTGRES” user as a SPN but I get the same error.

 

Any suggestion is welcome!

 

Thanks in advance for your help!

 

Jorge

 

 

--

Med venlig hilsen / Best regards
Poul Kristensen
Linux-OS/Virtualizationexpert and Oracle DBA