
PostgreSQL GSSAPI Windows AD


Hi,

I've recently updated from PostgreSQL 9.6 to 14 and also from Ubuntu 16.04 to 22.04.
I've done all the installation required for PostgreSQL to connect with GSSAPI authentication to a Windows domain.

Something is going wrong and I don't know why.
When I change the mapped user password from "postgres" to anything else, the connection stops working.

Log of postgres:
Unspecified GSS failure.  Minor code may provide more information: Request ticket server postgres/ubuntu.ad.corp.com@xxxxxxxxxxx not found in keytab (ticket kvno 3)

Here is the ktpass command (Windows AD):

working:
ktpass -out postgres.keytab -princ postgres/UBUNTU.ad.corp.com@xxxxxxxxxxx -mapUser AD\pgsql_ubuntu -pass postgres -mapOp add -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL

not working:
ktpass -out postgres.keytab -princ postgres/UBUNTU.ad.corp.com@xxxxxxxxxxx -mapUser AD\pgsql_ubuntu -pass other_password -mapOp add -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL

I put the keytab on the postgres server; the keytab file is referenced in the postgresql.conf file.

Here is the full procedure:
  1. Create a user in AD for the PostgreSQL mapping (pgsql_ubuntu), always valid, supporting AES256
  2. Create another user for connection testing
  3. Run the ktpass command
  4. Put the keytab file on the pg server in /etc/postgresql, chown to postgres and chmod 600
  5. postgresql.conf: krb_server_keyfile = '/etc/postgresql/postgres.keytab'
  6. pg_hba is configured to connect over gss
  7. The Ubuntu server (postgres) is added to the domain with this command:
    sudo realm join server.ad.corp.com -U Administrateur

I don't know why it works when the password is "postgres" and why I can't change it.

With best regards,
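
An added example, not part of the original post: a small reader for the MIT keytab file format (0x0502) that lists each entry's principal, kvno and enctype, and classifies a request like the one in the log line (`postgres/ubuntu.ad.corp.com`, ticket kvno 3) as an exact match, a kvno mismatch, a name differing only by case, or absent. The realm `EXAMPLE.TEST`, the keytab kvno 2 and the all-zero key are constructed sample values, and the exact, case-sensitive name comparison is an assumption about how the server looks up keytab entries.

```python
import struct

def _cs(b):  # counted octet string: uint16 length followed by the bytes
    return struct.pack(">H", len(b)) + b

def _read_cs(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # zero padding or the hole of a deleted entry
            pos -= size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _read_cs(rec, 2)
        parts = []
        for _ in range(ncomp):
            part, off = _read_cs(rec, off)
            parts.append(part.decode())
        kvno, enctype = struct.unpack_from(">BH", rec, off + 8)  # after name type + timestamp
        _key, off = _read_cs(rec, off + 11)
        if len(rec) - off >= 4:       # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", rec, off)
        entries.append(("/".join(parts) + "@" + realm.decode(), kvno, enctype))
    return entries

def check_request(entries, principal, kvno):
    """Classify a requested service principal and ticket kvno against the keytab."""
    kvnos = {k for name, k, _ in entries if name == principal}  # exact match (assumption)
    if kvnos:
        return "ok" if kvno in kvnos else "kvno-mismatch"
    folded = any(name.lower() == principal.lower() for name, _, _ in entries)
    return "case-mismatch" if folded else "absent"

def sample_keytab(principal, kvno, enctype=18):  # constructed input, dummy all-zero key
    name, realm = principal.split("@")
    comps = [_cs(p.encode()) for p in name.split("/")]
    body = struct.pack(">H", len(comps)) + _cs(realm.encode()) + b"".join(comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype)    # KRB5_NT_PRINCIPAL, time 0
    body += _cs(bytes(32)) + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

On a real server, pass the bytes of the file named by `krb_server_keyfile` to `parse_keytab` and compare the result with the principal and kvno shown in the PostgreSQL log.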
