Greetings,

* Matthew Dennison (mail@xxxxxxxxxxxxxx) wrote:
> No matter what I try I don't seem to be able to get the psql command locally to work using Kerberos. I receive the following message:
> FATAL: GSSAPI authentication failed for user "postgres"
> FATAL: GSSAPI authentication failed for user myad.username@xxxxxxxxxxxx

[...]

> kinit -kt /pgcluster/data/postgres.keytab POSTGRES/hostname.mydomain.net@xxxxxxxxxxxx
> klist
> Ticket cache: KCM:0:20151
> Default principal: POSTGRES/hostname.mydomain.net@xxxxxxxxxxxx
>
> Valid starting Expires Service principal
> 23/02/24 10:19:12 23/02/24 20:19:12 krbtgt/MYDOMAIN.NET@xxxxxxxxxxxx
> renew until 23/02/24 20:19:12

Doesn't look like you're actually getting a PG ticket ...

> psql -h localhost -U postgres -d postgres

And this might be why. Don't use '-h localhost' because that'll, by default anyway, cause the Kerberos library to try to do reverse DNS on the address you are trying to connect to (::1/128, for example) ... and that possibly just resolves to 'localhost', which isn't the server's name that you're trying to connect to. If the rDNS lookup fails then we'll use what you provided - but again, that's just 'localhost' and isn't the server's name in the AD realm.

Try doing:

    psql -h hostname.mydomain.net -U postgres -d postgres

instead, and update your pg_hba.conf to match those connections which are coming into the system's actual IP address instead of only matching localhost connection attempts.

You're definitely not going to have any success until you can do a 'klist' and see a POSTGRES/hostname.mydomain.net ticket listed after doing your psql attempt.

Thanks,

Stephen
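The klist check described in the reply above, as an added example that is not part of the original thread. The function name `has_service_ticket`, the placeholder realm `EXAMPLE.REALM` and both sample klist listings are assumptions constructed for illustration. It only inspects rows under the "Valid starting" header, because here the keytab's client principal has the same name as the service and a plain grep would match the "Default principal" line.

```shell
#!/bin/sh
# Added example: decide from klist output whether a service ticket for
# SERVICE/HOST was actually obtained. Against a live cache, run right after
# the psql attempt:  klist | has_service_ticket POSTGRES hostname.mydomain.net

# has_service_ticket SERVICE HOST
# Reads klist output on stdin. Succeeds only if a ticket row (a line after the
# "Valid starting" header) ends in SERVICE/HOST@<realm>. Header lines such as
# "Default principal:" are ignored on purpose.
has_service_ticket() {
    awk -v spn="$1/$2@" '
        /^Valid starting/ { in_tickets = 1; next }
        in_tickets && index($NF, spn) == 1 { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample: the cache as posted (realm replaced by a placeholder).
# Only the krbtgt is present, so no PostgreSQL service ticket was issued.
sample_before() {
    cat <<'EOF'
Ticket cache: KCM:0:20151
Default principal: POSTGRES/hostname.mydomain.net@EXAMPLE.REALM

Valid starting     Expires            Service principal
23/02/24 10:19:12  23/02/24 20:19:12  krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
        renew until 23/02/24 20:19:12
EOF
}

# Constructed sample: the same cache after a connection made with
# -h hostname.mydomain.net, now holding the service ticket.
sample_after() {
    sample_before
    printf '%s\n' \
        '23/02/24 10:21:40  23/02/24 20:19:12  POSTGRES/hostname.mydomain.net@EXAMPLE.REALM' \
        '        renew until 23/02/24 20:19:12'
}

for s in before after; do
    if "sample_$s" | has_service_ticket POSTGRES hostname.mydomain.net; then
        echo "$s: service ticket present"
    else
        echo "$s: no service ticket for POSTGRES/hostname.mydomain.net"
    fi
done
```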