From: | "Peter Koczan" <pjkoczan(at)gmail(dot)com> |
---|---|
To: | pgsql-bugs(at)postgresql(dot)org |
Subject: | BUG #4126: KRB5/GSSAPI authenication fails for multipart kerberos principals |
Date: | 2008-04-23 17:17:01 |
Message-ID: | 200804231717.m3NHH1vq092328@wwwmaster.postgresql.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
The following bug has been logged online:
Bug reference: 4126
Logged by: Peter Koczan
Email address: pjkoczan(at)gmail(dot)com
PostgreSQL version: 8.3.1
Operating system: Red Hat Enterprise Linux 5
Description: KRB5/GSSAPI authenication fails for multipart kerberos
principals
Details:
When trying to connect to an 8.3 server using a multipart Kerberos principal
(e.g. ator/wsbackup(dot)cs(dot)wisc(dot)edu(at)CS(dot)WISC(dot)EDU or koczan/mail(at)CS(dot)WISC(dot)EDU
instead of wsbackup(at)CS(dot)WISC(dot)EDU or koczan(at)CS(dot)WISC(dot)EDU), the connection
fails, claiming a name mismatch. This is a change from 8.2 and I found
nothing in the changelog or documentation to suggest this change or offer a
workaround.
This happens no matter what client libraries I'm using (I'll connect using
8.3 clients only to illustrate this point).
Here's what happens with a normal login principal:
[koczan(at)ator] ~ $ klist
Ticket cache: FILE:/var/adm/krb5/tmp/tkt/krb5cc_3258_zWQIbO
Default principal: koczan(at)CS(dot)WISC(dot)EDU
...
[koczan(at)ator] koczan $ /s/postgresql-8.3/bin/psql -h sensei -p 5432 sushi
Welcome to psql 8.3.1 (server 8.2.6), the PostgreSQL interactive terminal.
Type: \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit
WARNING: You are connected to a server with major version 8.2,
but your psql client is major version 8.3. Some backslash commands,
such as \d, might not work properly.
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
sushi=> select version();
version
----------------------------------------------------------------------------
PostgreSQL 8.2.6 on i686-pc-linux-gnu, compiled by GCC gcc.bin (GCC) 3.4.4
(1 row)
sushi=> select current_user;
current_user
--------------
koczan
(1 row)
[koczan(at)ator] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 sushi
Welcome to psql 8.3.1, the PostgreSQL interactive terminal.
Type: \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
sushi=> select version();
version
----------------------------------------------------------------------------
PostgreSQL 8.3.1 on i686-pc-linux-gnu, compiled by GCC gcc.bin (GCC) 3.4.4
(1 row)
sushi=> select current_user;
current_user
--------------
koczan
(1 row)
And what happens with my "mail" instance:
[root(at)ator ~]# su - koczan
[koczan(at)ator] ~ $ klist
klist: No credentials cache found (ticket cache
FILE:/var/adm/krb5/tmp/tkt/krb5cc_3258_xQK9wc)
...
[koczan(at)ator] ~ $ kinit -f -k -t /var/adm/krb5/quickauth/kt/koczan.mail.kt
-l 1d koczan/mail(at)CS(dot)WISC(dot)EDU
[koczan(at)ator] ~ $ klist
Ticket cache: FILE:/var/adm/krb5/tmp/tkt/krb5cc_3258_xQK9wc
Default principal: koczan/mail(at)CS(dot)WISC(dot)EDU
...
Connecting to an 8.2 server works just fine...
[koczan(at)ator] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 5432 sushi
Welcome to psql 8.3.1 (server 8.2.6), the PostgreSQL interactive terminal.
Type: \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit
WARNING: You are connected to a server with major version 8.2,
but your psql client is major version 8.3. Some backslash commands,
such as \d, might not work properly.
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
sushi=> select version();
version
----------------------------------------------------------------------------
PostgreSQL 8.2.6 on i686-pc-linux-gnu, compiled by GCC gcc.bin (GCC) 3.4.4
(1 row)
sushi=> select current_user;
current_user
--------------
koczan
(1 row)
However, connecting to an 8.3 server...
[koczan(at)ator] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 sushi
psql: FATAL: no pg_hba.conf entry for host "128.105.162.36", user "koczan",
database "sushi", SSL off
And this shows up in the syslog...
Apr 23 12:02:41 sensei postgres[23100]: [3-1] LOG: connection received:
host=ator.cs.wisc.edu port=49188
Apr 23 12:02:41 sensei postgres[23100]: [4-1] LOG: unexpected Kerberos user
name received from client (received "koczan", expected "koczan/mail")
Apr 23 12:02:41 sensei postgres[23100]: [5-1] FATAL: Kerberos 5
authentication failed for user "koczan"
Apr 23 12:02:41 sensei postgres[23101]: [3-1] LOG: connection received:
host=ator.cs.wisc.edu port=49189
Apr 23 12:02:41 sensei postgres[23101]: [4-1] FATAL: no pg_hba.conf entry
for host "128.105.162.36", user "koczan", database "sushi", SSL off
The appropriate line in pg_hba.conf shows
hostssl all all 128.105.0.0/16 krb5
I'm connecting via native krb5, but this problem (or a variant of it) occurs
when using GSSAPI authentication...
[koczan(at)ator] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 sushi
psql: FATAL: no pg_hba.conf entry for host "128.105.162.36", user "koczan",
database "sushi", SSL off
Apr 23 12:08:02 sensei postgres[23257]: [4-1] LOG: connection received:
host=ator.cs.wisc.edu port=49409
Apr 23 12:08:02 sensei postgres[23257]: [5-1] FATAL: GSSAPI authentication
failed for user "koczan"
Apr 23 12:08:02 sensei postgres[23258]: [4-1] LOG: connection received:
host=ator.cs.wisc.edu port=49410
Apr 23 12:08:02 sensei postgres[23258]: [5-1] FATAL: no pg_hba.conf entry
for host "128.105.162.36", user "koczan", database "sushi", SSL off
Different things happen when I turn SSL off, but it's still failing to
connect...
Native krb5 / SSL off:
[koczan(at)ator] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 sushi
psql: FATAL: Kerberos 5 authentication failed for user "koczan"
Apr 23 12:12:10 sensei postgres[23327]: [6-1] LOG: connection received:
host=ator.cs.wisc.edu port=49525
Apr 23 12:12:11 sensei postgres[23327]: [7-1] LOG: unexpected Kerberos user
name received from client (received "koczan", expected "koczan/mail")
Apr 23 12:12:11 sensei postgres[23327]: [8-1] FATAL: Kerberos 5
authentication failed for user "koczan"
Apr 23 12:12:11 sensei postgres[23328]: [6-1] LOG: connection received:
host=ator.cs.wisc.edu port=49526
Apr 23 12:12:11 sensei postgres[23328]: [7-1] LOG: unexpected Kerberos user
name received from client (received "koczan", expected "koczan/mail")
Apr 23 12:12:11 sensei postgres[23328]: [8-1] FATAL: Kerberos 5
authentication failed for user "koczan"
GSSAPI / SSL off:
[koczan(at)ator] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 sushi
psql: duplicate GSS authentication request
Apr 23 12:10:21 sensei postgres[23287]: [5-1] LOG: connection received:
host=ator.cs.wisc.edu port=49462
Apr 23 12:10:22 sensei postgres[23287]: [6-1] FATAL: GSSAPI authentication
failed for user "koczan"
Apr 23 12:10:22 sensei postgres[23288]: [5-1] LOG: connection received:
host=ator.cs.wisc.edu port=49463
Apr 23 12:10:22 sensei postgres[23288]: [6-1] FATAL: GSSAPI authentication
failed for user "koczan"
From | Date | Subject | |
---|---|---|---|
Next Message | Kris Jurka | 2008-04-24 10:28:18 | Re: Re: BUG #4123: Statement.setQueryTimeout does not work with Postgres Java Driver |
Previous Message | Tom Lane | 2008-04-23 17:10:59 | Re: HELP pls |