
Re: Fwd: psql+krb5

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
Cc: rahimeh khodadadi <rahimeh(dot)khodadadi(at)gmail(dot)com>,PG-General Mailing List <pgsql-general(at)postgresql(dot)org>
Subject: Re: Fwd: psql+krb5
Date: 2009-12-02 01:45:56
Message-ID: 20091202014556.GS17756@tamriel.snowman.net
Lists: pgsql-docs, pgsql-general, pgsql-hackers, pgsql-odbc
* Craig Ringer (craig(at)postnewspapers(dot)com(dot)au) wrote:
> I've dropped all your cross-posts; this is just going to PgSQL-general.

Thanks for that.

> On 30/11/2009 3:29 PM, rahimeh khodadadi wrote:
>
>> psql: *krb5_sendauth: Bad application version was sent (via sendauth)*
>
> Also: a search for your error message finds this post, which, while  
> related to a Windows kerberos server, seems to apply:

It's the same kind of issue (wrong service name), but I think the real
problem is this:

krb_srvname = 'postgres/star@EXAMPLE.COM'

The documentation, I think, is pretty clear:
http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#KERBEROS-AUTH

 PostgreSQL operates like a normal Kerberos service. The name of the
 service principal is servicename/hostname@realm.

 servicename can be set on the server side using the krb_srvname
 configuration parameter

The above should just be:

krb_srvname = 'postgres'

Or, better, just removed.  Unless you're running under a Microsoft
Active Directory Kerberos environment, the default should 'just work'.

Additionally, this is also almost certainly wrong:

krb_server_hostname = 'star'

Again, referring to the same documentation:

  hostname is the fully qualified host name of the server machine.

You really should have a proper FQDN set for this system.  I would also
recommend using a real domain rather than 'EXAMPLE.COM'.  Also, I didn't
see the version of PostgreSQL, but if you're using something recent your
auth method should really be 'gss' instead of 'krb5'.

> I don't know much about Kerberos, nor I suspect do all that many people
> on the list, so I can't be of any more help.

Unfortunately, I don't pay as close attention to the lists as I wish I
could.  Kerberos with PG is actually a solution I typically recommend.

	Thanks,

		Stephen
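
Added example, not part of the original message or of PostgreSQL itself: a small Python check that flags the two misconfigurations discussed above (a full principal in krb_srvname, a short name in krb_server_hostname) and composes the servicename/hostname@realm principal. The sample config text, the host name star.example.com, the realm value, and all function names are constructed for illustration.

```python
import re

# Constructed excerpt reproducing the two settings quoted in the message.
SAMPLE_CONF = """\
# postgresql.conf (constructed excerpt)
krb_srvname = 'postgres/star@EXAMPLE.COM'
krb_server_hostname = 'star'
"""

# name = 'value'   (quotes optional, trailing # comment allowed)
SETTING = re.compile(r"^\s*(\w+)\s*=\s*'?([^'#\n]*?)'?\s*(?:#.*)?$")

def parse_conf(text):
    """Return {name: value} for simple settings, skipping comment lines."""
    settings = {}
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        m = SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def check_krb_settings(settings):
    """Return a list of findings; an unset parameter is not a finding."""
    findings = []
    srv = settings.get("krb_srvname")
    if srv is not None and ("/" in srv or "@" in srv):
        findings.append("krb_srvname holds a full principal; use the "
                        "service name only (e.g. 'postgres') or remove it")
    host = settings.get("krb_server_hostname")
    if host is not None and "." not in host.strip("."):
        findings.append("krb_server_hostname is not fully qualified")
    return findings

def service_principal(srvname, fqdn, realm):
    """Compose servicename/hostname@realm from already-validated parts."""
    if check_krb_settings({"krb_srvname": srvname,
                           "krb_server_hostname": fqdn}):
        raise ValueError("service name or host name is malformed")
    return f"{srvname}/{fqdn}@{realm}"

if __name__ == "__main__":
    for finding in check_krb_settings(parse_conf(SAMPLE_CONF)):
        print("WARN:", finding)
    # Constructed FQDN and realm, for illustration only.
    print(service_principal("postgres", "star.example.com", "EXAMPLE.COM"))
```

The composed principal is the name the server's keytab entry has to match.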
