
PG 8.3 and kerberos failures

From: "Peter Koczan" <pjkoczan(at)gmail(dot)com>
To: "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org>
Subject: PG 8.3 and kerberos failures
Date: 2008-04-17 16:40:22
Message-ID: 4544e0330804170940j45035b17s42071d7b2358ae80@mail.gmail.com
Lists: pgsql-admin

Hi all,

I just upgraded one of my servers and I'm having a bit of trouble
getting some of the kerberos authentication bits working.
Specifically, any Kerberos instance run out of a v5srvtab doesn't work
so well. Using stashed tickets or normal principals worked fine.
Gritty details follow.

Peter

Here are details from the specific v5srvtab's...
[root@sensei postgres]# klist -k -t /etc/v5srvtab.wsbackup
Keytab name: FILE:/etc/v5srvtab.wsbackup
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  13 12/20/07 15:56:11 wsbackup/sensei.cs.wisc.edu@CS.WISC.EDU

[root@sensei postgres]# klist -k -t /etc/v5srvtab
Keytab name: FILE:/etc/v5srvtab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  13 12/20/07 15:56:11 host/sensei.cs.wisc.edu@CS.WISC.EDU
  13 12/20/07 15:56:11 rcmd/sensei.cs.wisc.edu@CS.WISC.EDU
  13 12/20/07 15:56:11 telnet/sensei.cs.wisc.edu@CS.WISC.EDU
  13 12/20/07 15:56:11 ftp/sensei.cs.wisc.edu@CS.WISC.EDU
  13 12/20/07 15:56:11 pop/sensei.cs.wisc.edu@CS.WISC.EDU
  13 12/20/07 15:56:11 wsbackup/sensei.cs.wisc.edu@CS.WISC.EDU
  12 12/20/07 15:56:11 auth/sensei.cs.wisc.edu@CS.WISC.EDU
   8 12/20/07 15:56:11 postgres/sensei.cs.wisc.edu@CS.WISC.EDU

Here's the error from the syslog...
Apr 17 11:18:39 sensei postgres[4486]: [3-1] LOG:  connection received: host=mitchell.cs.wisc.edu port=56925
Apr 17 11:18:39 sensei postgres[4486]: [4-1] LOG:  unexpected Kerberos user name received from client (received "wsbackup", expected "wsbackup/mitchell.cs.wisc.edu")
Apr 17 11:18:39 sensei postgres[4486]: [5-1] FATAL:  Kerberos 5 authentication failed for user "wsbackup"
Apr 17 11:18:39 sensei postgres[4488]: [3-1] LOG:  connection received: host=mitchell.cs.wisc.edu port=56926
Apr 17 11:18:39 sensei postgres[4488]: [4-1] FATAL:  no pg_hba.conf entry for host "128.105.207.19", user "wsbackup", database "sushi", SSL off

Here's the relevant bit from my pg_hba.conf. For compatibility, I'm
using krb5 instead of gss until everything is upgraded from 8.2. If
using gss authentication will work, please let me know.
hostssl all         all         128.105.0.0/16     krb5
hostssl all         all         198.133.224.0/24   krb5

And from postgresql.conf...
# - Security & Authentication -

#authentication_timeout = 1min          # 1s-600s
ssl = on                                # (change requires restart)
#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'      # Allowed SSL ciphers
                                        # (change requires restart)
#password_encryption = on
krb_realm = 'CS.WISC.EDU'
#db_user_namespace = off

# Kerberos and GSSAPI
krb_server_keyfile = '/etc/v5srvtab.postgres'   # (change requires restart)
#krb_srvname = 'postgres'               # (change requires restart, kerberos only)
#krb_server_hostname = ''               # empty string matches any keytab entry
                                        # (change requires restart, kerberos only)
#krb_caseins_users = off                # (change requires restart)
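
The following is an added example, not part of the original post: a small Python parser for the "unexpected Kerberos user name" syslog record quoted above, which rejoins mail-wrapped lines and reports whether the two names differ only in the instance component of the principal. The sample lines are copied from the post; the function names are hypothetical.

```python
import re

# Syslog shape seen in the post: "<date> <host> postgres[PID]: [n-m] LEVEL:  message"
RECORD = re.compile(r'postgres\[(?P<pid>\d+)\]: \[\d+-\d+\] (?P<level>[A-Z]+):\s+(?P<msg>.*)')
MISMATCH = re.compile(r'unexpected Kerberos user name received from client '
                      r'\(received "(?P<received>[^"]*)", expected "(?P<expected>[^"]*)"\)')

# Lines copied from the post, including the mail client's line wrapping.
SAMPLE = '''\
Apr 17 11:18:39 sensei postgres[4486]: [3-1] LOG:  connection
received: host=mitchell.cs.wisc.edu port=56925
Apr 17 11:18:39 sensei postgres[4486]: [4-1] LOG:  unexpected Kerberos
user name received from client (received "wsbackup", expected
"wsbackup/mitchell.cs.wisc.edu")
Apr 17 11:18:39 sensei postgres[4486]: [5-1] FATAL:  Kerberos 5
authentication failed for user "wsbackup"
'''.splitlines()

def unwrap(lines):
    """Rejoin wrapped records: a line without a postgres[PID] tag continues the previous one."""
    records = []
    for line in (l.strip() for l in lines):
        if not line:
            continue
        if RECORD.search(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def split_principal(name):
    """Split 'primary/instance@REALM' into (primary, instance, realm); missing parts are ''."""
    name, _, realm = name.partition("@")
    primary, _, instance = name.partition("/")
    return primary, instance, realm

def kerberos_mismatches(lines):
    """Return one dict per 'unexpected Kerberos user name' record."""
    findings = []
    for rec in unwrap(lines):
        m = RECORD.search(rec)
        k = MISMATCH.search(m.group("msg")) if m else None
        if k:
            got, want = split_principal(k["received"]), split_principal(k["expected"])
            findings.append({"pid": int(m["pid"]), "received": k["received"],
                             "expected": k["expected"],
                             # same primary, different instance component
                             "instance_only": got[0] == want[0] and got[1] != want[1]})
    return findings

if __name__ == "__main__":
    for f in kerberos_mismatches(SAMPLE):
        print(f)
```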
