Re: PG 8.3 and kerberos failures

From: "Peter Koczan" <pjkoczan(at)gmail(dot)com>
To: "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org>
Subject: Re: PG 8.3 and kerberos failures
Date: 2008-04-18 17:43:20
Message-ID: 4544e0330804181043y6db18a9bve072aa5bc44a8cc4@mail.gmail.com
Lists: pgsql-admin
On Thu, Apr 17, 2008 at 11:40 AM, Peter Koczan <pjkoczan(at)gmail(dot)com> wrote:
> Hi all,
>
>  I just upgraded one of my servers and I'm having a bit of trouble
>  getting some of the kerberos authentication bits working.
>  Specifically, any Kerberos instance run out of a v5srvtab doesn't work
>  so well. Using stashed tickets or normal principals worked fine.
>  Gritty details follow.
>
>  Peter
>
>  Here are details from the specific v5srvtab's...
>  [root@sensei postgres]# klist -k -t /etc/v5srvtab.wsbackup
>  Keytab name: FILE:/etc/v5srvtab.wsbackup
>  KVNO Timestamp         Principal
>  ---- ----------------- --------------------------------------------------------
>   13 12/20/07 15:56:11 wsbackup/sensei.cs.wisc.edu@CS.WISC.EDU

Here's what happens when I do this (it's on a different machine but
it's the same mechanism).

[root@ator] ~ $ su - wsbackup
ator(1)% kinit -f -k -t /etc/v5srvtab.wsbackup -l 1d wsbackup/ator.cs.wisc.edu@CS.WISC.EDU
ator(2)% klist
Ticket cache: FILE:/var/adm/krb5/tmp/tkt/krb5cc_28528
Default principal: wsbackup/ator.cs.wisc.edu@CS.WISC.EDU

Valid starting     Expires            Service principal
04/18/08 12:25:00  04/19/08 12:25:00  krbtgt/CS.WISC.EDU@CS.WISC.EDU


Kerberos 4 ticket cache: /tmp/tkt28528
klist: You have no tickets cached
ator(4)% /s/postgresql-8.2/bin/psql -h sensei -p 5432 postgres
Connecting to 8.2 works...

ator(5)% /s/postgresql-8.3/bin/psql -h sensei -p 5432 postgres
Connecting to 8.2 via 8.3 binaries works...

ator(6)% /s/postgresql-8.3/bin/psql -h sensei -p 49173 postgres
psql: FATAL:  no pg_hba.conf entry for host "128.105.162.36", user "wsbackup", database "postgres", SSL off

And then it fails as above...
Apr 18 12:20:41 sensei postgres[4486]: [3-1] LOG:  connection received: host=ator.cs.wisc.edu port=56925
Apr 18 12:20:41 sensei postgres[4486]: [4-1] LOG:  unexpected Kerberos user name received from client (received "wsbackup", expected "wsbackup/ator.cs.wisc.edu")
Apr 18 12:20:41 sensei postgres[4486]: [5-1] FATAL:  Kerberos 5 authentication failed for user "wsbackup"
Apr 18 12:20:41 sensei postgres[4488]: [3-1] LOG:  connection received: host=ator.cs.wisc.edu port=56926
Apr 18 12:20:41 sensei postgres[4488]: [4-1] FATAL:  no pg_hba.conf entry for host "128.105.162.36", user "wsbackup", database "postgres", SSL off

And this is what syslog shows when I try GSSAPI authentication.
Apr 18 12:34:40 sensei postgres[25885]: [3-1] LOG:  connection received: host=ator.cs.wisc.edu port=41148
Apr 18 12:34:40 sensei postgres[25885]: [4-1] FATAL:  GSSAPI authentication failed for user "wsbackup"
Apr 18 12:34:40 sensei postgres[25886]: [3-1] LOG:  connection received: host=ator.cs.wisc.edu port=41149
Apr 18 12:34:40 sensei postgres[25886]: [4-1] FATAL:  no pg_hba.conf entry for host "128.105.162.36", user "wsbackup", database "postgres", SSL off

Is this something I'm just going to have to find a way to work around
or should I file a bug report?

Peter
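
Added example, not part of the original post or of PostgreSQL: a triage script for the syslog excerpt above. It rejoins mail-wrapped syslog lines, groups them by backend PID, and extracts the received/expected names from the "unexpected Kerberos user name" entry, flagging whether they differ only by the "/instance" part. The function names are hypothetical, the sample lines are copied from the post, and the parser assumes only the message wording visible in those lines.

```python
import re
from collections import defaultdict

# Syslog lines copied from the post, still wrapped the way the mail client left them.
SAMPLE = '''\
Apr 18 12:20:41 sensei postgres[4486]: [3-1] LOG:  connection
received: host=ator.cs.wisc.edu port=56925
Apr 18 12:20:41 sensei postgres[4486]: [4-1] LOG:  unexpected Kerberos
user name received from client (received "wsbackup", expected
"wsbackup/ator.cs.wisc.edu")
Apr 18 12:20:41 sensei postgres[4486]: [5-1] FATAL:  Kerberos 5
authentication failed for user "wsbackup"
Apr 18 12:20:41 sensei postgres[4488]: [3-1] LOG:  connection
received: host=ator.cs.wisc.edu port=56926
Apr 18 12:20:41 sensei postgres[4488]: [4-1] FATAL:  no pg_hba.conf
entry for host "128.105.162.36", user "wsbackup", database "postgres",
SSL off
'''

HEAD = re.compile(r'^\w{3} +\d+ [\d:]{8} \S+ postgres\[(\d+)\]: \[\d+-\d+\] (\w+): +(.*)$')
MISMATCH = re.compile(r'unexpected Kerberos user name received from client '
                      r'\(received "([^"]*)", expected "([^"]*)"\)')

def unwrap(text):
    """Rejoin continuation lines (no syslog header) onto the record before them."""
    records = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            records.append([m.group(1), m.group(2), m.group(3)])
        elif records and line.strip():
            records[-1][2] += ' ' + line.strip()
    return [tuple(r) for r in records]

def triage(text):
    """Per backend PID: FATAL messages plus any received/expected name mismatch.
    instance_only is True when the names differ only by the "/instance" part."""
    out = defaultdict(lambda: {'fatal': [], 'mismatch': None})
    for pid, level, msg in unwrap(text):
        m = MISMATCH.search(msg)
        if m:
            received, expected = m.groups()
            primary, _, instance = expected.partition('/')
            out[pid]['mismatch'] = {'received': received, 'expected': expected,
                'instance_only': bool(instance) and primary == received}
        if level == 'FATAL':
            out[pid]['fatal'].append(msg)
    return dict(out)

if __name__ == '__main__':
    print(triage(SAMPLE))
```

Grouping by PID separates the backend that failed Kerberos authentication (4486) from the follow-up connection that only reports the missing pg_hba.conf entry (4488).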
