Skip site navigation (1) Skip section navigation (2)

Re: GSSAPI/KRB5 and JDBC (again)

From: "Peter Koczan" <pjkoczan(at)gmail(dot)com>
To: "Kris Jurka" <books(at)ejurka(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org, sfrost(at)snowman(dot)net
Subject: Re: GSSAPI/KRB5 and JDBC (again)
Date: 2008-07-29 17:31:20
Message-ID: 4544e0330807291031l3b0f7778q3c3ac4d37bfed76a@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-jdbc
On Mon, Jul 28, 2008 at 11:35 PM, Kris Jurka <books(at)ejurka(dot)com> wrote:
> It tries to use the provided password only if it doesn't find an existing
> set of credentials.  It definitely works for me without a password after
> kinit(ing).  Perhaps your ticket cache or keytab is in a non-standard place?
>  This is the first and only time I've setup a kerberos server, so I may have
> done something unusual on my end too, but I basically just did a stock
> Debian install.  Perhaps you need some additional options from here in your
> login.conf to let it know things particular to your setup?
>
> http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

Our ticket cache location is somewhat random on each login, but it can
always be reliably found by looking at the environment variable
KRB5CCNAME. I can specify the temporary location, but it would be much
better to somehow be able to grab the auth info from that.

I got this working after a few attempts and reading up on Java auth
configs. It looks like I have to have the line which tells which user
to use, i.e.

        props.setProperty("user", "koczan");

...but it has to be the same as the user/principal in the ticket
cache. It would be nice in the case of web scripts or cron jobs (where
things may run as different or arbitrary users) if I could specify
that elsewhere without having to recompile. I tried specifying the
principal in the config file, and I tried specifying the user on the
command line with -D, but neither worked without the setProperty line
in the .java file.

org.postgresql.util.PSQLException: FATAL: no PostgreSQL user name
specified in startup packet

Still, this is a lot further along compared to where I was a week ago.
Thanks again.

Peter

In response to

Responses

pgsql-jdbc by date

Next:From: Kris JurkaDate: 2008-07-29 18:37:30
Subject: Re: GSSAPI/KRB5 and JDBC (again)
Previous:From: Kris JurkaDate: 2008-07-29 17:09:56
Subject: Re: numeric type

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group