Kerberized login to Postgres database

From: Eugene Budanov <eugene(dot)budanov(at)rosalab(dot)ru>
To: pgsql-admin(at)postgresql(dot)org
Subject: Kerberized login to Postgres database
Date: 2012-01-10 06:05:14
Message-ID: 481045983.5980.1326175514267.JavaMail.root@collab.rosalab.ru
Lists: pgsql-admin
Hi all!

I have a problem with kerberizing PostgreSQL 9.1.1.

PostgreSQL and Kerberos are installed on different computers in the network. I'm using an internal network in VirtualBox 4.1.6.
There are no firewalls on either machine.

So, let's see pg_hba.conf:

less /var/lib/pgsql/data/pg_hba.conf
 
# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
host    all             all             192.168.100.0/24        krb5

And the content of my postgresql.conf:

# Kerberos and GSSAPI
krb_server_keyfile = '/var/lib/pgsql/data/krb5.keytab'
#krb_srvname = 'postgres'               # (Kerberos only)
#krb_caseins_users = off

Principals in the keytab file:

postgres/db.domain.int@DOMAIN.INT
host/db.domain.int@DOMAIN.INT

Passwords for the principals in the keytab were randomly generated by kadmin.local during export to the keytab.

The user postgres exists in the database, of course.

Now, let's try to connect to the postgres database through Kerberos:

[postgres@localhost eugene]$ kinit postgres
Password for postgres@DOMAIN.INT:
[postgres@localhost eugene]$ klist
Ticket cache: FILE:/tmp/krb5cc_481
Default principal: postgres@DOMAIN.INT
Valid starting     Expires            Service principal
12/30/11 12:21:14  12/31/11 12:21:14  krbtgt/DOMAIN.INT@DOMAIN.INT
        renew until 01/06/12 12:21:14

Everything works well. Other services, such as kerberized login for the operating system, work fine.

But if I try to connect to the postgres database:

[postgres@localhost eugene]$ psql -h 192.168.100.10 -U postgres
psql: Kerberos 5 authentication rejected:  Wrong principal in request 

What am I doing wrong? Any ideas? Questions?

Thanks in advance for your help.
---
Best regards,
Budanov Eugene
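
A check that fits the setup described in this message, added here as an example and not part of the original post: PostgreSQL's documentation gives the service principal name as servicename/hostname@realm, so the sketch below builds that name from the value passed to `psql -h` and compares it with the keytab entries listed above. The function names are hypothetical, and it assumes the host string is used exactly as typed, whereas a Kerberos library may canonicalise it through DNS first.

```python
import ipaddress

# Keytab principals as listed in the message above.
KEYTAB = ["postgres/db.domain.int@DOMAIN.INT", "host/db.domain.int@DOMAIN.INT"]

def parse_principal(principal):
    """Split 'service/host@REALM' into (service, host, realm)."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm

def check_service_principal(host, keytab, srvname="postgres", realm="DOMAIN.INT"):
    """Return (expected_principal, findings) for a client connecting to `host`.

    Assumption: no DNS canonicalisation is modelled; `host` is taken as typed.
    """
    expected = f"{srvname}/{host}@{realm}"
    findings = []
    try:
        ipaddress.ip_address(host)
        findings.append("host is an IP literal, so the expected principal "
                        "carries an address instead of a host name")
    except ValueError:
        if "." not in host:
            findings.append("host is not fully qualified")
    # Keytab entries for the same service and realm are the only candidates.
    candidates = [p for p in keytab
                  if parse_principal(p)[0] == srvname
                  and parse_principal(p)[2] == realm]
    if not candidates:
        findings.append(f"keytab has no '{srvname}' service principal in {realm}")
    elif expected not in candidates:
        findings.append(f"keytab has no entry for {expected}; "
                        f"it has {', '.join(candidates)}")
    return expected, findings

if __name__ == "__main__":
    for host in ("192.168.100.10", "db.domain.int"):
        expected, findings = check_service_principal(host, KEYTAB)
        print(host, "->", expected)
        for finding in findings or ["matches a keytab entry"]:
            print("   ", finding)
```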
