2012-01-10 07:05 keltezéssel, Eugene Budanov írta:
> Hi all!
> I have a problem with kerberizing PostgreSQL 9.1.1.
> PostgreSQL and Kerberos installed at different computers in network. I'm using internal network in VirtualBox 4.1.6.
> There are no firewalls on both machines.
> So, let's see pg_hba.conf:
> less /var/lib/pgsql/data/pg_hba.conf
> # TYPE DATABASE USER ADDRESS METHOD
> # "local" is for Unix domain socket connections only
> local all all trust
> # IPv4 local connections:
> host all all 127.0.0.1/32 trust
> host all all 192.168.100.0/24 krb5
> And content of my postgresql.conf
> # Kerberos and GSSAPI
> krb_server_keyfile = '/var/lib/pgsql/data/krb5.keytab'
> #krb_srvname = 'postgres' # (Kerberos only)
> #krb_caseins_users = off
> Pricipals in keytab file:
> Passwords for principals in keytab randomly generated by kadmin.local during export to keytab.
> User postgres is exists in database of course.
> Now, let's try connect to postgres database through kerberos:
> [postgres(at)localhost eugene]$ kinit postgres
> Password for postgres(at)DOMAIN(dot)INT:
> [postgres(at)localhost eugene]$ klist
> Ticket cache: FILE:/tmp/krb5cc_481
> Default principal: postgres(at)DOMAIN(dot)INT
> Valid starting Expires Service principal
> 12/30/11 12:21:14 12/31/11 12:21:14 krbtgt/DOMAIN(dot)INT(at)DOMAIN(dot)INT
> renew until 01/06/12 12:21:14
> All works good. Other services such as kerberized login for operating system works fine.
> But if try connect to postgres database:
> [postgres(at)localhost eugene]$ psql -h 192.168.100.10 -U postgres
> psql: Kerberos 5 authentication rejected: Wrong principal in request
> What I'am doing wrong? Any ideas? Questions?
> Thanks in advance for your help.
> Best regards,
> Budanov Eugene
If kerberos is unable to do a reverse lookup of the IP address it will
be also unable to get the right ticket for the service.
You should try to connect by fqdn instead of ip address: psql -h FQDN -U
BTW you don't need the host principal in the
/var/lib/pgsql/data/krb5.keytab keytab used only by postgres.
In response to
pgsql-admin by date
|Next:||From: Rahimeh Khodadadi||Date: 2012-01-10 18:40:35|
|Subject: Re: Kerberized login to Postgres database|
|Previous:||From: Eugene Budanov||Date: 2012-01-10 06:05:14|
|Subject: Kerberized login to Postgres database|