
Re: Kerberized login to Postgres database

From: Gémes Géza <geza(at)kzsdabas(dot)hu>
To: pgsql-admin(at)postgresql(dot)org
Subject: Re: Kerberized login to Postgres database
Date: 2012-01-10 17:36:19
Message-ID: 4F0C7713.2020200@kzsdabas.hu
Lists: pgsql-admin
On 2012-01-10 07:05, Eugene Budanov wrote:
> Hi all!
>
> I have a problem with Kerberizing PostgreSQL 9.1.1.
>
> PostgreSQL and Kerberos are installed on different computers in the network. I'm using an internal network in VirtualBox 4.1.6.
> There are no firewalls on either machine.
>
> So, let's see pg_hba.conf:
>
> less /var/lib/pgsql/data/pg_hba.conf
>  
> # TYPE  DATABASE        USER            ADDRESS                 METHOD
>
> # "local" is for Unix domain socket connections only
> local   all             all                                     trust
> # IPv4 local connections:
> host    all             all             127.0.0.1/32            trust
> host    all             all             192.168.100.0/24        krb5
>
> And the content of my postgresql.conf:
>
> # Kerberos and GSSAPI
> krb_server_keyfile = '/var/lib/pgsql/data/krb5.keytab'
> #krb_srvname = 'postgres'               # (Kerberos only)
> #krb_caseins_users = off
>
> Principals in the keytab file:
>
> postgres/db.domain.int@DOMAIN.INT
> host/db.domain.int@DOMAIN.INT
>
> Passwords for the principals in the keytab were randomly generated by kadmin.local during export to the keytab.
>
> User postgres exists in the database, of course.
>
> Now, let's try to connect to the postgres database through Kerberos:
>
> [postgres@localhost eugene]$ kinit postgres
> Password for postgres@DOMAIN.INT:
> [postgres@localhost eugene]$ klist
> Ticket cache: FILE:/tmp/krb5cc_481
> Default principal: postgres@DOMAIN.INT
> Valid starting     Expires            Service principal
> 12/30/11 12:21:14  12/31/11 12:21:14  krbtgt/DOMAIN.INT@DOMAIN.INT
>         renew until 01/06/12 12:21:14
>
> All works well. Other services, such as Kerberized login to the operating system, work fine.
>
> But if I try to connect to the postgres database:
>
> [postgres@localhost eugene]$ psql -h 192.168.100.10 -U postgres
> psql: Kerberos 5 authentication rejected:  Wrong principal in request
>
> What am I doing wrong? Any ideas? Questions?
>
> Thanks in advance for your help.
> ---
> Best regards,
> Budanov Eugene
>
If Kerberos is unable to do a reverse lookup of the IP address, it will
also be unable to get the right ticket for the service.
You should try to connect by FQDN instead of IP address: psql -h FQDN -U USER.
BTW, you don't need the host principal in the /var/lib/pgsql/data/krb5.keytab
keytab, which is used only by postgres.

Regards

Geza
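To check Geza's explanation before changing anything on the server, here is an added Python helper (not from the thread and not part of PostgreSQL or MIT Kerberos) that models how a krb5 client turns the -h argument into the postgres/<host>@REALM service principal and compares it with the principals in the server keytab. It assumes MIT krb5's default reverse-DNS (rdns) behaviour and leaves forward canonicalisation of hostnames out so it runs offline; the keytab list and PTR table are constructed from the thread's values.

```python
import ipaddress
import socket

# Constructed sample data modelled on the thread: the server keytab holds
# postgres/db.domain.int@DOMAIN.INT and the client is pointed at 192.168.100.10.
SAMPLE_KEYTAB = ["postgres/db.domain.int@DOMAIN.INT", "host/db.domain.int@DOMAIN.INT"]
SAMPLE_PTR = {"192.168.100.10": "db.domain.int"}  # constructed reverse-DNS table


def requested_principal(host, realm, service="postgres", reverse_lookup=None):
    """Principal the client will ask the KDC for (assumes MIT krb5 defaults, rdns=true).

    A hostname is used as typed. An IP literal is reverse-resolved; if no PTR
    record exists, the literal itself becomes the instance, which no keytab holds.
    `reverse_lookup(ip) -> name` is injectable so the check can run offline.
    """
    if reverse_lookup is None:
        reverse_lookup = lambda ip: socket.gethostbyaddr(ip)[0]
    instance = host
    try:
        ipaddress.ip_address(host)          # raises ValueError for a hostname
        instance = reverse_lookup(host)     # IP literal: needs a PTR record
    except ValueError:
        pass                                # not an IP literal: keep the name
    except (OSError, KeyError):
        pass                                # no PTR record: keep the IP literal
    return f"{service}/{instance.lower().rstrip('.')}@{realm}"


def keytab_mismatch(host, realm, keytab_principals, **kw):
    """Return a diagnostic string if the login would be rejected, else None."""
    wanted = requested_principal(host, realm, **kw)
    if wanted in keytab_principals:
        return None
    return (f"client will request {wanted}, not in server keytab "
            f"{sorted(keytab_principals)}; connect with the FQDN named by the "
            f"keytab principal")
```

Run keytab_mismatch with the real hostname or IP you pass to psql and the output of klist -k on the server; a non-None result points at the name the client derives rather than at pg_hba.conf.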
