Re: GSS Authentication

From: greigwise(at)comcast(dot)net
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: pgsql-general(at)postgresql(dot)org, Bryan Montgomery <monty(at)english(dot)net>
Subject: Re: GSS Authentication
Date: 2010-06-15 22:13:58
Message-ID: 769428666.4402111276640038394.JavaMail.root@sz0069a.emeryville.ca.mail.comcast.net
Lists: pgsql-general

I just noticed that in your message you had more text further down (regarding the DES encryption). I didn't see that at first. So, I did klist -e as you suggested and I got this:

Ticket cache: FILE:/tmp/krb5cc_502
Default principal: user(at)DOMAIN(dot)COM

Valid starting     Expires            Service principal
06/15/10 18:07:33  06/16/10 04:07:36  krbtgt/DOMAIN(dot)COM(at)DOMAIN(dot)COM
        renew until 06/16/10 04:07:33, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

Kerberos 4 ticket cache: /tmp/tkt502
klist: You have no tickets cached

Is that the problem? I don't see anything about permitted enctypes in my krb5.conf. Should I add something in there to allow DES, or should I recreate my keytab to use a different encryption type? If so, what should I use?

Thanks again. I feel like I'm making progress.
Greig

----- Original Message -----
From: "Stephen Frost" <sfrost(at)snowman(dot)net>
To: greigwise(at)comcast(dot)net
Cc: pgsql-general(at)postgresql(dot)org, "Bryan Montgomery" <monty(at)english(dot)net>
Sent: Tuesday, June 15, 2010 4:25:55 PM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication

* greigwise(at)comcast(dot)net (greigwise(at)comcast(dot)net) wrote:
> kinit -S POSTGRES/host.domain.com user
>
> (where user is my account name in AD). That then asked for my password and when I entered it, it seemed to work. And now klist shows that I have a ticket. Doing it this way though, the keytab file doesn't seem to come into play. Does this point to something in my keytab file being wrong?

Good that you were able to get a ticket manually. Next you need to try
getting a client application (eg: psql) to get that same ticket. Before
you run psql, do:

kdestroy
kinit
export PGKRBSRVNAME=POSTGRES
psql -d postgres -h host.domain.com
klist

And see if you acquired the same ticket you got with the manual klist.

> I did this:
>
> klist -ket postgres.keytab
>
> and got:
>
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 12/31/69 19:00:00 POSTGRES/host(dot)domain(dot)com(at)DOMAIN(dot)COM (DES cbc mode with RSA-MD5)
>
> That timestamp seems kinda funky, doesn't it? 12/31/69? That can't be right, can it?

The timestamp isn't really "right", but it shouldn't really hurt either-
that's just when it was "created". The encryption is crappy though and
might be disabled by default (MIT Kerberos recently started disabling
DES and lower encryption because it's horribly insecure). Check your
/etc/krb5.conf for permitted_enctypes. Also, after you get a
POSTGRES/host.domain.com ticket using kinit (or psql), do a klist -e and
see if the encryption type of the ticket you got matches that of the
keytab. If it doesn't, then you might have created multiple keys for
the same princ on the server (not generally a bad thing), but not
exported and loaded all of them into the keytab on the unix system
(which would be a problem...).

Thanks,

Stephen
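The comparison Stephen suggests (the enctype of the key in the keytab versus the enctype of the service ticket the client actually received) is easy to script. The block below is an added example, not code from the thread or from PostgreSQL: it parses constructed `klist -ket` and `klist -e` output modelled on what was posted (real klist prints `@` and `.`, not the archive's `(at)`/`(dot)`), reports a mismatch for the service principal, and flags DES and RC4 ("ArcFour with HMAC/md5") keys, both of which are deprecated (RFC 6649 and RFC 8429; MIT krb5 1.8 set `allow_weak_crypto = false` by default). The POSTGRES/... ticket line in the sample cache is hypothetical; the thread only shows the krbtgt ticket. Why the mismatch matters: the KDC encrypts a service ticket with the service's key, so if the keytab holds no key of that enctype and KVNO, the server cannot decrypt the ticket and the GSS accept fails.

```shell
#!/bin/sh
# Added example (not from the thread): check that the enctype of the service
# ticket in the credential cache is one the server's keytab can decrypt.

SERVICE_PRINC='POSTGRES/host.domain.com@DOMAIN.COM'

# Constructed sample of `klist -ket postgres.keytab`, modelled on the thread.
KEYTAB_LISTING='KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 12/31/69 19:00:00 POSTGRES/host.domain.com@DOMAIN.COM (DES cbc mode with RSA-MD5)'

# Constructed sample of `klist -e` after psql obtained a service ticket.
# The POSTGRES/... entry is hypothetical; the thread shows only the krbtgt line.
CACHE_LISTING='Ticket cache: FILE:/tmp/krb5cc_502
Default principal: user@DOMAIN.COM

Valid starting     Expires            Service principal
06/15/10 18:07:33  06/16/10 04:07:36  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 06/16/10 04:07:33, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
06/15/10 18:08:02  06/16/10 04:07:36  POSTGRES/host.domain.com@DOMAIN.COM
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5'

# keytab_enctypes PRINCIPAL LISTING
# Prints one line per key the keytab holds for PRINCIPAL: the text inside the
# trailing parentheses of each matching `klist -ket` row.
keytab_enctypes() {
    printf '%s\n' "$2" | grep -F "$1" | sed -n 's/.*(\(.*\))$/\1/p'
}

# ticket_enctype PRINCIPAL LISTING
# Prints the "tkt" enctype (second value after "Etype (skey, tkt):") of the
# first ticket for PRINCIPAL in `klist -e` output, or nothing if absent.
ticket_enctype() {
    printf '%s\n' "$2" | awk -v p="$1" '
        found && /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\): */, "")
            n = split($0, parts, /, */)
            print parts[n]
            exit
        }
        index($0, p) { found = 1 }
    '
}

# enctype_check PRINCIPAL KEYTAB_LISTING CACHE_LISTING
# Returns 0 when the keytab has a key of the ticket's enctype, 1 on mismatch,
# 2 when no ticket for PRINCIPAL is in the cache (psql never got that far).
enctype_check() {
    tkt=$(ticket_enctype "$1" "$3")
    [ -n "$tkt" ] || { echo "no ticket for $1 in the cache"; return 2; }
    if keytab_enctypes "$1" "$2" | grep -qxF "$tkt"; then
        echo "match: ticket and keytab both use '$tkt'"
        return 0
    fi
    echo "mismatch: ticket for $1 was encrypted with '$tkt'"
    keytab_enctypes "$1" "$2" | sed 's/^/  keytab key enctype: /'
    return 1
}

# weak_enctypes LISTING
# Prints each DES or RC4 enctype that appears in LISTING (both deprecated).
weak_enctypes() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*\(DES cbc mode with [A-Za-z0-9-]*\).*/\1/p' \
        -e 's/.*\(ArcFour with HMAC\/md5\).*/\1/p' | sort -u
}

# Demo on the constructed samples. On a live system use instead:
#   KEYTAB_LISTING=$(klist -ket postgres.keytab); CACHE_LISTING=$(klist -e)
enctype_check "$SERVICE_PRINC" "$KEYTAB_LISTING" "$CACHE_LISTING" || :
for listing in "$KEYTAB_LISTING" "$CACHE_LISTING"; do
    weak_enctypes "$listing" | sed 's/^/deprecated enctype in use: /'
done
```

On the thread's data this reports a mismatch (DES key in the keytab, RC4 ticket in the cache) and flags both enctypes as deprecated; the fix direction is to re-export the keytab with a key of an enctype the KDC will actually issue tickets for, rather than to re-enable DES on the client.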
