Re: GSS Authentication

From: Bryan Montgomery <monty(at)english(dot)net>
To: greigwise(at)comcast(dot)net, pgsql-general <pgsql-general(at)postgresql(dot)org>
Subject: Re: GSS Authentication
Date: 2010-06-16 02:03:42
Message-ID: AANLkTilYNsM4wV6UbvL2o3Ee8m-V8zIiewgiSNfRkK7b@mail.gmail.com
Lists: pgsql-general

I'm not in front of a Linux machine, but does
kinit -kt postgres.keytab -S POSTGRES/host.domain.com grant a ticket without
asking for the password?

On Tue, Jun 15, 2010 at 2:38 PM, <greigwise(at)comcast(dot)net> wrote:

>
> As suggested below, I just tried this:
>
> kinit -S POSTGRES/host.domain.com user
>
> (where user is my account name in AD). That then asked for my password and
> when I entered it, it seemed to work. And now klist shows that I have a
> ticket. Doing it this way though, the keytab file doesn't seem to come into
> play. Does this point to something in my keytab file being wrong?
>
> I did this:
>
> klist -ket postgres.keytab
>
> and got:
>
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 12/31/69 19:00:00 POSTGRES/host.domain.com@DOMAIN.COM (DES cbc mode with RSA-MD5)
>
> That timestamp seems kinda funky, doesn't it? 12/31/69? That can't be
> right, can it?
>
>
> Thanks again.
>
> Greig
>
> ----- Original Message -----
> From: "Stephen Frost" <sfrost(at)snowman(dot)net>
> To: "Bryan Montgomery" <monty(at)english(dot)net>
> Cc: greigwise(at)comcast(dot)net, pgsql-general(at)postgresql(dot)org
> Sent: Saturday, June 12, 2010 8:35:13 AM GMT -05:00 US/Canada Eastern
> Subject: Re: [GENERAL] GSS Authentication
>
> * Bryan Montgomery (monty(at)english(dot)net) wrote:
> > I've been trying this as well off and on. In my case I'm not convinced the
> > AD configuration is correct (And someone else manages that).
>
> Yeah, that can be a challenge.. but it's *definitely* possible to get
> it set up and working correctly.
>
> > Can you use kinit with the key tab options to get a good response from the
> > server? I think I should be able to do this ..
> > $ kinit -V -k -t poe3b.keytab HTTP/poe3b.lab2k.net
> > kinit(v5): Preauthentication failed while getting initial credentials
>
> err, I'm not sure that should be expected to work.
>
> What does klist -ek <keytab file> return? Also, you should be able to
> kinit to *your* princ in the AD, and if you can do that, you should be
> able to use your princ to request the service princ ticket from the KDC
> by doing kinit -S HTTP/poe3b.lab2k.net your.princ
>
> Also, provided your *client* is set up/configured correctly, you should
> be able to see that it acquires the ticket (by using klist) when you try
> to connect to the server, even if the server is misconfigured.
>
> > I'd be interested to know if you get something different - and the steps you
> > went through on the AD side.
>
> You have to create an account in Active Directory for the PG service and
> then use:
>
> ktpass /princ POSTGRES/myserver.mydomain.com@MYDOMAIN.COM /mapuser
> postgres@mydomain.com /pass mypass /crypto AES256-SHA1 /ptype
> KRB5_NT_PRINCIPAL /out krb5.keytab
>
> Then copy that krb5.keytab to the server. Note that you then have to
> adjust the server config to have service name set to POSTGRES, and
> adjust clients using the environment variables to indicate they should
> ask for POSTGRES (instead of the postgres default).
>
> Thanks,
>
> Stephen
>
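The `klist -ket` listing quoted in the thread, with its DES entry and its 12/31/69 timestamp, is the kind of output worth checking mechanically. The shell function below is an added example, not code from this thread or from PostgreSQL: it reads `klist -ket` output on stdin, flags entries whose enctype is legacy DES or RC4 (the ktpass `/crypto AES256-SHA1` option in Stephen's reply avoids exactly that), and notes that an epoch timestamp only means the tool that wrote the keytab stored a zero timestamp, which is not by itself a fault in the entry. The sample listing is constructed.

```shell
# Constructed sample of `klist -ket` output, modelled on the listing quoted above.
SAMPLE_LISTING='KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 12/31/69 19:00:00 POSTGRES/host.domain.com@DOMAIN.COM (DES cbc mode with RSA-MD5)
   3 12/31/69 19:00:00 POSTGRES/host.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)'

# Read a klist -ket listing on stdin and print one finding per keytab entry.
# Exit status: 0 = every entry uses a modern enctype, 1 = at least one legacy
# (DES/RC4) entry, 2 = nothing parsed (wrong file, or not klist -ket output).
audit_keytab_listing() {
    awk '
        # Entry lines: integer KVNO, date, time, principal, then "(enctype)".
        /^[ \t]*[0-9]+[ \t]/ {
            kvno = $1; date = $2; princ = $4
            enc = $0; sub(/.*\(/, "", enc); sub(/\).*/, "", enc)
            entries++
            # A zero keytab timestamp renders as the Unix epoch in local time.
            if (date ~ /^(12\/31\/(19)?69|01\/01\/(19)?70)$/)
                printf "info: %s kvno %d has an epoch timestamp: the writing tool stored none, not an error\n", princ, kvno
            if (enc ~ /[Dd][Ee][Ss]|[Rr][Cc]4|arcfour/) {
                weak++
                printf "weak: %s kvno %d uses %s; regenerate with ktpass /crypto AES256-SHA1\n", princ, kvno, enc
            } else {
                printf "ok:   %s kvno %d uses %s\n", princ, kvno, enc
            }
        }
        END {
            if (entries == 0) { print "error: no keytab entries parsed"; exit 2 }
            exit (weak > 0 ? 1 : 0)
        }'
}

# Usage on a real keytab: klist -ket postgres.keytab | audit_keytab_listing
printf '%s\n' "$SAMPLE_LISTING" | audit_keytab_listing || echo "legacy or unparsable entries found (exit $?)"
```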
