Re: GSS Authentication

From: Bryan Montgomery <monty(at)english(dot)net>
To:
Cc: pgsql-general <pgsql-general(at)postgresql(dot)org>
Subject: Re: GSS Authentication
Date: 2010-07-08 18:50:18
Message-ID: AANLkTinrHgDUkbkA1n1D6ImMWcNO8GCSY8WmSXwshOd5@mail.gmail.com
Lists: pgsql-general

Hope you don't mind me resurrecting this thread - but I have made a fair bit
of headway in my endeavours.

So, the big issue I had was a bug in Microsoft's ktpass (
http://support.microsoft.com/kb/919557) that was on the server.

After that I spent a bit of time on my windows client fiddling trying to get
it to work. I had set PGSRVKRBNAME, tried setting PGGSSAPI however, I wasn't
using the FQDN of my database server. When I went from dbhost to
dbhost.lab2k.net, I was able to connect.

Hopefully this may help someone else in the future.

Now my next step is to see if I can make a connection from a Java
application with JDBC.

Bryan.

On Wed, Jun 16, 2010 at 10:17 AM, <greigwise(at)comcast(dot)net> wrote:

> OMG!!!
>
> I finally got it working. Problem was that on the windows side on the
> service account within the account options, we needed to check "Use DES
> encryption types for this account". I had that changed on the AD side and
> that fixed the whole problem.
>
> Bryan, if you're still trying to get this to work I'd be happy to help if I
> can.
>
> Thanks all for the help.
>
> Greig
>
>
> ----- Original Message -----
> From: "Greig Wise" <greigwise(at)comcast(dot)net>
> To: "Bryan Montgomery" <monty(at)english(dot)net>
> Cc: "pgsql-general" <pgsql-general(at)postgresql(dot)org>
> Sent: Wednesday, June 16, 2010 1:09:16 AM GMT -05:00 US/Canada Eastern
> Subject: Re: [GENERAL] GSS Authentication
>
> Nope. I get this:
>
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
>
> On Jun 15, 2010, at 10:03 PM, Bryan Montgomery wrote:
>
> I'm not in front of a linux machine, but does
> kinit -kt postgres.keytab -S POSTGRES/host.domain.com grant a ticket
> without asking for the password?
>
> On Tue, Jun 15, 2010 at 2:38 PM, <greigwise(at)comcast(dot)net> wrote:
>
>>
>> As suggested below, I just tried this:
>>
>> kinit -S POSTGRES/host.domain.com user
>>
>> (where user is my account name in AD). That then asked for my password
>> and when I entered it, it seemed to work. And now klist shows that I have a
>> ticket. Doing it this way though, the keytab file doesn't seem to come into
>> play. Does this point to something in my keytab file being wrong?
>>
>> I did this:
>>
>> klist -ket postgres.keytab
>>
>> and got:
>>
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    3 12/31/69 19:00:00 POSTGRES/host.domain.com@DOMAIN.COM (DES cbc mode with RSA-MD5)
>>
>> That timestamp seems kinda funky, doesn't it? 12/31/69? That can't be
>> right, can it?
>>
>>
>> Thanks again.
>>
>> Greig
>>
>> ----- Original Message -----
>> From: "Stephen Frost" <sfrost(at)snowman(dot)net>
>> To: "Bryan Montgomery" <monty(at)english(dot)net>
>> Cc: greigwise(at)comcast(dot)net, pgsql-general(at)postgresql(dot)org
>> Sent: Saturday, June 12, 2010 8:35:13 AM GMT -05:00 US/Canada Eastern
>> Subject: Re: [GENERAL] GSS Authentication
>>
>> * Bryan Montgomery (monty(at)english(dot)net) wrote:
>> > I've been trying this as well off and on. In my case I'm not convinced
>> > the AD configuration is correct (And someone else manages that).
>>
>> Yeah, that can be a challenge.. but it's *definitely* possible to get
>> it set up and working correctly.
>>
>> > Can you use kinit with the key tab options to get a good response from
>> > the server? I think I should be able to do this ..
>> > $ kinit -V -k -t poe3b.keytab HTTP/poe3b.lab2k.net
>> > kinit(v5): Preauthentication failed while getting initial credentials
>>
>> err, I'm not sure that should be expected to work.
>>
>> What does klist -ek <keytab file> return? Also, you should be able to
>> kinit to *your* princ in the AD, and if you can do that, you should be
>> able to use your princ to request the service princ ticket from the KDC
>> by doing kinit -S HTTP/poe3b.lab2k.net your.princ
>>
>> Also, provided your *client* is set up/configured correctly, you should
>> be able to see that it acquires the ticket (by using klist) when you try
>> to connect to the server, even if the server is misconfigured.
>>
>> > I'd be interested to know if you get something different - and the steps
>> > you went through on the AD side.
>>
>> You have to create an account in Active Directory for the PG service and
>> then use:
>>
>> ktpass /princ POSTGRES/myserver.mydomain.com@MYDOMAIN.COM /mapuser
>> postgres@mydomain.com /pass mypass /crypto AES256-SHA1 /ptype
>> KRB5_NT_PRINCIPAL /out krb5.keytab
>>
>> Then copy that krb5.keytab to the server. Note that you then have to
>> adjust the server config to have service name set to POSTGRES, and
>> adjust clients using the environment variables to indicate they should
>> ask for POSTGRES (instead of the postgres default).
>>
>> Thanks,
>>
>> Stephen
>>
>
>
>

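Following Stephen's advice to inspect the keytab with klist and Greig's puzzling listing, here is an added shell script (not from the thread or the PostgreSQL project) that parses `klist -ket` output and flags the three things this exchange turned on: single-DES or RC4 keys, a service principal that names a short hostname rather than the FQDN, and the epoch timestamp. The embedded listing is constructed, and the principal names, realms and the `audit_keytab_listing` function are assumptions.

```shell
#!/bin/sh
# Constructed sample of `klist -ket` output, modelled on the listing quoted in
# the thread; none of these entries were captured from a real keytab.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:postgres.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 12/31/69 19:00:00 POSTGRES/host.domain.com@DOMAIN.COM (DES cbc mode with RSA-MD5)
   3 12/31/69 19:00:00 POSTGRES/host.domain.com@DOMAIN.COM (ArcFour with HMAC/md5)
   2 06/12/10 08:35:13 postgres/dbhost@LAB2K.NET (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 06/12/10 08:35:13 POSTGRES/myserver.mydomain.com@MYDOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)'

# audit_keytab_listing: reads `klist -ket` text on stdin and prints one
# finding per line as "<CODE> <principal> <detail>". Exit status is 0;
# callers act on the printed findings.
audit_keytab_listing() {
  awk '
    # Entry lines start with the key version number; headers do not.
    /^ *[0-9]+ / {
      kvno = $1; date = $2; princ = $4
      # Enctype is the parenthesised tail of the line.
      enc = $0
      sub(/^[^(]*\(/, "", enc); sub(/\)[^)]*$/, "", enc)
      lc = tolower(enc)
      # Host part of SERVICE/host@REALM.
      host = substr(princ, index(princ, "/") + 1)
      sub(/@.*$/, "", host)

      # Single DES (RFC 6649) and RC4-HMAC (RFC 8429) are deprecated;
      # AES, as in the ktpass /crypto AES256-SHA1 option, is what to issue.
      if ((lc ~ /des/ && lc !~ /des3|3des|triple/) || lc ~ /arcfour|rc4/)
        print "WEAK-ENCTYPE", princ, enc

      # A service principal must carry the FQDN clients connect to; a short
      # hostname in the keytab cannot match a request for the qualified name.
      if (host !~ /\./)
        print "SHORT-HOSTNAME", princ, host

      # Epoch (12/31/69 or 01/01/70 local time) typically means the keytab
      # was written by a tool such as ktpass that stores no timestamp;
      # informational, not a defect in the key itself.
      if (date ~ /^(12\/31\/69|01\/01\/70)$/)
        print "EPOCH-TIMESTAMP", princ, "kvno=" kvno
    }
  '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_KEYTAB_LISTING" | audit_keytab_listing
```

On a real host replace the sample with `klist -ket /path/to/krb5.keytab | audit_keytab_listing`.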