
Re: Kerberized login to Postgres database

From: Rahimeh Khodadadi <rahimeh(dot)khodadadi(at)gmail(dot)com>
To: Gémes Géza <geza(at)kzsdabas(dot)hu>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: Kerberized login to Postgres database
Date: 2012-01-12 13:27:29
Message-ID: CAOudTMwKsUJLm7Ryu-3JW_dydxWbaDwie5R7K0n5gwxuW9uf8Q@mail.gmail.com
Lists: pgsql-admin
Hi,

I use postgres/fqdn-domain-name only.

#kadmin.local
kadmin.local: ank -randkey postgres/aftab.example.com
Principal "postgres/aftab(dot)example(dot)com(at)EXAMPLE(dot)COM" created

#ktadd -k /tmp/postgresql.keytab postgres/aftab.example.com
Entry for principal postgres/aftab.example.com with kvno 3,
encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/tmp/postgresql.keytab.
Entry for principal postgres/aftab.example.com with kvno 3,
encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/postgresql.keytab.

#scp /tmp/postgresql.keytab aftab.example.com:/usr/local/pgsql/data/postgresql.keytab
#rm /tmp/postgresql.keytab


#chown postgres:postgres  /usr/local/pgsql/data/postgresql.keytab
#chmod 400 /usr/local/pgsql/data/postgresql.keytab

2- I edited the parameter "krb_server_keytab" to the keytab file path.

Regards
Khodadadi

On 1/11/12, Gémes Géza <geza(at)kzsdabas(dot)hu> wrote:
> On 2012-01-11 07:44, Eugene Budanov wrote:
>> Hi!
>>
>>> I had the same problem already, but I recompiled Postgres with GSSAPI, and it
>>> does work correctly.
>> Very interesting. Can you send me your config files?
>>
>> ---
>> Best regards,
>> Budanov Eugene
>>
> The relevant parts of my config are below:
>
> postgresql.conf:
>
> listen_addresses = '*'
> krb_server_keyfile = '/etc/postgresql/postgres.keytab'
> krb_caseins_users = on
>
> pg_hba.conf:
>
> host    all         all         0.0.0.0/0          gss
>
> ktutil -k /etc/postgresql/postgres.keytab list gives:
>
> Vno  Type                     Principal                                         Aliases
>   1  aes256-cts-hmac-sha1-96  postgres/intranet(dot)kzsdabas(dot)hu(at)KZSDABAS(dot)HU
>   1  des3-cbc-sha1            postgres/intranet(dot)kzsdabas(dot)hu(at)KZSDABAS(dot)HU
>   1  arcfour-hmac-md5         postgres/intranet(dot)kzsdabas(dot)hu(at)KZSDABAS(dot)HU
>
> The service is running on a debian squeeze box, the rest of the settings
> are unrelated.
>
> Regards
>
> Geza
>


-- 
With Best Regards
Rahimeh Khodadadi
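Added here as a defender's check, not code from the thread: a POSIX sh audit of the keytab setup described above that reads `krb_server_keyfile` from postgresql.conf, verifies the chown/chmod step (mode 0400 or 0600, owned by the server user), and counts keytab entries whose enctypes are deprecated for Kerberos (single DES, 3DES and RC4/arcfour, per RFC 6649 and RFC 8429), which both keytab listings in this thread contain. It assumes MIT Kerberos `klist -kte` for the live listing; the enctype counter also accepts Heimdal `ktutil list` output on stdin.

```shell
#!/bin/sh
# Added audit helper; not from the mailing-list thread. Assumes MIT `klist`
# and a postgresql.conf line of the form krb_server_keyfile = '/path/keytab'.

# Print the keytab path set by krb_server_keyfile (last setting wins).
conf_keyfile() {
  sed -n "s/^[[:space:]]*krb_server_keyfile[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | tail -n 1
}

# Return 0 only if the keytab is mode 0400/0600 and owned by $2 (e.g. postgres),
# i.e. the chown/chmod step was actually applied.
check_keytab_perms() {
  keytab=$1; want_owner=$2
  [ -f "$keytab" ] || { echo "keytab missing: $keytab" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback
  st=$(stat -c '%a %U' "$keytab" 2>/dev/null || stat -f '%Lp %Su' "$keytab")
  set -- $st
  case "$1" in 400|600) ;; *) echo "bad mode $1 on $keytab" >&2; return 1 ;; esac
  [ "$2" = "$want_owner" ] || { echo "owner $2, expected $want_owner" >&2; return 1; }
  return 0
}

# Count entries with deprecated enctypes (des-cbc-*, des3-cbc-*, arcfour/rc4).
# Reads a `klist -kte` or Heimdal `ktutil list` listing on stdin and prints
# the count; 0 means only modern enctypes such as AES remain.
weak_enctype_count() {
  grep -Eic '(^|[[:space:](])(des3?|arcfour|rc4)[-)[:space:]]' || true
}

# Live audit of a server: sh audit.sh /etc/postgresql/postgresql.conf postgres
audit() {
  kt=$(conf_keyfile "$1")
  [ -n "$kt" ] || { echo "krb_server_keyfile not set in $1" >&2; return 1; }
  check_keytab_perms "$kt" "$2" || return 1
  weak=$(klist -kte "$kt" | weak_enctype_count)
  echo "$kt: $weak entries with deprecated enctypes"
  [ "$weak" -eq 0 ]
}

if [ $# -eq 2 ]; then audit "$@"; fi
```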
