Re: Kerberized login to Postgres database

Hi,
I had a same problem already, but I recompiled Postgre with GSSAPI, it
does works correctly.

On 1/10/12, Gémes Géza <geza(at)kzsdabas(dot)hu> wrote:
> 2012-01-10 07:05 keltezéssel, Eugene Budanov írta:
>> Hi all!
>>
>> I have a problem with kerberizing PostgreSQL 9.1.1.
>>
>> PostgreSQL and Kerberos installed at different computers in network. I'm
>> using internal network in VirtualBox 4.1.6.
>> There are no firewalls on both machines.
>>
>> So, let's see pg_hba.conf:
>>
>> less /var/lib/pgsql/data/pg_hba.conf
>>
>> # TYPE DATABASE USER ADDRESS METHOD
>>
>> # "local" is for Unix domain socket connections only
>> local all all trust
>> # IPv4 local connections:
>> host all all 127.0.0.1/32 trust
>> host all all 192.168.100.0/24 krb5
>>
>> And content of my postgresql.conf
>>
>> # Kerberos and GSSAPI
>> krb_server_keyfile = '/var/lib/pgsql/data/krb5.keytab'
>> #krb_srvname = 'postgres' # (Kerberos only)
>> #krb_caseins_users = off
>>
>> Pricipals in keytab file:
>>
>> postgres/db(dot)domain(dot)int(at)DOMAIN(dot)INT
>> host/db(dot)domain(dot)int(at)DOMAIN(dot)INT
>>
>> Passwords for principals in keytab randomly generated by kadmin.local
>> during export to keytab.
>>
>> User postgres is exists in database of course.
>>
>> Now, let's try connect to postgres database through kerberos:
>>
>> [postgres(at)localhost eugene]$ kinit postgres
>> Password for postgres(at)DOMAIN(dot)INT:
>> [postgres(at)localhost eugene]$ klist
>> Ticket cache: FILE:/tmp/krb5cc_481
>> Default principal: postgres(at)DOMAIN(dot)INT
>> Valid starting Expires Service principal
>> 12/30/11 12:21:14 12/31/11 12:21:14 krbtgt/DOMAIN(dot)INT(at)DOMAIN(dot)INT
>> renew until 01/06/12 12:21:14
>>
>> All works good. Other services such as kerberized login for operating
>> system works fine.
>>
>> But if try connect to postgres database:
>>
>> [postgres(at)localhost eugene]$ psql -h 192.168.100.10 -U postgres
>> psql: Kerberos 5 authentication rejected: Wrong principal in request
>>
>> What I'am doing wrong? Any ideas? Questions?
>>
>> Thanks in advance for your help.
>> ---
>> Best regards,
>> Budanov Eugene
>>
> If kerberos is unable to do a reverse lookup of the IP address it will
> be also unable to get the right ticket for the service.
> You should try to connect by fqdn instead of ip address: psql -h FQDN -U
> USER.
> BTW you don't need the host principal in the
> /var/lib/pgsql/data/krb5.keytab keytab used only by postgres.
>
> Regards
>
> Geza
>
>
> --
> Sent via pgsql-admin mailing list (pgsql-admin(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-admin
>

--
With Best Regards
Rahimeh Khodadadi