
Re: Kerberized login to Postgres database

From: Rahimeh Khodadadi <rahimeh(dot)khodadadi(at)gmail(dot)com>
To: Gémes Géza <geza(at)kzsdabas(dot)hu>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: Kerberized login to Postgres database
Date: 2012-01-10 18:40:35
Message-ID: CAOudTMy=Ovwbk9gDRUD8LDoCPXJe1PRiTVy4t9wSw7hX2M0J1Q@mail.gmail.com
Lists: pgsql-admin
Hi,
I already had the same problem, but I recompiled Postgres with GSSAPI and it
does work correctly.

On 1/10/12, Gémes Géza <geza(at)kzsdabas(dot)hu> wrote:
> On 2012-01-10 07:05, Eugene Budanov wrote:
>> Hi all!
>>
>> I have a problem with kerberizing PostgreSQL 9.1.1.
>>
>> PostgreSQL and Kerberos installed at different computers in network. I'm
>> using internal network in VirtualBox 4.1.6.
>> There are no firewalls on both machines.
>>
>> So, let's see pg_hba.conf:
>>
>> less /var/lib/pgsql/data/pg_hba.conf
>>
>> # TYPE  DATABASE        USER            ADDRESS                 METHOD
>>
>> # "local" is for Unix domain socket connections only
>> local   all             all                                     trust
>> # IPv4 local connections:
>> host    all             all             127.0.0.1/32            trust
>> host    all             all             192.168.100.0/24        krb5
>>
>> And content of my  postgresql.conf
>>
>> # Kerberos and GSSAPI
>> krb_server_keyfile = '/var/lib/pgsql/data/krb5.keytab'
>> #krb_srvname = 'postgres'               # (Kerberos only)
>> #krb_caseins_users = off
>>
>> Principals in the keytab file:
>>
>> postgres/db(dot)domain(dot)int(at)DOMAIN(dot)INT
>> host/db(dot)domain(dot)int(at)DOMAIN(dot)INT
>>
>> Passwords for the principals in the keytab were randomly generated by
>> kadmin.local during export to the keytab.
>>
>> User postgres exists in the database, of course.
>>
>> Now, let's try connect to postgres database through kerberos:
>>
>> [postgres(at)localhost eugene]$ kinit postgres
>> Password for postgres(at)DOMAIN(dot)INT:
>> [postgres(at)localhost eugene]$ klist
>> Ticket cache: FILE:/tmp/krb5cc_481
>> Default principal: postgres(at)DOMAIN(dot)INT
>> Valid starting     Expires            Service principal
>> 12/30/11 12:21:14  12/31/11 12:21:14  krbtgt/DOMAIN(dot)INT(at)DOMAIN(dot)INT
>>         renew until 01/06/12 12:21:14
>>
>> All works well. Other services, such as Kerberized login to the operating
>> system, work fine.
>>
>> But if try connect to postgres database:
>>
>> [postgres(at)localhost eugene]$ psql -h 192.168.100.10 -U postgres
>> psql: Kerberos 5 authentication rejected:  Wrong principal in request
>>
>> What am I doing wrong? Any ideas? Questions?
>>
>> Thanks in advance for your help.
>> ---
>> Best regards,
>> Budanov Eugene
>>
> If Kerberos is unable to do a reverse lookup of the IP address, it will
> also be unable to get the right ticket for the service.
> You should try to connect by FQDN instead of IP address: psql -h FQDN -U
> USER.
> BTW, you don't need the host principal in the
> /var/lib/pgsql/data/krb5.keytab keytab, which is used only by postgres.
>
> Regards
>
> Geza
>
>


-- 
With Best Regards
Rahimeh Khodadadi
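The check this thread converges on (Géza's advice to connect by FQDN rather than IP address, and whether the server keytab actually holds the principal the client will ask for), as an added shell example that is not part of the original thread: it takes a constructed `klist -k` listing matching the poster's keytab and the host name passed to `psql -h`, derives the service principal `postgres/<host>@REALM` the client requests for that host, and reports whether the keytab can satisfy it. The realm DOMAIN.INT, the FQDN db.domain.int, the service name postgres and the keytab listing are assumptions taken from the thread; the functions are hypothetical helpers written for this example, not PostgreSQL or MIT Kerberos tools.

```shell
#!/bin/sh
# Added example (not from the thread): check that the service principal a
# Kerberized psql client will ask for is present in the server keytab.
#
# Assumptions mirroring the thread (hypothetical values): service name
# "postgres", realm DOMAIN.INT, server FQDN db.domain.int.

# Constructed `klist -k` output for the server keytab as the poster described it.
KEYTAB_LISTING='Keytab name: FILE:/var/lib/pgsql/data/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 postgres/db.domain.int@DOMAIN.INT
   2 host/db.domain.int@DOMAIN.INT'

# expected_principal HOST REALM [SERVICE]
# Prints the service principal the client requests for the host given to `psql -h`.
expected_principal() {
    host=$1; realm=$2; service=${3:-postgres}
    printf '%s/%s@%s\n' "$service" "$host" "$realm"
}

# is_ip_literal HOST -> exit 0 if HOST is a dotted-quad IPv4 address
is_ip_literal() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# keytab_has PRINCIPAL -> exit 0 if the principal appears in KEYTAB_LISTING
keytab_has() {
    printf '%s\n' "$KEYTAB_LISTING" |
        awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# check_connect HOST REALM -> prints a verdict; exit 0 only when the keytab
# holds the principal the client will request for HOST.
check_connect() {
    host=$1; realm=$2
    princ=$(expected_principal "$host" "$realm")
    if is_ip_literal "$host"; then
        echo "fail: $host is an IP literal; the name the client puts in the" \
             "service principal then depends on reverse DNS of that address." \
             "The keytab only has principals for db.domain.int, so connect" \
             "with -h db.domain.int instead"
        return 1
    fi
    if keytab_has "$princ"; then
        echo "ok: $princ is in the keytab"
        return 0
    fi
    echo "fail: $princ is not in the keytab"
    return 1
}

# Usage mirroring the thread: the failing IP-literal case, then the FQDN fix.
# `|| :` only keeps the demo going past the deliberately failing case.
for h in 192.168.100.10 db.domain.int; do
    check_connect "$h" DOMAIN.INT || :
done
```

Run it as-is to see both verdicts. Note that the `krb5` method in the poster's pg_hba.conf is the native Kerberos 5 method, which PostgreSQL removed in 9.4; on current servers the equivalent pg_hba.conf line uses `gss`, the GSSAPI support Rahimeh refers to recompiling with, and the same principal-versus-keytab check applies.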
