I had a same problem already, but I recompiled Postgre with GSSAPI, it
does works correctly.
On 1/10/12, Gémes Géza <geza(at)kzsdabas(dot)hu> wrote:
> 2012-01-10 07:05 keltezéssel, Eugene Budanov írta:
>> Hi all!
>> I have a problem with kerberizing PostgreSQL 9.1.1.
>> PostgreSQL and Kerberos installed at different computers in network. I'm
>> using internal network in VirtualBox 4.1.6.
>> There are no firewalls on both machines.
>> So, let's see pg_hba.conf:
>> less /var/lib/pgsql/data/pg_hba.conf
>> # TYPE DATABASE USER ADDRESS METHOD
>> # "local" is for Unix domain socket connections only
>> local all all trust
>> # IPv4 local connections:
>> host all all 127.0.0.1/32 trust
>> host all all 192.168.100.0/24 krb5
>> And content of my postgresql.conf
>> # Kerberos and GSSAPI
>> krb_server_keyfile = '/var/lib/pgsql/data/krb5.keytab'
>> #krb_srvname = 'postgres' # (Kerberos only)
>> #krb_caseins_users = off
>> Pricipals in keytab file:
>> Passwords for principals in keytab randomly generated by kadmin.local
>> during export to keytab.
>> User postgres is exists in database of course.
>> Now, let's try connect to postgres database through kerberos:
>> [postgres(at)localhost eugene]$ kinit postgres
>> Password for postgres(at)DOMAIN(dot)INT:
>> [postgres(at)localhost eugene]$ klist
>> Ticket cache: FILE:/tmp/krb5cc_481
>> Default principal: postgres(at)DOMAIN(dot)INT
>> Valid starting Expires Service principal
>> 12/30/11 12:21:14 12/31/11 12:21:14 krbtgt/DOMAIN(dot)INT(at)DOMAIN(dot)INT
>> renew until 01/06/12 12:21:14
>> All works good. Other services such as kerberized login for operating
>> system works fine.
>> But if try connect to postgres database:
>> [postgres(at)localhost eugene]$ psql -h 192.168.100.10 -U postgres
>> psql: Kerberos 5 authentication rejected: Wrong principal in request
>> What I'am doing wrong? Any ideas? Questions?
>> Thanks in advance for your help.
>> Best regards,
>> Budanov Eugene
> If kerberos is unable to do a reverse lookup of the IP address it will
> be also unable to get the right ticket for the service.
> You should try to connect by fqdn instead of ip address: psql -h FQDN -U
> BTW you don't need the host principal in the
> /var/lib/pgsql/data/krb5.keytab keytab used only by postgres.
> Sent via pgsql-admin mailing list (pgsql-admin(at)postgresql(dot)org)
> To make changes to your subscription:
With Best Regards
In response to
pgsql-admin by date
|Next:||From: Tripura||Date: 2012-01-10 19:33:37|
|Subject: Create & Alter Schema Permissions for a Login role in Postgresql
|Previous:||From: Gémes Géza||Date: 2012-01-10 17:36:19|
|Subject: Re: Kerberized login to Postgres database|