Re: GSS Authentication

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: greigwise(at)comcast(dot)net
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: GSS Authentication
Date: 2010-06-12 04:58:03
Message-ID: 20100612045803.GU21875@tamriel.snowman.net
Lists: pgsql-general

* greigwise(at)comcast(dot)net (greigwise(at)comcast(dot)net) wrote:
> 2) Setup a new account in AD and used ktpass to create a keytab file for the SPN.

Did you make sure to use the right service name when creating the
keytab? Can you do a klist -k on the keytab file and send the output?
Does hostname --fqdn return the correct answer on the server? If not,
you might need to adjust what PG thinks your FQDN is (there's an option
in postgresql.conf for that too, but I'd recommend trying to fix your
server to return the right answer instead of forcing it).

> 3) Copied the keytab file onto my postgres server and updated my postgresql.conf file appropriately (set the krb_server_keyfile to point to the file I just created.)

You'll probably also need to change the default service name to POSTGRES
instead of postgres, in postgresql.conf too, klist -k should help figure
that out.

> Then I wrote a little test Perl program to connect to my postgres database.

Can you test with psql locally first? Make sure that when you *try* to
connect, it acquires the service princ from the KDC (check using klist)
and then see if it is actually *able* to authenticate to the server.
You'll need to set the appropriate environment variables on both Linux
and Windows tho for libpq to know what the right service name is (again,
POSTGRES instead of postgres, probably).

You may also need to make sure that your default realm is set correctly
and that your reverse DNS is working. Also, can you look in the PG
server-side logs and see what errors are being reported there? There
may be some during startup or when the client tries to connect that
would be useful.

Thanks,

Stephen
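
The keytab check suggested in the message above, as an added example that is not part of the original email: it reads `klist -k` output and reports whether the keytab holds a principal whose service name (compared case-sensitively) and host match what the server expects. The function name `check_keytab_principal`, the host `db1.example.com`, the realm `EXAMPLE.COM` and the sample listing are constructed for illustration, and the plain MIT `klist -k` column layout is assumed.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Usage: klist -k /path/to/keytab | check_keytab_principal SERVICE FQDN
#   SERVICE: the service name the server and libpq are configured to use
#   FQDN:    what `hostname --fqdn` returns on the PostgreSQL server
# Prints one result line and returns:
#   0 OK                          exact service/host principal found
#   1 SERVICE_CASE_MISMATCH <svc> same host, service differs only in case
#   2 HOST_MISMATCH <host>        service matches, host part differs
#   3 NO_PRINCIPAL                nothing usable in the keytab
check_keytab_principal() {
    awk -v svc="$1" -v host="$2" '
        # Entry lines look like: "   3 POSTGRES/db1.example.com@EXAMPLE.COM"
        # (assumed layout of plain `klist -k`; header lines are skipped).
        $1 ~ /^[0-9]+$/ && index($2, "/") > 0 {
            split($2, part, "@")              # part[1] = service/host
            n = index(part[1], "/")
            s = substr(part[1], 1, n - 1)     # service name
            h = substr(part[1], n + 1)        # host name
            if (s == svc && h == host)
                exact = 1
            else if (tolower(s) == tolower(svc) && h == host)
                wrongcase = s
            else if (s == svc)
                otherhost = h
        }
        END {
            if (exact)           { print "OK"; exit 0 }
            if (wrongcase != "") { print "SERVICE_CASE_MISMATCH " wrongcase; exit 1 }
            if (otherhost != "") { print "HOST_MISMATCH " otherhost; exit 2 }
            print "NO_PRINCIPAL"; exit 3
        }'
}

# Constructed sample of `klist -k` output for a keytab made with an
# upper-case service name.
SAMPLE_KLIST='Keytab name: FILE:/etc/postgresql/postgres.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 POSTGRES/db1.example.com@EXAMPLE.COM
   3 POSTGRES/db1.example.com@EXAMPLE.COM'

# Server still configured with the lower-case default service name:
printf '%s\n' "$SAMPLE_KLIST" | check_keytab_principal postgres db1.example.com || true
```

A `SERVICE_CASE_MISMATCH` result means the service name configured on the server and in the client environment has to be changed to the spelling stored in the keytab.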
