Re: GSSAPI Authentication using a CNAME

From: Jason Breitman <jbreitman(at)tildenparkcapital(dot)com>
To: Dave Cramer <davecramer(at)postgres(dot)rocks>
Cc: pgsql-jdbc(at)lists(dot)postgresql(dot)org
Subject: Re: GSSAPI Authentication using a CNAME
Date: 2020-08-27 13:05:56
Message-ID: 323EF041-CA6D-4C8A-B1BB-E01B448A30EB@tildenparkcapital.com
Lists: pgsql-jdbc

Thank you for replying.
I do not believe this is the case for two reasons.

Using the CNAME with a fully qualified domain name does work as shown below which suggests that CNAME Records are ok.

The error code received when using the CNAME with a short name, 08006, is a connection failure.
I ran the same command with a dummy host that could not be resolved and received the error code 08001 which means sqlclient unable to establish sqlconnection.
This suggests that the Java resolver is working and when the hostname cannot be resolved, we receive a different error code.

Please let me know if I am missing your point.

Reference
https://www.postgresql.org/docs/9.2/errcodes-appendix.html

Jason Breitman

On Aug 27, 2020, at 7:24 AM, Dave Cramer <davecramer(at)postgres(dot)rocks> wrote:

Hi Jason,

Top posting because I don't want to delete below. I am wondering if this is a java thing. The docs for GSSAPI for java are pretty horrible.

Is there a setting to deal with CNAMEs?

Dave

On Wed, 26 Aug 2020 at 19:00, Jason Breitman <jbreitman(at)tildenparkcapital(dot)com> wrote:
Description
I am not able to connect to my PostgreSQL Server using the PostgreSQL JDBC Driver with GSSAPI when using the short name if the short name is a CNAME Record.
The fully qualified domain name does work when it is a CNAME.

For comparison, the psql client is able to connect using the short name when it is a CNAME.

JDBC Version
postgresql-42.2.16.jar

Dependencies
commons-cli-1.4

$ cat /opt/pgsql/conf/jaas.conf
pgjdbc {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    useTicketCache=true
    renewTGT=true
    debug=false
    client=true;
};

Code Snippet
$ cat JDBCExample.java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.CommandLineParser;
import org.apache.commons.cli.DefaultParser;
import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;

public class JDBCExample {

    public static void main(String[] args) throws ParseException {

        // Command-line options: --host and --db.
        Options options = new Options();

        Option host = Option.builder()
                .longOpt("host")
                .argName("host")
                .hasArg()
                .desc("Name of the PostgreSQL Server.")
                .build();

        options.addOption(host);

        Option db = Option.builder()
                .longOpt("db")
                .argName("db")
                .hasArg()
                .desc("Name of the PostgreSQL Database.")
                .build();

        options.addOption(db);

        CommandLineParser parser = new DefaultParser();
        CommandLine cmd = parser.parse(options, args);

        // The host is passed to the driver exactly as typed; no user or password is supplied.
        String jdbcUrl = "jdbc:postgresql://" + cmd.getOptionValue("host") + ":5432/" + cmd.getOptionValue("db");

        try (Connection conn = DriverManager.getConnection(jdbcUrl)) {

            if (conn != null) {
                System.out.println("Connected to the database!");
            } else {
                System.out.println("Failed to make connection!");
            }

        } catch (SQLException e) {
            // Print the SQLSTATE code followed by the driver's message.
            System.err.format("SQL State: %s\n%s", e.getSQLState(), e.getMessage());
        } catch (Exception e) {
            e.printStackTrace();
        }

    }
}

Compilation Steps
javac -cp .:postgresql-42.2.16.jar:commons-cli-1.4/commons-cli-1.4.jar JDBCExample.java

Results
$ java -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=EXAMPLE.COM -Djava.security.auth.login.config=/opt/pgsql/conf/jaas.conf -cp .:postgresql-42.2.16.jar:commons-cli-1.4/commons-cli-1.4.jar JDBCExample --host cname-hostname --db mydb
SQL State: 08006
GSS Authentication failed

$ java -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=EXAMPLE.COM -Djava.security.auth.login.config=/opt/pgsql/conf/jaas.conf -cp .:postgresql-42.2.16.jar:commons-cli-1.4/commons-cli-1.4.jar JDBCExample --host cname-hostname.example.com --db mydb
Connected to the database!

$ java -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=EXAMPLE.COM -Djava.security.auth.login.config=/opt/pgsql/conf/jaas.conf -cp .:postgresql-42.2.16.jar:commons-cli-1.4/commons-cli-1.4.jar JDBCExample --host hostname --db mydb
Connected to the database!

Jason Breitman
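
A diagnostic for the three cases in this thread, as an added example that is not part of the original messages or of the pgjdbc code base: for each host name given, it prints the canonical name the JVM resolver returns and the Kerberos principal that Java GSSAPI derives for a host-based service name. The class name `SpnCheck` is hypothetical, and the service name `postgres` is an assumption about the driver's service name setting.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class SpnCheck {
    // Object identifier of the Kerberos V5 GSS-API mechanism.
    static final String KRB5_OID = "1.2.840.113554.1.2.2";

    // Canonical name as seen by the JVM resolver (follows CNAME records).
    static String canonicalHost(String host) {
        try {
            return InetAddress.getByName(host).getCanonicalHostName();
        } catch (UnknownHostException e) {
            return "(unresolvable: " + e.getMessage() + ")";
        }
    }

    // Principal that the Kerberos mechanism derives from service@host.
    static String principalFor(String service, String host) {
        try {
            GSSName name = GSSManager.getInstance()
                    .createName(service + "@" + host, GSSName.NT_HOSTBASED_SERVICE);
            return name.canonicalize(new Oid(KRB5_OID)).toString();
        } catch (GSSException e) {
            return "(GSS error: " + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        String service = "postgres"; // assumption: service name used by the driver
        for (String host : args) {
            System.out.printf("%-32s canonical=%s  principal=%s%n",
                    host, canonicalHost(host), principalFor(service, host));
        }
    }
}
```

Run it with the same `-Djava.security.krb5.realm` and `-Djava.security.krb5.kdc` properties as in the Results above, passing `cname-hostname`, `cname-hostname.example.com` and `hostname` as arguments, and compare each printed principal with the service principals registered for the PostgreSQL server.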
